feat: Add decryptor filter

Cargo.toml

@@ -70,6 +70,7 @@ base64.workspace = true
 base64-serde = "0.8.0"
 bytes.workspace = true
 cfg-if = "1.0"
+chacha20 = { version = "0.10", default-features = false, features = ["cipher"] }
 crossbeam-utils = { version = "0.8", optional = true }
 clap = { version = "4.5.54", features = ["cargo", "derive", "env"] }
 dashmap = { version = "6.1", features = ["serde"] }

crates/proto-gen/gen.rs

@@ -222,6 +222,7 @@ fn execute(which: &str) {
                 "config/v1alpha1/config",
                 "filters/capture/v1alpha1/capture",
                 "filters/concatenate/v1alpha1/concatenate",
+                "filters/decryptor/v1alpha1/decryptor",
                 "filters/debug/v1alpha1/debug",
                 "filters/drop/v1alpha1/drop",
                 "filters/firewall/v1alpha1/firewall",

crates/quilkin-proto/src/generated/quilkin/filters.rs

@@ -1,6 +1,7 @@
 pub mod capture;
 pub mod concatenate;
 pub mod debug;
+pub mod decryptor;
 pub mod drop;
 pub mod firewall;
 pub mod load_balancer;

crates/quilkin-proto/src/generated/quilkin/filters/decryptor.rs

@@ -0,0 +1 @@
+pub mod v1alpha1;

crates/quilkin-proto/src/generated/quilkin/filters/decryptor/v1alpha1.rs

@@ -0,0 +1,38 @@
+// This file is @generated by prost-build.
+#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
+pub struct Decryptor {
+    #[prost(bytes = "vec", tag = "1")]
+    pub key: ::prost::alloc::vec::Vec<u8>,
+    #[prost(enumeration = "decryptor::Mode", tag = "2")]
+    pub mode: i32,
+    #[prost(message, optional, tag = "3")]
+    pub data_key: ::core::option::Option<::prost::alloc::string::String>,
+    #[prost(message, optional, tag = "4")]
+    pub nonce_key: ::core::option::Option<::prost::alloc::string::String>,
+}
+/// Nested message and enum types in `Decryptor`.
+pub mod decryptor {
+    #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)]
+    #[repr(i32)]
+    pub enum Mode {
+        Destination = 0,
+    }
+    impl Mode {
+        /// String value of the enum field names used in the ProtoBuf definition.
+        ///
+        /// The values are not transformed in any way and thus are considered stable
+        /// (if the ProtoBuf definition does not change) and safe for programmatic use.
+        pub fn as_str_name(&self) -> &'static str {
+            match self {
+                Self::Destination => "Destination",
+            }
+        }
+        /// Creates an enum from field names used in the ProtoBuf definition.
+        pub fn from_str_name(value: &str) -> ::core::option::Option<Self> {
+            match value {
+                "Destination" => Some(Self::Destination),
+                _ => None,
+            }
+        }
+    }
+}

deny.toml

@@ -54,6 +54,7 @@ skip = [
 skip-tree = [
     { crate = "thiserror@1.0.69", reason = "many crates use this old version" },
     { crate = "hashbrown@0.15.5", reason = "many crates this old version" },
+    { crate = "sha2@0.10.9", reason = "old version that uses multiple other old crates" },
 ]
 
 [[bans.features]]
@@ -82,5 +83,4 @@ exceptions = [
     # This license should not really be used for code, but here we are
     { crate = "notify", allow = ["CC0-1.0"] },
     { crate = "webpki-roots", allow = ["CDLA-Permissive-2.0"] },
-    { crate = "ar_archive_writer", allow = ["Apache-2.0 WITH LLVM-exception"] }
 ]

docs/src/filters/decryptor.md

@@ -0,0 +1,47 @@
+# Decryptor
+
+The `Decryptor` filter's job is to decrypt a portion of a client (downstream) packet as an IPv4 or IPv6 address and port to forward the packet to.
+
+## Filter name
+
+```text
+quilkin.filters.decryptor.v1alpha1.Decryptor
+```
+
+## Configuration Examples
+
+```rust
+# let yaml = "
+version: v1alpha1
+filters:
+  - name: quilkin.filters.capture.v1alpha1.Capture
+    config:
+      suffix:
+        size: 24
+        remove: true
+  - name: quilkin.filters.decryptor.v1alpha1.Decryptor
+    config:
+        # the (binary) decryption key
+        key: keygoeshere
+        # the decryption mode, currently only `Destination` is supported, which
+        # will be interpreted as either an IPv4 or IPv6 address and a port which
+        # will be used as the destination address of the packet
+        mode: Destination
+        # the name of the metadata key to retrieve the data being decrypted.
+        # defaults to `quilkin.dev/capture` unless otherwise specified
+        data_key: quilkin.dev/capture
+        # the name of the metadata key to retrieve the nonce key from
+        nonce_key: quilkin.dev/nonce
+clusters:
+  - endpoints:
+      - address: 127.0.0.1:7001
+# ";
+# let config = quilkin::config::Config::from_reader(yaml.as_bytes()).unwrap();
+# assert_eq!(config.filters.load().len(), 2);
+```
+
+## Configuration Options ([Rust Doc](../../api/quilkin/filters/decryptor/struct.Decryptor.html))
+
+```yaml
+{{#include ../../../target/quilkin.filters.decryptor.v1alpha1.yaml}}
+```

proto/quilkin/filters/decryptor/v1alpha1/decryptor.proto

@@ -0,0 +1,32 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package quilkin.filters.decryptor.v1alpha1;
+
+import "google/protobuf/wrappers.proto";
+
+message Decryptor {
+  enum Mode {
+    Destination = 0;
+  }
+
+  bytes key = 1;
+  Mode mode = 2;
+  google.protobuf.StringValue data_key = 3;
+  google.protobuf.StringValue nonce_key = 4;
+}

src/filters.rs

@@ -27,6 +27,7 @@ mod write;
 pub mod capture;
 pub mod concatenate;
 pub mod debug;
+pub mod decryptor;
 pub mod drop;
 pub mod firewall;
 pub mod load_balancer;
@@ -53,6 +54,7 @@ pub use self::{
     chain::FilterChain,
     concatenate::Concatenate,
     debug::Debug,
+    decryptor::Decryptor,
     drop::Drop,
     error::{ConvertProtoConfigError, CreationError, FilterError},
     factory::{CreateFilterArgs, DynFilterFactory, FilterFactory, FilterInstance},
@@ -81,6 +83,7 @@ pub enum FilterKind {
     Capture,
     Concatenate,
     Debug,
+    Decryptor,
     Drop,
     Firewall,
     LoadBalancer,