golang: make secret manager available to golang http plugin (#38703)

Additional Description:
- add generic secrets to golang.proto
- add SecretReader in C++ FilterConfig
- add SecretManager interface in Go, implemented using the config
pointer as secrets are not request scoped
- add cAPI to access the secret from C++
Fixes #38702

Signed-off-by: François JACQUES <[email protected]>

Author: hypnoce

api/contrib/envoy/extensions/filters/http/golang/v3alpha/BUILD

@@ -6,6 +6,7 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
+        "//envoy/extensions/transport_sockets/tls/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",
         "@com_github_cncf_xds//xds/annotations/v3:pkg",
     ],

api/contrib/envoy/extensions/filters/http/golang/v3alpha/golang.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.golang.v3alpha;
 
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+
 import "google/protobuf/any.proto";
 
 import "xds/annotations/v3/status.proto";
@@ -21,7 +23,7 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 // For an overview of the Golang HTTP filter please see the :ref:`configuration reference documentation <config_http_filters_golang>`.
 // [#extension: envoy.filters.http.golang]
 
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message Config {
   // The meanings are as follows:
   //
@@ -74,6 +76,13 @@ message Config {
   //
   // [#not-implemented-hide:]
   MergePolicy merge_policy = 5 [(validate.rules).enum = {defined_only: true}];
+
+  // Generic secret list available to the plugin.
+  // Looks into SDS or static bootstrap configuration.
+  //
+  // See :repo:`StreamFilter API <contrib/golang/common/go/api/filter.go>`
+  // for more information about how to access secrets from Go.
+  repeated transport_sockets.tls.v3.SdsSecretConfig generic_secrets = 6;
 }
 
 message RouterPlugin {

changelogs/current.yaml

@@ -332,6 +332,10 @@ new_features:
   change: |
     Added an :ref:`io_uring <envoy_v3_api_field_extensions.network.socket_interface.v3.DefaultSocketInterface.io_uring_options>` option in
     default socket interface to support io_uring.
+- area: golang
+  change: |
+    Expose generic secrets to :ref:`lua <envoy_v3_api_msg_extensions.filters.http.golang.v3alpha.Config>`
+    Add SecretManager interface in the go envoy sdk.
 - area: dns
   change: |
     Update c-ares to version 1.34.4. This upgrade exposes ``ares_reinit()`` which allows the reinitialization of c-ares channels,

contrib/golang/common/go/api/api.h

@@ -118,6 +118,8 @@ CAPIStatus envoyGoFilterHttpGetStringFilterState(void* r, void* key_data, int ke
                                                  uint64_t* value_data, int* value_len);
 CAPIStatus envoyGoFilterHttpGetStringProperty(void* r, void* key_data, int key_len,
                                               uint64_t* value_data, int* value_len, int* rc);
+CAPIStatus envoyGoFilterHttpGetStringSecret(void* r, void* key_data, int key_len,
+                                            uint64_t* value_data, int* value_len);
 
 /* These APIs have nothing to do with request */
 void envoyGoFilterLog(uint32_t level, void* message_data, int message_len);

contrib/golang/common/go/api/capi.go

@@ -59,6 +59,7 @@ type HttpCAPI interface {
 	HttpGetStringProperty(r unsafe.Pointer, key string) (string, error)
 
 	HttpFinalize(r unsafe.Pointer, reason int)
+	HttpGetStringSecret(c unsafe.Pointer, key string) (string, bool)
 
 	/* These APIs are related to config, use the pointer of config. */
 	HttpDefineMetric(c unsafe.Pointer, metricType MetricType, name string) uint32

contrib/golang/common/go/api/filter.go

@@ -186,6 +186,11 @@ type StreamFilterCallbacks interface {
 	// * ErrValueNotFound
 	GetProperty(key string) (string, error)
 	// TODO add more for filter callbacks
+
+	// Get secret manager.
+	// Secrets should be defined in the plugin configuration.
+	// It is safe to use this secret manager from any goroutine.
+	SecretManager() SecretManager
 }
 
 // FilterProcessCallbacks is the interface for filter to process request/response in decode/encode phase.
@@ -314,6 +319,12 @@ type FilterState interface {
 	GetString(key string) string
 }
 
+type SecretManager interface {
+	// Get generic secret from secret manager.
+	// bool is false on missing secret
+	GetGenericSecret(name string) (string, bool)
+}
+
 type MetricType uint32
 
 const (

contrib/golang/filters/http/source/BUILD

@@ -39,8 +39,11 @@ envoy_cc_library(
         "//source/common/http/http1:codec_lib",
         "//source/common/protobuf:utility_lib",
         "//source/common/router:string_accessor_lib",
+        "//source/common/secret:secret_provider_impl_lib",
         "//source/extensions/filters/common/expr:cel_state_lib",
         "//source/extensions/filters/common/expr:evaluator_lib",
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@com_google_absl//absl/types:optional",
         "@com_google_cel_cpp//eval/public:activation",
         "@com_google_cel_cpp//eval/public:builtin_func_registrar",
         "@com_google_cel_cpp//eval/public:cel_expr_builder_factory",
@@ -91,6 +94,7 @@ envoy_cc_library(
         "//source/common/http:utility_lib",
         "//source/common/http/http1:codec_lib",
         "//source/common/protobuf:utility_lib",
+        "//source/common/secret:secret_provider_impl_lib",
         "//source/extensions/filters/common/expr:cel_state_lib",
         "//source/extensions/filters/common/expr:evaluator_lib",
         "@envoy_api//contrib/envoy/extensions/filters/http/golang/v3alpha:pkg_cc_proto",

contrib/golang/filters/http/source/cgo.cc

@@ -361,6 +361,15 @@ CAPIStatus envoyGoFilterHttpGetStringProperty(void* r, void* key_data, int key_l
                                      });
 }
 
+CAPIStatus envoyGoFilterHttpGetStringSecret(void* r, void* key_data, int key_len,
+                                            uint64_t* value_data, int* value_len) {
+  return envoyGoFilterHandlerWrapper(
+      r, [key_data, key_len, value_data, value_len](std::shared_ptr<Filter>& filter) -> CAPIStatus {
+        auto key_str = stringViewFromGoPointer(key_data, key_len);
+        return filter->getSecret(key_str, value_data, value_len);
+      });
+}
+
 CAPIStatus envoyGoFilterHttpDefineMetric(void* c, uint32_t metric_type, void* name_data,
                                          int name_len, uint32_t* metric_id) {
   return envoyGoConfigHandlerWrapper(

contrib/golang/filters/http/source/go/pkg/http/capi_impl.go

@@ -453,6 +453,26 @@ func (c *httpCApiImpl) HttpGetStringProperty(r unsafe.Pointer, key string) (stri
 	return "", capiStatusToErr(res)
 }
 
+func (c *httpCApiImpl) HttpGetStringSecret(r unsafe.Pointer, key string) (string, bool) {
+	req := (*httpRequest)(r)
+	var valueData C.uint64_t
+	var valueLen C.int
+	req.mutex.Lock()
+	defer req.mutex.Unlock()
+	req.markMayWaitingCallback()
+	res := C.envoyGoFilterHttpGetStringSecret(unsafe.Pointer(req.req), unsafe.Pointer(unsafe.StringData(key)), C.int(len(key)), &valueData, &valueLen)
+	if res == C.CAPIYield {
+		req.checkOrWaitCallback()
+	} else {
+		req.markNoWaitingCallback()
+		handleCApiStatus(res)
+	}
+	if valueLen == -1 {
+		return "", false
+	}
+	return strings.Clone(unsafe.String((*byte)(unsafe.Pointer(uintptr(valueData))), int(valueLen))), true
+}
+
 func (c *httpCApiImpl) HttpLog(level api.LogType, message string) {
 	C.envoyGoFilterLog(C.uint32_t(level), unsafe.Pointer(unsafe.StringData(message)), C.int(len(message)))
 }

contrib/golang/filters/http/source/go/pkg/http/filter.go

@@ -284,6 +284,14 @@ func (r *httpRequest) Finalize(reason int) {
 	cAPI.HttpFinalize(unsafe.Pointer(r), reason)
 }
 
+func (r *httpRequest) SecretManager() api.SecretManager {
+	return r
+}
+
+func (r *httpRequest) GetGenericSecret(name string) (string, bool) {
+	return cAPI.HttpGetStringSecret(unsafe.Pointer(r), name)
+}
+
 type streamInfo struct {
 	request *httpRequest
 }

contrib/golang/filters/http/source/golang_filter.cc

@@ -1457,6 +1457,47 @@ void Filter::deferredDeleteRequest(HttpRequestInternal* req) {
   }
 }
 
+CAPIStatus Filter::getSecret(const absl::string_view name, uint64_t* value_data, int* value_len) {
+  // lock until this function return since it may running in a Go thread.
+  Thread::LockGuard lock(mutex_);
+  if (has_destroyed_) {
+    ENVOY_LOG(debug, "golang filter has been destroyed");
+    return CAPIStatus::CAPIFilterIsDestroy;
+  }
+
+  auto populateFilter = [](Filter& f, const absl::string_view name, uint64_t* value_data,
+                           int* value_len) {
+    auto maybe_secret = f.config_->getSecretReader().secret(std::string(name));
+    if (!maybe_secret.has_value()) {
+      *value_len = -1;
+    } else {
+      f.req_->strValue = maybe_secret.value();
+      *value_data = reinterpret_cast<uint64_t>(f.req_->strValue.data());
+      *value_len = f.req_->strValue.length();
+    }
+  };
+  ENVOY_LOG(debug, "golang filter getSecret '{}'", name);
+  if (isThreadSafe()) {
+    ENVOY_LOG(debug, "golang filter getSecret replying directly");
+    populateFilter(*this, name, value_data, value_len);
+    return CAPIStatus::CAPIOK;
+  } else {
+    ENVOY_LOG(debug, "golang filter getSecret posting request to dispatcher");
+    auto weak_ptr = weak_from_this();
+    getDispatcher().post(
+        [this, populateFilter, weak_ptr, name = std::string(name), value_data, value_len] {
+          ENVOY_LOG(debug, "golang filter getSecret request in worker thread");
+          if (!weak_ptr.expired() && !hasDestroyed()) {
+            populateFilter(*this, name, value_data, value_len);
+            dynamic_lib_->envoyGoRequestSemaDec(req_);
+          } else {
+            ENVOY_LOG(info, "golang filter has gone or destroyed in getSecret");
+          }
+        });
+    return CAPIStatus::CAPIYield;
+  }
+}
+
 /* ConfigId */
 
 uint64_t Filter::getMergedConfigId() {
@@ -1484,7 +1525,8 @@ FilterConfig::FilterConfig(
       so_path_(proto_config.library_path()), plugin_config_(proto_config.plugin_config()),
       concurrency_(context.serverFactoryContext().options().concurrency()),
       stats_(GolangFilterStats::generateStats(stats_prefix, context.scope())), dso_lib_(dso_lib),
-      metric_store_(std::make_shared<MetricStore>(context.scope().createScope(""))){};
+      metric_store_(std::make_shared<MetricStore>(context.scope().createScope(""))),
+      secret_reader_(std::make_shared<SecretReader>(proto_config, context)){};
 
 void FilterConfig::newGoPluginConfig() {
   ENVOY_LOG(debug, "initializing golang filter config");
@@ -1737,6 +1779,59 @@ uint64_t RoutePluginConfig::getMergedConfigId(uint64_t parent_id) {
   return merged_config_id_;
 };
 
+/* Secret manager */
+
+namespace {
+Secret::GenericSecretConfigProviderSharedPtr
+secretsProvider(const envoy::extensions::transport_sockets::tls::v3::SdsSecretConfig& config,
+                Secret::SecretManager& secret_manager,
+                Server::Configuration::TransportSocketFactoryContext& transport_socket_factory,
+                Init::Manager& init_manager) {
+  if (config.has_sds_config()) {
+    return secret_manager.findOrCreateGenericSecretProvider(config.sds_config(), config.name(),
+                                                            transport_socket_factory, init_manager);
+  } else {
+    return secret_manager.findStaticGenericSecretProvider(config.name());
+  }
+}
+} // namespace
+
+SecretReader::SecretReader(
+    const envoy::extensions::filters::http::golang::v3alpha::Config& proto_config,
+    Server::Configuration::FactoryContext& context) {
+  if (proto_config.generic_secrets_size() > 0) {
+    auto& secret_manager =
+        context.serverFactoryContext().clusterManager().clusterManagerFactory().secretManager();
+    auto& transport_socket_factory = context.getTransportSocketFactoryContext();
+    auto& init_manager = context.initManager();
+    auto& tls = context.serverFactoryContext().threadLocal();
+    auto& api = context.serverFactoryContext().api();
+    for (auto& secret : proto_config.generic_secrets()) {
+      // Check here to avoid creating unecessary sds provider
+      if (secrets_.contains(secret.name())) {
+        throw EnvoyException(absl::StrCat("duplicate secret ", secret.name()));
+      }
+      auto secret_provider =
+          secretsProvider(secret, secret_manager, transport_socket_factory, init_manager);
+      if (secret_provider == nullptr) {
+        throw EnvoyException(absl::StrCat("no secret provider found for ", secret.name()));
+      }
+      auto tlsp = THROW_OR_RETURN_VALUE(
+          Secret::ThreadLocalGenericSecretProvider::create(std::move(secret_provider), tls, api),
+          std::unique_ptr<Secret::ThreadLocalGenericSecretProvider>);
+      secrets_.emplace(secret.name(), std::move(tlsp));
+    }
+  }
+}
+
+absl::optional<const std::string> SecretReader::secret(const std::string& name) const {
+  auto secret = secrets_.find(name);
+  if (secret != secrets_.end()) {
+    return secret->second->secret();
+  }
+  return absl::nullopt;
+}
+
 } // namespace Golang
 } // namespace HttpFilters
 } // namespace Extensions

contrib/golang/filters/http/source/golang_filter.h

@@ -11,8 +11,11 @@
 #include "source/common/common/thread.h"
 #include "source/common/grpc/context_impl.h"
 #include "source/common/http/utility.h"
+#include "source/common/secret/secret_provider_impl.h"
 #include "source/extensions/filters/common/expr/evaluator.h"
 
+#include "absl/container/flat_hash_map.h"
+#include "absl/types/optional.h"
 #include "contrib/envoy/extensions/filters/http/golang/v3alpha/golang.pb.h"
 #include "contrib/golang/filters/http/source/processor_state.h"
 #include "contrib/golang/filters/http/source/stats.h"
@@ -56,6 +59,16 @@ using MetricStoreSharedPtr = std::shared_ptr<MetricStore>;
 
 struct httpConfigInternal;
 
+class SecretReader {
+public:
+  SecretReader(const envoy::extensions::filters::http::golang::v3alpha::Config& proto_config,
+               Server::Configuration::FactoryContext& context);
+  absl::optional<const std::string> secret(const std::string& name) const;
+
+private:
+  absl::flat_hash_map<std::string, std::unique_ptr<Secret::ThreadLocalGenericSecretProvider>>
+      secrets_;
+};
 /**
  * Configuration for the HTTP golang extension filter.
  */
@@ -72,6 +85,7 @@ class FilterConfig : public std::enable_shared_from_this<FilterConfig>,
   const std::string& pluginName() const { return plugin_name_; }
   uint64_t getConfigId();
   GolangFilterStats& stats() { return stats_; }
+  const SecretReader& getSecretReader() const { return *secret_reader_; }
 
   void newGoPluginConfig();
   CAPIStatus defineMetric(uint32_t metric_type, absl::string_view name, uint32_t* metric_id);
@@ -95,6 +109,8 @@ class FilterConfig : public std::enable_shared_from_this<FilterConfig>,
   MetricStoreSharedPtr metric_store_ ABSL_GUARDED_BY(mutex_);
   // filter level config is created in C++ side, and freed by Golang GC finalizer.
   httpConfigInternal* config_{nullptr};
+
+  std::shared_ptr<SecretReader> secret_reader_;
 };
 
 using FilterConfigSharedPtr = std::shared_ptr<FilterConfig>;
@@ -296,6 +312,7 @@ class Filter : public Http::StreamFilter,
   CAPIStatus getStringFilterState(absl::string_view key, uint64_t* value_data, int* value_len);
   CAPIStatus getStringProperty(absl::string_view path, uint64_t* value_data, int* value_len,
                                GoInt32* rc);
+  CAPIStatus getSecret(absl::string_view key, uint64_t* value_data, int* value_len);
 
   bool isProcessingInGo() {
     return decoding_state_.isProcessingInGo() || encoding_state_.isProcessingInGo();