proxy protocol: add new option to set encoding of TLV value (#45391)

Commit Message: proxy protocol: add new option to set encoding of TLV
value
Additional Description:

Allow to set value encode for specific TLV value.

To close #45366

Risk Level: low.
Testing: unit.
Docs Changes: n/a.
Release Notes: added.
Platform Specific Features: n/a.

---------

Signed-off-by: wbpcode/wangbaiping <wbphub@gmail.com>
Signed-off-by: code <wbphub@gmail.com>

Author: wbpcode

api/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto

@@ -33,11 +33,38 @@ message ProxyProtocol {
   }
 
   message KeyValuePair {
+    // Specifies the encoding scheme that is used to encode the TLV value before it is
+    // stored in dynamic metadata or filter state.
+    enum ValueStringEncoding {
+      // Unspecified encoding scheme. Defaults to ``SANITIZED_UTF8``.
+      UNSPECIFIED = 0;
+
+      // The TLV value will be sanitized to a valid UTF-8 string before being stored:
+      // any invalid UTF-8 sequences will be replaced with the ``!`` character.
+      SANITIZED_UTF8 = 1;
+
+      // The raw TLV value will be encoded as a `Base64 <https://datatracker.ietf.org/doc/html/rfc4648#section-4>`_
+      // string (with padding) before being stored. This is useful for binary TLV values that
+      // are not valid UTF-8 strings.
+      BASE64 = 2;
+    }
+
     // The namespace — if this is empty, the filter's namespace will be used.
     string metadata_namespace = 1;
 
     // The key to use within the namespace.
     string key = 2 [(validate.rules).string = {min_len: 1}];
+
+    // The value encoding scheme that is used to encode the TLV value before it is stored in
+    // dynamic metadata or filter state. If not set, defaults to ``SANITIZED_UTF8``, which
+    // sanitizes the TLV value to a valid UTF-8 string.
+    //
+    // .. note::
+    //
+    //   This option only applies to the legacy untyped dynamic metadata and filter state.
+    //   For the new typed dynamic metadata, the raw TLV value bytes are stored as is and
+    //   no encoding is applied.
+    ValueStringEncoding value_string_encoding = 3;
   }
 
   // A Rule defines what metadata to apply when a header is present or missing.

changelogs/changelogs.yaml

@@ -110,3 +110,5 @@ areas:
     title: wasm
   dns:
     title: dns
+  proxy_protocol:
+    title: proxy_protocol

changelogs/current/new_features/proxy_protocol__added-tlv-value-encoding-option.rst

@@ -0,0 +1,5 @@
+Added :ref:`encoding
+<envoy_v3_api_field_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.KeyValuePair.value_string_encoding>` option to
+control how a TLV value is encoded before it is stored in dynamic metadata or filter state. By default the TLV
+value is sanitized to a valid UTF-8 string (previous behavior). Setting it to ``BASE64`` stores the raw TLV value
+as a base64-encoded string instead.

docs/root/configuration/listeners/listener_filters/proxy_protocol.rst

@@ -66,6 +66,29 @@ The filter supports two storage locations for TLV values, controlled by the
               action:
                 name: allow
 
+TLV Value Encoding
+------------------
+
+By default, TLV values are sanitized to valid UTF-8 strings before being stored in
+dynamic metadata or filter state: any invalid UTF-8 sequences are replaced with the
+``!`` character. For binary TLV values, the
+:ref:`value_string_encoding <envoy_v3_api_field_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.KeyValuePair.value_string_encoding>`
+option can be set to ``BASE64`` to store the raw TLV value as a base64-encoded string instead.
+Note that this option only applies to the legacy untyped dynamic metadata and filter state;
+the typed dynamic metadata always stores the raw TLV value bytes as is:
+
+.. code-block:: yaml
+
+  listener_filters:
+    - name: envoy.filters.listener.proxy_protocol
+      typed_config:
+        "@type": type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+        rules:
+          - tlv_type: 0xEA
+            on_tlv_present:
+              key: "aws_vpce_id"
+              value_string_encoding: BASE64
+
 This implementation supports both version 1 and version 2, it
 automatically determines on a per-connection basis which of the two
 versions is present.

source/extensions/filters/listener/proxy_protocol/BUILD

@@ -26,6 +26,7 @@ envoy_cc_library(
         "//source/common/api:os_sys_calls_lib",
         "//source/common/buffer:buffer_lib",
         "//source/common/common:assert_lib",
+        "//source/common/common:base64_lib",
         "//source/common/common:empty_string",
         "//source/common/common:hex_lib",
         "//source/common/common:minimal_logger_lib",

source/extensions/filters/listener/proxy_protocol/proxy_protocol.cc

@@ -19,6 +19,7 @@
 
 #include "source/common/api/os_sys_calls_impl.h"
 #include "source/common/common/assert.h"
+#include "source/common/common/base64.h"
 #include "source/common/common/empty_string.h"
 #include "source/common/common/fmt.h"
 #include "source/common/common/hex.h"
@@ -604,9 +605,16 @@ bool Filter::parseTlvs(const uint8_t* buf, size_t len) {
     absl::string_view tlv_value(reinterpret_cast<char const*>(buf + idx), tlv_value_length);
     auto key_value_pair = config_->isTlvTypeNeeded(tlv_type);
     if (nullptr != key_value_pair) {
-      // Sanitize any non utf8 characters.
-      auto sanitised_tlv_value = MessageUtil::sanitizeUtf8String(tlv_value);
-      std::string sanitised_value(sanitised_tlv_value.data(), sanitised_tlv_value.size());
+      // Encode the TLV value as configured.
+      std::string sanitised_value;
+      if (key_value_pair->value_string_encoding() ==
+          envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol::KeyValuePair::
+              BASE64) {
+        sanitised_value = Base64::encode(tlv_value.data(), tlv_value.size());
+      } else {
+        // Default sanitization is to replace non-UTF-8 characters with `!` character.
+        sanitised_value = MessageUtil::sanitizeUtf8String(tlv_value);
+      }
 
       if (config_->tlvLocation() ==
           envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol::FILTER_STATE) {

test/extensions/filters/listener/proxy_protocol/proxy_protocol_test.cc

@@ -1646,6 +1646,75 @@ TEST_P(ProxyProtocolTest, V2ExtractMultipleTlvsOfInterestAndSanitiseNonUtf8) {
   EXPECT_EQ(stats_store_.counter("proxy_proto.versions.v2.found").value(), 1);
 }
 
+TEST_P(ProxyProtocolTest, V2ExtractMultipleTlvsOfInterestAndEncodeAsBase64) {
+  // A well-formed ipv4/tcp with a pair of TLV extensions is accepted.
+  constexpr uint8_t buffer[] = {0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49,
+                                0x54, 0x0a, 0x21, 0x11, 0x00, 0x39, 0x01, 0x02, 0x03, 0x04,
+                                0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x00, 0x02};
+  // A TLV of type 0x00 with size of 4 (1 byte is value).
+  constexpr uint8_t tlv1[] = {0x00, 0x00, 0x01, 0xff};
+  // A TLV of type 0x02 with size of 10 bytes (7 bytes are value). Second and last bytes in the
+  // value are non utf8 characters.
+  constexpr uint8_t tlv_type_authority[] = {0x02, 0x00, 0x07, 0x66, 0xfe,
+                                            0x6f, 0x2e, 0x63, 0x6f, 0xc1};
+  // A TLV of type 0x0f with size of 6 bytes (3 bytes are value).
+  constexpr uint8_t tlv3[] = {0x0f, 0x00, 0x03, 0xf0, 0x00, 0x0f};
+  // A TLV of type 0xea with size of 25 bytes (22 bytes are value). 7th and 21st bytes are non utf8
+  // characters.
+  constexpr uint8_t tlv_vpc_id[] = {0xea, 0x00, 0x16, 0x01, 0x76, 0x70, 0x63, 0x2d, 0x30,
+                                    0xc0, 0x35, 0x74, 0x65, 0x73, 0x74, 0x32, 0x66, 0x61,
+                                    0x36, 0x63, 0x36, 0x33, 0x68, 0xf9, 0x37};
+  constexpr uint8_t data[] = {'D', 'A', 'T', 'A'};
+
+  envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol proto_config;
+  auto rule_type_authority = proto_config.add_rules();
+  rule_type_authority->set_tlv_type(0x02);
+  rule_type_authority->mutable_on_tlv_present()->set_key("PP2 type authority");
+  rule_type_authority->mutable_on_tlv_present()->set_value_string_encoding(
+      envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol::KeyValuePair::
+          BASE64);
+
+  auto rule_vpc_id = proto_config.add_rules();
+  rule_vpc_id->set_tlv_type(0xea);
+  rule_vpc_id->mutable_on_tlv_present()->set_key("PP2 vpc id");
+  rule_vpc_id->mutable_on_tlv_present()->set_value_string_encoding(
+      envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol::KeyValuePair::
+          BASE64);
+
+  // A rule with default (SANITIZED_UTF8) encoding for comparison: the value will be sanitized
+  // to a valid UTF-8 string.
+  auto rule_tlv1 = proto_config.add_rules();
+  rule_tlv1->set_tlv_type(0x00);
+  rule_tlv1->mutable_on_tlv_present()->set_key("PP2 tlv1");
+
+  connect(true, &proto_config);
+  write(buffer, sizeof(buffer));
+  dispatcher_->run(Event::Dispatcher::RunType::NonBlock);
+
+  write(tlv1, sizeof(tlv1));
+  write(tlv_type_authority, sizeof(tlv_type_authority));
+  write(tlv3, sizeof(tlv3));
+  write(tlv_vpc_id, sizeof(tlv_vpc_id));
+  write(data, sizeof(data));
+  expectData("DATA");
+
+  auto metadata = server_connection_->streamInfo().dynamicMetadata().filter_metadata();
+  EXPECT_EQ(1, metadata.size());
+  EXPECT_EQ(1, metadata.count(ProxyProtocol));
+
+  auto fields = metadata.at(ProxyProtocol).fields();
+  EXPECT_EQ(3, fields.size());
+
+  // The raw TLV values (including the non utf8 characters) are encoded as base64.
+  EXPECT_EQ("Zv5vLmNvwQ==", fields.at("PP2 type authority").string_value());
+  EXPECT_EQ("AXZwYy0wwDV0ZXN0MmZhNmM2M2j5Nw==", fields.at("PP2 vpc id").string_value());
+  // The default encoding sanitizes the value to a valid UTF-8 string: the non utf8 byte
+  // 0xff is replaced with the `!` character.
+  EXPECT_EQ("!", fields.at("PP2 tlv1").string_value());
+  disconnect();
+  EXPECT_EQ(stats_store_.counter("proxy_proto.versions.v2.found").value(), 1);
+}
+
 TEST_P(ProxyProtocolTest, V2ExtractMultipleTlvsOfInterestAndEmitTypedAndUntypedMetadata) {
   // A well-formed ipv4/tcp with a pair of TLV extensions is accepted
   constexpr uint8_t buffer[] = {0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49,
@@ -2097,6 +2166,77 @@ TEST_P(ProxyProtocolTest, V2ExtractTLVToFilterStateAsStringAccessor) {
   EXPECT_EQ(stats_store_.counter("proxy_proto.versions.v2.found").value(), 1);
 }
 
+TEST_P(ProxyProtocolTest, V2ExtractTLVToFilterStateWithBase64Encoding) {
+  constexpr uint8_t buffer[] = {0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49,
+                                0x54, 0x0a, 0x21, 0x11, 0x00, 0x27, 0x01, 0x02, 0x03, 0x04,
+                                0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x00, 0x02};
+  constexpr uint8_t tlv1[] = {0x0, 0x0, 0x1, 0xff};
+  constexpr uint8_t tlv_type_authority[] = {0x02, 0x00, 0x07, 0x66, 0x6f,
+                                            0x6f, 0x2e, 0x63, 0x6f, 0x6d};
+  constexpr uint8_t tlv_vpce[] = {0xea, 0x00, 0x0a, 0x21, 0x76, 0x70, 0x63,
+                                  0x65, 0x2d, 0x30, 0x78, 0x78, 0x78};
+  constexpr uint8_t data[] = {'D', 'A', 'T', 'A'};
+
+  envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol proto_config;
+  proto_config.set_tlv_location(
+      envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol::FILTER_STATE);
+  auto rule1 = proto_config.add_rules();
+  rule1->set_tlv_type(0x02);
+  rule1->mutable_on_tlv_present()->set_key("PP2 type authority");
+  rule1->mutable_on_tlv_present()->set_value_string_encoding(
+      envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol::KeyValuePair::
+          BASE64);
+  auto rule2 = proto_config.add_rules();
+  rule2->set_tlv_type(0xea);
+  rule2->mutable_on_tlv_present()->set_key("aws_vpce_id");
+  rule2->mutable_on_tlv_present()->set_value_string_encoding(
+      envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol::KeyValuePair::
+          BASE64);
+  // A rule with default (SANITIZED_UTF8) encoding for comparison: the value will be sanitized
+  // to a valid UTF-8 string.
+  auto rule3 = proto_config.add_rules();
+  rule3->set_tlv_type(0x00);
+  rule3->mutable_on_tlv_present()->set_key("PP2 tlv1");
+  rule3->mutable_on_tlv_present()->set_value_string_encoding(
+      envoy::extensions::filters::listener::proxy_protocol::v3::ProxyProtocol::KeyValuePair::
+          SANITIZED_UTF8);
+
+  connect(true, &proto_config);
+  write(buffer, sizeof(buffer));
+  dispatcher_->run(Event::Dispatcher::RunType::NonBlock);
+
+  write(tlv1, sizeof(tlv1));
+  write(tlv_type_authority, sizeof(tlv_type_authority));
+  write(tlv_vpce, sizeof(tlv_vpce));
+  write(data, sizeof(data));
+  expectData("DATA");
+
+  auto& filter_state = server_connection_->streamInfo().filterState();
+
+  constexpr absl::string_view kFilterStateKey = "envoy.network.proxy_protocol.tlv";
+  EXPECT_TRUE(filter_state->hasDataWithName(kFilterStateKey));
+  const auto* tlv_obj = filter_state->getDataReadOnlyGeneric(kFilterStateKey);
+  ASSERT_NE(nullptr, tlv_obj);
+
+  // The raw TLV values are encoded as base64.
+  auto field1 = tlv_obj->getField("PP2 type authority");
+  ASSERT_TRUE(absl::holds_alternative<absl::string_view>(field1));
+  EXPECT_EQ("Zm9vLmNvbQ==", absl::get<absl::string_view>(field1));
+
+  auto field2 = tlv_obj->getField("aws_vpce_id");
+  ASSERT_TRUE(absl::holds_alternative<absl::string_view>(field2));
+  EXPECT_EQ("IXZwY2UtMHh4eA==", absl::get<absl::string_view>(field2));
+
+  // The default encoding sanitizes the value to a valid UTF-8 string: the non utf8 byte
+  // 0xff is replaced with the `!` character.
+  auto field3 = tlv_obj->getField("PP2 tlv1");
+  ASSERT_TRUE(absl::holds_alternative<absl::string_view>(field3));
+  EXPECT_EQ("!", absl::get<absl::string_view>(field3));
+
+  disconnect();
+  EXPECT_EQ(stats_store_.counter("proxy_proto.versions.v2.found").value(), 1);
+}
+
 TEST_P(ProxyProtocolTest, V2ExtractTLVToFilterStateDefaultBehavior) {
   // Test that default behavior (DYNAMIC_METADATA) still works when tlv_location is not set
   constexpr uint8_t buffer[] = {0x0d, 0x0a, 0x0d, 0x0a, 0x00, 0x0d, 0x0a, 0x51, 0x55, 0x49,