Create new protobuf for restricting header mutations (#19141)

This protobuf will be used initialy by the ext_proc filter to control which headers may be changed by an external processing server. This begins to address #14789 . If the proto and the location are OK, I'll go on to add a common library to test a proposed header mutation against these rules and then incorporate them into the ext_proc filter. The eventual result is that, by default, an external processor for ext_proc will be able to modify any header, but there will be controls that an administrator can use when connecting to a processor to control whether that processor is actually allowed to make all possible changes. Risk Level: Low -- just the proto for now Signed-off-by: Gregory Brail <gregbrail@google.com> Mirrored from https://github.com/envoyproxy/envoy @ a3e50ecd88943536b4ce412c172a246dacb6288a
3 years ago · d10a1fe818
parent 2a96328f2d
commit d10a1fe818
3 changed files with 94 additions and 0 deletions
--- a/envoy/config/common/mutation_rules/v3/BUILD
+++ b/envoy/config/common/mutation_rules/v3/BUILD
@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/type/matcher/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
--- a/envoy/config/common/mutation_rules/v3/mutation_rules.proto
+++ b/envoy/config/common/mutation_rules/v3/mutation_rules.proto
@ -0,0 +1,81 @@
+syntax = "proto3";
+
+package envoy.config.common.mutation_rules.v3;
+
+import "envoy/type/matcher/v3/regex.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.config.common.mutation_rules.v3";
+option java_outer_classname = "MutationRulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/common/mutation_rules/v3;mutation_rulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// The HeaderMutationRules structure specifies what headers may be
+// manipulated by a processing filter. This set of rules makes it
+// possible to control which modifications a filter may make.
+//
+// By default, an external processing server may add, modify, or remove
+// any header except for an "Envoy internal" header (which is typically
+// denoted by an x-envoy prefix) or specific headers that may affect
+// further filter processing:
+//
+// * host
+// * :authority
+// * :scheme
+// * :method
+//
+// Every attempt to add, change, append, or remove a header will be
+// tested against the rules here. Disallowed header mutations will be
+// ignored unless *disallow_is_error* is set to true.
+//
+// In addition, a counter will be incremented whenever a mutation is
+// rejected. In the ext_proc filter, that counter is named
+// "rejected_header_mutations".
+// [#next-free-field: 8]
+// [#not-implemented-hide:]
+message HeaderMutationRules {
+  // By default, certain headers that could affect processing of subsequent
+  // filters or request routing cannot be modified. These headers are
+  // "host", ":authority", ":scheme", and ":method". Setting this parameter
+  // to true allows these headers to be modified as well.
+  google.protobuf.BoolValue allow_all_routing = 1;
+
+  // If true, allow modification of envoy internal headers. By default, these
+  // start with "x-envoy" but this may be overridden in the *Bootstrap*
+  // configuration using the
+  // :ref:`header_prefix <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.header_prefix>`
+  // field. Default is false.
+  google.protobuf.BoolValue allow_envoy = 2;
+
+  // If true, prevent modification of any system header, defined as a header
+  // that starts with a ":" character, regardless of any other settings.
+  // A processing server may still override the ":status" of an HTTP response
+  // using an *ImmediateResponse* message. Default is false.
+  google.protobuf.BoolValue disallow_system = 3;
+
+  // If true, prevent modifications of all header values, regardless of any
+  // other settings. A processing server may still override the ":status"
+  // of an HTTP response using an *ImmediateResponse* message. Default is false.
+  google.protobuf.BoolValue disallow_all = 4;
+
+  // If set, specifically allow any header that matches this regular
+  // expression. This overrides all other settings except for
+  // *disallow_expression*.
+  type.matcher.v3.RegexMatcher allow_expression = 5;
+
+  // If set, specifically disallow any header that matches this regular
+  // expression regardless of any other settings.
+  type.matcher.v3.RegexMatcher disallow_expression = 6;
+
+  // If true, and if the rules in this list cause a header mutation to be
+  // disallowed, then the filter using this configuration will terminate the
+  // request with a 500 error. In addition, regardless of the setting of this
+  // parameter, any attempt to set, add, or modify a disallowed header will
+  // cause the "rejected_header_mutations" counter to be incremented.
+  // Default is false.
+  google.protobuf.BoolValue disallow_is_error = 7;
+}
--- a/versioning/BUILD
+++ b/versioning/BUILD
@ -26,6 +26,7 @@ proto_library(
        "//envoy/config/cluster/v3:pkg",
        "//envoy/config/common/key_value/v3:pkg",
        "//envoy/config/common/matcher/v3:pkg",
+        "//envoy/config/common/mutation_rules/v3:pkg",
        "//envoy/config/core/v3:pkg",
        "//envoy/config/endpoint/v3:pkg",
        "//envoy/config/filter/thrift/router/v2alpha1:pkg",