Add plugins (#27)

plugins/wasm-cpp/extensions/sni_misdirect/BUILD

@@ -0,0 +1,55 @@
+load("@proxy_wasm_cpp_sdk//bazel/wasm:wasm.bzl", "wasm_cc_binary")
+load("//bazel:wasm.bzl", "declare_wasm_image_targets")
+
+wasm_cc_binary(
+    name = "sni_misdirect.wasm",
+    srcs = [
+        "plugin.cc",
+        "plugin.h",
+    ],
+    deps = [
+        "@com_google_absl//absl/strings:str_format",        
+        "@com_google_absl//absl/strings",
+        "@proxy_wasm_cpp_sdk//:proxy_wasm_intrinsics",
+        "//common:http_util",
+    ],
+)
+
+cc_library(
+    name = "sni_misdirect_lib",
+    srcs = [
+        "plugin.cc",
+    ],
+    hdrs = [
+        "plugin.h",
+    ],
+    copts = ["-DNULL_PLUGIN"],
+    visibility = ["//visibility:public"],
+    alwayslink = 1,
+    deps = [
+        "@com_google_absl//absl/strings:str_format",
+        "@com_google_absl//absl/strings",
+        "@proxy_wasm_cpp_host//:lib",
+        "//common:http_util",
+    ],
+)
+
+cc_test(
+    name = "sni_misdirect_test",
+    srcs = [
+        "plugin_test.cc",
+    ],
+    copts = ["-DNULL_PLUGIN"],
+    deps = [
+        ":sni_misdirect_lib",
+        "@com_google_absl//absl/strings:str_format",
+        "@com_google_googletest//:gtest",
+        "@com_google_googletest//:gtest_main",
+        "@proxy_wasm_cpp_host//:lib",
+    ],
+)
+
+declare_wasm_image_targets(
+    name = "sni_misdirect",
+    wasm_file = ":sni_misdirect.wasm",
+)

plugins/wasm-cpp/extensions/sni_misdirect/plugin.cc

@@ -0,0 +1,111 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "extensions/sni_misdirect/plugin.h"
+
+#include "absl/strings/match.h"
+#include "absl/strings/str_format.h"
+#include "common/http_util.h"
+
+#ifdef NULL_PLUGIN
+
+namespace proxy_wasm {
+namespace null_plugin {
+namespace sni_misdirect {
+
+PROXY_WASM_NULL_PLUGIN_REGISTRY
+
+NullPluginRegistry* context_registry_;
+RegisterNullVmPluginFactory register_sni_misdirect_plugin(
+    "envoy.wasm.sni_misdirect", []() {
+      return std::make_unique<NullPlugin>(sni_misdirect::context_registry_);
+    });
+
+#endif
+
+static RegisterContextFactory register_SNIMisdirect(
+    CONTEXT_FACTORY(PluginContext), ROOT_FACTORY(PluginRootContext));
+
+namespace {
+
+void misdirectedRequest() {
+  sendLocalResponse(421, "Misdirected Request", "", {});
+}
+
+}  // namespace
+
+FilterHeadersStatus PluginContext::onRequestHeaders(uint32_t, bool) {
+  std::string protocol;
+  // no need to check HTTP/1.0 and HTTP/1.1
+  if (getValue({"request", "protocol"}, &protocol) &&
+      absl::StartsWith(protocol, "HTTP/1")) {
+    return FilterHeadersStatus::Continue;
+  }
+  // no need to check http scheme
+  std::string scheme;
+  if (getValue({"request", "scheme"}, &scheme) && scheme != "https") {
+    return FilterHeadersStatus::Continue;
+  }
+  // no need to check grpc
+  auto content_type_header =
+      getRequestHeader(Wasm::Common::Http::Header::ContentType);
+  auto content_type = content_type_header->view();
+  auto grpc_value =
+      absl::string_view(Wasm::Common::Http::ContentTypeValues::Grpc.data(),
+                        Wasm::Common::Http::ContentTypeValues::Grpc.size());
+  if (absl::StartsWith(
+          absl::string_view(content_type.data(), content_type.size()),
+          grpc_value) &&
+      (content_type.size() == grpc_value.size() ||
+       content_type.at(grpc_value.size()) == '+')) {
+    LOG_DEBUG("ignore grpc");
+    return FilterHeadersStatus::Continue;
+  }
+  std::string sni;
+  if (!getValue({"connection", "requested_server_name"}, &sni) || sni.empty()) {
+    LOG_DEBUG("failed to get sni");
+    return FilterHeadersStatus::Continue;
+  }
+
+  auto host_header = getRequestHeader(":authority");
+  auto host = host_header->view();
+  if (host.empty()) {
+    LOG_CRITICAL("failed to get authority");
+    return FilterHeadersStatus::Continue;
+  }
+  host = Wasm::Common::Http::stripPortFromHost(host);
+  LOG_DEBUG(absl::StrFormat("sni:%s authority:%s", sni, host));
+  if (sni == host) {
+    return FilterHeadersStatus::Continue;
+  }
+  auto isWildcardSNI = absl::StartsWith(sni, "*.");
+  if (!isWildcardSNI) {
+    misdirectedRequest();
+    return FilterHeadersStatus::StopIteration;
+  }
+  if (!absl::StrContains(absl::string_view(host.data(), host.size()),
+                         sni.substr(1))) {
+    misdirectedRequest();
+    return FilterHeadersStatus::StopIteration;
+  }
+  return FilterHeadersStatus::Continue;
+}
+
+#ifdef NULL_PLUGIN
+
+}  // namespace sni_misdirect
+}  // namespace null_plugin
+}  // namespace proxy_wasm
+
+#endif

plugins/wasm-cpp/extensions/sni_misdirect/plugin.h

@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2022 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <assert.h>
+
+#include <string>
+#include <unordered_set>
+#define ASSERT(_X) assert(_X)
+
+#ifndef NULL_PLUGIN
+
+#include "proxy_wasm_intrinsics.h"
+
+#else
+
+#include "include/proxy-wasm/null_plugin.h"
+
+namespace proxy_wasm {
+namespace null_plugin {
+namespace sni_misdirect {
+
+#endif
+
+// PluginRootContext is the root context for all streams processed by the
+// thread. It has the same lifetime as the worker thread and acts as target for
+// interactions that outlives individual stream, e.g. timer, async calls.
+class PluginRootContext : public RootContext {
+ public:
+  PluginRootContext(uint32_t id, std::string_view root_id)
+      : RootContext(id, root_id) {}
+  ~PluginRootContext() {}
+};
+
+// Per-stream context.
+class PluginContext : public Context {
+ public:
+  explicit PluginContext(uint32_t id, RootContext* root) : Context(id, root) {}
+  FilterHeadersStatus onRequestHeaders(uint32_t, bool) override;
+};
+
+#ifdef NULL_PLUGIN
+
+}  // namespace sni_misdirect
+}  // namespace null_plugin
+}  // namespace proxy_wasm
+
+#endif

plugins/wasm-cpp/extensions/sni_misdirect/plugin_test.cc

@@ -0,0 +1,197 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "extensions/sni_misdirect/plugin.h"
+
+#include <initializer_list>
+
+#include "absl/strings/str_format.h"
+#include "gmock/gmock.h"
+#include "gtest/gtest.h"
+#include "include/proxy-wasm/context.h"
+#include "include/proxy-wasm/null.h"
+
+namespace proxy_wasm {
+namespace null_plugin {
+namespace sni_misdirect {
+
+NullPluginRegistry* context_registry_;
+RegisterNullVmPluginFactory register_sni_misdirect_plugin(
+    "sni_misdirect", []() {
+      return std::make_unique<NullPlugin>(sni_misdirect::context_registry_);
+    });
+
+class MockContext : public proxy_wasm::ContextBase {
+ public:
+  MockContext(WasmBase* wasm) : ContextBase(wasm) {}
+
+  MOCK_METHOD(BufferInterface*, getBuffer, (WasmBufferType));
+  MOCK_METHOD(WasmResult, log, (uint32_t, std::string_view));
+  MOCK_METHOD(WasmResult, getHeaderMapValue,
+              (WasmHeaderMapType /* type */, std::string_view /* key */,
+               std::string_view* /*result */));
+  MOCK_METHOD(WasmResult, sendLocalResponse,
+              (uint32_t /* response_code */, std::string_view /* body */,
+               Pairs /* additional_headers */, uint32_t /* grpc_status */,
+               std::string_view /* details */));
+  MOCK_METHOD(WasmResult, getProperty, (std::string_view, std::string*));
+};
+
+class SNIMisdirectTest : public ::testing::Test {
+ protected:
+  SNIMisdirectTest() {
+    // Initialize test VM
+    test_vm_ = createNullVm();
+    wasm_base_ = std::make_unique<WasmBase>(
+        std::move(test_vm_), "test-vm", "", "",
+        std::unordered_map<std::string, std::string>{},
+        AllowedCapabilitiesMap{});
+    wasm_base_->load("sni_misdirect");
+    wasm_base_->initialize();
+
+    // Initialize host side context
+    mock_context_ = std::make_unique<MockContext>(wasm_base_.get());
+    current_context_ = mock_context_.get();
+
+    ON_CALL(*mock_context_, log(testing::_, testing::_))
+        .WillByDefault([](uint32_t, std::string_view m) {
+          std::cerr << m << "\n";
+          return WasmResult::Ok;
+        });
+
+    ON_CALL(*mock_context_, getHeaderMapValue(WasmHeaderMapType::RequestHeaders,
+                                              testing::_, testing::_))
+        .WillByDefault([&](WasmHeaderMapType, std::string_view header,
+                           std::string_view* result) {
+          if (header == ":authority") {
+            *result = authority_;
+          }
+          if (header == "content-type") {
+            *result = content_type_;
+          }
+          return WasmResult::Ok;
+        });
+
+    ON_CALL(*mock_context_, getProperty(testing::_, testing::_))
+        .WillByDefault([&](std::string_view path, std::string* result) {
+          if (path == absl::StrFormat("%s%c%s%c", "connection", 0,
+                                      "requested_server_name", 0)) {
+            *result = sni_;
+          }
+          if (path ==
+              absl::StrFormat("%s%c%s%c", "request", 0, "protocol", 0)) {
+            *result = protocol_;
+          }
+          if (path == absl::StrFormat("%s%c%s%c", "request", 0, "scheme", 0)) {
+            *result = scheme_;
+          }
+          return WasmResult::Ok;
+        });
+
+    // Initialize Wasm sandbox context
+    root_context_ = std::make_unique<PluginRootContext>(0, "");
+    context_ = std::make_unique<PluginContext>(1, root_context_.get());
+  }
+  ~SNIMisdirectTest() override {}
+
+  std::unique_ptr<WasmBase> wasm_base_;
+  std::unique_ptr<WasmVm> test_vm_;
+  std::unique_ptr<MockContext> mock_context_;
+
+  std::unique_ptr<PluginRootContext> root_context_;
+  std::unique_ptr<PluginContext> context_;
+
+  std::string protocol_ = "HTTP/2";
+  std::string authority_;
+  std::string sni_;
+  std::string content_type_;
+  std::string scheme_ = "https";
+};
+
+TEST_F(SNIMisdirectTest, OnMatch) {
+  authority_ = "a.example.com";
+  sni_ = "b.example.com";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(421, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+
+  authority_ = "a.example.com";
+  sni_ = "a.example.com";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  authority_ = "a.example.com:80";
+  sni_ = "a.example.com";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  authority_ = "a.test.com";
+  sni_ = "*.example.com";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(421, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+
+  authority_ = "a.example.com";
+  sni_ = "*.example.com";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  authority_ = "a.example.com";
+  sni_ = "b.example.com";
+  protocol_ = "HTTP/1.1";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  authority_ = "a.example.com";
+  sni_ = "";
+  protocol_ = "HTTP/2";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  authority_ = "a.example.com";
+  sni_ = "b.example.com";
+  protocol_ = "HTTP/2";
+  content_type_ = "application/grpc";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  authority_ = "a.example.com";
+  sni_ = "b.example.com";
+  protocol_ = "HTTP/2";
+  content_type_ = "application/grpc+";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+
+  authority_ = "a.example.com";
+  sni_ = "b.example.com";
+  protocol_ = "HTTP/2";
+  content_type_ = "application/grpc-web";
+  EXPECT_CALL(*mock_context_, sendLocalResponse(421, testing::_, testing::_,
+                                                testing::_, testing::_));
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::StopIteration);
+
+  authority_ = "a.example.com";
+  sni_ = "b.example.com";
+  protocol_ = "HTTP/2";
+  scheme_ = "http";
+  EXPECT_EQ(context_->onRequestHeaders(0, false),
+            FilterHeadersStatus::Continue);
+}
+
+}  // namespace sni_misdirect
+}  // namespace null_plugin
+}  // namespace proxy_wasm