wasm: capability restriction #13911
wasm: capability restriction #13911
Conversation
ryanapilado
force-pushed
the
capability-restriction-tests
branch
2 times, most recently
from
b6baa97 to
adc6b26
Compare
|
Thanks for the additional tests. What is missing before this PR is ready for review? |
ryanapilado
force-pushed
the
capability-restriction-tests
branch
from
adc6b26 to
03d1ffb
Compare
ryanapilado
changed the title
ryanapilado
changed the title
Signed-off-by: Ryan Apilado <[email protected]>
ryanapilado
force-pushed
the
capability-restriction-tests
branch
from
03d1ffb to
f468a96
Compare
ryanapilado
changed the title
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
| @@ -18,6 +18,12 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; | |||
| // [#protodoc-title: Wasm] | |||
| // [#extension: envoy.bootstrap.wasm] | |||
|
|
|||
| // Configuration for restricting proxy-wasm capabilities available to modules. | |||
| message CapabilityRestrictionConfig { | |||
| // The list of proxy-wasm capabilities which will be exposed to the module. | |||
There was a problem hiding this comment.
Can you add a reference to where the capabilities are defined?
There was a problem hiding this comment.
Added a reference and updated the docs.
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
|
/retest |
|
Retrying Azure Pipelines: |
| // and so should be left empty. | ||
| // | ||
| // The capability names are given in the | ||
| // `proxy-wasm ABI <https://github.com/proxy-wasm/spec/tree/master/abi-versions/vNEXT>`_. |
There was a problem hiding this comment.
Nit: s/proxy-wasm/Proxy-Wasm/
| @@ -18,6 +18,26 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; | |||
| // [#protodoc-title: Wasm] | |||
| // [#extension: envoy.bootstrap.wasm] | |||
|
|
|||
| // Configuration for restricting proxy-wasm capabilities available to modules. | |||
| message CapabilityRestrictionConfig { | |||
| // The proxy-wasm capabilities which will be allowed. Capabilities are mapped by | |||
There was a problem hiding this comment.
Nit: s/proxy-wasm/Proxy-Wasm/
| map<string, SanitizationConfig> allowed_capabilities = 1; | ||
| } | ||
|
|
||
| // Configuration for sanitization of inputs to an allowed capability. NOTE: This is currently unimplemented. |
There was a problem hiding this comment.
Nit: move NOTE to a new line.
There was a problem hiding this comment.
Misunderstood this, fixed.
| static bool createWasmInternal(const VmConfig& vm_config, const PluginSharedPtr& plugin, | ||
| const Stats::ScopeSharedPtr& scope, | ||
| static bool createWasmInternal(const VmConfig& vm_config, | ||
| const CapabilityRestrictionConfig& cr_config, |
There was a problem hiding this comment.
Nit: s/cr_config/capabilities_config, otherwie variable isn't self-describing.
There was a problem hiding this comment.
Fixed, changed to capabiility_restriction_config for consistency with type name and proto. Can change to capabilities_config if too long.
| WASM_EXPORT(uint32_t, proxy_on_vm_start, (uint32_t context_id, uint32_t configuration_size)) { | ||
| (void)(context_id); | ||
| (void)(configuration_size); | ||
| std::string level_message = "after on_vm_start, before proxy_log"; |
There was a problem hiding this comment.
Nit: s/level_message/log_message/
Also, this message is written as part of proxy_log, not before proxy_log.
| auto context = std::make_unique<TestContext>(wasm.get()); | ||
| EXPECT_TRUE(wasm->initialize(code, false)); | ||
|
|
||
| // on_vm_start will trigger proxy_log, but expect no call because both are restricted |
There was a problem hiding this comment.
Should proxy_on_vm_start callback be even called considering that is not allowed? This is special case, since if we don't call proxy_on_vm_start then there is a high chance that plugin won't work correctly, but other callbacks should be skipped if they are not in the allowed capabilities.
There was a problem hiding this comment.
Yeah, the comment is incorrect, proxy_on_vm_start will never run in this case. Fixed. I also added a different callback to the wasm file (proxy_on_context_create) and adjusted the tests to test for it.
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
Signed-off-by: Ryan Apilado <[email protected]>
|
/retest |
|
Retrying Azure Pipelines: |
|
/retest |
|
Retrying Azure Pipelines: |
Signed-off-by: Ryan Apilado <[email protected]>
|
@envoyproxy/dependency-shepherds PTAL |
|
/lgtm deps |
repokitteh-read-only
bot
removed
the
deps
Signed-off-by: Ryan Apilado [email protected]
For an explanation of how to fill out the fields, please see the relevant section
in PULL_REQUESTS.md
Commit Message: wasm: implement capability restriction
Additional Description: Defines the configuration for capability restriction and propagates the configuration to
proxy-wasm-cpp-host.Risk Level: Medium
Testing: Unit tests (
wasm_test.cc), configuration tests (config_test), and integration tests (wasm_filter_test.cc). Test that capabilities can be restricted selectively and are unrestricted by default.Docs Changes: Add documentation for the new
messagescreated inwasm.proto.Release notes: N/A