ProtoApiScrubber: Add filter config parsing and storing logic (#39628)

Signed-off-by: Sumit Kumar <[email protected]>

Author: sumitkmr2

source/extensions/filters/http/proto_api_scrubber/BUILD

@@ -15,7 +15,10 @@ envoy_cc_extension(
     hdrs = ["filter_config.h"],
     deps = [
         "//source/common/common:minimal_logger_lib",
-        "//source/extensions/filters/http/common:factory_base_lib",
+        "//source/common/http:utility_lib",
+        "//source/common/http/matching:data_impl_lib",
+        "//source/common/matcher:matcher_lib",
+        "@com_github_cncf_xds//xds/type/matcher/v3:pkg_cc_proto",
         "@envoy_api//envoy/extensions/filters/http/proto_api_scrubber/v3:pkg_cc_proto",
     ],
 )

source/extensions/filters/http/proto_api_scrubber/filter_config.cc

@@ -1,15 +1,176 @@
 #include "source/extensions/filters/http/proto_api_scrubber/filter_config.h"
 
+#include <algorithm>
+
+#include "envoy/extensions/filters/http/proto_api_scrubber/v3/matcher_actions.pb.h"
+#include "envoy/matcher/matcher.h"
+
+#include "source/common/matcher/matcher.h"
+
 namespace Envoy {
 namespace Extensions {
 namespace HttpFilters {
 namespace ProtoApiScrubber {
 namespace {
 
-using ::envoy::extensions::filters::http::proto_api_scrubber::v3::ProtoApiScrubberConfig;
+static constexpr absl::string_view kConfigInitializationError =
+    "Error encountered during config initialization.";
+
+// Returns whether the fully qualified `api_name` is valid or not.
+// Checks for separator '.' in the name and verifies each substring between these separators are
+// non-empty. Note that it does not verify whether the API actually exists or not.
+bool isApiNameValid(absl::string_view api_name) {
+  const std::vector<absl::string_view> api_name_parts = absl::StrSplit(api_name, '.');
+  if (api_name_parts.size() <= 1) {
+    return false;
+  }
+
+  // Returns true if all of the api_name_parts are non-empty, otherwise returns false.
+  return !std::any_of(api_name_parts.cbegin(), api_name_parts.cend(),
+                      [](const absl::string_view s) { return s.empty(); });
+}
+
 } // namespace
 
-FilterConfig::FilterConfig(const ProtoApiScrubberConfig&) {}
+absl::StatusOr<std::shared_ptr<const ProtoApiScrubberFilterConfig>>
+ProtoApiScrubberFilterConfig::create(const ProtoApiScrubberConfig& proto_config,
+                                     Server::Configuration::FactoryContext& context) {
+  std::shared_ptr<ProtoApiScrubberFilterConfig> filter_config_ptr =
+      std::shared_ptr<ProtoApiScrubberFilterConfig>(new ProtoApiScrubberFilterConfig());
+  RETURN_IF_ERROR(filter_config_ptr->initialize(proto_config, context));
+  return filter_config_ptr;
+}
+
+absl::Status
+ProtoApiScrubberFilterConfig::initialize(const ProtoApiScrubberConfig& proto_config,
+                                         Server::Configuration::FactoryContext& context) {
+  ENVOY_LOG(trace, "Initializing filter config from the proto config: {}",
+            proto_config.DebugString());
+
+  FilteringMode filtering_mode = proto_config.filtering_mode();
+  RETURN_IF_ERROR(validateFilteringMode(filtering_mode));
+  filtering_mode_ = filtering_mode;
+
+  for (const auto& method_restriction : proto_config.restrictions().method_restrictions()) {
+    std::string method_name = method_restriction.first;
+    RETURN_IF_ERROR(validateMethodName(method_name));
+    RETURN_IF_ERROR(initializeMethodRestrictions(
+        method_name, request_field_restrictions_,
+        method_restriction.second.request_field_restrictions(), context));
+    RETURN_IF_ERROR(initializeMethodRestrictions(
+        method_name, response_field_restrictions_,
+        method_restriction.second.response_field_restrictions(), context));
+  }
+
+  ENVOY_LOG(trace, "Filter config initialized successfully.");
+  return absl::OkStatus();
+}
+
+absl::Status ProtoApiScrubberFilterConfig::validateFilteringMode(FilteringMode filtering_mode) {
+  switch (filtering_mode) {
+  case FilteringMode::ProtoApiScrubberConfig_FilteringMode_OVERRIDE:
+    return absl::OkStatus();
+  default:
+    return absl::InvalidArgumentError(
+        fmt::format("{} Unsupported 'filtering_mode': {}.", kConfigInitializationError,
+                    envoy::extensions::filters::http::proto_api_scrubber::v3::
+                        ProtoApiScrubberConfig_FilteringMode_Name(filtering_mode)));
+  }
+}
+
+absl::Status ProtoApiScrubberFilterConfig::validateMethodName(absl::string_view method_name) {
+  if (method_name.empty()) {
+    return absl::InvalidArgumentError(
+        fmt::format("{} Invalid method name: '{}'. Method name is empty.",
+                    kConfigInitializationError, method_name));
+  }
+
+  if (absl::StrContains(method_name, '*')) {
+    return absl::InvalidArgumentError(fmt::format(
+        "{} Invalid method name: '{}'. Method name contains '*' which is not supported.",
+        kConfigInitializationError, method_name));
+  }
+
+  const std::vector<absl::string_view> method_name_parts = absl::StrSplit(method_name, '/');
+  if (method_name_parts.size() != 3 || !method_name_parts[0].empty() ||
+      method_name_parts[1].empty() || !isApiNameValid(method_name_parts[1]) ||
+      method_name_parts[2].empty()) {
+    return absl::InvalidArgumentError(
+        fmt::format("{} Invalid method name: '{}'. Method name should follow the gRPC format "
+                    "('/package.ServiceName/MethodName').",
+                    kConfigInitializationError, method_name));
+  }
+
+  return absl::OkStatus();
+}
+
+absl::Status ProtoApiScrubberFilterConfig::validateFieldMask(absl::string_view field_mask) {
+  if (field_mask.empty()) {
+    return absl::InvalidArgumentError(
+        fmt::format("{} Invalid field mask: '{}'. Field mask is empty.", kConfigInitializationError,
+                    field_mask));
+  }
+
+  if (absl::StrContains(field_mask, '*')) {
+    return absl::InvalidArgumentError(
+        fmt::format("{} Invalid field mask: '{}'. Field mask contains '*' which is not supported.",
+                    kConfigInitializationError, field_mask));
+  }
+
+  return absl::OkStatus();
+}
+
+absl::Status ProtoApiScrubberFilterConfig::initializeMethodRestrictions(
+    absl::string_view method_name, StringPairToMatchTreeMap& field_restrictions,
+    const Map<std::string, RestrictionConfig>& restrictions,
+    Envoy::Server::Configuration::FactoryContext& context) {
+  for (const auto& restriction : restrictions) {
+    absl::string_view field_mask = restriction.first;
+    RETURN_IF_ERROR(validateFieldMask(field_mask));
+    ProtoApiScrubberRemoveFieldAction remove_field_action;
+    MatcherInputValidatorVisitor validation_visitor;
+    Matcher::MatchTreeFactory<HttpMatchingData, ProtoApiScrubberRemoveFieldAction> matcher_factory(
+        remove_field_action, context.serverFactoryContext(), validation_visitor);
+
+    absl::optional<Matcher::MatchTreeFactoryCb<HttpMatchingData>> factory_cb =
+        matcher_factory.create(restriction.second.matcher());
+    if (factory_cb.has_value()) {
+      field_restrictions[std::make_pair(std::string(method_name), std::string(field_mask))] =
+          factory_cb.value()();
+    } else {
+      return absl::InvalidArgumentError(fmt::format(
+          "{} Failed to initialize matcher factory callback for method {} and field mask {}.",
+          kConfigInitializationError, method_name, field_mask));
+    }
+  }
+
+  return absl::OkStatus();
+}
+
+MatchTreeHttpMatchingDataSharedPtr
+ProtoApiScrubberFilterConfig::getRequestFieldMatcher(const std::string& method_name,
+                                                     const std::string& field_mask) const {
+  if (auto it = request_field_restrictions_.find(std::make_pair(method_name, field_mask));
+      it != request_field_restrictions_.end()) {
+    return it->second;
+  }
+
+  return nullptr;
+}
+
+MatchTreeHttpMatchingDataSharedPtr
+ProtoApiScrubberFilterConfig::getResponseFieldMatcher(const std::string& method_name,
+                                                      const std::string& field_mask) const {
+  if (auto it = response_field_restrictions_.find(std::make_pair(method_name, field_mask));
+      it != response_field_restrictions_.end()) {
+    return it->second;
+  }
+
+  return nullptr;
+}
+
+REGISTER_FACTORY(RemoveFilterActionFactory,
+                 Matcher::ActionFactory<ProtoApiScrubberRemoveFieldAction>);
 
 } // namespace ProtoApiScrubber
 } // namespace HttpFilters

source/extensions/filters/http/proto_api_scrubber/filter_config.h

@@ -1,25 +1,129 @@
 #pragma once
 
 #include "envoy/extensions/filters/http/proto_api_scrubber/v3/config.pb.h"
-#include "envoy/extensions/filters/http/proto_api_scrubber/v3/config.pb.validate.h"
+#include "envoy/extensions/filters/http/proto_api_scrubber/v3/matcher_actions.pb.h"
 
 #include "source/common/common/logger.h"
+#include "source/common/http/utility.h"
+#include "source/common/matcher/matcher.h"
+
+#include "xds/type/matcher/v3/http_inputs.pb.h"
 
 namespace Envoy {
 namespace Extensions {
 namespace HttpFilters {
 namespace ProtoApiScrubber {
+namespace {
+using envoy::extensions::filters::http::proto_api_scrubber::v3::ProtoApiScrubberConfig;
+using envoy::extensions::filters::http::proto_api_scrubber::v3::RestrictionConfig;
+using Http::HttpMatchingData;
+using Protobuf::Map;
+using xds::type::matcher::v3::HttpAttributesCelMatchInput;
+using ProtoApiScrubberRemoveFieldAction =
+    envoy::extensions::filters::http::proto_api_scrubber::v3::RemoveFieldAction;
+using FilteringMode = ProtoApiScrubberConfig::FilteringMode;
+using MatchTreeHttpMatchingDataSharedPtr = Matcher::MatchTreeSharedPtr<HttpMatchingData>;
+using StringPairToMatchTreeMap =
+    absl::flat_hash_map<std::pair<std::string, std::string>, MatchTreeHttpMatchingDataSharedPtr>;
+} // namespace
+
+// The config for Proto API Scrubber filter. As a thread-safe class, it should be constructed only
+// once and shared among filters for better performance.
+class ProtoApiScrubberFilterConfig : public Logger::Loggable<Logger::Id::filter> {
+public:
+  // Creates and returns an instance of ProtoApiScrubberConfig.
+  static absl::StatusOr<std::shared_ptr<const ProtoApiScrubberFilterConfig>>
+  create(const ProtoApiScrubberConfig& proto_config,
+         Server::Configuration::FactoryContext& context);
+
+  // Returns the match tree for a request payload field mask.
+  MatchTreeHttpMatchingDataSharedPtr getRequestFieldMatcher(const std::string& method_name,
+                                                            const std::string& field_mask) const;
+
+  // Returns the match tree for a response payload field mask.
+  MatchTreeHttpMatchingDataSharedPtr getResponseFieldMatcher(const std::string& method_name,
+                                                             const std::string& field_mask) const;
+
+  FilteringMode filteringMode() const { return filtering_mode_; }
+
+private:
+  // Private constructor to make sure that this class is used in a factory fashion using the
+  // public `create` method.
+  ProtoApiScrubberFilterConfig() = default;
+
+  // Validates the filtering mode. Currently, only FilteringMode::OVERRIDE is supported.
+  // For any unsupported FilteringMode, it returns absl::InvalidArgument.
+  absl::Status validateFilteringMode(FilteringMode);
+
+  // Validates the method name in the filter config.
+  // The method should name should be of gRPC method name format i.e., '/package.service/method'
+  // For any invalid method name, it returns absl::InvalidArgument with an appropriate error
+  // message.
+  absl::Status validateMethodName(absl::string_view);
+
+  // Validates the field mask in the filter config.
+  // The currently supported field mask is of format 'a.b.c'
+  // Wildcards (e.g., '*') are not supported.
+  // For any invalid field mask, it returns absl::InvalidArgument with an appropriate error message.
+  absl::Status validateFieldMask(absl::string_view);
+
+  // Initializes the request and response field mask maps using the proto_config.
+  absl::Status initialize(const ProtoApiScrubberConfig& proto_config,
+                          Envoy::Server::Configuration::FactoryContext& context);
 
-// The config for Proto API Scrubber filter. As a thread-safe class, it
-// should be constructed only once and shared among filters for better
-// performance.
-class FilterConfig : public Envoy::Logger::Loggable<Envoy::Logger::Id::filter> {
+  // Initializes the method's request and response restrictions using the restrictions configured
+  // in the proto config.
+  absl::Status initializeMethodRestrictions(absl::string_view method_name,
+                                            StringPairToMatchTreeMap& field_restrictions,
+                                            const Map<std::string, RestrictionConfig>& restrictions,
+                                            Server::Configuration::FactoryContext& context);
+
+  FilteringMode filtering_mode_;
+
+  // A map from {method_name, field_mask} to the respective match tree for request fields.
+  StringPairToMatchTreeMap request_field_restrictions_;
+
+  // A map from {method_name, field_mask} to the respective match tree for response fields.
+  StringPairToMatchTreeMap response_field_restrictions_;
+};
+
+// A class to validate the input type specified for the unified matcher in the config.
+class MatcherInputValidatorVisitor : public Matcher::MatchTreeValidationVisitor<HttpMatchingData> {
 public:
-  explicit FilterConfig(
-      const envoy::extensions::filters::http::proto_api_scrubber::v3::ProtoApiScrubberConfig&);
+  // Validates whether the input type for the matcher is in the list of supported input types.
+  // Currently, only CEL input type (i.e., HttpAttributesCelMatchInput) is supported.
+  absl::Status performDataInputValidation(const Matcher::DataInputFactory<HttpMatchingData>&,
+                                          absl::string_view type_url) override {
+    if (type_url == TypeUtil::descriptorFullNameToTypeUrl(
+                        HttpAttributesCelMatchInput::descriptor()->full_name())) {
+      return absl::OkStatus();
+    }
+
+    return absl::InvalidArgumentError(
+        fmt::format("ProtoApiScrubber filter does not support matching on '{}'", type_url));
+  }
 };
 
-using FilterConfigSharedPtr = std::shared_ptr<const FilterConfig>;
+// Action class for the RemoveFieldAction.
+// RemoveFieldAction semantically denotes removing a field from request or response protobuf payload
+// based on the field_mask and corresponding the restriction config provided.
+class RemoveFieldAction : public Matcher::ActionBase<ProtoApiScrubberRemoveFieldAction> {};
+
+// ActionFactory for the RemoveFieldAction.
+class RemoveFilterActionFactory : public Matcher::ActionFactory<ProtoApiScrubberRemoveFieldAction> {
+public:
+  Matcher::ActionFactoryCb createActionFactoryCb(const Protobuf::Message&,
+                                                 ProtoApiScrubberRemoveFieldAction&,
+                                                 ProtobufMessage::ValidationVisitor&) override {
+    return []() { return std::make_unique<RemoveFieldAction>(); };
+  }
+
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override {
+    return std::make_unique<ProtoApiScrubberRemoveFieldAction>();
+  }
+
+  std::string name() const override { return "removeFieldAction"; }
+};
 
 } // namespace ProtoApiScrubber
 } // namespace HttpFilters

test/extensions/filters/http/proto_api_scrubber/BUILD

@@ -0,0 +1,33 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_test",
+    "envoy_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+envoy_cc_test(
+    name = "filter_config_test",
+    srcs = ["filter_config_test.cc"],
+    data = [
+        "//test/config/integration/certs",
+        "//test/proto:apikeys_proto_descriptor",
+    ],
+    rbe_pool = "6gig",
+    deps = [
+        "//source/common/matcher:matcher_lib",
+        "//source/extensions/common/matcher:matcher_lib",
+        "//source/extensions/filters/http/proto_api_scrubber:filter_config",
+        "//source/extensions/matching/http/cel_input:cel_input_lib",
+        "//source/extensions/matching/input_matchers/cel_matcher:config",
+        "//test/mocks/http:http_mocks",
+        "//test/mocks/runtime:runtime_mocks",
+        "//test/mocks/server:factory_context_mocks",
+        "//test/proto:apikeys_proto_cc_proto",
+        "//test/test_common:environment_lib",
+        "//test/test_common:utility_lib",
+        "@com_github_cncf_xds//xds/type/matcher/v3:pkg_cc_proto",
+    ],
+)