init codebase

Author: AlwaysNoobCoder

Dockerfile

@@ -0,0 +1,3 @@
+FROM scratch
+
+COPY main.wasm ./plugin.wasm

Makefile

@@ -0,0 +1,95 @@
+goimports := golang.org/x/tools/cmd/[email protected]
+golangci_lint := github.com/golangci/golangci-lint/cmd/[email protected]
+
+
+.PHONY: build.example
+build.example:
+	@find ./examples -type f -name "main.go" | grep ${name}\
+	| xargs -I {} bash -c 'dirname {}' \
+	| xargs -I {} bash -c 'cd {} && tinygo build -o main.wasm -scheduler=none -target=wasi ./main.go'
+
+
+.PHONY: build.examples
+build.examples:
+	@find ./examples -mindepth 1 -type f -name "main.go" \
+	| xargs -I {} bash -c 'dirname {}' \
+	| xargs -I {} bash -c 'cd {} && tinygo build -o main.wasm -scheduler=none -target=wasi ./main.go'
+
+.PHONY: test
+test:
+	@go test $(shell go list ./... | grep -v e2e)
+	@go test -tags "proxywasm_timing" ./proxywasm/proxytest
+
+.PHONY: test.examples
+test.examples:
+	@find ./examples -mindepth 1 -type f -name "main.go" \
+	| xargs -I {} bash -c 'dirname {}' \
+	| xargs -I {} bash -c 'cd {} && go test ./...'
+
+.PHONY: test.e2e
+test.e2e:
+	@go test -v ./e2e -count=1
+
+.PHONY: test.e2e.single
+test.e2e.single:
+	@go test -v ./e2e -run '/${name}' -count=1
+
+.PHONY: run
+run:
+	@envoy -c ./examples/${name}/envoy.yaml --concurrency 2 --log-format '%v'
+
+.PHONY: lint
+lint:
+	@go run $(golangci_lint) run
+
+.PHONY: format
+format:
+	@find . -type f -name '*.go' | xargs gofmt -s -w
+	@for f in `find . -name '*.go'`; do \
+	    awk '/^import \($$/,/^\)$$/{if($$0=="")next}{print}' $$f > /tmp/fmt; \
+	    mv /tmp/fmt $$f; \
+	done
+	@go run $(goimports) -w -local github.com/tetratelabs/proxy-wasm-go-sdk `find . -name '*.go'`
+
+.PHONY: check
+check:
+	@$(MAKE) format
+	@go mod tidy
+	@if [ ! -z "`git status -s`" ]; then \
+		echo "The following differences will fail CI until committed:"; \
+		git diff --exit-code; \
+	fi
+
+# Build docker images of *compat* variant of Wasm Image Specification with built example binaries,
+# and push to ghcr.io/tetratelabs/proxy-wasm-go-sdk-examples.
+# See https://github.com/solo-io/wasm/blob/master/spec/spec-compat.md for details.
+# Only-used in github workflow on the main branch, and not for developers.
+.PHONY: wasm_image.build_push
+wasm_image.build_push:
+	@for f in `find ./examples -type f -name "main.go"`; do \
+		name=`echo $$f | sed -e 's/\\//-/g' | sed -e 's/\.-examples-//g' -e 's/\-main\.go//g'` ; \
+		ref=ghcr.io/tetratelabs/proxy-wasm-go-sdk-examples:$$name; \
+		docker build -t $$ref . -f examples/wasm-image.Dockerfile --build-arg WASM_BINARY_PATH=$$(dirname $$f)/main.wasm; \
+		docker push $$ref; \
+	done
+
+# Build OCI images of *compat* variant of Wasm Image Specification with built example binaries,
+# and push to ghcr.io/tetratelabs/proxy-wasm-go-sdk-examples.
+# See https://github.com/solo-io/wasm/blob/master/spec/spec-compat.md for details.
+# Only-used in github workflow on the main branch, and not for developers.
+# Requires "buildah" CLI.
+.PHONY: wasm_image.build_push_oci
+wasm_image.build_push_oci:
+	@for f in `find ./examples -type f -name "main.go"`; do \
+		name=`echo $$f | sed -e 's/\\//-/g' | sed -e 's/\.-examples-//g' -e 's/\-main\.go//g'` ; \
+		ref=ghcr.io/tetratelabs/proxy-wasm-go-sdk-examples:$$name-oci; \
+		buildah bud -f examples/wasm-image.Dockerfile --build-arg WASM_BINARY_PATH=$$(dirname $$f)/main.wasm -t $$ref .; \
+		buildah push $$ref; \
+	done
+
+.PHONY: tidy
+tidy: ## Runs go mod tidy on every module
+	@find . -name "go.mod" \
+	| grep go.mod \
+	| xargs -I {} bash -c 'dirname {}' \
+	| xargs -I {} bash -c 'echo "=> {}"; cd {}; go mod tidy -v; '

README.md

@@ -0,0 +1,160 @@
+# JSON Payload validation
+
+This wasm plugin checks whether the request has JSON payload and has required keys in it.
+If not, the wasm plugin ceases the further process of the request and returns 403 immediately.
+
+## Run it via Envoy
+
+`envoy.yaml` is the example envoy config file that you can use for running the wasm plugin
+with standalone Envoy.
+
+Envoy listens on `localhost:18000`, responding to any requests with static content "hello from server".
+However, the wasm plugin also runs to validate the requests' payload.
+
+```bash
+make -C ../.. run name=json_validation
+```
+
+The plugin intercepts the request and makes Envoy return 403 instead of the static content
+if the request has no JSON payload or the payload JSON doesn't have "id" or "token" keys.
+
+```console
+# Returns the normal response when the request has the required keys, id and token.
+curl -X POST localhost:18000 -H 'Content-Type: application/json' --data '{"id": "xxx", "token": "xxx"}'
+hello from the server
+
+# Returns 403 when the request has missing required keys.
+curl -v -X POST localhost:18000 -H 'Content-Type: application/json' --data '"required_keys_missing"'
+Note: Unnecessary use of -X or --request, POST is already inferred.
+*   Trying 127.0.0.1:18000...
+* TCP_NODELAY set
+* Connected to localhost (127.0.0.1) port 18000 (#0)
+> POST / HTTP/1.1
+> Host: localhost:18000
+> User-Agent: curl/7.68.0
+> Accept: */*
+> Content-Type: application/json
+> Content-Length: 23
+>
+* upload completely sent off: 23 out of 23 bytes
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 403 Forbidden
+< content-length: 15
+< content-type: text/plain
+< date: Tue, 01 Mar 2022 19:22:24 GMT
+< server: envoy
+<
+* Connection #0 to host localhost left intact
+invalid payload
+```
+
+### Run it via Istio
+
+This example details deploying to a kind cluster running the Istio httpbin sample app.
+
+```console
+# Create a test cluster
+kind create cluster
+
+# Install Istio and the httpbin sample app
+
+istioctl install --set profile=demo -y
+kubectl label namespace default istio-injection=enabled
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin.yaml
+kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.12/samples/httpbin/httpbin-gateway.yaml
+```
+
+For Istio 1.12 and later the easiest way is to use a WasmPlugin resource. For older Istio
+versions an EnvoyFilter is needed.
+
+#### Install using WasmPlugin resource
+
+Build and push the wasm module to your container registry, then apply the WasmPlugin.
+
+```console
+export HUB=your_registry # e.g. docker.io/tetrate
+make -C ../.. build.example name=json_validation
+docker build . -t ${HUB}/json-validation:v1
+docker push ${HUB}/json-validation:v1
+
+sed "s|YOUR_CONTAINER_REGISTRY|$HUB|" wasmplugin.yaml | kubectl apply -f -
+```
+
+#### Install using EnvoyFilter
+
+To use an EnvoyFilter, create a config map containing the compiled wasm plugin, mount the config
+map into the gateway pod, and then configure Envoy via an EnvoyFilter to load the wasm plugin from
+a local file.
+
+```console
+# Create the config map
+kubectl -n istio-system create configmap wasm-plugins --from-file=main.wasm
+
+# Patch the gateway deployment to mount the config map
+kubectl -n istio-system patch deployment istio-ingressgateway --patch-file=gatewaydeploymentpatch.yaml
+
+# Create the EnvoyFilter
+kubectl apply -f envoyfilter.yaml
+```
+
+#### Test the plugin
+
+Expose the ingress gateway on port 8080 on your local machine via.
+
+```console
+kubectl port-forward -n istio-system svc/istio-ingressgateway 8080:80
+```
+
+Requests without the required payload will fail:
+
+```console
+% curl -i http://localhost:8080/post  -H 'Content-Type: application/json' --data '{"id": "xxx", "not_token": "xxx"}'
+HTTP/1.1 403 Forbidden
+content-length: 15
+content-type: text/plain
+date: Tue, 15 Mar 2022 23:05:52 GMT
+server: istio-envoy
+
+invalid payload
+```
+
+But those with the payload will proceed:
+
+```console
+% curl -i http://localhost:8080/post  -H 'Content-Type: application/json' --data '{"id": "xxx", "token": "xxx"}'
+HTTP/1.1 200 OK
+server: istio-envoy
+date: Tue, 15 Mar 2022 23:06:29 GMT
+content-type: application/json
+content-length: 884
+access-control-allow-origin: *
+access-control-allow-credentials: true
+x-envoy-upstream-service-time: 3
+
+{
+  "args": {},
+  "data": "{\"id\": \"xxx\", \"token\": \"xxx\"}",
+  "files": {},
+  "form": {},
+  "headers": {
+    "Accept": "*/*",
+    "Content-Length": "29",
+    "Content-Type": "application/json",
+    "Host": "localhost:8080",
+    "User-Agent": "curl/7.64.1",
+    "X-B3-Parentspanid": "99a94908edd26592",
+    "X-B3-Sampled": "1",
+    "X-B3-Spanid": "e12fc7fd9aa74838",
+    "X-B3-Traceid": "2b7375cda8bc98a299a94908edd26592",
+    "X-Envoy-Attempt-Count": "1",
+    "X-Envoy-Internal": "true",
+    "X-Forwarded-Client-Cert": "By=spiffe://cluster.local/ns/default/sa/httpbin;Hash=5703a66dcdbc8cafc8c29e1ebee1174f4bc81234d8dc1ccc20fb9e3c26b320e1;Subject=\"\";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
+  },
+  "json": {
+    "id": "xxx",
+    "token": "xxx"
+  },
+  "origin": "10.244.0.9",
+  "url": "http://localhost:8080/post"
+}
+```

build.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+tinygo build -o main.wasm -scheduler=none -target=wasi ./main.go

envoy.yaml

@@ -0,0 +1,101 @@
+# This config has Envoy listen on localhost:18000, responding to any requests with static content "hello from server".
+# In addition, the example wasm plugin to validate the requests payload runs.
+# The plugin intercepts the request and makes Envoy return 403 instead of the static content
+# if the request has no JSON payload or the payload JSON doesn't have "id" or "token" keys.
+static_resources:
+  listeners:
+    - name: main
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: 18000
+      filter_chains:
+        - filters:
+            - name: envoy.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                codec_type: auto
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: local_service
+                      domains:
+                        - "*"
+                      routes:
+                        - match:
+                            prefix: "/"
+                          route:
+                            cluster: web_service
+
+                http_filters:
+                  - name: envoy.filters.http.wasm
+                    typed_config:
+                      "@type": type.googleapis.com/udpa.type.v1.TypedStruct
+                      type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+                      value:
+                        config:
+                          configuration:
+                            "@type": type.googleapis.com/google.protobuf.StringValue
+                            value: |
+                              { "requiredKeys": ["id", "token"] }
+                          vm_config:
+                            runtime: "envoy.wasm.runtime.v8"
+                            code:
+                              local:
+                                filename: "./examples/json_validation/main.wasm"
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+    - name: staticreply
+      address:
+        socket_address:
+          address: 127.0.0.1
+          port_value: 8099
+      filter_chains:
+        - filters:
+            - name: envoy.http_connection_manager
+              typed_config:
+                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                stat_prefix: ingress_http
+                codec_type: auto
+                route_config:
+                  name: local_route
+                  virtual_hosts:
+                    - name: local_service
+                      domains:
+                        - "*"
+                      routes:
+                        - match:
+                            prefix: "/"
+                          direct_response:
+                            status: 200
+                            body:
+                              inline_string: "hello from the server\n"
+                http_filters:
+                  - name: envoy.filters.http.router
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+
+  clusters:
+    - name: web_service
+      connect_timeout: 0.25s
+      type: STATIC
+      lb_policy: ROUND_ROBIN
+      load_assignment:
+        cluster_name: mock_service
+        endpoints:
+          - lb_endpoints:
+              - endpoint:
+                  address:
+                    socket_address:
+                      address: 127.0.0.1
+                      port_value: 8099
+
+admin:
+  access_log_path: "/dev/null"
+  address:
+    socket_address:
+      address: 0.0.0.0
+      port_value: 8001

envoyfilter.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: json-validation
+  namespace: istio-system
+spec:
+  configPatches:
+    - applyTo: HTTP_FILTER
+      match:
+        context: GATEWAY
+      patch:
+        operation: INSERT_BEFORE
+        value:
+          name: json-validation
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
+            config:
+              configuration:
+                "@type": type.googleapis.com/google.protobuf.StringValue
+                value: |
+                  { "requiredKeys": ["id", "token"] }
+              vm_config:
+                code:
+                  local:
+                    filename: /var/local/lib/wasm-plugins/main.wasm
+                runtime: envoy.wasm.runtime.v8
+                vm_id: json-validation