feat(filter): add grid ingress trust enforcement#803
Draft
nerdalert wants to merge 2 commits into
Draft
Conversation
Signed-off-by: Brent Salisbury <bsalisbu@redhat.com>
bfe120d to
4017a05
Compare
Signed-off-by: Brent Salisbury <bsalisbu@redhat.com>
4017a05 to
06a54c2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds the
grid_ingress_trustHTTP filter for enforcing downstream mTLS peer identity policy.grid_ingress_trustis the policy layer that consumes the peer identity captured by the TLS/request-context work in #801. It lets a Praxis gateway fail closed unless the downstream client certificate matches an explicitly trusted peer identity.This is needed for Grid gateway-to-gateway ingress enforcement: a provider-side gateway can require that inbound requests come from an expected consumer gateway identity before allowing the request to proceed.
Included in this PR:
grid_ingress_trustHTTP filterBehavior
The filter is intentionally fail-closed.
Request flow:
grid_ingress_trustreads that peer identity.Trusted peer rules can match against certificate identity fields exposed by #801:
This keeps certificate parsing and TLS details centralized in the TLS/request-context layer while keeping authorization policy in the HTTP filter layer.
Stack
Depends on:
feat(tls): expose downstream mTLS peer identity to HTTP filtersThis PR is logically stacked on #801 because it consumes the peer identity added there. It can remain draft until #801 lands, then be rebased onto
main.Validation
grid_ingress_trustunit coverage for peer identity matching and fail-closed behavior.cargo test -p praxis-proxy-filter grid_ingress_trust→ 23 passednerdalert/praxis:ai-grid-g2g-demo-validation.nerdalert/praxis-research-spikes.