Add contrib filter for validating sha256 checksums (#29438)
* Add contrib filter for validating sha256 checksums Signed-off-by: Raven Black <ravenblack@dropbox.com> * Undo autoformat screwup Signed-off-by: Raven Black <ravenblack@dropbox.com> * Remove debug prints Signed-off-by: Raven Black <ravenblack@dropbox.com> * fix factory registration/visibility Signed-off-by: Ryan Northey <ryan@synca.io> * docs: For Checksum filter Signed-off-by: Ryan Northey <ryan@synca.io> * Tidy Signed-off-by: Raven Black <ravenblack@dropbox.com> * CODEOWNERS Signed-off-by: Raven Black <ravenblack@dropbox.com> * Undo autoformat changes Signed-off-by: Raven Black <ravenblack@dropbox.com> * Comments Signed-off-by: Raven Black <ravenblack@dropbox.com> * Comment clarity Signed-off-by: Raven Black <ravenblack@dropbox.com> * Matchers into a oneof Signed-off-by: Raven Black <ravenblack@dropbox.com> --------- Signed-off-by: Raven Black <ravenblack@dropbox.com> Signed-off-by: Ryan Northey <ryan@synca.io> Co-authored-by: Ryan Northey <ryan@synca.io> Mirrored from https://github.com/envoyproxy/envoy @ 13709279873ccbcace21fc9f534337fad4e5e9c0main
parent
da2728a9c1
commit
f7fca8ca0c
4 changed files with 63 additions and 0 deletions
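--- /dev/null
+++ b/PATH_NOT_ON_PAGE/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+deps = [
+"//envoy/type/matcher/v3:pkg",
+"@com_github_cncf_udpa//udpa/annotations:pkg",
+"@com_github_cncf_udpa//xds/annotations/v3:pkg",
+],
+)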
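--- /dev/null
+++ b/PATH_NOT_ON_PAGE/checksum-filter.proto
@@ -0,0 +1,48 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.checksum.v3alpha;
+
+import "envoy/type/matcher/v3/string.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.checksum.v3alpha";
+option java_outer_classname = "ChecksumProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/checksum/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Checksum HTTP filter]
+//
+// Filter to reject responses that don't match a specified checksum.
+// To avoid holding the entire response in memory, the rejection occurs at the end of the stream.
+// [#extension: envoy.filters.http.checksum]
+
+message ChecksumConfig {
+message Checksum {
+oneof matcher {
+// A matcher for a path that is expected to have a specific checksum, as specified
+// in the ``sha256`` field.
+type.matcher.v3.StringMatcher path_matcher = 1 [(validate.rules).message = {required: true}];
+}
+
+// A hex-encoded sha256 string required to match the sha256sum of the response body
+// of the path specified in the ``path_matcher`` field.
+string sha256 = 2 [(validate.rules).string = {pattern: "^[a-fA-F0-9]{64}"}];
+}
+
+// A set of matcher and checksum pairs for which, if a path matching ``path_matcher``
+// is requested and the checksum of the response body does not match the ``sha256``, the
+// response will be replaced with a 403 Forbidden status.
+//
+// If multiple matchers match the same path, the first to match takes precedence.
+repeated Checksum checksums = 1;
+
+// If a request doesn't match any of the specified checksum paths and reject_unmatched is
+// true, the request is rejected immediately with 403 Forbidden.
+bool reject_unmatched = 2;
+}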
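Review bot: The validation pattern on `sha256` is anchored only at the start, so a configured value with anything appended after the 64 hex digits still passes config validation even though it presumably can never equal a computed digest; anchor both ends: `string sha256 = 2 [(validate.rules).string = {pattern: "^[a-fA-F0-9]{64}$"}];`. The comment on `checksums` says the response "will be replaced with a 403 Forbidden status", while the file header says rejection is deferred to end of stream to avoid buffering; if body bytes are streamed through, the client may already hold headers and data by then, so the comment should state what a client actually observes on a mismatch (a reset or truncated stream rather than a clean 403, if that is the implementation — confirm against the filter). The nested `Checksum` message itself has no leading comment, so protodoc will render it undocumented; a one-liner such as `// A path matcher paired with the sha256 digest its response body must have.` would fill that gap.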