

dependencies: associate extensions with deps, validate use_category.
This PR introduces a few related changes:

* use_category is restructured to distinguish core/extension deps. There's also an extension
  allowlist added for each dependency in the dataplane_ext and observability_ext category.

* tools/dependency/validate.py is introduced to validate a bunch of structural relationships
  implied by the bazel/repository_locations.bzl metadata. This includes that test-only deps
  aren't used in //source/.., that some obvious dataplane/controlplane packages taint the
  appropriate reachable deps and that the association between extensions/deps holds.

* The CI docs jobs now runs tools/dependency/validate.py.

* The dependency dashboard at
  https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/external_deps
  is updated to include granular information on which dataplane/observability deps come from core vs. which extensions.

* Some misc. cleanup of source code dep that came up while working on this.

Risk level: Low
Testing: Pyunit tests added for validate.py.

Part of envoyproxy#12673.

Signed-off-by: Harvey Tuch <htuch@google.com>
htuch committed Sep 30, 2020
1 parent 442b3f1 commit e281064
Showing 20 changed files with 580 additions and 98 deletions.
28 changes: 15 additions & 13 deletions bazel/repositories.bzl
Expand Up @@ -47,35 +47,37 @@ def _repository_locations():

if "project_url" not in location:
_fail_missing_attribute("project_url", key)
s = location["project_url"]
if not s.startswith("https://") and not s.startswith("http://"):
fail("project_url must start with https:// or http://: " + s)
mutable_location.pop("project_url")
project_url = mutable_location.pop("project_url")
if not project_url.startswith("https://") and not project_url.startswith("http://"):
fail("project_url must start with https:// or http://: " + project_url)

if "version" not in location:
_fail_missing_attribute("version", key)
mutable_location.pop("version")

if "use_category" not in location:
_fail_missing_attribute("use_category", key)
mutable_location.pop("use_category")
use_category = mutable_location.pop("use_category")

if "dataplane_ext" in use_category or "observability_ext" in use_category:
if "extensions" not in location:
_fail_missing_attribute("extensions", key)
mutable_location.pop("extensions")

if "last_updated" not in location:
_fail_missing_attribute("last_updated", key)
s = location["last_updated"]
last_updated = mutable_location.pop("last_updated")

# Starlark doesn't have regexes.
if len(s) != 10 or s[4] != "-" or s[7] != "-":
fail("last_updated must match YYYY-DD-MM: " + s)
mutable_location.pop("last_updated")
if len(last_updated) != 10 or last_updated[4] != "-" or last_updated[7] != "-":
fail("last_updated must match YYYY-DD-MM: " + last_updated)

if "cpe" in location:
s = location["cpe"]
cpe = mutable_location.pop("cpe")

# Starlark doesn't have regexes.
if s != "N/A" and (not s.startswith("cpe:2.3:a:") or not s.endswith(":*") and len(s.split(":")) != 6):
fail("CPE must match cpe:2.3:a:<facet>:<facet>:*: " + s)
mutable_location.pop("cpe")
if cpe != "N/A" and (not cpe.startswith("cpe:2.3:a:") or not cpe.endswith(":*") and len(cpe.split(":")) != 6):
fail("CPE must match cpe:2.3:a:<facet>:<facet>:*: " + cpe)
elif not [category for category in USE_CATEGORIES_WITH_CPE_OPTIONAL if category in location["use_category"]]:
_fail_missing_attribute("cpe", key)

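Review bot: The CPE check on the rewritten `if cpe != "N/A" and (...)` line does not enforce the shape its own error message promises, because `and` binds tighter than `or`: a value ending in `:*` with any number of facets, or one with six facets and a version in place of the trailing `*`, is accepted. The CPE is what the external-dependency security dashboard and any CVE matching key on, so a silently malformed entry means a dependency can drop out of vulnerability tracking without anyone noticing. The condition is carried over from the old line, but since this hunk rewrites it, `if cpe != "N/A" and (not cpe.startswith("cpe:2.3:a:") or not cpe.endswith(":*") or len(cpe.split(":")) != 6):` would make it match the message. The rewritten `last_updated` failure message a few lines above still says `YYYY-DD-MM` while the dash positions it checks (index 4 and 7) are those of ISO `YYYY-MM-DD`; it should read `YYYY-MM-DD`, and note that the check does not verify the remaining characters are digits.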
191 changes: 132 additions & 59 deletions bazel/repository_locations.bzl


4 changes: 4 additions & 0 deletions ci/do_ci.sh
Expand Up @@ -402,6 +402,10 @@ elif [[ "$CI_TARGET" == "fix_spelling_pedantic" ]]; then
exit 0
elif [[ "$CI_TARGET" == "docs" ]]; then
echo "generating docs..."
# Validate dependency relationships between core/extensions and external deps.
tools/dependency/validate_test.py
tools/dependency/validate.py
# Build docs.
docs/build.sh
exit 0
elif [[ "$CI_TARGET" == "verify_examples" ]]; then
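Review bot: The two validator invocations added before `docs/build.sh` only gate the job if do_ci.sh runs under `set -e` (not visible in this hunk); otherwise a failing `tools/dependency/validate.py` is ignored and the branch still reaches `exit 0`, so the dependency policy this PR introduces would never block a merge. If the script does not already abort on error, `tools/dependency/validate_test.py && tools/dependency/validate.py || exit 1` keeps the gate explicit. Both paths are relative, so the block also assumes the working directory is the repository root; stating that in the comment, `# Validate dependency relationships between core/extensions and external deps (run from the repo root; a failure fails the docs job).`, saves the next reader a guess.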
25 changes: 19 additions & 6 deletions docs/generate_external_dep_rst.py
Expand Up @@ -52,11 +52,16 @@ def RenderVersion(version):
return version


def RenderTitle(title):
underline = '~' * len(title)
return f'\n{title}\n{underline}\n\n'


if __name__ == '__main__':
security_rst_root = sys.argv[1]

Dep = namedtuple('Dep', ['name', 'sort_name', 'version', 'cpe', 'last_updated'])
use_categories = defaultdict(list)
use_categories = defaultdict(lambda: defaultdict(list))
# Bin rendered dependencies into per-use category lists.
for k, v in repository_locations.DEPENDENCY_REPOSITORIES.items():
cpe = v.get('cpe', '')
Expand All @@ -71,14 +76,22 @@ def RenderVersion(version):
last_updated = v['last_updated']
dep = Dep(name, project_name.lower(), version, cpe, last_updated)
for category in v['use_category']:
use_categories[category].append(dep)
if 'extensions' in v:
for ext in v['extensions']:
use_categories[category][ext].append(dep)
else:
use_categories[category]['core'].append(dep)

def CsvRow(dep):
return [dep.name, dep.version, dep.last_updated, dep.cpe]

# Generate per-use category RST with CSV tables.
for category, deps in use_categories.items():
output_path = pathlib.Path(security_rst_root, f'external_dep_{category}.rst')
content = CsvTable(['Name', 'Version', 'Last updated', 'CPE'], [2, 1, 1, 2],
[CsvRow(dep) for dep in sorted(deps, key=lambda d: d.sort_name)])
for category, exts in use_categories.items():
content = ''
for ext_name, deps in sorted(exts.items()):
if ext_name != 'core':
content += RenderTitle(ext_name)
output_path = pathlib.Path(security_rst_root, f'external_dep_{category}.rst')
content += CsvTable(['Name', 'Version', 'Last updated', 'CPE'], [2, 1, 1, 2],
[CsvRow(dep) for dep in sorted(deps, key=lambda d: d.sort_name)])
output_path.write_text(content)
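Review bot: In the new rendering loop the `core` bucket is the only one written without a `RenderTitle` heading, yet it is emitted wherever `sorted(exts.items())` happens to place it; any extension name that sorts before `core` would push the untitled core table under that extension's heading, and a reader of the security dashboard would attribute core-linked dependencies to an extension. Ordering core first explicitly, `for ext_name, deps in sorted(exts.items(), key=lambda kv: (kv[0] != 'core', kv[0])):`, makes the output independent of extension naming. `output_path` is also recomputed on every iteration of the inner loop although it depends only on `category`; it belongs before the inner `for`. The `if __name__ == '__main__':` block this code lives in starts before the hunk.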
28 changes: 19 additions & 9 deletions docs/root/intro/arch_overview/security/external_deps.rst
Expand Up @@ -6,25 +6,35 @@ External dependencies
Below we enumerate the external dependencies that may be linked into the Envoy binary. We exclude
dependencies that only are used in CI or developer tooling above.

Data plane
----------
Data plane (core)
-----------------

.. include:: external_dep_dataplane.rst
.. include:: external_dep_dataplane_core.rst

Data plane (extensions)
-----------------------

.. include:: external_dep_dataplane_ext.rst

Control plane
-------------

.. include:: external_dep_controlplane.rst

Observability
-------------
Observability (core)
--------------------

.. include:: external_dep_observability_core.rst

Observability (extensions)
--------------------------

.. include:: external_dep_observability.rst
.. include:: external_dep_observability_ext.rst

Test
----
Test only
---------

.. include:: external_dep_test.rst
.. include:: external_dep_test_only.rst

Build
-----
1 change: 0 additions & 1 deletion source/common/config/utility.h
Expand Up @@ -9,7 +9,6 @@
#include "envoy/config/endpoint/v3/endpoint.pb.h"
#include "envoy/config/grpc_mux.h"
#include "envoy/config/subscription.h"
#include "envoy/json/json_object.h"
#include "envoy/local_info/local_info.h"
#include "envoy/registry/registry.h"
#include "envoy/server/filter_config.h"
2 changes: 0 additions & 2 deletions source/common/http/BUILD
Expand Up @@ -389,7 +389,6 @@ envoy_cc_library(
"//source/common/common:enum_to_int",
"//source/common/common:utility_lib",
"//source/common/grpc:status_lib",
"//source/common/json:json_loader_lib",
"//source/common/network:utility_lib",
"//source/common/protobuf:utility_lib",
"//source/common/runtime:runtime_features_lib",
Expand All @@ -409,7 +408,6 @@ envoy_cc_library(
":utility_lib",
"//include/envoy/common:regex_interface",
"//include/envoy/http:header_map_interface",
"//include/envoy/json:json_object_interface",
"//source/common/common:regex_lib",
"//source/common/common:utility_lib",
"//source/common/protobuf:utility_lib",
1 change: 0 additions & 1 deletion source/common/http/header_utility.h
Expand Up @@ -6,7 +6,6 @@
#include "envoy/config/route/v3/route_components.pb.h"
#include "envoy/http/header_map.h"
#include "envoy/http/protocol.h"
#include "envoy/json/json_object.h"
#include "envoy/type/v3/range.pb.h"

#include "common/protobuf/protobuf.h"
1 change: 0 additions & 1 deletion source/common/http/utility.h
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,6 @@

#include "common/http/exception.h"
#include "common/http/status.h"
#include "common/json/json_loader.h"

#include "absl/strings/string_view.h"
#include "absl/types/optional.h"
1 change: 0 additions & 1 deletion source/common/json/json_loader.cc
Expand Up @@ -25,7 +25,6 @@
#include "rapidjson/writer.h"

#include "absl/strings/match.h"
#include "yaml-cpp/yaml.h"

namespace Envoy {
namespace Json {
1 change: 0 additions & 1 deletion source/common/router/config_utility.h
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@
#include "envoy/config/core/v3/base.pb.h"
#include "envoy/config/route/v3/route_components.pb.h"
#include "envoy/http/codes.h"
#include "envoy/json/json_object.h"
#include "envoy/upstream/resource_manager.h"

#include "common/common/empty_string.h"
4 changes: 3 additions & 1 deletion source/exe/BUILD
Expand Up @@ -104,9 +104,11 @@ envoy_cc_library(

envoy_cc_library(
name = "envoy_main_common_with_core_extensions_lib",
srcs = ["main_common.cc"],
hdrs = ["main_common.h"],
deps = [
":envoy_common_with_core_extensions_lib",
":main_common_lib",
#":main_common_lib",
":platform_impl_lib",
":process_wide_lib",
"//source/common/api:os_sys_calls_lib",
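Review bot: The new `#":main_common_lib",` line at the end of this hunk is a commented-out dependency left in a checked-in BUILD file; since `main_common.cc` and `main_common.h` are now compiled directly into this target through the added `srcs`/`hdrs`, the line should be deleted rather than parked. If `:main_common_lib` still exists as a separate target and both ever land in the same link, the same translation unit would be compiled twice into the binary, so a one-line comment on the `srcs` line explaining why the source is duplicated here instead of depended on, e.g. `# Compiled directly rather than via :main_common_lib so that the core-extensions build does not pull in that target's deps; keep in sync.`, would spare the next reader the guess (the rationale itself is not visible in this hunk, so confirm the wording). The `envoy_cc_library` rule continues past the end of the hunk.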
Expand Up @@ -5,7 +5,6 @@
#include "envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.pb.h"
#include "envoy/http/filter.h"
#include "envoy/http/header_map.h"
#include "envoy/json/json_object.h"

#include "common/buffer/buffer_impl.h"
#include "common/common/logger.h"
1 change: 1 addition & 0 deletions source/extensions/filters/http/squash/BUILD
Expand Up @@ -27,6 +27,7 @@ envoy_cc_library(
"//source/common/http:headers_lib",
"//source/common/http:message_lib",
"//source/common/http:utility_lib",
"//source/common/json:json_loader_lib",
"//source/common/protobuf:utility_lib",
"@envoy_api//envoy/extensions/filters/http/squash/v3:pkg_cc_proto",
],
1 change: 1 addition & 0 deletions source/extensions/filters/http/squash/squash_filter.cc
Expand Up @@ -11,6 +11,7 @@
#include "common/http/headers.h"
#include "common/http/message_impl.h"
#include "common/http/utility.h"
#include "common/json/json_loader.h"
#include "common/protobuf/protobuf.h"
#include "common/protobuf/utility.h"

Expand Up @@ -14,6 +14,7 @@
#include "common/http/headers.h"
#include "common/http/message_impl.h"
#include "common/http/utility.h"
#include "common/json/json_loader.h"
#include "common/network/utility.h"

namespace Envoy {
1 change: 0 additions & 1 deletion source/extensions/quic_listeners/quiche/platform/BUILD
Expand Up @@ -142,7 +142,6 @@ envoy_cc_library(
"abseil_node_hash_map",
"abseil_node_hash_set",
"abseil_optional",
"googletest",
],
tags = ["nofips"],
visibility = ["//visibility:public"],
1 change: 0 additions & 1 deletion source/server/configuration_impl.h
Expand Up @@ -18,7 +18,6 @@
#include "envoy/server/instance.h"

#include "common/common/logger.h"
#include "common/json/json_loader.h"
#include "common/network/resolver_impl.h"
#include "common/network/utility.h"

