diff --git a/docs/root/intro/arch_overview/advanced/matching/matching_api.rst b/docs/root/intro/arch_overview/advanced/matching/matching_api.rst index a178ba64925e2..7d00c7d9b5287 100644 --- a/docs/root/intro/arch_overview/advanced/matching/matching_api.rst +++ b/docs/root/intro/arch_overview/advanced/matching/matching_api.rst @@ -40,18 +40,21 @@ These input functions are available for matching HTTP requests: Network Input Functions *********************** -These input functions are available for matching both TCP connections and UDP datagrams: +These input functions are available for matching TCP connections, UDP datagrams, and HTTP requests: * :ref:`Destination IP `. * :ref:`Destination port `. * :ref:`Source IP `. * :ref:`Source port `. -These input functions are available for matching TCP connections: +These input functions are available for matching TCP connections and HTTP requests: * :ref:`Direct source IP `. * :ref:`Source type `. * :ref:`Server name `. + +These input functions are available for matching TCP connections: + * :ref:`Transport protocol `. * :ref:`Application protocol `. diff --git a/envoy/http/filter.h b/envoy/http/filter.h index da1b579dd6d7e..39f62f8896067 100644 --- a/envoy/http/filter.h +++ b/envoy/http/filter.h @@ -1001,6 +1001,7 @@ class HttpMatchingData { virtual RequestTrailerMapOptConstRef requestTrailers() const PURE; virtual ResponseHeaderMapOptConstRef responseHeaders() const PURE; virtual ResponseTrailerMapOptConstRef responseTrailers() const PURE; + virtual const Network::ConnectionInfoProvider& connectionInfoProvider() const PURE; }; /** diff --git a/envoy/network/filter.h b/envoy/network/filter.h index d0fa799982b86..747a69f3ddf52 100644 --- a/envoy/network/filter.h +++ b/envoy/network/filter.h 
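Review bot: The new pure virtual `connectionInfoProvider()` on `HttpMatchingData` lands without a comment saying which connection it describes, even though the new HTTP `source_ip`, `source_type` and `server_name` inputs in this PR key off it. The FilterManager hunks construct the implementation from `stream_info_.downstreamAddressProvider()`, and the implementation stores it by reference, so that is what the contract should say: `/** @return addresses and SNI of the downstream connection carrying this request. Held by reference by implementations, so it must outlive the matching data. */`. The enclosing class starts before this hunk.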
@@ -529,6 +529,10 @@ class MatchingData {
   virtual ~MatchingData() = default;
 
   virtual const ConnectionSocket& socket() const PURE;
+
+  const ConnectionInfoProvider& connectionInfoProvider() const {
+    return socket().connectionInfoProvider();
+  }
 };
 
 /**
diff --git a/source/common/http/filter_manager.h b/source/common/http/filter_manager.h
index 9fc0c99b0359b..bccd371f8de67 100644
--- a/source/common/http/filter_manager.h
+++ b/source/common/http/filter_manager.h
@@ -698,7 +698,8 @@ class FilterManager : public ScopeTrackedObject,
       addStreamDecoderFilterWorker(
           filter,
           std::make_shared(std::move(match_tree),
-                           std::make_shared()),
+                           std::make_shared(
+                               stream_info_.downstreamAddressProvider())),
           false);
       return;
     }
@@ -715,7 +716,8 @@ class FilterManager : public ScopeTrackedObject,
       addStreamEncoderFilterWorker(
           filter,
           std::make_shared(std::move(match_tree),
-                           std::make_shared()),
+                           std::make_shared(
+                               stream_info_.downstreamAddressProvider())),
           false);
       return;
     }
@@ -736,7 +738,8 @@ class FilterManager : public ScopeTrackedObject,
       // the result to both filters after the first match evaluation.
       if (match_tree) {
         auto matching_state = std::make_shared(
-            std::move(match_tree), std::make_shared());
+            std::move(match_tree), std::make_shared(
+                                       stream_info_.downstreamAddressProvider()));
         addStreamDecoderFilterWorker(filter, matching_state, true);
         addStreamEncoderFilterWorker(filter, std::move(matching_state), true);
         return;
diff --git a/source/common/http/matching/data_impl.h b/source/common/http/matching/data_impl.h
index 3299b46f13cc5..6a8f1d9c59b3c 100644
--- a/source/common/http/matching/data_impl.h
+++ b/source/common/http/matching/data_impl.h
@@ -13,6 +13,9 @@ namespace Matching {
  */
 class HttpMatchingDataImpl : public HttpMatchingData {
 public:
+  explicit HttpMatchingDataImpl(const Network::ConnectionInfoProvider& connection_info_provider)
+      : connection_info_provider_(connection_info_provider) {}
+
   static absl::string_view name() { return "http"; }
 
   void onRequestHeaders(const RequestHeaderMap& request_headers) {
@@ -47,7 +50,12 @@ class HttpMatchingDataImpl : public HttpMatchingData {
     return makeOptRefFromPtr(response_trailers_);
   }
 
+  const Network::ConnectionInfoProvider& connectionInfoProvider() const override {
+    return connection_info_provider_;
+  }
+
 private:
+  const Network::ConnectionInfoProvider& connection_info_provider_;
   const RequestHeaderMap* request_headers_{};
   const ResponseHeaderMap* response_headers_{};
   const RequestTrailerMap* request_trailers_{};
diff --git a/source/common/network/matching/BUILD b/source/common/network/matching/BUILD
index dce37cb6a2dc8..ca64ff93342ce 100644
--- a/source/common/network/matching/BUILD
+++ b/source/common/network/matching/BUILD
@@ -21,6 +21,7 @@ envoy_cc_library(
     srcs = ["inputs.cc"],
     hdrs = ["inputs.h"],
     deps = [
+        "//envoy/http:filter_interface",
         "//envoy/matcher:matcher_interface",
         "//envoy/network:filter_interface",
         "//envoy/registry",
diff --git a/source/common/network/matching/inputs.cc b/source/common/network/matching/inputs.cc
index 6f03971b6865d..1084170f595b8 100644
--- a/source/common/network/matching/inputs.cc
+++ b/source/common/network/matching/inputs.cc
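Review bot: `connection_info_provider_` is a stored reference with no statement of its lifetime, while `HttpMatchingDataImpl` is created by FilterManager inside a `std::make_shared` that is then shared between a decoder and an encoder filter wrapper. Whether every holder of that shared state dies before the FilterManager's `stream_info_` is not visible here; if one does not, the address- and SNI-based route/filter decisions would read a dangling reference. The constructor should carry the contract: `// Held by reference: connection_info_provider must outlive this object (FilterManager passes its own stream_info_'s provider).` The class continues past the end of this hunk.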
@@ -1,25 +1,14 @@ #include "source/common/network/matching/inputs.h" +#include "envoy/http/filter.h" #include "envoy/registry/registry.h" -#include "source/common/network/utility.h" - #include "absl/strings/str_cat.h" namespace Envoy { namespace Network { namespace Matching { -template <> -Matcher::DataInputGetResult DestinationIPInput::get(const MatchingData& data) const { - const auto& address = data.socket().connectionInfoProvider().localAddress(); - if (address->type() != Network::Address::Type::Ip) { - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; - } - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, - address->ip()->addressAsString()}; -} - template <> Matcher::DataInputGetResult DestinationIPInput::get(const UdpMatchingData& data) const { @@ -31,17 +20,6 @@ DestinationIPInput::get(const UdpMatchingData& data) const { address.ip()->addressAsString()}; } -template <> -Matcher::DataInputGetResult -DestinationPortInput::get(const MatchingData& data) const { - const auto& address = data.socket().connectionInfoProvider().localAddress(); - if (address->type() != Network::Address::Type::Ip) { - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; - } - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, - absl::StrCat(address->ip()->port())}; -} - template <> Matcher::DataInputGetResult DestinationPortInput::get(const UdpMatchingData& data) const { 
@@ -53,16 +31,6 @@ DestinationPortInput::get(const UdpMatchingData& data) const { absl::StrCat(address.ip()->port())}; } -template <> -Matcher::DataInputGetResult SourceIPInput::get(const MatchingData& data) const { - const auto& address = data.socket().connectionInfoProvider().remoteAddress(); - if (address->type() != Network::Address::Type::Ip) { - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; - } - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, - address->ip()->addressAsString()}; -} - template <> Matcher::DataInputGetResult SourceIPInput::get(const UdpMatchingData& data) const { const auto& address = data.remoteAddress(); @@ -73,16 +41,6 @@ Matcher::DataInputGetResult SourceIPInput::get(const UdpMatchin address.ip()->addressAsString()}; } -template <> -Matcher::DataInputGetResult SourcePortInput::get(const MatchingData& data) const { - const auto& address = data.socket().connectionInfoProvider().remoteAddress(); - if (address->type() != Network::Address::Type::Ip) { - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; - } - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, - absl::StrCat(address->ip()->port())}; -} - template <> Matcher::DataInputGetResult SourcePortInput::get(const UdpMatchingData& data) const { 
@@ -94,32 +52,6 @@ SourcePortInput::get(const UdpMatchingData& data) const { absl::StrCat(address.ip()->port())}; } -Matcher::DataInputGetResult DirectSourceIPInput::get(const MatchingData& data) const { - const auto& address = data.socket().connectionInfoProvider().directRemoteAddress(); - if (address->type() != Network::Address::Type::Ip) { - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; - } - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, - address->ip()->addressAsString()}; -} - -Matcher::DataInputGetResult SourceTypeInput::get(const MatchingData& data) const { - const bool is_local_connection = Network::Utility::isSameIpOrLoopback(data.socket()); - if (is_local_connection) { - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, "local"}; - } - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; -} - -Matcher::DataInputGetResult ServerNameInput::get(const MatchingData& data) const { - const auto server_name = data.socket().requestedServerName(); - if (!server_name.empty()) { - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, - std::string(server_name)}; - } - return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; -} - Matcher::DataInputGetResult TransportProtocolInput::get(const MatchingData& data) const { const auto transport_protocol = data.socket().detectedTransportProtocol(); if (!transport_protocol.empty()) { 
@@ -138,17 +70,53 @@ Matcher::DataInputGetResult ApplicationProtocolInput::get(const MatchingData& da return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; } +class DestinationIPInputFactory : public DestinationIPInputBaseFactory {}; +class UdpDestinationIPInputFactory : public DestinationIPInputBaseFactory {}; +class HttpDestinationIPInputFactory : public DestinationIPInputBaseFactory { +}; REGISTER_FACTORY(DestinationIPInputFactory, Matcher::DataInputFactory); REGISTER_FACTORY(UdpDestinationIPInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(HttpDestinationIPInputFactory, Matcher::DataInputFactory); + +class DestinationPortInputFactory : public DestinationPortInputBaseFactory {}; +class UdpDestinationPortInputFactory : public DestinationPortInputBaseFactory {}; +class HttpDestinationPortInputFactory + : public DestinationPortInputBaseFactory {}; REGISTER_FACTORY(DestinationPortInputFactory, Matcher::DataInputFactory); REGISTER_FACTORY(UdpDestinationPortInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(HttpDestinationPortInputFactory, + Matcher::DataInputFactory); + +class SourceIPInputFactory : public SourceIPInputBaseFactory {}; +class UdpSourceIPInputFactory : public SourceIPInputBaseFactory {}; +class HttpSourceIPInputFactory : public SourceIPInputBaseFactory {}; REGISTER_FACTORY(SourceIPInputFactory, Matcher::DataInputFactory); REGISTER_FACTORY(UdpSourceIPInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(HttpSourceIPInputFactory, Matcher::DataInputFactory); + +class SourcePortInputFactory : public SourcePortInputBaseFactory {}; +class UdpSourcePortInputFactory : public SourcePortInputBaseFactory {}; +class HttpSourcePortInputFactory : public SourcePortInputBaseFactory {}; REGISTER_FACTORY(SourcePortInputFactory, Matcher::DataInputFactory); REGISTER_FACTORY(UdpSourcePortInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(HttpSourcePortInputFactory, Matcher::DataInputFactory); + +class 
DirectSourceIPInputFactory : public DirectSourceIPInputBaseFactory {}; +class HttpDirectSourceIPInputFactory + : public DirectSourceIPInputBaseFactory {}; REGISTER_FACTORY(DirectSourceIPInputFactory, Matcher::DataInputFactory); -REGISTER_FACTORY(SourceTypeInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(HttpDirectSourceIPInputFactory, Matcher::DataInputFactory); + +class ServerNameInputFactory : public ServerNameInputBaseFactory {}; +class HttpServerNameInputFactory : public ServerNameInputBaseFactory {}; REGISTER_FACTORY(ServerNameInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(HttpServerNameInputFactory, Matcher::DataInputFactory); + +class SourceTypeInputFactory : public SourceTypeInputBaseFactory {}; +class HttpSourceTypeInputFactory : public SourceTypeInputBaseFactory {}; +REGISTER_FACTORY(SourceTypeInputFactory, Matcher::DataInputFactory); +REGISTER_FACTORY(HttpSourceTypeInputFactory, Matcher::DataInputFactory); + REGISTER_FACTORY(TransportProtocolInputFactory, Matcher::DataInputFactory); REGISTER_FACTORY(ApplicationProtocolInputFactory, Matcher::DataInputFactory); diff --git a/source/common/network/matching/inputs.h b/source/common/network/matching/inputs.h index 7eb8d4a5d29b5..73be852f01ec5 100644 --- a/source/common/network/matching/inputs.h +++ b/source/common/network/matching/inputs.h @@ -5,6 +5,8 @@ #include "envoy/matcher/matcher.h" #include "envoy/network/filter.h" +#include "source/common/network/utility.h" + namespace Envoy { namespace Network { namespace Matching { 
@@ -32,9 +34,20 @@ class BaseFactory : public Matcher::DataInputFactory { template class DestinationIPInput : public Matcher::DataInput { public: - Matcher::DataInputGetResult get(const MatchingDataType& data) const override; + Matcher::DataInputGetResult get(const MatchingDataType& data) const override { + const auto& address = data.connectionInfoProvider().localAddress(); + if (address->type() != Network::Address::Type::Ip) { + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; + } + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, + address->ip()->addressAsString()}; + } }; +template <> +Matcher::DataInputGetResult +DestinationIPInput::get(const UdpMatchingData& data) const; + template class DestinationIPInputBaseFactory : public BaseFactory< @@ -48,16 +61,23 @@ class DestinationIPInputBaseFactory MatchingDataType>("destination_ip") {} }; -class DestinationIPInputFactory : public DestinationIPInputBaseFactory {}; - -class UdpDestinationIPInputFactory : public DestinationIPInputBaseFactory {}; - template class DestinationPortInput : public Matcher::DataInput { public: - Matcher::DataInputGetResult get(const MatchingDataType& data) const override; + Matcher::DataInputGetResult get(const MatchingDataType& data) const override { + const auto& address = data.connectionInfoProvider().localAddress(); + if (address->type() != Network::Address::Type::Ip) { + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; + } + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, + absl::StrCat(address->ip()->port())}; + } }; +template <> +Matcher::DataInputGetResult +DestinationPortInput::get(const UdpMatchingData& data) const; + template class DestinationPortInputBaseFactory : public BaseFactory< 
@@ -71,16 +91,22 @@ class DestinationPortInputBaseFactory MatchingDataType>("destination_port") {} }; -class DestinationPortInputFactory : public DestinationPortInputBaseFactory {}; - -class UdpDestinationPortInputFactory : public DestinationPortInputBaseFactory {}; - template class SourceIPInput : public Matcher::DataInput { public: - Matcher::DataInputGetResult get(const MatchingDataType& data) const override; + Matcher::DataInputGetResult get(const MatchingDataType& data) const override { + const auto& address = data.connectionInfoProvider().remoteAddress(); + if (address->type() != Network::Address::Type::Ip) { + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; + } + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, + address->ip()->addressAsString()}; + } }; +template <> +Matcher::DataInputGetResult SourceIPInput::get(const UdpMatchingData& data) const; + template class SourceIPInputBaseFactory : public BaseFactory, @@ -93,16 +119,23 @@ class SourceIPInputBaseFactory MatchingDataType>("source_ip") {} }; -class SourceIPInputFactory : public SourceIPInputBaseFactory {}; - -class UdpSourceIPInputFactory : public SourceIPInputBaseFactory {}; - template class SourcePortInput : public Matcher::DataInput { public: - Matcher::DataInputGetResult get(const MatchingDataType& data) const override; + Matcher::DataInputGetResult get(const MatchingDataType& data) const override { + const auto& address = data.connectionInfoProvider().remoteAddress(); + if (address->type() != Network::Address::Type::Ip) { + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; + } + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, + absl::StrCat(address->ip()->port())}; + } }; +template <> +Matcher::DataInputGetResult +SourcePortInput::get(const UdpMatchingData& data) const; + template class SourcePortInputBaseFactory : public BaseFactory, 
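Review bot: For the new HTTP data type `SourceIPInput::get` returns `connectionInfoProvider().remoteAddress()`, which the FilterManager hunk feeds from `stream_info_.downstreamAddressProvider()`, and route-level `source_ip` matches are typically used as access decisions. Whether that remote address is the raw socket peer, a PROXY-protocol-rewritten address, or anything derived from `x-forwarded-for` cannot be determined from this diff, and neither this hunk nor the docs hunk says which it is. Add a comment above `get` stating the answer once confirmed against the connection-manager code, along the lines of `// HTTP: the downstream connection's remote address as recorded by the listener; direct_source_ip gives the unrewritten socket peer.` The same applies to `SourcePortInput` in the following hunk.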
@@ -115,48 +148,80 @@ class SourcePortInputBaseFactory MatchingDataType>("source_port") {} }; -class SourcePortInputFactory : public SourcePortInputBaseFactory {}; - -class UdpSourcePortInputFactory : public SourcePortInputBaseFactory {}; - -class DirectSourceIPInput : public Matcher::DataInput { +template +class DirectSourceIPInput : public Matcher::DataInput { public: - Matcher::DataInputGetResult get(const MatchingData& data) const override; + Matcher::DataInputGetResult get(const MatchingDataType& data) const override { + const auto& address = data.connectionInfoProvider().directRemoteAddress(); + if (address->type() != Network::Address::Type::Ip) { + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; + } + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, + address->ip()->addressAsString()}; + } }; -class DirectSourceIPInputFactory +template +class DirectSourceIPInputBaseFactory : public BaseFactory< - DirectSourceIPInput, + DirectSourceIPInput, envoy::extensions::matching::common_inputs::network::v3::DirectSourceIPInput, - MatchingData> { + MatchingDataType> { public: - DirectSourceIPInputFactory() : BaseFactory("direct_source_ip") {} + DirectSourceIPInputBaseFactory() + : BaseFactory, + envoy::extensions::matching::common_inputs::network::v3::DirectSourceIPInput, + MatchingDataType>("direct_source_ip") {} }; -class SourceTypeInput : public Matcher::DataInput { +template +class SourceTypeInput : public Matcher::DataInput { public: - Matcher::DataInputGetResult get(const MatchingData& data) const override; + Matcher::DataInputGetResult get(const MatchingDataType& data) const override { + const bool is_local_connection = + Network::Utility::isSameIpOrLoopback(data.connectionInfoProvider()); + if (is_local_connection) { + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, "local"}; + } + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; + } 
}; -class SourceTypeInputFactory - : public BaseFactory +class SourceTypeInputBaseFactory + : public BaseFactory, envoy::extensions::matching::common_inputs::network::v3::SourceTypeInput, - MatchingData> { + MatchingDataType> { public: - SourceTypeInputFactory() : BaseFactory("source_type") {} + SourceTypeInputBaseFactory() + : BaseFactory, + envoy::extensions::matching::common_inputs::network::v3::SourceTypeInput, + MatchingDataType>("source_type") {} }; -class ServerNameInput : public Matcher::DataInput { +template +class ServerNameInput : public Matcher::DataInput { public: - Matcher::DataInputGetResult get(const MatchingData& data) const override; + Matcher::DataInputGetResult get(const MatchingDataType& data) const override { + const auto server_name = data.connectionInfoProvider().requestedServerName(); + if (!server_name.empty()) { + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, + std::string(server_name)}; + } + return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::nullopt}; + } }; -class ServerNameInputFactory - : public BaseFactory +class ServerNameInputBaseFactory + : public BaseFactory, envoy::extensions::matching::common_inputs::network::v3::ServerNameInput, - MatchingData> { + MatchingDataType> { public: - ServerNameInputFactory() : BaseFactory("server_name") {} + ServerNameInputBaseFactory() + : BaseFactory, + envoy::extensions::matching::common_inputs::network::v3::ServerNameInput, + MatchingDataType>("server_name") {} }; class TransportProtocolInput : public Matcher::DataInput { diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc index 5f69eec16d221..fe5b42f85494b 100644 --- a/source/common/network/utility.cc +++ b/source/common/network/utility.cc 
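Review bot: `ServerNameInput::get` reads `requestedServerName()` from the ConnectionInfoProvider for both data types, so for HTTP it yields the TLS SNI of the downstream connection, not the request's `:authority`/Host, and on a plaintext connection the `server_name.empty()` branch returns nullopt, which means a route matcher written against Host will silently never match. Nothing in this hunk or the docs hunk says so; add above `get`: `// SNI requested on the downstream connection (empty -> no match); unrelated to :authority/Host when used from HTTP matching.` The TCP path also changes from `socket().requestedServerName()` to the provider's value, which is only a no-op if the socket delegates to its provider — the listener test hunk keeping both an `ON_CALL` and a setter suggests that should be confirmed. `SourceTypeInput`'s `local` verdict likewise comes from connection addresses, which deserves the same one-line caveat. The class definitions continue past the end of this hunk.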
@@ -280,16 +280,16 @@ Address::InstanceConstSharedPtr Utility::getLocalAddress(const Address::IpVersio
   return ret;
 }
 
-bool Utility::isSameIpOrLoopback(const ConnectionSocket& socket) {
+bool Utility::isSameIpOrLoopback(const ConnectionInfoProvider& connection_info_provider) {
   // These are local:
   // - Pipes
   // - Sockets to a loopback address
   // - Sockets where the local and remote address (ignoring port) are the same
-  const auto& remote_address = socket.connectionInfoProvider().remoteAddress();
+  const auto& remote_address = connection_info_provider.remoteAddress();
   if (remote_address->type() == Address::Type::Pipe || isLoopbackAddress(*remote_address)) {
     return true;
   }
-  const auto local_ip = socket.connectionInfoProvider().localAddress()->ip();
+  const auto local_ip = connection_info_provider.localAddress()->ip();
   const auto remote_ip = remote_address->ip();
   if (remote_ip != nullptr && local_ip != nullptr &&
       remote_ip->addressAsString() == local_ip->addressAsString()) {
diff --git a/source/common/network/utility.h b/source/common/network/utility.h
index 13c5722f3fe32..54cff85a81d17 100644
--- a/source/common/network/utility.h
+++ b/source/common/network/utility.h
@@ -227,7 +227,7 @@ class Utility {
    * Determine whether this is a local connection.
    * @return bool the address is a local connection.
    */
-  static bool isSameIpOrLoopback(const ConnectionSocket& socket);
+  static bool isSameIpOrLoopback(const ConnectionInfoProvider& socket);
 
   /**
    * Determine whether this is an internal (RFC1918) address.
diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc
index 6f00cd1edc5dd..f654f9072a5d1 100644
--- a/source/common/router/config_impl.cc
+++ b/source/common/router/config_impl.cc
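Review bot: The utility.h declaration still names the parameter `socket` while the definition in utility.cc calls it `connection_info_provider`, and the doc block does not say what is inspected now that no socket is involved. Change the declaration to `static bool isSameIpOrLoopback(const ConnectionInfoProvider& connection_info_provider);` and add `* @param connection_info_provider local and remote addresses of the connection to classify.` to the comment above it. The utility.cc hunk is otherwise a mechanical rename and preserves the null checks on `ip()`.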
@@ -1640,7 +1640,7 @@ RouteConstSharedPtr VirtualHostImpl::getRouteFromEntries(const RouteCallback& cb
   }
 
   if (matcher_) {
-    Http::Matching::HttpMatchingDataImpl data;
+    Http::Matching::HttpMatchingDataImpl data(stream_info.downstreamAddressProvider());
     data.onRequestHeaders(headers);
 
     auto match = Matcher::evaluateMatch(*matcher_, data);
diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml
index 08a49feb73e44..41a91d3c852de 100644
--- a/source/extensions/extensions_metadata.yaml
+++ b/source/extensions/extensions_metadata.yaml
@@ -787,36 +787,43 @@ envoy.matching.inputs.response_trailers:
   status: alpha
 envoy.matching.inputs.destination_ip:
   categories:
+  - envoy.matching.http.input
   - envoy.matching.network.input
   security_posture: unknown
   status: alpha
 envoy.matching.inputs.destination_port:
   categories:
+  - envoy.matching.http.input
   - envoy.matching.network.input
   security_posture: unknown
   status: alpha
 envoy.matching.inputs.source_ip:
   categories:
+  - envoy.matching.http.input
   - envoy.matching.network.input
   security_posture: unknown
   status: alpha
 envoy.matching.inputs.source_port:
   categories:
+  - envoy.matching.http.input
   - envoy.matching.network.input
   security_posture: unknown
   status: alpha
 envoy.matching.inputs.direct_source_ip:
   categories:
+  - envoy.matching.http.input
   - envoy.matching.network.input
   security_posture: unknown
   status: alpha
 envoy.matching.inputs.source_type:
   categories:
+  - envoy.matching.http.input
   - envoy.matching.network.input
   security_posture: unknown
   status: alpha
 envoy.matching.inputs.server_name:
   categories:
+  - envoy.matching.http.input
   - envoy.matching.network.input
   security_posture: unknown
   status: alpha
diff --git a/source/server/filter_chain_manager_impl.cc b/source/server/filter_chain_manager_impl.cc
index cc54e304814dc..7a5e6b67eb519 100644
--- a/source/server/filter_chain_manager_impl.cc
+++ b/source/server/filter_chain_manager_impl.cc
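Review bot: All seven inputs gain the `envoy.matching.http.input` category but keep `security_posture: unknown`, and with this PR they become selectable from HTTP route matchers, i.e. they are evaluated per request on untrusted downstream traffic. These inputs only read addresses and SNI the listener has already parsed, so it is worth deciding now whether a stronger posture than `unknown` is warranted, or recording in this file why it is not. Leaving `unknown` on inputs that are newly reachable from route selection is the kind of gap that is easy to forget once the feature ships.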
@@ -706,7 +706,7 @@ const Network::FilterChain* FilterChainManagerImpl::findFilterChainForSourceType // isSameIpOrLoopback can be expensive. Call it only if LOCAL or EXTERNAL have entries. const bool is_local_connection = (!filter_chain_local.first.empty() || !filter_chain_external.first.empty()) - ? Network::Utility::isSameIpOrLoopback(socket) + ? Network::Utility::isSameIpOrLoopback(socket.connectionInfoProvider()) : false; if (is_local_connection) { diff --git a/test/common/http/matching/BUILD b/test/common/http/matching/BUILD index 92a2f0c1187c3..7546fc4e9977c 100644 --- a/test/common/http/matching/BUILD +++ b/test/common/http/matching/BUILD @@ -14,5 +14,7 @@ envoy_cc_test( deps = [ "//source/common/http/matching:data_impl_lib", "//source/common/http/matching:inputs_lib", + "//source/common/network:address_lib", + "//source/common/network:socket_lib", ], ) diff --git a/test/common/http/matching/inputs_test.cc b/test/common/http/matching/inputs_test.cc index 951b0bdda7dfd..fda5c0a021497 100644 --- a/test/common/http/matching/inputs_test.cc +++ b/test/common/http/matching/inputs_test.cc @@ -2,6 +2,8 @@ #include "source/common/http/matching/data_impl.h" #include "source/common/http/matching/inputs.h" +#include "source/common/network/address_impl.h" +#include "source/common/network/socket_impl.h" #include "test/test_common/utility.h" @@ -11,7 +13,10 @@ namespace Matching { TEST(HttpHeadersDataInputBase, ReturnValueNotPersistedBetweenCalls) { HttpRequestHeadersDataInput input("header"); - HttpMatchingDataImpl data; + Network::ConnectionInfoSetterImpl connection_info_provider( + std::make_shared(80), + std::make_shared(80)); + HttpMatchingDataImpl data(connection_info_provider); { TestRequestHeaderMapImpl request_headers({{"header", "bar"}}); diff --git a/test/common/network/matching/BUILD b/test/common/network/matching/BUILD index 447d3e68099ff..e0723d8853d7b 100644 --- a/test/common/network/matching/BUILD +++ b/test/common/network/matching/BUILD 
@@ -12,6 +12,7 @@ envoy_cc_test( name = "inputs_test", srcs = ["inputs_test.cc"], deps = [ + "//source/common/http/matching:data_impl_lib", "//source/common/network:address_lib", "//source/common/network/matching:data_impl_lib", "//source/common/network/matching:inputs_lib", diff --git a/test/common/network/matching/inputs_integration_test.cc b/test/common/network/matching/inputs_integration_test.cc index 0cc43feb4301f..f3f9203b89ff0 100644 --- a/test/common/network/matching/inputs_integration_test.cc +++ b/test/common/network/matching/inputs_integration_test.cc @@ -134,11 +134,12 @@ TEST_F(InputsIntegrationTest, SourceTypeInput) { } TEST_F(InputsIntegrationTest, ServerNameInput) { - initialize("ServerNameInput", "example.com"); + const auto host = "example.com"; + initialize("ServerNameInput", host); Network::MockConnectionSocket socket; MatchingDataImpl data(socket); - EXPECT_CALL(socket, requestedServerName).WillOnce(testing::Return("example.com")); + socket.connection_info_provider_->setRequestedServerName(host); const auto result = match_tree_()->match(data); EXPECT_EQ(result.match_state_, Matcher::MatchState::MatchComplete); diff --git a/test/common/network/matching/inputs_test.cc b/test/common/network/matching/inputs_test.cc index fdc9c20511048..c673a6220f2a5 100644 --- a/test/common/network/matching/inputs_test.cc +++ b/test/common/network/matching/inputs_test.cc @@ -1,5 +1,6 @@ #include "envoy/http/filter.h" +#include "source/common/http/matching/data_impl.h" #include "source/common/network/address_impl.h" #include "source/common/network/matching/data_impl.h" #include "source/common/network/matching/inputs.h" 
@@ -34,6 +35,69 @@ TEST(MatchingData, DestinationIPInput) { } } +TEST(MatchingData, HttpDestinationIPInput) { + ConnectionInfoSetterImpl connection_info_provider( + std::make_shared("127.0.0.1", 8080), + std::make_shared("10.0.0.1", 9090)); + connection_info_provider.setDirectRemoteAddressForTest( + std::make_shared("127.0.0.2", 8081)); + auto host = "example.com"; + connection_info_provider.setRequestedServerName(host); + Http::Matching::HttpMatchingDataImpl data(connection_info_provider); + { + DestinationIPInput input; + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(result.data_, "127.0.0.1"); + } + { + DestinationPortInput input; + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(result.data_, "8080"); + } + { + SourceIPInput input; + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(result.data_, "10.0.0.1"); + } + { + SourcePortInput input; + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(result.data_, "9090"); + } + { + DirectSourceIPInput input; + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(result.data_, "127.0.0.2"); + } + { + ServerNameInput input; + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(result.data_, host); + } + + connection_info_provider.setRemoteAddress( + std::make_shared("127.0.0.1", 8081)); + { + SourceTypeInput input; + const auto result = input.get(data); + EXPECT_EQ(result.data_availability_, + 
Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); + EXPECT_EQ(result.data_, "local"); + } +} + TEST(MatchingData, DestinationPortInput) { DestinationPortInput input; MockConnectionSocket socket; @@ -107,7 +171,7 @@ TEST(MatchingData, SourcePortInput) { } TEST(MatchingData, DirectSourceIPInput) { - DirectSourceIPInput input; + DirectSourceIPInput input; MockConnectionSocket socket; MatchingDataImpl data(socket); @@ -131,7 +195,7 @@ TEST(MatchingData, DirectSourceIPInput) { } TEST(MatchingData, SourceTypeInput) { - SourceTypeInput input; + SourceTypeInput input; MockConnectionSocket socket; MatchingDataImpl data(socket); @@ -155,12 +219,11 @@ TEST(MatchingData, SourceTypeInput) { } TEST(MatchingData, ServerNameInput) { - ServerNameInput input; + ServerNameInput input; MockConnectionSocket socket; MatchingDataImpl data(socket); { - EXPECT_CALL(socket, requestedServerName).WillOnce(testing::Return("")); const auto result = input.get(data); EXPECT_EQ(result.data_availability_, Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); @@ -169,7 +232,7 @@ TEST(MatchingData, ServerNameInput) { { const auto host = "example.com"; - EXPECT_CALL(socket, requestedServerName).WillOnce(testing::Return(host)); + socket.connection_info_provider_->setRequestedServerName(host); const auto result = input.get(data); EXPECT_EQ(result.data_availability_, Matcher::DataInputGetResult::DataAvailability::AllDataAvailable); diff --git a/test/common/network/utility_test.cc b/test/common/network/utility_test.cc index b5453aeba935e..63c1c0931739a 100644 --- a/test/common/network/utility_test.cc +++ b/test/common/network/utility_test.cc 
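Review bot: `HttpDestinationIPInput` only asserts the `local` outcome of `SourceTypeInput`, after the remote is rewritten to 127.0.0.1; the non-local case for the original 10.0.0.1/127.0.0.1 pair, which is the branch returning `absl::nullopt`, is never exercised for the HTTP data type. Add the same block before the `setRemoteAddress` call with `EXPECT_EQ(result.data_, absl::nullopt);` so a regression that classifies every HTTP request as local would be caught. The test name also says DestinationIP while the body covers all seven HTTP inputs; `HttpNetworkInputs` would describe it.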
@@ -269,71 +269,71 @@ TEST(NetworkUtility, LocalConnection) { std::make_shared("127.0.0.1")); socket.connection_info_provider_->setRemoteAddress( std::make_shared("/pipe/path")); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setLocalAddress( std::make_shared("/pipe/path")); socket.connection_info_provider_->setRemoteAddress( std::make_shared("/pipe/path")); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setLocalAddress( std::make_shared("127.0.0.1")); socket.connection_info_provider_->setRemoteAddress( std::make_shared("127.0.0.1")); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setLocalAddress( std::make_shared("127.0.0.2")); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setLocalAddress( std::make_shared("4.4.4.4")); socket.connection_info_provider_->setRemoteAddress( std::make_shared("8.8.8.8")); - EXPECT_FALSE(Utility::isSameIpOrLoopback(socket)); + EXPECT_FALSE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setLocalAddress( std::make_shared("4.4.4.4")); socket.connection_info_provider_->setRemoteAddress( std::make_shared("4.4.4.4")); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setLocalAddress( std::make_shared("4.4.4.4", 1234)); socket.connection_info_provider_->setRemoteAddress( std::make_shared("4.4.4.4", 4321)); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + 
EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setLocalAddress( std::make_shared("::1")); socket.connection_info_provider_->setRemoteAddress( std::make_shared("::1")); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setLocalAddress( std::make_shared("::2")); socket.connection_info_provider_->setRemoteAddress( std::make_shared("::1")); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setRemoteAddress( std::make_shared("::3")); - EXPECT_FALSE(Utility::isSameIpOrLoopback(socket)); + EXPECT_FALSE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setRemoteAddress( std::make_shared("::2")); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setRemoteAddress( std::make_shared("::2", 4321)); socket.connection_info_provider_->setLocalAddress( std::make_shared("::2", 1234)); - EXPECT_TRUE(Utility::isSameIpOrLoopback(socket)); + EXPECT_TRUE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); socket.connection_info_provider_->setRemoteAddress( std::make_shared("fd00::")); - EXPECT_FALSE(Utility::isSameIpOrLoopback(socket)); + EXPECT_FALSE(Utility::isSameIpOrLoopback(socket.connectionInfoProvider())); } TEST(NetworkUtility, InternalAddress) { diff --git a/test/server/listener_manager_impl_test.h b/test/server/listener_manager_impl_test.h index 8adb7e7a92073..bfa8756b4be86 100644 --- a/test/server/listener_manager_impl_test.h +++ b/test/server/listener_manager_impl_test.h 
@@ -197,6 +197,7 @@ class ListenerManagerImplTest : public testing::TestWithParam {
     }
 
     socket_->connection_info_provider_->setLocalAddress(local_address_);
+    socket_->connection_info_provider_->setRequestedServerName(server_name);
     ON_CALL(*socket_, requestedServerName()).WillByDefault(Return(absl::string_view(server_name)));
     ON_CALL(*socket_, detectedTransportProtocol())
         .WillByDefault(Return(absl::string_view(transport_protocol)));
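Review bot: The fixture now sets the server name on `connection_info_provider_` and also keeps the `ON_CALL(*socket_, requestedServerName())` default, so the two values can diverge if a test later changes only one of them. The other test hunks in this PR dropped the mock expectation entirely and rely on the setter alone. If `MockConnectionSocket::requestedServerName()` delegates to the provider (not visible here) the `ON_CALL` line is dead and should go; if it does not, a one-line comment should say which production path still reads the mock. The enclosing fixture method starts before this hunk.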