feat: grab direction from config instead of xds

Looks like `xds.listener_direction` does not work and does not return a proper value.
dettanym · Feb 29, 2024 · 6e609e3 · 6e609e3
1 parent 95ff2df
commit 6e609e3
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 23 deletions.
diff --git a/...uation/kubernetes/apps/test-sample-microservices/bookinfo/envoy-filter/golang-filter.yaml b/...uation/kubernetes/apps/test-sample-microservices/bookinfo/envoy-filter/golang-filter.yaml
@@ -34,7 +34,7 @@ spec:
                   split_spans_for_request: true
     - applyTo: HTTP_FILTER
       match:
-        context: SIDECAR_INBOUND
+        context: &direction SIDECAR_INBOUND
         listener:
           portNumber: 9080
           filterChain:
@@ -54,6 +54,7 @@ spec:
             plugin_config:
               "@type": type.googleapis.com/xds.type.v3.TypedStruct
               value:
+                direction: *direction
                 presidio_url: http://presidio.prose-system.svc.cluster.local:3000/batchanalyze
                 zipkin_url: http://zipkin.prose-system.svc.cluster.local:9411/api/v2/spans
                 opa_enforce: false
@@ -106,7 +107,7 @@ spec:
                   split_spans_for_request: true
     - applyTo: HTTP_FILTER
       match:
-        context: SIDECAR_OUTBOUND
+        context: &direction SIDECAR_OUTBOUND
         listener:
           filterChain:
             filter:
@@ -125,6 +126,7 @@ spec:
             plugin_config:
               "@type": type.googleapis.com/xds.type.v3.TypedStruct
               value:
+                direction: *direction
                 presidio_url: http://presidio.prose-system.svc.cluster.local:3000/batchanalyze
                 zipkin_url: http://zipkin.prose-system.svc.cluster.local:9411/api/v2/spans
                 opa_enforce: false

diff --git a/privacy-profile-composer/pkg/envoyfilter/config.go b/privacy-profile-composer/pkg/envoyfilter/config.go
@@ -7,9 +7,12 @@ import (
 	xds "github.com/cncf/xds/go/xds/type/v3"
 	"github.com/envoyproxy/envoy/contrib/golang/common/go/api"
 	"google.golang.org/protobuf/types/known/anypb"
+
+	"privacy-profile-composer/pkg/envoyfilter/internal/common"
 )
 
 type config struct {
+	direction   common.SidecarDirection
 	zipkinUrl   string
 	opaEnforce  bool
 	opaConfig   string
@@ -28,6 +31,21 @@ func (p *ConfigParser) Parse(any *anypb.Any, callbacks api.ConfigCallbackHandler
 
 	conf := &config{}
 
+	if val, ok := configStruct["direction"]; !ok {
+		return nil, errors.New("missing direction")
+	} else if str, ok := val.(string); !ok {
+		return nil, fmt.Errorf("direction: expect string while got %T", str)
+	} else {
+		switch str {
+		case "SIDECAR_INBOUND":
+			conf.direction = common.Inbound
+		case "SIDECAR_OUTBOUND":
+			conf.direction = common.Outbound
+		default:
+			return nil, fmt.Errorf("direction: expected either `SIDECAR_INBOUND` or `SIDECAR_OUTBOUND`, but got `%v`", str)
+		}
+	}
+
 	if zipkinUrl, ok := configStruct["zipkin_url"]; !ok {
 		return nil, errors.New("missing zipkin_url")
 	} else if str, ok := zipkinUrl.(string); !ok {
@@ -72,6 +90,8 @@ func (p *ConfigParser) Merge(parent interface{}, child interface{}) interface{}
 	// copy one, do not update parentConfig directly.
 	newConfig := *parentConfig
 
+	newConfig.direction = childConfig.direction
+
 	if childConfig.zipkinUrl != "" {
 		newConfig.zipkinUrl = childConfig.zipkinUrl
 	}

diff --git a/privacy-profile-composer/pkg/envoyfilter/filter.go b/privacy-profile-composer/pkg/envoyfilter/filter.go
@@ -17,11 +17,6 @@ import (
 )
 
 func NewFilter(callbacks api.FilterCallbackHandler, config *config) (api.StreamFilter, error) {
-	sidecarDirection, err := common.GetDirection(callbacks)
-	if err != nil {
-		return nil, err
-	}
-
 	tracer, err := common.NewZipkinTracer(config.zipkinUrl)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create tracer: %+v\n", err)
@@ -38,22 +33,20 @@ func NewFilter(callbacks api.FilterCallbackHandler, config *config) (api.StreamF
 	}
 
 	return &Filter{
-		callbacks:        callbacks,
-		config:           config,
-		tracer:           tracer,
-		sidecarDirection: sidecarDirection,
-		opa:              opaObj,
+		callbacks: callbacks,
+		config:    config,
+		tracer:    tracer,
+		opa:       opaObj,
 	}, nil
 }
 
 type Filter struct {
 	api.PassThroughStreamFilter
 
-	callbacks        api.FilterCallbackHandler
-	config           *config
-	tracer           *common.ZipkinTracer
-	opa              *sdk.OPA
-	sidecarDirection common.SidecarDirection
+	callbacks api.FilterCallbackHandler
+	config    *config
+	tracer    *common.ZipkinTracer
+	opa       *sdk.OPA
 
 	// Runtime state of the filter
 	parentSpanContext model.SpanContext
@@ -93,13 +86,13 @@ func (f *Filter) DecodeData(buffer api.BufferInstance, endStream bool) api.Statu
 	processBody := false
 	// If it is an inbound sidecar, then do process the body
 	// run PII Analysis + OPA directly
-	if f.sidecarDirection == common.Inbound {
+	if f.config.direction == common.Inbound {
 		processBody = true
 	}
 
 	//  If it is an outbound sidecar, then check if it's a request to a third party
 	//  and only process the body in this case
-	if f.sidecarDirection == common.Outbound {
+	if f.config.direction == common.Outbound {
 		thirdPartyURL, err := f.checkIfRequestToThirdParty()
 		if err != nil {
 			log.Println(err)
@@ -169,7 +162,7 @@ func (f *Filter) EncodeData(buffer api.BufferInstance, endStream bool) api.Statu
 	// TODO: This is usually data obtained from another service
 	//  but it could also be data obtained from a third party. I.e. a kind of join violation.
 	//  Not sure if we'll run into those cases in the examples we look at.
-	if f.sidecarDirection == common.Outbound {
+	if f.config.direction == common.Outbound {
 		sendLocalReply, err, proseTags := f.processBody(ctx, buffer, false)
 		for k, v := range proseTags {
 			span.Tag(k, v)
@@ -210,7 +203,7 @@ func (f *Filter) processBody(ctx context.Context, buffer api.BufferInstance, isD
 
 	proseTags = map[string]string{}
 
-	proseTags[PROSE_SIDECAR_DIRECTION] = string(f.sidecarDirection)
+	proseTags[PROSE_SIDECAR_DIRECTION] = string(f.config.direction)
 
 	jsonBody, err := common.GetJSONBody(f.headerMetadata, buffer)
 	if err != nil {
@@ -286,13 +279,13 @@ func (f *Filter) runOPA(ctx context.Context, isDecode bool) (sendLocalReply bool
 
 	// Include a tag for the violation type
 	if isDecode {
-		if f.sidecarDirection == common.Outbound {
+		if f.config.direction == common.Outbound {
 			proseTags[PROSE_VIOLATION_TYPE] = DataSharing
 		} else { // inbound sidecar within decode method
 			proseTags[PROSE_VIOLATION_TYPE] = PurposeOfUseDirect
 		}
 	} else { // encode method
-		if f.sidecarDirection == common.Outbound {
+		if f.config.direction == common.Outbound {
 			proseTags[PROSE_VIOLATION_TYPE] = PurposeOfUseIndirect
 		}
 		// we don't call this method (from EncodeData) if it's an inbound sidecar