transport socket: Add proxy proto transport socket. (envoyproxy#11584)

Commit Message: Add proxy proto transport socket Additional Description: This is the part 1 PR described in envoyproxy#10682. It adds the transports socket / unit tests, a transport socket options struct for the proxy proto header, and does a refactor to make the listener filter use the common proxy proto constants (potentially want to move these now since the proxy proto config api type is not in extensions?) Risk Level: Small Testing: Unit Docs Changes: None Release Notes: None Part Of: #1031 Signed-off-by: Weston Carlson <wez470@gmail.com> Co-authored-by: Lizan Zhou <lizan@tetrate.io> Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
KBaichoo · Jul 30, 2020 · 1c2c8da · 1c2c8da
1 parent be2c856
commit 1c2c8da
Show file tree

Hide file tree

Showing 39 changed files with 1,073 additions and 49 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -36,6 +36,10 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/transport_sockets/alts @htuch @yangminzhu
 # tls transport socket extension
 /*/extensions/transport_sockets/tls @PiotrSikora @lizan
+# proxy protocol socket extension
+/*/extensions/transport_sockets/proxy_protocol @alyssawilk @wez470
+# common transport socket
+/*/extensions/transport_sockets/common @alyssawilk @wez470
 # sni_cluster extension
 /*/extensions/filters/network/sni_cluster @rshriram @lizan
 # sni_dynamic_forward_proxy extension

diff --git a/api/BUILD b/api/BUILD
@@ -231,6 +231,7 @@ proto_library(
         "//envoy/extensions/retry/host/omit_host_metadata/v3:pkg",
         "//envoy/extensions/retry/priority/previous_priorities/v3:pkg",
         "//envoy/extensions/transport_sockets/alts/v3:pkg",
+        "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
         "//envoy/extensions/transport_sockets/quic/v3:pkg",
         "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
         "//envoy/extensions/transport_sockets/tap/v3:pkg",

diff --git a/api/envoy/extensions/transport_sockets/proxy_protocol/v3/BUILD b/api/envoy/extensions/transport_sockets/proxy_protocol/v3/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)
diff --git a/api/envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto b/api/envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto
@@ -0,0 +1,26 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.proxy_protocol.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/proxy_protocol.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.proxy_protocol.v3";
+option java_outer_classname = "UpstreamProxyProtocolProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Upstream Proxy Protocol]
+// [#extension: envoy.transport_sockets.upstream_proxy_protocol]
+// [#not-implemented-hide:]
+// Configuration for PROXY protocol socket
+message ProxyProtocolUpstreamTransport {
+  config.core.v3.ProxyProtocolConfig config = 1;
+
+  // The underlying transport socket being wrapped.
+  config.core.v3.TransportSocket transport_socket = 2 [(validate.rules).message = {required: true}];
+}
diff --git a/api/versioning/BUILD b/api/versioning/BUILD
@@ -114,6 +114,7 @@ proto_library(
         "//envoy/extensions/retry/host/omit_host_metadata/v3:pkg",
         "//envoy/extensions/retry/priority/previous_priorities/v3:pkg",
         "//envoy/extensions/transport_sockets/alts/v3:pkg",
+        "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
         "//envoy/extensions/transport_sockets/quic/v3:pkg",
         "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
         "//envoy/extensions/transport_sockets/tap/v3:pkg",

diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/proxy_protocol/v3/BUILD b/generated_api_shadow/envoy/extensions/transport_sockets/proxy_protocol/v3/BUILD
diff --git a/...shadow/envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto b/...shadow/envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto
diff --git a/include/envoy/network/BUILD b/include/envoy/network/BUILD
@@ -116,6 +116,7 @@ envoy_cc_library(
     hdrs = ["transport_socket.h"],
     deps = [
         ":io_handle_interface",
+        ":proxy_protocol_options_lib",
         "//include/envoy/buffer:buffer_interface",
         "//include/envoy/ssl:connection_interface",
     ],
@@ -152,3 +153,11 @@ envoy_cc_library(
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
 )
+
+envoy_cc_library(
+    name = "proxy_protocol_options_lib",
+    hdrs = ["proxy_protocol.h"],
+    deps = [
+        ":address_interface",
+    ],
+)
diff --git a/include/envoy/network/proxy_protocol.h b/include/envoy/network/proxy_protocol.h
@@ -0,0 +1,14 @@
+#pragma once
+
+#include "envoy/network/address.h"
+
+namespace Envoy {
+namespace Network {
+
+struct ProxyProtocolData {
+  const Network::Address::InstanceConstSharedPtr src_addr_;
+  const Network::Address::InstanceConstSharedPtr dst_addr_;
+};
+
+} // namespace Network
+} // namespace Envoy
diff --git a/include/envoy/network/transport_socket.h b/include/envoy/network/transport_socket.h
@@ -5,6 +5,7 @@
 #include "envoy/buffer/buffer.h"
 #include "envoy/common/pure.h"
 #include "envoy/network/io_handle.h"
+#include "envoy/network/proxy_protocol.h"
 #include "envoy/ssl/connection.h"
 
 #include "absl/types/optional.h"
@@ -200,6 +201,11 @@ class TransportSocketOptions {
    */
   virtual const absl::optional<std::string>& applicationProtocolFallback() const PURE;
 
+  /**
+   * @return optional PROXY protocol address information.
+   */
+  virtual absl::optional<Network::ProxyProtocolData> proxyProtocolOptions() const PURE;
+
   /**
    * @param vector of bytes to which the option should append hash key data that will be used
    *        to separate connections based on the option. Any data already in the key vector must

diff --git a/source/common/network/BUILD b/source/common/network/BUILD
@@ -358,8 +358,10 @@ envoy_cc_library(
     hdrs = ["transport_socket_options_impl.h"],
     deps = [
         ":application_protocol_lib",
+        ":proxy_protocol_filter_state_lib",
         ":upstream_server_name_lib",
         ":upstream_subject_alt_names_lib",
+        "//include/envoy/network:proxy_protocol_options_lib",
         "//include/envoy/network:transport_socket_interface",
         "//include/envoy/stream_info:filter_state_interface",
         "//source/common/common:scalar_to_byte_vector_lib",
@@ -402,3 +404,14 @@ envoy_cc_library(
         "@envoy_api//envoy/config/listener/v3:pkg_cc_proto",
     ],
 )
+
+envoy_cc_library(
+    name = "proxy_protocol_filter_state_lib",
+    srcs = ["proxy_protocol_filter_state.cc"],
+    hdrs = ["proxy_protocol_filter_state.h"],
+    deps = [
+        "//include/envoy/network:proxy_protocol_options_lib",
+        "//include/envoy/stream_info:filter_state_interface",
+        "//source/common/common:macros",
+    ],
+)
diff --git a/source/common/network/proxy_protocol_filter_state.cc b/source/common/network/proxy_protocol_filter_state.cc
@@ -0,0 +1,13 @@
+#include "common/network/proxy_protocol_filter_state.h"
+
+#include "common/common/macros.h"
+
+namespace Envoy {
+namespace Network {
+
+const std::string& ProxyProtocolFilterState::key() {
+  CONSTRUCT_ON_FIRST_USE(std::string, "envoy.network.proxy_protocol_options");
+}
+
+} // namespace Network
+} // namespace Envoy
diff --git a/source/common/network/proxy_protocol_filter_state.h b/source/common/network/proxy_protocol_filter_state.h
@@ -0,0 +1,23 @@
+#pragma once
+
+#include "envoy/network/proxy_protocol.h"
+#include "envoy/stream_info/filter_state.h"
+
+namespace Envoy {
+namespace Network {
+
+/**
+ * PROXY protocol info to be used in connections.
+ */
+class ProxyProtocolFilterState : public StreamInfo::FilterState::Object {
+public:
+  ProxyProtocolFilterState(Network::ProxyProtocolData options) : options_(options) {}
+  const Network::ProxyProtocolData& value() const { return options_; }
+  static const std::string& key();
+
+private:
+  const Network::ProxyProtocolData options_;
+};
+
+} // namespace Network
+} // namespace Envoy
diff --git a/source/common/network/transport_socket_options_impl.cc b/source/common/network/transport_socket_options_impl.cc
@@ -9,6 +9,7 @@
 #include "common/common/scalar_to_byte_vector.h"
 #include "common/common/utility.h"
 #include "common/network/application_protocol.h"
+#include "common/network/proxy_protocol_filter_state.h"
 #include "common/network/upstream_server_name.h"
 #include "common/network/upstream_subject_alt_names.h"
 
@@ -54,6 +55,7 @@ TransportSocketOptionsUtility::fromFilterState(const StreamInfo::FilterState& fi
   absl::string_view server_name;
   std::vector<std::string> application_protocols;
   std::vector<std::string> subject_alt_names;
+  absl::optional<Network::ProxyProtocolData> proxy_protocol_options;
 
   bool needs_transport_socket_options = false;
   if (filter_state.hasData<UpstreamServerName>(UpstreamServerName::key())) {
@@ -77,9 +79,17 @@ TransportSocketOptionsUtility::fromFilterState(const StreamInfo::FilterState& fi
     needs_transport_socket_options = true;
   }
 
+  if (filter_state.hasData<ProxyProtocolFilterState>(ProxyProtocolFilterState::key())) {
+    const auto& proxy_protocol_filter_state =
+        filter_state.getDataReadOnly<ProxyProtocolFilterState>(ProxyProtocolFilterState::key());
+    proxy_protocol_options.emplace(proxy_protocol_filter_state.value());
+    needs_transport_socket_options = true;
+  }
+
   if (needs_transport_socket_options) {
     return std::make_shared<Network::TransportSocketOptionsImpl>(
-        server_name, std::move(subject_alt_names), std::move(application_protocols));
+        server_name, std::move(subject_alt_names), std::move(application_protocols), absl::nullopt,
+        proxy_protocol_options);
   } else {
     return nullptr;
   }

diff --git a/source/common/network/transport_socket_options_impl.h b/source/common/network/transport_socket_options_impl.h
@@ -1,5 +1,6 @@
 #pragma once
 
+#include "envoy/network/proxy_protocol.h"
 #include "envoy/network/transport_socket.h"
 #include "envoy/stream_info/filter_state.h"
 
@@ -25,6 +26,9 @@ class AlpnDecoratingTransportSocketOptions : public TransportSocketOptions {
   const absl::optional<std::string>& applicationProtocolFallback() const override {
     return alpn_fallback_;
   }
+  absl::optional<Network::ProxyProtocolData> proxyProtocolOptions() const override {
+    return inner_options_->proxyProtocolOptions();
+  }
   void hashKey(std::vector<uint8_t>& key) const override;
 
 private:
@@ -34,15 +38,18 @@ class AlpnDecoratingTransportSocketOptions : public TransportSocketOptions {
 
 class TransportSocketOptionsImpl : public TransportSocketOptions {
 public:
-  TransportSocketOptionsImpl(absl::string_view override_server_name = "",
-                             std::vector<std::string>&& override_verify_san_list = {},
-                             std::vector<std::string>&& override_alpn = {},
-                             absl::optional<std::string>&& fallback_alpn = {})
+  TransportSocketOptionsImpl(
+      absl::string_view override_server_name = "",
+      std::vector<std::string>&& override_verify_san_list = {},
+      std::vector<std::string>&& override_alpn = {},
+      absl::optional<std::string>&& fallback_alpn = {},
+      absl::optional<Network::ProxyProtocolData> proxy_proto_options = absl::nullopt)
       : override_server_name_(override_server_name.empty()
                                   ? absl::nullopt
                                   : absl::optional<std::string>(override_server_name)),
         override_verify_san_list_{std::move(override_verify_san_list)},
-        override_alpn_list_{std::move(override_alpn)}, alpn_fallback_{std::move(fallback_alpn)} {}
+        override_alpn_list_{std::move(override_alpn)}, alpn_fallback_{std::move(fallback_alpn)},
+        proxy_protocol_options_(proxy_proto_options) {}
 
   // Network::TransportSocketOptions
   const absl::optional<std::string>& serverNameOverride() const override {
@@ -57,13 +64,17 @@ class TransportSocketOptionsImpl : public TransportSocketOptions {
   const absl::optional<std::string>& applicationProtocolFallback() const override {
     return alpn_fallback_;
   }
+  absl::optional<Network::ProxyProtocolData> proxyProtocolOptions() const override {
+    return proxy_protocol_options_;
+  }
   void hashKey(std::vector<uint8_t>& key) const override;
 
 private:
   const absl::optional<std::string> override_server_name_;
   const std::vector<std::string> override_verify_san_list_;
   const std::vector<std::string> override_alpn_list_;
   const absl::optional<std::string> alpn_fallback_;
+  const absl::optional<Network::ProxyProtocolData> proxy_protocol_options_;
 };
 
 class TransportSocketOptionsUtility {

diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl
@@ -160,6 +160,7 @@ EXTENSIONS = {
     #
 
     "envoy.transport_sockets.alts":                     "//source/extensions/transport_sockets/alts:config",
+    "envoy.transport_sockets.upstream_proxy_protocol":  "//source/extensions/transport_sockets/proxy_protocol:upstream_proxy_protocol",
     "envoy.transport_sockets.raw_buffer":               "//source/extensions/transport_sockets/raw_buffer:config",
     "envoy.transport_sockets.tap":                      "//source/extensions/transport_sockets/tap:config",
     "envoy.transport_sockets.quic":                     "//source/extensions/quic_listeners/quiche:quic_transport_socket_factory_lib",

diff --git a/source/extensions/filters/listener/proxy_protocol/BUILD b/source/extensions/filters/listener/proxy_protocol/BUILD
@@ -29,6 +29,7 @@ envoy_cc_library(
         "//source/common/common:utility_lib",
         "//source/common/network:address_lib",
         "//source/common/network:utility_lib",
+        "//source/extensions/common/proxy_protocol:proxy_protocol_header_lib",
         "//source/extensions/filters/listener:well_known_names",
         "@envoy_api//envoy/extensions/filters/listener/proxy_protocol/v3:pkg_cc_proto",
     ],

diff --git a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc
@@ -21,8 +21,24 @@
 #include "common/network/address_impl.h"
 #include "common/network/utility.h"
 
+#include "extensions/common/proxy_protocol/proxy_protocol_header.h"
 #include "extensions/filters/listener/well_known_names.h"
 
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V1_SIGNATURE;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V1_SIGNATURE_LEN;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_ADDR_LEN_INET;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_ADDR_LEN_INET6;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_AF_INET;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_AF_INET6;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_HEADER_LEN;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_LOCAL;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_ONBEHALF_OF;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_SIGNATURE;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_SIGNATURE_LEN;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_TRANSPORT_DGRAM;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_TRANSPORT_STREAM;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_VERSION;
+
 namespace Envoy {
 namespace Extensions {
 namespace ListenerFilters {

diff --git a/source/extensions/filters/listener/proxy_protocol/proxy_protocol.h b/source/extensions/filters/listener/proxy_protocol/proxy_protocol.h
@@ -8,9 +8,14 @@
 
 #include "common/common/logger.h"
 
+#include "extensions/common/proxy_protocol/proxy_protocol_header.h"
+
 #include "absl/container/flat_hash_map.h"
 #include "proxy_protocol_header.h"
 
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_ADDR_LEN_UNIX;
+using Envoy::Extensions::Common::ProxyProtocol::PROXY_PROTO_V2_HEADER_LEN;
+
 namespace Envoy {
 namespace Extensions {
 namespace ListenerFilters {