when `network.rbac` filter is used in combination with `tcp_proxy`, connection to the upstream is established in any case, even if RBAC decision is `Deny`

[yskopets]

Title: when network.rbac filter is used in combination with tcp_proxy, connection to the upstream is established in any case, even if RBAC decision is Deny

Description:

• apparently, network.rbac filter doesn't prevent tcp_proxy from establishing a connection to an upstream in case when RBAC decision is Deny
• I'm wondering, is it a good/intuitive default behaviour ?

Repro steps:

• configure Envoy listener with a combination of network.rbac and tcp_proxy filters

  static_resources:
    listeners:
    - name: listener_0
      address:
        socket_address:
          protocol: TCP
          address: 0.0.0.0
          port_value: 10000
      filter_chains:
      - filters:
        - name: envoy.filters.network.rbac
          typed_config:                   
            "@type": type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC
            rules: {}    # DENY everything
            stat_prefix: backend
        - name: envoy.tcp_proxy
          typedConfig:
            '@type': type.googleapis.com/envoy.config.filter.network.tcp_proxy.v2.TcpProxy
            statPrefix: backend
            cluster: backend

• use netcat as a simple backend implementation (most importantly, it responds before reading request stream):

  nc -lk -s 127.0.0.1 -p 8081 -e echo -e HTTP/1.1 200 OK\r\nContent-Length: 17\r\n\r\n{"version":"v1"}\n

• make a request to envoy

  curl localhost:10000
  

• apparently, despite the RBAC policy being deny everything, connection to the upstream is established anyway and a response from it is passed back to the downstream

[mattklein123]

The issue is that in the network RBAC filter the check is being done in onData() and it should be done in onNewConnection(). This is so broken that I can't imagine anyone is actually using this. At least I hope not. 😱

[yskopets]

@mattklein123 I could take this issue

[kyessenov]

/cc @yangminzhu

[rshriram]

The check needs to be done in both. Not just on new connection, as we have codecs that can decode the payloads

[PiotrSikora]

@yangminzhu don't we need this fixed for Istio 1.5?

[yangminzhu]

The issue is that in the network RBAC filter the check is being done in onData() and it should be done in onNewConnection(). This is so broken that I can't imagine anyone is actually using this. At least I hope not. scream

A bit more background on this, we had a more detailed discussion in a private email right after this issue was filed. Note that the check is actually added to onData() intentionally because the x509 certificate is not available in onNewConnection(). (we followed the same pattern in other filter). In other words, we cannot fix just by moving the check to onNewConnection() because it will then always reject a connection if x509 is used in the API. The real fix is to change the behavior of the onNewConnection() and make its x509 certificate available in the callback, this requires some re-design of the Envoy core framework (not in the RBAC filter).

The impact of the issue is limited to server-first protocol which is probably not a very common use case here. I think we had some rough consensus that the severity is relative low and it's okay to fix this in public. @mattklein123 @htuch please let me know if you have other thoughts, thank you.

@yangminzhu don't we need this fixed for Istio 1.5?

@PiotrSikora I think it's unlikely to get this fixed for Istio 1.5 due to the complexity of the fix and the short time (about 3 weeks) of the 1.5 release. @yskopets please let me know if you are still working on this. I can take this if you're not going to work on this any soon. I will only have time to look at this after 1.5 release and will need some guidance from the Envoy maintainers because I'm not familiar with the framework related to the onNewConnection() in Envoy.
(if someone with more experience/time could take this, please feel free to go ahead :) )

[mattklein123]

The impact of the issue is limited to server-first protocol which is probably not a very common use case here. I think we had some rough consensus that the severity is relative low and it's okay to fix this in public. @mattklein123 @htuch please let me know if you have other thoughts, thank you.

Yes I think we should just fix this in OSS. I agree the fix is not simple and will take some time to get right. I'm happy to work with whoever is going to fix this to provide design help.