diff --git a/REPO_LAYOUT.md b/REPO_LAYOUT.md new file mode 100644 index 0000000000000..eec6372d14e7d --- /dev/null +++ b/REPO_LAYOUT.md @@ -0,0 +1,26 @@ +# Repository layout overview + +This is a high level overview of how the repository is laid out to both aid in code investigation, +as well as to clearly specify how extensions are added to the repository. The top level directories +are: + +* `.circleci/`: +* `bazel/`: +* `ci/`: +* `configs/`: +* `docs/`: +* `examples/`: +* `include/`: +* `restarter/`: +* `source/`: +* `support/`: +* `test/`: +* `tools/`: + +## `include/` + +## `source/` + +## `test/` + +## Extension layout diff --git a/include/envoy/ext_authz/BUILD b/include/envoy/ext_authz/BUILD deleted file mode 100644 index 34318465f0e2a..0000000000000 --- a/include/envoy/ext_authz/BUILD +++ /dev/null @@ -1,18 +0,0 @@ -licenses(["notice"]) # Apache 2 - -load( - "//bazel:envoy_build_system.bzl", - "envoy_cc_library", - "envoy_package", -) - -envoy_package() - -envoy_cc_library( - name = "ext_authz_interface", - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/tracing:http_tracer_interface", - "@envoy_api//envoy/service/auth/v2:external_auth_cc", - ], -) diff --git a/source/common/filter/BUILD b/source/common/filter/BUILD index 2f51715556dff..75ff12a3e12dd 100644 --- a/source/common/filter/BUILD +++ b/source/common/filter/BUILD 
@@ -22,21 +22,3 @@ envoy_cc_library( "@envoy_api//envoy/config/filter/network/rate_limit/v2:rate_limit_cc", ], ) - -envoy_cc_library( - name = "ext_authz_lib", - srcs = ["ext_authz.cc"], - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/ext_authz:ext_authz_interface", - "//include/envoy/network:connection_interface", - "//include/envoy/network:filter_interface", - "//include/envoy/runtime:runtime_interface", - "//include/envoy/stats:stats_macros", - "//include/envoy/upstream:cluster_manager_interface", - "//source/common/common:assert_lib", - "//source/common/ext_authz:ext_authz_lib", - "//source/common/tracing:http_tracer_lib", - "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", - ], -) diff --git a/source/common/http/filter/BUILD b/source/common/http/filter/BUILD index d8d7781c178a4..69c784e867b2c 100644 --- a/source/common/http/filter/BUILD +++ b/source/common/http/filter/BUILD 
@@ -151,37 +151,3 @@ envoy_cc_library( "@envoy_api//envoy/config/filter/http/rate_limit/v2:rate_limit_cc", ], ) - -envoy_cc_library( - name = "ext_authz_lib", - srcs = ["ext_authz.cc"], - deps = [ - ":ext_authz_includes", - "//include/envoy/http:codes_interface", - "//source/common/common:assert_lib", - "//source/common/common:empty_string", - "//source/common/common:enum_to_int", - "//source/common/ext_authz:ext_authz_lib", - "//source/common/http:codes_lib", - "//source/common/router:config_lib", - ], -) - -envoy_cc_library( - name = "ext_authz_includes", - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/access_log:access_log_interface", - "//include/envoy/ext_authz:ext_authz_interface", - "//include/envoy/http:filter_interface", - "//include/envoy/local_info:local_info_interface", - "//include/envoy/runtime:runtime_interface", - "//include/envoy/upstream:cluster_manager_interface", - "//source/common/common:assert_lib", - "//source/common/http:header_map_lib", - "//source/common/json:config_schemas_lib", - "//source/common/json:json_loader_lib", - "//source/common/json:json_validator_lib", - "@envoy_api//envoy/config/filter/http/ext_authz/v2:ext_authz_cc", - ], -) diff --git a/source/exe/BUILD b/source/exe/BUILD index e1ca20454621c..54cdcf33171a8 100644 --- a/source/exe/BUILD +++ b/source/exe/BUILD @@ -41,7 +41,6 @@ envoy_cc_library( "//source/server/config/access_log:grpc_access_log_lib", "//source/server/config/http:buffer_lib", "//source/server/config/http:cors_lib", - "//source/server/config/http:ext_authz_lib", "//source/server/config/http:fault_lib", "//source/server/config/http:grpc_http1_bridge_lib", "//source/server/config/http:grpc_json_transcoder_lib", 
@@ -53,7 +52,6 @@ envoy_cc_library( "//source/server/config/http:router_lib", "//source/server/config/listener:original_dst_lib", "//source/server/config/listener:proxy_protocol_lib", - "//source/server/config/network:ext_authz_lib", "//source/server/config/network:http_connection_manager_lib", "//source/server/config/network:ratelimit_lib", "//source/server/config/network:raw_buffer_socket_lib", diff --git a/source/extensions/all_extensions.bzl b/source/extensions/all_extensions.bzl index 813a1b4d370db..ffe6ca1946ed9 100644 --- a/source/extensions/all_extensions.bzl +++ b/source/extensions/all_extensions.bzl @@ -4,8 +4,10 @@ # selection options such as maturity. def envoy_all_extensions(repository = ""): return [ + repository + "//source/extensions/filters/http/ext_authz:config", repository + "//source/extensions/filters/network/client_ssl_auth:config", repository + "//source/extensions/filters/network/echo:config", + repository + "//source/extensions/filters/network/ext_authz:config", repository + "//source/extensions/filters/network/mongo_proxy:config", repository + "//source/extensions/filters/network/tcp_proxy:config", ] diff --git a/source/common/ext_authz/BUILD b/source/extensions/filters/common/ext_authz/BUILD similarity index 81% rename from source/common/ext_authz/BUILD rename to source/extensions/filters/common/ext_authz/BUILD index 92c148e17a900..a722d043f95e4 100644 --- a/source/common/ext_authz/BUILD +++ b/source/extensions/filters/common/ext_authz/BUILD 
@@ -8,12 +8,21 @@ load( envoy_package() +envoy_cc_library( + name = "ext_authz_interface", + hdrs = ["ext_authz.h"], + deps = [ + "//include/envoy/tracing:http_tracer_interface", + "@envoy_api//envoy/service/auth/v2:external_auth_cc", + ], +) + envoy_cc_library( name = "ext_authz_lib", srcs = ["ext_authz_impl.cc"], hdrs = ["ext_authz_impl.h"], deps = [ - "//include/envoy/ext_authz:ext_authz_interface", + ":ext_authz_interface", "//include/envoy/grpc:async_client_interface", "//include/envoy/grpc:async_client_manager_interface", "//include/envoy/http:filter_interface", diff --git a/include/envoy/ext_authz/ext_authz.h b/source/extensions/filters/common/ext_authz/ext_authz.h similarity index 92% rename from include/envoy/ext_authz/ext_authz.h rename to source/extensions/filters/common/ext_authz/ext_authz.h index fd11a284ca85a..f5b466d77a62a 100644 --- a/include/envoy/ext_authz/ext_authz.h +++ b/source/extensions/filters/common/ext_authz/ext_authz.h @@ -10,6 +10,9 @@ #include "envoy/tracing/http_tracer.h" namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { /** @@ -64,4 +67,7 @@ class Client { typedef std::unique_ptr ClientPtr; } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/source/common/ext_authz/ext_authz_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_impl.cc similarity index 97% rename from source/common/ext_authz/ext_authz_impl.cc rename to source/extensions/filters/common/ext_authz/ext_authz_impl.cc index ff040a457eadf..cba61481ac8ef 100644 --- a/source/common/ext_authz/ext_authz_impl.cc +++ b/source/extensions/filters/common/ext_authz/ext_authz_impl.cc @@ -1,4 +1,4 @@ -#include "common/ext_authz/ext_authz_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" #include #include 
@@ -15,9 +15,10 @@ #include "common/network/utility.h" #include "common/protobuf/protobuf.h" -#include "fmt/format.h" - namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { GrpcClientImpl::GrpcClientImpl(Grpc::AsyncClientPtr&& async_client, @@ -191,4 +192,7 @@ void CheckRequestUtils::createTcpCheck(const Network::ReadFilterCallbacks* callb } } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/source/common/ext_authz/ext_authz_impl.h b/source/extensions/filters/common/ext_authz/ext_authz_impl.h similarity index 95% rename from source/common/ext_authz/ext_authz_impl.h rename to source/extensions/filters/common/ext_authz/ext_authz_impl.h index 2474369f8a25f..e9d46b2cab049 100644 --- a/source/common/ext_authz/ext_authz_impl.h +++ b/source/extensions/filters/common/ext_authz/ext_authz_impl.h @@ -5,7 +5,6 @@ #include #include -#include "envoy/ext_authz/ext_authz.h" #include "envoy/grpc/async_client.h" #include "envoy/grpc/async_client_manager.h" #include "envoy/http/filter.h" @@ -19,7 +18,12 @@ #include "common/singleton/const_singleton.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" + namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { typedef Grpc::TypedAsyncRequestCallbacks @@ -109,4 +113,7 @@ class CheckRequestUtils { }; } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/source/extensions/filters/http/ext_authz/BUILD b/source/extensions/filters/http/ext_authz/BUILD new file mode 100644 index 0000000000000..351dced3c19e6 --- /dev/null +++ b/source/extensions/filters/http/ext_authz/BUILD 
@@ -0,0 +1,38 @@ +licenses(["notice"]) # Apache 2 + +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_library", + "envoy_package", +) + +envoy_package() + +envoy_cc_library( + name = "ext_authz", + srcs = ["ext_authz.cc"], + hdrs = ["ext_authz.h"], + deps = [ + "//include/envoy/http:codes_interface", + "//source/common/common:assert_lib", + "//source/common/common:empty_string", + "//source/common/common:enum_to_int", + "//source/common/http:codes_lib", + "//source/common/router:config_lib", + "//source/extensions/filters/common/ext_authz:ext_authz_lib", + "@envoy_api//envoy/config/filter/http/ext_authz/v2:ext_authz_cc", + ], +) + +envoy_cc_library( + name = "config", + srcs = ["config.cc"], + hdrs = ["config.h"], + deps = [ + ":ext_authz", + "//include/envoy/registry", + "//include/envoy/server:filter_config_interface", + "//source/common/config:well_known_names", + "//source/common/protobuf:utility_lib", + ], +) diff --git a/source/server/config/http/ext_authz.cc b/source/extensions/filters/http/ext_authz/config.cc similarity index 52% rename from source/server/config/http/ext_authz.cc rename to source/extensions/filters/http/ext_authz/config.cc index ea859b0c17b0f..b9793bc794814 100644 --- a/source/server/config/http/ext_authz.cc +++ b/source/extensions/filters/http/ext_authz/config.cc @@ -1,4 +1,4 @@ -#include "server/config/http/ext_authz.h" +#include "extensions/filters/http/ext_authz/config.h" #include #include 
@@ -6,20 +6,22 @@ #include "envoy/config/filter/http/ext_authz/v2/ext_authz.pb.validate.h" #include "envoy/registry/registry.h" -#include "common/ext_authz/ext_authz_impl.h" -#include "common/http/filter/ext_authz.h" #include "common/protobuf/utility.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" +#include "extensions/filters/http/ext_authz/ext_authz.h" + namespace Envoy { -namespace Server { -namespace Configuration { +namespace Extensions { +namespace HttpFilters { +namespace ExtAuthz { -HttpFilterFactoryCb ExtAuthzFilterConfig::createFilter( +Server::Configuration::HttpFilterFactoryCb ExtAuthzFilterConfig::createFilter( const envoy::config::filter::http::ext_authz::v2::ExtAuthz& proto_config, const std::string&, - FactoryContext& context) { - auto filter_config = std::make_shared( - proto_config, context.localInfo(), context.scope(), context.runtime(), - context.clusterManager()); + Server::Configuration::FactoryContext& context) { + auto filter_config = + std::make_shared(proto_config, context.localInfo(), context.scope(), + context.runtime(), context.clusterManager()); const uint32_t timeout_ms = PROTOBUF_GET_MS_OR_DEFAULT(proto_config.grpc_service(), timeout, 200); return [ grpc_service = proto_config.grpc_service(), &context, filter_config, 
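Review bot: The fallback timeout `200` in `PROTOBUF_GET_MS_OR_DEFAULT(proto_config.grpc_service(), timeout, 200)` inside `ExtAuthzFilterConfig::createFilter` is an unnamed literal, and the network factory's `ExtAuthzConfigFactory::createFilter` in this commit repeats it. The value bounds how long a request waits on the authorization service. A timed-out check presumably surfaces as `CheckStatus::Error`, which the filter lets through when `failureModeAllow()` is set, so the default deserves a name and a comment. Consider one shared constant next to the common client, e.g. `constexpr uint32_t DefaultCheckTimeoutMs = 200;` with `// Default ext_authz check timeout when grpc_service.timeout is unset.`, used by both factories. The lambda that consumes `timeout_ms` continues past the end of this hunk.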
@@ -27,22 +29,23 @@ HttpFilterFactoryCb ExtAuthzFilterConfig::createFilter( auto async_client_factory = context.clusterManager().grpcAsyncClientManager().factoryForGrpcService(grpc_service, context.scope()); - auto client = std::make_unique( + auto client = std::make_unique( async_client_factory->create(), std::chrono::milliseconds(timeout_ms)); callbacks.addStreamDecoderFilter(Http::StreamDecoderFilterSharedPtr{ - std::make_shared(filter_config, std::move(client))}); + std::make_shared(filter_config, std::move(client))}); }; } -HttpFilterFactoryCb ExtAuthzFilterConfig::createFilterFactory(const Json::Object&, - const std::string&, FactoryContext&) { +Server::Configuration::HttpFilterFactoryCb +ExtAuthzFilterConfig::createFilterFactory(const Json::Object&, const std::string&, + Server::Configuration::FactoryContext&) { NOT_IMPLEMENTED; } -HttpFilterFactoryCb +Server::Configuration::HttpFilterFactoryCb ExtAuthzFilterConfig::createFilterFactoryFromProto(const Protobuf::Message& proto_config, const std::string& stats_prefix, - FactoryContext& context) { + Server::Configuration::FactoryContext& context) { return createFilter( MessageUtil::downcastAndValidate( proto_config), @@ -52,8 +55,11 @@ ExtAuthzFilterConfig::createFilterFactoryFromProto(const Protobuf::Message& prot /** * Static registration for the external authorization filter. @see RegisterFactory. */ -static Registry::RegisterFactory register_; +static Registry::RegisterFactory + register_; -} // namespace Configuration -} // namespace Server +} // namespace ExtAuthz +} // namespace HttpFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/extensions/filters/http/ext_authz/config.h b/source/extensions/filters/http/ext_authz/config.h new file mode 100644 index 0000000000000..50eda21be1a7b --- /dev/null +++ b/source/extensions/filters/http/ext_authz/config.h 
@@ -0,0 +1,44 @@ +#pragma once + +#include + +#include "envoy/config/filter/http/ext_authz/v2/ext_authz.pb.h" +#include "envoy/server/filter_config.h" + +#include "common/config/well_known_names.h" + +namespace Envoy { +namespace Extensions { +namespace HttpFilters { +namespace ExtAuthz { + +/** + * Config registration for the external authorization filter. @see NamedHttpFilterConfigFactory. + */ +class ExtAuthzFilterConfig : public Server::Configuration::NamedHttpFilterConfigFactory { +public: + Server::Configuration::HttpFilterFactoryCb + createFilterFactory(const Json::Object& json_config, const std::string&, + Server::Configuration::FactoryContext& context) override; + + Server::Configuration::HttpFilterFactoryCb + createFilterFactoryFromProto(const Protobuf::Message& proto_config, + const std::string& stats_prefix, + Server::Configuration::FactoryContext& context) override; + + ProtobufTypes::MessagePtr createEmptyConfigProto() override { + return ProtobufTypes::MessagePtr{new envoy::config::filter::http::ext_authz::v2::ExtAuthz()}; + } + + std::string name() override { return Config::HttpFilterNames::get().EXT_AUTHORIZATION; } + +private: + Server::Configuration::HttpFilterFactoryCb + createFilter(const envoy::config::filter::http::ext_authz::v2::ExtAuthz& proto_config, + const std::string& stats_prefix, Server::Configuration::FactoryContext& context); +}; + +} // namespace ExtAuthz +} // namespace HttpFilters +} // namespace Extensions +} // namespace Envoy diff --git a/source/common/http/filter/ext_authz.cc b/source/extensions/filters/http/ext_authz/ext_authz.cc similarity index 61% rename from source/common/http/filter/ext_authz.cc rename to source/extensions/filters/http/ext_authz/ext_authz.cc index a815cbbead1ef..225a8573ef41a 100644 --- a/source/common/http/filter/ext_authz.cc +++ b/source/extensions/filters/http/ext_authz/ext_authz.cc 
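Review bot: The `Json::Object` overload of `ExtAuthzFilterConfig::createFilterFactory` is declared here with named `json_config` and `context` parameters and no comment, yet config.cc in this commit implements it as `NOT_IMPLEMENTED` and ignores both. A reader of the header cannot tell that only the proto path is usable for an authorization filter. I would add `// v1 JSON configuration is not supported for this filter; use createFilterFactoryFromProto().` above that declaration. The private `createFilter` could also get a one-line comment saying it builds the shared filter config and returns the per-stream factory callback.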
@@ -1,4 +1,4 @@ -#include "common/http/filter/ext_authz.h" +#include "extensions/filters/http/ext_authz/ext_authz.h" #include #include @@ -7,27 +7,29 @@ #include "common/common/assert.h" #include "common/common/enum_to_int.h" -#include "common/ext_authz/ext_authz_impl.h" #include "common/http/codes.h" #include "common/router/config_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" + #include "fmt/format.h" namespace Envoy { -namespace Http { +namespace Extensions { +namespace HttpFilters { namespace ExtAuthz { namespace { const Http::HeaderMap* getDeniedHeader() { static const Http::HeaderMap* header_map = new Http::HeaderMapImpl{ - {Http::Headers::get().Status, std::to_string(enumToInt(Code::Forbidden))}}; + {Http::Headers::get().Status, std::to_string(enumToInt(Http::Code::Forbidden))}}; return header_map; } } // namespace -void Filter::initiateCall(const HeaderMap& headers) { +void Filter::initiateCall(const Http::HeaderMap& headers) { Router::RouteConstSharedPtr route = callbacks_->route(); if (route == nullptr || route->routeEntry() == nullptr) { return; @@ -40,7 +42,8 @@ void Filter::initiateCall(const HeaderMap& headers) { } cluster_ = cluster->info(); - Envoy::ExtAuthz::CheckRequestUtils::createHttpCheck(callbacks_, headers, check_request_); + Filters::Common::ExtAuthz::CheckRequestUtils::createHttpCheck(callbacks_, headers, + check_request_); state_ = State::Calling; initiating_call_ = true; 
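Review bot: In `Filter::initiateCall` the early `return` for `route == nullptr || route->routeEntry() == nullptr` leaves `state_` at `NotStarted`, so `decodeHeaders` returns `Continue` and the request proceeds with no authorization check. As far as these hunks show, nothing is counted or logged when that happens. Whether such a request can still produce a response further down the chain depends on filters not shown here, so this may be intended, but it should not be silent. At minimum document it at the return, e.g. `// No route entry: the ext_authz check is skipped and the request continues unchecked.`, and consider a stat so operators can see how often it occurs. The function body continues beyond the hunks shown.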
@@ -48,23 +51,23 @@ void Filter::initiateCall(const HeaderMap& headers) { initiating_call_ = false; } -FilterHeadersStatus Filter::decodeHeaders(HeaderMap& headers, bool) { +Http::FilterHeadersStatus Filter::decodeHeaders(Http::HeaderMap& headers, bool) { initiateCall(headers); - return state_ == State::Calling ? FilterHeadersStatus::StopIteration - : FilterHeadersStatus::Continue; + return state_ == State::Calling ? Http::FilterHeadersStatus::StopIteration + : Http::FilterHeadersStatus::Continue; } -FilterDataStatus Filter::decodeData(Buffer::Instance&, bool) { - return state_ == State::Calling ? FilterDataStatus::StopIterationAndWatermark - : FilterDataStatus::Continue; +Http::FilterDataStatus Filter::decodeData(Buffer::Instance&, bool) { + return state_ == State::Calling ? Http::FilterDataStatus::StopIterationAndWatermark + : Http::FilterDataStatus::Continue; } -FilterTrailersStatus Filter::decodeTrailers(HeaderMap&) { - return state_ == State::Calling ? FilterTrailersStatus::StopIteration - : FilterTrailersStatus::Continue; +Http::FilterTrailersStatus Filter::decodeTrailers(Http::HeaderMap&) { + return state_ == State::Calling ? Http::FilterTrailersStatus::StopIteration + : Http::FilterTrailersStatus::Continue; } -void Filter::setDecoderFilterCallbacks(StreamDecoderFilterCallbacks& callbacks) { +void Filter::setDecoderFilterCallbacks(Http::StreamDecoderFilterCallbacks& callbacks) { callbacks_ = &callbacks; } @@ -75,12 +78,12 @@ void Filter::onDestroy() { } } -void Filter::onComplete(Envoy::ExtAuthz::CheckStatus status) { +void Filter::onComplete(Filters::Common::ExtAuthz::CheckStatus status) { ASSERT(cluster_); state_ = State::Complete; - using Envoy::ExtAuthz::CheckStatus; + using Filters::Common::ExtAuthz::CheckStatus; switch (status) { case CheckStatus::OK: 
@@ -94,7 +97,7 @@ void Filter::onComplete(Envoy::ExtAuthz::CheckStatus status) { Http::CodeUtility::ResponseStatInfo info{config_->scope(), cluster_->statsScope(), EMPTY_STRING, - enumToInt(Code::Forbidden), + enumToInt(Http::Code::Forbidden), true, EMPTY_STRING, EMPTY_STRING, @@ -109,10 +112,10 @@ void Filter::onComplete(Envoy::ExtAuthz::CheckStatus status) { // if there is an error contacting the service. if (status == CheckStatus::Denied || (status == CheckStatus::Error && !config_->failureModeAllow())) { - Http::HeaderMapPtr response_headers{new HeaderMapImpl(*getDeniedHeader())}; + Http::HeaderMapPtr response_headers{new Http::HeaderMapImpl(*getDeniedHeader())}; callbacks_->encodeHeaders(std::move(response_headers), true); callbacks_->requestInfo().setResponseFlag( - Envoy::RequestInfo::ResponseFlag::UnauthorizedExternalService); + RequestInfo::ResponseFlag::UnauthorizedExternalService); } else { // We can get completion inline, so only call continue if that isn't happening. if (!initiating_call_) { @@ -122,5 +125,6 @@ void Filter::onComplete(Envoy::ExtAuthz::CheckStatus status) { } } // namespace ExtAuthz -} // namespace Http +} // namespace HttpFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/common/http/filter/ext_authz.h b/source/extensions/filters/http/ext_authz/ext_authz.h similarity index 69% rename from source/common/http/filter/ext_authz.h rename to source/extensions/filters/http/ext_authz/ext_authz.h index d2d0f733dfd34..ea95c972b142a 100644 --- a/source/common/http/filter/ext_authz.h +++ b/source/extensions/filters/http/ext_authz/ext_authz.h 
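Review bot: The deny branch in `Filter::onComplete` is selected by listing the failing statuses (`Denied`, or `Error` without `failureModeAllow()`), so any other `CheckStatus` value falls into the `else` and the request continues. For an authorization gate the allow path should be the enumerated one: `if (status == CheckStatus::OK || (status == CheckStatus::Error && config_->failureModeAllow()))` guarding the continue path, with the 403 response as the `else`. The network filter's `Filter::onComplete` in source/extensions/filters/network/ext_authz/ext_authz.cc has the same shape and would take the same inversion. Only `OK`, `Error` and `Denied` are visible in this diff, so today this is a hardening point rather than a reachable bypass.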
@@ -6,18 +6,20 @@ #include #include "envoy/config/filter/http/ext_authz/v2/ext_authz.pb.h" -#include "envoy/ext_authz/ext_authz.h" #include "envoy/http/filter.h" #include "envoy/local_info/local_info.h" #include "envoy/runtime/runtime.h" #include "envoy/upstream/cluster_manager.h" #include "common/common/assert.h" -#include "common/ext_authz/ext_authz_impl.h" #include "common/http/header_map_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" + namespace Envoy { -namespace Http { +namespace Extensions { +namespace HttpFilters { namespace ExtAuthz { /** 
@@ -59,30 +61,31 @@ typedef std::shared_ptr FilterConfigSharedPtr; * HTTP ext_authz filter. Depending on the route configuration, this filter calls the global * ext_authz service before allowing further filter iteration. */ -class Filter : public StreamDecoderFilter, public Envoy::ExtAuthz::RequestCallbacks { +class Filter : public Http::StreamDecoderFilter, + public Filters::Common::ExtAuthz::RequestCallbacks { public: - Filter(FilterConfigSharedPtr config, Envoy::ExtAuthz::ClientPtr&& client) + Filter(FilterConfigSharedPtr config, Filters::Common::ExtAuthz::ClientPtr&& client) : config_(config), client_(std::move(client)) {} // Http::StreamFilterBase void onDestroy() override; // Http::StreamDecoderFilter - FilterHeadersStatus decodeHeaders(HeaderMap& headers, bool end_stream) override; - FilterDataStatus decodeData(Buffer::Instance& data, bool end_stream) override; - FilterTrailersStatus decodeTrailers(HeaderMap& trailers) override; - void setDecoderFilterCallbacks(StreamDecoderFilterCallbacks& callbacks) override; + Http::FilterHeadersStatus decodeHeaders(Http::HeaderMap& headers, bool end_stream) override; + Http::FilterDataStatus decodeData(Buffer::Instance& data, bool end_stream) override; + Http::FilterTrailersStatus decodeTrailers(Http::HeaderMap& trailers) override; + void setDecoderFilterCallbacks(Http::StreamDecoderFilterCallbacks& callbacks) override; // ExtAuthz::RequestCallbacks - void onComplete(Envoy::ExtAuthz::CheckStatus status) override; + void onComplete(Filters::Common::ExtAuthz::CheckStatus status) override; private: enum class State { NotStarted, Calling, Complete }; - void initiateCall(const HeaderMap& headers); + void initiateCall(const Http::HeaderMap& headers); FilterConfigSharedPtr config_; - Envoy::ExtAuthz::ClientPtr client_; - StreamDecoderFilterCallbacks* callbacks_{}; + Filters::Common::ExtAuthz::ClientPtr client_; + Http::StreamDecoderFilterCallbacks* callbacks_{}; State state_{State::NotStarted}; 
Upstream::ClusterInfoConstSharedPtr cluster_; bool initiating_call_{}; @@ -90,5 +93,6 @@ class Filter : public StreamDecoderFilter, public Envoy::ExtAuthz::RequestCallba }; } // namespace ExtAuthz -} // namespace Http +} // namespace HttpFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/extensions/filters/network/ext_authz/BUILD b/source/extensions/filters/network/ext_authz/BUILD new file mode 100644 index 0000000000000..058e9d6cde0bb --- /dev/null +++ b/source/extensions/filters/network/ext_authz/BUILD @@ -0,0 +1,41 @@ +licenses(["notice"]) # Apache 2 + +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_library", + "envoy_package", +) + +envoy_package() + +envoy_cc_library( + name = "ext_authz", + srcs = ["ext_authz.cc"], + hdrs = ["ext_authz.h"], + deps = [ + "//include/envoy/network:connection_interface", + "//include/envoy/network:filter_interface", + "//include/envoy/runtime:runtime_interface", + "//include/envoy/stats:stats_macros", + "//include/envoy/upstream:cluster_manager_interface", + "//source/common/common:assert_lib", + "//source/common/tracing:http_tracer_lib", + "//source/extensions/filters/common/ext_authz:ext_authz_interface", + "//source/extensions/filters/common/ext_authz:ext_authz_lib", + "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", + ], +) + +envoy_cc_library( + name = "config", + srcs = ["config.cc"], + hdrs = ["config.h"], + deps = [ + "//include/envoy/registry", + "//include/envoy/server:filter_config_interface", + "//source/common/config:well_known_names", + "//source/common/protobuf:utility_lib", + "//source/extensions/filters/network/ext_authz", + "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", + ], +) 
diff --git a/source/server/config/network/ext_authz.cc b/source/extensions/filters/network/ext_authz/config.cc similarity index 51% rename from source/server/config/network/ext_authz.cc rename to source/extensions/filters/network/ext_authz/config.cc index 8b2786c7e26a1..c54dc05a02dcf 100644 --- a/source/server/config/network/ext_authz.cc +++ b/source/extensions/filters/network/ext_authz/config.cc @@ -1,26 +1,27 @@ -#include "server/config/network/ext_authz.h" +#include "extensions/filters/network/ext_authz/config.h" #include #include #include "envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.h" -#include "envoy/ext_authz/ext_authz.h" #include "envoy/network/connection.h" #include "envoy/registry/registry.h" -#include "common/ext_authz/ext_authz_impl.h" -#include "common/filter/ext_authz.h" #include "common/protobuf/utility.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" +#include "extensions/filters/network/ext_authz/ext_authz.h" + namespace Envoy { -namespace Server { -namespace Configuration { +namespace Extensions { +namespace NetworkFilters { +namespace ExtAuthz { -NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilter( +Server::Configuration::NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilter( const envoy::config::filter::network::ext_authz::v2::ExtAuthz& proto_config, - FactoryContext& context) { - ExtAuthz::TcpFilter::ConfigSharedPtr ext_authz_config( - new ExtAuthz::TcpFilter::Config(proto_config, context.scope())); + Server::Configuration::FactoryContext& context) { + ConfigSharedPtr ext_authz_config(new Config(proto_config, context.scope())); const uint32_t timeout_ms = PROTOBUF_GET_MS_OR_DEFAULT(proto_config.grpc_service(), timeout, 200); return [ grpc_service = proto_config.grpc_service(), &context, ext_authz_config, 
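Review bot: `ConfigSharedPtr ext_authz_config(new Config(proto_config, context.scope()));` uses a raw `new`, while the HTTP factory in this same commit builds its config with `std::make_shared`. Prefer `auto ext_authz_config = std::make_shared<Config>(proto_config, context.scope());`, which keeps the two factories consistent and avoids the separate control-block allocation. The lambda that captures `ext_authz_config` starts on the last line of this hunk and continues outside it.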
@@ -31,21 +32,21 @@ NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilter( context.clusterManager().grpcAsyncClientManager().factoryForGrpcService(grpc_service, context.scope()); - auto client = std::make_unique( + auto client = std::make_unique( async_client_factory->create(), std::chrono::milliseconds(timeout_ms)); filter_manager.addReadFilter(Network::ReadFilterSharedPtr{ - std::make_shared(ext_authz_config, std::move(client))}); + std::make_shared(ext_authz_config, std::move(client))}); }; } -NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilterFactory(const Json::Object&, - FactoryContext&) { +Server::Configuration::NetworkFilterFactoryCb +ExtAuthzConfigFactory::createFilterFactory(const Json::Object&, + Server::Configuration::FactoryContext&) { NOT_IMPLEMENTED; } -NetworkFilterFactoryCb -ExtAuthzConfigFactory::createFilterFactoryFromProto(const Protobuf::Message& proto_config, - FactoryContext& context) { +Server::Configuration::NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilterFactoryFromProto( + const Protobuf::Message& proto_config, Server::Configuration::FactoryContext& context) { return createFilter( MessageUtil::downcastAndValidate< const envoy::config::filter::network::ext_authz::v2::ExtAuthz&>(proto_config), @@ -55,9 +56,11 @@ ExtAuthzConfigFactory::createFilterFactoryFromProto(const Protobuf::Message& pro /** * Static registration for the external authorization filter. @see RegisterFactory. */ -static Registry::RegisterFactory +static Registry::RegisterFactory registered_; -} // namespace Configuration -} // namespace Server +} // namespace ExtAuthz +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/server/config/network/ext_authz.h b/source/extensions/filters/network/ext_authz/config.h similarity index 52% rename from source/server/config/network/ext_authz.h rename to source/extensions/filters/network/ext_authz/config.h index 42c981ef94e43..ef8d23c1d35c1 100644 
--- a/source/server/config/network/ext_authz.h +++ b/source/extensions/filters/network/ext_authz/config.h @@ -8,20 +8,23 @@ #include "common/config/well_known_names.h" namespace Envoy { -namespace Server { -namespace Configuration { +namespace Extensions { +namespace NetworkFilters { +namespace ExtAuthz { /** * Config registration for the external authorization filter. @see NamedNetworkFilterConfigFactory. */ -class ExtAuthzConfigFactory : public NamedNetworkFilterConfigFactory { +class ExtAuthzConfigFactory : public Server::Configuration::NamedNetworkFilterConfigFactory { public: // NamedNetworkFilterConfigFactory - NetworkFilterFactoryCb createFilterFactory(const Json::Object& json_config, - FactoryContext& context) override; + Server::Configuration::NetworkFilterFactoryCb + createFilterFactory(const Json::Object& json_config, + Server::Configuration::FactoryContext& context) override; - NetworkFilterFactoryCb createFilterFactoryFromProto(const Protobuf::Message& proto_config, - FactoryContext& context) override; + Server::Configuration::NetworkFilterFactoryCb + createFilterFactoryFromProto(const Protobuf::Message& proto_config, + Server::Configuration::FactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return ProtobufTypes::MessagePtr{new envoy::config::filter::network::ext_authz::v2::ExtAuthz()}; @@ -30,11 +33,12 @@ class ExtAuthzConfigFactory : public NamedNetworkFilterConfigFactory { std::string name() override { return Config::NetworkFilterNames::get().EXT_AUTHORIZATION; } private: - NetworkFilterFactoryCb + Server::Configuration::NetworkFilterFactoryCb createFilter(const envoy::config::filter::network::ext_authz::v2::ExtAuthz& proto_config, - FactoryContext& context); + Server::Configuration::FactoryContext& context); }; -} // namespace Configuration -} // namespace Server +} // namespace ExtAuthz +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy 
diff --git a/source/common/filter/ext_authz.cc b/source/extensions/filters/network/ext_authz/ext_authz.cc similarity index 70% rename from source/common/filter/ext_authz.cc rename to source/extensions/filters/network/ext_authz/ext_authz.cc index abefbdb681f40..174c3ddce7101 100644 --- a/source/common/filter/ext_authz.cc +++ b/source/extensions/filters/network/ext_authz/ext_authz.cc @@ -1,4 +1,4 @@ -#include "common/filter/ext_authz.h" +#include "extensions/filters/network/ext_authz/ext_authz.h" #include #include @@ -6,11 +6,10 @@ #include "common/common/assert.h" #include "common/tracing/http_tracer_impl.h" -#include "fmt/format.h" - namespace Envoy { +namespace Extensions { +namespace NetworkFilters { namespace ExtAuthz { -namespace TcpFilter { InstanceStats Config::generateStats(const std::string& name, Stats::Scope& scope) { const std::string final_prefix = fmt::format("ext_authz.{}.", name); @@ -18,8 +17,8 @@ InstanceStats Config::generateStats(const std::string& name, Stats::Scope& scope POOL_GAUGE_PREFIX(scope, final_prefix))}; } -void Instance::callCheck() { - CheckRequestUtils::createTcpCheck(filter_callbacks_, check_request_); +void Filter::callCheck() { + Filters::Common::ExtAuthz::CheckRequestUtils::createTcpCheck(filter_callbacks_, check_request_); status_ = Status::Calling; config_->stats().active_.inc(); @@ -30,7 +29,7 @@ void Instance::callCheck() { calling_check_ = false; } -Network::FilterStatus Instance::onData(Buffer::Instance&, bool /* end_stream */) { +Network::FilterStatus Filter::onData(Buffer::Instance&, bool /* end_stream */) { if (status_ == Status::NotStarted) { // By waiting to invoke the check at onData() the call to authorization service will have // sufficient information to fillout the checkRequest_. 
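Review bot: The hunk at `@@ -6,11 +6,10 @@` drops `#include "fmt/format.h"`, but `Config::generateStats` in the next hunk still calls `fmt::format("ext_authz.{}.", name)`. The file now compiles only if another header pulls fmt in transitively, so keep the direct include: `#include "fmt/format.h"`. ext_authz_impl.cc loses the same include in this commit; its body is not shown here, so it is worth checking for `fmt::` uses as well.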
@@ -40,12 +39,12 @@ Network::FilterStatus Instance::onData(Buffer::Instance&, bool /* end_stream */) : Network::FilterStatus::Continue; } -Network::FilterStatus Instance::onNewConnection() { +Network::FilterStatus Filter::onNewConnection() { // Wait till onData() happens. return Network::FilterStatus::Continue; } -void Instance::onEvent(Network::ConnectionEvent event) { +void Filter::onEvent(Network::ConnectionEvent event) { if (event == Network::ConnectionEvent::RemoteClose || event == Network::ConnectionEvent::LocalClose) { if (status_ == Status::Calling) { @@ -57,25 +56,25 @@ void Instance::onEvent(Network::ConnectionEvent event) { } } -void Instance::onComplete(CheckStatus status) { +void Filter::onComplete(Filters::Common::ExtAuthz::CheckStatus status) { status_ = Status::Complete; config_->stats().active_.dec(); switch (status) { - case CheckStatus::OK: + case Filters::Common::ExtAuthz::CheckStatus::OK: config_->stats().ok_.inc(); break; - case CheckStatus::Error: + case Filters::Common::ExtAuthz::CheckStatus::Error: config_->stats().error_.inc(); break; - case CheckStatus::Denied: + case Filters::Common::ExtAuthz::CheckStatus::Denied: config_->stats().denied_.inc(); break; } // Fail open only if configured to do so and if the check status was a error. - if (status == CheckStatus::Denied || - (status == CheckStatus::Error && !config_->failureModeAllow())) { + if (status == Filters::Common::ExtAuthz::CheckStatus::Denied || + (status == Filters::Common::ExtAuthz::CheckStatus::Error && !config_->failureModeAllow())) { config_->stats().cx_closed_.inc(); filter_callbacks_->connection().close(Network::ConnectionCloseType::NoFlush); } else { @@ -86,6 +85,7 @@ void Instance::onComplete(CheckStatus status) { } } -} // namespace TcpFilter } // namespace ExtAuthz +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy 
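Review bot: In `Filter::onComplete` (the `@@ -57,25 +56,25 @@` hunk) the connection is closed only for a listed set of bad outcomes, so any `CheckStatus` value that is neither `Denied` nor `Error` falls into the `else` branch and is allowed through. For an authorization filter the safer shape is to name the outcomes that allow and close on everything else: test `status == Filters::Common::ExtAuthz::CheckStatus::OK || (status == Filters::Common::ExtAuthz::CheckStatus::Error && config_->failureModeAllow())` and swap the two branches. The `switch` above it has no `default`, so a status added to the enum later would also go uncounted in the stats. The body of the `else` branch lies outside the hunk, so this reading rests on the visible condition and on the tests that expect `continueReading()` there.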
diff --git a/source/common/filter/ext_authz.h b/source/extensions/filters/network/ext_authz/ext_authz.h similarity index 83% rename from source/common/filter/ext_authz.h rename to source/extensions/filters/network/ext_authz/ext_authz.h index 3dfc39be2d972..468e571eaa811 100644 --- a/source/common/filter/ext_authz.h +++ b/source/extensions/filters/network/ext_authz/ext_authz.h @@ -6,18 +6,19 @@ #include #include "envoy/config/filter/network/ext_authz/v2/ext_authz.pb.h" -#include "envoy/ext_authz/ext_authz.h" #include "envoy/network/connection.h" #include "envoy/network/filter.h" #include "envoy/runtime/runtime.h" #include "envoy/stats/stats_macros.h" #include "envoy/upstream/cluster_manager.h" -#include "common/ext_authz/ext_authz_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" namespace Envoy { +namespace Extensions { +namespace NetworkFilters { namespace ExtAuthz { -namespace TcpFilter { /** * All tcp external authorization stats. @see stats_macros.h @@ -66,13 +67,13 @@ typedef std::shared_ptr ConfigSharedPtr; * connection will be closed without any further filters being called. Otherwise all buffered * data will be released to further filters. */ -class Instance : public Network::ReadFilter, - public Network::ConnectionCallbacks, - public RequestCallbacks { +class Filter : public Network::ReadFilter, + public Network::ConnectionCallbacks, + public Filters::Common::ExtAuthz::RequestCallbacks { public: - Instance(ConfigSharedPtr config, ClientPtr&& client) + Filter(ConfigSharedPtr config, Filters::Common::ExtAuthz::ClientPtr&& client) : config_(config), client_(std::move(client)) {} - ~Instance() {} + ~Filter() {} // Network::ReadFilter Network::FilterStatus onData(Buffer::Instance& data, bool end_stream) override; 
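Review bot: The renamed constructor in the `@@ -66,13 +67,13 @@` hunk takes `ConfigSharedPtr config` by value and then copies it again with `config_(config)`, which adds a reference-count increment and decrement for every filter instance created. Since `client` is already moved on the same line, move the config too: `: config_(std::move(config)), client_(std::move(client)) {}`. The empty destructor can be written `~Filter() = default;` to make clear that no cleanup happens there. The class body continues past the end of this hunk.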
@@ -88,20 +89,20 @@ class Instance : public Network::ReadFilter, void onBelowWriteBufferLowWatermark() override {} // ExtAuthz::RequestCallbacks - void onComplete(CheckStatus status) override; + void onComplete(Filters::Common::ExtAuthz::CheckStatus status) override; private: enum class Status { NotStarted, Calling, Complete }; void callCheck(); ConfigSharedPtr config_; - ClientPtr client_; + Filters::Common::ExtAuthz::ClientPtr client_; Network::ReadFilterCallbacks* filter_callbacks_{}; Status status_{Status::NotStarted}; bool calling_check_{}; envoy::service::auth::v2::CheckRequest check_request_{}; }; - -} // TcpFilter -} // namespace ExtAuthz +} +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/server/BUILD b/source/server/BUILD index ca9b1dcb5b356..ed97687642c54 100644 --- a/source/server/BUILD +++ b/source/server/BUILD @@ -36,7 +36,6 @@ envoy_cc_library( "//source/common/common:utility_lib", "//source/common/config:lds_json_lib", "//source/common/config:utility_lib", - "//source/common/ext_authz:ext_authz_lib", "//source/common/network:resolver_lib", "//source/common/network:utility_lib", "//source/common/protobuf:utility_lib", diff --git a/source/server/config/http/BUILD b/source/server/config/http/BUILD index 30a464a6b68a3..eebdf67b228ca 100644 --- a/source/server/config/http/BUILD +++ b/source/server/config/http/BUILD @@ -230,17 +230,3 @@ envoy_cc_library( "//source/server:configuration_lib", ], ) - -envoy_cc_library( - name = "ext_authz_lib", - srcs = ["ext_authz.cc"], - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/registry", - "//include/envoy/server:filter_config_interface", - "//source/common/config:well_known_names", - "//source/common/http/filter:ext_authz_lib", - "//source/common/protobuf:utility_lib", - "@envoy_api//envoy/config/filter/http/ext_authz/v2:ext_authz_cc", - ], -) 
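Review bot: The closing brace of `namespace ExtAuthz` at the end of ext_authz.h (the `@@ -88,20 +89,20 @@` hunk) lost its trailing comment: the new side has a bare `}` where every other namespace close in this commit reads `} // namespace X`. Write it as `} // namespace ExtAuthz` so the closers stay matched to the `Extensions`, `NetworkFilters` and `ExtAuthz` openers added at the top of the header.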
diff --git a/source/server/config/http/ext_authz.h b/source/server/config/http/ext_authz.h deleted file mode 100644 index 69ade25583e4e..0000000000000 --- a/source/server/config/http/ext_authz.h +++ /dev/null @@ -1,39 +0,0 @@ -#pragma once - -#include - -#include "envoy/config/filter/http/ext_authz/v2/ext_authz.pb.h" -#include "envoy/server/filter_config.h" - -#include "common/config/well_known_names.h" - -namespace Envoy { -namespace Server { -namespace Configuration { - -/** - * Config registration for the external authorization filter. @see NamedHttpFilterConfigFactory. - */ -class ExtAuthzFilterConfig : public NamedHttpFilterConfigFactory { -public: - HttpFilterFactoryCb createFilterFactory(const Json::Object& json_config, const std::string&, - FactoryContext& context) override; - HttpFilterFactoryCb createFilterFactoryFromProto(const Protobuf::Message& proto_config, - const std::string& stats_prefix, - FactoryContext& context) override; - - ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new envoy::config::filter::http::ext_authz::v2::ExtAuthz()}; - } - - std::string name() override { return Config::HttpFilterNames::get().EXT_AUTHORIZATION; } - -private: - HttpFilterFactoryCb - createFilter(const envoy::config::filter::http::ext_authz::v2::ExtAuthz& proto_config, - const std::string& stats_prefix, FactoryContext& context); -}; - -} // namespace Configuration -} // namespace Server -} // namespace Envoy diff --git a/source/server/config/network/BUILD b/source/server/config/network/BUILD index ce7d208ce7bc9..b22de2a054e40 100644 --- a/source/server/config/network/BUILD +++ b/source/server/config/network/BUILD 
@@ -95,17 +95,3 @@ envoy_cc_library( "@envoy_api//envoy/api/v2/auth:cert_cc", ], ) - -envoy_cc_library( - name = "ext_authz_lib", - srcs = ["ext_authz.cc"], - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/registry", - "//include/envoy/server:filter_config_interface", - "//source/common/config:well_known_names", - "//source/common/filter:ext_authz_lib", - "//source/common/protobuf:utility_lib", - "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", - ], -) diff --git a/test/common/filter/BUILD b/test/common/filter/BUILD index 4596e3bcb020f..27f7002034a95 100644 --- a/test/common/filter/BUILD +++ b/test/common/filter/BUILD @@ -23,24 +23,3 @@ envoy_cc_test( "//test/mocks/tracing:tracing_mocks", ], ) - -envoy_cc_test( - name = "ext_authz_test", - srcs = ["ext_authz_test.cc"], - deps = [ - "//source/common/buffer:buffer_lib", - "//source/common/config:filter_json_lib", - "//source/common/event:dispatcher_lib", - "//source/common/filter:ext_authz_lib", - "//source/common/json:json_loader_lib", - "//source/common/network:address_lib", - "//source/common/protobuf:utility_lib", - "//source/common/stats:stats_lib", - "//test/mocks/ext_authz:ext_authz_mocks", - "//test/mocks/network:network_mocks", - "//test/mocks/runtime:runtime_mocks", - "//test/mocks/tracing:tracing_mocks", - "//test/mocks/upstream:upstream_mocks", - "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", - ], -) diff --git a/test/common/http/filter/BUILD b/test/common/http/filter/BUILD index 91d08c94a257b..f0576720266ea 100644 --- a/test/common/http/filter/BUILD +++ b/test/common/http/filter/BUILD 
@@ -119,28 +119,3 @@ envoy_cc_test( "//test/mocks/upstream:upstream_mocks", ], ) - -envoy_cc_test( - name = "ext_authz_test", - srcs = ["ext_authz_test.cc"], - deps = [ - "//source/common/buffer:buffer_lib", - "//source/common/common:empty_string", - "//source/common/config:filter_json_lib", - "//source/common/ext_authz:ext_authz_lib", - "//source/common/http:headers_lib", - "//source/common/http/filter:ext_authz_includes", - "//source/common/http/filter:ext_authz_lib", - "//source/common/json:json_loader_lib", - "//source/common/network:address_lib", - "//source/common/protobuf:utility_lib", - "//test/mocks/ext_authz:ext_authz_mocks", - "//test/mocks/http:http_mocks", - "//test/mocks/local_info:local_info_mocks", - "//test/mocks/network:network_mocks", - "//test/mocks/runtime:runtime_mocks", - "//test/mocks/tracing:tracing_mocks", - "//test/mocks/upstream:upstream_mocks", - "//test/test_common:utility_lib", - ], -) diff --git a/test/common/ext_authz/BUILD b/test/extensions/filters/common/ext_authz/BUILD similarity index 71% rename from test/common/ext_authz/BUILD rename to test/extensions/filters/common/ext_authz/BUILD index a0cfd0d21f2ff..11da871031dd7 100644 --- a/test/common/ext_authz/BUILD +++ b/test/extensions/filters/common/ext_authz/BUILD @@ -2,6 +2,7 @@ licenses(["notice"]) # Apache 2 load( "//bazel:envoy_build_system.bzl", + "envoy_cc_mock", "envoy_cc_test", "envoy_package", ) @@ -12,10 +13,10 @@ envoy_cc_test( name = "ext_authz_impl_test", srcs = ["ext_authz_impl_test.cc"], deps = [ - "//source/common/ext_authz:ext_authz_lib", "//source/common/http:header_map_lib", "//source/common/http:headers_lib", "//source/common/network:address_lib", + "//source/extensions/filters/common/ext_authz:ext_authz_lib", "//test/mocks/grpc:grpc_mocks", "//test/mocks/http:http_mocks", "//test/mocks/network:network_mocks", 
@@ -25,3 +26,12 @@ envoy_cc_test( "//test/test_common:utility_lib", ], ) + +envoy_cc_mock( + name = "ext_authz_mocks", + srcs = ["mocks.cc"], + hdrs = ["mocks.h"], + deps = [ + "//source/extensions/filters/common/ext_authz:ext_authz_interface", + ], +) diff --git a/test/common/ext_authz/ext_authz_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_impl_test.cc similarity index 97% rename from test/common/ext_authz/ext_authz_impl_test.cc rename to test/extensions/filters/common/ext_authz/ext_authz_impl_test.cc index e7290f40a1847..f43ebfe9b2ce4 100644 --- a/test/common/ext_authz/ext_authz_impl_test.cc +++ b/test/extensions/filters/common/ext_authz/ext_authz_impl_test.cc @@ -2,11 +2,12 @@ #include #include -#include "common/ext_authz/ext_authz_impl.h" #include "common/http/header_map_impl.h" #include "common/http/headers.h" #include "common/network/address_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" + #include "test/mocks/grpc/mocks.h" #include "test/mocks/http/mocks.h" #include "test/mocks/network/mocks.h" @@ -29,6 +30,9 @@ using testing::WithArg; using testing::_; namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { class MockRequestCallbacks : public RequestCallbacks { @@ -183,4 +187,7 @@ TEST_F(CheckRequestUtilsTest, CheckAttrContextPeer) { } } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/test/mocks/ext_authz/mocks.cc b/test/extensions/filters/common/ext_authz/mocks.cc similarity index 55% rename from test/mocks/ext_authz/mocks.cc rename to test/extensions/filters/common/ext_authz/mocks.cc index 97a2cc6cb5493..7416e537dcfe7 100644 --- a/test/mocks/ext_authz/mocks.cc +++ b/test/extensions/filters/common/ext_authz/mocks.cc 
@@ -1,10 +1,16 @@ #include "mocks.h" namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { MockClient::MockClient() {} MockClient::~MockClient() {} } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/test/mocks/ext_authz/mocks.h b/test/extensions/filters/common/ext_authz/mocks.h similarity index 71% rename from test/mocks/ext_authz/mocks.h rename to test/extensions/filters/common/ext_authz/mocks.h index 057e9fc9263e4..8db44e13eec8c 100644 --- a/test/mocks/ext_authz/mocks.h +++ b/test/extensions/filters/common/ext_authz/mocks.h @@ -3,11 +3,14 @@ #include #include -#include "envoy/ext_authz/ext_authz.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" #include "gmock/gmock.h" namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { class MockClient : public Client { @@ -23,4 +26,7 @@ class MockClient : public Client { }; } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/test/extensions/filters/http/ext_authz/BUILD b/test/extensions/filters/http/ext_authz/BUILD new file mode 100644 index 0000000000000..1f0b28182c262 --- /dev/null +++ b/test/extensions/filters/http/ext_authz/BUILD 
@@ -0,0 +1,34 @@ +licenses(["notice"]) # Apache 2 + +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) + +envoy_package() + +envoy_cc_test( + name = "ext_authz_test", + srcs = ["ext_authz_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/common:empty_string", + "//source/common/config:filter_json_lib", + "//source/common/http:headers_lib", + "//source/common/json:json_loader_lib", + "//source/common/network:address_lib", + "//source/common/protobuf:utility_lib", + "//source/extensions/filters/common/ext_authz:ext_authz_lib", + "//source/extensions/filters/http/ext_authz:config", + "//test/extensions/filters/common/ext_authz:ext_authz_mocks", + "//test/mocks/http:http_mocks", + "//test/mocks/local_info:local_info_mocks", + "//test/mocks/network:network_mocks", + "//test/mocks/runtime:runtime_mocks", + "//test/mocks/server:server_mocks", + "//test/mocks/tracing:tracing_mocks", + "//test/mocks/upstream:upstream_mocks", + "//test/test_common:utility_lib", + ], +) diff --git a/test/common/http/filter/ext_authz_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_test.cc similarity index 65% rename from test/common/http/filter/ext_authz_test.cc rename to test/extensions/filters/http/ext_authz/ext_authz_test.cc index 40b5e452366aa..d699ddc3fe645 100644 --- a/test/common/http/filter/ext_authz_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_test.cc 
@@ -6,17 +6,20 @@ #include "common/buffer/buffer_impl.h" #include "common/common/empty_string.h" -#include "common/http/filter/ext_authz.h" #include "common/http/headers.h" #include "common/json/json_loader.h" #include "common/network/address_impl.h" #include "common/protobuf/utility.h" -#include "test/mocks/ext_authz/mocks.h" +#include "extensions/filters/http/ext_authz/config.h" +#include "extensions/filters/http/ext_authz/ext_authz.h" + +#include "test/extensions/filters/common/ext_authz/mocks.h" #include "test/mocks/http/mocks.h" #include "test/mocks/local_info/mocks.h" #include "test/mocks/network/mocks.h" #include "test/mocks/runtime/mocks.h" +#include "test/mocks/server/mocks.h" #include "test/mocks/tracing/mocks.h" #include "test/mocks/upstream/mocks.h" #include "test/test_common/printers.h" @@ -36,7 +39,8 @@ using testing::WithArgs; using testing::_; namespace Envoy { -namespace Http { +namespace Extensions { +namespace HttpFilters { namespace ExtAuthz { class HttpExtAuthzFilterTestBase { @@ -44,11 +48,11 @@ class HttpExtAuthzFilterTestBase { HttpExtAuthzFilterTestBase() {} FilterConfigSharedPtr config_; - Envoy::ExtAuthz::MockClient* client_; + Filters::Common::ExtAuthz::MockClient* client_; std::unique_ptr filter_; - NiceMock filter_callbacks_; - Envoy::ExtAuthz::RequestCallbacks* request_callbacks_{}; - TestHeaderMapImpl request_headers_; + NiceMock filter_callbacks_; + Filters::Common::ExtAuthz::RequestCallbacks* request_callbacks_{}; + Http::TestHeaderMapImpl request_headers_; Buffer::OwnedImpl data_; Stats::IsolatedStoreImpl stats_store_; NiceMock runtime_; 
@@ -67,8 +71,8 @@ class HttpExtAuthzFilterTest : public testing::Test, public HttpExtAuthzFilterTe MessageUtil::loadFromYaml(yaml, proto_config); config_.reset(new FilterConfig(proto_config, local_info_, stats_store_, runtime_, cm_)); - client_ = new Envoy::ExtAuthz::MockClient(); - filter_.reset(new Filter(config_, Envoy::ExtAuthz::ClientPtr{client_})); + client_ = new Filters::Common::ExtAuthz::MockClient(); + filter_.reset(new Filter(config_, Filters::Common::ExtAuthz::ClientPtr{client_})); filter_->setDecoderFilterCallbacks(filter_callbacks_); addr_ = std::make_shared("1.2.3.4", 1111); } @@ -90,8 +94,8 @@ class HttpExtAuthzFilterParamTest : public TestWithParamsetDecoderFilterCallbacks(filter_callbacks_); addr_ = std::make_shared("1.2.3.4", 1111); } @@ -118,9 +122,9 @@ TEST_P(HttpExtAuthzFilterParamTest, NoRoute) { EXPECT_CALL(*filter_callbacks_.route_, routeEntry()).WillOnce(Return(nullptr)); - EXPECT_EQ(FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); - EXPECT_EQ(FilterDataStatus::Continue, filter_->decodeData(data_, false)); - EXPECT_EQ(FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(data_, false)); + EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); } // Test that the request continues when the authorization service cluster is not present. 
@@ -128,9 +132,9 @@ TEST_P(HttpExtAuthzFilterParamTest, NoCluster) { ON_CALL(cm_, get(_)).WillByDefault(Return(nullptr)); - EXPECT_EQ(FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); - EXPECT_EQ(FilterDataStatus::Continue, filter_->decodeData(data_, false)); - EXPECT_EQ(FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(data_, false)); + EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); } // Test that the request is stopped till there is an OK response back after which it continues on. 
@@ -141,19 +145,21 @@ TEST_P(HttpExtAuthzFilterParamTest, OkResponse) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, testing::A())) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); - EXPECT_EQ(FilterDataStatus::StopIterationAndWatermark, filter_->decodeData(data_, false)); - EXPECT_EQ(FilterTrailersStatus::StopIteration, filter_->decodeTrailers(request_headers_)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterDataStatus::StopIterationAndWatermark, filter_->decodeData(data_, false)); + EXPECT_EQ(Http::FilterTrailersStatus::StopIteration, filter_->decodeTrailers(request_headers_)); EXPECT_CALL(filter_callbacks_, continueDecoding()); EXPECT_CALL(filter_callbacks_.request_info_, setResponseFlag(Envoy::RequestInfo::ResponseFlag::UnauthorizedExternalService)) .Times(0); - request_callbacks_->onComplete(Envoy::ExtAuthz::CheckStatus::OK); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::OK); EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_.counter("ext_authz.ok").value()); 
@@ -168,14 +174,15 @@ TEST_P(HttpExtAuthzFilterParamTest, ImmediateOkResponse) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - callbacks.onComplete(Envoy::ExtAuthz::CheckStatus::OK); - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + callbacks.onComplete(Filters::Common::ExtAuthz::CheckStatus::OK); + }))); EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0); - EXPECT_EQ(FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); - EXPECT_EQ(FilterDataStatus::Continue, filter_->decodeData(data_, false)); - EXPECT_EQ(FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(data_, false)); + EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_.counter("ext_authz.ok").value()); 
@@ -189,17 +196,19 @@ TEST_P(HttpExtAuthzFilterParamTest, DeniedResponse) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); Http::TestHeaderMapImpl response_headers{{":status", "403"}}; EXPECT_CALL(filter_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true)); EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0); EXPECT_CALL(filter_callbacks_.request_info_, setResponseFlag(Envoy::RequestInfo::ResponseFlag::UnauthorizedExternalService)); - request_callbacks_->onComplete(Envoy::ExtAuthz::CheckStatus::Denied); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Denied); EXPECT_EQ( 1U, 
@@ -221,11 +230,13 @@ TEST_P(HttpExtAuthzFilterParamTest, ResetDuringCall) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); EXPECT_CALL(*client_, cancel()); filter_->onDestroy(); @@ -263,13 +274,15 @@ TEST_F(HttpExtAuthzFilterTest, ErrorFailClose) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0); - request_callbacks_->onComplete(Envoy::ExtAuthz::CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ( 1U, 
@@ -286,19 +299,48 @@ TEST_F(HttpExtAuthzFilterTest, ErrorOpen) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); EXPECT_CALL(filter_callbacks_, continueDecoding()); - request_callbacks_->onComplete(Envoy::ExtAuthz::CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ( 1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_.counter("ext_authz.error").value()); } +TEST(HttpExtAuthzConfigTest, ExtAuthzCorrectProto) { + std::string yaml = R"EOF( + grpc_service: + google_grpc: + target_uri: ext_authz_server + stat_prefix: google + failure_mode_allow: false +)EOF"; + + envoy::config::filter::http::ext_authz::v2::ExtAuthz proto_config{}; + MessageUtil::loadFromYaml(yaml, proto_config); + + NiceMock context; + ExtAuthzFilterConfig factory; + + EXPECT_CALL(context.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _)) + .WillOnce(Invoke([](const envoy::api::v2::core::GrpcService&, Stats::Scope&) { + return std::make_unique>(); + })); + Server::Configuration::HttpFilterFactoryCb cb = + factory.createFilterFactoryFromProto(proto_config, "stats", context); + Http::MockFilterChainFactoryCallbacks filter_callback; + EXPECT_CALL(filter_callback, addStreamDecoderFilter(_)); + cb(filter_callback); +} + } // namespace ExtAuthz -} // namespace Http +} // namespace HttpFilters +} // namespace Extensions } 
// namespace Envoy diff --git a/test/extensions/filters/network/ext_authz/BUILD b/test/extensions/filters/network/ext_authz/BUILD new file mode 100644 index 0000000000000..18ec174af3e25 --- /dev/null +++ b/test/extensions/filters/network/ext_authz/BUILD @@ -0,0 +1,30 @@ +licenses(["notice"]) # Apache 2 + +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) + +envoy_package() + +envoy_cc_test( + name = "ext_authz_test", + srcs = ["ext_authz_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/config:filter_json_lib", + "//source/common/event:dispatcher_lib", + "//source/common/json:json_loader_lib", + "//source/common/network:address_lib", + "//source/common/protobuf:utility_lib", + "//source/common/stats:stats_lib", + "//source/extensions/filters/network/ext_authz:config", + "//test/extensions/filters/common/ext_authz:ext_authz_mocks", + "//test/mocks/network:network_mocks", + "//test/mocks/runtime:runtime_mocks", + "//test/mocks/server:server_mocks", + "//test/mocks/tracing:tracing_mocks", + "//test/mocks/upstream:upstream_mocks", + ], +) diff --git a/test/common/filter/ext_authz_test.cc b/test/extensions/filters/network/ext_authz/ext_authz_test.cc similarity index 77% rename from test/common/filter/ext_authz_test.cc rename to test/extensions/filters/network/ext_authz/ext_authz_test.cc index d04b38dc3ae78..f56f0fa2163f4 100644 --- a/test/common/filter/ext_authz_test.cc +++ b/test/extensions/filters/network/ext_authz/ext_authz_test.cc 
@@ -5,15 +5,18 @@ #include "envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.h" #include "common/buffer/buffer_impl.h" -#include "common/filter/ext_authz.h" #include "common/json/json_loader.h" #include "common/network/address_impl.h" #include "common/protobuf/utility.h" #include "common/stats/stats_impl.h" -#include "test/mocks/ext_authz/mocks.h" +#include "extensions/filters/network/ext_authz/config.h" +#include "extensions/filters/network/ext_authz/ext_authz.h" + +#include "test/extensions/filters/common/ext_authz/mocks.h" #include "test/mocks/network/mocks.h" #include "test/mocks/runtime/mocks.h" +#include "test/mocks/server/mocks.h" #include "test/mocks/tracing/mocks.h" #include "test/mocks/upstream/mocks.h" #include "test/test_common/printers.h" @@ -30,8 +33,9 @@ using testing::WithArgs; using testing::_; namespace Envoy { +namespace Extensions { +namespace NetworkFilters { namespace ExtAuthz { -namespace TcpFilter { class ExtAuthzFilterTest : public testing::Test { public: @@ -49,8 +53,8 @@ class ExtAuthzFilterTest : public testing::Test { envoy::config::filter::network::ext_authz::v2::ExtAuthz proto_config{}; MessageUtil::loadFromJson(json, proto_config); config_.reset(new Config(proto_config, stats_store_)); - client_ = new MockClient(); - filter_.reset(new Instance(config_, ClientPtr{client_})); + client_ = new Filters::Common::ExtAuthz::MockClient(); + filter_.reset(new Filter(config_, Filters::Common::ExtAuthz::ClientPtr{client_})); filter_->initializeReadFilterCallbacks(filter_callbacks_); addr_ = std::make_shared("/test/test.sock"); 
@@ -67,11 +71,11 @@ class ExtAuthzFilterTest : public testing::Test { Stats::IsolatedStoreImpl stats_store_; ConfigSharedPtr config_; - MockClient* client_; - std::unique_ptr filter_; + Filters::Common::ExtAuthz::MockClient* client_; + std::unique_ptr filter_; NiceMock filter_callbacks_; Network::Address::InstanceConstSharedPtr addr_; - RequestCallbacks* request_callbacks_{}; + Filters::Common::ExtAuthz::RequestCallbacks* request_callbacks_{}; }; TEST_F(ExtAuthzFilterTest, BadExtAuthzConfig) { @@ -96,8 +100,10 @@ TEST_F(ExtAuthzFilterTest, OKWithOnData) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, testing::A())) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); // Confirm that the invocation of onNewConnection did NOT increment the active or total count! @@ -110,7 +116,7 @@ TEST_F(ExtAuthzFilterTest, OKWithOnData) { EXPECT_EQ(1U, stats_store_.gauge("ext_authz.name.active").value()); EXPECT_CALL(filter_callbacks_, continueReading()); - request_callbacks_->onComplete(CheckStatus::OK); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::OK); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data, false)); 
@@ -130,8 +136,10 @@ TEST_F(ExtAuthzFilterTest, DeniedWithOnData) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); // Confirm that the invocation of onNewConnection did NOT increment the active or total count! @@ -145,7 +153,7 @@ TEST_F(ExtAuthzFilterTest, DeniedWithOnData) { EXPECT_CALL(filter_callbacks_.connection_, close(Network::ConnectionCloseType::NoFlush)); EXPECT_CALL(*client_, cancel()).Times(0); - request_callbacks_->onComplete(CheckStatus::Denied); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Denied); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data, false)); @@ -162,8 +170,10 @@ TEST_F(ExtAuthzFilterTest, FailOpen) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); 
@@ -172,7 +182,7 @@ TEST_F(ExtAuthzFilterTest, FailOpen) { EXPECT_CALL(filter_callbacks_.connection_, close(_)).Times(0); EXPECT_CALL(*client_, cancel()).Times(0); EXPECT_CALL(filter_callbacks_, continueReading()); - request_callbacks_->onComplete(CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data, false)); @@ -191,8 +201,10 @@ TEST_F(ExtAuthzFilterTest, FailClose) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); @@ -200,7 +212,7 @@ TEST_F(ExtAuthzFilterTest, FailClose) { EXPECT_CALL(filter_callbacks_.connection_, close(_)).Times(1); EXPECT_CALL(filter_callbacks_, continueReading()).Times(0); - request_callbacks_->onComplete(CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ(1U, stats_store_.counter("ext_authz.name.total").value()); EXPECT_EQ(1U, stats_store_.counter("ext_authz.name.error").value()); 
@@ -217,15 +229,17 @@ TEST_F(ExtAuthzFilterTest, DoNotCallCancelonRemoteClose) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data, false)); EXPECT_CALL(filter_callbacks_, continueReading()); - request_callbacks_->onComplete(CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data, false)); @@ -247,8 +261,10 @@ TEST_F(ExtAuthzFilterTest, VerifyCancelOnRemoteClose) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); 
@@ -273,8 +289,10 @@ TEST_F(ExtAuthzFilterTest, ImmediateOK) { EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_, continueReading()).Times(0); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke( - [&](RequestCallbacks& callbacks) -> void { callbacks.onComplete(CheckStatus::OK); }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + callbacks.onComplete(Filters::Common::ExtAuthz::CheckStatus::OK); + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); @@ -291,6 +309,34 @@ TEST_F(ExtAuthzFilterTest, ImmediateOK) { EXPECT_EQ(0U, stats_store_.counter("ext_authz.name.cx_closed").value()); } -} // namespace TcpFilter +TEST(NetworkFilterConfigTest, ExtAuthzCorrectProto) { + std::string yaml = R"EOF( + grpc_service: + google_grpc: + target_uri: ext_authz_server + stat_prefix: google + failure_mode_allow: false + stat_prefix: name +)EOF"; + + envoy::config::filter::network::ext_authz::v2::ExtAuthz proto_config{}; + MessageUtil::loadFromYaml(yaml, proto_config); + + NiceMock context; + ExtAuthzConfigFactory factory; + + EXPECT_CALL(context.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _)) + .WillOnce(Invoke([](const envoy::api::v2::core::GrpcService&, Stats::Scope&) { + return std::make_unique>(); + })); + Server::Configuration::NetworkFilterFactoryCb cb = + factory.createFilterFactoryFromProto(proto_config, context); + Network::MockConnection connection; + EXPECT_CALL(connection, addReadFilter(_)); + cb(connection); +} + } // namespace ExtAuthz +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy diff --git a/test/mocks/ext_authz/BUILD b/test/mocks/ext_authz/BUILD deleted file mode 100644 index 725c43b303014..0000000000000 --- a/test/mocks/ext_authz/BUILD +++ /dev/null 
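Review bot: The relocated `ExtAuthzCorrectProto` test sets `failure_mode_allow: false` but asserts only that `addReadFilter(_)` is called, so it would still pass if the factory ignored that field and the filter were built to fail open. Since this flag decides whether traffic proceeds when the authorization service errors, the test should state what it does and does not cover, for example `// Smoke test: a valid proto yields a read filter; fail-open vs fail-closed behaviour is covered by FailOpen/FailClose above.` Presumably those fixture tests configure the flag each way, but their setup is not visible in these hunks and is worth confirming. The suite name `NetworkFilterConfigTest` is also carried over unchanged from `test/server/config/network/config_test.cc`; a name tied to this extension would make a failure easier to locate.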
@@ -1,18 +0,0 @@ -licenses(["notice"]) # Apache 2 - -load( - "//bazel:envoy_build_system.bzl", - "envoy_cc_mock", - "envoy_package", -) - -envoy_package() - -envoy_cc_mock( - name = "ext_authz_mocks", - srcs = ["mocks.cc"], - hdrs = ["mocks.h"], - deps = [ - "//include/envoy/ext_authz:ext_authz_interface", - ], -) diff --git a/test/server/config/http/BUILD b/test/server/config/http/BUILD index a93817427737d..40feea2c80f4f 100644 --- a/test/server/config/http/BUILD +++ b/test/server/config/http/BUILD @@ -18,7 +18,6 @@ envoy_cc_test( "//source/common/router:router_lib", "//source/server/config/http:buffer_lib", "//source/server/config/http:dynamo_lib", - "//source/server/config/http:ext_authz_lib", "//source/server/config/http:fault_lib", "//source/server/config/http:grpc_http1_bridge_lib", "//source/server/config/http:grpc_json_transcoder_lib", diff --git a/test/server/config/http/config_test.cc b/test/server/config/http/config_test.cc index 4660c5474ed41..f35b1ed6c3e06 100644 --- a/test/server/config/http/config_test.cc +++ b/test/server/config/http/config_test.cc @@ -12,7 +12,6 @@ #include "server/config/http/buffer.h" #include "server/config/http/dynamo.h" -#include "server/config/http/ext_authz.h" #include "server/config/http/fault.h" #include "server/config/http/grpc_http1_bridge.h" #include "server/config/http/grpc_json_transcoder.h" 
@@ -449,37 +448,6 @@ TEST(HttpTracerConfigTest, DoubleRegistrationTest) { "Double registration for name: 'envoy.zipkin'"); } -TEST(HttpExtAuthzConfigTest, ExtAuthzCorrectProto) { - std::string yaml = R"EOF( - grpc_service: - google_grpc: - target_uri: ext_authz_server - stat_prefix: google - failure_mode_allow: false -)EOF"; - - envoy::config::filter::http::ext_authz::v2::ExtAuthz proto_config{}; - MessageUtil::loadFromYaml(yaml, proto_config); - - NiceMock context; - ExtAuthzFilterConfig factory; - - EXPECT_CALL(context.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _)) - .WillOnce(Invoke([](const envoy::api::v2::core::GrpcService&, Stats::Scope&) { - return std::make_unique>(); - })); - HttpFilterFactoryCb cb = factory.createFilterFactoryFromProto(proto_config, "stats", context); - Http::MockFilterChainFactoryCallbacks filter_callback; - EXPECT_CALL(filter_callback, addStreamDecoderFilter(_)); - cb(filter_callback); -} - -TEST(HttpExtAuthzConfigTest, DoubleRegistrationTest) { - EXPECT_THROW_WITH_MESSAGE( - (Registry::RegisterFactory()), - EnvoyException, "Double registration for name: 'envoy.ext_authz'"); -} - } // namespace Configuration } // namespace Server } // namespace Envoy diff --git a/test/server/config/network/BUILD b/test/server/config/network/BUILD index 8195715302830..498f5d53447fc 100644 --- a/test/server/config/network/BUILD +++ b/test/server/config/network/BUILD 
@@ -17,10 +17,10 @@ envoy_cc_test( "//source/common/dynamo:dynamo_filter_lib", "//source/common/protobuf:utility_lib", "//source/extensions/filters/network/client_ssl_auth:config", + "//source/extensions/filters/network/ext_authz:config", "//source/extensions/filters/network/mongo_proxy:config", "//source/extensions/filters/network/tcp_proxy:config", "//source/server/config/access_log:file_access_log_lib", - "//source/server/config/network:ext_authz_lib", "//source/server/config/network:http_connection_manager_lib", "//source/server/config/network:ratelimit_lib", "//source/server/config/network:redis_proxy_lib", diff --git a/test/server/config/network/config_test.cc b/test/server/config/network/config_test.cc index ca9582adf664b..c0f2a4f4e3e82 100644 --- a/test/server/config/network/config_test.cc +++ b/test/server/config/network/config_test.cc @@ -9,12 +9,12 @@ #include "common/protobuf/utility.h" #include "server/config/access_log/file_access_log.h" -#include "server/config/network/ext_authz.h" #include "server/config/network/http_connection_manager.h" #include "server/config/network/ratelimit.h" #include "server/config/network/redis_proxy.h" #include "extensions/filters/network/client_ssl_auth/config.h" +#include "extensions/filters/network/ext_authz/config.h" #include "extensions/filters/network/mongo_proxy/config.h" #include "extensions/filters/network/tcp_proxy/config.h" @@ -49,7 +49,7 @@ TEST(NetworkFilterConfigTest, ValidateFail) { envoy::config::filter::network::redis_proxy::v2::RedisProxy redis_proto; Extensions::NetworkFilters::TcpProxy::TcpProxyConfigFactory tcp_proxy_factory; envoy::config::filter::network::tcp_proxy::v2::TcpProxy tcp_proxy_proto; - ExtAuthzConfigFactory ext_authz_factory; + Extensions::NetworkFilters::ExtAuthz::ExtAuthzConfigFactory ext_authz_factory; envoy::config::filter::network::ext_authz::v2::ExtAuthz ext_authz_proto; const std::vector> filter_cases = { 
@@ -404,32 +404,6 @@ TEST(AccessLogConfigTest, FileAccessLogTest) { EXPECT_NE(nullptr, dynamic_cast(instance.get())); } -TEST(NetworkFilterConfigTest, ExtAuthzCorrectProto) { - std::string yaml = R"EOF( - grpc_service: - google_grpc: - target_uri: ext_authz_server - stat_prefix: google - failure_mode_allow: false - stat_prefix: name -)EOF"; - - envoy::config::filter::network::ext_authz::v2::ExtAuthz proto_config{}; - MessageUtil::loadFromYaml(yaml, proto_config); - - NiceMock context; - ExtAuthzConfigFactory factory; - - EXPECT_CALL(context.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _)) - .WillOnce(Invoke([](const envoy::api::v2::core::GrpcService&, Stats::Scope&) { - return std::make_unique>(); - })); - NetworkFilterFactoryCb cb = factory.createFilterFactoryFromProto(proto_config, context); - Network::MockConnection connection; - EXPECT_CALL(connection, addReadFilter(_)); - cb(connection); -} - } // namespace Configuration } // namespace Server } // namespace Envoy