Support for external authorization tcp filter.

[saumoh]

Title
Authorization TCP and HTTP filters using an external gRPC service.
Patch 2 of 3: TCP filter.

Description
As per the feedback on #2359 I am breaking it up into three PR's.

The patch in this PR adds support for the TCP filter.
This PR implements the discussing we had in #2291.

Testing
I have tested this on my local setup with an external gRPC authorization server. I have also added UT's for the TCP filter.

Risk
Low: Because only the users of this filter will be impacted. It should not impact general stability of Envoy it self.

Caveats

• The merge of this PR is dependent on the commit of Support for external authorization grpc service. #2415 into master. Once that is merged and this branch is in sync the change set here will build succesfully.

Signed-off-by: Saurabh Mohan saurabh+github@tigera.io

[htuch]

@junr03 could you take a first pass on this?

[saumoh]

@junr03, @htuch Not in any particular rush from my end but just want to make sure it is in your radar. :-)
Thanks.

[junr03]

@saumoh yes still on my radar. Sorry for the delay. I have been sick this week, so I had to prioritize my screen time. I will take a first pass this afternoon.

[saumoh]

@junr03 hope you feel better soon...this can wait till then!

[junr03]

thanks for splitting this work into 3 easily digestible steps. Some comments to get started.

[junr03]

@envoyproxy/senior-maintainers I noticed we are inconsistent about the naming of these filter config classes, i.e some have "filter" in them some dont.

[htuch]

I think this is fine, but if we want to have some standard to make things consistent we can put it in STYLE.md.

[junr03]

I would update the documentation with an attention blob that says that the filter only works with envoy grpc https://github.com/envoyproxy/data-plane-api/blob/master/envoy/config/filter/network/ext_authz/v2/ext_authz.proto#L18

[junr03]

nit: newline

[junr03]

please expand this comment. If I understand correctly, what you are trying to express is that there are two ways to initiate the external authz check, either when the filter gets an onEvent callback with a ConnectionEvent::Connected after a succesful ssl handshake or after an onData callback if the connection is not over ssl. I would make this more clear in this comment

[junr03]

move the comment above here

[junr03]

same as above

[junr03]

I would set expectations on the other stats to be 0

[saumoh]

added those.

[junr03]

comment for all the tests: can you set expectations on the active gauge

[saumoh]

The destructor checks for the gauge. But if that isn't read-able then i can add a check for the gauge.

[junr03]

there is no test with default (false)

[saumoh]

Thanks for catching this. Added a test.

[junr03]

Not a very descriptive test name. And I am actually having a tough time groking what it is that you want to test here. Do you mind clarifying

[htuch]

I also like the idea of adding a leading comment line for tests that aren't obvious/trivial. E.g.:

// Validate error handling when foo does bar with baz.
TEST_F(ExtAuthzFilterTest, Error) {

[saumoh]

@junr03 Thanks for the detailed review comments. I think I have addressed all of them.
I created the PR in data-plane-api also: envoyproxy/data-plane-api#491

[htuch]

Looks good, a few comments.

[htuch]

Nit: const.

[htuch]

I should have picked up on this at the time, but can you rename from CreateCheckRequest to CheckRequestUtils or something? Package and class name should be nouns, not verbs.

[htuch]

Can you integrate this state variable with status_ somehow? Having multiple state variables makes it harder to reason about.

[saumoh]

@htuch thanks for the review. I've addressed other changes. For this one I really found it more difficult to combine calling_check_ with status_.
calling_check_ is specifically to check for on stack callback; i.e when onComplete is invoked in the same call stack. When I tried to combine it into status_ it ended up with status_ CallingOnStack, CallingOffStack; which made it more confusing to me.

To me these two states feel disjoint. Any suggestions on how to address it?

[htuch]

I think you might want to retain ownership of request until it has been sent, the gRPC client doesn't make a copy and only guarantees the send happens after you receive a response.

[htuch]

Thanks for addressing last round of feedback, a few more comments/questions.

[htuch]

Should we assert or if condition on this event type?

[htuch]

Why do we treat SSL and non-SSL differently? Why not, in both cases, wait until we get the first onData? Then we can pause the pipe and perform auth check. Seems like that would have simpler flow, but I may well be missing something here, so interested to hear your thoughts.

[saumoh]

That is a very good point/observation. Deferring to onData() would definitely simplify the call logic.

[junr03]

nice, I didnt think about that

[htuch]

Nit: s/hasn/hasn't/

[htuch]

Should this be deferred until we know we are going to be successful and want to continue reading?

[htuch]

We only need this for v1 config; are we supporting v1 ext_authz?

[saumoh]

we are doing only v2. This helps in specifying the configuration as v2 json and still use it without rigging up a xDS server.

[htuch]

Not sure this is strictly needed for v2 JSON, this should only apply to v1 JSON placed in deprecated_v1. Does the test fail if you don't have this?

[saumoh]

afaik this function is the entry point when I give envoy executable a configuration file envoy.conf and I can then specify the filter's configuration like:

      "filters": [
        {
         "type": "read",
         "name": "ext_authz",
         "config": { 
                     "stat_prefix": "authz",
                     "grpc_service": {
                        "envoy_grpc": { "cluster_name": "authz_server" }
                      },
                     "failure_mode_allow": true
                   }
        },

And that way I can run an end-2-end system.
i'll remove it since it seems to be not what Envoy natively expects to support.

[htuch]

I wonder if readDisable(false) above is sufficient, and you don't need to do this; it's docs say it will restart the read pipeline, and redispatch pending data. Does this work for this filter? That could eliminate the need to maintain calling_check_.

[saumoh]

Moving readDisable(false) here -which is what u were asking about at the top of this function-makes sense.
From what I understood-which may be totally wrong-is that readDisable(false) was to get the socket buffer pipeline moving and the filter_callbacks_->continueReading() is to get the filter chain iteration moving forward. The filter iteration may have been stopped iff the callCheck()and the onComplete() callback happened asynchronously.
But if they both are invoked in the same call stack then the filter chain was never stopped, hence it doesn't need to be kick started again by invoking filter_callbacks_->continueReading().

[saumoh]

I think that filter_callback->connection().readDisable(false|true) will no longer be necessary since now we will invoke the external authz service from onData() which clearly returns either a StopIteration or Continue and NOT from onEvent().

[htuch]

Last couple of things and we can ship. This is looking great, thanks for your patience through the review process.

[htuch]

Not sure this is strictly needed for v2 JSON, this should only apply to v1 JSON placed in deprecated_v1. Does the test fail if you don't have this?

[htuch]

This file is missing coverage, see https://27311-65214191-gh.circle-artifacts.com/0/build/envoy/generated/coverage/coverage.source_server_config_network_ext_authz.cc.html. Can you add tests? See https://github.com/envoyproxy/envoy/tree/master/test/server/config for examples.

[saumoh]

my bad...thanks for catching that. Let me address this.

[saumoh]

@htuch Quick clarification please. The NamedNetworkFilterFactory expects an implementation for createFilterFactory.
Should v2 only implementations throw an exception in this case?

[saumoh]

@htuch Thanks for all your feedback and patience in working through these PR's.
I've added the missing test cases. Based off your recommendation for what to do for v2 only createFilterFactory(). (throw exception/or something else). I'll modify the code and the corresponding test.

[htuch]

@saumoh re: NamedNetworkFilterFactory question, see https://github.com/envoyproxy/envoy/blob/master/source/server/config/http/gzip.cc#L23 for example.

[htuch]

Thanks, appreciate all the changes, this is rad.

[htuch]

FYI, we now generally prefer YAML examples and using MessageUtil::loadFromYaml, but we can fix this later or leave it as is, I'd like to unblock your other PR review.

[htuch]

@saumoh I'm seeing build failures on master following the merge here, e.g. https://circleci.com/gh/envoyproxy/envoy/27658?utm_campaign=build-failed&utm_content=failing-command&utm_medium=email#tests/containers/0/actions/103

Can you take a look? Thanks. CC @danielhochman who is on-call for maintainer rotation this week.

[saumoh]

@htuch thanks for addressing the post merge issue. I just got in and was starting to look!

[htuch]

@saumoh NP. A good habit when working on PRs with rounds of reviews is to fetch/merge upstream each time you do a push. That way, the chance of this happening is reduced (but not eliminated). Try it out in your next PR review :)