http filter: add CSRF filter (#6470)

Signed-off-by: Derek Schaller <dschaller@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ eaaa918be9f1eff5768a65e28dbbd509c7652cc3
6 years ago · da8a43117d
parent 9c735715f5
commit da8a43117d
4 changed files with 54 additions and 0 deletions
--- a/docs/BUILD
+++ b/docs/BUILD
@ -37,6 +37,7 @@ proto_library(
        "//envoy/config/filter/accesslog/v2:accesslog",
        "//envoy/config/filter/dubbo/router/v2alpha1:router",
        "//envoy/config/filter/http/buffer/v2:buffer",
+        "//envoy/config/filter/http/csrf/v2:csrf",
        "//envoy/config/filter/http/ext_authz/v2:ext_authz",
        "//envoy/config/filter/http/fault/v2:fault",
        "//envoy/config/filter/http/gzip/v2:gzip",
--- a/envoy/config/filter/http/csrf/v2/BUILD
+++ b/envoy/config/filter/http/csrf/v2/BUILD
@ -0,0 +1,9 @@
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_library_internal")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library_internal(
+    name = "csrf",
+    srcs = ["csrf.proto"],
+    deps = ["//envoy/api/v2/core:base"],
+)
--- a/envoy/config/filter/http/csrf/v2/csrf.proto
+++ b/envoy/config/filter/http/csrf/v2/csrf.proto
@ -0,0 +1,43 @@
+syntax = "proto3";
+
+package envoy.config.filter.http.csrf.v2;
+
+option java_outer_classname = "CsrfPolicyProto";
+option java_multiple_files = true;
+option java_package = "io.envoyproxy.envoy.config.filter.http.csrf.v2";
+option go_package = "v2";
+
+import "envoy/api/v2/core/base.proto";
+
+import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+// [#protodoc-title: CSRF]
+// Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+
+// CSRF filter config.
+message CsrfPolicy {
+  // Specify if CSRF is enabled.
+  //
+  // More information on how this can be controlled via runtime can be found
+  // :ref:`here <csrf-runtime>`.
+  //
+  // .. note::
+  //
+  //   This field defaults to 100/:ref:`HUNDRED
+  //   <envoy_api_enum_type.FractionalPercent.DenominatorType>`.
+  envoy.api.v2.core.RuntimeFractionalPercent filter_enabled = 1
+      [(validate.rules).message.required = true];
+
+  // Specifies that CSRF policies will be evaluated and tracked, but not enforced.
+  // This is intended to be used when filter_enabled is off.
+  //
+  // More information on how this can be controlled via runtime can be found
+  // :ref:`here <csrf-runtime>`.
+  //
+  // .. note::
+  //
+  //   This field defaults to 100/:ref:`HUNDRED
+  //   <envoy_api_enum_type.FractionalPercent.DenominatorType>`.
+  envoy.api.v2.core.RuntimeFractionalPercent shadow_enabled = 2;
+}
--- a/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
+++ b/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@ -428,6 +428,7 @@ message HttpFilter {
  // * :ref:`envoy.cors <config_http_filters_cors>`
  // * :ref:`envoy.ext_authz <config_http_filters_ext_authz>`
  // * :ref:`envoy.fault <config_http_filters_fault_injection>`
+  // * :ref:`envoy.filters.http.csrf <config_http_filters_csrf>`
  // * :ref:`envoy.filters.http.header_to_metadata <config_http_filters_header_to_metadata>`
  // * :ref:`envoy.filters.http.grpc_http1_reverse_bridge \
  //   <config_http_filters_grpc_http1_reverse_bridge>`