From f7fca8ca0cd1d1b6ce373438fe5088e3fd60e0d8 Mon Sep 17 00:00:00 2001
From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com>
Date: Thu, 14 Sep 2023 14:46:54 +0000
Subject: [PATCH] Add contrib filter for validating sha256 checksums (#29438)
* Add contrib filter for validating sha256 checksums
Signed-off-by: Raven Black
* Undo autoformat screwup
Signed-off-by: Raven Black
* Remove debug prints
Signed-off-by: Raven Black
* fix factory registration/visibility
Signed-off-by: Ryan Northey
* docs: For Checksum filter
Signed-off-by: Ryan Northey
* Tidy
Signed-off-by: Raven Black
* CODEOWNERS
Signed-off-by: Raven Black
* Undo autoformat changes
Signed-off-by: Raven Black
* Comments
Signed-off-by: Raven Black
* Comment clarity
Signed-off-by: Raven Black
* Matchers into a oneof
Signed-off-by: Raven Black
---------
Signed-off-by: Raven Black
Signed-off-by: Ryan Northey
Co-authored-by: Ryan Northey
Mirrored from https://github.com/envoyproxy/envoy @ 13709279873ccbcace21fc9f534337fad4e5e9c0
---
BUILD | 1 +
.../filters/http/checksum/v3alpha/BUILD | 13 +++++
.../http/checksum/v3alpha/checksum.proto | 48 +++++++++++++++++++
versioning/BUILD | 1 +
4 files changed, 63 insertions(+)
create mode 100644 contrib/envoy/extensions/filters/http/checksum/v3alpha/BUILD
create mode 100644 contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto
diff --git a/BUILD b/BUILD
index 3ebfa5f8..37d46fa3 100644
--- a/BUILD
+++ b/BUILD
@@ -72,6 +72,7 @@ proto_library(
 name = "v3_protos",
 visibility = ["//visibility:public"],
 deps = [
+ "//contrib/envoy/extensions/filters/http/checksum/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/http/dynamo/v3:pkg",
 "//contrib/envoy/extensions/filters/http/golang/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/http/language/v3alpha:pkg",
diff --git a/contrib/envoy/extensions/filters/http/checksum/v3alpha/BUILD b/contrib/envoy/extensions/filters/http/checksum/v3alpha/BUILD
new file mode 100644
index 00000000..08121924
--- /dev/null
+++ b/contrib/envoy/extensions/filters/http/checksum/v3alpha/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/type/matcher/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+ ],
+)
diff --git a/contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto b/contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto
new file mode 100644
index 00000000..ba4c2fe7
--- /dev/null
+++ b/contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto
@@ -0,0 +1,48 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.checksum.v3alpha;
+
+import "envoy/type/matcher/v3/string.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.checksum.v3alpha";
+option java_outer_classname = "ChecksumProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/checksum/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Checksum HTTP filter]
+//
+// Filter to reject responses that don't match a specified checksum.
+// To avoid holding the entire response in memory, the rejection occurs at the end of the stream.
+// [#extension: envoy.filters.http.checksum]
+
+message ChecksumConfig {
+ message Checksum {
+ oneof matcher {
+ // A matcher for a path that is expected to have a specific checksum, as specified
+ // in the ``sha256`` field.
+ type.matcher.v3.StringMatcher path_matcher = 1 [(validate.rules).message = {required: true}];
+ }
+
+ // A hex-encoded sha256 string required to match the sha256sum of the response body
+ // of the path specified in the ``path_matcher`` field.
+ string sha256 = 2 [(validate.rules).string = {pattern: "^[a-fA-F0-9]{64}"}];
+ }
+
+ // A set of matcher and checksum pairs for which, if a path matching ``path_matcher``
+ // is requested and the checksum of the response body does not match the ``sha256``, the
+ // response will be replaced with a 403 Forbidden status.
+ //
+ // If multiple matchers match the same path, the first to match takes precedence.
+ repeated Checksum checksums = 1;
+
+ // If a request doesn't match any of the specified checksum paths and reject_unmatched is
+ // true, the request is rejected immediately with 403 Forbidden.
+ bool reject_unmatched = 2;
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index 72e6de52..9b4dc169 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -10,6 +10,7 @@ proto_library(
 visibility = ["//visibility:public"],
 deps = [
 "//contrib/envoy/extensions/config/v3alpha:pkg",
+ "//contrib/envoy/extensions/filters/http/checksum/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/http/dynamo/v3:pkg",
 "//contrib/envoy/extensions/filters/http/golang/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/http/language/v3alpha:pkg",
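Review bot: The validation rule on `sha256` in the checksum.proto hunk is anchored only at the start, so a value of 64 hex characters followed by trailing characters passes config validation even though it can never equal a real digest and would presumably make every response for that path fail the check; anchor both ends with `string sha256 = 2 [(validate.rules).string = {pattern: "^[a-fA-F0-9]{64}$"}];`. The field comment should also state whether the comparison against the computed digest is case-insensitive, since the pattern admits both cases but the runtime comparison is not visible in this diff. The single-member `oneof matcher` with a `required` rule on `path_matcher` reads as if the oneof itself were optional; if exactly one matcher must always be set, `option (validate.required) = true;` inside the oneof expresses that directly and keeps holding as further matcher kinds are added.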