Add a new TCP cluster rewrite filter (#2017) (#2018)

This commit adds a new TCP cluster rewrite filter which allows users to
rewrite TCP cluster names obtained via TLS SNI by matching via regex
configuration.

Signed-off-by: Venil Noronha <[email protected]>

WORKSPACE

@@ -30,7 +30,7 @@ bind(
 )
 
 # When updating envoy sha manually please update the sha in istio.deps file also
-ENVOY_SHA = "00c909c8640eab732c2c49c32896702978ff638e"
+ENVOY_SHA = "45a460fabf34698a875060482de96f7f618bdc9f"
 
 http_archive(
     name = "envoy",

include/istio/mixerclient/check_response.h

@@ -17,7 +17,7 @@
 #define ISTIO_MIXERCLIENT_CHECK_RESPONSE_H
 
 #include "google/protobuf/stubs/status.h"
-#include "mixer/v1/check.pb.h"
+#include "mixer/v1/mixer.pb.h"
 
 namespace istio {
 namespace mixerclient {

include/istio/mixerclient/environment.h

@@ -18,7 +18,7 @@
 
 #include "check_response.h"
 #include "google/protobuf/stubs/status.h"
-#include "mixer/v1/service.pb.h"
+#include "mixer/v1/mixer.pb.h"
 #include "timer.h"
 
 namespace istio {

istio.deps

@@ -4,13 +4,13 @@
 		"name": "ISTIO_API",
 		"repoName": "api",
 		"file": "repositories.bzl",
-		"lastStableSHA": "214c7598afb74f7f4dea49f77e45832c49382a15"
+		"lastStableSHA": "6b9e3a501e6ef254958bf82f7b74c37d64a57a15"
 	},
 	{
 		"_comment": "",
 		"name": "ENVOY_SHA",
 		"repoName": "envoyproxy/envoy",
 		"file": "WORKSPACE",
-		"lastStableSHA": "00c909c8640eab732c2c49c32896702978ff638e"
+		"lastStableSHA": "45a460fabf34698a875060482de96f7f618bdc9f"
 	}
 ]

repositories.bzl

@@ -113,7 +113,7 @@ cc_library(
             actual = "@googletest_git//:googletest_prod",
         )
 
-ISTIO_API = "62c345bd6d6e4c2047dd2dee128b7413231be7b4"
+ISTIO_API = "6b9e3a501e6ef254958bf82f7b74c37d64a57a15"
 
 def mixerapi_repositories(bind=True):
     BUILD = """
@@ -192,6 +192,19 @@ cc_proto_library(
     ],
 )
 
+cc_proto_library(
+    name = "tcp_cluster_rewrite_config_cc_proto",
+    srcs = glob(
+        ["envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/*.proto", ],
+    ),
+    default_runtime = "//external:protobuf",
+    protoc = "//external:protoc",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//external:cc_gogoproto",
+    ],
+)
+
 filegroup(
     name = "global_dictionary_file",
     srcs = ["mixer/v1/global_dictionary.yaml"],
@@ -222,6 +235,10 @@ filegroup(
             name = "jwt_auth_config_cc_proto",
             actual = "@mixerapi_git//:jwt_auth_config_cc_proto",
         )
+        native.bind(
+            name = "tcp_cluster_rewrite_config_cc_proto",
+            actual = "@mixerapi_git//:tcp_cluster_rewrite_config_cc_proto",
+        )
 
 load(":protobuf.bzl", "protobuf_repositories")
 load(":cc_gogo_protobuf.bzl", "cc_gogoproto_repositories")

src/envoy/BUILD

@@ -29,6 +29,7 @@ envoy_cc_binary(
         "//src/envoy/http/jwt_auth:http_filter_factory",
         "//src/envoy/http/mixer:filter_lib",
         "//src/envoy/tcp/mixer:filter_lib",
+        "//src/envoy/tcp/tcp_cluster_rewrite:tcp_cluster_rewrite_lib",
         "@envoy//source/exe:envoy_main_entry_lib",
     ],
 )

src/envoy/tcp/tcp_cluster_rewrite/BUILD

@@ -0,0 +1,72 @@
+# Copyright 2018 Istio Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+#
+
+package(default_visibility = ["//visibility:public"])
+
+load(
+    "@envoy//bazel:envoy_build_system.bzl",
+    "envoy_cc_binary",
+    "envoy_cc_library",
+    "envoy_cc_test",
+)
+
+envoy_cc_library(
+    name = "tcp_cluster_rewrite_lib",
+    srcs = ["tcp_cluster_rewrite.cc"],
+    hdrs = ["tcp_cluster_rewrite.h"],
+    repository = "@envoy",
+    deps = [
+        "//external:tcp_cluster_rewrite_config_cc_proto",
+        "@envoy//source/exe:envoy_common_lib",
+    ],
+)
+
+envoy_cc_library(
+    name = "config_lib",
+    srcs = ["config.cc"],
+    hdrs = ["config.h"],
+    repository = "@envoy",
+    deps = [
+        ":tcp_cluster_rewrite_lib",
+        "//src/envoy/utils:utils_lib",
+        "//external:tcp_cluster_rewrite_config_cc_proto",
+        "@envoy//source/exe:envoy_common_lib",
+    ],
+)
+
+envoy_cc_test(
+    name = "tcp_cluster_rewrite_test",
+    srcs = ["tcp_cluster_rewrite_test.cc"],
+    repository = "@envoy",
+    deps = [
+        ":tcp_cluster_rewrite_lib",
+        ":config_lib",
+        "@envoy//test/mocks/network:network_mocks",
+        "@envoy//test/mocks/server:server_mocks",
+        "@envoy//test/mocks/stream_info:stream_info_mocks",
+    ],
+)
+
+envoy_cc_test(
+    name = "config_test",
+    srcs = ["config_test.cc"],
+    repository = "@envoy",
+    deps = [
+        ":config_lib",
+        "@envoy//test/mocks/server:server_mocks",
+    ],
+)

src/envoy/tcp/tcp_cluster_rewrite/config.cc

@@ -0,0 +1,72 @@
+/* Copyright 2018 Istio Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "src/envoy/tcp/tcp_cluster_rewrite/config.h"
+#include "src/envoy/tcp/tcp_cluster_rewrite/tcp_cluster_rewrite.h"
+
+#include "envoy/registry/registry.h"
+#include "envoy/server/filter_config.h"
+#include "src/envoy/utils/config.h"
+
+using namespace ::istio::envoy::config::filter::network::tcp_cluster_rewrite;
+
+namespace Envoy {
+namespace Tcp {
+namespace TcpClusterRewrite {
+
+Network::FilterFactoryCb
+TcpClusterRewriteFilterConfigFactory::createFilterFactory(
+    const Json::Object& config_json, Server::Configuration::FactoryContext&) {
+  v2alpha1::TcpClusterRewrite config_pb;
+  if (!Utils::ReadV2Config(config_json, &config_pb)) {
+    throw EnvoyException("Failed to parse JSON config");
+  }
+  return createFilterFactory(config_pb);
+}
+
+Network::FilterFactoryCb
+TcpClusterRewriteFilterConfigFactory::createFilterFactoryFromProto(
+    const Protobuf::Message& config, Server::Configuration::FactoryContext&) {
+  return createFilterFactory(
+      dynamic_cast<const v2alpha1::TcpClusterRewrite&>(config));
+}
+
+ProtobufTypes::MessagePtr
+TcpClusterRewriteFilterConfigFactory::createEmptyConfigProto() {
+  return ProtobufTypes::MessagePtr{new v2alpha1::TcpClusterRewrite};
+}
+
+Network::FilterFactoryCb
+TcpClusterRewriteFilterConfigFactory::createFilterFactory(
+    const v2alpha1::TcpClusterRewrite& config_pb) {
+  TcpClusterRewriteFilterConfigSharedPtr config(
+      std::make_shared<TcpClusterRewriteFilterConfig>(config_pb));
+  return [config](Network::FilterManager& filter_manager) -> void {
+    filter_manager.addReadFilter(
+        std::make_shared<TcpClusterRewriteFilter>(config));
+  };
+}
+
+/**
+ * Static registration for the TCP cluster rewrite filter. @see RegisterFactory.
+ */
+static Registry::RegisterFactory<
+    TcpClusterRewriteFilterConfigFactory,
+    Server::Configuration::NamedNetworkFilterConfigFactory>
+    registered_;
+
+}  // namespace TcpClusterRewrite
+}  // namespace Tcp
+}  // namespace Envoy

src/envoy/tcp/tcp_cluster_rewrite/config.h

@@ -0,0 +1,56 @@
+/* Copyright 2018 Istio Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include "envoy/config/filter/network/tcp_cluster_rewrite/v2alpha1/config.pb.h"
+
+#include "envoy/network/connection.h"
+#include "envoy/network/filter.h"
+#include "envoy/registry/registry.h"
+#include "envoy/server/filter_config.h"
+
+using namespace ::istio::envoy::config::filter::network::tcp_cluster_rewrite;
+
+namespace Envoy {
+namespace Tcp {
+namespace TcpClusterRewrite {
+
+/**
+ * Config registration for the TCP cluster rewrite filter. @see
+ * NamedNetworkFilterConfigFactory.
+ */
+class TcpClusterRewriteFilterConfigFactory
+    : public Server::Configuration::NamedNetworkFilterConfigFactory {
+ public:
+  Network::FilterFactoryCb createFilterFactory(
+      const Json::Object&, Server::Configuration::FactoryContext&) override;
+
+  Network::FilterFactoryCb createFilterFactoryFromProto(
+      const Protobuf::Message&,
+      Server::Configuration::FactoryContext&) override;
+
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override;
+
+  std::string name() override { return "tcp_cluster_rewrite"; }
+
+ private:
+  Network::FilterFactoryCb createFilterFactory(
+      const v2alpha1::TcpClusterRewrite& config_pb);
+};
+
+}  // namespace TcpClusterRewrite
+}  // namespace Tcp
+}  // namespace Envoy

src/envoy/tcp/tcp_cluster_rewrite/config_test.cc

@@ -0,0 +1,49 @@
+/* Copyright 2018 Istio Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "src/envoy/tcp/tcp_cluster_rewrite/config.h"
+
+#include "test/mocks/server/mocks.h"
+
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+
+using namespace ::istio::envoy::config::filter::network::tcp_cluster_rewrite;
+using testing::_;
+
+namespace Envoy {
+namespace Tcp {
+namespace TcpClusterRewrite {
+
+TEST(ConfigTest, ConfigTest) {
+  NiceMock<Server::Configuration::MockFactoryContext> context;
+  TcpClusterRewriteFilterConfigFactory factory;
+  v2alpha1::TcpClusterRewrite config =
+      *dynamic_cast<v2alpha1::TcpClusterRewrite*>(
+          factory.createEmptyConfigProto().get());
+
+  config.set_cluster_pattern("connection\\.sni");
+  config.set_cluster_replacement("replacement.sni");
+
+  Network::FilterFactoryCb cb =
+      factory.createFilterFactoryFromProto(config, context);
+  Network::MockConnection connection;
+  EXPECT_CALL(connection, addReadFilter(_));
+  cb(connection);
+}
+
+}  // namespace TcpClusterRewrite
+}  // namespace Tcp
+}  // namespace Envoy