my first try of rust

Signed-off-by: wangbaiping(wbpcode) <wangbaiping@bytedance.com>

Author: wangbaiping(wbpcode)

Cargo.lock

@@ -1,2 +1,2 @@
 [workspace]
-members = ["dynamic/rust/hello"]
+members = ["dynamic/rust/ip_restriction"]

Cargo.toml

@@ -1,6 +1,6 @@
 
 [package]
-name = "envoy-proxy-dynamic-modules-rust-hello"
+name = "envoy-proxy-dynamic-modules-rust-ip-restriction"
 version = "0.0.1"
 edition = "2021"
 license = "Apache-2.0"
@@ -9,8 +9,10 @@ repository = "https://github.com/envoyproxy/modules"
 [dependencies]
 # The SDK version must match the Envoy version due to the strict compatibility requirements.
 envoy-proxy-dynamic-modules-rust-sdk = { git = "https://github.com/envoyproxy/envoy", rev = "73fe00fc139fd5053f4c4a5d66569cc254449896" }
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
 
 [lib]
-name = "hello_proxy"
+name = "ip_restriction"
 path = "src/lib.rs"
 crate-type = ["cdylib"]

dynamic/rust/hello/src/lib.rs

@@ -0,0 +1,177 @@
+use envoy_proxy_dynamic_modules_rust_sdk::*;
+use serde::{Deserialize, Serialize};
+use std::collections::HashSet;
+use std::net::Ipv4Addr;
+use std::net::Ipv6Addr;
+use std::str::FromStr;
+use std::sync::Arc;
+
+// The raw filter config that will be deserialized from the JSON configuration.
+// TODO(wbpcode): To support protobuf based API declaration in the future.
+// TODO(wbpcode): to support ip range in the future.
+#[derive(Serialize, Deserialize, Debug)]
+pub struct RawFilterConfig {
+  denied_addresses: HashSet<String>,
+  allowed_addresses: HashSet<String>,
+}
+
+#[derive(Debug)]
+pub struct FilterConfigImpl {
+  denied_addresses_exact: HashSet<String>,
+  allowed_addresses_exact: HashSet<String>,
+}
+
+// This implements the [`envoy_proxy_dynamic_modules_rust_sdk::HttpFilterConfig`] trait.
+//
+// The trait corresponds to a Envoy filter chain configuration.
+#[derive(Debug, Clone)]
+pub struct FilterConfig {
+  config: Arc<FilterConfigImpl>,
+}
+
+impl FilterConfig {
+  /// This is the constructor for the [`FilterConfig`].
+  ///
+  /// filter_config is the filter config from the Envoy config here:
+  /// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/dynamic_modules/v3/dynamic_modules.proto#envoy-v3-api-msg-extensions-dynamic-modules-v3-dynamicmoduleconfig
+  pub fn new(filter_config: &str) -> Option<Self> {
+    let filter_config: RawFilterConfig = match serde_json::from_str(filter_config) {
+      Ok(cfg) => cfg,
+      Err(err) => {
+        eprintln!("Error parsing filter config: {err}");
+        return None;
+      },
+    };
+
+    // One and only one of denied_addresses and allowed_addresses should be set.
+    if filter_config.denied_addresses.is_empty() != filter_config.allowed_addresses.is_empty() {
+      eprintln!(
+        "Error parsing filter config: one and only one of denied_addresses\
+         and allowed_addresses should be set"
+      );
+      return None;
+    }
+
+    let mut denied_addresses_exact = HashSet::new();
+    let mut allowed_addresses_exact = HashSet::new();
+
+    // Validate every ip in the set is a valid IPv4 address or IPv6 address.
+    for ip in &filter_config.allowed_addresses {
+      if Ipv4Addr::from_str(ip).is_err() && Ipv6Addr::from_str(ip).is_err() {
+        eprintln!("Error parsing ip in allowed_addresses: {ip}");
+        return None;
+      }
+      allowed_addresses_exact.insert(ip.clone());
+    }
+    for ip in &filter_config.denied_addresses {
+      if Ipv4Addr::from_str(ip).is_err() && Ipv6Addr::from_str(ip).is_err() {
+        eprintln!("Error parsing ip in denied_addresses: {ip}");
+        return None;
+      }
+      denied_addresses_exact.insert(ip.clone());
+    }
+
+    Some(FilterConfig {
+      config: Arc::new(FilterConfigImpl {
+        denied_addresses_exact: denied_addresses_exact,
+        allowed_addresses_exact: allowed_addresses_exact,
+      }),
+    })
+  }
+}
+
+impl<EC: EnvoyHttpFilterConfig, EHF: EnvoyHttpFilter> HttpFilterConfig<EC, EHF> for FilterConfig {
+  /// This is called for each new HTTP filter.
+  fn new_http_filter(&mut self, _envoy: &mut EC) -> Box<dyn HttpFilter<EHF>> {
+    Box::new(Filter {
+      filter_config: self.clone(),
+    })
+  }
+}
+
+/// This implements the [`envoy_proxy_dynamic_modules_rust_sdk::HttpFilter`] trait.
+///
+/// This sets the request and response headers to the values specified in the filter config.
+pub struct Filter {
+  // The filter config have longer lifetime than the filter.
+  filter_config: FilterConfig,
+}
+
+/// This implements the [`envoy_proxy_dynamic_modules_rust_sdk::HttpFilter`] trait.
+impl<EHF: EnvoyHttpFilter> HttpFilter<EHF> for Filter {
+  fn on_request_headers(
+    &mut self,
+    envoy_filter: &mut EHF,
+    _end_stream: bool,
+  ) -> abi::envoy_dynamic_module_type_on_http_filter_request_headers_status {
+    let downstream_addr =
+      envoy_filter.get_attribute_string(abi::envoy_dynamic_module_type_attribute_id::SourceAddress);
+    let downstream_port =
+      envoy_filter.get_attribute_int(abi::envoy_dynamic_module_type_attribute_id::SourcePort);
+
+    if downstream_addr.is_none() || downstream_port.is_none() {
+      envoy_filter.send_response(
+        403,
+        vec![],
+        Some(b"No remote address and request is forbidden."),
+      );
+      return abi::envoy_dynamic_module_type_on_http_filter_request_headers_status::StopIteration;
+    }
+
+    let mut downstream_addr_str = String::new();
+    let address_buffer = downstream_addr.unwrap();
+    let downstream_addr_slice = address_buffer.as_slice();
+
+    if downstream_port.is_none() {
+      // Covert the slice of downstream addr to string.
+      unsafe {
+        downstream_addr_str
+          .as_mut_vec()
+          .extend_from_slice(downstream_addr_slice);
+      }
+    } else {
+      // Strip the port from the downstream addr.
+      let downstream_addr_slice = &downstream_addr_slice
+        [0..downstream_addr_slice.len() - downstream_port.unwrap().to_string().len() - 1];
+
+      unsafe {
+        downstream_addr_str
+          .as_mut_vec()
+          .extend_from_slice(downstream_addr_slice);
+      }
+    }
+
+    // Check if the downstream addr is in the allowed list.
+    if !self.filter_config.config.allowed_addresses_exact.is_empty() {
+      if !self
+        .filter_config
+        .config
+        .allowed_addresses_exact
+        .contains(&downstream_addr_str)
+      {
+        envoy_filter.send_response(403, vec![], Some(b"Request is forbidden."));
+        return abi::envoy_dynamic_module_type_on_http_filter_request_headers_status::StopIteration;
+      }
+    }
+
+    // Check if the downstream addr is in the denied list.
+    if !self.filter_config.config.denied_addresses_exact.is_empty() {
+      if self
+        .filter_config
+        .config
+        .denied_addresses_exact
+        .contains(&downstream_addr_str)
+      {
+        envoy_filter.send_response(403, vec![], Some(b"Request is forbidden."));
+        return abi::envoy_dynamic_module_type_on_http_filter_request_headers_status::StopIteration;
+      }
+    }
+
+    abi::envoy_dynamic_module_type_on_http_filter_request_headers_status::Continue
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+}