[filters] Add RBAC condition fuzzer (CEL expressions) (#9110)
This adds a fuzzer for CEL expression matching. These conditions are used in the RBAC filter to complement the existing principal/permission model.

About a quarter of the execution time is coming from google::api::expr::runtime::RegisterBuiltinFunctions. The test runs locally at about 250 exec/sec.

See: #7716

Risk Level: Low
Testing: Converted unit tests into corpus entries

Signed-off-by: Asra Ali <asraa@google.com>
asraa authored and htuch committed Dec 3, 2019
1 parent 04362e9 commit 210acff
Showing 19 changed files with 595 additions and 7 deletions.
8 changes: 4 additions & 4 deletions bazel/repository_locations.bzl
Expand Up @@ -94,10 +94,10 @@ REPOSITORY_LOCATIONS = dict(
urls = ["https://github.com/gabime/spdlog/archive/v1.3.1.tar.gz"],
),
com_github_google_libprotobuf_mutator = dict(
sha256 = "f45c3ad82376d891cd0bcaa7165e83efd90e0014b00aebf0cbaf07eb05a1d3f9",
strip_prefix = "libprotobuf-mutator-d1fe8a7d8ae18f3d454f055eba5213c291986f21",
# 2019-07-10
urls = ["https://github.com/google/libprotobuf-mutator/archive/d1fe8a7d8ae18f3d454f055eba5213c291986f21.tar.gz"],
sha256 = "54597f640c0ab5e5d783d2f3d3cfe8ad6da999ef1a194d89c2c5ab89a1fd8e13",
strip_prefix = "libprotobuf-mutator-dd89da92b59b1714bab6e2a135093948a1cf1c6a",
# 2019-10-08
urls = ["https://github.com/google/libprotobuf-mutator/archive/dd89da92b59b1714bab6e2a135093948a1cf1c6a.tar.gz"],
),
com_github_gperftools_gperftools = dict(
# TODO(cmluciano): Bump to release 2.8
4 changes: 2 additions & 2 deletions source/extensions/filters/common/expr/evaluator.cc
Expand Up @@ -49,7 +49,7 @@ BuilderPtr createBuilder(Protobuf::Arena* arena) {
auto register_status =
google::api::expr::runtime::RegisterBuiltinFunctions(builder->GetRegistry(), options);
if (!register_status.ok()) {
throw EnvoyException(
throw CelException(
absl::StrCat("failed to register built-in functions: ", register_status.message()));
}
return builder;
Expand All @@ -59,7 +59,7 @@ ExpressionPtr createExpression(Builder& builder, const google::api::expr::v1alph
google::api::expr::v1alpha1::SourceInfo source_info;
auto cel_expression_status = builder.CreateExpression(&expr, &source_info);
if (!cel_expression_status.ok()) {
throw EnvoyException(
throw CelException(
absl::StrCat("failed to create an expression: ", cel_expression_status.status().message()));
}
return std::move(cel_expression_status.ValueOrDie());
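--- a/source/extensions/filters/common/expr/evaluator.h
+++ b/source/extensions/filters/common/expr/evaluator.h
@@ -52,6 +52,12 @@ absl::optional<CelValue> evaluate(const Expression& expr, Protobuf::Arena* arena
 bool matches(const Expression& expr, const StreamInfo::StreamInfo& info,
 const Http::HeaderMap& headers);
 
+// Thrown when there is an CEL library error.
+class CelException : public EnvoyException {
+public:
+CelException(const std::string& what) : EnvoyException(what) {}
+};
+
 } // namespace Expr
 } // namespace Common
 } // namespace Filters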
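Review bot: The single-argument constructor of the added CelException is not marked explicit, so a bare std::string converts implicitly to the exception type wherever one is expected; the one-line fix is `explicit CelException(const std::string& what) : EnvoyException(what) {}`. The comment above the class also has a typo ("an CEL") and says nothing about the inheritance, which is the property callers care about: since it derives from EnvoyException, existing `catch (const EnvoyException&)` sites still see these errors, while a fuzz target can catch CelException alone. I would replace the comment with `// Thrown when the CEL library reports an error (registering built-in functions or creating an expression). Derives from EnvoyException so existing EnvoyException handlers keep catching it.`, which matches the two throw sites this commit changes in evaluator.cc.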
24 changes: 24 additions & 0 deletions test/extensions/filters/common/expr/BUILD
Expand Up @@ -2,7 +2,9 @@ licenses(["notice"]) # Apache 2

load(
"//bazel:envoy_build_system.bzl",
"envoy_cc_fuzz_test",
"envoy_package",
"envoy_proto_library",
)
load(
"//test/extensions:extensions_build_system.bzl",
Expand All @@ -23,3 +25,25 @@ envoy_extension_cc_test(
"//test/test_common:utility_lib",
],
)

envoy_proto_library(
name = "evaluator_fuzz_proto",
srcs = ["evaluator_fuzz.proto"],
deps = [
"//test/fuzz:common_proto",
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
],
)

envoy_cc_fuzz_test(
name = "evaluator_fuzz_test",
srcs = ["evaluator_fuzz_test.cc"],
corpus = ":evaluator_corpus",
deps = [
":evaluator_fuzz_proto_cc_proto",
"//source/extensions/filters/common/expr:evaluator_lib",
"//test/common/stream_info:test_util",
"//test/fuzz:utility_lib",
"//test/test_common:utility_lib",
],
)
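Review bot: The `corpus = ":evaluator_corpus"` attribute on evaluator_fuzz_test names a target label, but this hunk adds no filegroup called evaluator_corpus, and the diffstat shows the seed entries living in the directory test/extensions/filters/common/expr/evaluator_corpus/. Whether this resolves depends on how envoy_cc_fuzz_test interprets a leading ':' (label lookup versus a directory glob), which is not visible here; if it is treated as a label the target will fail to resolve, and if it is passed straight into a glob the fuzzer may be seeded with an empty corpus without any build error. Please confirm the corpus files actually end up in the test's data, or pass the plain directory name `corpus = "evaluator_corpus"` as the macro's directory form. A short comment on the target naming where the seed entries come from (the converted unit tests mentioned in the description) would also help the next person regenerating the corpus.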


26 changes: 26 additions & 0 deletions test/extensions/filters/common/expr/evaluator_corpus/example

