Add contrib filter for validating sha256 checksums (#29438)

* Add contrib filter for validating sha256 checksums

Signed-off-by: Raven Black <ravenblack@dropbox.com>

* Undo autoformat screwup

Signed-off-by: Raven Black <ravenblack@dropbox.com>

* Remove debug prints

Signed-off-by: Raven Black <ravenblack@dropbox.com>

* fix factory registration/visibility

Signed-off-by: Ryan Northey <ryan@synca.io>

* docs: For Checksum filter

Signed-off-by: Ryan Northey <ryan@synca.io>

* Tidy

Signed-off-by: Raven Black <ravenblack@dropbox.com>

* CODEOWNERS

Signed-off-by: Raven Black <ravenblack@dropbox.com>

* Undo autoformat changes

Signed-off-by: Raven Black <ravenblack@dropbox.com>

* Comments

Signed-off-by: Raven Black <ravenblack@dropbox.com>

* Comment clarity

Signed-off-by: Raven Black <ravenblack@dropbox.com>

* Matchers into a oneof

Signed-off-by: Raven Black <ravenblack@dropbox.com>

---------

Signed-off-by: Raven Black <ravenblack@dropbox.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
Co-authored-by: Ryan Northey <ryan@synca.io>

Mirrored from https://github.com/envoyproxy/envoy @ 13709279873ccbcace21fc9f534337fad4e5e9c0
main
update-envoy[bot] 1 year ago
parent da2728a9c1
commit f7fca8ca0c
  1. 1
      BUILD
  2. 13
      contrib/envoy/extensions/filters/http/checksum/v3alpha/BUILD
  3. 48
      contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto
  4. 1
      versioning/BUILD

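--- a/BUILD
+++ b/BUILD
@@ -72,6 +72,7 @@ proto_library(
 name = "v3_protos",
 visibility = ["//visibility:public"],
 deps = [
+"//contrib/envoy/extensions/filters/http/checksum/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/http/dynamo/v3:pkg",
 "//contrib/envoy/extensions/filters/http/golang/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/http/language/v3alpha:pkg",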

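--- /dev/null
+++ b/contrib/envoy/extensions/filters/http/checksum/v3alpha/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+licenses(["notice"]) # Apache 2
+api_proto_package(
+deps = [
+"//envoy/type/matcher/v3:pkg",
+"@com_github_cncf_udpa//udpa/annotations:pkg",
+"@com_github_cncf_udpa//xds/annotations/v3:pkg",
+],
+)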

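--- /dev/null
+++ b/contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto
@@ -0,0 +1,48 @@
+syntax = "proto3";
+package envoy.extensions.filters.http.checksum.v3alpha;
+import "envoy/type/matcher/v3/string.proto";
+import "xds/annotations/v3/status.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.checksum.v3alpha";
+option java_outer_classname = "ChecksumProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/checksum/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+// [#protodoc-title: Checksum HTTP filter]
+//
+// Filter to reject responses that don't match a specified checksum.
+// To avoid holding the entire response in memory, the rejection occurs at the end of the stream.
+// [#extension: envoy.filters.http.checksum]
+message ChecksumConfig {
+message Checksum {
+oneof matcher {
+// A matcher for a path that is expected to have a specific checksum, as specified
+// in the ``sha256`` field.
+type.matcher.v3.StringMatcher path_matcher = 1 [(validate.rules).message = {required: true}];
+}
+// A hex-encoded sha256 string required to match the sha256sum of the response body
+// of the path specified in the ``path_matcher`` field.
+string sha256 = 2 [(validate.rules).string = {pattern: "^[a-fA-F0-9]{64}"}];
+}
+// A set of matcher and checksum pairs for which, if a path matching ``path_matcher``
+// is requested and the checksum of the response body does not match the ``sha256``, the
+// response will be replaced with a 403 Forbidden status.
+//
+// If multiple matchers match the same path, the first to match takes precedence.
+repeated Checksum checksums = 1;
+// If a request doesn't match any of the specified checksum paths and reject_unmatched is
+// true, the request is rejected immediately with 403 Forbidden.
+bool reject_unmatched = 2;
+}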
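Review bot: The validation pattern on the `sha256` field is anchored only at the start, so under PGV's partial-match semantics any value that merely begins with 64 hex characters (a digest with trailing characters, for instance) passes config validation and the mistake only surfaces later as a runtime digest mismatch; anchor both ends: `string sha256 = 2 [(validate.rules).string = {pattern: "^[a-fA-F0-9]{64}$"}];`. Separately, the `required: true` rule on `path_matcher` is attached to a oneof member, and as far as I can tell PGV only evaluates a member's rules once that member is the selected case, so a `Checksum` entry with no matcher set still validates; the conventional way to require the oneof itself is `option (validate.required) = true;` as the first line inside `oneof matcher`. The field comment on `sha256` could also say whether the comparison is case-insensitive, since the pattern admits both cases but the text does not say how the configured hex is compared with the computed digest.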

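--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -10,6 +10,7 @@ proto_library(
 visibility = ["//visibility:public"],
 deps = [
 "//contrib/envoy/extensions/config/v3alpha:pkg",
+"//contrib/envoy/extensions/filters/http/checksum/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/http/dynamo/v3:pkg",
 "//contrib/envoy/extensions/filters/http/golang/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/http/language/v3alpha:pkg",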
