Skip to content

feat: add extProc engine for traffic mutation#3

Merged
achetronic merged 3 commits into
masterfrom
feat/extproc-engine
Jun 29, 2026
Merged

feat: add extProc engine for traffic mutation#3
achetronic merged 3 commits into
masterfrom
feat/extproc-engine

Conversation

@achetronic

Copy link
Copy Markdown
Owner

What

Adds a second engine alongside the existing HTTP ext-authz: a gRPC Envoy ext_proc server that inspects and mutates live traffic. Both engines run from one policy file, share the facts registry, and hot-reload together.

Why

ext-authz can only admit or deny. The flagship driver is the Keycloak DCR case: when an untrusted client registers a redirect, Keycloak answers a 302 to a risky destination. Instead of following it, we now discard the response and serve a warning page, with the original target reachable only by an explicit click. That needs response mutation, which ext-authz cannot do.

Policy model

  • Per-group parameters.engine (extAuthz | extProc), mode, phase.
  • extAuthz: validation (allow | deny); modes firstMatch | matchAll.
  • extProc: mutations; modes firstMatch | applyAll; phase one of requestHeaders | requestBody | responseHeaders | responseBody.
  • Mandatory rule match; no action inheritance, no fallthrough.
  • Per-engine defaults; extProc onBodyOverflow skip | fail. extAuthz body overflow is a fixed fail-closed deny.

Mutation ops

setHeader, appendHeader, removeHeader, setBody, setStatus, and directResponse (discard the upstream response and serve a custom one, mapping to Envoy ImmediateResponse).

CEL

response variable in response phases, per-scope compilation so an out-of-phase reference fails at policy load, and typed compile/eval for bool, string, int and string-map outputs.

Servers

gRPC ext_proc on --grpc-port (9090) next to HTTP on --port (8080), shared policy and reload.

Breaking change

The policy schema is new (per-engine defaults, parameters, validation vs mutations, mandatory match, no fallthrough). No migration shim; existing policies must be rewritten. See the updated README and examples/policy.yaml.

Tests

go test -race ./... green. New coverage: extProc evaluation (modes, mutations, directResponse, fail-safe), gRPC stream mapping and short-circuit, engine isolation (each engine ignores the other's groups), per-phase filtering, CEL scopes and typed eval.

Commits

  • style: gofmt with Go 1.26 (formatter drift on untouched files, no logic)
  • feat: add extProc engine for traffic mutation
  • docs: document the two-engine model

Reindent comment blocks and struct alignment on files untouched by the extProc work. No logic changes.
Add a second engine alongside the existing HTTP ext-authz: a gRPC Envoy
ext_proc server that inspects and mutates live traffic. Both engines run
from one policy file, share the facts registry, and hot-reload together.

Policy model:
- Per-group parameters.engine (extAuthz | extProc), mode and phase.
- extAuthz: validation (allow | deny), modes firstMatch | matchAll.
- extProc: mutations, modes firstMatch | applyAll, phase one of
  requestHeaders | requestBody | responseHeaders | responseBody.
- Mandatory rule match; no action inheritance, no fallthrough.
- Per-engine defaults; extProc onBodyOverflow skip | fail.

Mutation ops: setHeader, appendHeader, removeHeader, setBody, setStatus,
and directResponse (discard the upstream response and serve a custom one,
mapping to Envoy ImmediateResponse). The flagship case: rewrite an
untrusted DCR redirect into a warning page.

CEL: response variable in response phases, per-scope compilation so an
out-of-phase reference fails at load, and typed compile/eval for bool,
string, int and string-map outputs.

Servers: gRPC ext_proc on --grpc-port (9090) next to HTTP on --port
(8080). Examples split into config-for-istio-extauthz.yaml and
config-for-istio-extproc.yaml, plus interstitial.html.
Restructure the README around the two engines (overview, extAuthz in full, extProc in full, then shared sections) with a table of contents. Update .agents/ to match: DECISIONS D-015..D-023, POLICY_DSL, ARCHITECTURE, GLOSSARY, AGENTS, TESTING, OPERATIONS.
@achetronic achetronic self-assigned this Jun 29, 2026
@achetronic achetronic added the enhancement New feature or request label Jun 29, 2026
@achetronic achetronic merged commit fbb4389 into master Jun 29, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant