feat: configure golang filter (#92)

- config.go: specified config options for Presidio URL, OPA Bundle Server URL and other OPA config parameters - go-filter.yaml: added fields corresponding to the options that the golang filter expects (in config.go) - inbound_filter.go: initialized objects once when the filter constructor is called and persisted the object, through Decode* and Encode* methods, until it is destroyed.
dettanym · Feb 26, 2024 · befb8ce · befb8ce
1 parent 5745738
commit befb8ce
Show file tree

Hide file tree

Showing 5 changed files with 220 additions and 194 deletions.
diff --git a/evaluation/kubernetes/apps/istio-system/istio/envoy-filter/go-filter.yaml b/evaluation/kubernetes/apps/istio-system/istio/envoy-filter/go-filter.yaml
@@ -30,7 +30,21 @@ spec:
             plugin_config:
               "@type": type.googleapis.com/xds.type.v3.TypedStruct
               value:
+                presidio_url: http://presidio.prose-system.svc.cluster.local:3000/batchanalyze
                 zipkin_url: http://zipkin.prose-system.svc.cluster.local:9411/api/v2/spans
+                opa_enable: false
+                opa_config: |
+                  services: 
+                    bundle_server:
+                      url:  http://prose-server.prose-system.svc.cluster.local:8080
+                  bundles:
+                    default:
+                      resource: /bundle.tar.gz
+                      polling:
+                        min_delay_seconds: 120
+                        max_delay_seconds: 3600
+                  decision_logs:
+                    console: true
 ---
 apiVersion: networking.istio.io/v1alpha3
 kind: EnvoyFilter
@@ -63,4 +77,18 @@ spec:
             plugin_config:
               "@type": type.googleapis.com/xds.type.v3.TypedStruct
               value:
+                presidio_url: http://presidio.prose-system.svc.cluster.local:3000/batchanalyze
                 zipkin_url: http://zipkin.prose-system.svc.cluster.local:9411/api/v2/spans
+                opa_enable: false
+                opa_config: |
+                  services: 
+                    bundle_server:
+                      url:  http://prose-server.prose-system.svc.cluster.local:8080
+                  bundles:
+                    default:
+                      resource: /bundle.tar.gz
+                      polling:
+                        min_delay_seconds: 120
+                        max_delay_seconds: 3600
+                  decision_logs:
+                    console: true
diff --git a/privacy-profile-composer/pkg/composer/grpc_client.go b/privacy-profile-composer/pkg/composer/grpc_client.go
@@ -1,30 +1,14 @@
-/*
- *
- * Copyright 2015 gRPC authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
 package composer
 
 import (
 	"context"
 	"flag"
+	"log"
+
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/protobuf/types/known/emptypb"
-	"log"
+
 	pb "privacy-profile-composer/pkg/proto"
 )
 
@@ -75,3 +59,53 @@ func Run_client() {
 	}
 	log.Println(profile)
 }
+
+// TODO: Call this within the jaeger trace querying API, to submit updates to all observed profiles,
+//  after going through a batch of traces. Remove the flag as it won't be run via cli.
+func sendComposedProfile(fqdn string, purpose string, piiTypes []string, thirdParties []string) {
+	var (
+		composerSvcAddr = flag.String("addr", "http://prose-server.prose-system.svc.cluster.local:50051", "the address to connect to")
+	)
+
+	flag.Parse()
+	// Set up a connection to the server.
+	conn, err := grpc.Dial(*composerSvcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		log.Printf("can not connect to Composer SVC at addr %v. ERROR: %v", composerSvcAddr, err)
+		return
+	}
+	defer func(conn *grpc.ClientConn) {
+		err = conn.Close()
+		if err != nil {
+			log.Printf("could not close connection to Composer server %s", err)
+			return
+		}
+	}(conn)
+	c := pb.NewPrivacyProfileComposerClient(conn)
+
+	// Contact the server and print out its response.
+	ctx := context.Background()
+
+	processingEntries := make(map[string]*pb.DataItemAndThirdParties, len(piiTypes))
+	for _, pii := range piiTypes {
+		dataItemThirdParties := map[string]*pb.ThirdParties{
+			pii: {
+				ThirdParty: thirdParties,
+			},
+		}
+		processingEntries[purpose] = &pb.DataItemAndThirdParties{Entry: dataItemThirdParties}
+	}
+	_, err = c.PostObservedProfile(
+		ctx,
+		&pb.SvcObservedProfile{
+			SvcInternalFQDN: fqdn,
+			ObservedProcessingEntries: &pb.PurposeBasedProcessing{
+				ProcessingEntries: processingEntries},
+		},
+	)
+
+	if err != nil {
+		log.Printf("got this error when posting observed profile: %v", err)
+	}
+	return
+}
diff --git a/privacy-profile-composer/pkg/envoyfilter/config.go b/privacy-profile-composer/pkg/envoyfilter/config.go
@@ -10,7 +10,10 @@ import (
 )
 
 type config struct {
-	zipkinUrl string
+	zipkinUrl   string
+	opaEnable   bool
+	opaConfig   string
+	presidioUrl string
 }
 
 type ConfigParser struct {
@@ -28,11 +31,36 @@ func (p *ConfigParser) Parse(any *anypb.Any, callbacks api.ConfigCallbackHandler
 	if zipkinUrl, ok := configStruct["zipkin_url"]; !ok {
 		return nil, errors.New("missing zipkin_url")
 	} else if str, ok := zipkinUrl.(string); !ok {
-		return nil, fmt.Errorf("prefix_localreply_body: expect string while got %T", zipkinUrl)
+		return nil, fmt.Errorf("zipkin_url: expect string while got %T", zipkinUrl)
 	} else {
 		conf.zipkinUrl = str
 	}
 
+	if val, ok := configStruct["opa_enable"]; !ok {
+		conf.opaEnable = true
+	} else if opaEnable, ok := val.(bool); !ok {
+		return nil, fmt.Errorf("opa_enable: expect bool while got %T", opaEnable)
+	} else {
+		conf.opaEnable = opaEnable
+	}
+
+	// opa_config should be a YAML inline string,
+	// following this example: https://www.openpolicyagent.org/docs/latest/configuration/#example
+	if parsedStr, ok := configStruct["opa_config"]; !ok {
+		return nil, errors.New("missing opa_config")
+	} else if opaConfig, ok := parsedStr.(string); !ok {
+		return nil, fmt.Errorf("opa_config: expect (YAML inline) string while got %T", opaConfig)
+	} else {
+		conf.opaConfig = opaConfig
+	}
+
+	if parsedStr, ok := configStruct["presidio_url"]; !ok {
+		return nil, errors.New("missing presidio_url")
+	} else if presidioUrl, ok := parsedStr.(string); !ok {
+		return nil, fmt.Errorf("presidio_url: expect string while got %T", presidioUrl)
+	} else {
+		conf.presidioUrl = presidioUrl
+	}
 	return conf, nil
 }
 
@@ -47,6 +75,16 @@ func (p *ConfigParser) Merge(parent interface{}, child interface{}) interface{}
 		newConfig.zipkinUrl = childConfig.zipkinUrl
 	}
 
+	if childConfig.opaConfig != "" {
+		newConfig.opaConfig = childConfig.opaConfig
+	}
+
+	if childConfig.presidioUrl != "" {
+		newConfig.presidioUrl = childConfig.presidioUrl
+	}
+
+	newConfig.opaEnable = childConfig.opaEnable
+
 	return &newConfig
 }