diff --git a/filter-custom-opa/build.gradle.kts b/filter-custom-opa/build.gradle.kts
deleted file mode 100644
index de45eb5c6..000000000
--- a/filter-custom-opa/build.gradle.kts
+++ /dev/null
@@ -1,14 +0,0 @@
-plugins {
- `java-library`
-}
-
-val versions: Map by extra
-
-dependencies {
- api(project(":filter-api"))
- implementation("org.slf4j:slf4j-api:${versions["slf4j"]}")
- implementation("com.squareup.okhttp3:okhttp:3.14.9")
- implementation("com.fasterxml.jackson.core:jackson-databind:2.11.3")
- implementation("com.google.auto.service:auto-service:1.0-rc7")
- annotationProcessor("com.google.auto.service:auto-service:1.0-rc7")
-}
diff --git a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/CustomOpaLib.java b/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/CustomOpaLib.java
deleted file mode 100644
index 6b8a653da..000000000
--- a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/CustomOpaLib.java
+++ /dev/null
@@ -1,106 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom; - -import com.google.auto.service.AutoService; -import io.opentelemetry.api.common.AttributeKey; -import io.opentelemetry.api.trace.Span; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; -import java.util.concurrent.Executors; -import java.util.concurrent.ScheduledExecutorService; -import java.util.concurrent.ThreadFactory; -import java.util.concurrent.TimeUnit; -import java.util.concurrent.atomic.AtomicInteger; -import org.hypertrace.agent.filter.api.Filter; -import org.hypertrace.agent.filter.opa.custom.evaluator.ICustomPolicyEvaluator; -import org.hypertrace.agent.filter.opa.custom.evaluator.IpAddressPolicyEvaluator; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** This is a legacy code ported from Traceable Java agent. 
*/ -@AutoService(Filter.class) -public class CustomOpaLib implements Filter { - private static final Logger log = LoggerFactory.getLogger(CustomOpaLib.class); - - private static AttributeKey OPA_RESULT = AttributeKey.stringKey("traceableai.opa.result"); - - private final OpaCommunicator opaCommunicator = new OpaCommunicator(); - private final Set policyEvaluators = new HashSet<>(); - - private final ScheduledExecutorService scheduledExecutorService = - Executors.newSingleThreadScheduledExecutor( - new ThreadFactory() { - private final AtomicInteger threadSequence = new AtomicInteger(1); - - @Override - public Thread newThread(Runnable r) { - String name = "hypertrace-agent-custom-opa" + threadSequence.getAndIncrement(); - Thread thread = new Thread(r, name); - thread.setDaemon(true); - return thread; - } - }); - - public CustomOpaLib(String endpoint, String apiKey, boolean skipVerify, int maxDelay) { - opaCommunicator.init(endpoint, apiKey, skipVerify); - scheduledExecutorService.scheduleWithFixedDelay( - new Runnable() { - @Override - public void run() { - try { - opaCommunicator.pollBlockingData(); - } catch (Throwable t) { - log.debug("Unable to poll blocking data", t); - } - } - }, - 0, - maxDelay, - TimeUnit.SECONDS); - - policyEvaluators.add(new IpAddressPolicyEvaluator()); - } - - // TODO agent should clear resources at the end - // @Override - // public void fini() { - // scheduledExecutorService.shutdownNow(); - // scheduledExecutorService = null; - // opaCommunicator.clear(); - // policyEvaluators.clear(); - // } - - @Override - public boolean evaluateRequestHeaders(Span span, Map headers) { - // currently as per policy.rego, allowed list has precedence over denylist - boolean allow = - policyEvaluators.stream() - .map( - policyEvaluator -> - policyEvaluator.allow(opaCommunicator.getBlockingData(), headers)) - .anyMatch(Boolean::booleanValue); - span.setAttribute(OPA_RESULT, String.valueOf(allow)); - return !allow; - } - - @Override - public boolean 
evaluateRequestBody(Span span, String body) { - return true; - } -} diff --git a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/CustomOpaLibProvider.java b/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/CustomOpaLibProvider.java deleted file mode 100644 index cd0e4d353..000000000 --- a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/CustomOpaLibProvider.java +++ /dev/null 
@@ -1,48 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom; - -import com.google.auto.service.AutoService; -import org.hypertrace.agent.config.Config.AgentConfig; -import org.hypertrace.agent.config.Config.Reporting; -import org.hypertrace.agent.core.config.HypertraceConfig; -import org.hypertrace.agent.filter.FilterRegistry; -import org.hypertrace.agent.filter.api.Filter; -import org.hypertrace.agent.filter.spi.FilterProvider; - -@AutoService(FilterProvider.class) -public class CustomOpaLibProvider implements FilterProvider { - - public CustomOpaLibProvider() { - // by default disable this provider until HT agent config includes OPA - if (!HypertraceConfig.get().getReporting().getOpa().getEnabled().getValue()) { - String property = FilterRegistry.getProviderDisabledPropertyName(CustomOpaLibProvider.class); - System.setProperty(property, "true"); - } - } - - @Override - public Filter create() { - AgentConfig agentConfig = HypertraceConfig.get(); - Reporting reporting = agentConfig.getReporting(); - return new CustomOpaLib( - reporting.getOpa().getEndpoint().getValue(), - reporting.getToken().getValue(), - reporting.getSecure().getValue(), - reporting.getOpa().getPollPeriodSeconds().getValue()); - } -} 
diff --git a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/OpaCommunicator.java b/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/OpaCommunicator.java deleted file mode 100644 index ed61c982c..000000000 --- a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/OpaCommunicator.java +++ /dev/null 
@@ -1,162 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom; - -import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; -import java.io.IOException; -import java.security.KeyManagementException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; -import javax.net.ssl.*; -import okhttp3.Interceptor; -import okhttp3.OkHttpClient; -import okhttp3.Request; -import okhttp3.Response; -import org.hypertrace.agent.filter.opa.custom.data.BlockingData; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -public class OpaCommunicator { - private static final Logger log = LoggerFactory.getLogger(OpaCommunicator.class); - - private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper(); - private static final String PATH = "/v1/data"; - - private OkHttpClient httpClient; - private Request request; - - private BlockingData blockingData; - - protected OpaCommunicator() {} - - public void init(String endpoint, String authToken, boolean skipVerify) { - OkHttpClient.Builder builder = new OkHttpClient.Builder(); - if (authToken != null && !authToken.isEmpty()) { - log.info("Adding authentication key"); - builder = withAuth(builder, authToken); - } - if (skipVerify) { - builder = withSkipVerify(builder); - } - this.httpClient = builder.build(); - if 
(endpoint.endsWith("/")) { - endpoint = endpoint.substring(0, endpoint.length() - 1); - } - this.request = new Request.Builder().url(endpoint + PATH).get().build(); - } - - public void pollBlockingData() { - if (httpClient == null) { - return; - } - - Response response; - try { - response = httpClient.newCall(request).execute(); - } catch (IOException e) { - log.warn("Unable to make a successful get call to the OPA service.", e); - return; - } - - log.trace("Received response from OPA service: {}", response); - if (response.isSuccessful()) { - try { - JsonNode jsonNode = OBJECT_MAPPER.readTree(response.body().byteStream()); - if (log.isDebugEnabled()) { - log.debug("Received blocking data from OPA service: {}", jsonNode); - } - blockingData = - OBJECT_MAPPER.treeToValue( - jsonNode.at("/result/traceable/http/request"), BlockingData.class); - } catch (IOException e) { - log.warn("Unable to retrieve blocking data from the OPA service.", e); - } - } - } - - public BlockingData getBlockingData() { - return blockingData; - } - - public void clear() { - httpClient = null; - request = null; - blockingData = null; - } - - private static OkHttpClient.Builder withAuth(OkHttpClient.Builder builder, String authToken) { - builder.addInterceptor(getAuthInterceptor("Bearer " + authToken)); - return builder; - } - - private static OkHttpClient.Builder withSkipVerify(OkHttpClient.Builder builder) { - // Install the all-trusting trust manager - try { - TrustManager[] trustAllCertsManagers = getTrustAllCertsManagers(); - final SSLContext sslContext = SSLContext.getInstance("SSL"); - sslContext.init(null, trustAllCertsManagers, new java.security.SecureRandom()); - // Create an ssl socket factory with our all-trusting manager - final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); - builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCertsManagers[0]); - builder.hostnameVerifier(getSkipVerifyHostnameVerifier()); - } catch (NoSuchAlgorithmException 
e) { - log.warn("Error in getting SSL context. SkipVerify could not be set to true.", e); - } catch (KeyManagementException e) { - log.warn("Error in initializing SSL context. SkipVerify could not be set to true.", e); - } - return builder; - } - - private static Interceptor getAuthInterceptor(final String headerValue) { - return new Interceptor() { - @Override - public Response intercept(Chain chain) throws IOException { - return chain.proceed( - chain.request().newBuilder().addHeader("Authorization", headerValue).build()); - } - }; - } - - private static TrustManager[] getTrustAllCertsManagers() { - return new TrustManager[] { - new X509TrustManager() { - @Override - public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) - throws CertificateException {} - - @Override - public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) - throws CertificateException {} - - @Override - public java.security.cert.X509Certificate[] getAcceptedIssuers() { - return new java.security.cert.X509Certificate[] {}; - } - } - }; - } - - private static HostnameVerifier getSkipVerifyHostnameVerifier() { - return new HostnameVerifier() { - @Override - public boolean verify(String hostname, SSLSession session) { - return true; - } - }; - } -} diff --git a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/BlockingData.java b/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/BlockingData.java deleted file mode 100644 index 75df5d4d5..000000000 --- a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/BlockingData.java +++ /dev/null 
@@ -1,82 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom.data; - -import java.util.ArrayList; -import java.util.HashSet; -import java.util.List; - -/** data.json java class mapping for blocking policy. */ -public class BlockingData { - private IpAddress denylist; - private List suspendedlist; - private IpAddress allowlist; - private List snoozedlist; - - public BlockingData() {} - - public BlockingData( - IpAddress denylist, - List suspendedlist, - IpAddress allowlist, - List snoozedlist) { - this.denylist = denylist; - this.suspendedlist = suspendedlist; - this.allowlist = allowlist; - this.snoozedlist = snoozedlist; - } - - public static BlockingData createEmpty() { - return new BlockingData( - new IpAddress(new HashSet<>()), - new ArrayList<>(), - new IpAddress(new HashSet<>()), - new ArrayList<>()); - } - - public IpAddress getDenylist() { - return denylist; - } - - public void setDenylist(IpAddress denylist) { - this.denylist = denylist; - } - - public List getSuspendedlist() { - return suspendedlist; - } - - public void setSuspendedlist(List suspendedlist) { - this.suspendedlist = suspendedlist; - } - - public IpAddress getAllowlist() { - return allowlist; - } - - public void setAllowlist(IpAddress allowlist) { - this.allowlist = allowlist; - } - - public List getSnoozedlist() { - return snoozedlist; - } - - public void setSnoozedlist(List 
snoozedlist) { - this.snoozedlist = snoozedlist; - } -} diff --git a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/IpAddress.java b/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/IpAddress.java deleted file mode 100644 index 93ecb64a4..000000000 --- a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/IpAddress.java +++ /dev/null @@ -1,38 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom.data; - -import java.util.Set; - -public class IpAddress { - - private Set ipAddress; - - public IpAddress() {} - - public IpAddress(Set ipAddress) { - this.ipAddress = ipAddress; - } - - public Set getIpAddress() { - return ipAddress; - } - - public void setIpAddress(Set ipAddress) { - this.ipAddress = ipAddress; - } -} diff --git a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/IpAddressWithExpiry.java b/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/IpAddressWithExpiry.java deleted file mode 100644 index 7f2c7efc0..000000000 --- a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/data/IpAddressWithExpiry.java +++ /dev/null 
@@ -1,47 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom.data; - -import java.util.Set; - -public class IpAddressWithExpiry { - private Set ipAddress; - private Long expiry; - - public IpAddressWithExpiry() {} - - public IpAddressWithExpiry(Set ipAddress, Long expiry) { - this.ipAddress = ipAddress; - this.expiry = expiry; - } - - public Set getIpAddress() { - return ipAddress; - } - - public void setIpAddress(Set ipAddress) { - this.ipAddress = ipAddress; - } - - public Long getExpiry() { - return expiry; - } - - public void setExpiry(Long expiry) { - this.expiry = expiry; - } -} diff --git a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/evaluator/ICustomPolicyEvaluator.java b/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/evaluator/ICustomPolicyEvaluator.java deleted file mode 100644 index 279f981bc..000000000 --- a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/evaluator/ICustomPolicyEvaluator.java +++ /dev/null 
@@ -1,24 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom.evaluator; - -import java.util.Map; -import org.hypertrace.agent.filter.opa.custom.data.BlockingData; - -public interface ICustomPolicyEvaluator { - boolean allow(BlockingData blockingData, Map attrMap); -} diff --git a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/evaluator/IpAddressPolicyEvaluator.java b/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/evaluator/IpAddressPolicyEvaluator.java deleted file mode 100644 index 4552949ee..000000000 --- a/filter-custom-opa/src/main/java/org/hypertrace/agent/filter/opa/custom/evaluator/IpAddressPolicyEvaluator.java +++ /dev/null 
@@ -1,136 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom.evaluator; - -import java.util.*; -import org.hypertrace.agent.filter.opa.custom.data.BlockingData; -import org.hypertrace.agent.filter.opa.custom.data.IpAddressWithExpiry; - -public class IpAddressPolicyEvaluator implements ICustomPolicyEvaluator { - - public static final String X_REAL_IP_KEY = "http.request.header.x-real-ip"; - public static String X_FORWARDED_FOR_KEY = "http.request.header.x-forwarded-for"; - public static String X_PROXYUSER_IP_KEY = "http.request.header.x-proxyuser-ip"; - public static String HTTP_FORWARDED_KEY = "http.request.header.forwarded"; - public static String PROXY_CLIENT_KEY = "proxy.client.addr"; - - @Override - public boolean allow(BlockingData blockingData, Map attrMap) { - long currentTimeInMillis = System.currentTimeMillis(); - - if (blockingData == null) { - return true; - } - - Set ipAddresses = new HashSet<>(); - extractXRealIps(attrMap, ipAddresses); - extractXForwardedForIps(attrMap, ipAddresses); - extractXProxyUserIps(attrMap, ipAddresses); - extractHttpForwardedIps(attrMap, ipAddresses); - extractProxyClientIps(attrMap, ipAddresses); - - Set snoozedIpData = getSnoozedIpData(blockingData, currentTimeInMillis); - Set suspendedIpData = getSuspendedIpData(blockingData, currentTimeInMillis); - Set deniedIpData = blockingData.getDenylist().getIpAddress(); - Set 
allowedIpData = blockingData.getAllowlist().getIpAddress(); - - Set allowed = new HashSet<>(); - Set violations = new HashSet<>(); - - ipAddresses.forEach( - ipAddr -> { - if (allowedIpData.contains(ipAddr) || snoozedIpData.contains(ipAddr)) { - allowed.add(ipAddr); - } - if (deniedIpData.contains(ipAddr) || suspendedIpData.contains(ipAddr)) { - violations.add(ipAddr); - } - }); - - if (allowed.isEmpty() && !violations.isEmpty()) { - return false; - } - - return true; - } - - void extractXRealIps(Map attrMap, Set ipAddresses) { - String ipAddr = attrMap.get(X_REAL_IP_KEY); - if (ipAddr != null && !(ipAddr = ipAddr.trim()).isEmpty()) { - ipAddresses.add(ipAddr); - } - } - - void extractXForwardedForIps(Map attrMap, Set ipAddresses) { - String ipAddrStr = attrMap.get(X_FORWARDED_FOR_KEY); - String ipAddr = - (ipAddrStr != null && !ipAddrStr.isEmpty()) ? ipAddrStr.split(",")[0].trim() : ""; - if (ipAddr != null && !ipAddr.isEmpty()) { - ipAddresses.add(ipAddr); - } - } - - void extractXProxyUserIps(Map attrMap, Set ipAddresses) { - String ipAddr = attrMap.get(X_PROXYUSER_IP_KEY); - if (ipAddr != null && !(ipAddr = ipAddr.trim()).isEmpty()) { - ipAddresses.add(ipAddr); - } - } - - void extractHttpForwardedIps(Map attrMap, Set ipAddresses) { - String val = attrMap.get(HTTP_FORWARDED_KEY); - if (val != null && !val.isEmpty()) { - String[] forwardedIpHeaderValues = val.split(";"); - for (String headerValue : forwardedIpHeaderValues) { - String[] keyValuePair = headerValue.split("="); - if (keyValuePair.length > 1 && keyValuePair[0].equals("for")) { - String ipAddr = keyValuePair[1].trim(); - if (ipAddr != null && !ipAddr.isEmpty()) { - ipAddresses.add(ipAddr); - } - } - } - } - } - - void extractProxyClientIps(Map attrMap, Set ipAddresses) { - String ipAddr = attrMap.get(PROXY_CLIENT_KEY); - if (ipAddr != null && !(ipAddr = ipAddr.trim()).isEmpty()) { - ipAddresses.add(ipAddr); - } - } - - Set getSnoozedIpData(BlockingData blockingData, long currentTimeInMillis) { - Set 
snoozedIps = new HashSet<>(); - for (IpAddressWithExpiry ipAddr : blockingData.getSnoozedlist()) { - if (ipAddr.getExpiry() > currentTimeInMillis) { - snoozedIps.addAll(ipAddr.getIpAddress()); - } - } - return snoozedIps; - } - - Set getSuspendedIpData(BlockingData blockingData, long currentTimeInMillis) { - Set suspendedIps = new HashSet<>(); - for (IpAddressWithExpiry ipAddr : blockingData.getSuspendedlist()) { - if (ipAddr.getExpiry() > currentTimeInMillis) { - suspendedIps.addAll(ipAddr.getIpAddress()); - } - } - return suspendedIps; - } -} diff --git a/filter-custom-opa/src/test/java/org/hypertrace/agent/filter/opa/custom/evaluator/IpAddressPolicyEvaluatorTest.java b/filter-custom-opa/src/test/java/org/hypertrace/agent/filter/opa/custom/evaluator/IpAddressPolicyEvaluatorTest.java deleted file mode 100644 index c2271c5ea..000000000 --- a/filter-custom-opa/src/test/java/org/hypertrace/agent/filter/opa/custom/evaluator/IpAddressPolicyEvaluatorTest.java +++ /dev/null 
@@ -1,172 +0,0 @@ -/* - * Copyright The Hypertrace Authors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.hypertrace.agent.filter.opa.custom.evaluator; - -import com.fasterxml.jackson.databind.JsonNode; -import com.fasterxml.jackson.databind.ObjectMapper; -import java.io.IOException; -import java.net.URL; -import java.util.*; -import java.util.function.BiConsumer; -import org.hypertrace.agent.filter.opa.custom.data.BlockingData; -import org.hypertrace.agent.filter.opa.custom.data.IpAddressWithExpiry; -import org.junit.jupiter.api.Assertions; -import org.junit.jupiter.api.Test; - -@SuppressWarnings("unchecked") -public class IpAddressPolicyEvaluatorTest { - - private final String ipAddr = "127.0.1.1"; - private final String ipAddr2 = "127.0.1.2"; - private final IpAddressPolicyEvaluator policyEvaluator = new IpAddressPolicyEvaluator(); - - @Test - public void testExtractXRealIps() { - BiConsumer method = (map, set) -> policyEvaluator.extractXRealIps(map, set); - String key = IpAddressPolicyEvaluator.X_REAL_IP_KEY; - assertIps(method, "xyz", ipAddr); - assertIps(method, key, " "); - assertIps(method, key, " " + ipAddr + " ", ipAddr); - } - - @Test - public void testExtractXForwardedForIps() { - BiConsumer method = (map, set) -> policyEvaluator.extractXForwardedForIps(map, set); - String key = IpAddressPolicyEvaluator.X_FORWARDED_FOR_KEY; - assertIps(method, "xyz", ipAddr); - assertIps(method, key, " "); - assertIps(method, key, " , 0.1 
"); - assertIps(method, key, " " + ipAddr + " ", ipAddr); - assertIps(method, key, " " + ipAddr + " , 0.1", ipAddr); - } - - @Test - public void testExtractXProxyUserIps() { - BiConsumer method = (map, set) -> policyEvaluator.extractXProxyUserIps(map, set); - String key = IpAddressPolicyEvaluator.X_PROXYUSER_IP_KEY; - assertIps(method, "xyz", ipAddr); - assertIps(method, key, " "); - assertIps(method, key, " " + ipAddr + " ", ipAddr); - } - - @Test - public void testExtractProxyClientIps() { - BiConsumer method = (map, set) -> policyEvaluator.extractProxyClientIps(map, set); - String key = IpAddressPolicyEvaluator.PROXY_CLIENT_KEY; - assertIps(method, "xyz", ipAddr); - assertIps(method, key, " "); - assertIps(method, key, " " + ipAddr + " ", ipAddr); - } - - @Test - public void testExtractHttpForwardedIps() { - BiConsumer method = (map, set) -> policyEvaluator.extractHttpForwardedIps(map, set); - String key = IpAddressPolicyEvaluator.HTTP_FORWARDED_KEY; - assertIps(method, "xyz", ipAddr); - assertIps(method, key, " "); - assertIps(method, key, " " + ipAddr + " "); - assertIps(method, key, "f=" + ipAddr + " "); - assertIps(method, key, "for= " + ipAddr + " ", ipAddr); - assertIps(method, key, "for= "); - assertIps(method, key, "for= ; 0.1"); - assertIps(method, key, "for= " + ipAddr + " ;f=" + ipAddr2, ipAddr); - assertIps(method, key, "for= " + ipAddr + " ;for= " + ipAddr2, ipAddr, ipAddr2); - } - - @Test - public void testGetSnoozedSuspendedIpData() { - IpAddressWithExpiry activeIp = new IpAddressWithExpiry(); - activeIp.setExpiry(System.currentTimeMillis() + 60 * 60 * 1000); - activeIp.setIpAddress(Collections.singleton(ipAddr)); - IpAddressWithExpiry expiredIp = new IpAddressWithExpiry(); - expiredIp.setExpiry(System.currentTimeMillis() - 60 * 60 * 1000); - expiredIp.setIpAddress(Collections.singleton(ipAddr2)); - - List ipAddresses = - new ArrayList() { - { - add(activeIp); - add(expiredIp); - } - }; - - { - BlockingData blockingData = new BlockingData(); - 
blockingData.setSnoozedlist(ipAddresses); - Set resultIps = - policyEvaluator.getSnoozedIpData(blockingData, System.currentTimeMillis()); - Assertions.assertEquals(1, resultIps.size()); - Assertions.assertTrue(ipAddresses.contains(activeIp)); - } - { - BlockingData blockingData = new BlockingData(); - blockingData.setSuspendedlist(ipAddresses); - Set resultIps = - policyEvaluator.getSuspendedIpData(blockingData, System.currentTimeMillis()); - Assertions.assertEquals(1, resultIps.size()); - Assertions.assertTrue(ipAddresses.contains(activeIp)); - } - } - - @Test - public void testAllow() throws IOException { - ObjectMapper objectMapper = new ObjectMapper(); - JsonNode jsonNode = - objectMapper.readTree(getClass().getClassLoader().getResource("data/data.json")); - BlockingData blockingData = - objectMapper.treeToValue(jsonNode.at("/result/traceable/http/request"), BlockingData.class); - assertAllow(objectMapper, blockingData, null, true); - assertAllow( - objectMapper, - blockingData, - getClass().getClassLoader().getResource("input/input-allowed-non-empty.json"), - true); - assertAllow( - objectMapper, - blockingData, - getClass().getClassLoader().getResource("input/input-allowed-empty-violations-empty.json"), - true); - assertAllow( - objectMapper, - blockingData, - getClass() - .getClassLoader() - .getResource("input/input-allowed-empty-violations-non-empty.json"), - false); - } - - private void assertIps( - BiConsumer function, String key, String value, String... resultIps) { - Set ipAddresses = new HashSet<>(); - Map attrMap = new HashMap<>(); - attrMap.put(key, value); - function.accept(attrMap, ipAddresses); - - Assertions.assertEquals(resultIps.length, ipAddresses.size()); - for (String ip : resultIps) { - Assertions.assertTrue(ipAddresses.contains(ip)); - } - } - - private void assertAllow( - ObjectMapper objectMapper, BlockingData blockingData, URL fileName, boolean allow) - throws IOException { - Map attributesMap = - fileName == null ? 
new HashMap<>() : objectMapper.readValue(fileName, HashMap.class); - Assertions.assertEquals(policyEvaluator.allow(blockingData, attributesMap), allow); - } -} diff --git a/filter-custom-opa/src/test/resources/data/data.json b/filter-custom-opa/src/test/resources/data/data.json deleted file mode 100644 index b3b1779ab..000000000 --- a/filter-custom-opa/src/test/resources/data/data.json +++ /dev/null @@ -1,54 +0,0 @@ -{ - "result": { - "traceable": { - "http": { - "request": { - "allowlist": { - "ipAddress": [ - "127.0.0.1", - "127.0.1.1" - ] - }, - "denylist": { - "ipAddress": [ - "127.0.0.2", - "127.0.1.2" - ] - }, - "suspendedlist": [ - { - "ipAddress": [ - "127.0.0.31", - "127.0.1.31" - ], - "expiry": 1498082787000 - }, - { - "ipAddress": [ - "127.0.0.32", - "127.0.1.32" - ], - "expiry": 1698082787000 - } - ], - "snoozedlist": [ - { - "ipAddress": [ - "127.0.0.41", - "127.0.1.41" - ], - "expiry": 1498082787000 - }, - { - "ipAddress": [ - "127.0.0.42", - "127.0.1.42" - ], - "expiry": 1698082787000 - } - ] - } - } - } - } -} \ No newline at end of file diff --git a/filter-custom-opa/src/test/resources/input/input-allowed-empty-violations-empty.json b/filter-custom-opa/src/test/resources/input/input-allowed-empty-violations-empty.json deleted file mode 100644 index 8cb34cb98..000000000 --- a/filter-custom-opa/src/test/resources/input/input-allowed-empty-violations-empty.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "http.request.header.x-real-ip": "127.0.2.1", - "http.request.header.x-forwarded-for": "127.0.2.2,9.2.3", - "http.request.header.x-proxyuser-ip": "127.0.0.3", - "http.request.header.forwarded": "for=127.0.0.31;for=127.0.2.32;for=127.0.0.41;for=127.0.2.42;f=127.0.0.43;127.0.0.44;", - "proxy.client.addr": "127.0.0.5" -} \ No newline at end of file 
diff --git a/filter-custom-opa/src/test/resources/input/input-allowed-empty-violations-non-empty.json b/filter-custom-opa/src/test/resources/input/input-allowed-empty-violations-non-empty.json deleted file mode 100644 index baded6d71..000000000 --- a/filter-custom-opa/src/test/resources/input/input-allowed-empty-violations-non-empty.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "http.request.header.x-real-ip": "127.0.2.1", - "http.request.header.x-forwarded-for": "127.0.0.2,9.2.3", - "http.request.header.x-proxyuser-ip": "127.0.0.3", - "http.request.header.forwarded": "for=127.0.0.31;for=127.0.0.32;for=127.0.0.41;for=127.0.2.42;f=127.0.0.43;127.0.0.44;", - "proxy.client.addr": "127.0.0.5" -} \ No newline at end of file diff --git a/filter-custom-opa/src/test/resources/input/input-allowed-non-empty.json b/filter-custom-opa/src/test/resources/input/input-allowed-non-empty.json deleted file mode 100644 index aaaab05a2..000000000 --- a/filter-custom-opa/src/test/resources/input/input-allowed-non-empty.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "http.request.header.x-real-ip": "127.0.0.1", - "http.request.header.x-forwarded-for": "127.0.0.2,9.2.3", - "http.request.header.x-proxyuser-ip": "127.0.0.3", - "http.request.header.forwarded": "for=127.0.0.31;for=127.0.0.32;for=127.0.0.41;for=127.0.0.42;f=127.0.0.43;127.0.0.44;", - "proxy.client.addr": "127.0.0.5" -} \ No newline at end of file diff --git a/otel-extensions/build.gradle.kts b/otel-extensions/build.gradle.kts index a8acec87c..626e124cc 100644 --- a/otel-extensions/build.gradle.kts +++ b/otel-extensions/build.gradle.kts @@ -5,7 +5,7 @@ plugins { val versions: Map by extra dependencies { - api(project(":filter-custom-opa")) + api(project(":filter-api")) compileOnly("io.opentelemetry:opentelemetry-sdk:${versions["opentelemetry"]}") compileOnly("io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:${versions["opentelemetry"]}-alpha") diff --git a/settings.gradle.kts b/settings.gradle.kts index 38dd36f31..f571aaee4 100644 
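Review bot: After this dependency swap nothing in the diff consumes the `reporting.opa.*` settings the deleted `CustomOpaLibProvider` read from `HypertraceConfig` (`getOpa().getEnabled()`, `getEndpoint()`, `getPollPeriodSeconds()`), so an agent configured with `opa.enabled=true` would now start without any IP allow/deny filter and without a message saying so; the config schema is not in this diff, so if those fields survive, add a deprecation note or a startup warning instead of leaving them as silent no-ops. `api(project(":filter-api"))` preserves what `otel-extensions` previously got transitively, since the removed module itself declared `api(project(":filter-api"))` while OkHttp and Jackson were `implementation`-scoped, so downstream compile classpaths look unchanged. It is worth recording in the commit message that this also removes the agent's only trust-all `X509TrustManager`/`HostnameVerifier` code path (`OpaCommunicator.withSkipVerify`), which the provider toggled from `reporting.secure`. The `dependencies` block this hunk edits continues past the end of the hunk.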
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -36,7 +36,6 @@ include("instrumentation:grpc-1.5")
 findProject(":instrumentation:grpc-1.5")?.name = "grpc-1.5"
 include("instrumentation:okhttp:okhttp-3.0")
 findProject(":instrumentation:okhttp:okhttp-3.0")?.name = "okhttp-3.0"
-include("filter-custom-opa")
 include("otel-extensions")
 include("testing-bootstrap")
 include("instrumentation:jaxrs-client-2.0")