filter: add conditions to access control filter

CODEOWNERS

@@ -51,3 +51,5 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/filters/http/adaptive_concurrency @tonya11en @mattklein123
 # http inspector
 /*/extensions/filters/listener/http_inspector @crazyxy @PiotrSikora @lizan
+# attribute context
+/*/extensions/filters/common/expr @kyessenov @yangminzhu

api/bazel/api_build_system.bzl

@@ -23,13 +23,13 @@ def _LibrarySuffix(library_name, suffix):
 # TODO(htuch): Convert this to native py_proto_library once
 # https://github.com/bazelbuild/bazel/issues/3935 and/or
 # https://github.com/bazelbuild/bazel/issues/2626 are resolved.
-def api_py_proto_library(name, srcs = [], deps = [], has_services = 0):
+def api_py_proto_library(name, srcs = [], deps = [], external_py_proto_deps = [], has_services = 0):
     _py_proto_library(
         name = _Suffix(name, _PY_SUFFIX),
         srcs = srcs,
         default_runtime = "@com_google_protobuf//:protobuf_python",
         protoc = "@com_google_protobuf//:protoc",
-        deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + [
+        deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + external_py_proto_deps + [
             "@com_envoyproxy_protoc_gen_validate//validate:validate_py",
             "@com_google_googleapis//google/rpc:status_py_proto",
             "@com_google_googleapis//google/api:annotations_py_proto",
@@ -116,6 +116,7 @@ def api_proto_library(
         deps = [],
         external_proto_deps = [],
         external_cc_proto_deps = [],
+        external_py_proto_deps = [],
         has_services = 0,
         linkstatic = None,
         require_py = 1):
@@ -152,7 +153,7 @@ def api_proto_library(
     )
     py_export_suffixes = []
     if (require_py == 1):
-        api_py_proto_library(name, srcs, deps, has_services)
+        api_py_proto_library(name, srcs, deps, external_py_proto_deps, has_services)
         py_export_suffixes = ["_py", "_py_genproto"]
 
     # Allow unlimited visibility for consumers

api/envoy/config/rbac/v2/BUILD

@@ -5,6 +5,15 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_go_proto_library", "api_prot
 api_proto_library_internal(
     name = "rbac",
     srcs = ["rbac.proto"],
+    external_cc_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_cc_proto",
+    ],
+    external_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
+    ],
+    external_py_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_py_proto",
+    ],
     visibility = ["//visibility:public"],
     deps = [
         "//envoy/api/v2/core:address",
@@ -22,5 +31,6 @@ api_go_proto_library(
         "//envoy/api/v2/route:route_go_proto",
         "//envoy/type/matcher:metadata_go_proto",
         "//envoy/type/matcher:string_go_proto",
+        "@com_google_googleapis//google/api/expr/v1alpha1:cel_go_proto",
     ],
 )

api/envoy/config/rbac/v2/rbac.proto

@@ -7,6 +7,8 @@ import "envoy/api/v2/route/route.proto";
 import "envoy/type/matcher/metadata.proto";
 import "envoy/type/matcher/string.proto";
 
+import "google/api/expr/v1alpha1/syntax.proto";
+
 package envoy.config.rbac.v2;
 
 option java_outer_classname = "RbacProto";
@@ -81,7 +83,7 @@ message RBAC {
 
 // Policy specifies a role and the principals that are assigned/denied the role. A policy matches if
 // and only if at least one of its permissions match the action taking place AND at least one of its
-// principals match the downstream.
+// principals match the downstream AND the condition is true if specified.
 message Policy {
   // Required. The set of permissions that define a role. Each permission is matched with OR
   // semantics. To match all actions for this policy, a single Permission with the `any` field set
@@ -92,6 +94,10 @@ message Policy {
   // principal is matched with OR semantics. To match all downstreams for this policy, a single
   // Principal with the `any` field set to true should be used.
   repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1];
+
+  // An optional symbolic expression specifying an access control condition.
+  // The condition is combined with AND semantics.
+  google.api.expr.v1alpha1.Expr condition = 3;
 }
 
 // Permission defines an action (or actions) that a principal can take.

bazel/repositories.bzl

@@ -153,6 +153,8 @@ def envoy_dependencies(skip_targets = []):
     _com_lightstep_tracer_cpp()
     _io_opentracing_cpp()
     _net_zlib()
+    _repository_impl("com_googlesource_code_re2")
+    _com_google_cel_cpp()
     _repository_impl("bazel_toolchains")
 
     _python_deps()
@@ -315,6 +317,9 @@ def _net_zlib():
         actual = "@envoy//bazel/foreign_cc:zlib",
     )
 
+def _com_google_cel_cpp():
+    _repository_impl("com_google_cel_cpp")
+
 def _com_github_nghttp2_nghttp2():
     location = REPOSITORY_LOCATIONS["com_github_nghttp2_nghttp2"]
     http_archive(

bazel/repository_locations.bzl

@@ -248,4 +248,14 @@ REPOSITORY_LOCATIONS = dict(
         sha256 = "fcdebf54c89d839ffa7eefae166c8e4b551c765559db13ff15bff98047f344fb",
         urls = ["https://storage.googleapis.com/quiche-envoy-integration/2a930469533c3b541443488a629fe25cd8ff53d0.tar.gz"],
     ),
+    com_google_cel_cpp = dict(
+        sha256 = "f027c551d57d38fb9f0b5e4f21a2b0b8663987119e23b1fd8dfcc7588e9a2350",
+        strip_prefix = "cel-cpp-d9d02b20ab85da2444dbdd03410bac6822141364",
+        urls = ["https://github.com/google/cel-cpp/archive/d9d02b20ab85da2444dbdd03410bac6822141364.tar.gz"],
+    ),
+    com_googlesource_code_re2 = dict(
+        sha256 = "f31db9cd224d018a7e4fe88ef84aaa874b0b3ed91d4d98ee5a1531101d3fdc64",
+        strip_prefix = "re2-87e2ad45e7b18738e1551474f7ee5886ff572059",
+        urls = ["https://github.com/google/re2/archive/87e2ad45e7b18738e1551474f7ee5886ff572059.tar.gz"],
+    ),
 )

docs/root/intro/version_history.rst

@@ -24,6 +24,7 @@ Version history
 * rbac: added support for DNS SAN as :ref:`principal_name <envoy_api_field_config.rbac.v2.Principal.Authenticated.principal_name>`.
 * lua: extended `httpCall()` and `respond()` APIs to accept headers with entry values that can be a string or table of strings.
 * performance: new buffer implementation enabled by default (to disable add "--use-libevent-buffers 1" to the command-line arguments when starting Envoy).
+* rbac: added conditions to the policy, see :ref:`condition <envoy_api_field_config.rbac.v2.Policy.condition>`.
 * router: added :ref:`rq_retry_skipped_request_not_complete <config_http_filters_router_stats>` counter stat to router stats.
 * router check tool: add coverage reporting & enforcement.
 * router check tool: add comprehensive coverage reporting.

source/extensions/filters/common/expr/BUILD

@@ -0,0 +1,34 @@
+licenses(["notice"])  # Apache 2
+
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+    name = "evaluator_lib",
+    srcs = ["evaluator.cc"],
+    hdrs = ["evaluator.h"],
+    deps = [
+        ":context_lib",
+        "//source/common/http:utility_lib",
+        "//source/common/protobuf",
+        "@com_google_cel_cpp//eval/public:builtin_func_registrar",
+        "@com_google_cel_cpp//eval/public:cel_expr_builder_factory",
+        "@com_google_cel_cpp//eval/public:cel_expression",
+        "@com_google_cel_cpp//eval/public:cel_value",
+    ],
+)
+
+envoy_cc_library(
+    name = "context_lib",
+    srcs = ["context.cc"],
+    hdrs = ["context.h"],
+    deps = [
+        "//source/common/http:utility_lib",
+        "@com_google_cel_cpp//eval/public:cel_value",
+    ],
+)

source/extensions/filters/common/expr/context.cc

@@ -0,0 +1,164 @@
+#include "extensions/filters/common/expr/context.h"
+
+#include "absl/strings/numbers.h"
+#include "absl/time/time.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace Filters {
+namespace Common {
+namespace Expr {
+
+namespace {
+
+absl::optional<CelValue> convertHeaderEntry(const Http::HeaderEntry* header) {
+  if (header == nullptr) {
+    return {};
+  }
+  return CelValue::CreateString(header->value().getStringView());
+}
+
+} // namespace
+
+absl::optional<CelValue> HeadersWrapper::operator[](CelValue key) const {
+  if (value_ == nullptr || !key.IsString()) {
+    return {};
+  }
+  auto out = value_->get(Http::LowerCaseString(std::string(key.StringOrDie().value())));
+  return convertHeaderEntry(out);
+}
+
+absl::optional<CelValue> RequestWrapper::operator[](CelValue key) const {
+  if (!key.IsString()) {
+    return {};
+  }
+  auto value = key.StringOrDie().value();
+
+  if (value == Headers) {
+    return CelValue::CreateMap(&headers_);
+  } else if (value == Time) {
+    return CelValue::CreateTimestamp(absl::FromChrono(info_.startTime()));
+  } else if (value == Size) {
+    // it is important to make a choice whether to rely on content-length vs stream info
+    // (which is not available at the time of the request headers)
+    if (headers_.value_ != nullptr && headers_.value_->ContentLength() != nullptr) {
+      int64_t length;
+      if (absl::SimpleAtoi(headers_.value_->ContentLength()->value().getStringView(), &length)) {
+        return CelValue::CreateInt64(length);
+      }
+    } else {
+      return CelValue::CreateInt64(info_.bytesReceived());
+    }
+  } else if (value == Duration) {
+    auto duration = info_.requestComplete();
+    if (duration.has_value()) {
+      return CelValue::CreateDuration(absl::FromChrono(duration.value()));
+    }
+  }
+
+  if (headers_.value_ != nullptr) {
+    if (value == Path) {
+      return convertHeaderEntry(headers_.value_->Path());
+    } else if (value == UrlPath) {
+      absl::string_view path = headers_.value_->Path()->value().getStringView();
+      size_t query_offset = path.find('?');
+      if (query_offset == absl::string_view::npos) {
+        return CelValue::CreateString(path);
+      }
+      return CelValue::CreateString(path.substr(0, query_offset));
+    } else if (value == Host) {
+      return convertHeaderEntry(headers_.value_->Host());
+    } else if (value == Scheme) {
+      return convertHeaderEntry(headers_.value_->Scheme());
+    } else if (value == Method) {
+      return convertHeaderEntry(headers_.value_->Method());
+    } else if (value == Referer) {
+      return convertHeaderEntry(headers_.value_->Referer());
+    } else if (value == ID) {
+      return convertHeaderEntry(headers_.value_->RequestId());
+    } else if (value == UserAgent) {
+      return convertHeaderEntry(headers_.value_->UserAgent());
+    } else if (value == TotalSize) {
+      return CelValue::CreateInt64(info_.bytesReceived() + headers_.value_->byteSize());
+    }
+  }
+  return {};
+}
+
+absl::optional<CelValue> ResponseWrapper::operator[](CelValue key) const {
+  if (!key.IsString()) {
+    return {};
+  }
+  auto value = key.StringOrDie().value();
+  if (value == Code) {
+    auto code = info_.responseCode();
+    if (code.has_value()) {
+      return CelValue::CreateInt64(code.value());
+    }
+  } else if (value == Size) {
+    return CelValue::CreateInt64(info_.bytesSent());
+  } else if (value == Headers) {
+    return CelValue::CreateMap(&headers_);
+  } else if (value == Trailers) {
+    return CelValue::CreateMap(&trailers_);
+  }
+  return {};
+}
+
+absl::optional<CelValue> ConnectionWrapper::operator[](CelValue key) const {
+  if (!key.IsString()) {
+    return {};
+  }
+  auto value = key.StringOrDie().value();
+  if (value == UpstreamAddress) {
+    auto upstream_host = info_.upstreamHost();
+    if (upstream_host != nullptr && upstream_host->address() != nullptr) {
+      return CelValue::CreateString(upstream_host->address()->asStringView());
+    }
+  } else if (value == UpstreamPort) {
+    auto upstream_host = info_.upstreamHost();
+    if (upstream_host != nullptr && upstream_host->address() != nullptr &&
+        upstream_host->address()->ip() != nullptr) {
+      return CelValue::CreateInt64(upstream_host->address()->ip()->port());
+    }
+  } else if (value == MTLS) {
+    return CelValue::CreateBool(info_.downstreamSslConnection() != nullptr &&
+                                info_.downstreamSslConnection()->peerCertificatePresented());
+  } else if (value == RequestedServerName) {
+    return CelValue::CreateString(info_.requestedServerName());
+  }
+
+  return {};
+}
+
+absl::optional<CelValue> PeerWrapper::operator[](CelValue key) const {
+  if (!key.IsString()) {
+    return {};
+  }
+  auto value = key.StringOrDie().value();
+  if (value == Address) {
+    if (local_) {
+      return CelValue::CreateString(info_.downstreamLocalAddress()->asStringView());
+    } else {
+      return CelValue::CreateString(info_.downstreamRemoteAddress()->asStringView());
+    }
+  } else if (value == Port) {
+    if (local_) {
+      if (info_.downstreamLocalAddress()->ip() != nullptr) {
+        return CelValue::CreateInt64(info_.downstreamLocalAddress()->ip()->port());
+      }
+    } else {
+      if (info_.downstreamRemoteAddress()->ip() != nullptr) {
+        return CelValue::CreateInt64(info_.downstreamRemoteAddress()->ip()->port());
+      }
+    }
+  }
+
+  return {};
+}
+
+} // namespace Expr
+} // namespace Common
+} // namespace Filters
+} // namespace Extensions
+} // namespace Envoy