Add contrib filter for validating sha256 checksums (#29438)
* Add contrib filter for validating sha256 checksums Signed-off-by: Raven Black <ravenblack@dropbox.com> * Undo autoformat screwup Signed-off-by: Raven Black <ravenblack@dropbox.com> * Remove debug prints Signed-off-by: Raven Black <ravenblack@dropbox.com> * fix factory registration/visibility Signed-off-by: Ryan Northey <ryan@synca.io> * docs: For Checksum filter Signed-off-by: Ryan Northey <ryan@synca.io> * Tidy Signed-off-by: Raven Black <ravenblack@dropbox.com> * CODEOWNERS Signed-off-by: Raven Black <ravenblack@dropbox.com> * Undo autoformat changes Signed-off-by: Raven Black <ravenblack@dropbox.com> * Comments Signed-off-by: Raven Black <ravenblack@dropbox.com> * Comment clarity Signed-off-by: Raven Black <ravenblack@dropbox.com> * Matchers into a oneof Signed-off-by: Raven Black <ravenblack@dropbox.com> --------- Signed-off-by: Raven Black <ravenblack@dropbox.com> Signed-off-by: Ryan Northey <ryan@synca.io> Co-authored-by: Ryan Northey <ryan@synca.io> Mirrored from https://github.com/envoyproxy/envoy @ 13709279873ccbcace21fc9f534337fad4e5e9c0main
parent
da2728a9c1
commit
f7fca8ca0c
4 changed files with 63 additions and 0 deletions
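--- a/envoy/extensions/filters/http/checksum/v3alpha/BUILD
+++ b/envoy/extensions/filters/http/checksum/v3alpha/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+deps = [
+"//envoy/type/matcher/v3:pkg",
+"@com_github_cncf_udpa//udpa/annotations:pkg",
+"@com_github_cncf_udpa//xds/annotations/v3:pkg",
+],
+)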
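--- a/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto
+++ b/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto
@@ -0,0 +1,48 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.checksum.v3alpha;
+
+import "envoy/type/matcher/v3/string.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.checksum.v3alpha";
+option java_outer_classname = "ChecksumProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/checksum/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Checksum HTTP filter]
+//
+// Filter to reject responses that don't match a specified checksum.
+// To avoid holding the entire response in memory, the rejection occurs at the end of the stream.
+// [#extension: envoy.filters.http.checksum]
+
+message ChecksumConfig {
+message Checksum {
+oneof matcher {
+// A matcher for a path that is expected to have a specific checksum, as specified
+// in the ``sha256`` field.
+type.matcher.v3.StringMatcher path_matcher = 1 [(validate.rules).message = {required: true}];
+}
+
+// A hex-encoded sha256 string required to match the sha256sum of the response body
+// of the path specified in the ``path_matcher`` field.
+string sha256 = 2 [(validate.rules).string = {pattern: "^[a-fA-F0-9]{64}"}];
+}
+
+// A set of matcher and checksum pairs for which, if a path matching ``path_matcher``
+// is requested and the checksum of the response body does not match the ``sha256``, the
+// response will be replaced with a 403 Forbidden status.
+//
+// If multiple matchers match the same path, the first to match takes precedence.
+repeated Checksum checksums = 1;
+
+// If a request doesn't match any of the specified checksum paths and reject_unmatched is
+// true, the request is rejected immediately with 403 Forbidden.
+bool reject_unmatched = 2;
+}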
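Review bot: The validation pattern on the `string sha256 = 2` line is anchored only at the start, so a configured value with a valid 64-hex-digit prefix followed by arbitrary trailing characters passes PGV validation; it should be `pattern: "^[a-fA-F0-9]{64}$"` so a malformed digest is rejected at config load instead of either never matching or, depending on how the filter compares (outside this file), matching on a prefix. The `required: true` rule on `path_matcher` is placed on a member of `oneof matcher`, and as far as I know PGV only evaluates a member's rules when that member is the selected case, so a `Checksum` entry with no matcher set would not be caught; the form that enforces presence is `oneof matcher { option (validate.required) = true; ... }`, worth confirming against the generated validator. The header comment says the rejection occurs at the end of the stream while the `checksums` doc says the response "will be replaced with a 403 Forbidden status", which cannot both hold if headers and body bytes have already been forwarded, so the docs should state whether the response is held until the verdict or whether a client may receive part of a non-matching body before the stream is reset — I cannot tell which from the proto alone. Since `reject_unmatched` defaults to false, unlisted paths are forwarded unverified; a one-line note such as `// Defaults to false: paths not covered by ``checksums`` are forwarded without verification.` would make the fail-open default visible to operators.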