From 218da90e0dfb3b7a26eedfe8203251b2dd2bede9 Mon Sep 17 00:00:00 2001 From: Matt Klein Date: Wed, 28 Mar 2018 14:37:44 -0700 Subject: [PATCH] repo reorg: move ext auth filters (#2923) Demonstrates common code across multiple filters. 
Signed-off-by: Matt Klein --- REPO_LAYOUT.md | 94 ++++++++++++ STYLE.md | 4 + include/envoy/ext_authz/BUILD | 18 --- source/common/filter/BUILD | 18 --- source/common/http/filter/BUILD | 34 ----- source/exe/BUILD | 2 - source/extensions/all_extensions.bzl | 2 + .../filters}/common/ext_authz/BUILD | 11 +- .../filters/common}/ext_authz/ext_authz.h | 6 + .../common/ext_authz/ext_authz_impl.cc | 10 +- .../common/ext_authz/ext_authz_impl.h | 9 +- .../extensions/filters/http/ext_authz/BUILD | 38 +++++ .../filters/http/ext_authz/config.cc} | 44 +++--- .../filters/http/ext_authz/config.h | 44 ++++++ .../filters/http/ext_authz}/ext_authz.cc | 48 +++--- .../filters/http/ext_authz}/ext_authz.h | 32 ++-- .../filters/network/ext_authz/BUILD | 41 +++++ .../filters/network/ext_authz/config.cc} | 43 +++--- .../filters/network/ext_authz/config.h} | 26 ++-- .../filters/network/ext_authz}/ext_authz.cc | 32 ++-- .../filters/network/ext_authz}/ext_authz.h | 27 ++-- source/server/BUILD | 1 - source/server/config/http/BUILD | 14 -- source/server/config/http/ext_authz.h | 39 ----- source/server/config/network/BUILD | 14 -- test/common/filter/BUILD | 21 --- test/common/http/filter/BUILD | 25 --- .../filters}/common/ext_authz/BUILD | 12 +- .../common/ext_authz/ext_authz_impl_test.cc | 9 +- .../filters/common}/ext_authz/mocks.cc | 6 + .../filters/common}/ext_authz/mocks.h | 8 +- test/extensions/filters/http/ext_authz/BUILD | 34 +++++ .../filters/http/ext_authz}/ext_authz_test.cc | 142 ++++++++++++------ .../filters/network/ext_authz/BUILD | 30 ++++ .../network/ext_authz}/ext_authz_test.cc | 102 +++++++++---- test/mocks/ext_authz/BUILD | 18 --- test/server/config/http/BUILD | 1 - test/server/config/http/config_test.cc | 32 ---- test/server/config/network/BUILD | 2 +- test/server/config/network/config_test.cc | 30 +--- 40 files changed, 656 insertions(+), 467 deletions(-) create mode 100644 REPO_LAYOUT.md delete mode 100644 include/envoy/ext_authz/BUILD rename source/{ => 
extensions/filters}/common/ext_authz/BUILD (81%) rename {include/envoy => source/extensions/filters/common}/ext_authz/ext_authz.h (92%) rename source/{ => extensions/filters}/common/ext_authz/ext_authz_impl.cc (97%) rename source/{ => extensions/filters}/common/ext_authz/ext_authz_impl.h (95%) create mode 100644 source/extensions/filters/http/ext_authz/BUILD rename source/{server/config/http/ext_authz.cc => extensions/filters/http/ext_authz/config.cc} (52%) create mode 100644 source/extensions/filters/http/ext_authz/config.h rename source/{common/http/filter => extensions/filters/http/ext_authz}/ext_authz.cc (61%) rename source/{common/http/filter => extensions/filters/http/ext_authz}/ext_authz.h (69%) create mode 100644 source/extensions/filters/network/ext_authz/BUILD rename source/{server/config/network/ext_authz.cc => extensions/filters/network/ext_authz/config.cc} (51%) rename source/{server/config/network/ext_authz.h => extensions/filters/network/ext_authz/config.h} (52%) rename source/{common/filter => extensions/filters/network/ext_authz}/ext_authz.cc (70%) rename source/{common/filter => extensions/filters/network/ext_authz}/ext_authz.h (83%) delete mode 100644 source/server/config/http/ext_authz.h rename test/{ => extensions/filters}/common/ext_authz/BUILD (71%) rename test/{ => extensions/filters}/common/ext_authz/ext_authz_impl_test.cc (97%) rename test/{mocks => extensions/filters/common}/ext_authz/mocks.cc (55%) rename test/{mocks => extensions/filters/common}/ext_authz/mocks.h (71%) create mode 100644 test/extensions/filters/http/ext_authz/BUILD rename test/{common/http/filter => extensions/filters/http/ext_authz}/ext_authz_test.cc (65%) create mode 100644 test/extensions/filters/network/ext_authz/BUILD rename test/{common/filter => extensions/filters/network/ext_authz}/ext_authz_test.cc (77%) delete mode 100644 test/mocks/ext_authz/BUILD diff --git a/REPO_LAYOUT.md b/REPO_LAYOUT.md new file mode 100644 index 000000000000..2c057e88d24b --- /dev/null 
+++ b/REPO_LAYOUT.md 
@@ -0,0 +1,94 @@ +# Repository layout overview + +This is a high level overview of how the repository is laid out to both aid in code investigation, +as well as to clearly specify how extensions are added to the repository. The top level directories +are: + +* [.circleci/](.circleci/): Configuration for [CircleCI](https://circleci.com/gh/envoyproxy). +* [bazel/](bazel/): Configuration for Envoy's use of [Bazel](https://bazel.build/). +* [ci/](ci/): Scripts used both during CI as well as to build Docker containers. +* [configs/](configs/): Example Envoy configurations. +* [docs/](docs/): Project level documentation as well as scripts for publishing final docs during + releases. +* [examples/](examples/): Larger Envoy examples using Docker and Docker Compose. +* [include/](include/): "Public" interface headers for "core" Envoy. In general, + these are almost entirely 100% abstract classes. There are a few cases of not-abstract classes in + the "public" headers, typically for performance reasons. Note that "core" includes some + "extensions" such as the HTTP connection manager filter and associated functionality which are + so fundamental to Envoy that they will likely never be optional from a compilation perspective. +* [restarter/](restarter/): Envoy's hot restart wrapper Python script. +* [source/](source/): Source code for core Envoy as well as extensions. The layout of this directory + is discussed in further detail below. +* [support/](support/): Development support scripts (pre-commit Git hooks, etc.) +* [test/](test/): Test code for core Envoy as well as extensions. The layout of this directory is + discussed in further detail below. +* [tools/](tools/): Miscellaneous tools that have not found a home somewhere else. + +## [source/](source/) + +* [common/](source/common/): Core Envoy code (not specific to extensions) that is also not + specific to a standalone server implementation. 
I.e., this is code that could be used if Envoy + were eventually embedded as a library. +* [docs/](source/docs/): Miscellaneous developer/design documentation that is not relevant for + the public user documentation. +* [exe/](source/exe/): Code specific to building the final production Envoy server binary. This is + the only code that is not shared by integration and unit tests. +* [extensions/](source/extensions/): Extensions to the core Envoy code. The layout of this + directory is discussed in further detail below. +* [server/](source/server/): Code specific to running Envoy as a standalone server. E.g, + configuration, server startup, workers, etc. Over time, the line between `common/` and `server/` + has become somewhat blurred. Use best judgment as to where to place something. + +## [test/](test/) + +Not every directory within test is described below, but a few highlights: + +* Unit tests are found in directories matching their [source/](source/) equivalents. E.g., + [common/](test/common/), [exe/](test/exe/), and [server/](test/server/). +* Extension unit tests also match their source equivalents in [extensions/](test/extensions/). +* [integration/](test/integration/) holds end-to-end integration tests using roughly the real + Envoy server code, fake downstream clients, and fake upstream servers. Integration tests also + test some of the extensions found in the repository. Note that in the future, we would like to + allow integration tests that are specific to extensions and are not required for covering + "core" Envoy functionality. Those integration tests will likely end up in the + [extensions/](test/extensions/) directory but further work and thinking is required before + we get to that point. +* [mocks/](test/mocks/) contains mock implementations of all of the core Envoy interfaces found in + [include/](include/). +* Other directories include tooling used for configuration testing, coverage testing, fuzz testing, + common test code, etc. 
+ +## [source/extensions](source/extensions/) layout + +We maintain a very specific code and namespace layout for extensions. This aids in discovering +code/extensions, and also will allow us in the future to more easily scale out our extension +maintainers by having OWNERS files specific to certain extensions. (As of this writing, this is not +currently implemented but that is the plan moving forward.) + +* All extensions are registered in [all_extensions.bzl](source/extensions/all_extensions.bzl). In + the future this mechanism will easily allow us to compile out extensions based on build system + configuration. This is not currently implemented but is the plan moving forward. +* These are the top level extension directories and associated namespaces: + * [access_loggers/](/source/extensions/access_loggers): Access log implementations which use + the `Envoy::Extensions::AccessLoggers` namespace. + * [http_tracers/](/source/extensions/http_tracers): HTTP tracers which use the + `Envoy::Extensions::HttpTracers` namespace. + * [filters/http/](/source/extensions/filters/http): HTTP L7 filters which use the + `Envoy::Extensions::HttpFilters` namespace. + * [filters/listener/](/source/extensions/filters/listener): Listener filters which use the + `Envoy::Extensions::ListenerFilters` namespace. + * [filters/network/](/source/extensions/filters/network): L4 network filters which use the + `Envoy::Extensions::NetworkFilters` namespace. + * [resolvers/](/source/extensions/resolvers): Network address resolvers which use the + `Envoy::Extensions::Resolvers` namespace. + * [stat_sinks/](/source/extensions/stat_sinks): Stat sink implementations which use the + `Envoy::Extensions::StatSinks` namespace. + * [transport_sockets/](/source/extensions/transport_sockets): Transport socket implementations + which use the `Envoy::Extensions::TransportSockets` namespace. +* Each extension is contained wholly in its own namespace. E.g., + `Envoy::Extensions::NetworkFilters::Echo`. 
+* Common code that is used by multiple extensions should be in a `common/` directory as close to + the extensions as possible. E.g., [filters/common/](/source/extensions/filters/common) for common + code that is used by both HTTP and network filters. Common code used only by two HTTP filters + would be found in `filters/http/common/`. Common code should be placed in a common namespace. + E.g., `Envoy::Extensions::Filters::Common`. diff --git a/STYLE.md b/STYLE.md index c6e203f8f9fe..1ec465f983e7 100644 --- a/STYLE.md +++ b/STYLE.md @@ -9,6 +9,10 @@ The following section covers the major areas where we deviate from the Google guidelines. +# Repository file layout + +* Please see [REPO_LAYOUT.md](REPO_LAYOUT.md). + # Deviations from Google C++ style guidelines * Exceptions are allowed and encouraged where appropriate. When using exceptions, do not add diff --git a/include/envoy/ext_authz/BUILD b/include/envoy/ext_authz/BUILD deleted file mode 100644 index 34318465f0e2..000000000000 --- a/include/envoy/ext_authz/BUILD +++ /dev/null @@ -1,18 +0,0 @@ -licenses(["notice"]) # Apache 2 - -load( - "//bazel:envoy_build_system.bzl", - "envoy_cc_library", - "envoy_package", -) - -envoy_package() - -envoy_cc_library( - name = "ext_authz_interface", - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/tracing:http_tracer_interface", - "@envoy_api//envoy/service/auth/v2:external_auth_cc", - ], -) diff --git a/source/common/filter/BUILD b/source/common/filter/BUILD index 2f51715556df..75ff12a3e12d 100644 --- a/source/common/filter/BUILD +++ b/source/common/filter/BUILD 
@@ -22,21 +22,3 @@ envoy_cc_library( "@envoy_api//envoy/config/filter/network/rate_limit/v2:rate_limit_cc", ], ) - -envoy_cc_library( - name = "ext_authz_lib", - srcs = ["ext_authz.cc"], - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/ext_authz:ext_authz_interface", - "//include/envoy/network:connection_interface", - "//include/envoy/network:filter_interface", - "//include/envoy/runtime:runtime_interface", - "//include/envoy/stats:stats_macros", - "//include/envoy/upstream:cluster_manager_interface", - "//source/common/common:assert_lib", - "//source/common/ext_authz:ext_authz_lib", - "//source/common/tracing:http_tracer_lib", - "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", - ], -) diff --git a/source/common/http/filter/BUILD b/source/common/http/filter/BUILD index d8d7781c178a..69c784e867b2 100644 --- a/source/common/http/filter/BUILD +++ b/source/common/http/filter/BUILD 
@@ -151,37 +151,3 @@ envoy_cc_library( "@envoy_api//envoy/config/filter/http/rate_limit/v2:rate_limit_cc", ], ) - -envoy_cc_library( - name = "ext_authz_lib", - srcs = ["ext_authz.cc"], - deps = [ - ":ext_authz_includes", - "//include/envoy/http:codes_interface", - "//source/common/common:assert_lib", - "//source/common/common:empty_string", - "//source/common/common:enum_to_int", - "//source/common/ext_authz:ext_authz_lib", - "//source/common/http:codes_lib", - "//source/common/router:config_lib", - ], -) - -envoy_cc_library( - name = "ext_authz_includes", - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/access_log:access_log_interface", - "//include/envoy/ext_authz:ext_authz_interface", - "//include/envoy/http:filter_interface", - "//include/envoy/local_info:local_info_interface", - "//include/envoy/runtime:runtime_interface", - "//include/envoy/upstream:cluster_manager_interface", - "//source/common/common:assert_lib", - "//source/common/http:header_map_lib", - "//source/common/json:config_schemas_lib", - "//source/common/json:json_loader_lib", - "//source/common/json:json_validator_lib", - "@envoy_api//envoy/config/filter/http/ext_authz/v2:ext_authz_cc", - ], -) diff --git a/source/exe/BUILD b/source/exe/BUILD index e1ca20454621..54cdcf33171a 100644 --- a/source/exe/BUILD +++ b/source/exe/BUILD @@ -41,7 +41,6 @@ envoy_cc_library( "//source/server/config/access_log:grpc_access_log_lib", "//source/server/config/http:buffer_lib", "//source/server/config/http:cors_lib", - "//source/server/config/http:ext_authz_lib", "//source/server/config/http:fault_lib", "//source/server/config/http:grpc_http1_bridge_lib", "//source/server/config/http:grpc_json_transcoder_lib", 
@@ -53,7 +52,6 @@ envoy_cc_library( "//source/server/config/http:router_lib", "//source/server/config/listener:original_dst_lib", "//source/server/config/listener:proxy_protocol_lib", - "//source/server/config/network:ext_authz_lib", "//source/server/config/network:http_connection_manager_lib", "//source/server/config/network:ratelimit_lib", "//source/server/config/network:raw_buffer_socket_lib", diff --git a/source/extensions/all_extensions.bzl b/source/extensions/all_extensions.bzl index 813a1b4d370d..ffe6ca1946ed 100644 --- a/source/extensions/all_extensions.bzl +++ b/source/extensions/all_extensions.bzl @@ -4,8 +4,10 @@ # selection options such as maturity. def envoy_all_extensions(repository = ""): return [ + repository + "//source/extensions/filters/http/ext_authz:config", repository + "//source/extensions/filters/network/client_ssl_auth:config", repository + "//source/extensions/filters/network/echo:config", + repository + "//source/extensions/filters/network/ext_authz:config", repository + "//source/extensions/filters/network/mongo_proxy:config", repository + "//source/extensions/filters/network/tcp_proxy:config", ] diff --git a/source/common/ext_authz/BUILD b/source/extensions/filters/common/ext_authz/BUILD similarity index 81% rename from source/common/ext_authz/BUILD rename to source/extensions/filters/common/ext_authz/BUILD index 92c148e17a90..a722d043f95e 100644 --- a/source/common/ext_authz/BUILD +++ b/source/extensions/filters/common/ext_authz/BUILD 
@@ -8,12 +8,21 @@ load( envoy_package() +envoy_cc_library( + name = "ext_authz_interface", + hdrs = ["ext_authz.h"], + deps = [ + "//include/envoy/tracing:http_tracer_interface", + "@envoy_api//envoy/service/auth/v2:external_auth_cc", + ], +) + envoy_cc_library( name = "ext_authz_lib", srcs = ["ext_authz_impl.cc"], hdrs = ["ext_authz_impl.h"], deps = [ - "//include/envoy/ext_authz:ext_authz_interface", + ":ext_authz_interface", "//include/envoy/grpc:async_client_interface", "//include/envoy/grpc:async_client_manager_interface", "//include/envoy/http:filter_interface", diff --git a/include/envoy/ext_authz/ext_authz.h b/source/extensions/filters/common/ext_authz/ext_authz.h similarity index 92% rename from include/envoy/ext_authz/ext_authz.h rename to source/extensions/filters/common/ext_authz/ext_authz.h index fd11a284ca85..f5b466d77a62 100644 --- a/include/envoy/ext_authz/ext_authz.h +++ b/source/extensions/filters/common/ext_authz/ext_authz.h @@ -10,6 +10,9 @@ #include "envoy/tracing/http_tracer.h" namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { /** @@ -64,4 +67,7 @@ class Client { typedef std::unique_ptr ClientPtr; } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/source/common/ext_authz/ext_authz_impl.cc b/source/extensions/filters/common/ext_authz/ext_authz_impl.cc similarity index 97% rename from source/common/ext_authz/ext_authz_impl.cc rename to source/extensions/filters/common/ext_authz/ext_authz_impl.cc index ff040a457ead..cba61481ac8e 100644 --- a/source/common/ext_authz/ext_authz_impl.cc +++ b/source/extensions/filters/common/ext_authz/ext_authz_impl.cc @@ -1,4 +1,4 @@ -#include "common/ext_authz/ext_authz_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" #include #include 
@@ -15,9 +15,10 @@ #include "common/network/utility.h" #include "common/protobuf/protobuf.h" -#include "fmt/format.h" - namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { GrpcClientImpl::GrpcClientImpl(Grpc::AsyncClientPtr&& async_client, @@ -191,4 +192,7 @@ void CheckRequestUtils::createTcpCheck(const Network::ReadFilterCallbacks* callb } } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/source/common/ext_authz/ext_authz_impl.h b/source/extensions/filters/common/ext_authz/ext_authz_impl.h similarity index 95% rename from source/common/ext_authz/ext_authz_impl.h rename to source/extensions/filters/common/ext_authz/ext_authz_impl.h index 2474369f8a25..e9d46b2cab04 100644 --- a/source/common/ext_authz/ext_authz_impl.h +++ b/source/extensions/filters/common/ext_authz/ext_authz_impl.h @@ -5,7 +5,6 @@ #include #include -#include "envoy/ext_authz/ext_authz.h" #include "envoy/grpc/async_client.h" #include "envoy/grpc/async_client_manager.h" #include "envoy/http/filter.h" @@ -19,7 +18,12 @@ #include "common/singleton/const_singleton.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" + namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { typedef Grpc::TypedAsyncRequestCallbacks @@ -109,4 +113,7 @@ class CheckRequestUtils { }; } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/source/extensions/filters/http/ext_authz/BUILD b/source/extensions/filters/http/ext_authz/BUILD new file mode 100644 index 000000000000..351dced3c19e --- /dev/null +++ b/source/extensions/filters/http/ext_authz/BUILD 
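Review bot: Dropping `#include "fmt/format.h"` at the top of the ext_authz_impl.cc hunk leaves any `fmt::format` call that remains in this file depending on a transitive include, and the hunk shows none of the function bodies, so I cannot tell from here whether fmt is still used. If it is, keep the include (include-what-you-use); if the removal was verified against the bodies, this is fine and a one-line mention in the commit description would settle it. The same file's new `Filters::Common` namespace wrapping otherwise looks consistent with the header hunks that follow.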
@@ -0,0 +1,38 @@
+licenses(["notice"]) # Apache 2
+
+load(
+ "//bazel:envoy_build_system.bzl",
+ "envoy_cc_library",
+ "envoy_package",
+)
+
+envoy_package()
+
+envoy_cc_library(
+ name = "ext_authz",
+ srcs = ["ext_authz.cc"],
+ hdrs = ["ext_authz.h"],
+ deps = [
+ "//include/envoy/http:codes_interface",
+ "//source/common/common:assert_lib",
+ "//source/common/common:empty_string",
+ "//source/common/common:enum_to_int",
+ "//source/common/http:codes_lib",
+ "//source/common/router:config_lib",
+ "//source/extensions/filters/common/ext_authz:ext_authz_lib",
+ "@envoy_api//envoy/config/filter/http/ext_authz/v2:ext_authz_cc",
+ ],
+)
+
+envoy_cc_library(
+ name = "config",
+ srcs = ["config.cc"],
+ hdrs = ["config.h"],
+ deps = [
+ ":ext_authz",
+ "//include/envoy/registry",
+ "//include/envoy/server:filter_config_interface",
+ "//source/common/config:well_known_names",
+ "//source/common/protobuf:utility_lib",
+ ],
+)
diff --git a/source/server/config/http/ext_authz.cc b/source/extensions/filters/http/ext_authz/config.cc
similarity index 52%
rename from source/server/config/http/ext_authz.cc
rename to source/extensions/filters/http/ext_authz/config.cc
index ea859b0c17b0..b9793bc79481 100644
--- a/source/server/config/http/ext_authz.cc
+++ b/source/extensions/filters/http/ext_authz/config.cc
@@ -1,4 +1,4 @@
-#include "server/config/http/ext_authz.h"
+#include "extensions/filters/http/ext_authz/config.h"
 #include
 #include
@@ -6,20 +6,22 @@ #include "envoy/config/filter/http/ext_authz/v2/ext_authz.pb.validate.h" #include "envoy/registry/registry.h" -#include "common/ext_authz/ext_authz_impl.h" -#include "common/http/filter/ext_authz.h" #include "common/protobuf/utility.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" +#include "extensions/filters/http/ext_authz/ext_authz.h" + namespace Envoy { -namespace Server { -namespace Configuration { +namespace Extensions { +namespace HttpFilters { +namespace ExtAuthz { -HttpFilterFactoryCb ExtAuthzFilterConfig::createFilter( +Server::Configuration::HttpFilterFactoryCb ExtAuthzFilterConfig::createFilter( const envoy::config::filter::http::ext_authz::v2::ExtAuthz& proto_config, const std::string&, - FactoryContext& context) { - auto filter_config = std::make_shared( - proto_config, context.localInfo(), context.scope(), context.runtime(), - context.clusterManager()); + Server::Configuration::FactoryContext& context) { + auto filter_config = + std::make_shared(proto_config, context.localInfo(), context.scope(), + context.runtime(), context.clusterManager()); const uint32_t timeout_ms = PROTOBUF_GET_MS_OR_DEFAULT(proto_config.grpc_service(), timeout, 200); return [ grpc_service = proto_config.grpc_service(), &context, filter_config, 
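Review bot: The callback returned by `createFilter` captures `context` by reference (`&context` in the capture list at the end of this hunk) and dereferences it on every filter instantiation in the next hunk, so the callback is only valid while the `FactoryContext` it was built from is alive. That is pre-existing and presumably guaranteed by the server, but the moved file is the right place to pin the assumption: `// NOTE: context is captured by reference; this callback must not outlive the FactoryContext.` The bare `200` handed to `PROTOBUF_GET_MS_OR_DEFAULT` also deserves a word, e.g. `// Default check timeout (ms) when grpc_service.timeout is unset.`, assuming the macro does what its name says. createFilter's lambda body continues in the following hunk.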
@@ -27,22 +29,23 @@ HttpFilterFactoryCb ExtAuthzFilterConfig::createFilter( auto async_client_factory = context.clusterManager().grpcAsyncClientManager().factoryForGrpcService(grpc_service, context.scope()); - auto client = std::make_unique( + auto client = std::make_unique( async_client_factory->create(), std::chrono::milliseconds(timeout_ms)); callbacks.addStreamDecoderFilter(Http::StreamDecoderFilterSharedPtr{ - std::make_shared(filter_config, std::move(client))}); + std::make_shared(filter_config, std::move(client))}); }; } -HttpFilterFactoryCb ExtAuthzFilterConfig::createFilterFactory(const Json::Object&, - const std::string&, FactoryContext&) { +Server::Configuration::HttpFilterFactoryCb +ExtAuthzFilterConfig::createFilterFactory(const Json::Object&, const std::string&, + Server::Configuration::FactoryContext&) { NOT_IMPLEMENTED; } -HttpFilterFactoryCb +Server::Configuration::HttpFilterFactoryCb ExtAuthzFilterConfig::createFilterFactoryFromProto(const Protobuf::Message& proto_config, const std::string& stats_prefix, - FactoryContext& context) { + Server::Configuration::FactoryContext& context) { return createFilter( MessageUtil::downcastAndValidate( proto_config), @@ -52,8 +55,11 @@ ExtAuthzFilterConfig::createFilterFactoryFromProto(const Protobuf::Message& prot /** * Static registration for the external authorization filter. @see RegisterFactory. */ -static Registry::RegisterFactory register_; +static Registry::RegisterFactory + register_; -} // namespace Configuration -} // namespace Server +} // namespace ExtAuthz +} // namespace HttpFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/extensions/filters/http/ext_authz/config.h b/source/extensions/filters/http/ext_authz/config.h new file mode 100644 index 000000000000..50eda21be1a7 --- /dev/null +++ b/source/extensions/filters/http/ext_authz/config.h 
@@ -0,0 +1,44 @@
+#pragma once
+
+#include
+
+#include "envoy/config/filter/http/ext_authz/v2/ext_authz.pb.h"
+#include "envoy/server/filter_config.h"
+
+#include "common/config/well_known_names.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace HttpFilters {
+namespace ExtAuthz {
+
+/**
+ * Config registration for the external authorization filter. @see NamedHttpFilterConfigFactory.
+ */
+class ExtAuthzFilterConfig : public Server::Configuration::NamedHttpFilterConfigFactory {
+public:
+ Server::Configuration::HttpFilterFactoryCb
+ createFilterFactory(const Json::Object& json_config, const std::string&,
+ Server::Configuration::FactoryContext& context) override;
+
+ Server::Configuration::HttpFilterFactoryCb
+ createFilterFactoryFromProto(const Protobuf::Message& proto_config,
+ const std::string& stats_prefix,
+ Server::Configuration::FactoryContext& context) override;
+
+ ProtobufTypes::MessagePtr createEmptyConfigProto() override {
+ return ProtobufTypes::MessagePtr{new envoy::config::filter::http::ext_authz::v2::ExtAuthz()};
+ }
+
+ std::string name() override { return Config::HttpFilterNames::get().EXT_AUTHORIZATION; }
+
+private:
+ Server::Configuration::HttpFilterFactoryCb
+ createFilter(const envoy::config::filter::http::ext_authz::v2::ExtAuthz& proto_config,
+ const std::string& stats_prefix, Server::Configuration::FactoryContext& context);
+};
+
+} // namespace ExtAuthz
+} // namespace HttpFilters
+} // namespace Extensions
+} // namespace Envoy
diff --git a/source/common/http/filter/ext_authz.cc b/source/extensions/filters/http/ext_authz/ext_authz.cc
similarity index 61%
rename from source/common/http/filter/ext_authz.cc
rename to source/extensions/filters/http/ext_authz/ext_authz.cc
index a815cbbead1e..225a8573ef41 100644
--- a/source/common/http/filter/ext_authz.cc
+++ b/source/extensions/filters/http/ext_authz/ext_authz.cc
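Review bot: `createEmptyConfigProto` in this new header wraps a naked `new ...ExtAuthz()` in `ProtobufTypes::MessagePtr`; if `MessagePtr` is a `std::unique_ptr`, `return std::make_unique<envoy::config::filter::http::ext_authz::v2::ExtAuthz>();` expresses the same without raw `new`. `createFilterFactory` names its first parameter `json_config` here while its definition in config.cc is `NOT_IMPLEMENTED` and leaves the parameter unnamed; either drop the name or say why, e.g. `// JSON configuration is not supported for this filter; only the proto form is implemented.` The private `createFilter` has no comment even though it is the real factory; `// Builds the per-stream filter factory from a downcast-and-validated proto config.` matches how createFilterFactoryFromProto calls it.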
@@ -1,4 +1,4 @@ -#include "common/http/filter/ext_authz.h" +#include "extensions/filters/http/ext_authz/ext_authz.h" #include #include @@ -7,27 +7,29 @@ #include "common/common/assert.h" #include "common/common/enum_to_int.h" -#include "common/ext_authz/ext_authz_impl.h" #include "common/http/codes.h" #include "common/router/config_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" + #include "fmt/format.h" namespace Envoy { -namespace Http { +namespace Extensions { +namespace HttpFilters { namespace ExtAuthz { namespace { const Http::HeaderMap* getDeniedHeader() { static const Http::HeaderMap* header_map = new Http::HeaderMapImpl{ - {Http::Headers::get().Status, std::to_string(enumToInt(Code::Forbidden))}}; + {Http::Headers::get().Status, std::to_string(enumToInt(Http::Code::Forbidden))}}; return header_map; } } // namespace -void Filter::initiateCall(const HeaderMap& headers) { +void Filter::initiateCall(const Http::HeaderMap& headers) { Router::RouteConstSharedPtr route = callbacks_->route(); if (route == nullptr || route->routeEntry() == nullptr) { return; @@ -40,7 +42,8 @@ void Filter::initiateCall(const HeaderMap& headers) { } cluster_ = cluster->info(); - Envoy::ExtAuthz::CheckRequestUtils::createHttpCheck(callbacks_, headers, check_request_); + Filters::Common::ExtAuthz::CheckRequestUtils::createHttpCheck(callbacks_, headers, + check_request_); state_ = State::Calling; initiating_call_ = true; 
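Review bot: `getDeniedHeader()` in the second hunk keeps a function-local `static const Http::HeaderMap*` that is `new`ed and never freed; that reads as a deliberate never-destroyed singleton, but nothing says so, and a line such as `// Intentionally never freed: avoids static-destruction-order issues at shutdown.` would stop the next reader from "fixing" it. The same raw-`new` shape recurs in the `onComplete` hunk further down (`Http::HeaderMapPtr response_headers{new Http::HeaderMapImpl(*getDeniedHeader())};`), where it is a real owning pointer; if `HeaderMapPtr` is a `std::unique_ptr`, `auto response_headers = std::make_unique<Http::HeaderMapImpl>(*getDeniedHeader());` is the idiomatic form. Both are pre-existing and unrelated to the namespace move, so fine to defer, but the moved file is a convenient place to tidy them.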
@@ -48,23 +51,23 @@ void Filter::initiateCall(const HeaderMap& headers) { initiating_call_ = false; } -FilterHeadersStatus Filter::decodeHeaders(HeaderMap& headers, bool) { +Http::FilterHeadersStatus Filter::decodeHeaders(Http::HeaderMap& headers, bool) { initiateCall(headers); - return state_ == State::Calling ? FilterHeadersStatus::StopIteration - : FilterHeadersStatus::Continue; + return state_ == State::Calling ? Http::FilterHeadersStatus::StopIteration + : Http::FilterHeadersStatus::Continue; } -FilterDataStatus Filter::decodeData(Buffer::Instance&, bool) { - return state_ == State::Calling ? FilterDataStatus::StopIterationAndWatermark - : FilterDataStatus::Continue; +Http::FilterDataStatus Filter::decodeData(Buffer::Instance&, bool) { + return state_ == State::Calling ? Http::FilterDataStatus::StopIterationAndWatermark + : Http::FilterDataStatus::Continue; } -FilterTrailersStatus Filter::decodeTrailers(HeaderMap&) { - return state_ == State::Calling ? FilterTrailersStatus::StopIteration - : FilterTrailersStatus::Continue; +Http::FilterTrailersStatus Filter::decodeTrailers(Http::HeaderMap&) { + return state_ == State::Calling ? Http::FilterTrailersStatus::StopIteration + : Http::FilterTrailersStatus::Continue; } -void Filter::setDecoderFilterCallbacks(StreamDecoderFilterCallbacks& callbacks) { +void Filter::setDecoderFilterCallbacks(Http::StreamDecoderFilterCallbacks& callbacks) { callbacks_ = &callbacks; } @@ -75,12 +78,12 @@ void Filter::onDestroy() { } } -void Filter::onComplete(Envoy::ExtAuthz::CheckStatus status) { +void Filter::onComplete(Filters::Common::ExtAuthz::CheckStatus status) { ASSERT(cluster_); state_ = State::Complete; - using Envoy::ExtAuthz::CheckStatus; + using Filters::Common::ExtAuthz::CheckStatus; switch (status) { case CheckStatus::OK: 
@@ -94,7 +97,7 @@ void Filter::onComplete(Envoy::ExtAuthz::CheckStatus status) { Http::CodeUtility::ResponseStatInfo info{config_->scope(), cluster_->statsScope(), EMPTY_STRING, - enumToInt(Code::Forbidden), + enumToInt(Http::Code::Forbidden), true, EMPTY_STRING, EMPTY_STRING, @@ -109,10 +112,10 @@ void Filter::onComplete(Envoy::ExtAuthz::CheckStatus status) { // if there is an error contacting the service. if (status == CheckStatus::Denied || (status == CheckStatus::Error && !config_->failureModeAllow())) { - Http::HeaderMapPtr response_headers{new HeaderMapImpl(*getDeniedHeader())}; + Http::HeaderMapPtr response_headers{new Http::HeaderMapImpl(*getDeniedHeader())}; callbacks_->encodeHeaders(std::move(response_headers), true); callbacks_->requestInfo().setResponseFlag( - Envoy::RequestInfo::ResponseFlag::UnauthorizedExternalService); + RequestInfo::ResponseFlag::UnauthorizedExternalService); } else { // We can get completion inline, so only call continue if that isn't happening. if (!initiating_call_) { @@ -122,5 +125,6 @@ void Filter::onComplete(Envoy::ExtAuthz::CheckStatus status) { } } // namespace ExtAuthz -} // namespace Http +} // namespace HttpFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/common/http/filter/ext_authz.h b/source/extensions/filters/http/ext_authz/ext_authz.h similarity index 69% rename from source/common/http/filter/ext_authz.h rename to source/extensions/filters/http/ext_authz/ext_authz.h index d2d0f733dfd3..ea95c972b142 100644 --- a/source/common/http/filter/ext_authz.h +++ b/source/extensions/filters/http/ext_authz/ext_authz.h 
@@ -6,18 +6,20 @@ #include #include "envoy/config/filter/http/ext_authz/v2/ext_authz.pb.h" -#include "envoy/ext_authz/ext_authz.h" #include "envoy/http/filter.h" #include "envoy/local_info/local_info.h" #include "envoy/runtime/runtime.h" #include "envoy/upstream/cluster_manager.h" #include "common/common/assert.h" -#include "common/ext_authz/ext_authz_impl.h" #include "common/http/header_map_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" + namespace Envoy { -namespace Http { +namespace Extensions { +namespace HttpFilters { namespace ExtAuthz { /** 
@@ -59,30 +61,31 @@ typedef std::shared_ptr FilterConfigSharedPtr; * HTTP ext_authz filter. Depending on the route configuration, this filter calls the global * ext_authz service before allowing further filter iteration. */ -class Filter : public StreamDecoderFilter, public Envoy::ExtAuthz::RequestCallbacks { +class Filter : public Http::StreamDecoderFilter, + public Filters::Common::ExtAuthz::RequestCallbacks { public: - Filter(FilterConfigSharedPtr config, Envoy::ExtAuthz::ClientPtr&& client) + Filter(FilterConfigSharedPtr config, Filters::Common::ExtAuthz::ClientPtr&& client) : config_(config), client_(std::move(client)) {} // Http::StreamFilterBase void onDestroy() override; // Http::StreamDecoderFilter - FilterHeadersStatus decodeHeaders(HeaderMap& headers, bool end_stream) override; - FilterDataStatus decodeData(Buffer::Instance& data, bool end_stream) override; - FilterTrailersStatus decodeTrailers(HeaderMap& trailers) override; - void setDecoderFilterCallbacks(StreamDecoderFilterCallbacks& callbacks) override; + Http::FilterHeadersStatus decodeHeaders(Http::HeaderMap& headers, bool end_stream) override; + Http::FilterDataStatus decodeData(Buffer::Instance& data, bool end_stream) override; + Http::FilterTrailersStatus decodeTrailers(Http::HeaderMap& trailers) override; + void setDecoderFilterCallbacks(Http::StreamDecoderFilterCallbacks& callbacks) override; // ExtAuthz::RequestCallbacks - void onComplete(Envoy::ExtAuthz::CheckStatus status) override; + void onComplete(Filters::Common::ExtAuthz::CheckStatus status) override; private: enum class State { NotStarted, Calling, Complete }; - void initiateCall(const HeaderMap& headers); + void initiateCall(const Http::HeaderMap& headers); FilterConfigSharedPtr config_; - Envoy::ExtAuthz::ClientPtr client_; - StreamDecoderFilterCallbacks* callbacks_{}; + Filters::Common::ExtAuthz::ClientPtr client_; + Http::StreamDecoderFilterCallbacks* callbacks_{}; State state_{State::NotStarted}; 
Upstream::ClusterInfoConstSharedPtr cluster_; bool initiating_call_{}; @@ -90,5 +93,6 @@ class Filter : public StreamDecoderFilter, public Envoy::ExtAuthz::RequestCallba }; } // namespace ExtAuthz -} // namespace Http +} // namespace HttpFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/extensions/filters/network/ext_authz/BUILD b/source/extensions/filters/network/ext_authz/BUILD new file mode 100644 index 000000000000..058e9d6cde0b --- /dev/null +++ b/source/extensions/filters/network/ext_authz/BUILD @@ -0,0 +1,41 @@ +licenses(["notice"]) # Apache 2 + +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_library", + "envoy_package", +) + +envoy_package() + +envoy_cc_library( + name = "ext_authz", + srcs = ["ext_authz.cc"], + hdrs = ["ext_authz.h"], + deps = [ + "//include/envoy/network:connection_interface", + "//include/envoy/network:filter_interface", + "//include/envoy/runtime:runtime_interface", + "//include/envoy/stats:stats_macros", + "//include/envoy/upstream:cluster_manager_interface", + "//source/common/common:assert_lib", + "//source/common/tracing:http_tracer_lib", + "//source/extensions/filters/common/ext_authz:ext_authz_interface", + "//source/extensions/filters/common/ext_authz:ext_authz_lib", + "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", + ], +) + +envoy_cc_library( + name = "config", + srcs = ["config.cc"], + hdrs = ["config.h"], + deps = [ + "//include/envoy/registry", + "//include/envoy/server:filter_config_interface", + "//source/common/config:well_known_names", + "//source/common/protobuf:utility_lib", + "//source/extensions/filters/network/ext_authz", + "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", + ], +) 
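Review bot: The rewritten constructor takes `FilterConfigSharedPtr config` by value and then copies it again into the member, `: config_(config), client_(std::move(client)) {}`; `config_(std::move(config))` avoids the extra shared_ptr refcount round-trip and matches how `client` is already handled on the same line. The network-side `Filter` constructor added in source/extensions/filters/network/ext_authz/ext_authz.h has the same shape (`: config_(config), client_(std::move(client)) {}`) and the same change applies there. The class body of `Filter` spans this hunk and the next one.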
diff --git a/source/server/config/network/ext_authz.cc b/source/extensions/filters/network/ext_authz/config.cc similarity index 51% rename from source/server/config/network/ext_authz.cc rename to source/extensions/filters/network/ext_authz/config.cc index 8b2786c7e26a..c54dc05a02dc 100644 --- a/source/server/config/network/ext_authz.cc +++ b/source/extensions/filters/network/ext_authz/config.cc @@ -1,26 +1,27 @@ -#include "server/config/network/ext_authz.h" +#include "extensions/filters/network/ext_authz/config.h" #include #include #include "envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.h" -#include "envoy/ext_authz/ext_authz.h" #include "envoy/network/connection.h" #include "envoy/registry/registry.h" -#include "common/ext_authz/ext_authz_impl.h" -#include "common/filter/ext_authz.h" #include "common/protobuf/utility.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" +#include "extensions/filters/network/ext_authz/ext_authz.h" + namespace Envoy { -namespace Server { -namespace Configuration { +namespace Extensions { +namespace NetworkFilters { +namespace ExtAuthz { -NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilter( +Server::Configuration::NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilter( const envoy::config::filter::network::ext_authz::v2::ExtAuthz& proto_config, - FactoryContext& context) { - ExtAuthz::TcpFilter::ConfigSharedPtr ext_authz_config( - new ExtAuthz::TcpFilter::Config(proto_config, context.scope())); + Server::Configuration::FactoryContext& context) { + ConfigSharedPtr ext_authz_config(new Config(proto_config, context.scope())); const uint32_t timeout_ms = PROTOBUF_GET_MS_OR_DEFAULT(proto_config.grpc_service(), timeout, 200); return [ grpc_service = proto_config.grpc_service(), &context, ext_authz_config, 
@@ -31,21 +32,21 @@ NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilter( context.clusterManager().grpcAsyncClientManager().factoryForGrpcService(grpc_service, context.scope()); - auto client = std::make_unique( + auto client = std::make_unique( async_client_factory->create(), std::chrono::milliseconds(timeout_ms)); filter_manager.addReadFilter(Network::ReadFilterSharedPtr{ - std::make_shared(ext_authz_config, std::move(client))}); + std::make_shared(ext_authz_config, std::move(client))}); }; } -NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilterFactory(const Json::Object&, - FactoryContext&) { +Server::Configuration::NetworkFilterFactoryCb +ExtAuthzConfigFactory::createFilterFactory(const Json::Object&, + Server::Configuration::FactoryContext&) { NOT_IMPLEMENTED; } -NetworkFilterFactoryCb -ExtAuthzConfigFactory::createFilterFactoryFromProto(const Protobuf::Message& proto_config, - FactoryContext& context) { +Server::Configuration::NetworkFilterFactoryCb ExtAuthzConfigFactory::createFilterFactoryFromProto( + const Protobuf::Message& proto_config, Server::Configuration::FactoryContext& context) { return createFilter( MessageUtil::downcastAndValidate< const envoy::config::filter::network::ext_authz::v2::ExtAuthz&>(proto_config), @@ -55,9 +56,11 @@ ExtAuthzConfigFactory::createFilterFactoryFromProto(const Protobuf::Message& pro /** * Static registration for the external authorization filter. @see RegisterFactory. */ -static Registry::RegisterFactory +static Registry::RegisterFactory registered_; -} // namespace Configuration -} // namespace Server +} // namespace ExtAuthz +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/server/config/network/ext_authz.h b/source/extensions/filters/network/ext_authz/config.h similarity index 52% rename from source/server/config/network/ext_authz.h rename to source/extensions/filters/network/ext_authz/config.h index 42c981ef94e4..ef8d23c1d35c 100644 
--- a/source/server/config/network/ext_authz.h +++ b/source/extensions/filters/network/ext_authz/config.h @@ -8,20 +8,23 @@ #include "common/config/well_known_names.h" namespace Envoy { -namespace Server { -namespace Configuration { +namespace Extensions { +namespace NetworkFilters { +namespace ExtAuthz { /** * Config registration for the external authorization filter. @see NamedNetworkFilterConfigFactory. */ -class ExtAuthzConfigFactory : public NamedNetworkFilterConfigFactory { +class ExtAuthzConfigFactory : public Server::Configuration::NamedNetworkFilterConfigFactory { public: // NamedNetworkFilterConfigFactory - NetworkFilterFactoryCb createFilterFactory(const Json::Object& json_config, - FactoryContext& context) override; + Server::Configuration::NetworkFilterFactoryCb + createFilterFactory(const Json::Object& json_config, + Server::Configuration::FactoryContext& context) override; - NetworkFilterFactoryCb createFilterFactoryFromProto(const Protobuf::Message& proto_config, - FactoryContext& context) override; + Server::Configuration::NetworkFilterFactoryCb + createFilterFactoryFromProto(const Protobuf::Message& proto_config, + Server::Configuration::FactoryContext& context) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override { return ProtobufTypes::MessagePtr{new envoy::config::filter::network::ext_authz::v2::ExtAuthz()}; @@ -30,11 +33,12 @@ class ExtAuthzConfigFactory : public NamedNetworkFilterConfigFactory { std::string name() override { return Config::NetworkFilterNames::get().EXT_AUTHORIZATION; } private: - NetworkFilterFactoryCb + Server::Configuration::NetworkFilterFactoryCb createFilter(const envoy::config::filter::network::ext_authz::v2::ExtAuthz& proto_config, - FactoryContext& context); + Server::Configuration::FactoryContext& context); }; -} // namespace Configuration -} // namespace Server +} // namespace ExtAuthz +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy 
diff --git a/source/common/filter/ext_authz.cc b/source/extensions/filters/network/ext_authz/ext_authz.cc similarity index 70% rename from source/common/filter/ext_authz.cc rename to source/extensions/filters/network/ext_authz/ext_authz.cc index abefbdb681f4..174c3ddce710 100644 --- a/source/common/filter/ext_authz.cc +++ b/source/extensions/filters/network/ext_authz/ext_authz.cc @@ -1,4 +1,4 @@ -#include "common/filter/ext_authz.h" +#include "extensions/filters/network/ext_authz/ext_authz.h" #include #include @@ -6,11 +6,10 @@ #include "common/common/assert.h" #include "common/tracing/http_tracer_impl.h" -#include "fmt/format.h" - namespace Envoy { +namespace Extensions { +namespace NetworkFilters { namespace ExtAuthz { -namespace TcpFilter { InstanceStats Config::generateStats(const std::string& name, Stats::Scope& scope) { const std::string final_prefix = fmt::format("ext_authz.{}.", name); @@ -18,8 +17,8 @@ InstanceStats Config::generateStats(const std::string& name, Stats::Scope& scope POOL_GAUGE_PREFIX(scope, final_prefix))}; } -void Instance::callCheck() { - CheckRequestUtils::createTcpCheck(filter_callbacks_, check_request_); +void Filter::callCheck() { + Filters::Common::ExtAuthz::CheckRequestUtils::createTcpCheck(filter_callbacks_, check_request_); status_ = Status::Calling; config_->stats().active_.inc(); @@ -30,7 +29,7 @@ void Instance::callCheck() { calling_check_ = false; } -Network::FilterStatus Instance::onData(Buffer::Instance&, bool /* end_stream */) { +Network::FilterStatus Filter::onData(Buffer::Instance&, bool /* end_stream */) { if (status_ == Status::NotStarted) { // By waiting to invoke the check at onData() the call to authorization service will have // sufficient information to fillout the checkRequest_. 
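Review bot: The hunk at `@@ -6,11 +6,10 @@` removes `#include "fmt/format.h"`, yet the context line two lines below, `const std::string final_prefix = fmt::format("ext_authz.{}.", name);`, still calls `fmt::format`, so the translation unit now depends on that header arriving transitively through `common/common/assert.h` or the filter header. That is fragile under include-what-you-use and will fail to compile silently the day the transitive include changes; keep `#include "fmt/format.h"` in this file (or whichever project wrapper for fmt is the convention). `Config::generateStats` continues past the end of that hunk.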
@@ -40,12 +39,12 @@ Network::FilterStatus Instance::onData(Buffer::Instance&, bool /* end_stream */) : Network::FilterStatus::Continue; } -Network::FilterStatus Instance::onNewConnection() { +Network::FilterStatus Filter::onNewConnection() { // Wait till onData() happens. return Network::FilterStatus::Continue; } -void Instance::onEvent(Network::ConnectionEvent event) { +void Filter::onEvent(Network::ConnectionEvent event) { if (event == Network::ConnectionEvent::RemoteClose || event == Network::ConnectionEvent::LocalClose) { if (status_ == Status::Calling) { @@ -57,25 +56,25 @@ void Instance::onEvent(Network::ConnectionEvent event) { } } -void Instance::onComplete(CheckStatus status) { +void Filter::onComplete(Filters::Common::ExtAuthz::CheckStatus status) { status_ = Status::Complete; config_->stats().active_.dec(); switch (status) { - case CheckStatus::OK: + case Filters::Common::ExtAuthz::CheckStatus::OK: config_->stats().ok_.inc(); break; - case CheckStatus::Error: + case Filters::Common::ExtAuthz::CheckStatus::Error: config_->stats().error_.inc(); break; - case CheckStatus::Denied: + case Filters::Common::ExtAuthz::CheckStatus::Denied: config_->stats().denied_.inc(); break; } // Fail open only if configured to do so and if the check status was a error. - if (status == CheckStatus::Denied || - (status == CheckStatus::Error && !config_->failureModeAllow())) { + if (status == Filters::Common::ExtAuthz::CheckStatus::Denied || + (status == Filters::Common::ExtAuthz::CheckStatus::Error && !config_->failureModeAllow())) { config_->stats().cx_closed_.inc(); filter_callbacks_->connection().close(Network::ConnectionCloseType::NoFlush); } else { @@ -86,6 +85,7 @@ void Instance::onComplete(CheckStatus status) { } } -} // namespace TcpFilter } // namespace ExtAuthz +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy 
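Review bot: `Filter::onComplete` on the new side spells `Filters::Common::ExtAuthz::CheckStatus` five times across the `switch` and the fail-open condition, which makes the authorization decision harder to read than the `CheckStatus::Denied` it replaces. Because this is a .cc file, a single `using Filters::Common::ExtAuthz::CheckStatus;` placed inside `namespace ExtAuthz` near the top of the file restores the short spelling without leaking the name into any header, and the `if (status == CheckStatus::Denied || (status == CheckStatus::Error && !config_->failureModeAllow()))` line then fits the fail-open comment above it on one line again. `Filter::onComplete` begins inside the `@@ -57,25 +56,25 @@` hunk and ends in the following one.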
diff --git a/source/common/filter/ext_authz.h b/source/extensions/filters/network/ext_authz/ext_authz.h similarity index 83% rename from source/common/filter/ext_authz.h rename to source/extensions/filters/network/ext_authz/ext_authz.h index 3dfc39be2d97..468e571eaa81 100644 --- a/source/common/filter/ext_authz.h +++ b/source/extensions/filters/network/ext_authz/ext_authz.h @@ -6,18 +6,19 @@ #include #include "envoy/config/filter/network/ext_authz/v2/ext_authz.pb.h" -#include "envoy/ext_authz/ext_authz.h" #include "envoy/network/connection.h" #include "envoy/network/filter.h" #include "envoy/runtime/runtime.h" #include "envoy/stats/stats_macros.h" #include "envoy/upstream/cluster_manager.h" -#include "common/ext_authz/ext_authz_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" namespace Envoy { +namespace Extensions { +namespace NetworkFilters { namespace ExtAuthz { -namespace TcpFilter { /** * All tcp external authorization stats. @see stats_macros.h @@ -66,13 +67,13 @@ typedef std::shared_ptr ConfigSharedPtr; * connection will be closed without any further filters being called. Otherwise all buffered * data will be released to further filters. */ -class Instance : public Network::ReadFilter, - public Network::ConnectionCallbacks, - public RequestCallbacks { +class Filter : public Network::ReadFilter, + public Network::ConnectionCallbacks, + public Filters::Common::ExtAuthz::RequestCallbacks { public: - Instance(ConfigSharedPtr config, ClientPtr&& client) + Filter(ConfigSharedPtr config, Filters::Common::ExtAuthz::ClientPtr&& client) : config_(config), client_(std::move(client)) {} - ~Instance() {} + ~Filter() {} // Network::ReadFilter Network::FilterStatus onData(Buffer::Instance& data, bool end_stream) override; 
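Review bot: `~Filter() {}` on the new side is a user-provided empty destructor; the class derives from `Network::ReadFilter` and `Network::ConnectionCallbacks`, whose destructors are presumably virtual since the filter is held through `Network::ReadFilterSharedPtr`, so `~Filter() override = default;` (or simply omitting the declaration, as every member is an RAII type) states the intent and lets the compiler keep the implicitly generated special members. A user-provided destructor, even an empty one, suppresses implicit move operations, which is the kind of hidden copy a rename-only commit should not introduce. The `Filter` class body continues into the next hunk.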
@@ -88,20 +89,20 @@ class Instance : public Network::ReadFilter, void onBelowWriteBufferLowWatermark() override {} // ExtAuthz::RequestCallbacks - void onComplete(CheckStatus status) override; + void onComplete(Filters::Common::ExtAuthz::CheckStatus status) override; private: enum class Status { NotStarted, Calling, Complete }; void callCheck(); ConfigSharedPtr config_; - ClientPtr client_; + Filters::Common::ExtAuthz::ClientPtr client_; Network::ReadFilterCallbacks* filter_callbacks_{}; Status status_{Status::NotStarted}; bool calling_check_{}; envoy::service::auth::v2::CheckRequest check_request_{}; }; - -} // TcpFilter -} // namespace ExtAuthz +} +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy diff --git a/source/server/BUILD b/source/server/BUILD index ca9b1dcb5b35..ed97687642c5 100644 --- a/source/server/BUILD +++ b/source/server/BUILD @@ -36,7 +36,6 @@ envoy_cc_library( "//source/common/common:utility_lib", "//source/common/config:lds_json_lib", "//source/common/config:utility_lib", - "//source/common/ext_authz:ext_authz_lib", "//source/common/network:resolver_lib", "//source/common/network:utility_lib", "//source/common/protobuf:utility_lib", diff --git a/source/server/config/http/BUILD b/source/server/config/http/BUILD index 30a464a6b68a..eebdf67b228c 100644 --- a/source/server/config/http/BUILD +++ b/source/server/config/http/BUILD @@ -230,17 +230,3 @@ envoy_cc_library( "//source/server:configuration_lib", ], ) - -envoy_cc_library( - name = "ext_authz_lib", - srcs = ["ext_authz.cc"], - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/registry", - "//include/envoy/server:filter_config_interface", - "//source/common/config:well_known_names", - "//source/common/http/filter:ext_authz_lib", - "//source/common/protobuf:utility_lib", - "@envoy_api//envoy/config/filter/http/ext_authz/v2:ext_authz_cc", - ], -) 
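Review bot: The closing brace for `namespace ExtAuthz` lost its trailing comment in this hunk: the old `} // namespace ExtAuthz` becomes a bare `}` followed by `} // namespace NetworkFilters` and `} // namespace Extensions`, which is inconsistent with every other namespace closer in the commit, including the http ext_authz.h header. It should read `} // namespace ExtAuthz` so the four nested closers can be matched by eye.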
diff --git a/source/server/config/http/ext_authz.h b/source/server/config/http/ext_authz.h deleted file mode 100644 index 69ade25583e4..000000000000 --- a/source/server/config/http/ext_authz.h +++ /dev/null @@ -1,39 +0,0 @@ -#pragma once - -#include - -#include "envoy/config/filter/http/ext_authz/v2/ext_authz.pb.h" -#include "envoy/server/filter_config.h" - -#include "common/config/well_known_names.h" - -namespace Envoy { -namespace Server { -namespace Configuration { - -/** - * Config registration for the external authorization filter. @see NamedHttpFilterConfigFactory. - */ -class ExtAuthzFilterConfig : public NamedHttpFilterConfigFactory { -public: - HttpFilterFactoryCb createFilterFactory(const Json::Object& json_config, const std::string&, - FactoryContext& context) override; - HttpFilterFactoryCb createFilterFactoryFromProto(const Protobuf::Message& proto_config, - const std::string& stats_prefix, - FactoryContext& context) override; - - ProtobufTypes::MessagePtr createEmptyConfigProto() override { - return ProtobufTypes::MessagePtr{new envoy::config::filter::http::ext_authz::v2::ExtAuthz()}; - } - - std::string name() override { return Config::HttpFilterNames::get().EXT_AUTHORIZATION; } - -private: - HttpFilterFactoryCb - createFilter(const envoy::config::filter::http::ext_authz::v2::ExtAuthz& proto_config, - const std::string& stats_prefix, FactoryContext& context); -}; - -} // namespace Configuration -} // namespace Server -} // namespace Envoy diff --git a/source/server/config/network/BUILD b/source/server/config/network/BUILD index ce7d208ce7bc..b22de2a054e4 100644 --- a/source/server/config/network/BUILD +++ b/source/server/config/network/BUILD 
@@ -95,17 +95,3 @@ envoy_cc_library( "@envoy_api//envoy/api/v2/auth:cert_cc", ], ) - -envoy_cc_library( - name = "ext_authz_lib", - srcs = ["ext_authz.cc"], - hdrs = ["ext_authz.h"], - deps = [ - "//include/envoy/registry", - "//include/envoy/server:filter_config_interface", - "//source/common/config:well_known_names", - "//source/common/filter:ext_authz_lib", - "//source/common/protobuf:utility_lib", - "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", - ], -) diff --git a/test/common/filter/BUILD b/test/common/filter/BUILD index 4596e3bcb020..27f7002034a9 100644 --- a/test/common/filter/BUILD +++ b/test/common/filter/BUILD @@ -23,24 +23,3 @@ envoy_cc_test( "//test/mocks/tracing:tracing_mocks", ], ) - -envoy_cc_test( - name = "ext_authz_test", - srcs = ["ext_authz_test.cc"], - deps = [ - "//source/common/buffer:buffer_lib", - "//source/common/config:filter_json_lib", - "//source/common/event:dispatcher_lib", - "//source/common/filter:ext_authz_lib", - "//source/common/json:json_loader_lib", - "//source/common/network:address_lib", - "//source/common/protobuf:utility_lib", - "//source/common/stats:stats_lib", - "//test/mocks/ext_authz:ext_authz_mocks", - "//test/mocks/network:network_mocks", - "//test/mocks/runtime:runtime_mocks", - "//test/mocks/tracing:tracing_mocks", - "//test/mocks/upstream:upstream_mocks", - "@envoy_api//envoy/config/filter/network/ext_authz/v2:ext_authz_cc", - ], -) diff --git a/test/common/http/filter/BUILD b/test/common/http/filter/BUILD index 91d08c94a257..f0576720266e 100644 --- a/test/common/http/filter/BUILD +++ b/test/common/http/filter/BUILD 
@@ -119,28 +119,3 @@ envoy_cc_test( "//test/mocks/upstream:upstream_mocks", ], ) - -envoy_cc_test( - name = "ext_authz_test", - srcs = ["ext_authz_test.cc"], - deps = [ - "//source/common/buffer:buffer_lib", - "//source/common/common:empty_string", - "//source/common/config:filter_json_lib", - "//source/common/ext_authz:ext_authz_lib", - "//source/common/http:headers_lib", - "//source/common/http/filter:ext_authz_includes", - "//source/common/http/filter:ext_authz_lib", - "//source/common/json:json_loader_lib", - "//source/common/network:address_lib", - "//source/common/protobuf:utility_lib", - "//test/mocks/ext_authz:ext_authz_mocks", - "//test/mocks/http:http_mocks", - "//test/mocks/local_info:local_info_mocks", - "//test/mocks/network:network_mocks", - "//test/mocks/runtime:runtime_mocks", - "//test/mocks/tracing:tracing_mocks", - "//test/mocks/upstream:upstream_mocks", - "//test/test_common:utility_lib", - ], -) diff --git a/test/common/ext_authz/BUILD b/test/extensions/filters/common/ext_authz/BUILD similarity index 71% rename from test/common/ext_authz/BUILD rename to test/extensions/filters/common/ext_authz/BUILD index a0cfd0d21f2f..11da871031dd 100644 --- a/test/common/ext_authz/BUILD +++ b/test/extensions/filters/common/ext_authz/BUILD @@ -2,6 +2,7 @@ licenses(["notice"]) # Apache 2 load( "//bazel:envoy_build_system.bzl", + "envoy_cc_mock", "envoy_cc_test", "envoy_package", ) @@ -12,10 +13,10 @@ envoy_cc_test( name = "ext_authz_impl_test", srcs = ["ext_authz_impl_test.cc"], deps = [ - "//source/common/ext_authz:ext_authz_lib", "//source/common/http:header_map_lib", "//source/common/http:headers_lib", "//source/common/network:address_lib", + "//source/extensions/filters/common/ext_authz:ext_authz_lib", "//test/mocks/grpc:grpc_mocks", "//test/mocks/http:http_mocks", "//test/mocks/network:network_mocks", 
@@ -25,3 +26,12 @@ envoy_cc_test( "//test/test_common:utility_lib", ], ) + +envoy_cc_mock( + name = "ext_authz_mocks", + srcs = ["mocks.cc"], + hdrs = ["mocks.h"], + deps = [ + "//source/extensions/filters/common/ext_authz:ext_authz_interface", + ], +) diff --git a/test/common/ext_authz/ext_authz_impl_test.cc b/test/extensions/filters/common/ext_authz/ext_authz_impl_test.cc similarity index 97% rename from test/common/ext_authz/ext_authz_impl_test.cc rename to test/extensions/filters/common/ext_authz/ext_authz_impl_test.cc index e7290f40a184..f43ebfe9b2ce 100644 --- a/test/common/ext_authz/ext_authz_impl_test.cc +++ b/test/extensions/filters/common/ext_authz/ext_authz_impl_test.cc @@ -2,11 +2,12 @@ #include #include -#include "common/ext_authz/ext_authz_impl.h" #include "common/http/header_map_impl.h" #include "common/http/headers.h" #include "common/network/address_impl.h" +#include "extensions/filters/common/ext_authz/ext_authz_impl.h" + #include "test/mocks/grpc/mocks.h" #include "test/mocks/http/mocks.h" #include "test/mocks/network/mocks.h" @@ -29,6 +30,9 @@ using testing::WithArg; using testing::_; namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { class MockRequestCallbacks : public RequestCallbacks { @@ -183,4 +187,7 @@ TEST_F(CheckRequestUtilsTest, CheckAttrContextPeer) { } } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/test/mocks/ext_authz/mocks.cc b/test/extensions/filters/common/ext_authz/mocks.cc similarity index 55% rename from test/mocks/ext_authz/mocks.cc rename to test/extensions/filters/common/ext_authz/mocks.cc index 97a2cc6cb549..7416e537dcfe 100644 --- a/test/mocks/ext_authz/mocks.cc +++ b/test/extensions/filters/common/ext_authz/mocks.cc 
@@ -1,10 +1,16 @@ #include "mocks.h" namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { MockClient::MockClient() {} MockClient::~MockClient() {} } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/test/mocks/ext_authz/mocks.h b/test/extensions/filters/common/ext_authz/mocks.h similarity index 71% rename from test/mocks/ext_authz/mocks.h rename to test/extensions/filters/common/ext_authz/mocks.h index 057e9fc9263e..8db44e13eec8 100644 --- a/test/mocks/ext_authz/mocks.h +++ b/test/extensions/filters/common/ext_authz/mocks.h @@ -3,11 +3,14 @@ #include #include -#include "envoy/ext_authz/ext_authz.h" +#include "extensions/filters/common/ext_authz/ext_authz.h" #include "gmock/gmock.h" namespace Envoy { +namespace Extensions { +namespace Filters { +namespace Common { namespace ExtAuthz { class MockClient : public Client { @@ -23,4 +26,7 @@ class MockClient : public Client { }; } // namespace ExtAuthz +} // namespace Common +} // namespace Filters +} // namespace Extensions } // namespace Envoy diff --git a/test/extensions/filters/http/ext_authz/BUILD b/test/extensions/filters/http/ext_authz/BUILD new file mode 100644 index 000000000000..1f0b28182c26 --- /dev/null +++ b/test/extensions/filters/http/ext_authz/BUILD 
@@ -0,0 +1,34 @@ +licenses(["notice"]) # Apache 2 + +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) + +envoy_package() + +envoy_cc_test( + name = "ext_authz_test", + srcs = ["ext_authz_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/common:empty_string", + "//source/common/config:filter_json_lib", + "//source/common/http:headers_lib", + "//source/common/json:json_loader_lib", + "//source/common/network:address_lib", + "//source/common/protobuf:utility_lib", + "//source/extensions/filters/common/ext_authz:ext_authz_lib", + "//source/extensions/filters/http/ext_authz:config", + "//test/extensions/filters/common/ext_authz:ext_authz_mocks", + "//test/mocks/http:http_mocks", + "//test/mocks/local_info:local_info_mocks", + "//test/mocks/network:network_mocks", + "//test/mocks/runtime:runtime_mocks", + "//test/mocks/server:server_mocks", + "//test/mocks/tracing:tracing_mocks", + "//test/mocks/upstream:upstream_mocks", + "//test/test_common:utility_lib", + ], +) diff --git a/test/common/http/filter/ext_authz_test.cc b/test/extensions/filters/http/ext_authz/ext_authz_test.cc similarity index 65% rename from test/common/http/filter/ext_authz_test.cc rename to test/extensions/filters/http/ext_authz/ext_authz_test.cc index 40b5e452366a..d699ddc3fe64 100644 --- a/test/common/http/filter/ext_authz_test.cc +++ b/test/extensions/filters/http/ext_authz/ext_authz_test.cc 
@@ -6,17 +6,20 @@ #include "common/buffer/buffer_impl.h" #include "common/common/empty_string.h" -#include "common/http/filter/ext_authz.h" #include "common/http/headers.h" #include "common/json/json_loader.h" #include "common/network/address_impl.h" #include "common/protobuf/utility.h" -#include "test/mocks/ext_authz/mocks.h" +#include "extensions/filters/http/ext_authz/config.h" +#include "extensions/filters/http/ext_authz/ext_authz.h" + +#include "test/extensions/filters/common/ext_authz/mocks.h" #include "test/mocks/http/mocks.h" #include "test/mocks/local_info/mocks.h" #include "test/mocks/network/mocks.h" #include "test/mocks/runtime/mocks.h" +#include "test/mocks/server/mocks.h" #include "test/mocks/tracing/mocks.h" #include "test/mocks/upstream/mocks.h" #include "test/test_common/printers.h" @@ -36,7 +39,8 @@ using testing::WithArgs; using testing::_; namespace Envoy { -namespace Http { +namespace Extensions { +namespace HttpFilters { namespace ExtAuthz { class HttpExtAuthzFilterTestBase { @@ -44,11 +48,11 @@ class HttpExtAuthzFilterTestBase { HttpExtAuthzFilterTestBase() {} FilterConfigSharedPtr config_; - Envoy::ExtAuthz::MockClient* client_; + Filters::Common::ExtAuthz::MockClient* client_; std::unique_ptr filter_; - NiceMock filter_callbacks_; - Envoy::ExtAuthz::RequestCallbacks* request_callbacks_{}; - TestHeaderMapImpl request_headers_; + NiceMock filter_callbacks_; + Filters::Common::ExtAuthz::RequestCallbacks* request_callbacks_{}; + Http::TestHeaderMapImpl request_headers_; Buffer::OwnedImpl data_; Stats::IsolatedStoreImpl stats_store_; NiceMock runtime_; 
@@ -67,8 +71,8 @@ class HttpExtAuthzFilterTest : public testing::Test, public HttpExtAuthzFilterTe MessageUtil::loadFromYaml(yaml, proto_config); config_.reset(new FilterConfig(proto_config, local_info_, stats_store_, runtime_, cm_)); - client_ = new Envoy::ExtAuthz::MockClient(); - filter_.reset(new Filter(config_, Envoy::ExtAuthz::ClientPtr{client_})); + client_ = new Filters::Common::ExtAuthz::MockClient(); + filter_.reset(new Filter(config_, Filters::Common::ExtAuthz::ClientPtr{client_})); filter_->setDecoderFilterCallbacks(filter_callbacks_); addr_ = std::make_shared("1.2.3.4", 1111); } @@ -90,8 +94,8 @@ class HttpExtAuthzFilterParamTest : public TestWithParamsetDecoderFilterCallbacks(filter_callbacks_); addr_ = std::make_shared("1.2.3.4", 1111); } @@ -118,9 +122,9 @@ TEST_P(HttpExtAuthzFilterParamTest, NoRoute) { EXPECT_CALL(*filter_callbacks_.route_, routeEntry()).WillOnce(Return(nullptr)); - EXPECT_EQ(FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); - EXPECT_EQ(FilterDataStatus::Continue, filter_->decodeData(data_, false)); - EXPECT_EQ(FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(data_, false)); + EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); } // Test that the request continues when the authorization service cluster is not present. 
@@ -128,9 +132,9 @@ TEST_P(HttpExtAuthzFilterParamTest, NoCluster) { ON_CALL(cm_, get(_)).WillByDefault(Return(nullptr)); - EXPECT_EQ(FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); - EXPECT_EQ(FilterDataStatus::Continue, filter_->decodeData(data_, false)); - EXPECT_EQ(FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(data_, false)); + EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); } // Test that the request is stopped till there is an OK response back after which it continues on. 
@@ -141,19 +145,21 @@ TEST_P(HttpExtAuthzFilterParamTest, OkResponse) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, testing::A())) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); - EXPECT_EQ(FilterDataStatus::StopIterationAndWatermark, filter_->decodeData(data_, false)); - EXPECT_EQ(FilterTrailersStatus::StopIteration, filter_->decodeTrailers(request_headers_)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterDataStatus::StopIterationAndWatermark, filter_->decodeData(data_, false)); + EXPECT_EQ(Http::FilterTrailersStatus::StopIteration, filter_->decodeTrailers(request_headers_)); EXPECT_CALL(filter_callbacks_, continueDecoding()); EXPECT_CALL(filter_callbacks_.request_info_, setResponseFlag(Envoy::RequestInfo::ResponseFlag::UnauthorizedExternalService)) .Times(0); - request_callbacks_->onComplete(Envoy::ExtAuthz::CheckStatus::OK); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::OK); EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_.counter("ext_authz.ok").value()); 
@@ -168,14 +174,15 @@ TEST_P(HttpExtAuthzFilterParamTest, ImmediateOkResponse) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - callbacks.onComplete(Envoy::ExtAuthz::CheckStatus::OK); - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + callbacks.onComplete(Filters::Common::ExtAuthz::CheckStatus::OK); + }))); EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0); - EXPECT_EQ(FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); - EXPECT_EQ(FilterDataStatus::Continue, filter_->decodeData(data_, false)); - EXPECT_EQ(FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); + EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(data_, false)); + EXPECT_EQ(Http::FilterTrailersStatus::Continue, filter_->decodeTrailers(request_headers_)); EXPECT_EQ(1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_.counter("ext_authz.ok").value()); 
@@ -189,17 +196,19 @@ TEST_P(HttpExtAuthzFilterParamTest, DeniedResponse) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); Http::TestHeaderMapImpl response_headers{{":status", "403"}}; EXPECT_CALL(filter_callbacks_, encodeHeaders_(HeaderMapEqualRef(&response_headers), true)); EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0); EXPECT_CALL(filter_callbacks_.request_info_, setResponseFlag(Envoy::RequestInfo::ResponseFlag::UnauthorizedExternalService)); - request_callbacks_->onComplete(Envoy::ExtAuthz::CheckStatus::Denied); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Denied); EXPECT_EQ( 1U, 
@@ -221,11 +230,13 @@ TEST_P(HttpExtAuthzFilterParamTest, ResetDuringCall) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); EXPECT_CALL(*client_, cancel()); filter_->onDestroy(); @@ -263,13 +274,15 @@ TEST_F(HttpExtAuthzFilterTest, ErrorFailClose) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); EXPECT_CALL(filter_callbacks_, continueDecoding()).Times(0); - request_callbacks_->onComplete(Envoy::ExtAuthz::CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ( 1U, 
@@ -286,19 +299,48 @@ TEST_F(HttpExtAuthzFilterTest, ErrorOpen) { EXPECT_CALL(connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke([&](Envoy::ExtAuthz::RequestCallbacks& callbacks) -> void { - request_callbacks_ = &callbacks; - }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); - EXPECT_EQ(FilterHeadersStatus::StopIteration, filter_->decodeHeaders(request_headers_, false)); + EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, + filter_->decodeHeaders(request_headers_, false)); EXPECT_CALL(filter_callbacks_, continueDecoding()); - request_callbacks_->onComplete(Envoy::ExtAuthz::CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ( 1U, cm_.thread_local_cluster_.cluster_.info_->stats_store_.counter("ext_authz.error").value()); } +TEST(HttpExtAuthzConfigTest, ExtAuthzCorrectProto) { + std::string yaml = R"EOF( + grpc_service: + google_grpc: + target_uri: ext_authz_server + stat_prefix: google + failure_mode_allow: false +)EOF"; + + envoy::config::filter::http::ext_authz::v2::ExtAuthz proto_config{}; + MessageUtil::loadFromYaml(yaml, proto_config); + + NiceMock context; + ExtAuthzFilterConfig factory; + + EXPECT_CALL(context.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _)) + .WillOnce(Invoke([](const envoy::api::v2::core::GrpcService&, Stats::Scope&) { + return std::make_unique>(); + })); + Server::Configuration::HttpFilterFactoryCb cb = + factory.createFilterFactoryFromProto(proto_config, "stats", context); + Http::MockFilterChainFactoryCallbacks filter_callback; + EXPECT_CALL(filter_callback, addStreamDecoderFilter(_)); + cb(filter_callback); +} + } // namespace ExtAuthz -} // namespace Http +} // namespace HttpFilters +} // namespace Extensions } 
// namespace Envoy diff --git a/test/extensions/filters/network/ext_authz/BUILD b/test/extensions/filters/network/ext_authz/BUILD new file mode 100644 index 000000000000..18ec174af3e2 --- /dev/null +++ b/test/extensions/filters/network/ext_authz/BUILD @@ -0,0 +1,30 @@ +licenses(["notice"]) # Apache 2 + +load( + "//bazel:envoy_build_system.bzl", + "envoy_cc_test", + "envoy_package", +) + +envoy_package() + +envoy_cc_test( + name = "ext_authz_test", + srcs = ["ext_authz_test.cc"], + deps = [ + "//source/common/buffer:buffer_lib", + "//source/common/config:filter_json_lib", + "//source/common/event:dispatcher_lib", + "//source/common/json:json_loader_lib", + "//source/common/network:address_lib", + "//source/common/protobuf:utility_lib", + "//source/common/stats:stats_lib", + "//source/extensions/filters/network/ext_authz:config", + "//test/extensions/filters/common/ext_authz:ext_authz_mocks", + "//test/mocks/network:network_mocks", + "//test/mocks/runtime:runtime_mocks", + "//test/mocks/server:server_mocks", + "//test/mocks/tracing:tracing_mocks", + "//test/mocks/upstream:upstream_mocks", + ], +) diff --git a/test/common/filter/ext_authz_test.cc b/test/extensions/filters/network/ext_authz/ext_authz_test.cc similarity index 77% rename from test/common/filter/ext_authz_test.cc rename to test/extensions/filters/network/ext_authz/ext_authz_test.cc index d04b38dc3ae7..f56f0fa2163f 100644 --- a/test/common/filter/ext_authz_test.cc +++ b/test/extensions/filters/network/ext_authz/ext_authz_test.cc 
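Review bot: `HttpExtAuthzConfigTest.DoubleRegistrationTest`, which this commit deletes from test/server/config/http/config_test.cc, is not carried over into this file alongside `ExtAuthzCorrectProto`, so the HTTP ext_authz factory loses its check that registering `envoy.ext_authz` twice throws (the network-side hunks never had an equivalent, so only the HTTP file is affected). Re-adding it right after the new `ExtAuthzCorrectProto` test keeps factory-name uniqueness covered under the new `Extensions::HttpFilters::ExtAuthz` namespace, where `ExtAuthzFilterConfig` is already in scope. The template arguments of `Registry::RegisterFactory` are stripped in this view, so the sketch below writes them in the usual factory/category shape; confirm the category type against config.h before merging.
```cpp
// … unchanged: TEST(HttpExtAuthzConfigTest, ExtAuthzCorrectProto) …

TEST(HttpExtAuthzConfigTest, DoubleRegistrationTest) {
  EXPECT_THROW_WITH_MESSAGE(
      (Registry::RegisterFactory<ExtAuthzFilterConfig,
                                 Server::Configuration::NamedHttpFilterConfigFactory>()),
      EnvoyException, "Double registration for name: 'envoy.ext_authz'");
}
```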
@@ -5,15 +5,18 @@ #include "envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.h" #include "common/buffer/buffer_impl.h" -#include "common/filter/ext_authz.h" #include "common/json/json_loader.h" #include "common/network/address_impl.h" #include "common/protobuf/utility.h" #include "common/stats/stats_impl.h" -#include "test/mocks/ext_authz/mocks.h" +#include "extensions/filters/network/ext_authz/config.h" +#include "extensions/filters/network/ext_authz/ext_authz.h" + +#include "test/extensions/filters/common/ext_authz/mocks.h" #include "test/mocks/network/mocks.h" #include "test/mocks/runtime/mocks.h" +#include "test/mocks/server/mocks.h" #include "test/mocks/tracing/mocks.h" #include "test/mocks/upstream/mocks.h" #include "test/test_common/printers.h" @@ -30,8 +33,9 @@ using testing::WithArgs; using testing::_; namespace Envoy { +namespace Extensions { +namespace NetworkFilters { namespace ExtAuthz { -namespace TcpFilter { class ExtAuthzFilterTest : public testing::Test { public: @@ -49,8 +53,8 @@ class ExtAuthzFilterTest : public testing::Test { envoy::config::filter::network::ext_authz::v2::ExtAuthz proto_config{}; MessageUtil::loadFromJson(json, proto_config); config_.reset(new Config(proto_config, stats_store_)); - client_ = new MockClient(); - filter_.reset(new Instance(config_, ClientPtr{client_})); + client_ = new Filters::Common::ExtAuthz::MockClient(); + filter_.reset(new Filter(config_, Filters::Common::ExtAuthz::ClientPtr{client_})); filter_->initializeReadFilterCallbacks(filter_callbacks_); addr_ = std::make_shared("/test/test.sock"); 
@@ -67,11 +71,11 @@ class ExtAuthzFilterTest : public testing::Test { Stats::IsolatedStoreImpl stats_store_; ConfigSharedPtr config_; - MockClient* client_; - std::unique_ptr filter_; + Filters::Common::ExtAuthz::MockClient* client_; + std::unique_ptr filter_; NiceMock filter_callbacks_; Network::Address::InstanceConstSharedPtr addr_; - RequestCallbacks* request_callbacks_{}; + Filters::Common::ExtAuthz::RequestCallbacks* request_callbacks_{}; }; TEST_F(ExtAuthzFilterTest, BadExtAuthzConfig) { @@ -96,8 +100,10 @@ TEST_F(ExtAuthzFilterTest, OKWithOnData) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, testing::A())) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); // Confirm that the invocation of onNewConnection did NOT increment the active or total count! @@ -110,7 +116,7 @@ TEST_F(ExtAuthzFilterTest, OKWithOnData) { EXPECT_EQ(1U, stats_store_.gauge("ext_authz.name.active").value()); EXPECT_CALL(filter_callbacks_, continueReading()); - request_callbacks_->onComplete(CheckStatus::OK); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::OK); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data, false)); 
@@ -130,8 +136,10 @@ TEST_F(ExtAuthzFilterTest, DeniedWithOnData) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); // Confirm that the invocation of onNewConnection did NOT increment the active or total count! @@ -145,7 +153,7 @@ TEST_F(ExtAuthzFilterTest, DeniedWithOnData) { EXPECT_CALL(filter_callbacks_.connection_, close(Network::ConnectionCloseType::NoFlush)); EXPECT_CALL(*client_, cancel()).Times(0); - request_callbacks_->onComplete(CheckStatus::Denied); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Denied); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data, false)); @@ -162,8 +170,10 @@ TEST_F(ExtAuthzFilterTest, FailOpen) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); 
@@ -172,7 +182,7 @@ TEST_F(ExtAuthzFilterTest, FailOpen) { EXPECT_CALL(filter_callbacks_.connection_, close(_)).Times(0); EXPECT_CALL(*client_, cancel()).Times(0); EXPECT_CALL(filter_callbacks_, continueReading()); - request_callbacks_->onComplete(CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data, false)); @@ -191,8 +201,10 @@ TEST_F(ExtAuthzFilterTest, FailClose) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); @@ -200,7 +212,7 @@ TEST_F(ExtAuthzFilterTest, FailClose) { EXPECT_CALL(filter_callbacks_.connection_, close(_)).Times(1); EXPECT_CALL(filter_callbacks_, continueReading()).Times(0); - request_callbacks_->onComplete(CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ(1U, stats_store_.counter("ext_authz.name.total").value()); EXPECT_EQ(1U, stats_store_.counter("ext_authz.name.error").value()); 
@@ -217,15 +229,17 @@ TEST_F(ExtAuthzFilterTest, DoNotCallCancelonRemoteClose) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); EXPECT_EQ(Network::FilterStatus::StopIteration, filter_->onData(data, false)); EXPECT_CALL(filter_callbacks_, continueReading()); - request_callbacks_->onComplete(CheckStatus::Error); + request_callbacks_->onComplete(Filters::Common::ExtAuthz::CheckStatus::Error); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onData(data, false)); @@ -247,8 +261,10 @@ TEST_F(ExtAuthzFilterTest, VerifyCancelOnRemoteClose) { EXPECT_CALL(filter_callbacks_.connection_, remoteAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>( - Invoke([&](RequestCallbacks& callbacks) -> void { request_callbacks_ = &callbacks; }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + request_callbacks_ = &callbacks; + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); 
@@ -273,8 +289,10 @@ TEST_F(ExtAuthzFilterTest, ImmediateOK) { EXPECT_CALL(filter_callbacks_.connection_, localAddress()).WillOnce(ReturnRef(addr_)); EXPECT_CALL(filter_callbacks_, continueReading()).Times(0); EXPECT_CALL(*client_, check(_, _, _)) - .WillOnce(WithArgs<0>(Invoke( - [&](RequestCallbacks& callbacks) -> void { callbacks.onComplete(CheckStatus::OK); }))); + .WillOnce( + WithArgs<0>(Invoke([&](Filters::Common::ExtAuthz::RequestCallbacks& callbacks) -> void { + callbacks.onComplete(Filters::Common::ExtAuthz::CheckStatus::OK); + }))); EXPECT_EQ(Network::FilterStatus::Continue, filter_->onNewConnection()); Buffer::OwnedImpl data("hello"); @@ -291,6 +309,34 @@ TEST_F(ExtAuthzFilterTest, ImmediateOK) { EXPECT_EQ(0U, stats_store_.counter("ext_authz.name.cx_closed").value()); } -} // namespace TcpFilter +TEST(NetworkFilterConfigTest, ExtAuthzCorrectProto) { + std::string yaml = R"EOF( + grpc_service: + google_grpc: + target_uri: ext_authz_server + stat_prefix: google + failure_mode_allow: false + stat_prefix: name +)EOF"; + + envoy::config::filter::network::ext_authz::v2::ExtAuthz proto_config{}; + MessageUtil::loadFromYaml(yaml, proto_config); + + NiceMock context; + ExtAuthzConfigFactory factory; + + EXPECT_CALL(context.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _)) + .WillOnce(Invoke([](const envoy::api::v2::core::GrpcService&, Stats::Scope&) { + return std::make_unique>(); + })); + Server::Configuration::NetworkFilterFactoryCb cb = + factory.createFilterFactoryFromProto(proto_config, context); + Network::MockConnection connection; + EXPECT_CALL(connection, addReadFilter(_)); + cb(connection); +} + } // namespace ExtAuthz +} // namespace NetworkFilters +} // namespace Extensions } // namespace Envoy diff --git a/test/mocks/ext_authz/BUILD b/test/mocks/ext_authz/BUILD deleted file mode 100644 index 725c43b30301..000000000000 --- a/test/mocks/ext_authz/BUILD +++ /dev/null 
@@ -1,18 +0,0 @@
-licenses(["notice"]) # Apache 2
-
-load(
-    "//bazel:envoy_build_system.bzl",
-    "envoy_cc_mock",
-    "envoy_package",
-)
-
-envoy_package()
-
-envoy_cc_mock(
-    name = "ext_authz_mocks",
-    srcs = ["mocks.cc"],
-    hdrs = ["mocks.h"],
-    deps = [
-        "//include/envoy/ext_authz:ext_authz_interface",
-    ],
-)
diff --git a/test/server/config/http/BUILD b/test/server/config/http/BUILD
index a93817427737..40feea2c80f4 100644
--- a/test/server/config/http/BUILD
+++ b/test/server/config/http/BUILD
@@ -18,7 +18,6 @@ envoy_cc_test(
         "//source/common/router:router_lib",
         "//source/server/config/http:buffer_lib",
         "//source/server/config/http:dynamo_lib",
-        "//source/server/config/http:ext_authz_lib",
         "//source/server/config/http:fault_lib",
         "//source/server/config/http:grpc_http1_bridge_lib",
         "//source/server/config/http:grpc_json_transcoder_lib",
diff --git a/test/server/config/http/config_test.cc b/test/server/config/http/config_test.cc
index 4660c5474ed4..f35b1ed6c3e0 100644
--- a/test/server/config/http/config_test.cc
+++ b/test/server/config/http/config_test.cc
@@ -12,7 +12,6 @@
 
 #include "server/config/http/buffer.h"
 #include "server/config/http/dynamo.h"
-#include "server/config/http/ext_authz.h"
 #include "server/config/http/fault.h"
 #include "server/config/http/grpc_http1_bridge.h"
 #include "server/config/http/grpc_json_transcoder.h"
@@ -449,37 +448,6 @@ TEST(HttpTracerConfigTest, DoubleRegistrationTest) {
       "Double registration for name: 'envoy.zipkin'");
 }
 
-TEST(HttpExtAuthzConfigTest, ExtAuthzCorrectProto) {
-  std::string yaml = R"EOF(
-  grpc_service:
-    google_grpc:
-      target_uri: ext_authz_server
-      stat_prefix: google
-  failure_mode_allow: false
-)EOF";
-
-  envoy::config::filter::http::ext_authz::v2::ExtAuthz proto_config{};
-  MessageUtil::loadFromYaml(yaml, proto_config);
-
-  NiceMock context;
-  ExtAuthzFilterConfig factory;
-
-  EXPECT_CALL(context.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _))
-      .WillOnce(Invoke([](const envoy::api::v2::core::GrpcService&, Stats::Scope&) {
-        return std::make_unique>();
-      }));
-  HttpFilterFactoryCb cb = factory.createFilterFactoryFromProto(proto_config, "stats", context);
-  Http::MockFilterChainFactoryCallbacks filter_callback;
-  EXPECT_CALL(filter_callback, addStreamDecoderFilter(_));
-  cb(filter_callback);
-}
-
-TEST(HttpExtAuthzConfigTest, DoubleRegistrationTest) {
-  EXPECT_THROW_WITH_MESSAGE(
-      (Registry::RegisterFactory()),
-      EnvoyException, "Double registration for name: 'envoy.ext_authz'");
-}
-
 } // namespace Configuration
 } // namespace Server
 } // namespace Envoy
diff --git a/test/server/config/network/BUILD b/test/server/config/network/BUILD
index 819571530283..498f5d53447f 100644
--- a/test/server/config/network/BUILD
+++ b/test/server/config/network/BUILD
@@ -17,10 +17,10 @@ envoy_cc_test( "//source/common/dynamo:dynamo_filter_lib", "//source/common/protobuf:utility_lib", "//source/extensions/filters/network/client_ssl_auth:config", + "//source/extensions/filters/network/ext_authz:config", "//source/extensions/filters/network/mongo_proxy:config", "//source/extensions/filters/network/tcp_proxy:config", "//source/server/config/access_log:file_access_log_lib", - "//source/server/config/network:ext_authz_lib", "//source/server/config/network:http_connection_manager_lib", "//source/server/config/network:ratelimit_lib", "//source/server/config/network:redis_proxy_lib", diff --git a/test/server/config/network/config_test.cc b/test/server/config/network/config_test.cc index ca9582adf664..c0f2a4f4e3e8 100644 --- a/test/server/config/network/config_test.cc +++ b/test/server/config/network/config_test.cc @@ -9,12 +9,12 @@ #include "common/protobuf/utility.h" #include "server/config/access_log/file_access_log.h" -#include "server/config/network/ext_authz.h" #include "server/config/network/http_connection_manager.h" #include "server/config/network/ratelimit.h" #include "server/config/network/redis_proxy.h" #include "extensions/filters/network/client_ssl_auth/config.h" +#include "extensions/filters/network/ext_authz/config.h" #include "extensions/filters/network/mongo_proxy/config.h" #include "extensions/filters/network/tcp_proxy/config.h" @@ -49,7 +49,7 @@ TEST(NetworkFilterConfigTest, ValidateFail) { envoy::config::filter::network::redis_proxy::v2::RedisProxy redis_proto; Extensions::NetworkFilters::TcpProxy::TcpProxyConfigFactory tcp_proxy_factory; envoy::config::filter::network::tcp_proxy::v2::TcpProxy tcp_proxy_proto; - ExtAuthzConfigFactory ext_authz_factory; + Extensions::NetworkFilters::ExtAuthz::ExtAuthzConfigFactory ext_authz_factory; envoy::config::filter::network::ext_authz::v2::ExtAuthz ext_authz_proto; const std::vector> filter_cases = { 
@@ -404,32 +404,6 @@ TEST(AccessLogConfigTest, FileAccessLogTest) {
   EXPECT_NE(nullptr, dynamic_cast(instance.get()));
 }
 
-TEST(NetworkFilterConfigTest, ExtAuthzCorrectProto) {
-  std::string yaml = R"EOF(
-  grpc_service:
-    google_grpc:
-      target_uri: ext_authz_server
-      stat_prefix: google
-  failure_mode_allow: false
-  stat_prefix: name
-)EOF";
-
-  envoy::config::filter::network::ext_authz::v2::ExtAuthz proto_config{};
-  MessageUtil::loadFromYaml(yaml, proto_config);
-
-  NiceMock context;
-  ExtAuthzConfigFactory factory;
-
-  EXPECT_CALL(context.cluster_manager_.async_client_manager_, factoryForGrpcService(_, _))
-      .WillOnce(Invoke([](const envoy::api::v2::core::GrpcService&, Stats::Scope&) {
-        return std::make_unique>();
-      }));
-  NetworkFilterFactoryCb cb = factory.createFilterFactoryFromProto(proto_config, context);
-  Network::MockConnection connection;
-  EXPECT_CALL(connection, addReadFilter(_));
-  cb(connection);
-}
-
 } // namespace Configuration
 } // namespace Server
 } // namespace Envoy