Add tcp and http filters for external authorization service.

bazel/repositories.bzl

@@ -168,6 +168,7 @@ def _envoy_api_deps():
         "rate_limit",
         "router",
         "transcoder",
+        "ext_authz",
     ]
     for t in http_filter_bind_targets:
         native.bind(
@@ -181,6 +182,7 @@ def _envoy_api_deps():
         "redis_proxy",
         "rate_limit",
         "client_ssl_auth",
+        "ext_authz",
     ]
     for t in network_filter_bind_targets:
         native.bind(
@@ -195,6 +197,14 @@ def _envoy_api_deps():
         name = "http_api_protos",
         actual = "@googleapis//:http_api_protos",
     )
+    sub_bind_targets = [
+        ("auth", "auth"),
+    ]
+    for t in sub_bind_targets:
+        native.bind(
+            name = "envoy_api_sub_" + t[0],
+            actual = "@envoy_api//api/" + t[0] + ":" + t[1] + "_cc",
+        )
 
 def envoy_dependencies(path = "@envoy_deps//", skip_targets = []):
     envoy_repository = repository_rule(

include/envoy/ext_authz/BUILD

@@ -0,0 +1,24 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+    "envoy_proto_library",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "ext_authz_interface",
+    hdrs = ["ext_authz.h"],
+    external_deps = ["envoy_api_sub_auth"],
+    deps = [
+        "//include/envoy/common:optional",
+        "//include/envoy/http:filter_interface",
+        "//include/envoy/http:header_map_interface",
+        "//include/envoy/network:filter_interface",
+        "//include/envoy/tracing:http_tracer_interface",
+    ],
+)
+

include/envoy/ext_authz/ext_authz.h

@@ -0,0 +1,101 @@
+#pragma once
+
+#include <chrono>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "envoy/common/optional.h"
+#include "envoy/common/pure.h"
+#include "envoy/http/filter.h"
+#include "envoy/http/header_map.h"
+#include "envoy/network/filter.h"
+#include "envoy/tracing/http_tracer.h"
+
+#include "api/auth/external_auth.pb.h"
+
+namespace Envoy {
+namespace ExtAuthz {
+
+using envoy::api::v2::auth::CheckRequest;
+
+/**
+ * Possible async results for a check call.
+ */
+enum class CheckStatus {
+  // The request is authorized.
+  OK,
+  // The authz service could not be queried.
+  Error,
+  // The request is denied.
+  Denied
+};
+
+/**
+ * Async callbacks used during check() calls.
+ */
+class RequestCallbacks {
+public:
+  virtual ~RequestCallbacks() {}
+
+  /**
+   * Called when a check request is complete. The resulting status is supplied.
+   */
+  virtual void complete(CheckStatus status) PURE;
+};
+
+
+class Client {
+ public:
+  // Destructor
+  virtual ~Client() {}
+
+  /**
+   * Cancel an inflight Check request.
+   */
+  virtual void cancel() PURE;
+
+  // A check call.
+  virtual void check(RequestCallbacks &callback, const CheckRequest& request,
+                     Tracing::Span& parent_span) PURE;
+
+};
+
+typedef std::unique_ptr<Client> ClientPtr;
+
+/**
+ * An interface for creating a  external authorization client.
+ */
+class ClientFactory {
+public:
+  virtual ~ClientFactory() {}
+
+  /**
+   * Return a new authz client.
+   */
+  virtual ClientPtr create(const Optional<std::chrono::milliseconds>& timeout) PURE;
+};
+
+typedef std::unique_ptr<ClientFactory> ClientFactoryPtr;
+
+
+/**
+ * An interface for creating ext_authz.proto (authorization) request.
+ */
+class CheckRequestGenIntf {
+public:
+    // Destructor
+  virtual ~CheckRequestGenIntf() {}
+
+  virtual void createHttpCheck(const Envoy::Http::StreamDecoderFilterCallbacks* callbacks,
+                               const Envoy::Http::HeaderMap &headers,
+                               envoy::api::v2::auth::CheckRequest& request) PURE;
+  virtual void createTcpCheck(const Network::ReadFilterCallbacks* callbacks,
+                              envoy::api::v2::auth::CheckRequest& request) PURE;
+};
+
+typedef std::unique_ptr<CheckRequestGenIntf> CheckRequestGenIntfPtr;
+
+} // namespace ExtAuthz
+} // namespace Envoy
+

include/envoy/request_info/request_info.h

@@ -38,8 +38,10 @@ enum ResponseFlag {
   FaultInjected = 0x400,
   // Request was ratelimited locally by rate limit filter.
   RateLimited = 0x800,
+  // Request was unauthorized.
+  Unauthorized = 0x1000,
   // ATTENTION: MAKE SURE THIS REMAINS EQUAL TO THE LAST FLAG.
-  LastFlag = RateLimited
+  LastFlag = Unauthorized
 };
 
 /**

source/common/access_log/grpc_access_log_impl.cc

@@ -82,7 +82,7 @@ void HttpGrpcAccessLog::responseFlagsToAccessLogResponseFlags(
     envoy::api::v2::filter::accesslog::AccessLogCommon& common_access_log,
     const RequestInfo::RequestInfo& request_info) {
 
-  static_assert(RequestInfo::ResponseFlag::LastFlag == 0x800,
+  static_assert(RequestInfo::ResponseFlag::LastFlag == 0x1000,
                 "A flag has been added. Fix this code.");
 
   if (request_info.getResponseFlag(RequestInfo::ResponseFlag::FailedLocalHealthCheck)) {
@@ -132,6 +132,13 @@ void HttpGrpcAccessLog::responseFlagsToAccessLogResponseFlags(
   if (request_info.getResponseFlag(RequestInfo::ResponseFlag::RateLimited)) {
     common_access_log.mutable_response_flags()->set_rate_limited(true);
   }
+
+  // @saumoh: TBD To the accesslog.proto
+  //
+  // if (request_info.getResponseFlag(RequestInfo::ResponseFlag::Unauthorized)) {
+  //  common_access_log.mutable_response_flags()->set_unauthorized(true);
+  // }
+
 }
 
 void HttpGrpcAccessLog::log(const Http::HeaderMap* request_headers,

source/common/config/BUILD

@@ -91,12 +91,14 @@ envoy_cc_library(
     external_deps = [
         "envoy_filter_network_http_connection_manager",
         "envoy_filter_http_buffer",
+        "envoy_filter_http_ext_authz",
         "envoy_filter_http_lua",
         "envoy_filter_http_fault",
         "envoy_filter_http_health_check",
         "envoy_filter_http_rate_limit",
         "envoy_filter_http_transcoder",
         "envoy_filter_http_router",
+        "envoy_filter_network_ext_authz",
         "envoy_filter_network_mongo_proxy",
         "envoy_filter_network_redis_proxy",
         "envoy_filter_network_tcp_proxy",

source/common/config/filter_json.cc

@@ -399,5 +399,36 @@ void FilterJson::translateClientSslAuthFilter(
                                       *proto_config.mutable_ip_white_list());
 }
 
+void FilterJson::translateTcpExtAuthzFilter(
+    const Json::Object& json_config, envoy::api::v2::filter::network::ExtAuthz& proto_config) {
+  json_config.validateSchema(Json::Schema::EXT_AUTHZ_NETWORK_FILTER_SCHEMA);
+
+  JSON_UTIL_SET_STRING(json_config, proto_config, stat_prefix);
+  proto_config.set_failure_mode_allow(json_config.getBoolean("failure_mode_allow", false));
+
+  const auto &json_grpc_cluster = json_config.getObject("grpc_cluster", false);
+  auto *grpc_service = proto_config.mutable_grpc_service();
+  JSON_UTIL_SET_DURATION(*json_grpc_cluster, *grpc_service, timeout);
+
+  auto *grpc_cluster = grpc_service->mutable_envoy_grpc();
+  JSON_UTIL_SET_STRING(*json_grpc_cluster, *grpc_cluster, cluster_name);
+}
+
+void FilterJson::translateHttpExtAuthzFilter(
+    const Json::Object& json_config, envoy::api::v2::filter::http::ExtAuthz& proto_config) {
+  json_config.validateSchema(Json::Schema::EXT_AUTHZ_HTTP_FILTER_SCHEMA);
+
+  proto_config.set_failure_mode_allow(json_config.getBoolean("failure_mode_allow", false));
+
+
+  const auto &json_grpc_cluster = json_config.getObject("grpc_cluster", false);
+  auto *grpc_service = proto_config.mutable_grpc_service();
+  JSON_UTIL_SET_DURATION(*json_grpc_cluster, *grpc_service, timeout);
+
+  auto *grpc_cluster = grpc_service->mutable_envoy_grpc();
+  JSON_UTIL_SET_STRING(*json_grpc_cluster, *grpc_cluster, cluster_name);
+}
+
+
 } // namespace Config
 } // namespace Envoy

source/common/config/filter_json.h

@@ -3,13 +3,15 @@
 #include "envoy/json/json_object.h"
 
 #include "api/filter/http/buffer.pb.h"
+#include "api/filter/http/ext_authz.pb.h"
 #include "api/filter/http/fault.pb.h"
 #include "api/filter/http/health_check.pb.h"
 #include "api/filter/http/lua.pb.h"
 #include "api/filter/http/rate_limit.pb.h"
 #include "api/filter/http/router.pb.h"
 #include "api/filter/http/transcoder.pb.h"
 #include "api/filter/network/client_ssl_auth.pb.h"
+#include "api/filter/network/ext_authz.pb.h"
 #include "api/filter/network/http_connection_manager.pb.h"
 #include "api/filter/network/mongo_proxy.pb.h"
 #include "api/filter/network/rate_limit.pb.h"
@@ -157,6 +159,24 @@ class FilterJson {
   static void
   translateClientSslAuthFilter(const Json::Object& json_config,
                                envoy::api::v2::filter::network::ClientSSLAuth& proto_config);
+
+  /**
+   * Translate a v1 JSON TCP external Authorization filter object to v2
+   * envoy::api::v2::filter::network::ExtAuthz.
+   * @param json_config source v1 JSON Tc Authorization Filter object.
+   * @param proto_config destination v2 envoy::api::v2::filter::network::Authz
+   */
+  static void translateTcpExtAuthzFilter(const Json::Object &json_config,
+                                         envoy::api::v2::filter::network::ExtAuthz& proto_config);
+
+  /**
+   * Translate a v1 JSON HTTP external Authorization filter object to v2
+   * envoy::api::v2::filter::http::ExtAuthz.
+   * @param json_config source v1 JSON HTTP Authorization Filter object.
+   * @param proto_config destination v2 envoy::api::v2::filter::http::Authz.
+   */
+  static void translateHttpExtAuthzFilter(const Json::Object& json_config,
+                                          envoy::api::v2::filter::http::ExtAuthz& proto_config);
 };
 
 } // namespace Config

source/common/config/well_known_names.h

@@ -66,13 +66,15 @@ class NetworkFilterNameValues {
   const std::string REDIS_PROXY = "envoy.redis_proxy";
   // IP tagging filter
   const std::string TCP_PROXY = "envoy.tcp_proxy";
+  // Authorization filter
+  const std::string EXT_AUTHORIZATION = "envoy.ext_authz";
 
   // Converts names from v1 to v2
   const V1Converter v1_converter_;
 
   NetworkFilterNameValues()
       : v1_converter_({CLIENT_SSL_AUTH, ECHO, HTTP_CONNECTION_MANAGER, MONGO_PROXY, RATE_LIMIT,
-                       REDIS_PROXY, TCP_PROXY}) {}
+                       REDIS_PROXY, TCP_PROXY, EXT_AUTHORIZATION}) {}
 };
 
 typedef ConstSingleton<NetworkFilterNameValues> NetworkFilterNames;
@@ -117,13 +119,16 @@ class HttpFilterNameValues {
   const std::string HEALTH_CHECK = "envoy.health_check";
   // Lua filter
   const std::string LUA = "envoy.lua";
+  // External Authorization filter
+  const std::string EXT_AUTHORIZATION = "envoy.ext_authz";
+
 
   // Converts names from v1 to v2
   const V1Converter v1_converter_;
 
   HttpFilterNameValues()
       : v1_converter_({BUFFER, CORS, DYNAMO, FAULT, GRPC_HTTP1_BRIDGE, GRPC_JSON_TRANSCODER,
-                       GRPC_WEB, HEALTH_CHECK, IP_TAGGING, RATE_LIMIT, ROUTER, LUA}) {}
+                       GRPC_WEB, HEALTH_CHECK, IP_TAGGING, RATE_LIMIT, ROUTER, LUA, EXT_AUTHORIZATION}) {}
 };
 
 typedef ConstSingleton<HttpFilterNameValues> HttpFilterNames;

source/common/ext_authz/BUILD

@@ -0,0 +1,30 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "ext_authz_lib",
+    srcs = ["ext_authz_impl.cc"],
+    hdrs = ["ext_authz_impl.h"],
+    external_deps = ["envoy_bootstrap"],
+    deps = [
+        "//include/envoy/ext_authz:ext_authz_interface",
+        "//include/envoy/grpc:async_client_interface",
+        "//include/envoy/http:protocol_interface",
+        "//include/envoy/network:address_interface",
+        "//include/envoy/network:connection_interface",
+        "//include/envoy/upstream:cluster_manager_interface",
+        "//include/envoy/ssl:connection_interface",
+        "//source/common/common:assert_lib",
+        "//source/common/grpc:async_client_lib",
+        "//source/common/http:headers_lib",
+        "//source/common/tracing:http_tracer_lib",
+    ],
+)
+