From dc9165ebde83ae2a8bd6b9c0471654130db34d0c Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Tue, 28 Sep 2021 16:51:16 +0000 Subject: [PATCH 01/19] accesslogs: add CEL-based extension filter This PR establishes the ability to filter access log production via CEL expressions over the set of Envoy attributes. This can simplify the creation of Envoy access log filters, allowing complex tailoring. Signed-off-by: Douglas Reid --- CODEOWNERS | 1 + api/BUILD | 1 + .../access_loggers/filters/cel/v3/BUILD | 9 +++ .../access_loggers/filters/cel/v3/cel.proto | 25 +++++++++ api/versioning/BUILD | 1 + docs/root/version_history/current.rst | 39 +++++++++++++ .../access_loggers/filters/cel/BUILD | 51 +++++++++++++++++ .../access_loggers/filters/cel/cel.cc | 39 +++++++++++++ .../access_loggers/filters/cel/cel.h | 36 ++++++++++++ .../access_loggers/filters/cel/config.cc | 55 +++++++++++++++++++ .../access_loggers/filters/cel/config.h | 36 ++++++++++++ source/extensions/extensions_build_config.bzl | 1 + source/extensions/extensions_metadata.yaml | 5 ++ test/common/access_log/BUILD | 1 + .../common/access_log/access_log_impl_test.cc | 44 +++++++++++++++ test/common/http/header_map_impl_test.cc | 5 +- 16 files changed, 346 insertions(+), 3 deletions(-) create mode 100644 api/envoy/extensions/access_loggers/filters/cel/v3/BUILD create mode 100644 api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto create mode 100644 source/extensions/access_loggers/filters/cel/BUILD create mode 100644 source/extensions/access_loggers/filters/cel/cel.cc create mode 100644 source/extensions/access_loggers/filters/cel/cel.h create mode 100644 source/extensions/access_loggers/filters/cel/config.cc create mode 100644 source/extensions/access_loggers/filters/cel/config.h diff --git a/CODEOWNERS b/CODEOWNERS index 32cf634d3f16..c8c3fa0e50a0 100644 --- a/CODEOWNERS +++ b/CODEOWNERS
@@ -6,6 +6,7 @@ /api/ @envoyproxy/api-shepherds # access loggers /*/extensions/access_loggers/common @auni53 @zuercher +/*/extensions/access_loggers/filters/cel @dio @douglas-reid /*/extensions/access_loggers/open_telemetry @itamarkam @yanavlasov /*/extensions/access_loggers/stream @mattklein123 @davinci26 # compression extensions diff --git a/api/BUILD b/api/BUILD index ddd1f98b36cb..b6438a01d735 100644 --- a/api/BUILD +++ b/api/BUILD @@ -112,6 +112,7 @@ proto_library( "//envoy/data/dns/v3:pkg", "//envoy/data/tap/v3:pkg", "//envoy/extensions/access_loggers/file/v3:pkg", + "//envoy/extensions/access_loggers/filters/cel/v3:pkg", "//envoy/extensions/access_loggers/grpc/v3:pkg", "//envoy/extensions/access_loggers/open_telemetry/v3:pkg", "//envoy/extensions/access_loggers/stream/v3:pkg", diff --git a/api/envoy/extensions/access_loggers/filters/cel/v3/BUILD b/api/envoy/extensions/access_loggers/filters/cel/v3/BUILD new file mode 100644 index 000000000000..ee92fb652582 --- /dev/null +++ b/api/envoy/extensions/access_loggers/filters/cel/v3/BUILD @@ -0,0 +1,9 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"], +) diff --git a/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto b/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto new file mode 100644 index 000000000000..34418028b250 --- /dev/null +++ b/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto 
@@ -0,0 +1,25 @@ +syntax = "proto3"; + +package envoy.extensions.access_loggers.filters.cel.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.access_loggers.filters.cel.v3"; +option java_outer_classname = "CelProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: ExpressionFilter] +// [#extension: envoy.access_loggers.filters.cel] + +// ExpressionFilter is an access logging filter that evaluates configured +// symbolic Common Expression Language expressions to inform the decision +// to generate an access log. +message ExpressionFilter { + // Expression that, when evaluated, will be used to filter access logs. + // Expressions are based on the set of Envoy :ref:`attributes `. + // Examples: + // - `response.code >= 400` + // - `request.headers['x-logging-flag'] == 'true'` + string expression = 1; +} diff --git a/api/versioning/BUILD b/api/versioning/BUILD index 24195d8d680d..8be3045e4b9c 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -49,6 +49,7 @@ proto_library( "//envoy/data/dns/v3:pkg", "//envoy/data/tap/v3:pkg", "//envoy/extensions/access_loggers/file/v3:pkg", + "//envoy/extensions/access_loggers/filters/cel/v3:pkg", "//envoy/extensions/access_loggers/grpc/v3:pkg", "//envoy/extensions/access_loggers/open_telemetry/v3:pkg", "//envoy/extensions/access_loggers/stream/v3:pkg", diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 0da2fd5d1f46..373b18c6ec35 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
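Review bot: The comment on `expression` in cel.proto does not say what happens when the expression fails to evaluate or yields a non-boolean value, yet cel.cc in this same patch returns false (entry not logged) in both cases. Operators who rely on this filter for audit-relevant logs need that stated on the field, for example `// If evaluation fails or the result is not a boolean, the log entry is suppressed.` The field also carries no validation rule, so an empty string is only rejected once the parser runs in `createFilter`; stating that in the comment, or adding a minimum-length rule, would make the contract explicit.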
@@ -85,6 +85,45 @@ New Features * upstream: added the ability to :ref:`configure max connection duration ` for upstream clusters. * vcl_socket_interface: added VCL socket interface extension for fd.io VPP integration to :ref:`contrib images `. This can be enabled via :ref:`VCL ` configuration. * xds: re-introduced unified delta and sotw xDS multiplexers that share most of the implementation. Added a new runtime config ``envoy.reloadable_features.unified_mux`` (disabled by default) that when enabled, switches xDS to use unified multiplexers. +* access_log: added :ref:`METADATA` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). +* access_log: added a CEL extension filter to enable filtering of access logs based on Envoy attribute expressions. +* bootstrap: added :ref:`inline_headers ` in the bootstrap to make custom inline headers bootstrap configurable. +* contrib: added new :ref:`contrib images ` which contain contrib extensions. +* dns: added :ref:`V4_PREFERRED ` option to return V6 addresses only if V4 addresses are not available. +* ext_authz: added :ref:`dynamic_metadata_from_headers ` to support emitting dynamic metadata from headers returned by an external authorization service via HTTP. +* grpc reverse bridge: added a new :ref:`option ` to support streaming response bodies when withholding gRPC frames from the upstream. +* grpc_json_transcoder: added support to unescape '+' in query parameters to space with a new config field :ref:`query_param_unescape_plus `. +* http: added cluster_header in :ref:`weighted_clusters ` to allow routing to the weighted cluster specified in the request_header. +* http: added :ref:`alternate_protocols_cache_options ` for enabling HTTP/3 connections to servers which advertise HTTP/3 support via `HTTP Alternative Services `_ and caching the advertisements to disk. +* http: added :ref:`string_match ` in the header matcher. 
+* http: added :ref:`x-envoy-upstream-stream-duration-ms ` that allows configuring the max stream duration via a request header. +* http: added support for :ref:`max_requests_per_connection ` for both upstream and downstream connections. +* http: sanitizing the referer header as documented :ref:`here `. This feature can be temporarily turned off by setting runtime guard ``envoy.reloadable_features.sanitize_http_header_referer`` to false. +* http: validating outgoing HTTP/2 CONNECT requests to ensure that if ``:path`` is set that ``:protocol`` is present. This behavior can be temporarily turned off by setting runtime guard ``envoy.reloadable_features.validate_connect`` to false. +* jwt_authn: added support for :ref:`Jwt Cache ` and its size can be specified by :ref:`jwt_cache_size `. +* jwt_authn: added support for extracting JWTs from request cookies using :ref:`from_cookies `. +* jwt_authn: added support for setting the extracted headers from a successfully verified JWT using :ref:`header_in_metadata ` to dynamic metadata. +* listener: new listener metric ``downstream_cx_transport_socket_connect_timeout`` to track transport socket timeouts. +* lua: added ``header:getAtIndex()`` and ``header:getNumValues()`` methods to :ref:`header object ` for retrieving the value of a header at certain index and get the total number of values for a given header. +* matcher: added :ref:`invert ` for inverting the match result in the metadata matcher. +* overload: add a new overload action that resets streams using a lot of memory. To enable the tracking of allocated bytes in buffers that a stream is using we need to configure the minimum threshold for tracking via:ref:`buffer_factory_config `. We have an overload action ``Envoy::Server::OverloadActionNameValues::ResetStreams`` that takes advantage of the tracking to reset the most expensive stream first. +* rbac: added :ref:`destination_port_range ` for matching range of destination ports. 
+* rbac: added :ref:`matcher` along with extension category ``extension_category_envoy.rbac.matchers`` for custom RBAC permission matchers. Added reference implementation for matchers :ref:`envoy.rbac.matchers.upstream_ip_port `. +* route config: added :ref:`dynamic_metadata ` for routing based on dynamic metadata. +* router: added retry options predicate extensions configured via + :ref:` `. These + extensions allow modification of requests between retries at the router level. There are not + currently any built-in extensions that implement this extension point. +* router: added :ref:`per_try_idle_timeout ` timeout configuration. +* router: added an optional :ref:`override_auto_sni_header ` to support setting SNI value from an arbitrary header other than host/authority. +* sxg_filter: added filter to transform response to SXG package to :ref:`contrib images `. This can be enabled by setting :ref:`SXG ` configuration. +* thrift_proxy: added support for :ref:`mirroring requests `. +* udp: allows updating filter chain in-place through LDS, which is supported by Quic listener. Such listener config will be rejected in other connection-less UDP listener implementations. It can be reverted by ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place``. +* udp: disallow L4 filter chain in config which configures connection-less UDP listener. It can be reverted by ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place``. +* upstream: added support for :ref:`slow start mode `, which allows to progresively increase traffic for new endpoints. +* upstream: extended :ref:`Round Robin load balancer configuration ` with :ref:`slow start ` support. +* upstream: extended :ref:`Least Request load balancer configuration ` with :ref:`slow start ` support. +* xray: request direction (``ingress`` or ``egress``) is recorded as X-Ray trace segment's annotation by name ``direction``. Deprecated ---------- 
diff --git a/source/extensions/access_loggers/filters/cel/BUILD b/source/extensions/access_loggers/filters/cel/BUILD
new file mode 100644
index 000000000000..1b3d83a2d7a4
--- /dev/null
+++ b/source/extensions/access_loggers/filters/cel/BUILD
@@ -0,0 +1,51 @@
+load(
+ "//bazel:envoy_build_system.bzl",
+ "envoy_cc_extension",
+ "envoy_extension_package",
+)
+
+licenses(["notice"]) # Apache 2
+
+envoy_extension_package()
+
+envoy_cc_extension(
+ name = "cel_lib",
+ srcs = ["cel.cc"],
+ hdrs = ["cel.h"],
+ extra_visibility = [
+ "//test:__subpackages__",
+ ],
+ deps = [
+ "//envoy/access_log:access_log_interface",
+ "//envoy/http:header_map_interface",
+ "//envoy/stream_info:stream_info_interface",
+ "//source/common/access_log:access_log_lib",
+ "//source/common/config:utility_lib",
+ "//source/common/protobuf",
+ "//source/common/protobuf:utility_lib",
+ "//source/extensions/filters/common/expr:evaluator_lib",
+ ],
+)
+
+envoy_cc_extension(
+ name = "config",
+ srcs = ["config.cc"],
+ hdrs = ["config.h"],
+ extra_visibility = [
+ "//test:__subpackages__",
+ ],
+ deps = [
+ ":cel_lib",
+ "//envoy/access_log:access_log_interface",
+ "//envoy/http:header_map_interface",
+ "//envoy/registry",
+ "//envoy/stream_info:stream_info_interface",
+ "//source/common/access_log:access_log_lib",
+ "//source/common/config:utility_lib",
+ "//source/common/protobuf",
+ "//source/common/protobuf:utility_lib",
+ "//source/extensions/filters/common/expr:evaluator_lib",
+ "@com_google_cel_cpp//parser",
+ "@envoy_api//envoy/extensions/access_loggers/filters/cel/v3:pkg_cc_proto",
+ ],
+)
diff --git a/source/extensions/access_loggers/filters/cel/cel.cc b/source/extensions/access_loggers/filters/cel/cel.cc
new file mode 100644
index 000000000000..51d325e6459f
--- /dev/null
+++ b/source/extensions/access_loggers/filters/cel/cel.cc
@@ -0,0 +1,39 @@
+#include "source/extensions/access_loggers/filters/cel/cel.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace AccessLoggers {
+namespace Filters {
+namespace CEL {
+
+namespace Expr = Envoy::Extensions::Filters::Common::Expr;
+
+CELAccessLogExtensionFilter::CELAccessLogExtensionFilter(
+ Expr::Builder& builder, const google::api::expr::v1alpha1::Expr& input_expr)
+ : parsed_expr_(input_expr) {
+ compiled_expr_ = Expr::createExpression(builder, parsed_expr_);
+}
+
+bool CELAccessLogExtensionFilter::evaluate(
+ const StreamInfo::StreamInfo& stream_info, const Http::RequestHeaderMap& request_headers,
+ const Http::ResponseHeaderMap& response_headers,
+ const Http::ResponseTrailerMap& response_trailers) const {
+ if (compiled_expr_ == nullptr) {
+ return false;
+ }
+
+ Protobuf::Arena arena;
+ auto eval_status = Expr::evaluate(*compiled_expr_, arena, stream_info, &request_headers,
+ &response_headers, &response_trailers);
+ if (!eval_status.has_value()) {
+ return false;
+ }
+ auto result = eval_status.value();
+ return result.IsBool() ? result.BoolOrDie() : false;
+}
+
+} // namespace CEL
+} // namespace Filters
+} // namespace AccessLoggers
+} // namespace Extensions
+} // namespace Envoy
\ No newline at end of file
diff --git a/source/extensions/access_loggers/filters/cel/cel.h b/source/extensions/access_loggers/filters/cel/cel.h
new file mode 100644
index 000000000000..a2406dfb69d4
--- /dev/null
+++ b/source/extensions/access_loggers/filters/cel/cel.h
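Review bot: In `CELAccessLogExtensionFilter::evaluate`, a failed evaluation and a non-boolean result both end in `return false`, so the access log entry is dropped with no log line or counter. The expression reads request attributes (the test in this patch keys on `request.headers['log']`), so an expression that errors on absent data suppresses logging silently, which is hard to notice when these logs feed detection or audit. Consider recording the failure before the early return, for example `ENVOY_LOG_MISC(debug, "CEL access log filter: evaluation failed, entry skipped");`, or a stat. The `compiled_expr_ == nullptr` guard also looks unreachable if `Expr::createExpression` reports failure by throwing; that is not visible here and is worth confirming, then either dropping the guard or documenting it.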
@@ -0,0 +1,36 @@
+#include "envoy/access_log/access_log.h"
+#include "envoy/http/header_map.h"
+#include "envoy/stream_info/stream_info.h"
+
+#include "source/common/access_log/access_log_impl.h"
+#include "source/common/config/utility.h"
+#include "source/common/protobuf/message_validator_impl.h"
+#include "source/common/protobuf/protobuf.h"
+#include "source/common/protobuf/utility.h"
+#include "source/extensions/filters/common/expr/evaluator.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace AccessLoggers {
+namespace Filters {
+namespace CEL {
+
+class CELAccessLogExtensionFilter : public AccessLog::Filter {
+public:
+ CELAccessLogExtensionFilter(Extensions::Filters::Common::Expr::Builder&,
+ const google::api::expr::v1alpha1::Expr&);
+
+ bool evaluate(const StreamInfo::StreamInfo& info, const Http::RequestHeaderMap& request_headers,
+ const Http::ResponseHeaderMap& response_headers,
+ const Http::ResponseTrailerMap& response_trailers) const override;
+
+private:
+ const google::api::expr::v1alpha1::Expr parsed_expr_;
+ Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_;
+};
+
+} // namespace CEL
+} // namespace Filters
+} // namespace AccessLoggers
+} // namespace Extensions
+} // namespace Envoy
\ No newline at end of file
diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc
new file mode 100644
index 000000000000..60a056443939
--- /dev/null
+++ b/source/extensions/access_loggers/filters/cel/config.cc
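Review bot: cel.h has no include guard; add `#pragma once` as its first line, and the same applies to config.h later in this patch. The class and its constructor are also undocumented and the constructor parameters are unnamed. A short class comment should say that `evaluate` returns true only when the compiled expression yields boolean true, and that every other outcome suppresses the log entry. If the compiled expression keeps a reference to the `Builder` passed in (not visible here, confirm against `Expr::createExpression`), the comment should also state that the builder must outlive the filter.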
@@ -0,0 +1,55 @@ +#include "source/extensions/access_loggers/filters/cel/config.h" + +#include "envoy/extensions/access_loggers/filters/cel/v3/cel.pb.h" + +#include "source/extensions/access_loggers/filters/cel/cel.h" + +#include "parser/parser.h" + +namespace Envoy { +namespace Extensions { +namespace AccessLoggers { +namespace Filters { +namespace CEL { + +Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( + const envoy::config::accesslog::v3::ExtensionFilter& config, Runtime::Loader&, + Random::RandomGenerator&) { + auto factory_config = Config::Utility::translateToFactoryConfig( + config, Envoy::ProtobufMessage::getNullValidationVisitor(), *this); + + envoy::extensions::access_loggers::filters::cel::v3::ExpressionFilter cel_config = + *dynamic_cast( + factory_config.get()); + + auto parse_status = google::api::expr::parser::Parse(cel_config.expression()); + if (!parse_status.ok()) { + throw EnvoyException("Not able to parse filter expression: " + + parse_status.status().ToString()); + } + return std::make_unique(getOrCreateBuilder(), + parse_status.value().expr()); +} + +ProtobufTypes::MessagePtr CELAccessLogExtensionFilterFactory::createEmptyConfigProto() { + return std::make_unique(); +} + +Extensions::Filters::Common::Expr::Builder& +CELAccessLogExtensionFilterFactory::getOrCreateBuilder() { + if (expr_builder_ == nullptr) { + expr_builder_ = Extensions::Filters::Common::Expr::createBuilder(nullptr); + } + return *expr_builder_; +} + +/** + * Static registration for the CELAccessLogExtensionFilter. @see RegisterFactory. + */ +REGISTER_FACTORY(CELAccessLogExtensionFilterFactory, Envoy::AccessLog::ExtensionFilterFactory); + +} // namespace CEL +} // namespace Filters +} // namespace AccessLoggers +} // namespace Extensions +} // namespace Envoy \ No newline at end of file 
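Review bot: `createFilter` dereferences the result of a pointer-form `dynamic_cast` on `factory_config.get()` without a null check and then copies the whole message into `cel_config` (the template arguments are not legible on this page). Binding a reference avoids both the copy and the unchecked dereference, for example `const auto& cel_config = dynamic_cast<const envoy::extensions::access_loggers::filters::cel::v3::ExpressionFilter&>(*factory_config);`, which throws on a type mismatch instead of dereferencing null. The config is translated with `getNullValidationVisitor()`, so unknown fields in the typed config are accepted without warning; if the factory interface cannot supply a real visitor, a comment saying so would help. `getOrCreateBuilder` lazily initialises `expr_builder_` without synchronisation, which is safe only if filters are always created on a single thread, an assumption that deserves a comment.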
diff --git a/source/extensions/access_loggers/filters/cel/config.h b/source/extensions/access_loggers/filters/cel/config.h
new file mode 100644
index 000000000000..fc1c67c6a4ce
--- /dev/null
+++ b/source/extensions/access_loggers/filters/cel/config.h
@@ -0,0 +1,36 @@
+#include "envoy/access_log/access_log.h"
+#include "envoy/http/header_map.h"
+#include "envoy/registry/registry.h"
+#include "envoy/stream_info/stream_info.h"
+
+#include "source/common/access_log/access_log_impl.h"
+#include "source/common/config/utility.h"
+#include "source/common/protobuf/message_validator_impl.h"
+#include "source/common/protobuf/protobuf.h"
+#include "source/common/protobuf/utility.h"
+#include "source/extensions/filters/common/expr/evaluator.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace AccessLoggers {
+namespace Filters {
+namespace CEL {
+
+class CELAccessLogExtensionFilterFactory : public Envoy::AccessLog::ExtensionFilterFactory {
+public:
+ Envoy::AccessLog::FilterPtr
+ createFilter(const envoy::config::accesslog::v3::ExtensionFilter& config, Runtime::Loader&,
+ Random::RandomGenerator&) override;
+ ProtobufTypes::MessagePtr createEmptyConfigProto() override;
+ std::string name() const override { return "cel_extension_filter"; }
+
+private:
+ Extensions::Filters::Common::Expr::Builder& getOrCreateBuilder();
+ Extensions::Filters::Common::Expr::BuilderPtr expr_builder_;
+};
+
+} // namespace CEL
+} // namespace Filters
+} // namespace AccessLoggers
+} // namespace Extensions
+} // namespace Envoy
\ No newline at end of file
diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl
index cd6a62d3d5c4..418a13ea91d9 100644
--- a/source/extensions/extensions_build_config.bzl
+++ b/source/extensions/extensions_build_config.bzl
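Review bot: `name()` in config.h returns `"cel_extension_filter"`, while the rest of the patch identifies the extension as `envoy.access_loggers.filters.cel` (the `[#extension: ...]` annotation in cel.proto, extensions_build_config.bzl and extensions_metadata.yaml). The factory name is what operators write in `extension_filter.name`, so two identifiers for one extension invite misconfiguration and make the extension harder to find when auditing a config. Aligning them, e.g. `std::string name() const override { return "envoy.access_loggers.filters.cel"; }` with the test YAML updated to match, or documenting why they differ, would remove the ambiguity.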
@@ -5,6 +5,7 @@ EXTENSIONS = { # "envoy.access_loggers.file": "//source/extensions/access_loggers/file:config", + "envoy.access_loggers.filters.cel": "//source/extensions/access_loggers/filters/cel:config", "envoy.access_loggers.http_grpc": "//source/extensions/access_loggers/grpc:http_config", "envoy.access_loggers.tcp_grpc": "//source/extensions/access_loggers/grpc:tcp_config", "envoy.access_loggers.open_telemetry": "//source/extensions/access_loggers/open_telemetry:config", diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 6a4a403220fd..25e5900897c2 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -3,6 +3,11 @@ envoy.access_loggers.file: - envoy.access_loggers security_posture: robust_to_untrusted_downstream status: stable +envoy.access_loggers.filters.cel: + categories: + - envoy.access_loggers.filters + security_posture: unknown + status: alpha envoy.access_loggers.http_grpc: categories: - envoy.access_loggers diff --git a/test/common/access_log/BUILD b/test/common/access_log/BUILD index 5a1908dfb08a..97253ae51916 100644 --- a/test/common/access_log/BUILD +++ b/test/common/access_log/BUILD @@ -15,6 +15,7 @@ envoy_cc_test( "//source/common/access_log:access_log_lib", "//source/common/stream_info:utility_lib", "//source/extensions/access_loggers/file:config", + "//source/extensions/access_loggers/filters/cel:config", "//source/extensions/access_loggers/grpc:http_config", "//source/extensions/access_loggers/grpc:tcp_config", "//source/extensions/access_loggers/stream:config", diff --git a/test/common/access_log/access_log_impl_test.cc b/test/common/access_log/access_log_impl_test.cc index 93cf53e0baf5..58069ae9a49a 100644 --- a/test/common/access_log/access_log_impl_test.cc +++ b/test/common/access_log/access_log_impl_test.cc 
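Review bot: The new `envoy.access_loggers.filters.cel` entry in extensions_metadata.yaml is added with `security_posture: unknown`, although the filter evaluates expressions over downstream-supplied data such as request headers for every request that reaches the access logger. The posture should be assessed and set explicitly before the extension leaves `alpha`. Until then, a comment beside the entry recording what is still unreviewed (evaluation cost and error handling on untrusted input) would keep the gap visible to anyone deciding whether to enable the filter on an edge deployment.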
@@ -1598,6 +1598,50 @@ name: accesslog } } +TEST_F(AccessLogImplTest, CelExtensionFilter) { + const std::string yaml = R"EOF( +name: accesslog +filter: + extension_filter: + name: cel_extension_filter + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.filters.cel.v3.ExpressionFilter + expression: "(request.headers['log'] == 'true') && (response.code >= 400)" +typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + )EOF"; + + InstanceSharedPtr logger = AccessLogFactory::fromProto(parseAccessLogFromV3Yaml(yaml), context_); + + request_headers_.addCopy("log", "true"); + stream_info_.response_code_ = 404; + EXPECT_CALL(*file_, write(_)); + logger->log(&request_headers_, &response_headers_, &response_trailers_, stream_info_); + + request_headers_.remove("log"); + EXPECT_CALL(*file_, write(_)).Times(0); + logger->log(&request_headers_, &response_headers_, &response_trailers_, stream_info_); +} + +TEST_F(AccessLogImplTest, CelExtensionFilterExpressionUnparsable) { + const std::string yaml = R"EOF( +name: accesslog +filter: + extension_filter: + name: cel_extension_filter + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.filters.cel.v3.ExpressionFilter + expression: "(+++" +typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + )EOF"; + + EXPECT_THROW_WITH_REGEX(AccessLogFactory::fromProto(parseAccessLogFromV3Yaml(yaml), context_), + EnvoyException, "Not able to parse filter expression: .*"); +} + // Test that the deprecated extension names are disabled by default. // TODO(zuercher): remove when envoy.deprecated_features.allow_deprecated_extension_names is removed TEST_F(AccessLogImplTest, DEPRECATED_FEATURE_TEST(DeprecatedExtensionFilterName)) { diff --git a/test/common/http/header_map_impl_test.cc b/test/common/http/header_map_impl_test.cc index 1b95f4b49ad1..7813ff5c1874 100644 
--- a/test/common/http/header_map_impl_test.cc +++ b/test/common/http/header_map_impl_test.cc @@ -423,9 +423,8 @@ TEST_P(HeaderMapImplTest, AllInlineHeaders) { INLINE_REQ_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS) } { - // No request trailer O(1) headers. - } - { + // No request trailer O(1) headers. + } { auto header_map = ResponseHeaderMapImpl::create(); INLINE_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS) INLINE_REQ_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS) From c765a0eed6c3a581978cd8a041be5bedd640c93b Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Fri, 1 Oct 2021 00:34:42 +0000 Subject: [PATCH 02/19] add newlines at ends of file Signed-off-by: Douglas Reid --- source/extensions/access_loggers/filters/cel/cel.cc | 2 +- source/extensions/access_loggers/filters/cel/cel.h | 2 +- source/extensions/access_loggers/filters/cel/config.cc | 2 +- source/extensions/access_loggers/filters/cel/config.h | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/source/extensions/access_loggers/filters/cel/cel.cc b/source/extensions/access_loggers/filters/cel/cel.cc index 51d325e6459f..d1e4aea02c37 100644 --- a/source/extensions/access_loggers/filters/cel/cel.cc +++ b/source/extensions/access_loggers/filters/cel/cel.cc @@ -36,4 +36,4 @@ bool CELAccessLogExtensionFilter::evaluate( } // namespace Filters } // namespace AccessLoggers } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/source/extensions/access_loggers/filters/cel/cel.h b/source/extensions/access_loggers/filters/cel/cel.h index a2406dfb69d4..911f04106b60 100644 --- a/source/extensions/access_loggers/filters/cel/cel.h +++ b/source/extensions/access_loggers/filters/cel/cel.h @@ -33,4 +33,4 @@ class CELAccessLogExtensionFilter : public AccessLog::Filter { } // namespace Filters } // namespace AccessLoggers } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy 
diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index 60a056443939..6ca3d9a99227 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc @@ -52,4 +52,4 @@ REGISTER_FACTORY(CELAccessLogExtensionFilterFactory, Envoy::AccessLog::Extension } // namespace Filters } // namespace AccessLoggers } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy diff --git a/source/extensions/access_loggers/filters/cel/config.h b/source/extensions/access_loggers/filters/cel/config.h index fc1c67c6a4ce..b69bbebe07b8 100644 --- a/source/extensions/access_loggers/filters/cel/config.h +++ b/source/extensions/access_loggers/filters/cel/config.h @@ -33,4 +33,4 @@ class CELAccessLogExtensionFilterFactory : public Envoy::AccessLog::ExtensionFil } // namespace Filters } // namespace AccessLoggers } // namespace Extensions -} // namespace Envoy \ No newline at end of file +} // namespace Envoy From bb7702989da8e6b75d1ebc5fc6f0fff130101f4a Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Fri, 1 Oct 2021 02:06:38 +0000 Subject: [PATCH 03/19] add extension Signed-off-by: Douglas Reid --- tools/code_format/requirements.txt | 21 +++++++++++++++++++-- tools/extensions/extensions_check.py | 2 +- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/tools/code_format/requirements.txt b/tools/code_format/requirements.txt index a383645319d7..7fe475df9b67 100644 --- a/tools/code_format/requirements.txt +++ b/tools/code_format/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile +# This file is autogenerated by pip-compile with python 3.7 # To update, run: # # pip-compile --generate-hashes tools/code_format/requirements.txt 
@@ -14,10 +14,23 @@ flake8==4.0.1 \ # via # -r tools/code_format/requirements.txt # flake8-polyfill + # pep8-naming +flake8-polyfill==1.0.2 \ + --hash=sha256:12be6a34ee3ab795b19ca73505e7b55826d5f6ad7230d31b18e106400169b9e9 \ + --hash=sha256:e44b087597f6da52ec6393a709e7108b2905317d0c0b744cdca6208e670d8eda + # via + # -r tools/code_format/requirements.txt + # pep8-naming +importlib-metadata==4.8.1 \ + --hash=sha256:b618b6d2d5ffa2f16add5697cf57a46c76a56229b0ed1c438322e4e95645bd15 \ + --hash=sha256:f284b3e11256ad1e5d03ab86bb2ccd6f5339688ff17a4d797a0fe7df326f23b1 + # via flake8 mccabe==0.6.1 \ --hash=sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42 \ --hash=sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f - # via flake8 + # via + # -r tools/code_format/requirements.txt + # flake8 pep8-naming==0.12.1 \ --hash=sha256:4a8daeaeb33cfcde779309fc0c9c0a68a3bbe2ad8a8308b763c5068f86eb9f37 \ --hash=sha256:bb2455947757d162aa4cad55dba4ce029005cd1692f2899a21d51d8630ca7841 @@ -34,3 +47,7 @@ yapf==0.31.0 \ --hash=sha256:408fb9a2b254c302f49db83c59f9aa0b4b0fd0ec25be3a5c51181327922ff63d \ --hash=sha256:e3a234ba8455fe201eaa649cdac872d590089a18b661e39bbac7020978dd9c2e # via -r tools/code_format/requirements.txt +zipp==3.6.0 \ + --hash=sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832 \ + --hash=sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc + # via importlib-metadata diff --git a/tools/extensions/extensions_check.py b/tools/extensions/extensions_check.py index c9c204050f38..7f4cd1c64553 100644 --- a/tools/extensions/extensions_check.py +++ b/tools/extensions/extensions_check.py 
@@ -55,7 +55,7 @@ "envoy.stats_sinks", "envoy.thrift_proxy.filters", "envoy.tracers", "envoy.sip_proxy.filters", "envoy.transport_sockets.downstream", "envoy.transport_sockets.upstream", "envoy.tls.cert_validator", "envoy.upstreams", "envoy.wasm.runtime", "envoy.common.key_value", - "envoy.network.dns_resolver", "envoy.rbac.matchers") + "envoy.network.dns_resolver", "envoy.rbac.matchers", "envoy.access_loggers.filters") EXTENSION_STATUS_VALUES = ( # This extension is stable and is expected to be production usable. From 97e0024f340b7f9bae89a76ebacebb59afe71e8d Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Fri, 1 Oct 2021 02:56:27 +0000 Subject: [PATCH 04/19] fix presubmits Signed-off-by: Douglas Reid --- bazel/repository_locations.bzl | 1 + docs/root/api-v3/config/accesslog/accesslog.rst | 1 + 2 files changed, 2 insertions(+) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index b2ed497e3a18..b948a0475169 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -869,6 +869,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( urls = ["https://github.com/google/cel-cpp/archive/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = [ + "envoy.access_loggers.filters.cel", "envoy.access_loggers.wasm", "envoy.bootstrap.wasm", "envoy.rate_limit_descriptors.expr", diff --git a/docs/root/api-v3/config/accesslog/accesslog.rst b/docs/root/api-v3/config/accesslog/accesslog.rst index dae49773f788..6f265939d7ee 100644 --- a/docs/root/api-v3/config/accesslog/accesslog.rst +++ b/docs/root/api-v3/config/accesslog/accesslog.rst @@ -9,3 +9,4 @@ Access loggers v3/* ../../extensions/access_loggers/*/v3/* + ../../extensions/access_loggers/filters/*/v3/* From 69b1cf4aa38568f32a9b9e82ee9357432283b793 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Fri, 1 Oct 2021 04:03:41 +0000 Subject: [PATCH 05/19] fixup docs and deps 
Signed-off-by: Douglas Reid --- api/envoy/config/accesslog/v3/accesslog.proto | 1 + bazel/repository_locations.bzl | 2 ++ docs/root/api-v3/config/accesslog/accesslog.rst | 1 + docs/root/api-v3/config/accesslog/filters.rst | 8 ++++++++ docs/root/api-v3/config/accesslog/filters/filters.rst | 8 ++++++++ docs/root/api-v3/config/config.rst | 1 + test/common/http/header_map_impl_test.cc | 5 +++-- 7 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 docs/root/api-v3/config/accesslog/filters.rst create mode 100644 docs/root/api-v3/config/accesslog/filters/filters.rst diff --git a/api/envoy/config/accesslog/v3/accesslog.proto b/api/envoy/config/accesslog/v3/accesslog.proto index bb53286380c9..88b5359ffd14 100644 --- a/api/envoy/config/accesslog/v3/accesslog.proto +++ b/api/envoy/config/accesslog/v3/accesslog.proto @@ -83,6 +83,7 @@ message AccessLogFilter { GrpcStatusFilter grpc_status_filter = 10; // Extension filter. + // [#extension-category: envoy.access_loggers.filters] ExtensionFilter extension_filter = 11; // Metadata Filter diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index b948a0475169..72f35c715e8e 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -1089,6 +1089,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( # ANTLR has a runtime component, so is not purely build. use_category = ["dataplane_ext"], extensions = [ + "envoy.access_loggers.filters.cel", "envoy.access_loggers.wasm", "envoy.bootstrap.wasm", "envoy.rate_limit_descriptors.expr", @@ -1109,6 +1110,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( urls = ["https://github.com/antlr/antlr4/archive/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = [ + "envoy.access_loggers.filters.cel", "envoy.access_loggers.wasm", "envoy.bootstrap.wasm", "envoy.rate_limit_descriptors.expr", diff --git a/docs/root/api-v3/config/accesslog/accesslog.rst b/docs/root/api-v3/config/accesslog/accesslog.rst index 6f265939d7ee..feda1e4fbd6f 100644 
--- a/docs/root/api-v3/config/accesslog/accesslog.rst +++ b/docs/root/api-v3/config/accesslog/accesslog.rst @@ -9,4 +9,5 @@ Access loggers v3/* ../../extensions/access_loggers/*/v3/* + ../../extensions/access_loggers/*/v3alpha/* ../../extensions/access_loggers/filters/*/v3/* diff --git a/docs/root/api-v3/config/accesslog/filters.rst b/docs/root/api-v3/config/accesslog/filters.rst new file mode 100644 index 000000000000..fc3088fae8cb --- /dev/null +++ b/docs/root/api-v3/config/accesslog/filters.rst @@ -0,0 +1,8 @@ +Extension Filters +================= + +.. toctree:: + :glob: + :maxdepth: 2 + + filters/filters \ No newline at end of file diff --git a/docs/root/api-v3/config/accesslog/filters/filters.rst b/docs/root/api-v3/config/accesslog/filters/filters.rst new file mode 100644 index 000000000000..4474f77741ad --- /dev/null +++ b/docs/root/api-v3/config/accesslog/filters/filters.rst @@ -0,0 +1,8 @@ +Extension Filters +================= + +.. toctree:: + :glob: + :maxdepth: 2 + + ../../../extensions/access_loggers/filters/*/v3/* \ No newline at end of file diff --git a/docs/root/api-v3/config/config.rst b/docs/root/api-v3/config/config.rst index 6d4034ff5b8d..605afc346a32 100644 --- a/docs/root/api-v3/config/config.rst +++ b/docs/root/api-v3/config/config.rst @@ -9,6 +9,7 @@ Extensions filter/filter accesslog/accesslog + accesslog/filters rbac/rbac health_checker/health_checker transport_socket/transport_socket diff --git a/test/common/http/header_map_impl_test.cc b/test/common/http/header_map_impl_test.cc index 7813ff5c1874..1b95f4b49ad1 100644 --- a/test/common/http/header_map_impl_test.cc +++ b/test/common/http/header_map_impl_test.cc 
@@ -423,8 +423,9 @@ TEST_P(HeaderMapImplTest, AllInlineHeaders) { INLINE_REQ_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS) } { - // No request trailer O(1) headers. - } { + // No request trailer O(1) headers. + } + { auto header_map = ResponseHeaderMapImpl::create(); INLINE_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS) INLINE_REQ_RESP_STRING_HEADERS(TEST_INLINE_STRING_HEADER_FUNCS) From 7ef6a746eb31901d3686a36f965e4567165a8911 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Fri, 1 Oct 2021 04:14:19 +0000 Subject: [PATCH 06/19] last dep issue Signed-off-by: Douglas Reid --- bazel/repository_locations.bzl | 1 + 1 file changed, 1 insertion(+) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 72f35c715e8e..5f5845337f5d 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -893,6 +893,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( urls = ["https://github.com/google/flatbuffers/archive/v{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = [ + "envoy.access_loggers.filters.cel", "envoy.access_loggers.wasm", "envoy.bootstrap.wasm", "envoy.rate_limit_descriptors.expr", From df35c8da617f72ea83a5fcb0321bb1307676f283 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Fri, 1 Oct 2021 17:26:42 +0000 Subject: [PATCH 07/19] newlines for all Signed-off-by: Douglas Reid --- docs/root/api-v3/config/accesslog/filters.rst | 2 +- docs/root/api-v3/config/accesslog/filters/filters.rst | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/root/api-v3/config/accesslog/filters.rst b/docs/root/api-v3/config/accesslog/filters.rst index fc3088fae8cb..692d0a18586b 100644 --- a/docs/root/api-v3/config/accesslog/filters.rst +++ b/docs/root/api-v3/config/accesslog/filters.rst @@ -5,4 +5,4 @@ Extension Filters :glob: :maxdepth: 2 - filters/filters \ No newline at end of file + filters/filters 
diff --git a/docs/root/api-v3/config/accesslog/filters/filters.rst b/docs/root/api-v3/config/accesslog/filters/filters.rst index 4474f77741ad..a27e04e37692 100644 --- a/docs/root/api-v3/config/accesslog/filters/filters.rst +++ b/docs/root/api-v3/config/accesslog/filters/filters.rst @@ -5,4 +5,4 @@ Extension Filters :glob: :maxdepth: 2 - ../../../extensions/access_loggers/filters/*/v3/* \ No newline at end of file + ../../../extensions/access_loggers/filters/*/v3/* From 96d010ccae0183cbce6ae769a454802cfddf1a87 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Mon, 4 Oct 2021 21:53:08 +0000 Subject: [PATCH 08/19] address windows build and test coverage Signed-off-by: Douglas Reid --- .../access_loggers/filters/cel/BUILD | 16 ++++++++++++-- .../access_loggers/filters/cel/cel.cc | 6 +---- .../access_loggers/filters/cel/config.cc | 6 +++++ test/common/access_log/BUILD | 6 +++++ .../common/access_log/access_log_impl_test.cc | 22 +++++++++++++++++++ 5 files changed, 49 insertions(+), 7 deletions(-) diff --git a/source/extensions/access_loggers/filters/cel/BUILD b/source/extensions/access_loggers/filters/cel/BUILD index 1b3d83a2d7a4..4e53f30780d7 100644 --- a/source/extensions/access_loggers/filters/cel/BUILD +++ b/source/extensions/access_loggers/filters/cel/BUILD @@ -31,6 +31,12 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], + copts = select({ + "//bazel:windows_x86_64": [], # TODO: fix the windows ANTLR build + "//conditions:default": [ + "-DUSE_CEL_PARSER", + ], + }), extra_visibility = [ "//test:__subpackages__", ], @@ -45,7 +51,13 @@ envoy_cc_extension( "//source/common/protobuf", "//source/common/protobuf:utility_lib", "//source/extensions/filters/common/expr:evaluator_lib", - "@com_google_cel_cpp//parser", "@envoy_api//envoy/extensions/access_loggers/filters/cel/v3:pkg_cc_proto", - ], + ] + select( + { + "//bazel:windows_x86_64": [], + "//conditions:default": [ + "@com_google_cel_cpp//parser", + ], + }, + ), ) 
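Review bot: `-DUSE_CEL_PARSER` is injected through `copts` on this `config` target and, in the same commit, through a second identical `select` on `access_log_impl_test` in test/common/access_log/BUILD, so the library and its test agree on the macro only while both selects are edited together. If they drift, the test could compile its CEL cases against a library built without the parser (or the reverse), and the result would be a confusing test failure rather than a build error. Consider defining the select once as a shared constant in a `.bzl` file and referencing it from both targets. The TODO would also be easier to track with an owner, e.g. `# TODO(douglas-reid): fix the windows ANTLR build`.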
diff --git a/source/extensions/access_loggers/filters/cel/cel.cc b/source/extensions/access_loggers/filters/cel/cel.cc index d1e4aea02c37..a9c87da2e1a0 100644 --- a/source/extensions/access_loggers/filters/cel/cel.cc +++ b/source/extensions/access_loggers/filters/cel/cel.cc @@ -18,14 +18,10 @@ bool CELAccessLogExtensionFilter::evaluate( const StreamInfo::StreamInfo& stream_info, const Http::RequestHeaderMap& request_headers, const Http::ResponseHeaderMap& response_headers, const Http::ResponseTrailerMap& response_trailers) const { - if (compiled_expr_ == nullptr) { - return false; - } - Protobuf::Arena arena; auto eval_status = Expr::evaluate(*compiled_expr_, arena, stream_info, &request_headers, &response_headers, &response_trailers); - if (!eval_status.has_value()) { + if (!eval_status.has_value() || eval_status.value().IsError()) { return false; } auto result = eval_status.value(); diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index 6ca3d9a99227..73a0def202b7 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc @@ -15,6 +15,11 @@ namespace CEL { Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( const envoy::config::accesslog::v3::ExtensionFilter& config, Runtime::Loader&, Random::RandomGenerator&) { + +#if !defined(USE_CEL_PARSER) + throw EnvoyException("Not able to create filter - CEL parser not enabled."); +#endif + auto factory_config = Config::Utility::translateToFactoryConfig( config, Envoy::ProtobufMessage::getNullValidationVisitor(), *this); @@ -27,6 +32,7 @@ Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( throw EnvoyException("Not able to parse filter expression: " + parse_status.status().ToString()); } + return std::make_unique(getOrCreateBuilder(), parse_status.value().expr()); } 
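Review bot: The added `|| eval_status.value().IsError()` branch makes a runtime evaluation error indistinguishable from a legitimate non-match: the entry is dropped and nothing records why, so an expression that starts failing (for instance on a missing map key) quietly stops access logging for the affected requests. Where these logs feed audit or detection, a debug-level log line or a counter on this branch would make the gap visible; at minimum add a comment such as `// Evaluation errors suppress the entry (treated as false).`. The hunk also removes the `compiled_expr_ == nullptr` guard, so `*compiled_expr_` is now dereferenced unconditionally; if the constructor (not shown here) guarantees a non-null expression, state that with `ASSERT(compiled_expr_ != nullptr);`. evaluate() continues past the end of the hunk.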
diff --git a/test/common/access_log/BUILD b/test/common/access_log/BUILD index 97253ae51916..bc8eb168dccd 100644 --- a/test/common/access_log/BUILD +++ b/test/common/access_log/BUILD @@ -11,6 +11,12 @@ envoy_package() envoy_cc_test( name = "access_log_impl_test", srcs = ["access_log_impl_test.cc"], + copts = select({ + "//bazel:windows_x86_64": [], # TODO: fix the windows ANTLR build + "//conditions:default": [ + "-DUSE_CEL_PARSER", + ], + }), deps = [ "//source/common/access_log:access_log_lib", "//source/common/stream_info:utility_lib", diff --git a/test/common/access_log/access_log_impl_test.cc b/test/common/access_log/access_log_impl_test.cc index 58069ae9a49a..9ff34bd2dde7 100644 --- a/test/common/access_log/access_log_impl_test.cc +++ b/test/common/access_log/access_log_impl_test.cc @@ -1598,6 +1598,7 @@ name: accesslog } } +#if defined(USE_CEL_PARSER) TEST_F(AccessLogImplTest, CelExtensionFilter) { const std::string yaml = R"EOF( name: accesslog @@ -1624,6 +1625,26 @@ name: accesslog logger->log(&request_headers_, &response_headers_, &response_trailers_, stream_info_); } +TEST_F(AccessLogImplTest, CelExtensionFilterExpressionError) { + const std::string yaml = R"EOF( +name: accesslog +filter: + extension_filter: + name: cel_extension_filter + typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.filters.cel.v3.ExpressionFilter + expression: "foo['test']" +typed_config: + "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog + path: /dev/null + )EOF"; + + InstanceSharedPtr logger = AccessLogFactory::fromProto(parseAccessLogFromV3Yaml(yaml), context_); + + EXPECT_CALL(*file_, write(_)).Times(0); + logger->log(&request_headers_, &response_headers_, &response_trailers_, stream_info_); +} + TEST_F(AccessLogImplTest, CelExtensionFilterExpressionUnparsable) { const std::string yaml = R"EOF( name: accesslog 
@@ -1641,6 +1662,7 @@ name: accesslog EXPECT_THROW_WITH_REGEX(AccessLogFactory::fromProto(parseAccessLogFromV3Yaml(yaml), context_), EnvoyException, "Not able to parse filter expression: .*"); } +#endif // USE_CEL_PARSER // Test that the deprecated extension names are disabled by default. // TODO(zuercher): remove when envoy.deprecated_features.allow_deprecated_extension_names is removed From d31d5469043a47034cdb2c209e76a2f9adc85a81 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Tue, 5 Oct 2021 02:59:11 +0000 Subject: [PATCH 09/19] add forgotten ifdef Signed-off-by: Douglas Reid --- source/extensions/access_loggers/filters/cel/config.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index 73a0def202b7..d140e80c5ad9 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc @@ -4,7 +4,9 @@ #include "source/extensions/access_loggers/filters/cel/cel.h" +#if defined(USE_CEL_PARSER) #include "parser/parser.h" +#endif namespace Envoy { namespace Extensions { From dae58df47ec38d12421c077d0f6ee5ba0ffa9250 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Tue, 5 Oct 2021 16:25:00 +0000 Subject: [PATCH 10/19] fixup Signed-off-by: Douglas Reid --- docs/root/version_history/current.rst | 37 ------------------- .../access_loggers/filters/cel/config.cc | 8 ++-- 2 files changed, 4 insertions(+), 41 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 373b18c6ec35..d40323be1e03 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -87,43 +87,6 @@ New Features * xds: re-introduced unified delta and sotw xDS multiplexers that share most of the implementation. Added a new runtime config ``envoy.reloadable_features.unified_mux`` (disabled by default) that when enabled, switches xDS to use unified multiplexers. * access_log: added :ref:`METADATA` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). * access_log: added a CEL extension filter to enable filtering of access logs based on Envoy attribute expressions. -* bootstrap: added :ref:`inline_headers ` in the bootstrap to make custom inline headers bootstrap configurable. -* contrib: added new :ref:`contrib images ` which contain contrib extensions. -* dns: added :ref:`V4_PREFERRED ` option to return V6 addresses only if V4 addresses are not available. -* ext_authz: added :ref:`dynamic_metadata_from_headers ` to support emitting dynamic metadata from headers returned by an external authorization service via HTTP. -* grpc reverse bridge: added a new :ref:`option ` to support streaming response bodies when withholding gRPC frames from the upstream. -* grpc_json_transcoder: added support to unescape '+' in query parameters to space with a new config field :ref:`query_param_unescape_plus `. -* http: added cluster_header in :ref:`weighted_clusters ` to allow routing to the weighted cluster specified in the request_header. -* http: added :ref:`alternate_protocols_cache_options ` for enabling HTTP/3 connections to servers which advertise HTTP/3 support via `HTTP Alternative Services `_ and caching the advertisements to disk. -* http: added :ref:`string_match ` in the header matcher. -* http: added :ref:`x-envoy-upstream-stream-duration-ms ` that allows configuring the max stream duration via a request header. -* http: added support for :ref:`max_requests_per_connection ` for both upstream and downstream connections. -* http: sanitizing the referer header as documented :ref:`here `. 
This feature can be temporarily turned off by setting runtime guard ``envoy.reloadable_features.sanitize_http_header_referer`` to false. -* http: validating outgoing HTTP/2 CONNECT requests to ensure that if ``:path`` is set that ``:protocol`` is present. This behavior can be temporarily turned off by setting runtime guard ``envoy.reloadable_features.validate_connect`` to false. -* jwt_authn: added support for :ref:`Jwt Cache ` and its size can be specified by :ref:`jwt_cache_size `. -* jwt_authn: added support for extracting JWTs from request cookies using :ref:`from_cookies `. -* jwt_authn: added support for setting the extracted headers from a successfully verified JWT using :ref:`header_in_metadata ` to dynamic metadata. -* listener: new listener metric ``downstream_cx_transport_socket_connect_timeout`` to track transport socket timeouts. -* lua: added ``header:getAtIndex()`` and ``header:getNumValues()`` methods to :ref:`header object ` for retrieving the value of a header at certain index and get the total number of values for a given header. -* matcher: added :ref:`invert ` for inverting the match result in the metadata matcher. -* overload: add a new overload action that resets streams using a lot of memory. To enable the tracking of allocated bytes in buffers that a stream is using we need to configure the minimum threshold for tracking via:ref:`buffer_factory_config `. We have an overload action ``Envoy::Server::OverloadActionNameValues::ResetStreams`` that takes advantage of the tracking to reset the most expensive stream first. -* rbac: added :ref:`destination_port_range ` for matching range of destination ports. -* rbac: added :ref:`matcher` along with extension category ``extension_category_envoy.rbac.matchers`` for custom RBAC permission matchers. Added reference implementation for matchers :ref:`envoy.rbac.matchers.upstream_ip_port `. -* route config: added :ref:`dynamic_metadata ` for routing based on dynamic metadata. 
-* router: added retry options predicate extensions configured via - :ref:` `. These - extensions allow modification of requests between retries at the router level. There are not - currently any built-in extensions that implement this extension point. -* router: added :ref:`per_try_idle_timeout ` timeout configuration. -* router: added an optional :ref:`override_auto_sni_header ` to support setting SNI value from an arbitrary header other than host/authority. -* sxg_filter: added filter to transform response to SXG package to :ref:`contrib images `. This can be enabled by setting :ref:`SXG ` configuration. -* thrift_proxy: added support for :ref:`mirroring requests `. -* udp: allows updating filter chain in-place through LDS, which is supported by Quic listener. Such listener config will be rejected in other connection-less UDP listener implementations. It can be reverted by ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place``. -* udp: disallow L4 filter chain in config which configures connection-less UDP listener. It can be reverted by ``envoy.reloadable_features.udp_listener_updates_filter_chain_in_place``. -* upstream: added support for :ref:`slow start mode `, which allows to progresively increase traffic for new endpoints. -* upstream: extended :ref:`Round Robin load balancer configuration ` with :ref:`slow start ` support. -* upstream: extended :ref:`Least Request load balancer configuration ` with :ref:`slow start ` support. -* xray: request direction (``ingress`` or ``egress``) is recorded as X-Ray trace segment's annotation by name ``direction``. Deprecated ---------- diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index d140e80c5ad9..8ad3198c534f 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc 
@@ -18,13 +18,10 @@ Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( const envoy::config::accesslog::v3::ExtensionFilter& config, Runtime::Loader&, Random::RandomGenerator&) { -#if !defined(USE_CEL_PARSER) - throw EnvoyException("Not able to create filter - CEL parser not enabled."); -#endif - auto factory_config = Config::Utility::translateToFactoryConfig( config, Envoy::ProtobufMessage::getNullValidationVisitor(), *this); +#if defined(USE_CEL_PARSER) envoy::extensions::access_loggers::filters::cel::v3::ExpressionFilter cel_config = *dynamic_cast( factory_config.get()); @@ -37,6 +34,9 @@ Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( return std::make_unique(getOrCreateBuilder(), parse_status.value().expr()); +#elif + return nullptr; +#endif } ProtobufTypes::MessagePtr CELAccessLogExtensionFilterFactory::createEmptyConfigProto() { From 5dd4d10ce179f9fef444823ef49f4a6eb1d86951 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Wed, 6 Oct 2021 19:57:02 +0000 Subject: [PATCH 11/19] fix bad merge Signed-off-by: Douglas Reid --- docs/root/api-v3/config/accesslog/accesslog.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/root/api-v3/config/accesslog/accesslog.rst b/docs/root/api-v3/config/accesslog/accesslog.rst index feda1e4fbd6f..6f265939d7ee 100644 --- a/docs/root/api-v3/config/accesslog/accesslog.rst +++ b/docs/root/api-v3/config/accesslog/accesslog.rst @@ -9,5 +9,4 @@ Access loggers v3/* ../../extensions/access_loggers/*/v3/* - ../../extensions/access_loggers/*/v3alpha/* ../../extensions/access_loggers/filters/*/v3/* From 4dc7ccf663233745f19bb5c55f0bfe3441947775 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Thu, 7 Oct 2021 15:14:55 +0000 Subject: [PATCH 12/19] fix windows Signed-off-by: Douglas Reid --- source/extensions/access_loggers/filters/cel/config.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index 8ad3198c534f..c1f804d69ec6 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc @@ -34,7 +34,7 @@ Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( return std::make_unique(getOrCreateBuilder(), parse_status.value().expr()); -#elif +#else return nullptr; #endif } From c4a773ace1797da274dff6cb66a0b0d09490d661 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Thu, 7 Oct 2021 15:59:23 +0000 Subject: [PATCH 13/19] fix version history bad merge Signed-off-by: Douglas Reid --- docs/root/version_history/current.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index d40323be1e03..1c5b578026eb 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst @@ -87,6 +87,7 @@ New Features * xds: re-introduced unified delta and sotw xDS multiplexers that share most of the implementation. Added a new runtime config ``envoy.reloadable_features.unified_mux`` (disabled by default) that when enabled, switches xDS to use unified multiplexers. * access_log: added :ref:`METADATA` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). * access_log: added a CEL extension filter to enable filtering of access logs based on Envoy attribute expressions. +* http: added support for :ref:`retriable health check status codes `. Deprecated ---------- From 9de322a2e950c1029c3ad72a52c0af7237e62960 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Fri, 15 Oct 2021 18:53:30 +0000 Subject: [PATCH 14/19] add more complex API example Signed-off-by: Douglas Reid --- api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto b/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto index 34418028b250..ff3ef8cbf605 100644 --- a/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto +++ b/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto @@ -20,6 +20,6 @@ message ExpressionFilter { // Expressions are based on the set of Envoy :ref:`attributes `. // Examples: // - `response.code >= 400` - // - `request.headers['x-logging-flag'] == 'true'` + // - `(connection.mtls && request.headers['x-log-mtls'] == 'true') || request.url_path.contains('v1beta3')` string expression = 1; } From 727a6fcc01b2203a9c338b789be6c9324017aebd Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Thu, 21 Oct 2021 17:37:47 +0000 Subject: [PATCH 15/19] address review comments Signed-off-by: Douglas Reid --- .../access_loggers/filters/cel/v3/cel.proto | 1 + .../access_loggers/filters/cel/config.h | 2 +- tools/code_format/requirements.txt | 21 ++----------------- 3 files changed, 4 insertions(+), 20 deletions(-) diff --git a/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto b/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto index ff3ef8cbf605..ffbcb3aafc52 100644 --- a/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto +++ b/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto @@ -18,6 +18,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; message ExpressionFilter { // Expression that, when evaluated, will be used to filter access logs. // Expressions are based on the set of Envoy :ref:`attributes `. + // The provided expression must evaluate to true for logging (expression errors are considered false). // Examples: // - `response.code >= 400` // - `(connection.mtls && request.headers['x-log-mtls'] == 'true') || request.url_path.contains('v1beta3')` 
diff --git a/source/extensions/access_loggers/filters/cel/config.h b/source/extensions/access_loggers/filters/cel/config.h index b69bbebe07b8..4c3d9d1c1f79 100644 --- a/source/extensions/access_loggers/filters/cel/config.h +++ b/source/extensions/access_loggers/filters/cel/config.h @@ -22,7 +22,7 @@ class CELAccessLogExtensionFilterFactory : public Envoy::AccessLog::ExtensionFil createFilter(const envoy::config::accesslog::v3::ExtensionFilter& config, Runtime::Loader&, Random::RandomGenerator&) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; - std::string name() const override { return "cel_extension_filter"; } + std::string name() const override { return "envoy.access_loggers.filters.cel"; } private: Extensions::Filters::Common::Expr::Builder& getOrCreateBuilder(); diff --git a/tools/code_format/requirements.txt b/tools/code_format/requirements.txt index 7fe475df9b67..a383645319d7 100644 --- a/tools/code_format/requirements.txt +++ b/tools/code_format/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with python 3.7 +# This file is autogenerated by pip-compile # To update, run: # # pip-compile --generate-hashes tools/code_format/requirements.txt 
@@ -14,23 +14,10 @@ flake8==4.0.1 \ # via # -r tools/code_format/requirements.txt # flake8-polyfill - # pep8-naming -flake8-polyfill==1.0.2 \ - --hash=sha256:12be6a34ee3ab795b19ca73505e7b55826d5f6ad7230d31b18e106400169b9e9 \ - --hash=sha256:e44b087597f6da52ec6393a709e7108b2905317d0c0b744cdca6208e670d8eda - # via - # -r tools/code_format/requirements.txt - # pep8-naming -importlib-metadata==4.8.1 \ - --hash=sha256:b618b6d2d5ffa2f16add5697cf57a46c76a56229b0ed1c438322e4e95645bd15 \ - --hash=sha256:f284b3e11256ad1e5d03ab86bb2ccd6f5339688ff17a4d797a0fe7df326f23b1 - # via flake8 mccabe==0.6.1 \ --hash=sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42 \ --hash=sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f - # via - # -r tools/code_format/requirements.txt - # flake8 + # via flake8 pep8-naming==0.12.1 \ --hash=sha256:4a8daeaeb33cfcde779309fc0c9c0a68a3bbe2ad8a8308b763c5068f86eb9f37 \ --hash=sha256:bb2455947757d162aa4cad55dba4ce029005cd1692f2899a21d51d8630ca7841 @@ -47,7 +34,3 @@ yapf==0.31.0 \ --hash=sha256:408fb9a2b254c302f49db83c59f9aa0b4b0fd0ec25be3a5c51181327922ff63d \ --hash=sha256:e3a234ba8455fe201eaa649cdac872d590089a18b661e39bbac7020978dd9c2e # via -r tools/code_format/requirements.txt -zipp==3.6.0 \ - --hash=sha256:71c644c5369f4a6e07636f0aa966270449561fcea2e3d6747b8d23efaa9d7832 \ - --hash=sha256:9fe5ea21568a0a70e50f273397638d39b03353731e6cbbb3fd8502a33fec40bc - # via importlib-metadata From f256832f8de5f0c607a82bf6eafc114fa9757186 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Mon, 25 Oct 2021 23:37:17 +0000 Subject: [PATCH 16/19] fix ordering of features in current.rst Signed-off-by: Douglas Reid --- docs/root/version_history/current.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 1c5b578026eb..d29ea86058fd 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -52,6 +52,8 @@ Removed Config or Runtime New Features ------------ * access log: added :ref:`grpc_stream_retry_policy ` to the gRPC logger to reconnect when a connection fails to be established. +* access_log: added :ref:`METADATA` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). +* access_log: added a CEL extension filter to enable filtering of access logs based on Envoy attribute expressions. * api: added support for *xds.type.v3.TypedStruct* in addition to the now-deprecated *udpa.type.v1.TypedStruct* proto message, which is a wrapper proto used to encode typed JSON data in a *google.protobuf.Any* field. * aws_request_signing_filter: added :ref:`match_excluded_headers ` to the signing filter to optionally exclude request headers from signing. * bootstrap: added :ref:`typed_dns_resolver_config ` in the bootstrap to support DNS resolver as an extension. @@ -85,9 +87,6 @@ New Features * upstream: added the ability to :ref:`configure max connection duration ` for upstream clusters. * vcl_socket_interface: added VCL socket interface extension for fd.io VPP integration to :ref:`contrib images `. This can be enabled via :ref:`VCL ` configuration. * xds: re-introduced unified delta and sotw xDS multiplexers that share most of the implementation. Added a new runtime config ``envoy.reloadable_features.unified_mux`` (disabled by default) that when enabled, switches xDS to use unified multiplexers. -* access_log: added :ref:`METADATA` token to handle all types of metadata (DYNAMIC, CLUSTER, ROUTE). -* access_log: added a CEL extension filter to enable filtering of access logs based on Envoy attribute expressions. -* http: added support for :ref:`retriable health check status codes `. Deprecated ---------- From db71f55b4e1e1e7e1220cb527e307d090e22a32f Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Tue, 26 Oct 2021 20:24:31 +0000 Subject: [PATCH 17/19] Add todo for validation visitor 
Signed-off-by: Douglas Reid --- source/extensions/access_loggers/filters/cel/config.cc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index c1f804d69ec6..fbddd9f6568a 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc @@ -18,6 +18,8 @@ Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( const envoy::config::accesslog::v3::ExtensionFilter& config, Runtime::Loader&, Random::RandomGenerator&) { + // TODO: use factory_context validation. likely needs update to createFilter + // signature to pass in validation visitor. auto factory_config = Config::Utility::translateToFactoryConfig( config, Envoy::ProtobufMessage::getNullValidationVisitor(), *this); From 47a04c15f87df3dac55e8cc5a2fb2ea241ddb567 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Tue, 16 Nov 2021 19:05:59 +0000 Subject: [PATCH 18/19] Use proper extension category Signed-off-by: Douglas Reid --- api/envoy/config/accesslog/v3/accesslog.proto | 2 +- .../extensions/access_loggers/filters/cel/v3/cel.proto | 2 +- bazel/repository_locations.bzl | 8 ++++---- source/extensions/access_loggers/filters/cel/config.cc | 2 +- source/extensions/access_loggers/filters/cel/config.h | 2 +- source/extensions/extensions_build_config.bzl | 2 +- source/extensions/extensions_metadata.yaml | 4 ++-- tools/extensions/extensions_check.py | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/api/envoy/config/accesslog/v3/accesslog.proto b/api/envoy/config/accesslog/v3/accesslog.proto index 88b5359ffd14..a89a4a709be1 100644 --- a/api/envoy/config/accesslog/v3/accesslog.proto +++ b/api/envoy/config/accesslog/v3/accesslog.proto 
@@ -83,7 +83,7 @@ message AccessLogFilter { GrpcStatusFilter grpc_status_filter = 10; // Extension filter. - // [#extension-category: envoy.access_loggers.filters] + // [#extension-category: envoy.access_loggers.extension_filters] ExtensionFilter extension_filter = 11; // Metadata Filter diff --git a/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto b/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto index ffbcb3aafc52..8cb4d8b77925 100644 --- a/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto +++ b/api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto @@ -10,7 +10,7 @@ option java_multiple_files = true; option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: ExpressionFilter] -// [#extension: envoy.access_loggers.filters.cel] +// [#extension: envoy.access_loggers.extension_filters.cel] // ExpressionFilter is an access logging filter that evaluates configured // symbolic Common Expression Language expressions to inform the decision diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 5f5845337f5d..efbd8aa7fa1d 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -869,7 +869,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( urls = ["https://github.com/google/cel-cpp/archive/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = [ - "envoy.access_loggers.filters.cel", + "envoy.access_loggers.extension_filters.cel", "envoy.access_loggers.wasm", "envoy.bootstrap.wasm", "envoy.rate_limit_descriptors.expr", @@ -893,7 +893,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( urls = ["https://github.com/google/flatbuffers/archive/v{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = [ - "envoy.access_loggers.filters.cel", + "envoy.access_loggers.extension_filters.cel", "envoy.access_loggers.wasm", "envoy.bootstrap.wasm", "envoy.rate_limit_descriptors.expr", 
@@ -1090,7 +1090,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( # ANTLR has a runtime component, so is not purely build. use_category = ["dataplane_ext"], extensions = [ - "envoy.access_loggers.filters.cel", + "envoy.access_loggers.extension_filters.cel", "envoy.access_loggers.wasm", "envoy.bootstrap.wasm", "envoy.rate_limit_descriptors.expr", @@ -1111,7 +1111,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( urls = ["https://github.com/antlr/antlr4/archive/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = [ - "envoy.access_loggers.filters.cel", + "envoy.access_loggers.extension_filters.cel", "envoy.access_loggers.wasm", "envoy.bootstrap.wasm", "envoy.rate_limit_descriptors.expr", diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index fbddd9f6568a..72ee03938ece 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc @@ -37,7 +37,7 @@ Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( return std::make_unique(getOrCreateBuilder(), parse_status.value().expr()); #else - return nullptr; + throw EnvoyException("CEL is not available for use in this environment."); #endif } diff --git a/source/extensions/access_loggers/filters/cel/config.h b/source/extensions/access_loggers/filters/cel/config.h index 4c3d9d1c1f79..0266af6fbb0a 100644 --- a/source/extensions/access_loggers/filters/cel/config.h +++ b/source/extensions/access_loggers/filters/cel/config.h 
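Review bot: The `#else` branch in config.cc that now throws `EnvoyException("CEL is not available for use in this environment.")` is not exercised by any test in the hunks shown: the CEL cases added to access_log_impl_test.cc sit inside `#if defined(USE_CEL_PARSER)`, so a build without the parser compiles them all out. An `#else` case in that test file that loads the same extension_filter YAML and checks `EXPECT_THROW_WITH_REGEX(AccessLogFactory::fromProto(parseAccessLogFromV3Yaml(yaml), context_), EnvoyException, "CEL is not available.*");` would pin that such a config is rejected at load time instead of running without its filter. createFilter begins outside this hunk.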
@@ -22,7 +22,7 @@ class CELAccessLogExtensionFilterFactory : public Envoy::AccessLog::ExtensionFil createFilter(const envoy::config::accesslog::v3::ExtensionFilter& config, Runtime::Loader&, Random::RandomGenerator&) override; ProtobufTypes::MessagePtr createEmptyConfigProto() override; - std::string name() const override { return "envoy.access_loggers.filters.cel"; } + std::string name() const override { return "envoy.access_loggers.extension_filters.cel"; } private: Extensions::Filters::Common::Expr::Builder& getOrCreateBuilder(); diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 418a13ea91d9..af6c53608439 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl @@ -5,7 +5,7 @@ EXTENSIONS = { # "envoy.access_loggers.file": "//source/extensions/access_loggers/file:config", - "envoy.access_loggers.filters.cel": "//source/extensions/access_loggers/filters/cel:config", + "envoy.access_loggers.extension_filters.cel": "//source/extensions/access_loggers/filters/cel:config", "envoy.access_loggers.http_grpc": "//source/extensions/access_loggers/grpc:http_config", "envoy.access_loggers.tcp_grpc": "//source/extensions/access_loggers/grpc:tcp_config", "envoy.access_loggers.open_telemetry": "//source/extensions/access_loggers/open_telemetry:config", diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 25e5900897c2..3cf47195acf2 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -3,9 +3,9 @@ envoy.access_loggers.file: - envoy.access_loggers security_posture: robust_to_untrusted_downstream status: stable -envoy.access_loggers.filters.cel: +envoy.access_loggers.extension_filters.cel: categories: - - envoy.access_loggers.filters + - envoy.access_loggers.extension_filters security_posture: unknown status: alpha envoy.access_loggers.http_grpc: 
diff --git a/tools/extensions/extensions_check.py b/tools/extensions/extensions_check.py index 7f4cd1c64553..313206572d12 100644 --- a/tools/extensions/extensions_check.py +++ b/tools/extensions/extensions_check.py @@ -55,7 +55,7 @@ "envoy.stats_sinks", "envoy.thrift_proxy.filters", "envoy.tracers", "envoy.sip_proxy.filters", "envoy.transport_sockets.downstream", "envoy.transport_sockets.upstream", "envoy.tls.cert_validator", "envoy.upstreams", "envoy.wasm.runtime", "envoy.common.key_value", - "envoy.network.dns_resolver", "envoy.rbac.matchers", "envoy.access_loggers.filters") + "envoy.network.dns_resolver", "envoy.rbac.matchers", "envoy.access_loggers.extension_filters") EXTENSION_STATUS_VALUES = ( # This extension is stable and is expected to be production usable. From 4f09adebb43de29e1ef18c2ae36b667fa3781293 Mon Sep 17 00:00:00 2001 From: Douglas Reid Date: Wed, 17 Nov 2021 21:01:17 +0000 Subject: [PATCH 19/19] better todo Signed-off-by: Douglas Reid --- source/extensions/access_loggers/filters/cel/config.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/extensions/access_loggers/filters/cel/config.cc b/source/extensions/access_loggers/filters/cel/config.cc index 72ee03938ece..0df41fc19c52 100644 --- a/source/extensions/access_loggers/filters/cel/config.cc +++ b/source/extensions/access_loggers/filters/cel/config.cc @@ -18,8 +18,8 @@ Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter( const envoy::config::accesslog::v3::ExtensionFilter& config, Runtime::Loader&, Random::RandomGenerator&) { - // TODO: use factory_context validation. likely needs update to createFilter - // signature to pass in validation visitor. + // TODO(douglas-reid): use factory_context validation. likely needs update to + // createFilter signature to pass in validation visitor. auto factory_config = Config::Utility::translateToFactoryConfig( config, Envoy::ProtobufMessage::getNullValidationVisitor(), *this);