From bd73f3c4da0efffb2593d7c9ecf87788856dc052 Mon Sep 17 00:00:00 2001
From: Nupur Garg <37600866+gargnupur@users.noreply.github.com>
Date: Mon, 2 Nov 2020 19:39:22 -0800
Subject: [PATCH] Add Connection_Termination_Details as a CEL property (#13821)
Commit Message: Add Connection_Termination_Details as a CEL property
Additional Description:
Risk Level: low
Testing: unit tests
Docs Changes: yes
Release Notes: yes
Signed-off-by: gargnupur
---
 docs/root/intro/arch_overview/security/rbac_filter.rst | 1 +
 docs/root/version_history/current.rst | 1 +
 source/extensions/filters/common/expr/context.cc | 5 +++++
 source/extensions/filters/common/expr/context.h | 1 +
 test/extensions/filters/common/expr/context_test.cc | 10 ++++++++++
 5 files changed, 18 insertions(+)
diff --git a/docs/root/intro/arch_overview/security/rbac_filter.rst b/docs/root/intro/arch_overview/security/rbac_filter.rst
index b12d568a25ad..b8c1190234b0 100644
--- a/docs/root/intro/arch_overview/security/rbac_filter.rst
+++ b/docs/root/intro/arch_overview/security/rbac_filter.rst
@@ -102,6 +102,7 @@ The following attributes are exposed to the language runtime:
 connection.uri_san_local_certificate, string, The first URI entry in the SAN field of the local certificate in the downstream TLS connection
 connection.uri_san_peer_certificate, string, The first URI entry in the SAN field of the peer certificate in the downstream TLS connection
 connection.id, uint, Downstream connection ID
+ connection.termination_details, string, The termination details of the connection
 upstream.address, string, Upstream connection remote address
 upstream.port, int, Upstream connection remote port
 upstream.tls_version, string, TLS version of the upstream TLS connection
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index f93681ce5c29..43c4ce2f72b5 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -11,6 +11,7 @@ Minor Behavior Changes
 * build: the Alpine based debug images are no longer built in CI, use Ubuntu based images instead.
 * cluster manager: the cluster which can't extract secret entity by SDS to be warming and never activate. This feature is disabled by default and is controlled by runtime guard `envoy.reloadable_features.cluster_keep_warming_no_secret_entity`.
+* expr filter: added `connection.termination_details` property support.
 * ext_authz filter: disable `envoy.reloadable_features.ext_authz_measure_timeout_on_check_created` by default.
 * ext_authz filter: the deprecated field :ref:`use_alpha ` is no longer supported and cannot be set anymore.
 * grpc_web filter: if a `grpc-accept-encoding` header is present it's passed as-is to the upstream and if it isn't `grpc-accept-encoding:identity` is sent instead. The header was always overwriten with `grpc-accept-encoding:identity,deflate,gzip` before.
diff --git a/source/extensions/filters/common/expr/context.cc b/source/extensions/filters/common/expr/context.cc
index 9313a550695e..a0298a5095b4 100644
--- a/source/extensions/filters/common/expr/context.cc
+++ b/source/extensions/filters/common/expr/context.cc
@@ -190,6 +190,11 @@ absl::optional ConnectionWrapper::operator[](CelValue key) const {
 return CelValue::CreateUint64(id.value());
 }
 return {};
+ } else if (value == ConnectionTerminationDetails) {
+ if (info_.connectionTerminationDetails().has_value()) {
+ return CelValue::CreateString(&info_.connectionTerminationDetails().value());
+ }
+ return {};
 }
 auto ssl_info = info_.downstreamSslConnection();
diff --git a/source/extensions/filters/common/expr/context.h b/source/extensions/filters/common/expr/context.h
index fd4b386a9a32..2faf80b0fd8f 100644
--- a/source/extensions/filters/common/expr/context.h
+++ b/source/extensions/filters/common/expr/context.h
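Review bot: In the new `ConnectionTerminationDetails` branch, `info_.connectionTerminationDetails()` is invoked twice and the address of the second call's `value()` is handed to `CelValue::CreateString`, which takes a pointer rather than a copy, so the returned CelValue presumably stays valid only as long as that optional does. Bind the accessor once so the reliance is explicit and the second virtual call goes away: `const auto& details = info_.connectionTerminationDetails();` / `if (details.has_value()) {` / `return CelValue::CreateString(&details.value());`. The test's use of `ReturnRef` for this accessor suggests it returns a reference, which the pointer depends on; if it ever returned by value, `&...value()` would point at a temporary. `ConnectionWrapper::operator[]` begins and ends outside the hunk.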
@@ -54,6 +54,7 @@ constexpr absl::string_view Connection = "connection";
 constexpr absl::string_view MTLS = "mtls";
 constexpr absl::string_view RequestedServerName = "requested_server_name";
 constexpr absl::string_view TLSVersion = "tls_version";
+constexpr absl::string_view ConnectionTerminationDetails = "termination_details";
 constexpr absl::string_view SubjectLocalCertificate = "subject_local_certificate";
 constexpr absl::string_view SubjectPeerCertificate = "subject_peer_certificate";
 constexpr absl::string_view URISanLocalCertificate = "uri_san_local_certificate";
diff --git a/test/extensions/filters/common/expr/context_test.cc b/test/extensions/filters/common/expr/context_test.cc
index 88f4c980d62d..208d5817c853 100644
--- a/test/extensions/filters/common/expr/context_test.cc
+++ b/test/extensions/filters/common/expr/context_test.cc
@@ -448,6 +448,9 @@ TEST(Context, ConnectionAttributes) {
 EXPECT_CALL(info, upstreamTransportFailureReason()) .WillRepeatedly(ReturnRef(upstream_transport_failure_reason));
 EXPECT_CALL(info, connectionID()).WillRepeatedly(Return(123));
+ const absl::optional connection_termination_details = "unauthorized";
+ EXPECT_CALL(info, connectionTerminationDetails())
+ .WillRepeatedly(ReturnRef(connection_termination_details));
 EXPECT_CALL(*downstream_ssl_info, peerCertificatePresented()).WillRepeatedly(Return(true));
 EXPECT_CALL(*upstream_host, address()).WillRepeatedly(Return(upstream_address));
@@ -611,6 +614,13 @@ TEST(Context, ConnectionAttributes) {
 EXPECT_EQ(123, value.value().Uint64OrDie());
 }
+ { auto value = connection[CelValue::CreateStringView(ConnectionTerminationDetails)];
+ EXPECT_TRUE(value.has_value());
+ ASSERT_TRUE(value.value().IsString());
+ EXPECT_EQ(connection_termination_details.value(), value.value().StringOrDie().value());
+ }
+
 { auto value = upstream[CelValue::CreateStringView(TLSVersion)];
 EXPECT_TRUE(value.has_value());
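Review bot: The new assertion block in the second context_test.cc hunk covers only the present-value path; the `return {};` branch that `ConnectionWrapper::operator[]` takes when the connection has no termination details is left untested. Add a case where `connectionTerminationDetails()` yields an empty optional and assert `EXPECT_FALSE(value.has_value());` on `connection[CelValue::CreateStringView(ConnectionTerminationDetails)]`, so a regression that dereferences the empty optional is caught. Because the mock in the earlier hunk is set up with `WillRepeatedly`, the empty case needs its own expectation or a separate test body rather than reusing `connection_termination_details`. `TEST(Context, ConnectionAttributes)` begins and ends outside the hunk.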