-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable ESP to invoke Firebase Security rules. #54
Conversation
You need to use clang-format to format following files contrib/endpoints/src/api_manager/check_security_rules.cc contrib/endpoints/src/api_manager/check_security_rules.h contrib/endpoints/src/api_manager/context/request_context.h contrib/endpoints/src/api_manager/context/service_context.cc |
@@ -163,6 +175,9 @@ class RequestContext { | |||
// Report(). | |||
std::string auth_authorized_party_; | |||
|
|||
// Auth Claims: This is the decoded payload of the JWT token | |||
char *auth_claims_; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can use std::string to store it. so you don't need to include grpc headers in order to call gpr_free
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
@@ -40,6 +40,8 @@ struct UserInfo { | |||
// Authorized party of the incoming JWT. | |||
// See http://openid.net/specs/openid-connect-core-1_0.html#IDToken | |||
std::string authorized_party; | |||
// String of claims | |||
char *claims; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we need this one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. We do. The UserInfo is where the decoded JWT claims are stored so it can be used in the later part of the work flow. This actually is the same flow as it is used for JWT audience and issuer fields.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed it to std::string
ParseJwt(); | ||
env_->LogInfo("After Parse JWT"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove logging?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the merge put them back in. I will delete them before the next commit.
void HttpFetch(const std::string &url, const std::string &request_body, | ||
std::function<void(Status, std::string &&)> continuation); | ||
// Fetch the Release attributes. | ||
auto pChecker = GetPtr(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Google c++ style guide, not to use camel case in variable name
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm. This code is again similar to check_auth.cc below. Let me know if you want me to fix it in both places.
void AuthChecker::DiscoverJwksUri(const std::string &url) {
auto pChecker = GetPtr();
HttpFetch(url, [pChecker](S
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
// TODO: Check service config to see if "useSecurityRules" is specified. | ||
// If so, call Firebase Rules service TestRuleset API. | ||
std::pair<Status, std::string> AuthzChecker::ParseReleaseResponse( | ||
std::string *json_str) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pass in const std::string& if you are not modifying json_str
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
void AuthzChecker::Check() { | ||
// TODO: Check service config to see if "useSecurityRules" is specified. | ||
// If so, call Firebase Rules service TestRuleset API. | ||
std::pair<Status, std::string> AuthzChecker::ParseReleaseResponse( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we pass out ruleset_id in the argument. e.g.
Status Parse(..., string* ruleset_id)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
status = Status(Code::PERMISSION_DENIED, | ||
std::string("Unauthorized ") | ||
+ context->request()->GetRequestHTTPMethod() | ||
+ " access to resource " + context->request()->GetRequestPath(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does response have detail info we can pass back to help users?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No. Unfortunatley, the Test API that we use only provided with a response that looks like this:
{
"testResults": [
{
"state": "SUCCESS"
}
]
}
or
{
"testResults": [
{
"state": "FAILURE"
}
]
}
The response itself is a HTTP 200 OK message.
std::string AuthzChecker::BuildTestRequestBody( | ||
std::shared_ptr<context::RequestContext> context) { | ||
|
||
std::shared_ptr<std::ostringstream> ss(new std::ostringstream); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not need to use new. just allocate it from stack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
std::shared_ptr<AuthzChecker> authzChecker = | ||
std::make_shared<AuthzChecker>(context, continuation); | ||
authzChecker->Check(); | ||
std::shared_ptr<AuthzChecker> checker(new AuthzChecker( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why don't you use make_shared?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
std::string BuildTestRequestBody( | ||
std::shared_ptr<context::RequestContext> context); | ||
|
||
void AddToBody(const std::string &key, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can some of these function static.
if so, they can be in the cc file, inside anonymous name space
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I moved the header file into the .cc file now.
#include "grpc/support/string_util.h" | ||
#include "grpc/support/sync.h" | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need all these headers? It looks like we are only using gpr_free() in the file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed them. After changing to std::string based on Wayne's comments, I did not need them.
@@ -213,7 +213,9 @@ void AuthChecker::LookupJwtCache() { | |||
if (cache_hit) { | |||
CheckAudience(true); | |||
} else { | |||
env_->LogInfo("Before Parse JWT"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remember remove these logs before submit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
ParseJwt(); | ||
env_->LogInfo("After Parse JWT"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove these logs before submit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
@@ -40,6 +40,8 @@ struct UserInfo { | |||
// Authorized party of the incoming JWT. | |||
// See http://openid.net/specs/openid-connect-core-1_0.html#IDToken | |||
std::string authorized_party; | |||
// String of claims | |||
char *claims; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we make it std::string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
|
||
// Get the auth token for Firebase service | ||
const std::string &GetAuthToken() { | ||
return sa_token_->GetAuthToken( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shall we check if sa_token_ is NULL?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmm. This is similar to The Aggregator code in cloud_trace.cc where the ServiceAccountToken is being passed in. There are no null checks there. Let me know if you think this is wrong and we can fix this at book places. However, since we don't throw exceptions, the null check should be done before passing in the value. Otherwise, we will have null checks all over the code.
std::shared_ptr<std::ostringstream> ss); | ||
|
||
void AddToBody(const std::string &key, const std::string &value, | ||
bool end, std::shared_ptr<std::ostringstream> ss); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need shared_ptr here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
REmoved
std::shared_ptr<context::RequestContext> context); | ||
|
||
void AddToBody(const std::string &key, | ||
std::shared_ptr<std::ostringstream> ss); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do we need shared_ptr here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed
|
||
const std::string Stringify(const char *s) { | ||
return std::string("\"") + s + "\""; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are not handing the case that s is NULL pointer.
Converting a "char *" to string is simply:
std::string target = s == nullptr ? "" : s;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
.set_url(url) | ||
.set_auth_token(GetAuthToken()) | ||
.set_header("Content-Type", "application/json") | ||
.set_auth_token(token); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
set_auth_token(GetAuthToken()). Then you don't need "token" variable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
class AuthzChecker : public std::enable_shared_from_this<AuthzChecker> { | ||
public: | ||
AuthzChecker(std::shared_ptr<context::RequestContext> context, | ||
std::function<void(Status status)> continuation); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If AuthzChecker class is used only in check_seucurity_rules.cc/h, we prefer to put the class definition in .cc file. This way, any place that "include" check_security_rules.h will only include CheckSecurityRules() function definition (not AuthzChecker class).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
// Get Firebase specific operation Id based on the http Method. | ||
std::string GetOperation(std::string httpMethod); | ||
|
||
const std::string Stringify(const char *s) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need to be a class function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is removed with the new protobuf change.s
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed this after proto change.
} | ||
|
||
// Fetch the Release attributes. | ||
auto pchecker = GetPtr(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just "checker"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
|
||
// Fetch the Release attributes. | ||
auto pchecker = GetPtr(); | ||
HttpFetch(GetReleaseUrl(context), std::string("GET"), std::string(""), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need for std::string("GET"), just "GET", compiler will convert it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
std::function<void(Status status)> continuation) { | ||
auto pchecker = GetPtr(); | ||
|
||
HttpFetch(std::string(kFirebaseServerStaging) + "v1/" + ruleset_id + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use a separate function for URL
|
||
Status status = Status::OK; | ||
const char *id = GetStringValue(json, "rulesetName"); | ||
(*ruleset_id) = (id == nullptr) ? "" : GetStringValue(json, "rulesetName"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
last portion is id?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure what you mean ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
*ruleset_id = (id) : id ? "";
return status; | ||
} | ||
|
||
std::string AuthzChecker::GetOperation(std::string httpMethod) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need to be a class member function?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made it static function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Made it static.
std::string AuthzChecker::BuildTestRequestBody( | ||
std::shared_ptr<context::RequestContext> context) { | ||
|
||
std::ostringstream ss; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe use a proto, build a proto message first, then convert it to json.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How I wish I could do it! The protos are not open sourced.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can copy the proto file to our ESP code base. Still prefer to use proto to convert to JSON.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are multiple proto files and this will come from the firebase codebase. I am not sure if we can just pick up the code and put it in our codebase. I will need to talk to Limin / Wencheng and may be even Firebase guys before doing this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it is too much trouble to copy their proto files, you just create your own simple proto message which only fields you used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see what you mean. I think I an do that. It is actually a better idea than dealing with strings.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
} | ||
|
||
void AuthzChecker::AddToBody(const std::string &key, | ||
std::ostringstream &ss) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need to be a class member function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason I left it inside the class is because the usage of the function is only applicable to objects of this class.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should be static if the function is not using any class members.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah. Sure. I will make them static.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Function is deleted after adding the new protobuf to capture this.
} | ||
} | ||
|
||
const std::string AuthzChecker::GetReleaseName( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no need to be a class member function
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same reason as above. There is no meaning to this method outside the context of the class.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed this to static
// Pointer to access ESP running environment. | ||
ApiManagerEnvInterface *env_; | ||
// Get Firebase specific operation Id based on the http Method. | ||
std::string GetOperation(std::string httpMethod); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const std::string &httpMethod
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
#include "contrib/endpoints/include/api_manager/utils/status.h" | ||
|
||
#include <string> | ||
using ::google::api_manager::utils::Status; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No change is needed for this file. The additional "include" and "using" here should be removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
@@ -112,6 +112,16 @@ class RequestContext { | |||
last_report_time_ = tp; | |||
} | |||
|
|||
void set_auth_claims(std::string &claims) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const std::string &
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
return auth_claims_; | ||
} | ||
|
||
const std::string GetAuthToken(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you need GetAuthToken() here?
|
||
namespace google { | ||
namespace api_manager { | ||
|
||
namespace { | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The whole class should be an anonymous namespace. You should not remove it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
const char kFirebaseServerStaging[] = | ||
"https://staging-firebaserules.sandbox.googleapis.com/"; | ||
|
||
// An AuthzChecker object is created for every incoming request. It does | ||
// authorizaiton by calling Firebase Rules service. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment applies to the class. Why do you remove it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added it back. Initially I had code that was creating the object in the service context but this did not work due to circular dependences. I removed it as a part of that change and forgot to add it back.
void HttpFetch(const std::string &url, const std::string &request_body, | ||
|
||
// Helper method that invokes the test firebase service api. | ||
void FirebaseCheck(std::string ruleset_id, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const std::string &ruleset_id
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
@@ -112,6 +112,16 @@ class RequestContext { | |||
last_report_time_ = tp; | |||
} | |||
|
|||
void set_auth_claims(std::string &claims) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const std::string &claims
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
auth_claims_ = claims; | ||
} | ||
|
||
std::string &auth_claims() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this function can simply return std::string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why? We just use this string to create a proto object and this string can be potentially big.
|
||
/*for (grpc_json *cur = json->child; cur != nullptr; cur = cur->next) { | ||
user_info->claims.emplace(std::string(cur->key), std::string(cur->value)); | ||
} */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is this commented out code for? If no needed, remove it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed.
message ApiCheckSecurityRulesConfig { | ||
// Allows to disable the API authorization | ||
bool force_disable = 1; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you may want to have firebase_server here so "t" test can provide a fake server.
BTW, How do we enable this feature, is it enabled by service_config? Here we force disable it? If so, we are fine
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be enabled via service config. But the service config changes are not done yet. Tao is working on those changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If that is the case, it will be easier for you to integrate with ESP if you default to be disabled, only enable it from server_config.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't want to disable this by default via server config and there is a reason for this. By not disabling the feature by default I am able to apply some existing auth based t tests. For example, we have checks to ensure that if auth is disabled, then we don't do any firebase rules checks too. For all those tests, since the code is not disabled by default, we are able to exercise the existing t tests without any more tests that do the same thing.
@@ -56,7 +60,11 @@ ServiceContext::ServiceContext(std::unique_ptr<ApiManagerEnvInterface> env, | |||
is_auth_force_disabled_(config_->server_config() && | |||
config_->server_config() | |||
->api_authentication_config() | |||
.force_disable()) { | |||
.force_disable()), | |||
is_check_security_rules_disabled_(config_->server_config() && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it enabled by default? do we need to check service_config ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently enabled by default. Once the service config changes are done, we will add those checks too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is better to be disabled by default for now. and only enable it when server_config has api_check_securty_rules_config and its firebase_server is specified.
we can change it when service config is ready.
const char kFailedFirebaseReleaseFetch[] = "Failed to fetch Firebase Release"; | ||
const char kFailedFirebaseTest[] = "Failed to execute Firebase Test"; | ||
const char kInvalidResponse[] = "Invalid JSON response from Firebase Service"; | ||
|
||
// An AuthzChecker object is created for every incoming request. It does | ||
// authorizaiton by calling Firebase Rules service. | ||
class AuthzChecker : public std::enable_shared_from_this<AuthzChecker> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the file name is called check_security_rules, should we call the class as SecurityRuleChecker
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was named by Limin and so was the file name provided by her. Let me see what she thinks too :-)
void HttpFetch(const std::string &url, const std::string &request_body, | ||
// Helper method that invokes the test firebase service api. | ||
void FirebaseCheck(std::string &ruleset_id, | ||
std::shared_ptr<context::RequestContext> context, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how about "CallTest"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
void AuthzChecker::FirebaseCheck( | ||
std::string &ruleset_id, std::shared_ptr<context::RequestContext> context, | ||
std::function<void(Status status)> continuation) { | ||
auto checker = GetPtr(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
move this line to 163
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
std::shared_ptr<context::RequestContext> context, | ||
std::string &result_string) { | ||
proto::TestRulesetRequest request; | ||
proto::TestRulesetRequest::TestCase *test_case = request.add_test_cases(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can use "auto"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup. Thank you.
|
||
Status AuthzChecker::BuildTestRequestBody( | ||
std::shared_ptr<context::RequestContext> context, | ||
std::string &result_string) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per style guide, you should use std::string*
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
|
||
void AuthzChecker::SetProtoValue(::google::protobuf::Value &head, | ||
std::string key, | ||
::google::protobuf::Value &value) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
per style guide, the prototype should be
(const string& key, const Value& value, Value* head)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
|
||
// Pointer to access ESP running environment. | ||
ApiManagerEnvInterface *env_; | ||
void SetProtoValue(::google::protobuf::Value &head, std::string key, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this can be static.
I think all these 4 static functions can be out of the class.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
if (!context->service_context()->RequireRulesCheck() || | ||
context->method() == nullptr || !context->method()->auth()) { | ||
env_->LogDebug( | ||
std::string("Autherization and JWT validation was not performed") + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Authorization, no need of std::string
, just use literals without +
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
std::string *ruleset_id); | ||
|
||
// Parses the response for the TEST API call | ||
Status ParseTestResponse(std::shared_ptr<context::RequestContext> context, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
output parameter should be pointers, per our C++ style guide
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. Wayne gave me this comment and I have already fixed this. in a later commit.
const std::string &json_str); | ||
|
||
// Builds the request body for the TESP API call. | ||
Status BuildTestRequestBody(std::shared_ptr<context::RequestContext> context, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ditto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same. already fixed in later commit.
if (result == nullptr) { | ||
env_->LogInfo("Result state is empty"); | ||
status = invalid; | ||
} else if (std::string(result) != "SUCCESS") { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"SUCCESS"
as constant, and make the constant as std::string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have declared a const char[] kTestSuccess with the rest of the cont strings. Let me know if this is not what you had in mind.
@@ -112,6 +112,10 @@ class RequestContext { | |||
last_report_time_ = tp; | |||
} | |||
|
|||
void set_auth_claims(const std::string &claims) { auth_claims_ = claims; } | |||
|
|||
std::string &auth_claims() { return auth_claims_; } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
@@ -15,6 +15,7 @@ | |||
#ifndef API_MANAGER_AUTH_H_ | |||
#define API_MANAGER_AUTH_H_ | |||
|
|||
#include <map> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you include ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed.
// Helper function to send a http GET request. | ||
void HttpFetch(const std::string &url, const std::string &request_body, | ||
// Helper method that invokes the test firebase service api. | ||
void CallTest(std::string &ruleset_id, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const std::string &ruleset_id;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
@@ -15,6 +15,7 @@ | |||
#ifndef API_MANAGER_CHECK_SECURITY_RULES_H_ | |||
#define API_MANAGER_CHECK_SECURITY_RULES_H_ | |||
|
|||
#include <string> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove "include".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
// Server config for API Authorization via Firebase Rules | ||
message ApiCheckSecurityRulesConfig { | ||
// Firebase server to use. | ||
string firebase_server = 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When do we use this configuration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We will use this configuration with t tests. I will update this in another change once I understand t tests better. For now this is only a place holder.
@@ -699,12 +699,16 @@ grpc_jwt_verifier_status JwtValidatorImpl::FillUserInfoAndSetExp( | |||
|
|||
// Optional field. | |||
const grpc_json *grpc_json = grpc_jwt_claims_json(claims_); | |||
|
|||
char *json_str = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
json_str
is leaked
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you. Missed this while addressing review comments. I was freeing this in the first commit :-)
const char kInvalidResponse[] = "Invalid JSON response from Firebase Service"; | ||
const char kTestSuccess[] = "SUCCESS"; | ||
|
||
void SetProtoValue(std::string key, ::google::protobuf::Value &value, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
const std::string&
const Value&
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
} | ||
|
||
const std::string GetReleaseName( | ||
std::shared_ptr<context::RequestContext> request_context) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not to use shared_ptr if you are not keep a ref_count.
use
const context::RequestContext&
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The CheckSecurityRules method is the entry point and it receives a share_ptr. Do you mean that I should extract the pointer from the shared pointer? I thought it is considered bad to extract a pointer out of a smart pointer. Lets discuss more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pass a shared_ptr is bad for performance. it needs to lock in order to increase ref_count.
If your function don't need to keep a ref_count, pass in the object.
} | ||
|
||
const std::string GetReleaseUrl( | ||
std::shared_ptr<context::RequestContext> request_context) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not to use shared_prt
if (!context->service_context()->RequireRulesCheck() || | ||
context->method() == nullptr || !context->method()->auth()) { | ||
env_->LogDebug( | ||
"Autherization and JWT validation was not performed" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is logging message correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should it be firebase ruleset validation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed
Status status = Status::OK; | ||
const char *id = GetStringValue(json, "rulesetName"); | ||
(*ruleset_id) = (id == nullptr) ? "" : id; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why do we need () in (*ruleset_id)?
SetProtoValue("token", claims, &token); | ||
SetProtoValue("auth", token, &auth); | ||
|
||
Map<std::string, google::protobuf::Value> *variables = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
use auto?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
std::function<void(Status, std::string &&)> continuation) { | ||
env_->LogInfo(std::string("Issue HTTP Request to url :") + url + | ||
" method : " + method + " body: " + request_body); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LogDebug
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done.
@@ -56,7 +60,11 @@ ServiceContext::ServiceContext(std::unique_ptr<ApiManagerEnvInterface> env, | |||
is_auth_force_disabled_(config_->server_config() && | |||
config_->server_config() | |||
->api_authentication_config() | |||
.force_disable()) { | |||
.force_disable()), | |||
is_check_security_rules_disabled_(config_->server_config() && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it is better to be disabled by default for now. and only enable it when server_config has api_check_securty_rules_config and its firebase_server is specified.
we can change it when service config is ready.
std::shared_ptr<context::RequestContext> request_context) { | ||
return request_context->service_context()->service_name() + ":" + | ||
request_context->service_context()->service().apis(0).version(); | ||
const std::string GetReleaseName(context::RequestContext &context) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we need const here? same as line 65
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and line 70
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I already tried that and I get the following compilation error. I think this is because the service_context() method is not marked as const. Let me know if you are OK with marking that method as const - I think it can be made into a const but I don't know why it was not marked const.
contrib/endpoints/src/api_manager/check_security_rules.cc: In function 'const string google::api_manager::{anonymous}::GetReleaseName(const google::api_manager::context::RequestContext&)':
contrib/endpoints/src/api_manager/check_security_rules.cc:61:34: error: passing 'const google::api_manager::context::RequestContext' as 'this' argument of 'google::api_manager::context::ServiceContext* google::api_manager::context::RequestContext::service_context()' discards qualifiers [-fpermissive]
return context.service_context()->service_name() + ":" +
^
contrib/endpoints/src/api_manager/check_security_rules.cc:62:34: error: passing 'const google::api_manager::context::RequestContext' as 'this' argument of 'google::api_manager::context::ServiceContext* google::api_manager::context::RequestContext::service_context()' discards qualifiers [-fpermissive]
context.service_context()->service().apis(0).version();
final_continuation(Status::OK); | ||
return; | ||
} | ||
|
||
// Fetch the Release attributes. | ||
auto checker = GetPtr(); | ||
HttpFetch(GetReleaseUrl(context), "GET", "", | ||
HttpFetch(GetReleaseUrl(*context.get()), "GET", "", | ||
[context, final_continuation, checker](Status status, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we just do "*context" to convert shared_ptr to const T&?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
return RequireAuth() && config_->server_config() && | ||
!config_->server_config() | ||
->api_check_security_rules_config() | ||
.firebase_server() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you may need to call has_ first before you access its members.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added it. For some reason this is not being done in other parts of the code. I am adding this check in one place I know.
char *json_str = | ||
grpc_json_dump_to_string(const_cast<::grpc_json *>(grpc_json), 0); | ||
user_info->claims = json_str == nullptr ? "" : json_str; | ||
gpr_free(json_str); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you probably want to check if json_str
is nullptr
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops.
namespace { | ||
|
||
const char kFirebaseServerStaging[] = | ||
"https://staging-firebaserules.sandbox.googleapis.com/"; | ||
|
||
const char kFirebaseService[] = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where are these two constants used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will delete them once i have done more testing.
|
||
std::string GetOperation(std::string &httpMethod) { | ||
if (httpMethod == "POST") { | ||
return std::string("create"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make these constant
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Some parts of the code were using them as I have done. I did not know this was a strict rule.
request->set_method(method).set_url(url).set_auth_token(GetAuthToken()); | ||
|
||
if (method != "GET") { | ||
request->set_header("Content-Type", "application/json") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make these constant too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have removed as many string constants from code as I could. Let me know if you think there are more that need to be changed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just add a simple config_test for firebase_server for now.
In a separate PR, add check_security_rules_test.cc, similar to auth_check_test.cc
|
||
const std::string GetFirebaseServer(const context::RequestContext &context) { | ||
return context.service_context() | ||
->config() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make a GetFireBaseServer() function in Config class. Later when service_config is ready, get it from there. Only need to change that function.
const char kContentType[] = "Content-Type"; | ||
const char kApplication[] = "application/json"; | ||
|
||
const std::string GetFirebaseServer(const context::RequestContext &context) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still don't understand the purpose of "const" in
const std::string foo()
what is this const for?
|
||
const std::string GetReleaseName(const context::RequestContext &context) { | ||
return context.service_context()->service_name() + ":" + | ||
context.service_context()->service().apis(0).version(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
when enabling firebase, need to make sure apis.size() == 1.
grpc_json_dump_to_string(const_cast<::grpc_json *>(grpc_json), 0); | ||
user_info->claims = json_str == nullptr ? "" : json_str; | ||
if (json_str != nullptr) { | ||
gpr_free(json_str); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
move the line above in here? member std::string is default to "", so you just need to assign once.
@@ -66,7 +66,8 @@ class ServiceContext { | |||
} | |||
|
|||
bool IsRulesCheckEnabled() const { | |||
return RequireAuth() && config_->server_config() && | |||
return RequireAuth() && service().apis_size() > 0 && | |||
config_->server_config() && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can we call config->GEtFirebaseServer()?
|
||
auto server = config->GetFirebaseServer(); | ||
ASSERT_EQ(server, "https://myfirebaseserver.com/"); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you add a test case with a non-empty server_config, but no api_check_security_rules_config.
* Created check security rules file and a few dummy/helper functions. (#40) * Created check security rules file and a few dummy/helper functions. And added it to check work flow. * Fix format. * Firebase: Merge from master. (#53) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (#38) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect * Fixed style. * Rebase Envoy (#41) * Update prototype to use iptables (#42) * Rebase to fixed Envoy (#43) * Handle HEAD request. (#34) * Handle HEAD request. * Try with GET if HEAD fails. * Address comments. * Format file. * Expose bazel target (#48) * Try again (#49) * Enable ESP to invoke Firebase Security rules. (#54) * Enable ESP to invoke Firebase Security rules. * Address code review comments. * Remove some debug logs * Add proto file to capture TestRulesetRequest. * clang-format files * Resolve a merge issue with previous commit * Allow security rules to disabled via serverconfig * format file * Addressed Wayne's review comments. * Add firebase server to Server Config. * Address Lizan's review comments * Address review comments. * Disable check rules service by default. * Address more review comments. * Fix a check. * Delete unwanted constant. * Address Wayne's comments and add a simple config test. * Address a review comment. * Add negative test case for config * Address code review * Remove unwanted const std::string * Merge from master into firebase (#65) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (#38) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect * Fixed style. * Rebase Envoy (#41) * Update prototype to use iptables (#42) * Rebase to fixed Envoy (#43) * Handle HEAD request. (#34) * Handle HEAD request. * Try with GET if HEAD fails. * Address comments. * Format file. * Expose bazel target (#48) * Try again (#49) * Integrate with mixer client. (#55) * Integrate with mixer client. * Restore repositories.bzl back. * Add originIp and originHost attributes. (#56) * Add uuid-dev dependency in README.md (#45) * Extract originIp and OriginHost. (#57) * Extract originIp and OriginHost. * Make header x-forwarded-host const. * Update buckets for UI. (#58) * Update buckets for UI. * Only update time_distribution. * Add targetService attribute. (#59) * Use envoy new access_log handler for sending Report. (#60) * use access_log handler. * Not to use Loggable base class. * Update to the latest envoy with #396. (#61) * Fix tclap dependency fetching error (#62) * Update the auth checke to use service.experimental.authorization.providerwq! * Update the auth check to use service.experimental.authorization.provider * Update the auth check to use service.experimental.authorization.provider (#67) * Update the auth check to use service.experimental.authorization.provider * Address comments and revert accidental change. * Remove unnecessary added accidentally. * Another patch * fix the logic * fix lint * Fix broken test and add unit tests * Fix comments * Fix style check * revert style for raw string * fix small lint * fix small lint * fix small lint * Unit tests for check security rules. (#75) * Unit tests for check security rules. * format * Address review comments. * Fix typos * Merge from master to firebase (#143) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (#38) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect * Fixed style. * Rebase Envoy (#41) * Update prototype to use iptables (#42) * Rebase to fixed Envoy (#43) * Handle HEAD request. (#34) * Handle HEAD request. * Try with GET if HEAD fails. * Address comments. * Format file. * Expose bazel target (#48) * Try again (#49) * Integrate with mixer client. (#55) * Integrate with mixer client. * Restore repositories.bzl back. * Add originIp and originHost attributes. (#56) * Add uuid-dev dependency in README.md (#45) * Extract originIp and OriginHost. (#57) * Extract originIp and OriginHost. * Make header x-forwarded-host const. * Update buckets for UI. (#58) * Update buckets for UI. * Only update time_distribution. * Add targetService attribute. (#59) * Use envoy new access_log handler for sending Report. (#60) * use access_log handler. * Not to use Loggable base class. * Update to the latest envoy with #396. (#61) * Fix tclap dependency fetching error (#62) * Integrate mixer client directly with envoy. (#66) * Integrate mixer client directly with envoy. * Send response header in Report. * rename filter name from esp to mixer. * add README. * Add release binary script. (#68) * Push tar.gz to GCS (#69) * Push tar.gz to GCS * Rename envoy_esp * Remove mixer_client from api_manager. (#72) * Update mixer client SHA. (#74) * Update readme. (#73) * Adds Jenkinsfile and updates release-binary to create a SHA. (#71) * Adds Jenkinsfile and update release-binary * Update Jenkinsfile and gitignore * Fixes typo and use normal build Node * Uses default bazel config * Using batch mode * Update bazel memory settings * Do not use Jenkins bazel env * Set .bazelrc for postsubmit * Update grpc and protobuf (#70) * protobuf v3.2.0 * grpc v1.1.1 * Align auth lib with grpc 1.1.1 * Add sourceService. (#78) * Add script to build docker image. (#77) * Add script to build docker image. * Add start_envoy for docker image. * Use official attribute names (#80) * Use official attribute names * fix format * Creates a KEY for mixer client dep. Updates release-binary (#79) * Updated mixer repo to use a key for commit * release-binary skip build if file exists. * Update src/envoy/mixer/README. (#82) * Fix src/envoy/mixer/README.md (#85) * Get attributes from envoy config. (#87) * Send all attributes. * Remove unused const strings. * Address comment. * updated SHA to point to newer envoy with RDS API feature (#94) * Disable travis on stable branches (#96) * Publish debug binaries (no release yet) (#98) * Copies the binary instead of linking for release (#102) * Not to use api_key if its service is not actived. (#109) * Update envoy and add c-ares (#107) * Update envoy and add c-ares depedencies * Update release script with debug and normal binary * remove debug ls * formatting * Send StatusCode Attributes to Mixer. (#110) * Add send_attribute filter. (#115) * Add send_attribute filter. * Fix format * rename variable serialized_attributes_ * Address the comments. * Fail request if api_key is not valid. (#116) * Fail request if api_key is not valid. * Format code. * Update comments. * Address comment. * Rename response.http.code (#125) * Send headers as string map. (#129) * Send headers as string map. * Remove origin.ip and origin.host. * Fix format * unify bazel's docker build targets with other istio repos (#127) * update base debug docker image reference (#133) * Update postsubmit to create docker images (#132) * Adding config release for bazel build (#135) * Fix mixer client crash. (#136) * Get mixerclient with response parsing. (#138) * Update nghttp2 to sync with envoy (#140) * Fix src/envoy/mixer/README.md * Update nghttp2 to sync with envoy * update * fix typo * Merge from master to firebase (#159) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (#38) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect * Fixed style. * Rebase Envoy (#41) * Update prototype to use iptables (#42) * Rebase to fixed Envoy (#43) * Handle HEAD request. (#34) * Handle HEAD request. * Try with GET if HEAD fails. * Address comments. * Format file. * Expose bazel target (#48) * Try again (#49) * Integrate with mixer client. (#55) * Integrate with mixer client. * Restore repositories.bzl back. * Add originIp and originHost attributes. (#56) * Add uuid-dev dependency in README.md (#45) * Extract originIp and OriginHost. (#57) * Extract originIp and OriginHost. * Make header x-forwarded-host const. * Update buckets for UI. (#58) * Update buckets for UI. * Only update time_distribution. * Add targetService attribute. (#59) * Use envoy new access_log handler for sending Report. (#60) * use access_log handler. * Not to use Loggable base class. * Update to the latest envoy with #396. (#61) * Fix tclap dependency fetching error (#62) * Integrate mixer client directly with envoy. (#66) * Integrate mixer client directly with envoy. * Send response header in Report. * rename filter name from esp to mixer. * add README. * Add release binary script. (#68) * Push tar.gz to GCS (#69) * Push tar.gz to GCS * Rename envoy_esp * Remove mixer_client from api_manager. (#72) * Update mixer client SHA. (#74) * Update readme. (#73) * Adds Jenkinsfile and updates release-binary to create a SHA. (#71) * Adds Jenkinsfile and update release-binary * Update Jenkinsfile and gitignore * Fixes typo and use normal build Node * Uses default bazel config * Using batch mode * Update bazel memory settings * Do not use Jenkins bazel env * Set .bazelrc for postsubmit * Update grpc and protobuf (#70) * protobuf v3.2.0 * grpc v1.1.1 * Align auth lib with grpc 1.1.1 * Add sourceService. (#78) * Add script to build docker image. (#77) * Add script to build docker image. * Add start_envoy for docker image. * Use official attribute names (#80) * Use official attribute names * fix format * Creates a KEY for mixer client dep. Updates release-binary (#79) * Updated mixer repo to use a key for commit * release-binary skip build if file exists. * Update src/envoy/mixer/README. (#82) * Fix src/envoy/mixer/README.md (#85) * Get attributes from envoy config. (#87) * Send all attributes. * Remove unused const strings. * Address comment. * updated SHA to point to newer envoy with RDS API feature (#94) * Disable travis on stable branches (#96) * Publish debug binaries (no release yet) (#98) * Copies the binary instead of linking for release (#102) * Not to use api_key if its service is not actived. (#109) * Update envoy and add c-ares (#107) * Update envoy and add c-ares depedencies * Update release script with debug and normal binary * remove debug ls * formatting * Send StatusCode Attributes to Mixer. (#110) * Add send_attribute filter. (#115) * Add send_attribute filter. * Fix format * rename variable serialized_attributes_ * Address the comments. * Fail request if api_key is not valid. (#116) * Fail request if api_key is not valid. * Format code. * Update comments. * Address comment. * Rename response.http.code (#125) * Send headers as string map. (#129) * Send headers as string map. * Remove origin.ip and origin.host. * Fix format * unify bazel's docker build targets with other istio repos (#127) * update base debug docker image reference (#133) * Update postsubmit to create docker images (#132) * Adding config release for bazel build (#135) * Fix mixer client crash. (#136) * Get mixerclient with response parsing. (#138) * Update nghttp2 to sync with envoy (#140) * Fix src/envoy/mixer/README.md * Update nghttp2 to sync with envoy * update * fix typo * Populate origin.user attribute from the SAN field of client cert (#142) * Test * test * test * revert file * address comments * test * fix typo * fix format * fix format * Update to latest mixer_client. (#145) * Update to latest mixer_client. * Updated the sha. * Not call report if decodeHeaders is not called. (#150) * Update mixerclient with sync-ed grpc write and fail-fast. (#155) * Update mixerclient with sync-ed write and fail-fast. * Update to latest test. * Update again * Update envoy to PR553 (#156) * Update envoy to PR553 * Update libevent to 2.1.8 * Update the Commit id for envoy * Allow for HTTP based function from Firebase rules (#202) * Allow for HTTP based function from Firebase rules * Fix code style check * Added more comments. * Fix style issues. * Address code review comments from Limin and Lizan. * Add more comments and address CR comments. * Fix a typo. * Address Wayne's CR comments. * Merge from master to firebase (#237) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (#38) * Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect * Fixed style. * Rebase Envoy (#41) * Update prototype to use iptables (#42) * Rebase to fixed Envoy (#43) * Handle HEAD request. (#34) * Handle HEAD request. * Try with GET if HEAD fails. * Address comments. * Format file. * Expose bazel target (#48) * Try again (#49) * Integrate with mixer client. (#55) * Integrate with mixer client. * Restore repositories.bzl back. * Add originIp and originHost attributes. (#56) * Add uuid-dev dependency in README.md (#45) * Extract originIp and OriginHost. (#57) * Extract originIp and OriginHost. * Make header x-forwarded-host const. * Update buckets for UI. (#58) * Update buckets for UI. * Only update time_distribution. * Add targetService attribute. (#59) * Use envoy new access_log handler for sending Report. (#60) * use access_log handler. * Not to use Loggable base class. * Update to the latest envoy with #396. (#61) * Fix tclap dependency fetching error (#62) * Integrate mixer client directly with envoy. (#66) * Integrate mixer client directly with envoy. * Send response header in Report. * rename filter name from esp to mixer. * add README. * Add release binary script. (#68) * Push tar.gz to GCS (#69) * Push tar.gz to GCS * Rename envoy_esp * Remove mixer_client from api_manager. (#72) * Update mixer client SHA. (#74) * Update readme. (#73) * Adds Jenkinsfile and updates release-binary to create a SHA. (#71) * Adds Jenkinsfile and update release-binary * Update Jenkinsfile and gitignore * Fixes typo and use normal build Node * Uses default bazel config * Using batch mode * Update bazel memory settings * Do not use Jenkins bazel env * Set .bazelrc for postsubmit * Update grpc and protobuf (#70) * protobuf v3.2.0 * grpc v1.1.1 * Align auth lib with grpc 1.1.1 * Add sourceService. (#78) * Add script to build docker image. (#77) * Add script to build docker image. * Add start_envoy for docker image. * Use official attribute names (#80) * Use official attribute names * fix format * Creates a KEY for mixer client dep. Updates release-binary (#79) * Updated mixer repo to use a key for commit * release-binary skip build if file exists. * Update src/envoy/mixer/README. (#82) * Fix src/envoy/mixer/README.md (#85) * Get attributes from envoy config. (#87) * Send all attributes. * Remove unused const strings. * Address comment. * updated SHA to point to newer envoy with RDS API feature (#94) * Disable travis on stable branches (#96) * Publish debug binaries (no release yet) (#98) * Copies the binary instead of linking for release (#102) * Not to use api_key if its service is not actived. (#109) * Update envoy and add c-ares (#107) * Update envoy and add c-ares depedencies * Update release script with debug and normal binary * remove debug ls * formatting * Send StatusCode Attributes to Mixer. (#110) * Add send_attribute filter. (#115) * Add send_attribute filter. * Fix format * rename variable serialized_attributes_ * Address the comments. * Fail request if api_key is not valid. (#116) * Fail request if api_key is not valid. * Format code. * Update comments. * Address comment. * Rename response.http.code (#125) * Send headers as string map. (#129) * Send headers as string map. * Remove origin.ip and origin.host. * Fix format * unify bazel's docker build targets with other istio repos (#127) * update base debug docker image reference (#133) * Update postsubmit to create docker images (#132) * Adding config release for bazel build (#135) * Fix mixer client crash. (#136) * Get mixerclient with response parsing. (#138) * Update nghttp2 to sync with envoy (#140) * Fix src/envoy/mixer/README.md * Update nghttp2 to sync with envoy * update * fix typo * Populate origin.user attribute from the SAN field of client cert (#142) * Test * test * test * revert file * address comments * test * fix typo * fix format * fix format * Update to latest mixer_client. (#145) * Update to latest mixer_client. * Updated the sha. * Not call report if decodeHeaders is not called. (#150) * Update mixerclient with sync-ed grpc write and fail-fast. (#155) * Update mixerclient with sync-ed write and fail-fast. * Update to latest test. * Update again * Update envoy to PR553 (#156) * Update envoy to PR553 * Update libevent to 2.1.8 * Uses a specific version of the Shared Pipeline lib (#158) * Update lyft/envoy commit Id to latest. (#161) * Update lyft/envoy commit Id to latest. * Remove the comment about pull request * Add new line - will delete in next commit. * Update repositories.bzl (#169) * Always set response latency (#172) * Update mixerclient to sync_transport change. (#178) * Use opaque config to turn on/off forward attribute and mixer filter (#179) * Modify mixer filter * Swap defaults * Make the filter decoder only * cache mixer disabled decision * Fix a bug in opaque config change and test it out (#182) * Fix a bug and test it out * Update filter type * Update README.md * Update mixer client to mixer api with gogoproto. (#184) * Move .bazelrc to tools/bazel.rc (#186) * Move .bazelrc to tools/bazel.rc * Update Jenkinsfile with latest version of pipeline * Support apikey based traffic restriction (#189) * b/36368559 support apikey based traffic restriction * Fixed code formatting * Fix crash in unreachable/overloaded RDS (#190) * Add mixer client end to end integration test. (#177) * Add mixer client end to end integration test. * Split some repositories into a separate file. * use real mixer for fake mixer_server. * Test repository * use mixer bzl file. * Use mixer repositories * Not to use mixer repository. * Add return line at the end of WORKSPACE. * Fix broken link (#193) * Make quota call (#192) * hookup quota call * Make quota call. * Update indent. * Update envoy and update configs (#195) * Update envoy and update configs * Use gcc-4.9 for travis * Use bazel 0.4.5 * Fix SHA of lightstep-tracer-common * Enable check cache and refactory mixer config loading (#197) * Refactory the mixer config loading. * fix format * Add integration test. * updated README.md * s/send/sent/ * Split into separate tests. (#201) * Update README on how to enable check cache. (#204) * Update README on how to enable check cache. * Update the comment. * build: support Envoy native Bazel build. (#210) * build: support Envoy native Bazel build. This patch switches the Envoy build from src/envoy/repositories.bzl to using the upstream native build. See envoyproxy/envoy#663 for the corresponding changes on the Envoy side. * Use Envoy master with BUILD.wip rename merged. * Fix clang-format issues. * Fixes bazel.rc issues (#212) * Fixes bazel rc issues * Update Jenkins to latest pipeline version * Fix go build (#224) * Use TranscoderInputStream to reduce confusion around ByteCount() (#225) * Add TranscoderInputStream to reduce confusion * fix_format * Merge latest changes from rate_limiting to master (#221) * Point to googleapi in service control client. (#91) * Point to googleapi in service control client. * Use git repository for service-control-client. * Merge latest changes from master (#104) * Get attributes from envoy config. (#87) * Send all attributes. * Remove unused const strings. * Address comment. * updated SHA to point to newer envoy with RDS API feature (#94) * Disable travis on stable branches (#96) * Publish debug binaries (no release yet) (#98) * Copies the binary instead of linking for release (#102) * Extract quota config from service config. (#101) * Add metric_cost in config. * Remove group rules. * Call loadQuotaConfig in config::create. * Update latest update from master branch (#106) * Get attributes from envoy config. (#87) * Send all attributes. * Remove unused const strings. * Address comment. * updated SHA to point to newer envoy with RDS API feature (#94) * Disable travis on stable branches (#96) * Publish debug binaries (no release yet) (#98) * Copies the binary instead of linking for release (#102) * Added quota contoll without the service control client library (#93) * Added quota contoll without the service control client library * Applied code review * Applied code review * Resolve conflicts * Resolve conflicts * Fixed format error reported by script/check-style * Fixed a bug at Aggregated::GetAuthToken that causes Segmentation Fault * Changed usage of template funcion * Applied latest changes from the repo * Applied latest changes from the repo * Applied latest changes from the repo * Adde comments * Updated log information * Applied #101 * Changed metric_cost_map to metric_cost_vector * Fixed test case compilation error * Fixed test case compilation error * Add unit test for quota config. (#108) * Add unit test for quota config. * Add comments. * Update test specifics. * Merge latest changes from master branch (#112) * Get attributes from envoy config. (#87) * Send all attributes. * Remove unused const strings. * Address comment. * updated SHA to point to newer envoy with RDS API feature (#94) * Disable travis on stable branches (#96) * Publish debug binaries (no release yet) (#98) * Copies the binary instead of linking for release (#102) * Not to use api_key if its service is not actived. (#109) * If QuotaControl service is not available, return utils::Status::OK (#113) * If QuotaControl service is not available, return utils::Status::OK * Updated comment * Return HTTP status code 429 on google.rpc.Code.RESOURCE_EXHAUSTED (#119) * Fixed incorrectly resolved conflicts (#123) * Added unit test cases for rate limiting (#124) * Fixed incorrectly resolved conflicts * Added unit test cases for rate limiting * Added unit test cases for rate limiting * Added unit test cases for rate limiting * Added unit test cases for rate limiting * Added unit test cases for rate limiting * Added unit test cases for rate limiting * Rename response.http.code (#125) (#128) * Added handling of error code QUOTA_SYSTEM_UNAVAILABLE (#148) * Integrated service control client library with quota cache aggregation (#149) * Fixed error on merge (#151) * Integrated service control client library with quota cache aggregation * Fixed error on merge * Fixed the compatibility issue with the latest update on esp (#152) * Removed copied proto files (#208) * Set default allocate quota request timeout to 1sec and applied latest service control client library change (#211) * Merged key_restriction related changes from master (#213) * Merge latest changes from master branch (#217) * Not call report if decodeHeaders is not called. (#150) * Update mixerclient with sync-ed grpc write and fail-fast. (#155) * Update mixerclient with sync-ed write and fail-fast. * Update to latest test. * Update again * Update envoy to PR553 (#156) * Update envoy to PR553 * Update libevent to 2.1.8 * Uses a specific version of the Shared Pipeline lib (#158) * Update lyft/envoy commit Id to latest. (#161) * Update lyft/envoy commit Id to latest. * Remove the comment about pull request * Add new line - will delete in next commit. * Update repositories.bzl (#169) * Always set response latency (#172) * Update mixerclient to sync_transport change. (#178) * Use opaque config to turn on/off forward attribute and mixer filter (#179) * Modify mixer filter * Swap defaults * Make the filter decoder only * cache mixer disabled decision * Fix a bug in opaque config change and test it out (#182) * Fix a bug and test it out * Update filter type * Update README.md * Update mixer client to mixer api with gogoproto. (#184) * Move .bazelrc to tools/bazel.rc (#186) * Move .bazelrc to tools/bazel.rc * Update Jenkinsfile with latest version of pipeline * Support apikey based traffic restriction (#189) * b/36368559 support apikey based traffic restriction * Fixed code formatting * Fix crash in unreachable/overloaded RDS (#190) * Add mixer client end to end integration test. (#177) * Add mixer client end to end integration test. * Split some repositories into a separate file. * use real mixer for fake mixer_server. * Test repository * use mixer bzl file. * Use mixer repositories * Not to use mixer repository. * Add return line at the end of WORKSPACE. * Fix broken link (#193) * Make quota call (#192) * hookup quota call * Make quota call. * Update indent. * Update envoy and update configs (#195) * Update envoy and update configs * Use gcc-4.9 for travis * Use bazel 0.4.5 * Fix SHA of lightstep-tracer-common * Enable check cache and refactory mixer config loading (#197) * Refactory the mixer config loading. * fix format * Add integration test. * updated README.md * s/send/sent/ * Split into separate tests. (#201) * Update README on how to enable check cache. (#204) * Update README on how to enable check cache. * Update the comment. * build: support Envoy native Bazel build. (#210) * build: support Envoy native Bazel build. This patch switches the Envoy build from src/envoy/repositories.bzl to using the upstream native build. See envoyproxy/envoy#663 for the corresponding changes on the Envoy side. * Use Envoy master with BUILD.wip rename merged. * Fix clang-format issues. * Fixes bazel.rc issues (#212) * Fixes bazel rc issues * Update Jenkins to latest pipeline version * Updated the commit id of cloudendpoints/service-control-client-cxx (#218) * Update commitid of cloudendpoints/service-control-client-cxx repo (#220) * Send delta metrics for intermediate reports. (#219) * Send delta metrics for intermediate reports. * Move last_request_bytes/last_response_bytes to RequestContext. * Handle final report. * Address comment. * Update attributes to match the canonical attribute list. (#232) * Update response.http.code to response.code and response.latency to response.duration to line up with the canonical attributes in istio/istio.github.io/docs/concepts/attributes.md * Format according to clang-format * Add envoy Buffer based TranscoderInputStream (#231) * Add envoy Buffer based TranscoderInputStream * fix format * A few doc changes for consistency across repos. (#235) * Add repositories.bzl * Added missing export setting in bazel configuration (#236) * Added export missing in bazel configuration * Added export missing in bazel configuration * Allow HTTP functions in firebase rules to specify audience (#244) * Allow HTTP functions in firebase rules to specify audience * Allow GetAuthToken to ignore cache and fix style checks. * Fix GetAuthToken * Address Wayne's comment * Check for empty response body * Remove .bazelrc.jenkins file not present in the master branch. * Remove forward_attribute_filter.cc not present in master.
* Trigger tests and build images * Point Envoy dep to the istio/envoy repo.
No description provided.