envoyproxy · htuch · Feb 20, 2018 · Jan 19, 2018 · Jan 23, 2018 · Jan 24, 2018
diff --git a/source/common/ext_authz/ext_authz_impl.cc b/source/common/ext_authz/ext_authz_impl.cc
@@ -66,9 +66,9 @@ void GrpcClientImpl::onFailure(Grpc::Status::GrpcStatus status, const std::strin
   callbacks_ = nullptr;
 }
 
-void CreateCheckRequest::setAttrContextPeer(envoy::service::auth::v2::AttributeContext_Peer& peer,
-                                            const Network::Connection& connection,
-                                            const std::string& service, const bool local) {
+void CheckRequestUtils::setAttrContextPeer(envoy::service::auth::v2::AttributeContext_Peer& peer,
+                                           const Network::Connection& connection,
+                                           const std::string& service, const bool local) {
 
   // Set the address
   auto addr = peer.mutable_address();
@@ -103,14 +103,14 @@ void CreateCheckRequest::setAttrContextPeer(envoy::service::auth::v2::AttributeC
   }
 }
 
-std::string CreateCheckRequest::getHeaderStr(const Envoy::Http::HeaderEntry* entry) {
+std::string CheckRequestUtils::getHeaderStr(const Envoy::Http::HeaderEntry* entry) {
   if (entry) {
     return entry->value().getString();
   }
   return "";
 }
 
-void CreateCheckRequest::setHttpRequest(
+void CheckRequestUtils::setHttpRequest(
     ::envoy::service::auth::v2::AttributeContext_HttpRequest& httpreq,
     const Envoy::Http::StreamDecoderFilterCallbacks* callbacks,
     const Envoy::Http::HeaderMap& headers) {
@@ -152,16 +152,16 @@ void CreateCheckRequest::setHttpRequest(
       mutable_headers);
 }
 
-void CreateCheckRequest::setAttrContextRequest(
+void CheckRequestUtils::setAttrContextRequest(
     ::envoy::service::auth::v2::AttributeContext_Request& req,
     const Envoy::Http::StreamDecoderFilterCallbacks* callbacks,
     const Envoy::Http::HeaderMap& headers) {
   setHttpRequest(*req.mutable_http(), callbacks, headers);
 }
 
-void CreateCheckRequest::createHttpCheck(const Envoy::Http::StreamDecoderFilterCallbacks* callbacks,
-                                         const Envoy::Http::HeaderMap& headers,
-                                         envoy::service::auth::v2::CheckRequest& request) {
+void CheckRequestUtils::createHttpCheck(const Envoy::Http::StreamDecoderFilterCallbacks* callbacks,
+                                        const Envoy::Http::HeaderMap& headers,
+                                        envoy::service::auth::v2::CheckRequest& request) {
 
   auto attrs = request.mutable_attributes();
 
@@ -175,8 +175,8 @@ void CreateCheckRequest::createHttpCheck(const Envoy::Http::StreamDecoderFilterC
   setAttrContextRequest(*attrs->mutable_request(), callbacks, headers);
 }
 
-void CreateCheckRequest::createTcpCheck(const Network::ReadFilterCallbacks* callbacks,
-                                        envoy::service::auth::v2::CheckRequest& request) {
+void CheckRequestUtils::createTcpCheck(const Network::ReadFilterCallbacks* callbacks,
+                                       envoy::service::auth::v2::CheckRequest& request) {
 
   auto attrs = request.mutable_attributes();
 

diff --git a/source/common/ext_authz/ext_authz_impl.h b/source/common/ext_authz/ext_authz_impl.h
@@ -63,13 +63,13 @@ class GrpcClientImpl : public Client, public ExtAuthzAsyncCallbacks {
 
 /**
  * For creating ext_authz.proto (authorization) request.
- * CreateCheckRequest is used to extract attributes from the TCP/HTTP request
+ * CheckRequestUtils is used to extract attributes from the TCP/HTTP request
  * and fill out the details in the authorization protobuf that is sent to authorization
  * service.
  * The specific information in the request is as per the specification in the
  * data-plane-api.
  */
-class CreateCheckRequest {
+class CheckRequestUtils {
 public:
   /**
    * createHttpCheck is used to extract the attributes from the stream and the http headers

diff --git a/source/common/filter/BUILD b/source/common/filter/BUILD
@@ -65,3 +65,21 @@ envoy_cc_library(
         "@envoy_api//envoy/config/filter/network/tcp_proxy/v2:tcp_proxy_cc",
     ],
 )
+
+envoy_cc_library(
+    name = "ext_authz_lib",
+    srcs = ["ext_authz.cc"],
+    hdrs = ["ext_authz.h"],
+    deps = [
+        "//include/envoy/ext_authz:ext_authz_interface",
+        "//include/envoy/network:connection_interface",
+        "//include/envoy/network:filter_interface",
+        "//include/envoy/runtime:runtime_interface",
+        "//include/envoy/stats:stats_macros",
+        "//include/envoy/upstream:cluster_manager_interface",
+        "//source/common/common:assert_lib",
+        "//source/common/ext_authz:ext_authz_lib",
+        "//source/common/tracing:http_tracer_lib",
+        "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc",
+    ],
+)
diff --git a/source/common/filter/ext_authz.cc b/source/common/filter/ext_authz.cc
@@ -0,0 +1,90 @@
+#include "common/filter/ext_authz.h"
+
+#include <cstdint>
+#include <string>
+
+#include "common/common/assert.h"
+#include "common/tracing/http_tracer_impl.h"
+
+#include "fmt/format.h"
+
+namespace Envoy {
+namespace ExtAuthz {
+namespace TcpFilter {
+
+InstanceStats Config::generateStats(const std::string& name, Stats::Scope& scope) {
+  const std::string final_prefix = fmt::format("ext_authz.{}.", name);
+  return {ALL_TCP_EXT_AUTHZ_STATS(POOL_COUNTER_PREFIX(scope, final_prefix),
+                                  POOL_GAUGE_PREFIX(scope, final_prefix))};
+}
+
+void Instance::callCheck() {
+  CheckRequestUtils::createTcpCheck(filter_callbacks_, checkRequest_);
+
+  status_ = Status::Calling;
+  config_->stats().active_.inc();
+  config_->stats().total_.inc();
+
+  calling_check_ = true;
+  client_->check(*this, checkRequest_, Tracing::NullSpan::instance());
+  calling_check_ = false;
+}
+
+Network::FilterStatus Instance::onData(Buffer::Instance&) {
+  if (status_ == Status::NotStarted) {
+    // By waiting to invoke the check at onData() the call to authorization service will have
+    // sufficient information to fillout the checkRequest_.
+    callCheck();
+  }
+  return status_ == Status::Calling ? Network::FilterStatus::StopIteration
+                                    : Network::FilterStatus::Continue;
+}
+
+Network::FilterStatus Instance::onNewConnection() {
+  // Wait till onData() happens.
+  return Network::FilterStatus::Continue;
+}
+
+void Instance::onEvent(Network::ConnectionEvent event) {
+  if (event == Network::ConnectionEvent::RemoteClose ||
+      event == Network::ConnectionEvent::LocalClose) {
+    if (status_ == Status::Calling) {
+      // Make sure that any pending request in the client is cancelled. This will be NOP if the
+      // request already completed.
+      client_->cancel();
+      config_->stats().active_.dec();
+    }
+  }
+}
+
+void Instance::onComplete(CheckStatus status) {
+  status_ = Status::Complete;
+  config_->stats().active_.dec();
+
+  switch (status) {
+  case CheckStatus::OK:
+    config_->stats().ok_.inc();
+    break;
+  case CheckStatus::Error:
+    config_->stats().error_.inc();
+    break;
+  case CheckStatus::Denied:
+    config_->stats().denied_.inc();
+    break;
+  }
+
+  // Fail open only if configured to do so and if the check status was a error.
+  if (status == CheckStatus::Denied || (status == CheckStatus::Error && !config_->failOpen())) {
+    config_->stats().cx_closed_.inc();
+    filter_callbacks_->connection().close(Network::ConnectionCloseType::NoFlush);
+  } else {
+    // We can get completion inline, so only call continue if that isn't happening.
+    if (!calling_check_) {
+      filter_callbacks_->continueReading();
+    }
+  }
+}
+
+} // namespace TcpFilter
+} // namespace ExtAuthz
+} // namespace Envoy
diff --git a/source/common/filter/ext_authz.h b/source/common/filter/ext_authz.h
@@ -0,0 +1,107 @@
+#pragma once
+
+#include <cstdint>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include "envoy/config/filter/network/ext_authz/v2/ext_authz.pb.h"
+#include "envoy/ext_authz/ext_authz.h"
+#include "envoy/network/connection.h"
+#include "envoy/network/filter.h"
+#include "envoy/runtime/runtime.h"
+#include "envoy/stats/stats_macros.h"
+#include "envoy/upstream/cluster_manager.h"
+
+#include "common/ext_authz/ext_authz_impl.h"
+
+namespace Envoy {
+namespace ExtAuthz {
+namespace TcpFilter {
+
+/**
+ * All tcp external authorization stats. @see stats_macros.h
+ */
+// clang-format off
+#define ALL_TCP_EXT_AUTHZ_STATS(COUNTER, GAUGE)         \
+  COUNTER(total)                                        \
+  COUNTER(error)                                        \
+  COUNTER(denied)                                      \
+  COUNTER(ok)                                           \
+  COUNTER(cx_closed)                                    \
+  GAUGE  (active)
+// clang-format on
+
+/**
+ * Struct definition for all external authorization stats. @see stats_macros.h
+ */
+struct InstanceStats {
+  ALL_TCP_EXT_AUTHZ_STATS(GENERATE_COUNTER_STRUCT, GENERATE_GAUGE_STRUCT)
+};
+
+/**
+ * Global configuration for ExtAuthz filter.
+ */
+class Config {
+public:
+  Config(const envoy::config::filter::network::ext_authz::v2::ExtAuthz& config, Stats::Scope& scope)
+      : stats_(generateStats(config.stat_prefix(), scope)),
+        failure_mode_allow_(config.failure_mode_allow()) {}
+
+  const InstanceStats& stats() { return stats_; }
+  bool failOpen() const { return failure_mode_allow_; }
+  void setFailModeAllow(bool value) { failure_mode_allow_ = value; }
+
+private:
+  static InstanceStats generateStats(const std::string& name, Stats::Scope& scope);
+  const InstanceStats stats_;
+  bool failure_mode_allow_;
+};
+
+typedef std::shared_ptr<Config> ConfigSharedPtr;
+
+/**
+ * ExtAuthz filter instance. This filter will call the Authorization service with the given
+ * configuration parameters. If the authorization service returns an error or a deny the
+ * connection will be closed without any further filters being called. Otherwise all buffered
+ * data will be released to further filters.
+ */
+class Instance : public Network::ReadFilter,
+                 public Network::ConnectionCallbacks,
+                 public RequestCallbacks {
+public:
+  Instance(ConfigSharedPtr config, ClientPtr&& client)
+      : config_(config), client_(std::move(client)) {}
+  ~Instance() {}
+
+  // Network::ReadFilter
+  Network::FilterStatus onData(Buffer::Instance& data) override;
+  Network::FilterStatus onNewConnection() override;
+  void initializeReadFilterCallbacks(Network::ReadFilterCallbacks& callbacks) override {
+    filter_callbacks_ = &callbacks;
+    filter_callbacks_->connection().addConnectionCallbacks(*this);
+  }
+
+  // Network::ConnectionCallbacks
+  void onEvent(Network::ConnectionEvent event) override;
+  void onAboveWriteBufferHighWatermark() override {}
+  void onBelowWriteBufferLowWatermark() override {}
+
+  // ExtAuthz::RequestCallbacks
+  void onComplete(CheckStatus status) override;
+
+private:
+  enum class Status { NotStarted, Calling, Complete };
+  void callCheck();
+
+  ConfigSharedPtr config_;
+  ClientPtr client_;
+  Network::ReadFilterCallbacks* filter_callbacks_{};
+  Status status_{Status::NotStarted};
+  bool calling_check_{};
+  envoy::service::auth::v2::CheckRequest checkRequest_{};
+};
+
+} // TcpFilter
+} // namespace ExtAuthz
+} // namespace Envoy
diff --git a/source/exe/BUILD b/source/exe/BUILD
@@ -49,6 +49,7 @@ envoy_cc_library(
         "//source/server/config/listener:proxy_protocol_lib",
         "//source/server/config/network:client_ssl_auth_lib",
         "//source/server/config/network:echo_lib",
+        "//source/server/config/network:ext_authz_lib",
         "//source/server/config/network:http_connection_manager_lib",
         "//source/server/config/network:ratelimit_lib",
         "//source/server/config/network:raw_buffer_socket_lib",

diff --git a/source/server/config/network/BUILD b/source/server/config/network/BUILD
@@ -146,3 +146,17 @@ envoy_cc_library(
         "@envoy_api//envoy/api/v2/auth:cert_cc",
     ],
 )
+
+envoy_cc_library(
+    name = "ext_authz_lib",
+    srcs = ["ext_authz.cc"],
+    hdrs = ["ext_authz.h"],
+    deps = [
+        "//include/envoy/registry",
+        "//include/envoy/server:filter_config_interface",
+        "//source/common/config:well_known_names",
+        "//source/common/filter:ext_authz_lib",
+        "//source/common/protobuf:utility_lib",
+        "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc",
+    ],
+)
diff --git a/source/server/config/network/ext_authz.cc b/source/server/config/network/ext_authz.cc
@@ -0,0 +1,69 @@
+#include "server/config/network/ext_authz.h"
+
+#include <chrono>
+#include <string>
+
+#include "envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.h"
+#include "envoy/ext_authz/ext_authz.h"
+#include "envoy/network/connection.h"
+#include "envoy/registry/registry.h"
+
+#include "common/ext_authz/ext_authz_impl.h"
+#include "common/filter/ext_authz.h"
+#include "common/protobuf/utility.h"
+
+namespace Envoy {
+namespace Server {
+namespace Configuration {
+
+NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilter(
+    const envoy::config::filter::network::ext_authz::v2::ExtAuthz& proto_config,
+    FactoryContext& context) {
+
+  ASSERT(!proto_config.stat_prefix().empty());
+  ASSERT(!proto_config.grpc_service().envoy_grpc().cluster_name().empty());
+
+  ExtAuthz::TcpFilter::ConfigSharedPtr ext_authz_config(
+      new ExtAuthz::TcpFilter::Config(proto_config, context.scope()));
+  const uint32_t timeout_ms = PROTOBUF_GET_MS_OR_DEFAULT(proto_config.grpc_service(), timeout, 200);
+
+  return [ grpc_service = proto_config.grpc_service(), &context, ext_authz_config,
+           timeout_ms ](Network::FilterManager & filter_manager)
+      ->void {
+
+    auto async_client_factory =
+        context.clusterManager().grpcAsyncClientManager().factoryForGrpcService(grpc_service,
+                                                                                context.scope());
+
+    auto client = std::make_unique<Envoy::ExtAuthz::GrpcClientImpl>(
+        async_client_factory->create(), std::chrono::milliseconds(timeout_ms));
+    filter_manager.addReadFilter(Network::ReadFilterSharedPtr{
+        new ExtAuthz::TcpFilter::Instance(ext_authz_config, std::move(client))});
+  };
+}
+
+NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilterFactory(const Json::Object& json_config,
+                                                                  FactoryContext& context) {
+  envoy::config::filter::network::ext_authz::v2::ExtAuthz proto_config;
+  MessageUtil::loadFromJson(json_config.asJsonString(), proto_config);
+  return createFilter(proto_config, context);
+}
+
+NetworkFilterFactoryCb
+ExtAuthzConfigFactory::createFilterFactoryFromProto(const Protobuf::Message& proto_config,
+                                                    FactoryContext& context) {
+  return createFilter(
+      MessageUtil::downcastAndValidate<
+          const envoy::config::filter::network::ext_authz::v2::ExtAuthz&>(proto_config),
+      context);
+}
+
+/**
+ * Static registration for the external authorization filter. @see RegisterFactory.
+ */
+static Registry::RegisterFactory<ExtAuthzConfigFactory, NamedNetworkFilterConfigFactory>
+    registered_;
+
+} // namespace Configuration
+} // namespace Server
+} // namespace Envoy