Add custom OPA filter implementation (#117)

Signed-off-by: Pavol Loffay <[email protected]>

Author: pavolloffay

README.md

@@ -19,6 +19,10 @@ List of supported frameworks with additional capabilities:
 | [gRPC](https://github.com/grpc/grpc-java)                                                              | 1.5+            |
 | [OkHttp](https://github.com/square/okhttp/)                                                            | 3.0+            |
 
+### Adding custom filter implementation
+
+Custom filter implementations can be added via `FilterProvider` SPI (Java service loader).
+The providers can be disabled at startup via `ht.filter.provider.<provider-class-name>.disabled=true`.
 
 ## Build
 

filter-custom-opa/build.gradle.kts

@@ -0,0 +1,13 @@
+plugins {
+    java
+}
+
+dependencies {
+    implementation(project(":filter"))
+    implementation("org.slf4j:slf4j-api:1.7.30")
+    implementation("com.squareup.okhttp3:okhttp:3.14.9")
+    // https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind
+    implementation("com.fasterxml.jackson.core:jackson-databind:2.11.3")
+    implementation("com.google.auto.service:auto-service:1.0-rc7")
+    annotationProcessor("com.google.auto.service:auto-service:1.0-rc7")
+}

filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/CustomOpaLib.java

@@ -0,0 +1,105 @@
+/*
+ * Copyright The Hypertrace Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.hypertrace.agent.filter.opa.custom;
+
+import com.google.auto.service.AutoService;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ThreadFactory;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.atomic.AtomicInteger;
+import org.hypertrace.agent.filter.ExecutionBlocked;
+import org.hypertrace.agent.filter.ExecutionNotBlocked;
+import org.hypertrace.agent.filter.Filter;
+import org.hypertrace.agent.filter.FilterResult;
+import org.hypertrace.agent.filter.opa.custom.evaluator.ICustomPolicyEvaluator;
+import org.hypertrace.agent.filter.opa.custom.evaluator.IpAddressPolicyEvaluator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/** This is a legacy code ported from Traceable Java agent. */
+@AutoService(Filter.class)
+public class CustomOpaLib implements Filter {
+  private static final Logger log = LoggerFactory.getLogger(CustomOpaLib.class);
+
+  private final OpaCommunicator opaCommunicator = new OpaCommunicator();
+  private final Set<ICustomPolicyEvaluator> policyEvaluators = new HashSet<>();
+
+  private final ScheduledExecutorService scheduledExecutorService =
+      Executors.newSingleThreadScheduledExecutor(
+          new ThreadFactory() {
+            private final AtomicInteger threadSequence = new AtomicInteger(1);
+
+            @Override
+            public Thread newThread(Runnable r) {
+              String name = "hypertrace-agent-custom-opa" + threadSequence.getAndIncrement();
+              Thread thread = new Thread(r, name);
+              thread.setDaemon(true);
+              return thread;
+            }
+          });
+
+  public CustomOpaLib(String endpoint, String apiKey, boolean skipVerify, int maxDelay) {
+    opaCommunicator.init(endpoint, apiKey, skipVerify);
+    scheduledExecutorService.scheduleWithFixedDelay(
+        new Runnable() {
+          @Override
+          public void run() {
+            try {
+              opaCommunicator.pollBlockingData();
+            } catch (Throwable t) {
+              log.debug("Unable to poll blocking data", t);
+            }
+          }
+        },
+        0,
+        maxDelay,
+        TimeUnit.SECONDS);
+
+    policyEvaluators.add(new IpAddressPolicyEvaluator());
+  }
+
+  // TODO agent should clear resources at the end
+  //  @Override
+  //  public void fini() {
+  //    scheduledExecutorService.shutdownNow();
+  //    scheduledExecutorService = null;
+  //    opaCommunicator.clear();
+  //    policyEvaluators.clear();
+  //  }
+
+  @Override
+  public FilterResult evaluateRequestHeaders(
+      io.opentelemetry.trace.Span span, Map<String, String> headers) {
+    // currently as per policy.rego, allowed list has precedence over denylist
+    boolean allow =
+        policyEvaluators.stream()
+            .map(
+                policyEvaluator ->
+                    policyEvaluator.allow(opaCommunicator.getBlockingData(), headers))
+            .anyMatch(Boolean::booleanValue);
+    return allow ? ExecutionNotBlocked.INSTANCE : ExecutionBlocked.INSTANCE;
+  }
+
+  @Override
+  public FilterResult evaluateRequestBody(io.opentelemetry.trace.Span span, String body) {
+    return ExecutionNotBlocked.INSTANCE;
+  }
+}

filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/CustomOpaLibProvider.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright The Hypertrace Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.hypertrace.agent.filter.opa.custom;
+
+import com.google.auto.service.AutoService;
+import org.hypertrace.agent.core.EnvironmentConfig;
+import org.hypertrace.agent.filter.Filter;
+import org.hypertrace.agent.filter.FilterProvider;
+import org.hypertrace.agent.filter.FilterRegistry;
+
+@AutoService(FilterProvider.class)
+public class CustomOpaLibProvider implements FilterProvider {
+
+  public CustomOpaLibProvider() {
+    String property = FilterRegistry.getProviderDisabledPropertyName(CustomOpaLibProvider.class);
+    // by default disable this provider until HT agent config includes OPA
+    if (EnvironmentConfig.getProperty(property) == null) {
+      System.setProperty(property, "true");
+    }
+  }
+
+  @Override
+  public Filter create() {
+    String endpoint = EnvironmentConfig.getProperty("hypertrace.opa.endpoint");
+    String token = EnvironmentConfig.getProperty("hypertrace.reporting.token");
+    String pullInterval = EnvironmentConfig.getProperty("hypertrace.opa.pull_interval");
+    String skipVerify = EnvironmentConfig.getProperty("hypertrace.opa.skip_verify");
+    return new CustomOpaLib(
+        endpoint, token, Boolean.parseBoolean(skipVerify), Integer.parseInt(pullInterval));
+  }
+}

filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/OpaCommunicator.java

@@ -0,0 +1,162 @@
+/*
+ * Copyright The Hypertrace Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.hypertrace.agent.filter.opa.custom;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import javax.net.ssl.*;
+import okhttp3.Interceptor;
+import okhttp3.OkHttpClient;
+import okhttp3.Request;
+import okhttp3.Response;
+import org.hypertrace.agent.filter.opa.custom.data.BlockingData;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class OpaCommunicator {
+  private static final Logger log = LoggerFactory.getLogger(OpaCommunicator.class);
+
+  private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
+  private static final String PATH = "/v1/data";
+
+  private OkHttpClient httpClient;
+  private Request request;
+
+  private BlockingData blockingData;
+
+  protected OpaCommunicator() {}
+
+  public void init(String endpoint, String authToken, boolean skipVerify) {
+    OkHttpClient.Builder builder = new OkHttpClient.Builder();
+    if (authToken != null && !authToken.isEmpty()) {
+      log.info("Adding authentication key");
+      builder = withAuth(builder, authToken);
+    }
+    if (skipVerify) {
+      builder = withSkipVerify(builder);
+    }
+    this.httpClient = builder.build();
+    if (endpoint.endsWith("/")) {
+      endpoint = endpoint.substring(0, endpoint.length() - 1);
+    }
+    this.request = new Request.Builder().url(endpoint + PATH).get().build();
+  }
+
+  public void pollBlockingData() {
+    if (httpClient == null) {
+      return;
+    }
+
+    Response response;
+    try {
+      response = httpClient.newCall(request).execute();
+    } catch (IOException e) {
+      log.warn("Unable to make a successful get call to the OPA service.", e);
+      return;
+    }
+
+    log.trace("Received response from OPA service: {}", response);
+    if (response.isSuccessful()) {
+      try {
+        JsonNode jsonNode = OBJECT_MAPPER.readTree(response.body().byteStream());
+        if (log.isDebugEnabled()) {
+          log.debug("Received blocking data from OPA service: {}", jsonNode);
+        }
+        blockingData =
+            OBJECT_MAPPER.treeToValue(
+                jsonNode.at("/result/traceable/http/request"), BlockingData.class);
+      } catch (IOException e) {
+        log.warn("Unable to retrieve blocking data from the OPA service.", e);
+      }
+    }
+  }
+
+  public BlockingData getBlockingData() {
+    return blockingData;
+  }
+
+  public void clear() {
+    httpClient = null;
+    request = null;
+    blockingData = null;
+  }
+
+  private static OkHttpClient.Builder withAuth(OkHttpClient.Builder builder, String authToken) {
+    builder.addInterceptor(getAuthInterceptor("Bearer " + authToken));
+    return builder;
+  }
+
+  private static OkHttpClient.Builder withSkipVerify(OkHttpClient.Builder builder) {
+    // Install the all-trusting trust manager
+    try {
+      TrustManager[] trustAllCertsManagers = getTrustAllCertsManagers();
+      final SSLContext sslContext = SSLContext.getInstance("SSL");
+      sslContext.init(null, trustAllCertsManagers, new java.security.SecureRandom());
+      // Create an ssl socket factory with our all-trusting manager
+      final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
+      builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCertsManagers[0]);
+      builder.hostnameVerifier(getSkipVerifyHostnameVerifier());
+    } catch (NoSuchAlgorithmException e) {
+      log.warn("Error in getting SSL context. SkipVerify could not be set to true.", e);
+    } catch (KeyManagementException e) {
+      log.warn("Error in initializing SSL context. SkipVerify could not be set to true.", e);
+    }
+    return builder;
+  }
+
+  private static Interceptor getAuthInterceptor(final String headerValue) {
+    return new Interceptor() {
+      @Override
+      public Response intercept(Chain chain) throws IOException {
+        return chain.proceed(
+            chain.request().newBuilder().addHeader("Authorization", headerValue).build());
+      }
+    };
+  }
+
+  private static TrustManager[] getTrustAllCertsManagers() {
+    return new TrustManager[] {
+      new X509TrustManager() {
+        @Override
+        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType)
+            throws CertificateException {}
+
+        @Override
+        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType)
+            throws CertificateException {}
+
+        @Override
+        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
+          return new java.security.cert.X509Certificate[] {};
+        }
+      }
+    };
+  }
+
+  private static HostnameVerifier getSkipVerifyHostnameVerifier() {
+    return new HostnameVerifier() {
+      @Override
+      public boolean verify(String hostname, SSLSession session) {
+        return true;
+      }
+    };
+  }
+}