RequestReply: Add CESQL function #8360
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,227 @@ | ||
| /* | ||
| Copyright 2022 The Knative Authors | ||
|
|
||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
|
|
||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
|
|
||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
| package subscriptionsapi | ||
|
|
||
| import ( | ||
| "context" | ||
| "crypto/aes" | ||
| "crypto/cipher" | ||
| "crypto/des" | ||
| "crypto/rc4" | ||
| "encoding/base64" | ||
| "encoding/hex" | ||
| "errors" | ||
| "os" | ||
| "path" | ||
| "regexp" | ||
| "strings" | ||
|
|
||
| cloudevents "github.com/cloudevents/sdk-go/v2" | ||
| "knative.dev/eventing/pkg/eventfilter" | ||
|
|
||
| v1 "k8s.io/api/core/v1" | ||
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | ||
| "k8s.io/client-go/kubernetes" | ||
| "k8s.io/client-go/tools/clientcmd" | ||
|
|
||
| cesql "github.com/cloudevents/sdk-go/sql/v2" | ||
| cefn "github.com/cloudevents/sdk-go/sql/v2/function" | ||
| ceruntime "github.com/cloudevents/sdk-go/sql/v2/runtime" | ||
| ) | ||
|
|
||
| // Add a user defined function to validate correlation id, then return a cesql_filter | ||
| func NewCESQLCorrelationIdFilter(expr string) (eventfilter.Filter, error) { | ||
|
|
||
| var correlationIdFilterFunction = cefn.NewFunction( | ||
| "KN_VERIFY_CORRELATIONID", | ||
| []cesql.Type{cesql.StringType}, | ||
| cesql.TypePtr(cesql.StringType), | ||
| cesql.BooleanType, | ||
| func(event cloudevents.Event, i []interface{}) (interface{}, error) { | ||
| correlationId := i[0].(string) | ||
|
|
||
| match, _ := regexp.MatchString(".*:.*", correlationId) | ||
| if !match { | ||
| return false, errors.New("correlationId Format: <original id>:<base64/hex encoded encrypted id>") | ||
| } | ||
|
|
||
| slice := strings.Split(correlationId, ":") | ||
| originalId := slice[0] | ||
| encryptedId := slice[1] | ||
|
|
||
| encryptedIdBytes, err := decodeBase64OrHex(encryptedId) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
|
|
||
| // Create a set of secret names to try looking for in k8s | ||
| secretNamesToTry := make(map[string]bool) | ||
|
|
||
| // Iterate through secret names in argument list and add them to the set | ||
| for num, secret := range i { | ||
| if num != 0 { | ||
| secretNamesToTry[secret.(string)] = true | ||
| } | ||
| } | ||
|
|
||
| secrets, err := getSecretsFromK8s() | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
|
|
||
| /* | ||
| * Go through each retrived secret | ||
|
Check failure on line 87 in pkg/eventfilter/subscriptionsapi/cesql_correlationid_filter.go
|
||
| * Check if the secret has data for a key and algorithm | ||
| * Check if the secret name matches with one of the arguments | ||
| * Decrypt encryptedId using the current secret's key | ||
| * Check if the encrypted value matches with originalId | ||
| */ | ||
| for _, secret := range secrets { | ||
| key, keyFieldExists := secret.Data["key"] | ||
| algorithm, algorithmFieldExists := secret.Data["algorithm"] | ||
|
|
||
| if keyFieldExists && algorithmFieldExists && secretNamesToTry[secret.Name] { | ||
| var decryptionFunc func(originalId string, encryptedIdBytes []byte, key []byte) (bool, error) | ||
| switch strings.ToUpper(string(algorithm)) { | ||
| case "AES", "AES-ECB": | ||
| decryptionFunc = compareWithAES | ||
| case "DES": | ||
| decryptionFunc = compareWithDES | ||
| case "3DES", "TRIPLEDES": | ||
| decryptionFunc = compareWithTripleDES | ||
| case "RC4": | ||
| decryptionFunc = compareWithRC4 | ||
| default: | ||
| return false, errors.New("cipher algorithm not supported") | ||
| } | ||
|
|
||
| res, err := decryptionFunc(originalId, encryptedIdBytes, key) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
| if res { | ||
| return true, nil | ||
| } | ||
| } | ||
|
Comment on lines
+94
to
+119
There was a problem hiding this comment. I might split this out into its own function |
||
| } | ||
|
|
||
| return false, nil | ||
| }, | ||
| ) | ||
|
|
||
| ceruntime.AddFunction(correlationIdFilterFunction) | ||
|
There was a problem hiding this comment. I might add this to the runtime somewhere else, since this will be called to make a new CESQL expression as well. The function is doing a bit too much. There should be 2 functions:
|
||
|
|
||
| return NewCESQLFilter(expr) | ||
| } | ||
|
|
||
| func getSecretsFromK8s() ([]v1.Secret, error) { | ||
| // Assuming .kube/config is in the home directory | ||
| basePath, _ := os.UserHomeDir() | ||
| defaultKubeConfigPath := path.Join(basePath, ".kube", "config") | ||
|
|
||
| // Set up k8s client to get secrets | ||
| config, err := clientcmd.BuildConfigFromFlags("", defaultKubeConfigPath) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| clientset, err := kubernetes.NewForConfig(config) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
Comment on lines
+132
to
+144
There was a problem hiding this comment. This is done for you, you can import and use it similarly to get the kube config |
||
| secrets, err := clientset.CoreV1().Secrets("default").List(context.Background(), metav1.ListOptions{}) | ||
|
There was a problem hiding this comment. Probably need to configure:
|
||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| return secrets.Items, nil | ||
| } | ||
|
|
||
| func decodeBase64OrHex(encryptedId string) ([]byte, error) { | ||
| hexRegex := regexp.MustCompile("^([0-9A-Fa-f]+)$") | ||
| base64Regex := regexp.MustCompile(`^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$`) | ||
|
|
||
| encryptedIdBytes := []byte(encryptedId) | ||
|
|
||
| if hexRegex.Match(encryptedIdBytes) { | ||
| return hex.DecodeString(encryptedId) | ||
| } else if base64Regex.Match(encryptedIdBytes) { | ||
| return base64.StdEncoding.DecodeString(encryptedId) | ||
| } else { | ||
| return nil, errors.New("encryptedId must either be Base64 or Hex encoded") | ||
| } | ||
| } | ||
|
|
||
| func compareWithAES(originalId string, encryptedIdBytes []byte, key []byte) (bool, error) { | ||
| block, err := aes.NewCipher(key) | ||
| if err != nil { | ||
| return false, err | ||
| } | ||
| plainText := getPlaintextFromBlock(block, encryptedIdBytes) | ||
|
|
||
| return plainText == originalId, nil | ||
| } | ||
|
|
||
| func compareWithDES(originalId string, encryptedIdBytes []byte, key []byte) (bool, error) { | ||
| block, err := des.NewCipher(key) | ||
| if err != nil { | ||
| return false, nil | ||
| } | ||
| plainText := getPlaintextFromBlock(block, encryptedIdBytes) | ||
|
|
||
| return plainText == originalId, nil | ||
| } | ||
|
|
||
| func compareWithTripleDES(originalId string, encryptedIdBytes []byte, key []byte) (bool, error) { | ||
| block, err := des.NewTripleDESCipher(key) | ||
| if err != nil { | ||
| return false, nil | ||
| } | ||
| plainText := getPlaintextFromBlock(block, encryptedIdBytes) | ||
|
|
||
| return plainText == originalId, nil | ||
| } | ||
|
|
||
| func compareWithRC4(originalId string, encryptedIdBytes []byte, key []byte) (bool, error) { | ||
| cipher, err := rc4.NewCipher(key) | ||
| if err != nil { | ||
| return false, nil | ||
| } | ||
| out := make([]byte, len(encryptedIdBytes)) | ||
| cipher.XORKeyStream(out, encryptedIdBytes) | ||
| plainText := string(out) | ||
|
|
||
| return plainText == originalId, nil | ||
| } | ||
|
|
||
| func getPlaintextFromBlock(block cipher.Block, encryptedIdBytes []byte) string { | ||
| plainText := make([]byte, len(encryptedIdBytes)) | ||
| for i, j := 0, block.BlockSize(); i < len(encryptedIdBytes); i, j = i+block.BlockSize(), j+block.BlockSize() { | ||
| block.Decrypt(plainText[i:j], encryptedIdBytes[i:j]) | ||
| } | ||
| trim := 0 | ||
| if len(plainText) > 0 { | ||
| trim = len(plainText) - int(plainText[len(plainText)-1]) | ||
| } | ||
|
|
||
| if trim >= 0 { | ||
| trimmedPlaintext := string(plainText[:trim]) | ||
|
|
||
| return trimmedPlaintext | ||
| } | ||
|
|
||
| return "" | ||
| } | ||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the split here, do we need to consider that
:may be a part of the id itself? Is there a need for this to be configurable? cc @pierDipi @creydr