{"id":20410268,"url":"https://github.com/kuadrant/wasm-shim","last_synced_at":"2025-04-12T15:53:14.257Z","repository":{"id":37264708,"uuid":"431402609","full_name":"Kuadrant/wasm-shim","owner":"Kuadrant","description":"A Proxy-Wasm module allowing communication to Authorino and Limitador.","archived":false,"fork":false,"pushed_at":"2024-10-29T09:55:46.000Z","size":6064,"stargazers_count":5,"open_issues_count":14,"forks_count":5,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-10-29T11:57:09.304Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Kuadrant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-24T08:24:36.000Z","updated_at":"2024-10-25T10:45:38.000Z","dependencies_parsed_at":"2023-02-17T19:01:15.808Z","dependency_job_id":"2dbbe9a3-8dc5-405b-b26e-a7e39d5d591d","html_url":"https://github.com/Kuadrant/wasm-shim","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kuadrant%2Fwasm-shim","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kuadrant%2Fwasm-shim/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kuadrant%2Fwasm-shim/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Kuadrant%2Fwasm-shim/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Kuadrant","download_url":"https://co
deload.github.com/Kuadrant/wasm-shim/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248592129,"owners_count":21130184,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T05:45:17.140Z","updated_at":"2025-04-12T15:53:14.252Z","avatar_url":"https://github.com/Kuadrant.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Wasm-shim\n\n[![Rust](https://github.com/Kuadrant/wasm-shim/actions/workflows/rust.yaml/badge.svg)](https://github.com/Kuadrant/wasm-shim/actions/workflows/rust.yaml)\n[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgit%2Bgithub.com%2FKuadrant%2Fwasm-shim.svg?type=shield\u0026issueType=license)](https://app.fossa.com/projects/custom%2B162%2Fgit%2Bgithub.com%2FKuadrant%2Fwasm-shim?ref=badge_shield\u0026issueType=license)\n\nA Proxy-Wasm module written in Rust, acting as a shim between Envoy and both Rate-limiting and External Auth services.\n\n## Sample configuration\n\nFollowing is a sample configuration used by the shim.\n\n```yaml\nservices:\n  auth-service:\n    type: auth\n    endpoint: auth-cluster\n    failureMode: deny\n    timeout: 10ms\n  ratelimit-service:\n    type: ratelimit\n    endpoint: ratelimit-cluster\n    failureMode: allow\nactionSets:\n  - name: rlp-ns-A/rlp-name-A\n    routeRuleConditions:\n      hostnames: [ \"*.toystore.com\" ]\n      predicates:\n      - request.url_path.startsWith(\"/get\")\n      - request.host == \"test.toystore.com\"\n      - request.method == \"GET\"\n    actions:\n    - 
service: auth-service\n      scope: auth-scope-a\n    - service: ratelimit-service\n      scope: ratelimit-scope-a\n      predicates:\n      - auth.identity.anonymous == true\n      data:\n      - expression:\n          key: my_header\n          value: request.headers[\"my-custom-header\"]\n```\n\n## Features\n\n### CEL Predicates and Expression\n\n`routeRuleConditions`'s `predicate`s are expressed in [Common Expression Language (CEL)](https://cel.dev). `Predicate`s\nevaluate to a `bool` value, while `Expression`s, used for passing data to a service, evaluate to some `Value`.\n\nThese expressions can operate on the data made available to them through the Well Known Attributes; see below.\n\n### Well Known Attributes\n\n| Attribute                                                                                               | Description                                                                                                                                                                                                                    |\n|---------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| [Envoy Attributes](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/attributes) | Contextual properties provided by Envoy during request and connection processing                                                                                                                                               |\n| `source.remote_address`                                                                                 | This attribute evaluates to the `trusted client address` (IP address without port) as defined by [Envoy 
Doc](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for) |\n| `auth.*`                                                                                                | Data made available by the authentication service to the `ActionSet`'s pipeline                                                                                                                                                |\n\n## Building\n\nPrerequisites:\n\n* Install `wasm32-unknown-unknown` build target\n\n```\nrustup target add wasm32-unknown-unknown\n```\n\nBuild the WASM module\n\n```\nmake build\n```\n\nBuild the WASM module in release mode\n\n```\nmake build BUILD=release\n```\n\nBuild the WASM module with features\n\n```\nmake build FEATURES=debug-host-behaviour\n```\n\n## Testing\n\n```\ncargo test\n```\n\n## Running local development environment (kind)\n\n`docker` is required.\n\nRun local development environment\n\n```sh\nmake local-setup\n```\n\nThis deploys a local Kubernetes cluster using kind, with the local build of wasm-shim mapped to the envoy container. An\necho API as well as limitador, authorino, and some test policies are configured.\n\nTo expose the envoy endpoint run the following:\n\n```sh\nkubectl port-forward --namespace kuadrant-system deployment/envoy 8000:8000\n```\n\nThere is then a single auth action set defined for e2e testing:\n\n* `auth-a` which defines auth is required for requests to `/get` for the `AuthConfig` with `effective-route-1`\n\n```sh\ncurl -H \"Host: test.a.auth.com\" http://127.0.0.1:8000/get -i\n# HTTP/1.1 401 Unauthorized\n```\n\n```sh\ncurl -H \"Host: test.a.auth.com\" -H \"Authorization: APIKEY IAMALICE\" http://127.0.0.1:8000/get -i\n# HTTP/1.1 200 OK\n```\n\nAnd some rate limit action sets defined for e2e testing:\n\n* `rlp-a`: Only one data item. Data selector should not return any value. 
Thus, descriptor should be empty and\n  rate limiting service should **not** be called.\n\n```sh\ncurl -H \"Host: test.a.rlp.com\" http://127.0.0.1:8000/get -i\n```\n\n* `rlp-b`: Conditions do not match. Hence, rate limiting service should **not** be called.\n\n```sh\ncurl -H \"Host: test.b.rlp.com\" http://127.0.0.1:8000/get -i\n```\n\n* `rlp-c`: Descriptor entries from multiple data items should be generated. Hence, rate limiting service should be called.\n\n```sh\ncurl -H \"Host: test.c.rlp.com\" -H \"x-forwarded-for: 50.0.0.1\" -H \"my-custom-header-01: my-custom-header-value-01\" -H \"x-dyn-user-id: bob\" http://127.0.0.1:8000/get -i\n```\n\nCheck limitador logs for received descriptor entries.\n\n```sh\nkubectl logs -f deployment/limitador-sample -n kuadrant-system\n```\n\nThe expected descriptor entries:\n\n```\nEntry { key: \"limit_to_be_activated\", value: \"1\" }\n```\n\n```\nEntry { key: \"source.address\", value: \"50.0.0.1:0\" }\n```\n\n```\nEntry { key: \"request.headers.my-custom-header-01\", value: \"my-custom-header-value-01\" }\n```\n\n```\nEntry { key: \"user_id\", value: \"bob\" }\n```\n\n* `multi-a` which defines two actions for authenticated ratelimiting.\n\n```sh\ncurl -H \"Host: test.a.multi.com\" http://127.0.0.1:8000/get -i\n# HTTP/1.1 401 Unauthorized\n```\n\nAlice has 5 requests per 10 seconds:\n```sh\nwhile :; do curl --write-out '%{http_code}\\n' --silent --output /dev/null -H \"Authorization: APIKEY IAMALICE\" -H \"Host: test.a.multi.com\" http://127.0.0.1:8000/get | grep -E --color \"\\b(429)\\b|$\"; sleep 1; done\n```\n\nBob has 2 requests per 10 seconds:\n```sh\nwhile :; do curl --write-out '%{http_code}\\n' --silent --output /dev/null -H \"Authorization: APIKEY IAMBOB\" -H \"Host: test.a.multi.com\" http://127.0.0.1:8000/get | grep -E --color \"\\b(429)\\b|$\"; sleep 1; done\n```\n\nTo rebuild and deploy to the cluster:\n\n```sh\nmake build local-rollout\n```\n\nStop and clean up resources:\n\n```sh\nmake local-cleanup\n```\n\n## 
License\n\n[Apache 2.0 License](LICENSE)\n\n[![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgit%2Bgithub.com%2FKuadrant%2Fwasm-shim.svg?type=large\u0026issueType=license)](https://app.fossa.com/projects/custom%2B162%2Fgit%2Bgithub.com%2FKuadrant%2Fwasm-shim?ref=badge_large\u0026issueType=license)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkuadrant%2Fwasm-shim","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkuadrant%2Fwasm-shim","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkuadrant%2Fwasm-shim/lists"}