
@mukul-tyagi08

@mukul-tyagi08 mukul-tyagi08 commented Feb 9, 2026

Issue

https://gravitee.atlassian.net/browse/APIM-12433

Description

Enable the policy for the native API's entrypoint connect phase.

Additional context (Assumptions/Limitations)

  • DNS lookups (hostnames) are not supported, for performance reasons: DNS resolution would add 50-500 ms of latency per connection.
  • matchAllFromXForwardedFor is not applicable - Native Kafka uses raw TCP connections without HTTP headers.
  • Custom IP addresses with comma-separated values - Only the first IP is used, as each TCP connection has a single source address.
  • If hostnames are configured in whitelist/blacklist for a Native Kafka API, they will be logged as warnings and ignored during the ENTRYPOINT_CONNECT phase.

Gravitee.io Automatic Deployment

🚀 A prerelease version of this package has been published on Gravitee's private Artifactory; you can:

  • use it directly by updating your project with version: 2.1.0-APIM-12433-enable-for-native-api-SNAPSHOT
  • download it from Artifactory here

@gemini-code-assist

Summary of Changes

Hello @mukul-tyagi08, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces support for applying the IP filtering policy to Native Kafka APIs. By integrating this policy into the 'ENTRYPOINT_CONNECT' phase, it enables robust, early-stage access control at the TCP connection level, preventing unauthorized clients from establishing a connection before any protocol-specific handshakes or authentication occur. The changes include adapting the policy's logic to the unique characteristics of Kafka's raw TCP connections and thoroughly documenting the specific operational considerations and limitations for this new capability.

Highlights

  • Native Kafka IP Filtering: The IP filtering policy now supports Native Kafka APIs, executing during the 'ENTRYPOINT_CONNECT' phase to allow early connection rejection based on IP addresses.
  • Kafka-Specific Limitations: Hostname DNS lookups are explicitly not supported for Native Kafka due to performance, 'X-Forwarded-For' is inapplicable, and only the first IP is considered for comma-separated custom IP values.
  • Documentation Updates: The 'README.adoc' and 'schema-form.json' have been updated to clearly document the new Kafka support, its phase of execution, and all associated limitations.
  • Codebase Integration: The 'IPFilteringPolicy' class now implements 'KafkaPolicy', with a new 'onEntrypointConnect' method and helper functions to manage IP extraction and filtering for Kafka connections.
  • Enhanced Test Coverage: New unit tests have been added to validate the IP filtering logic specifically for the 'ENTRYPOINT_CONNECT' phase in various scenarios, including blacklist, whitelist, and custom IP configurations.
Changelog
  • README.adoc
    • Updated the "Phase" table to include 'onEntrypointConnect (Native Kafka)'.
    • Added a note explaining the 'ENTRYPOINT_CONNECT' phase for Native Kafka, emphasizing its execution at the TCP connection level before authentication.
    • Introduced a new section "Native Kafka API Support" detailing the policy's behavior and specific limitations (e.g., no DNS lookups, 'matchAllFromXForwardedFor' not applicable, single IP from comma-separated values).
    • Modified descriptions for 'matchAllFromXForwardedFor', 'whitelistIps', 'blacklistIps', and 'lookupIpVersion' to clarify their applicability or limitations for Native Kafka APIs.
    • Documented the 'useCustomIPAddress' and 'customIPAddress' parameters, including their behavior for Native Kafka.
  • pom.xml
    • Updated the 'gravitee-gateway-api.version' dependency to a snapshot version ('4.3.0-APIM-12432-interrupt-exception-entrypoint-connect-SNAPSHOT') to align with new reactive gateway APIs.
  • src/main/java/io/gravitee/policy/ipfiltering/IPFilteringPolicy.java
    • Implemented the 'KafkaPolicy' interface and added the '@Override public String id()' method.
    • Introduced the 'onEntrypointConnect' method, which handles IP filtering for Native Kafka connections, performing blacklist/whitelist checks and interrupting connections via 'InterruptConnectionException' if necessary.
    • Added 'extractIpFromNativeContext' to determine the client IP, supporting custom IP addresses and correctly handling comma-separated values by taking only the first IP.
    • Modified the 'computeList' method to accept 'TemplateEngine' directly, improving reusability.
    • Imported necessary classes for reactive API context, Kafka policy, and template engine.
  • src/main/resources/plugin.properties
    • Added 'native_kafka=ENTRYPOINT_CONNECT' to register the IP filtering policy for the 'ENTRYPOINT_CONNECT' phase of Native Kafka APIs.
  • src/main/resources/schemas/schema-form.json
    • Enhanced descriptions for 'matchAllFromXForwardedFor', 'whitelistIps', 'blacklistIps', and 'lookupIpVersion' to explicitly state their relevance or limitations concerning Native Kafka APIs.
    • Set 'default: false' for 'matchAllFromXForwardedFor' and 'useCustomIPAddress' properties.
    • Updated the 'customIPAddress' description to clarify that for Native Kafka, only the first IP from comma-separated values is used.
  • src/test/java/io/gravitee/policy/ipfiltering/IPFilteringPolicyTest.java
    • Added a comprehensive suite of unit tests for the 'onEntrypointConnect' method, covering scenarios such as blocking blacklisted IPs, allowing whitelisted IPs, blocking IPs not in the whitelist, allowing IPs not in the blacklist, using a custom IP address, handling comma-separated custom IP addresses (taking the first one), and falling back to the remote address when a custom IP is empty.
    • Added required imports for 'EntrypointConnectContext', 'InterruptConnectionException', and 'TestObserver'.
Activity
  • Author 'mukul-tyagi08' initiated the pull request.
  • The pull request addresses issue 'APIM-12433'.
  • The description outlines key assumptions and limitations for Native Kafka integration, such as performance considerations for DNS lookups and the handling of 'X-Forwarded-For' headers.
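As an added illustration (not the project's code; the accept/deny precedence and function names are assumptions), here is the connect-phase decision logic that the description's assumptions list and the summary's 'onEntrypointConnect' / 'extractIpFromNativeContext' items spell out: hostnames are warned about and ignored, only the first comma-separated custom IP is used, and an empty custom value falls back to the TCP remote address.

```python
import ipaddress
import logging

log = logging.getLogger("ip-filtering-connect")


def parse_entries(entries):
    """Parse allow/deny entries (IPs or CIDRs) into networks.

    Hostnames cannot be resolved in the connect phase (no DNS lookups),
    so they are logged as warnings and skipped, as the PR documents.
    """
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            log.warning("ENTRYPOINT_CONNECT: ignoring hostname %r "
                        "(DNS lookups not supported)", entry)
    return networks


def effective_client_ip(remote_address, custom_ip=None):
    """Pick the IP the filter applies to.

    A non-empty custom value wins, but only its first comma-separated
    item is used (one TCP connection has one source address); an empty
    custom value falls back to the connection's remote address.
    """
    if custom_ip and custom_ip.strip():
        return ipaddress.ip_address(custom_ip.split(",")[0].strip())
    return ipaddress.ip_address(remote_address)


def on_entrypoint_connect(remote_address, whitelist=(), blacklist=(),
                          custom_ip=None):
    """Return True to accept the TCP connection, False to interrupt it.

    Assumed semantics (not taken from the project's source): a match in
    the blacklist rejects; a non-empty whitelist must contain the IP.
    """
    ip = effective_client_ip(remote_address, custom_ip)
    if any(ip in net for net in parse_entries(blacklist)):
        return False
    allowed = parse_entries(whitelist)
    if allowed and not any(ip in net for net in allowed):
        return False
    return True
```

Note the fail-open corner in this sketch: a whitelist that contains only hostnames becomes empty after they are dropped and then accepts every connection, which is worth checking against the real policy's behaviour.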

<properties>
<gravitee-bom.version>8.3.39</gravitee-bom.version>
<gravitee-gateway-api.version>3.13.0</gravitee-gateway-api.version>
<gravitee-gateway-api.version>4.3.0-APIM-12432-interrupt-exception-entrypoint-connect-SNAPSHOT</gravitee-gateway-api.version>
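Review bot: the new gravitee-gateway-api.version is a SNAPSHOT (4.3.0-APIM-12432-interrupt-exception-entrypoint-connect-SNAPSHOT) replacing the released 3.13.0, and since this dependency is provided at runtime the bump also raises the minimum gateway version the plugin can load on; pin a released version before merge and state the new minimum gateway version in the README alongside the Native Kafka section.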
Member Author


Will replace after gravitee-io/gravitee-gateway-api#321 gets merged

Contributor


I wonder if it's not a BC, because I'm not sure the policy would still work for an APIM 3.13.0, for example 🤔
Since this dependency is provided, won't there be an error on the NativePolicy import in versions of APIM without it?

I'm not really sure, but I have my doubts 🤷‍♂️


I guess it is

@mukul-tyagi08 mukul-tyagi08 marked this pull request as ready for review February 9, 2026 06:19
@mukul-tyagi08 mukul-tyagi08 requested review from a team as code owners February 9, 2026 06:19

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request enables IP filtering for the native Kafka API entrypoint connect phase. The changes are well-implemented across the policy logic, documentation, and configuration. The new onEntrypointConnect method correctly handles IP filtering with the documented limitations for Kafka, such as ignoring hostnames and using only the first IP from a custom list. The code is clean, and the new functionality is well-tested. I have reviewed the changes and found no issues.

* @author GraviteeSource Team
*/
public class IPFilteringPolicy {
public class IPFilteringPolicy implements KafkaPolicy {
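Review bot: the interface implemented here (KafkaPolicy) does not match the one named in the suggested change below (NativePolicy) or in the contributor's question about the NativePolicy import; settle on the interface that actually exists in the gateway-api version pinned in pom.xml, and add a class-level Javadoc line stating that in the ENTRYPOINT_CONNECT phase hostnames are ignored and only the first custom IP is used, so the behaviour is discoverable from the code and not only from README.adoc.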


Suggested change
public class IPFilteringPolicy implements KafkaPolicy {
public class IPFilteringPolicy implements NativePolicy {

@callaertanthony callaertanthony marked this pull request as draft February 9, 2026 08:23
@callaertanthony

I drafted the PR because we have to decide what we do with https://github.com/gravitee-io/gravitee-policy-kafka-ip-filtering/tree/ipfiltering

Please don't merge until we have taken a decision!
