Enforcer initial changes

wso2 · Sep 9, 2024 · 042d015 · 042d015
1 parent f036712
commit 042d015
Show file tree

Hide file tree

Showing 53 changed files with 2,344 additions and 205 deletions.
diff --git a/adapter/go.mod b/adapter/go.mod
@@ -3,9 +3,9 @@ module github.com/wso2/apk/adapter
 go 1.22
 
 require (
-	github.com/envoyproxy/go-control-plane v0.12.0
+	github.com/envoyproxy/go-control-plane v0.13.0
 	github.com/fsnotify/fsnotify v1.7.0
-	github.com/golang/protobuf v1.5.3
+	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
 	github.com/onsi/ginkgo/v2 v2.14.0
 	github.com/onsi/gomega v1.30.0
@@ -14,7 +14,7 @@ require (
 	github.com/sirupsen/logrus v1.9.0
 	github.com/wso2/apk/common-go-libs v0.0.0-20231208100153-24bee7b4bd81
 	golang.org/x/exp v0.0.0-20231206192017-f3f8817b8deb
-	google.golang.org/grpc v1.62.0
+	google.golang.org/grpc v1.65.0
 	google.golang.org/protobuf v1.34.1
 	gopkg.in/yaml.v2 v2.4.0
 	k8s.io/api v0.29.2
@@ -24,11 +24,12 @@ require (
 )
 
 require (
+	cel.dev/expr v0.15.0 // indirect
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/cncf/xds/go v0.0.0-20231128003011-0fa0005c9caa // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20240423153145-555b57ec207b // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.0.4 // indirect
@@ -56,9 +57,10 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/client_model v0.6.0 // indirect
 	github.com/prometheus/common v0.45.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/shirou/gopsutil/v3 v3.24.2 // indirect
@@ -70,17 +72,15 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/oauth2 v0.16.0 // indirect
-	golang.org/x/term v0.17.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.16.1 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.29.2 // indirect
@@ -99,8 +99,8 @@ replace github.com/wso2/apk/common-go-libs => ../common-go-libs
 
 require (
 	github.com/ghodss/yaml v1.0.0
-	github.com/stretchr/testify v1.8.4
-	golang.org/x/sys v0.17.0 // indirect
+	github.com/stretchr/testify v1.9.0
+	golang.org/x/sys v0.20.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 	sigs.k8s.io/gateway-api v1.0.0
 )
diff --git a/adapter/go.sum b/adapter/go.sum
diff --git a/adapter/internal/oasparser/envoyconf/constants.go b/adapter/internal/oasparser/envoyconf/constants.go
@@ -29,6 +29,7 @@ const (
 const (
 	httpConManagerStartPrefix  string = "ingress_http"
 	extAuthzPerRouteName       string = "type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute"
+	extProcPerRouteName        string = "type.googleapis.com/envoy.extensions.filters.http.ext_proc.v3.ExtProcPerRoute"
 	luaPerRouteName            string = "type.googleapis.com/envoy.extensions.filters.http.lua.v3.LuaPerRoute"
 	corsFilterName             string = "type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors"
 	localRateLimitPerRouteName string = "type.googleapis.com/envoy.extensions.filters.http.local_ratelimit.v3.LocalRateLimit"

diff --git a/adapter/internal/oasparser/envoyconf/http_filters.go b/adapter/internal/oasparser/envoyconf/http_filters.go
@@ -28,6 +28,7 @@ import (
 	envoy_config_ratelimit_v3 "github.com/envoyproxy/go-control-plane/envoy/config/ratelimit/v3"
 	cors_filter_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cors/v3"
 	ext_authv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
+	ext_process "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3"
 	luav3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/lua/v3"
 	ratelimit "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ratelimit/v3"
 	routerv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3"
@@ -47,9 +48,14 @@ import (
 	"github.com/golang/protobuf/ptypes/any"
 )
 
+
+// HTTPExternalProcessor HTTP filter
+const HTTPExternalProcessor = "envoy.filters.http.ext_proc"
+
 // getHTTPFilters generates httpFilter configuration
 func getHTTPFilters(globalLuaScript string) []*hcmv3.HttpFilter {
 	extAuth := getExtAuthzHTTPFilter()
+	extProcessor := getExtProcessHTTPFilter()
 	router := getRouterHTTPFilter()
 	luaLocal := getLuaFilter(LuaLocal, `
 function envoy_on_request(request_handle)
@@ -64,6 +70,7 @@ end`)
 		extAuth,
 		luaLocal,
 		luaGlobal,
+		extProcessor,
 	}
 	conf := config.ReadConfigs()
 	if conf.Envoy.RateLimit.Enabled {
@@ -190,6 +197,43 @@ func getRateLimitFilter() *hcmv3.HttpFilter {
 	return &rlFilter
 }
 
+// getExtProcessHTTPFilter gets ExtAauthz http filter.
+func getExtProcessHTTPFilter() *hcmv3.HttpFilter {
+	// conf := config.ReadConfigs()
+	externalProcessor := &ext_process.ExternalProcessor{
+		GrpcService: &corev3.GrpcService{
+			TargetSpecifier: &corev3.GrpcService_EnvoyGrpc_{
+				EnvoyGrpc: &corev3.GrpcService_EnvoyGrpc{
+					ClusterName: extAuthzClusterName,
+				},
+			},
+		},
+		ProcessingMode: &ext_process.ProcessingMode{
+			ResponseBodyMode: ext_process.ProcessingMode_BUFFERED,
+			RequestHeaderMode: ext_process.ProcessingMode_SKIP,
+			ResponseHeaderMode: ext_process.ProcessingMode_SKIP,
+		},
+		MetadataOptions: &ext_process.MetadataOptions{
+			ForwardingNamespaces: &ext_process.MetadataOptions_MetadataNamespaces{
+				Untyped: []string{"envoy.filters.http.ext_authz", "envoy.filters.http.ext_proc"},
+			},
+		},
+		RequestAttributes: []string{"xds.route_metadata"},
+		ResponseAttributes: []string{"xds.route_metadata"},
+	}
+	ext, err2 := anypb.New(externalProcessor)
+	if err2 != nil {
+		logger.LoggerOasparser.Error(err2)
+	}
+	extProcessFilter := hcmv3.HttpFilter{
+		Name: HTTPExternalProcessor,
+		ConfigType: &hcmv3.HttpFilter_TypedConfig{
+			TypedConfig: ext,
+		},
+	}
+	return &extProcessFilter
+}
+
 // getExtAuthzHTTPFilter gets ExtAauthz http filter.
 func getExtAuthzHTTPFilter() *hcmv3.HttpFilter {
 	conf := config.ReadConfigs()

diff --git a/adapter/internal/oasparser/envoyconf/routes_configs.go b/adapter/internal/oasparser/envoyconf/routes_configs.go
@@ -27,6 +27,7 @@ import (
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	extAuthService "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
+	extProcessorv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3"
 	envoy_type_matcherv3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 	metadatav3 "github.com/envoyproxy/go-control-plane/envoy/type/metadata/v3"
 	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
@@ -40,6 +41,11 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
 	gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
+	v35 "github.com/envoyproxy/go-control-plane/envoy/type/metadata/v3"
+)
+
+const(
+	authzNamespace = "envoy.filters.http.ext_authz"
 )
 
 // Constants for Rate Limiting
@@ -97,7 +103,7 @@ func generateRouteMatch(routeRegex string) *routev3.RouteMatch {
 	return match
 }
 
-func generateRouteAction(apiType string, routeConfig *model.EndpointConfig, ratelimitCriteria *ratelimitCriteria, mirrorClusterNames []string) (action *routev3.Route_Route) {
+func generateRouteAction(apiType string, routeConfig *model.EndpointConfig, ratelimitCriteria *ratelimitCriteria, mirrorClusterNames []string, isSubscriptionBasedAIRatelimitEnabled bool, isBackendBasedAIRatelimitEnabled bool, descriptorValueForBackendBasedAIRatelimit string) (action *routev3.Route_Route) {
 	action = &routev3.Route_Route{
 		Route: &routev3.RouteAction{
 			HostRewriteSpecifier: &routev3.RouteAction_AutoHostRewrite{
@@ -128,6 +134,9 @@ func generateRouteAction(apiType string, routeConfig *model.EndpointConfig, rate
 	if ratelimitCriteria != nil && ratelimitCriteria.level != "" {
 		action.Route.RateLimits = generateRateLimitPolicy(ratelimitCriteria)
 	}
+	if isBackendBasedAIRatelimitEnabled {
+		action.Route.RateLimits = append(action.Route.RateLimits, generateBackendBasedAIRatelimit(descriptorValueForBackendBasedAIRatelimit)...)
+	}
 
 	// Add request mirroring configurations
 	if mirrorClusterNames != nil && len(mirrorClusterNames) > 0 {
@@ -182,6 +191,136 @@ func mapStatusCodeToEnum(statusCode int) int {
 		return -1
 	}
 }
+const (
+	// DescriptorKeyForAIRequestTokenCount is the descriptor key for AI request token count ratelimit
+	DescriptorKeyForAIRequestTokenCount  = "airequesttokencount"
+	// DescriptorKeyForAIResponseTokenCount is the descriptor key for AI response token count ratelimit
+	DescriptorKeyForAIResponseTokenCount = "airesponsetokencount"
+	// DescriptorKeyForAITotalTokenCount is the descriptor key for AI total token count ratelimit
+	DescriptorKeyForAITotalTokenCount    = "aitotaltokencount"
+	// DescriptorKeyForAIRequestCount is the descriptor key for AI request count ratelimit
+	DescriptorKeyForAIRequestCount       = "airequestcount"
+)
+
+func generateBackendBasedAIRatelimit(descValue string) []*routev3.RateLimit {
+	rateLimitForRequestTokenCount := routev3.RateLimit{
+		Actions: []*routev3.RateLimit_Action{
+			{
+				ActionSpecifier: &routev3.RateLimit_Action_GenericKey_{
+					GenericKey: &routev3.RateLimit_Action_GenericKey{
+						DescriptorKey:   DescriptorKeyForAIRequestTokenCount,
+						DescriptorValue: descValue,
+					},
+				},
+			},
+		},
+	}
+	rateLimitForResponseTokenCount := routev3.RateLimit{
+		Actions: []*routev3.RateLimit_Action{
+			{
+				ActionSpecifier: &routev3.RateLimit_Action_GenericKey_{
+					GenericKey: &routev3.RateLimit_Action_GenericKey{
+						DescriptorKey:   DescriptorKeyForAIResponseTokenCount,
+						DescriptorValue: descValue,
+					},
+				},
+			},
+		},
+	}
+	rateLimitForTotalTokenCount := routev3.RateLimit{
+		Actions: []*routev3.RateLimit_Action{
+			{
+				ActionSpecifier: &routev3.RateLimit_Action_GenericKey_{
+					GenericKey: &routev3.RateLimit_Action_GenericKey{
+						DescriptorKey:   DescriptorKeyForAITotalTokenCount,
+						DescriptorValue: descValue,
+					},
+				},
+			},
+		},
+	}
+	rateLimitForRequestCount := routev3.RateLimit{
+		Actions: []*routev3.RateLimit_Action{
+			{
+				ActionSpecifier: &routev3.RateLimit_Action_GenericKey_{
+					GenericKey: &routev3.RateLimit_Action_GenericKey{
+						DescriptorKey:   DescriptorKeyForAIRequestCount,
+						DescriptorValue: descValue,
+					},
+				},
+			},
+		},
+	}
+	return []*routev3.RateLimit{&rateLimitForRequestTokenCount, &rateLimitForResponseTokenCount, &rateLimitForRequestCount, &rateLimitForTotalTokenCount}
+}
+
+
+func generateSubscriptionBasedAIRatelimit(descValue string) []*routev3.RateLimit {
+	rateLimitForRequestTokenCount := routev3.RateLimit{
+		Actions: []*routev3.RateLimit_Action{
+			{
+				ActionSpecifier: &routev3.RateLimit_Action_Metadata{
+					Metadata: &routev3.RateLimit_Action_MetaData{
+						DescriptorKey: DescriptorKeyForAIRequestTokenCount,
+						MetadataKey: &v35.MetadataKey{
+							Key: authzNamespace,
+							Path: []*v35.MetadataKey_PathSegment{
+								&v35.MetadataKey_PathSegment{
+									Segment: &v35.MetadataKey_PathSegment_Key{
+										Key: "",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	rateLimitForResponseTokenCount := routev3.RateLimit{
+		Actions: []*routev3.RateLimit_Action{
+			{
+				ActionSpecifier: &routev3.RateLimit_Action_Metadata{
+					Metadata: &routev3.RateLimit_Action_MetaData{
+						DescriptorKey: DescriptorKeyForAIResponseTokenCount,
+						MetadataKey: &v35.MetadataKey{
+							Key: authzNamespace,
+							Path: []*v35.MetadataKey_PathSegment{
+								&v35.MetadataKey_PathSegment{
+									Segment: &v35.MetadataKey_PathSegment_Key{
+										Key: "",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	rateLimitForRequestCount := routev3.RateLimit{
+		Actions: []*routev3.RateLimit_Action{
+			{
+				ActionSpecifier: &routev3.RateLimit_Action_Metadata{
+					Metadata: &routev3.RateLimit_Action_MetaData{
+						DescriptorKey: DescriptorKeyForAIRequestCount,
+						MetadataKey: &v35.MetadataKey{
+							Key: authzNamespace,
+							Path: []*v35.MetadataKey_PathSegment{
+								&v35.MetadataKey_PathSegment{
+									Segment: &v35.MetadataKey_PathSegment_Key{
+										Key: "",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	return []*routev3.RateLimit{&rateLimitForRequestTokenCount, &rateLimitForResponseTokenCount, &rateLimitForRequestCount}
+}
 
 func generateRateLimitPolicy(ratelimitCriteria *ratelimitCriteria) []*routev3.RateLimit {
 	environmentValue := ratelimitCriteria.environment
@@ -526,9 +665,21 @@ func generateFilterConfigToSkipEnforcer() map[string]*anypb.Any {
 		TypeUrl: extAuthzPerRouteName,
 		Value:   data,
 	}
+	perFilterConfigExtProc := extProcessorv3.ExtProcPerRoute{
+		Override: &extProcessorv3.ExtProcPerRoute_Disabled{
+			Disabled: true,
+		},
+	}
+
+	dataExtProc, _ := proto.Marshal(&perFilterConfigExtProc)
+	filterExtProc := &any.Any{
+		TypeUrl: extProcPerRouteName,
+		Value:   dataExtProc,
+	}
 
 	return map[string]*any.Any{
 		wellknown.HTTPExternalAuthorization: filter,
+		HTTPExternalProcessor : filterExtProc,
 	}
 }