support TCPRoute Authz in xDS translator (#7184)

* support TCPRoute Authz in xDS translator

Relates to #4908

Signed-off-by: Arko Dasgupta <arko@tetrate.io>
Co-authored-by: davem-git <demathieu@gmail.com>

Author: arkodg

internal/ir/xds.go

@@ -2041,6 +2041,8 @@ type TCPRoute struct {
 	BackendConnection *BackendConnection `json:"backendConnection,omitempty" yaml:"backendConnection,omitempty"`
 	// DNS is used to configure how DNS resolution is handled for the route
 	DNS *DNS `json:"dns,omitempty" yaml:"dns,omitempty"`
+	// Authorization defines the schema for the authorization.
+	Authorization *Authorization `json:"authorization,omitempty" yaml:"authorization,omitempty"`
 }
 
 // TLS holds information for configuring TLS on a listener

internal/ir/zz_generated.deepcopy.go

@@ -0,0 +1,126 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package translator
+
+import (
+	cncfv3 "github.com/cncf/xds/go/xds/core/v3"
+	matcherv3 "github.com/cncf/xds/go/xds/type/matcher/v3"
+	listenerv3 "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
+	rbacconfigv3 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
+	networkrbacv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3"
+	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
+	"google.golang.org/protobuf/types/known/anypb"
+
+	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
+	"github.com/envoyproxy/gateway/internal/ir"
+	"github.com/envoyproxy/gateway/internal/utils/proto"
+)
+
+func buildTCPRBACFilter(statPrefix string, authorization *ir.Authorization) (*listenerv3.Filter, error) {
+	if authorization == nil {
+		return nil, nil
+	}
+
+	rbacCfg, err := buildTCPRBACConfig(statPrefix, authorization)
+	if err != nil {
+		return nil, err
+	}
+	if rbacCfg == nil {
+		return nil, nil
+	}
+
+	return toNetworkFilter(wellknown.RoleBasedAccessControl, rbacCfg)
+}
+
+func buildTCPRBACConfig(statPrefix string, authorization *ir.Authorization) (*networkrbacv3.RBAC, error) {
+	allowAction, denyAction, err := buildTCPRBACActions()
+	if err != nil {
+		return nil, err
+	}
+
+	matchers := make([]*matcherv3.Matcher_MatcherList_FieldMatcher, 0, len(authorization.Rules))
+	for _, rule := range authorization.Rules {
+		predicate, err := buildTCPPrincipalPredicate(rule.Principal)
+		if err != nil {
+			return nil, err
+		}
+
+		ruleAction := allowAction
+		if rule.Action == egv1a1.AuthorizationActionDeny {
+			ruleAction = denyAction
+		}
+
+		matchers = append(matchers, &matcherv3.Matcher_MatcherList_FieldMatcher{
+			Predicate: predicate,
+			OnMatch: &matcherv3.Matcher_OnMatch{
+				OnMatch: &matcherv3.Matcher_OnMatch_Action{
+					Action: &cncfv3.TypedExtensionConfig{
+						Name:        rule.Name,
+						TypedConfig: ruleAction,
+					},
+				},
+			},
+		})
+	}
+
+	defaultAction := denyAction
+	if authorization.DefaultAction == egv1a1.AuthorizationActionAllow {
+		defaultAction = allowAction
+	}
+
+	matcher := &matcherv3.Matcher{
+		OnNoMatch: &matcherv3.Matcher_OnMatch{
+			OnMatch: &matcherv3.Matcher_OnMatch_Action{
+				Action: &cncfv3.TypedExtensionConfig{
+					Name:        "default",
+					TypedConfig: defaultAction,
+				},
+			},
+		},
+	}
+	if len(matchers) > 0 {
+		matcher.MatcherType = &matcherv3.Matcher_MatcherList_{
+			MatcherList: &matcherv3.Matcher_MatcherList{
+				Matchers: matchers,
+			},
+		}
+	} else {
+		matcher.MatcherType = nil
+	}
+
+	return &networkrbacv3.RBAC{
+		StatPrefix: statPrefix,
+		Matcher:    matcher,
+	}, nil
+}
+
+func buildTCPRBACActions() (*anypb.Any, *anypb.Any, error) {
+	allowAction, err := proto.ToAnyWithValidation(&rbacconfigv3.Action{
+		Name:   "ALLOW",
+		Action: rbacconfigv3.RBAC_ALLOW,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	denyAction, err := proto.ToAnyWithValidation(&rbacconfigv3.Action{
+		Name:   "DENY",
+		Action: rbacconfigv3.RBAC_DENY,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return allowAction, denyAction, nil
+}
+
+func buildTCPPrincipalPredicate(principal ir.Principal) (*matcherv3.Matcher_MatcherList_Predicate, error) {
+	// only build predicate for CIDR
+	if len(principal.ClientCIDRs) == 0 {
+		return nil, nil
+	}
+	return buildIPPredicate(principal.ClientCIDRs)
+}

internal/xds/translator/authorization_tcp.go

@@ -640,47 +640,19 @@ func (t *Translator) addXdsTCPFilterChain(
 
 	// Append port to the statPrefix.
 	statPrefix = strings.Join([]string{statPrefix, strconv.Itoa(int(xdsListener.Address.GetSocketAddress().GetPortValue()))}, "-")
-	al, error := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute)
-	if error != nil {
-		return error
-	}
-	mgr := &tcpv3.TcpProxy{
-		AccessLog:  al,
-		StatPrefix: statPrefix,
-		ClusterSpecifier: &tcpv3.TcpProxy_Cluster{
-			Cluster: clusterName,
-		},
-		HashPolicy: buildTCPProxyHashPolicy(irRoute.LoadBalancer),
-	}
-
-	if timeout != nil && timeout.TCP != nil {
-		if timeout.TCP.IdleTimeout != nil {
-			mgr.IdleTimeout = durationpb.New(timeout.TCP.IdleTimeout.Duration)
-		}
-	}
-
-	var filters []*listenerv3.Filter
-
-	if connection != nil && connection.ConnectionLimit != nil {
-		cl := buildConnectionLimitFilter(statPrefix, connection)
-		if clf, err := toNetworkFilter(networkConnectionLimit, cl); err == nil {
-			filters = append(filters, clf)
-		} else {
-			return err
-		}
-	}
 
-	if mgrf, err := toNetworkFilter(wellknown.TCPProxy, mgr); err == nil {
-		filters = append(filters, mgrf)
-	} else {
+	filterChain, err := buildTCPFilterChain(
+		irRoute,
+		clusterName,
+		statPrefix,
+		accesslog,
+		timeout,
+		connection,
+	)
+	if err != nil {
 		return err
 	}
 
-	filterChain := &listenerv3.FilterChain{
-		Name:    tlsListenerFilterChainName(irRoute),
-		Filters: filters,
-	}
-
 	if isTLSPassthrough {
 		if err := addServerNamesMatch(xdsListener, filterChain, irRoute.TLS.TLSInspectorConfig.SNIs); err != nil {
 			return err
@@ -707,6 +679,61 @@ func (t *Translator) addXdsTCPFilterChain(
 	return nil
 }
 
+func buildTCPFilterChain(
+	irRoute *ir.TCPRoute,
+	clusterName string,
+	statPrefix string,
+	accesslog *ir.AccessLog,
+	timeout *ir.ClientTimeout,
+	connection *ir.ClientConnection,
+) (*listenerv3.FilterChain, error) {
+	var filters []*listenerv3.Filter
+
+	al, err := buildXdsAccessLog(accesslog, ir.ProxyAccessLogTypeRoute)
+	if err != nil {
+		return nil, err
+	}
+
+	if authzFilter, err := buildTCPRBACFilter(statPrefix, irRoute.Authorization); err != nil {
+		return nil, err
+	} else if authzFilter != nil {
+		filters = append(filters, authzFilter)
+	}
+
+	// Connection limit (if configured)
+	if connection != nil && connection.ConnectionLimit != nil {
+		cl := buildConnectionLimitFilter(statPrefix, connection)
+		if clf, err := toNetworkFilter(networkConnectionLimit, cl); err == nil {
+			filters = append(filters, clf)
+		} else {
+			return nil, err
+		}
+	}
+
+	// TCP proxy last
+	mgr := &tcpv3.TcpProxy{
+		AccessLog:  al,
+		StatPrefix: statPrefix,
+		ClusterSpecifier: &tcpv3.TcpProxy_Cluster{
+			Cluster: clusterName,
+		},
+		HashPolicy: buildTCPProxyHashPolicy(irRoute.LoadBalancer),
+	}
+	if timeout != nil && timeout.TCP != nil && timeout.TCP.IdleTimeout != nil {
+		mgr.IdleTimeout = durationpb.New(timeout.TCP.IdleTimeout.Duration)
+	}
+	if mgrf, err := toNetworkFilter(wellknown.TCPProxy, mgr); err == nil {
+		filters = append(filters, mgrf)
+	} else {
+		return nil, err
+	}
+
+	return &listenerv3.FilterChain{
+		Filters: filters,
+		Name:    tlsListenerFilterChainName(irRoute),
+	}, nil
+}
+
 func buildConnectionLimitFilter(statPrefix string, connection *ir.ClientConnection) *connection_limitv3.ConnectionLimit {
 	cl := &connection_limitv3.ConnectionLimit{
 		StatPrefix:     statPrefix,

internal/xds/translator/listener.go

@@ -0,0 +1,34 @@
+tcp:
+- name: "tcp-listener-authorization"
+  address: "::"
+  port: 10080
+  routes:
+  - name: "tcp-route-authorization"
+    authorization:
+      defaultAction: Allow
+      rules:
+      - action: Deny
+        name: deny-office
+        principal:
+          clientCIDRs:
+          - cidr: 10.0.0.0/24
+            distinct: false
+            ip: 10.0.0.0
+            isIPv6: false
+            maskLen: 24
+      - action: Allow
+        name: allow-corp
+        principal:
+          clientCIDRs:
+          - cidr: 192.168.100.0/24
+            distinct: false
+            ip: 192.168.100.0
+            isIPv6: false
+            maskLen: 24
+    destination:
+      name: "tcp-route-authorization-dest"
+      settings:
+      - endpoints:
+        - host: "10.2.3.4"
+          port: 50000
+        name: "tcp-route-authorization-dest/backend/0"

internal/xds/translator/testdata/in/xds-ir/tcp-route-authorization.yaml

@@ -0,0 +1,24 @@
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_PREFERRED
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: tcp-route-authorization-dest
+  ignoreHealthOnHostRemoval: true
+  lbPolicy: LEAST_REQUEST
+  loadBalancingPolicy:
+    policies:
+    - typedExtensionConfig:
+        name: envoy.load_balancing_policies.least_request
+        typedConfig:
+          '@type': type.googleapis.com/envoy.extensions.load_balancing_policies.least_request.v3.LeastRequest
+          localityLbConfig:
+            localityWeightedLbConfig: {}
+  name: tcp-route-authorization-dest
+  perConnectionBufferLimitBytes: 32768
+  type: EDS

internal/xds/translator/testdata/out/xds-ir/tcp-route-authorization.clusters.yaml

@@ -0,0 +1,12 @@
+- clusterName: tcp-route-authorization-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 10.2.3.4
+            portValue: 50000
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: tcp-route-authorization-dest/backend/0