Merge branch 'main' into bazel_v7.2.1

Author: PiotrSikora

.github/workflows/rust.yml

@@ -238,6 +238,7 @@ jobs:
         - 'http_body'
         - 'http_config'
         - 'http_headers'
+        - 'grpc_auth_random'
 
     defaults:
       run:
@@ -301,6 +302,7 @@ jobs:
         - 'http_body'
         - 'http_config'
         - 'http_headers'
+        - 'grpc_auth_random'
 
     defaults:
       run:

README.md

@@ -21,6 +21,7 @@
 - [HTTP Headers](./examples/http_headers/)
 - [HTTP Response body](./examples/http_body/)
 - [HTTP Configuration](./examples/http_config/)
+- [gRPC Auth (random)](./examples/grpc_auth_random/)
 
 ## Articles & blog posts from the community
 

examples/grpc_auth_random/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+publish = false
+name = "proxy-wasm-example-grpc-auth-random"
+version = "0.0.1"
+description = "Proxy-Wasm plugin example: gRPC auth (random)"
+license = "Apache-2.0"
+edition = "2018"
+
+[lib]
+crate-type = ["cdylib"]
+
+[dependencies]
+log = "0.4"
+proxy-wasm = { path = "../../" }
+
+[profile.release]
+lto = true
+opt-level = 3
+codegen-units = 1
+panic = "abort"
+strip = "debuginfo"

examples/grpc_auth_random/README.md

@@ -0,0 +1,52 @@
+## Proxy-Wasm plugin example: gRPC auth (random)
+
+Proxy-Wasm plugin that grants access based on a result of gRPC callout.
+
+### Building
+
+```sh
+$ cargo build --target wasm32-wasi --release
+```
+
+### Using in Envoy
+
+This example can be run with [`docker compose`](https://docs.docker.com/compose/install/)
+and has a matching Envoy configuration.
+
+```sh
+$ docker compose up
+```
+
+#### Access granted.
+
+Send gRPC request to `localhost:10000` service `hello.HelloService`:
+
+```sh
+$ grpcurl -d '{"greeting": "Rust"}' -plaintext localhost:10000 hello.HelloService/SayHello
+{
+  "reply": "hello Rust"
+}
+```
+
+Expected Envoy logs:
+
+```console
+[...] wasm log grpc_auth_random: Access granted.
+```
+
+#### Access forbidden.
+
+Send gRPC request to `localhost:10000` service `hello.HelloService`:
+
+```sh
+$ grpcurl -d '{"greeting": "Rust"}' -plaintext localhost:10000 hello.HelloService/SayHello
+ERROR:
+  Code: Aborted
+  Message: Aborted by Proxy-Wasm!
+```
+
+Expected Envoy logs:
+
+```console
+[...] wasm log grpc_auth_random: Access forbidden.
+```

examples/grpc_auth_random/docker-compose.yaml

@@ -0,0 +1,36 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+services:
+  envoy:
+    image: envoyproxy/envoy:v1.24-latest
+    hostname: envoy
+    ports:
+      - "10000:10000"
+    volumes:
+      - ./envoy.yaml:/etc/envoy/envoy.yaml
+      - ./target/wasm32-wasi/release:/etc/envoy/proxy-wasm-plugins
+    networks:
+      - envoymesh
+    depends_on:
+      - grpcbin
+  grpcbin:
+    image: kong/grpcbin
+    hostname: grpcbin
+    ports:
+      - "9000:9000"
+    networks:
+      - envoymesh
+networks:
+  envoymesh: {}

examples/grpc_auth_random/envoy.yaml

@@ -0,0 +1,69 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+static_resources:
+  listeners:
+    address:
+      socket_address:
+        address: 0.0.0.0
+        port_value: 10000
+    filter_chains:
+      - filters:
+          - name: envoy.filters.network.http_connection_manager
+            typed_config:
+              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+              stat_prefix: ingress_http
+              codec_type: AUTO
+              route_config:
+                name: local_routes
+                virtual_hosts:
+                  - name: local_service
+                    domains:
+                      - "*"
+                    routes:
+                      - match:
+                          prefix: "/"
+                        route:
+                          cluster: grpcbin
+              http_filters:
+                - name: envoy.filters.http.wasm
+                  typed_config:
+                    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+                    type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+                    value:
+                      config:
+                        name: "grpc_auth_random"
+                        vm_config:
+                          runtime: "envoy.wasm.runtime.v8"
+                          code:
+                            local:
+                              filename: "/etc/envoy/proxy-wasm-plugins/proxy_wasm_example_grpc_auth_random.wasm"
+                - name: envoy.filters.http.router
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+  clusters:
+    - name: grpcbin
+      connect_timeout: 5s
+      type: STRICT_DNS
+      lb_policy: ROUND_ROBIN
+      http2_protocol_options: {}
+      load_assignment:
+        cluster_name: grpcbin
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: grpcbin
+                      port_value: 9000

examples/grpc_auth_random/src/lib.rs

@@ -0,0 +1,83 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+use log::info;
+use proxy_wasm::traits::*;
+use proxy_wasm::types::*;
+use std::time::Duration;
+
+proxy_wasm::main! {{
+    proxy_wasm::set_log_level(LogLevel::Trace);
+    proxy_wasm::set_http_context(|_, _| -> Box<dyn HttpContext> { Box::new(GrpcAuthRandom) });
+}}
+
+struct GrpcAuthRandom;
+
+impl HttpContext for GrpcAuthRandom {
+    fn on_http_request_headers(&mut self, _: usize, _: bool) -> Action {
+        match self.get_http_request_header("content-type") {
+            Some(value) if value.starts_with("application/grpc") => {}
+            _ => {
+                // Reject non-gRPC clients.
+                self.send_http_response(
+                    503,
+                    vec![("Powered-By", "proxy-wasm")],
+                    Some(b"Service accessible only to gRPC clients.\n"),
+                );
+                return Action::Pause;
+            }
+        }
+
+        match self.get_http_request_header(":path") {
+            Some(value) if value.starts_with("/grpc.reflection") => {
+                // Always allow gRPC calls to the reflection API.
+                Action::Continue
+            }
+            _ => {
+                // Allow other gRPC calls based on the result of grpcbin.GRPCBin/RandomError.
+                self.dispatch_grpc_call(
+                    "grpcbin",
+                    "grpcbin.GRPCBin",
+                    "RandomError",
+                    vec![],
+                    None,
+                    Duration::from_secs(1),
+                )
+                .unwrap();
+                Action::Pause
+            }
+        }
+    }
+
+    fn on_http_response_headers(&mut self, _: usize, _: bool) -> Action {
+        self.set_http_response_header("Powered-By", Some("proxy-wasm"));
+        Action::Continue
+    }
+}
+
+impl Context for GrpcAuthRandom {
+    fn on_grpc_call_response(&mut self, _: u32, status_code: u32, _: usize) {
+        if status_code % 2 == 0 {
+            info!("Access granted.");
+            self.resume_http_request();
+        } else {
+            info!("Access forbidden.");
+            self.send_grpc_response(
+                GrpcStatusCode::Aborted,
+                Some("Aborted by Proxy-Wasm!"),
+                vec![("Powered-By", b"proxy-wasm")],
+            );
+        }
+    }
+}

examples/http_auth_random/docker-compose.yaml

@@ -23,5 +23,14 @@ services:
       - ./target/wasm32-wasi/release:/etc/envoy/proxy-wasm-plugins
     networks:
       - envoymesh
+    depends_on:
+      - httpbin
+  httpbin:
+    image: mccutchen/go-httpbin
+    hostname: httpbin
+    ports:
+      - "8080:8080"
+    networks:
+      - envoymesh
 networks:
   envoymesh: {}

examples/http_auth_random/envoy.yaml

@@ -64,6 +64,5 @@ static_resources:
               - endpoint:
                   address:
                     socket_address:
-                      address: httpbin.org
-                      port_value: 80
-                  hostname: "httpbin.org"
+                      address: httpbin
+                      port_value: 8080

examples/http_auth_random/src/lib.rs

@@ -35,7 +35,7 @@ impl HttpContext for HttpAuthRandom {
             ],
             None,
             vec![],
-            Duration::from_secs(5),
+            Duration::from_secs(1),
         )
         .unwrap();
         Action::Pause