reverse_tunnels: add validation in the network filter

Signed-off-by: Rohit Agrawal <[email protected]>

Author: agrawroh

api/envoy/extensions/filters/network/reverse_tunnel/v3/BUILD

@@ -8,5 +8,6 @@ api_proto_package(
     deps = [
         "//envoy/config/core/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",
+        "@com_github_cncf_xds//xds/type/matcher/v3:pkg",
     ],
 )

api/envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto

@@ -6,6 +6,8 @@ import "envoy/config/core/v3/base.proto";
 
 import "google/protobuf/duration.proto";
 
+import "xds/type/matcher/v3/matcher.proto";
+
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
 
@@ -19,9 +21,18 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Reverse Tunnel Network Filter :ref:`configuration overview <config_network_filters_reverse_tunnel>`.
 // [#extension: envoy.filters.network.reverse_tunnel]
 
-// Configuration for the reverse tunnel network filter.
-// This filter handles reverse tunnel connection acceptance and rejection by processing
+// The Reverse Tunnel filter handles reverse tunnel connection acceptance and rejection by processing
 // HTTP requests where required identification values are provided via HTTP headers.
+//
+// The filter operates as a terminal filter when processing reverse tunnel requests, meaning it
+// stops the filter chain after processing and manages connection lifecycle. It extracts node ID,
+// cluster ID, and tenant ID from HTTP headers and optionally validates these values using the
+// generic matcher framework.
+//
+// The filter supports configurable validation rules that can match against the extracted identifiers
+// using various matcher types including string matching, regular expressions, and custom matchers.
+// Requests that fail validation are rejected with HTTP 403 Forbidden.
+// [#next-free-field: 6]
 message ReverseTunnel {
   // Ping interval for health checks on established reverse tunnel connections.
   // If not specified, defaults to 2 seconds.
@@ -31,15 +42,70 @@ message ReverseTunnel {
   }];
 
   // Whether to automatically close connections after processing reverse tunnel requests.
-  // When set to true, connections are closed after acceptance or rejection.
-  // When set to false, connections remain open for potential reuse. Defaults to false.
+  // When set to ``true``, connections are closed after acceptance or rejection.
+  // When set to ``false``, connections remain open for potential reuse. Defaults to ``false``.
   bool auto_close_connections = 2;
 
   // HTTP path to match for reverse tunnel requests.
-  // If not specified, defaults to "/reverse_connections/request".
+  // If not specified, defaults to ``/reverse_connections/request``.
   string request_path = 3 [(validate.rules).string = {min_len: 1 max_len: 255 ignore_empty: true}];
 
   // HTTP method to match for reverse tunnel requests.
   // If not specified (``METHOD_UNSPECIFIED``), this defaults to ``GET``.
   config.core.v3.RequestMethod request_method = 4 [(validate.rules).enum = {defined_only: true}];
+
+  // Optional validation matcher to apply to node and cluster identifiers using the generic matcher framework.
+  // If specified, the matcher will be evaluated against the extracted ``node_id`` and ``cluster_id`` from
+  // the incoming reverse connection handshake. Requests that fail validation will be rejected with
+  // HTTP ``403 Forbidden``.
+  //
+  // The matcher can use various input types including:
+  //
+  // * Custom inputs like ``envoy.matching.inputs.reverse_tunnel_node_id`` and
+  //   ``envoy.matching.inputs.reverse_tunnel_cluster_id`` to match against the extracted identifiers.
+  // * Standard inputs like dynamic metadata, filter state, or connection properties.
+  // * String matching, regular expressions, or custom matcher extensions.
+  //
+  // Example configuration for validating both ``node_id`` and ``cluster_id``:
+  //
+  // .. code-block:: yaml
+  //
+  //    validation_matcher:
+  //      matcher_list:
+  //        matchers:
+  //          - predicate:
+  //              and_matcher:
+  //                predicate:
+  //                  - predicate:
+  //                      single_predicate:
+  //                        input:
+  //                          name: envoy.matching.inputs.reverse_tunnel_node_id
+  //                          typed_config:
+  //                            "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.NodeIdInput
+  //                        value_match:
+  //                          exact: expected-node
+  //                  - predicate:
+  //                      single_predicate:
+  //                        input:
+  //                          name: envoy.matching.inputs.reverse_tunnel_cluster_id
+  //                          typed_config:
+  //                            "@type": type.googleapis.com/envoy.extensions.filters.network.reverse_tunnel.v3.ClusterIdInput
+  //                        value_match:
+  //                          prefix: cluster-
+  //            on_match:
+  //              action:
+  //                name: skip
+  //                typed_config:
+  //                  "@type": type.googleapis.com/envoy.extensions.filters.common.matcher.action.v3.SkipFilter
+  xds.type.matcher.v3.Matcher validation_matcher = 5;
+}
+
+// Custom input for the generic matcher that provides the node ID value
+// extracted from the ``x-envoy-reverse-tunnel-node-id`` HTTP header.
+message NodeIdInput {
+}
+
+// Custom input for the generic matcher that provides the cluster ID value
+// extracted from the ``x-envoy-reverse-tunnel-cluster-id`` HTTP header.
+message ClusterIdInput {
 }

source/extensions/filters/network/reverse_tunnel/BUILD

@@ -21,13 +21,32 @@ envoy_cc_extension(
     ],
 )
 
+envoy_cc_library(
+    name = "inputs_lib",
+    srcs = ["inputs.cc"],
+    hdrs = ["inputs.h"],
+    deps = [
+        "//envoy/matcher:matcher_interface",
+        "//envoy/server:factory_context_interface",
+        "//source/common/network/matching:data_impl_lib",
+        "@envoy_api//envoy/extensions/filters/network/reverse_tunnel/v3:pkg_cc_proto",
+    ],
+)
+
 envoy_cc_library(
     name = "reverse_tunnel_filter_lib",
-    srcs = ["reverse_tunnel_filter.cc"],
-    hdrs = ["reverse_tunnel_filter.h"],
+    srcs = [
+        "inputs.cc",
+        "reverse_tunnel_filter.cc",
+    ],
+    hdrs = [
+        "inputs.h",
+        "reverse_tunnel_filter.h",
+    ],
     deps = [
         "//envoy/buffer:buffer_interface",
         "//envoy/http:codec_interface",
+        "//envoy/matcher:matcher_interface",
         "//envoy/network:connection_interface",
         "//envoy/network:filter_interface",
         "//envoy/ssl:connection_interface",
@@ -41,7 +60,9 @@ envoy_cc_library(
         "//source/common/http/http1:codec_lib",
         "//source/common/http/http1:codec_stats_lib",
         "//source/common/http/http1:settings_lib",
+        "//source/common/matcher:matcher_lib",
         "//source/common/network:connection_socket_lib",
+        "//source/common/network/matching:data_impl_lib",
         "//source/common/protobuf",
         "//source/common/protobuf:message_validator_lib",
         "//source/common/protobuf:utility_lib",

source/extensions/filters/network/reverse_tunnel/inputs.cc

@@ -0,0 +1,53 @@
+#include "source/extensions/filters/network/reverse_tunnel/inputs.h"
+
+#include "source/common/protobuf/utility.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace NetworkFilters {
+namespace ReverseTunnel {
+
+Matcher::DataInputGetResult NodeIdInput::get(const Network::MatchingData& data) const {
+  // Try to cast to our custom matching data implementation.
+  const auto* rt_data = dynamic_cast<const ReverseTunnelMatchingDataImpl*>(&data);
+  if (rt_data != nullptr) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+            std::string(rt_data->nodeId())};
+  }
+
+  // If we can't get the data, return no data (monostate).
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::monostate()};
+}
+
+Matcher::DataInputGetResult ClusterIdInput::get(const Network::MatchingData& data) const {
+  // Try to cast to our custom matching data implementation.
+  const auto* rt_data = dynamic_cast<const ReverseTunnelMatchingDataImpl*>(&data);
+  if (rt_data != nullptr) {
+    return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable,
+            std::string(rt_data->clusterId())};
+  }
+
+  // If we can't get the data, return no data (monostate).
+  return {Matcher::DataInputGetResult::DataAvailability::AllDataAvailable, absl::monostate()};
+}
+
+Matcher::DataInputFactoryCb<Network::MatchingData>
+NodeIdInputFactory::createDataInputFactoryCb(const Protobuf::Message&,
+                                             ProtobufMessage::ValidationVisitor&) {
+  return []() { return std::make_unique<NodeIdInput>(); };
+}
+
+Matcher::DataInputFactoryCb<Network::MatchingData>
+ClusterIdInputFactory::createDataInputFactoryCb(const Protobuf::Message&,
+                                                ProtobufMessage::ValidationVisitor&) {
+  return []() { return std::make_unique<ClusterIdInput>(); };
+}
+
+// Register the input factories.
+REGISTER_FACTORY(NodeIdInputFactory, Matcher::DataInputFactory<Network::MatchingData>);
+REGISTER_FACTORY(ClusterIdInputFactory, Matcher::DataInputFactory<Network::MatchingData>);
+
+} // namespace ReverseTunnel
+} // namespace NetworkFilters
+} // namespace Extensions
+} // namespace Envoy

source/extensions/filters/network/reverse_tunnel/inputs.h

@@ -0,0 +1,76 @@
+#pragma once
+
+#include "envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.pb.h"
+#include "envoy/matcher/matcher.h"
+#include "envoy/server/factory_context.h"
+
+#include "source/common/network/matching/data_impl.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace NetworkFilters {
+namespace ReverseTunnel {
+
+// Custom matching data that extends Network::MatchingDataImpl to provide node_id and cluster_id.
+class ReverseTunnelMatchingDataImpl : public Network::Matching::MatchingDataImpl {
+public:
+  ReverseTunnelMatchingDataImpl(absl::string_view node_id, absl::string_view cluster_id,
+                                const Network::ConnectionSocket& socket,
+                                const StreamInfo::FilterState& filter_state,
+                                const envoy::config::core::v3::Metadata& dynamic_metadata)
+      : Network::Matching::MatchingDataImpl(socket, filter_state, dynamic_metadata),
+        node_id_(node_id), cluster_id_(cluster_id) {}
+
+  absl::string_view nodeId() const { return node_id_; }
+  absl::string_view clusterId() const { return cluster_id_; }
+
+private:
+  const std::string node_id_;
+  const std::string cluster_id_;
+};
+
+// Input that provides the node ID value from reverse tunnel request headers.
+class NodeIdInput : public Matcher::DataInput<Network::MatchingData> {
+public:
+  Matcher::DataInputGetResult get(const Network::MatchingData& data) const override;
+};
+
+// Input that provides the cluster ID value from reverse tunnel request headers.
+class ClusterIdInput : public Matcher::DataInput<Network::MatchingData> {
+public:
+  Matcher::DataInputGetResult get(const Network::MatchingData& data) const override;
+};
+
+// Factory for NodeIdInput.
+class NodeIdInputFactory : public Matcher::DataInputFactory<Network::MatchingData> {
+public:
+  std::string name() const override { return "envoy.matching.inputs.reverse_tunnel_node_id"; }
+
+  Matcher::DataInputFactoryCb<Network::MatchingData>
+  createDataInputFactoryCb(const Protobuf::Message& config,
+                           ProtobufMessage::ValidationVisitor&) override;
+
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override {
+    return std::make_unique<envoy::extensions::filters::network::reverse_tunnel::v3::NodeIdInput>();
+  }
+};
+
+// Factory for ClusterIdInput.
+class ClusterIdInputFactory : public Matcher::DataInputFactory<Network::MatchingData> {
+public:
+  std::string name() const override { return "envoy.matching.inputs.reverse_tunnel_cluster_id"; }
+
+  Matcher::DataInputFactoryCb<Network::MatchingData>
+  createDataInputFactoryCb(const Protobuf::Message& config,
+                           ProtobufMessage::ValidationVisitor&) override;
+
+  ProtobufTypes::MessagePtr createEmptyConfigProto() override {
+    return std::make_unique<
+        envoy::extensions::filters::network::reverse_tunnel::v3::ClusterIdInput>();
+  }
+};
+
+} // namespace ReverseTunnel
+} // namespace NetworkFilters
+} // namespace Extensions
+} // namespace Envoy