/proc/self/cwd/source/extensions/filters/common/ext_authz/check_request_utils.h
Line | Count | Source (jump to first uncovered line) |
1 | | #pragma once |
2 | | |
3 | | #include <chrono> |
4 | | #include <cstdint> |
5 | | #include <string> |
6 | | #include <vector> |
7 | | |
8 | | #include "envoy/config/core/v3/base.pb.h" |
9 | | #include "envoy/grpc/async_client.h" |
10 | | #include "envoy/grpc/async_client_manager.h" |
11 | | #include "envoy/http/filter.h" |
12 | | #include "envoy/http/header_map.h" |
13 | | #include "envoy/http/protocol.h" |
14 | | #include "envoy/network/address.h" |
15 | | #include "envoy/network/connection.h" |
16 | | #include "envoy/network/filter.h" |
17 | | #include "envoy/service/auth/v3/attribute_context.pb.h" |
18 | | #include "envoy/service/auth/v3/external_auth.pb.h" |
19 | | #include "envoy/tracing/tracer.h" |
20 | | #include "envoy/upstream/cluster_manager.h" |
21 | | |
22 | | #include "source/common/common/logger.h" |
23 | | #include "source/common/http/async_client_impl.h" |
24 | | #include "source/common/singleton/const_singleton.h" |
25 | | |
26 | | namespace Envoy { |
27 | | namespace Extensions { |
28 | | namespace Filters { |
29 | | namespace Common { |
30 | | namespace ExtAuthz { |
31 | | |
32 | | class Matcher; |
33 | | using MatcherSharedPtr = std::shared_ptr<Matcher>; |
34 | | |
35 | | /** |
36 | | * Matchers describe the rules for matching authorization request and response headers. |
37 | | */ |
38 | | class Matcher { |
39 | | public: |
40 | 0 | virtual ~Matcher() = default; |
41 | | |
42 | | /** |
43 | | * Returns whether or not the header key matches the rules of the matcher. |
44 | | * |
45 | | * @param key supplies the header key to be evaluated. |
46 | | */ |
47 | | virtual bool matches(absl::string_view key) const PURE; |
48 | | }; |
49 | | |
50 | | class HeaderKeyMatcher : public Matcher { |
51 | | public: |
52 | | HeaderKeyMatcher(std::vector<Matchers::StringMatcherPtr>&& list); |
53 | | |
54 | | bool matches(absl::string_view key) const override; |
55 | | |
56 | | private: |
57 | | const std::vector<Matchers::StringMatcherPtr> matchers_; |
58 | | }; |
59 | | |
60 | | class NotHeaderKeyMatcher : public Matcher { |
61 | | public: |
62 | | NotHeaderKeyMatcher(std::vector<Matchers::StringMatcherPtr>&& list); |
63 | | |
64 | | bool matches(absl::string_view key) const override; |
65 | | |
66 | | private: |
67 | | const HeaderKeyMatcher matcher_; |
68 | | }; |
69 | | |
70 | | /** |
71 | | * For creating ext_authz.proto (authorization) request. |
72 | | * CheckRequestUtils is used to extract attributes from the TCP/HTTP request |
73 | | * and fill out the details in the authorization protobuf that is sent to authorization |
74 | | * service. |
75 | | * The specific information in the request is as per the specification in the |
76 | | * data plane API. |
77 | | */ |
78 | | class CheckRequestUtils { |
79 | | public: |
80 | | /** |
81 | | * createHttpCheck is used to extract the attributes from the stream and the http headers |
82 | | * and fill them up in the CheckRequest proto message. |
83 | | * @param callbacks supplies the Http stream context from which data can be extracted. |
84 | | * @param headers supplies the header map with http headers that will be used to create the |
85 | | * check request. |
86 | | * @param request is the reference to the check request that will be filled up. |
87 | | * @param with_request_body when true, will add the request body to the check request. |
88 | | * @param pack_as_bytes when true, will set the check request body as bytes. |
89 | | * @param include_peer_certificate whether to include the peer certificate in the check request. |
90 | | * @param include_tls_session whether to include the TLS session details in the check request. |
91 | | */ |
92 | | static void createHttpCheck(const Envoy::Http::StreamDecoderFilterCallbacks* callbacks, |
93 | | const Envoy::Http::RequestHeaderMap& headers, |
94 | | Protobuf::Map<std::string, std::string>&& context_extensions, |
95 | | envoy::config::core::v3::Metadata&& metadata_context, |
96 | | envoy::config::core::v3::Metadata&& route_metadata_context, |
97 | | envoy::service::auth::v3::CheckRequest& request, |
98 | | uint64_t max_request_bytes, bool pack_as_bytes, |
99 | | bool include_peer_certificate, bool include_tls_session, |
100 | | const Protobuf::Map<std::string, std::string>& destination_labels, |
101 | | const MatcherSharedPtr& request_header_matchers); |
102 | | |
103 | | /** |
104 | | * createTcpCheck is used to extract the attributes from the network layer and fill them up |
105 | | * in the CheckRequest proto message. |
106 | | * @param callbacks supplies the network layer context from which data can be extracted. |
107 | | * @param request is the reference to the check request that will be filled up. |
108 | | * @param include_peer_certificate whether to include the peer certificate in the check request. |
109 | | */ |
110 | | static void createTcpCheck(const Network::ReadFilterCallbacks* callbacks, |
111 | | envoy::service::auth::v3::CheckRequest& request, |
112 | | bool include_peer_certificate, |
113 | | const Protobuf::Map<std::string, std::string>& destination_labels); |
114 | | |
115 | | static MatcherSharedPtr toRequestMatchers(const envoy::type::matcher::v3::ListStringMatcher& list, |
116 | | bool add_http_headers); |
117 | | static std::vector<Matchers::StringMatcherPtr> |
118 | | createStringMatchers(const envoy::type::matcher::v3::ListStringMatcher& list); |
119 | | |
120 | | private: |
121 | | static void setAttrContextPeer(envoy::service::auth::v3::AttributeContext::Peer& peer, |
122 | | const Network::Connection& connection, const std::string& service, |
123 | | const bool local, bool include_certificate); |
124 | | static void setRequestTime(envoy::service::auth::v3::AttributeContext::Request& req, |
125 | | const StreamInfo::StreamInfo& stream_info); |
126 | | static void setHttpRequest(envoy::service::auth::v3::AttributeContext::HttpRequest& httpreq, |
127 | | const uint64_t stream_id, const StreamInfo::StreamInfo& stream_info, |
128 | | const Buffer::Instance* decoding_buffer, |
129 | | const Envoy::Http::RequestHeaderMap& headers, |
130 | | uint64_t max_request_bytes, bool pack_as_byte, |
131 | | const MatcherSharedPtr& request_header_matchers); |
132 | | static void setAttrContextRequest(envoy::service::auth::v3::AttributeContext::Request& req, |
133 | | const uint64_t stream_id, |
134 | | const StreamInfo::StreamInfo& stream_info, |
135 | | const Buffer::Instance* decoding_buffer, |
136 | | const Envoy::Http::RequestHeaderMap& headers, |
137 | | uint64_t max_request_bytes, bool pack_as_bytes, |
138 | | const MatcherSharedPtr& request_header_matchers); |
139 | | static std::string getHeaderStr(const Envoy::Http::HeaderEntry* entry); |
140 | | static Envoy::Http::HeaderMap::Iterate fillHttpHeaders(const Envoy::Http::HeaderEntry&, void*); |
141 | | }; |
142 | | |
143 | | } // namespace ExtAuthz |
144 | | } // namespace Common |
145 | | } // namespace Filters |
146 | | } // namespace Extensions |
147 | | } // namespace Envoy |