Add Connection_Termination_Details as a CEL property (#13821)
Commit Message: Add Connection_Termination_Details as a CEL property
Additional Description:
Risk Level: low
Testing: unit tests
Docs Changes: yes
Release Notes: yes

Signed-off-by: gargnupur <gargnupur@google.com>
gargnupur authored Nov 3, 2020
1 parent fe74d85 commit bd73f3c
Showing 5 changed files with 18 additions and 0 deletions.
1 change: 1 addition & 0 deletions docs/root/intro/arch_overview/security/rbac_filter.rst
@@ -102,6 +102,7 @@ The following attributes are exposed to the language runtime:
connection.uri_san_local_certificate, string, The first URI entry in the SAN field of the local certificate in the downstream TLS connection
connection.uri_san_peer_certificate, string, The first URI entry in the SAN field of the peer certificate in the downstream TLS connection
connection.id, uint, Downstream connection ID
connection.termination_details, string, The termination details of the connection
upstream.address, string, Upstream connection remote address
upstream.port, int, Upstream connection remote port
upstream.tls_version, string, TLS version of the upstream TLS connection
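Review bot: the new row's description, "The termination details of the connection", says neither which connection it refers to nor that the attribute is absent when no details were recorded (the `ConnectionWrapper` change in context.cc returns an empty value in that case), and both matter to someone writing a CEL policy against it. Suggest matching the "Downstream ..." phrasing of the neighbouring rows, e.g. `connection.termination_details, string, Termination details of the downstream connection; absent if none were recorded`.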
1 change: 1 addition & 0 deletions docs/root/version_history/current.rst
@@ -11,6 +11,7 @@ Minor Behavior Changes

* build: the Alpine based debug images are no longer built in CI, use Ubuntu based images instead.
* cluster manager: the cluster which can't extract secret entity by SDS to be warming and never activate. This feature is disabled by default and is controlled by runtime guard `envoy.reloadable_features.cluster_keep_warming_no_secret_entity`.
* expr filter: added `connection.termination_details` property support.
* ext_authz filter: disable `envoy.reloadable_features.ext_authz_measure_timeout_on_check_created` by default.
* ext_authz filter: the deprecated field :ref:`use_alpha <envoy_api_field_config.filter.http.ext_authz.v2.ExtAuthz.use_alpha>` is no longer supported and cannot be set anymore.
* grpc_web filter: if a `grpc-accept-encoding` header is present it's passed as-is to the upstream and if it isn't `grpc-accept-encoding:identity` is sent instead. The header was always overwriten with `grpc-accept-encoding:identity,deflate,gzip` before.
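Review bot: the new release note says only that a property was "added" and, unlike the ext_authz entry two lines below, gives no `:ref:` to where it is documented. Since the same commit adds the row to the attribute table in rbac_filter.rst, link to it and say what the string holds, along the lines of `* expr filter: added the \`connection.termination_details\` property, exposing the downstream connection's termination details to CEL expressions (see the RBAC filter attribute table).`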
5 changes: 5 additions & 0 deletions source/extensions/filters/common/expr/context.cc
@@ -190,6 +190,11 @@ absl::optional<CelValue> ConnectionWrapper::operator[](CelValue key) const {
return CelValue::CreateUint64(id.value());
}
return {};
} else if (value == ConnectionTerminationDetails) {
if (info_.connectionTerminationDetails().has_value()) {
return CelValue::CreateString(&info_.connectionTerminationDetails().value());
}
return {};
}

auto ssl_info = info_.downstreamSslConnection();
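Review bot: `CelValue::CreateString(&info_.connectionTerminationDetails().value())` stores a pointer to the string rather than copying it, so this branch is only safe if `connectionTerminationDetails()` returns a reference to storage owned by `info_` that outlives the returned `CelValue`; the test's use of `ReturnRef` suggests that is the contract, but nothing here states it. The accessor is also called twice. Bind it once, which both avoids the double call and documents the lifetime assumption: `const auto& details = info_.connectionTerminationDetails(); if (details.has_value()) { return CelValue::CreateString(&details.value()); }`.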
1 change: 1 addition & 0 deletions source/extensions/filters/common/expr/context.h
@@ -54,6 +54,7 @@ constexpr absl::string_view Connection = "connection";
constexpr absl::string_view MTLS = "mtls";
constexpr absl::string_view RequestedServerName = "requested_server_name";
constexpr absl::string_view TLSVersion = "tls_version";
constexpr absl::string_view ConnectionTerminationDetails = "termination_details";
constexpr absl::string_view SubjectLocalCertificate = "subject_local_certificate";
constexpr absl::string_view SubjectPeerCertificate = "subject_peer_certificate";
constexpr absl::string_view URISanLocalCertificate = "uri_san_local_certificate";
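Review bot: the new constant breaks two conventions visible in this block. The other identifiers mirror their string values (`TLSVersion` is `"tls_version"`, `MTLS` is `"mtls"`), whereas `ConnectionTerminationDetails` is `"termination_details"`; and it is inserted between `TLSVersion` and `SubjectLocalCertificate`, splitting the run of TLS and certificate attributes. Either rename it to `TerminationDetails` or move it up next to the non-certificate connection attributes, preferably both.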
10 changes: 10 additions & 0 deletions test/extensions/filters/common/expr/context_test.cc
@@ -448,6 +448,9 @@ TEST(Context, ConnectionAttributes) {
EXPECT_CALL(info, upstreamTransportFailureReason())
.WillRepeatedly(ReturnRef(upstream_transport_failure_reason));
EXPECT_CALL(info, connectionID()).WillRepeatedly(Return(123));
const absl::optional<std::string> connection_termination_details = "unauthorized";
EXPECT_CALL(info, connectionTerminationDetails())
.WillRepeatedly(ReturnRef(connection_termination_details));

EXPECT_CALL(*downstream_ssl_info, peerCertificatePresented()).WillRepeatedly(Return(true));
EXPECT_CALL(*upstream_host, address()).WillRepeatedly(Return(upstream_address));
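Review bot: the mock always returns a populated optional (`"unauthorized"`), so the `return {};` branch that context.cc takes when `connectionTerminationDetails()` is empty is never exercised. Add a second expectation, or a separate test, in which the optional is empty and assert that `connection[CelValue::CreateStringView(ConnectionTerminationDetails)]` has no value.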
@@ -611,6 +614,13 @@ TEST(Context, ConnectionAttributes) {
EXPECT_EQ(123, value.value().Uint64OrDie());
}

{
auto value = connection[CelValue::CreateStringView(ConnectionTerminationDetails)];
EXPECT_TRUE(value.has_value());
ASSERT_TRUE(value.value().IsString());
EXPECT_EQ(connection_termination_details.value(), value.value().StringOrDie().value());
}

{
auto value = upstream[CelValue::CreateStringView(TLSVersion)];
EXPECT_TRUE(value.has_value());
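Review bot: in the new block, `EXPECT_TRUE(value.has_value());` is followed directly by `ASSERT_TRUE(value.value().IsString());`, so if the lookup ever returns empty the test records the failure and then calls `value()` on an empty optional instead of stopping cleanly. Use `ASSERT_TRUE(value.has_value());` for the first check; the neighbouring blocks follow the same pattern, but new assertions need not repeat it.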
