Skip to content

feat(filter): add grid ingress trust enforcement#803

Draft
nerdalert wants to merge 2 commits into
praxis-proxy:mainfrom
nerdalert:praxis-06-grid-ingress-trust
Draft

feat(filter): add grid ingress trust enforcement#803
nerdalert wants to merge 2 commits into
praxis-proxy:mainfrom
nerdalert:praxis-06-grid-ingress-trust

Conversation

@nerdalert

@nerdalert nerdalert commented Jul 12, 2026

Copy link
Copy Markdown
Member

Summary

This PR adds the grid_ingress_trust HTTP filter for enforcing downstream mTLS peer identity policy.

grid_ingress_trust is the policy layer that consumes the peer identity captured by the TLS/request-context work in #801. It lets a Praxis gateway fail closed unless the downstream client certificate matches an explicitly trusted peer identity.

This is needed for Grid gateway-to-gateway ingress enforcement: a provider-side gateway can require that inbound requests come from an expected consumer gateway identity before allowing the request to proceed.

Included in this PR:

  • adds the grid_ingress_trust HTTP filter
  • reads downstream mTLS peer identity from request context
  • supports trusted peer matching by:
    • certificate digest
    • organization
    • serial number
  • rejects requests when peer identity is missing
  • rejects requests when peer identity is present but does not match policy
  • allows requests when any configured trusted peer rule matches
  • keeps enforcement local to request context; no request-time network, control-plane, or database lookups
  • adds generated filter documentation
  • adds focused unit coverage for match behavior and fail-closed paths

Behavior

The filter is intentionally fail-closed.

Request flow:

  1. The TLS layer verifies the downstream client certificate and stores peer identity in request context.
  2. grid_ingress_trust reads that peer identity.
  3. If no peer identity is present, the request is rejected.
  4. If peer identity is present but does not match any configured trusted peer rule, the request is rejected.
  5. If a trusted peer rule matches, the request continues.

Trusted peer rules can match against certificate identity fields exposed by #801:

  • certificate digest
  • organization
  • serial number

This keeps certificate parsing and TLS details centralized in the TLS/request-context layer while keeping authorization policy in the HTTP filter layer.

Stack

Depends on:

This PR is logically stacked on #801 because it consumes the peer identity added there. It can remain draft until #801 lands, then be rebased onto main.

Validation

  • Added focused grid_ingress_trust unit coverage for peer identity matching and fail-closed behavior.
  • Verified targeted filter coverage:
  • cargo test -p praxis-proxy-filter grid_ingress_trust → 23 passed
  • Verified full Grid gateway-to-gateway mTLS trust validation passed 10/10 using the combined Praxis validation branch:
    nerdalert/praxis:ai-grid-g2g-demo-validation.
  • See the validation package in nerdalert/praxis-research-spikes.

Signed-off-by: Brent Salisbury <bsalisbu@redhat.com>
@nerdalert nerdalert requested review from a team July 12, 2026 12:51
@nerdalert nerdalert requested a review from shaneutt as a code owner July 12, 2026 12:51
@nerdalert nerdalert added the skip/pr-conventions Skip conventions checks for PRs label Jul 12, 2026
@nerdalert nerdalert force-pushed the praxis-06-grid-ingress-trust branch from bfe120d to 4017a05 Compare July 12, 2026 13:00
@nerdalert nerdalert marked this pull request as draft July 12, 2026 13:02
Signed-off-by: Brent Salisbury <bsalisbu@redhat.com>
@nerdalert nerdalert force-pushed the praxis-06-grid-ingress-trust branch from 4017a05 to 06a54c2 Compare July 12, 2026 14:04
@shaneutt shaneutt self-assigned this Jul 13, 2026
@shaneutt shaneutt added this to the v0.5.0 milestone Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip/pr-conventions Skip conventions checks for PRs

Projects

Development

Successfully merging this pull request may close these issues.

2 participants