Merge branch 'main' into admin-streaming-c++-api-lifecycle

Signed-off-by: Joshua Marantz <[email protected]>
jmarantz · Mar 19, 2024 · 1a7cd3e · 1a7cd3e
2 parents c03d2ed + 7fec609
commit 1a7cd3e
Show file tree

Hide file tree

Showing 21 changed files with 161 additions and 165 deletions.
diff --git a/api/envoy/extensions/filters/http/rbac/v3/rbac.proto b/api/envoy/extensions/filters/http/rbac/v3/rbac.proto
@@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.rbac]
 
 // RBAC filter config.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message RBAC {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.rbac.v2.RBAC";
@@ -34,6 +34,11 @@ message RBAC {
   config.rbac.v3.RBAC rules = 1
       [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
 
+  // If specified, rules will emit stats with the given prefix.
+  // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
+  // rules.
+  string rules_stat_prefix = 6;
+
   // The match tree to use when resolving RBAC action for incoming requests. Requests do not
   // match any matcher will be denied.
   // If absent, no enforcing RBAC matcher will be applied.

diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -339,6 +339,10 @@ new_features:
     Update ``aws_request_signing`` filter to support optionally sending the aws signature in query parameters rather than headers,
     by specifying the :ref:`query_string <envoy_v3_api_field_extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.query_string>`
     configuration section.
+- area: rbac
+  change: |
+    Added :ref:`rules_stat_prefix <envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.rules_stat_prefix>`
+    to allow adding custom prefix to the stats emitted by rules.
 
 deprecated:
 - area: listener

diff --git a/docs/root/configuration/http/http_filters/rbac_filter.rst b/docs/root/configuration/http/http_filters/rbac_filter.rst
@@ -33,7 +33,12 @@ The RBAC filter outputs statistics in the ``http.<stat_prefix>.rbac.`` namespace
 <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stat_prefix>` comes from the
 owning HTTP connection manager.
 
-For the shadow rule statistics ``shadow_allowed`` and ``shadow_denied``, the :ref:`shadow_rules_stat_prefix <envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.shadow_rules_stat_prefix>`
+For the rule statistics ``allowed`` and ``denied``,
+the :ref:`rules_stat_prefix <envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.rules_stat_prefix>`
+can be used to add an extra prefix to output the statistics in the ``http.<stat_prefix>.rbac.<rules_stat_prefix>.`` namespace.
+
+For the shadow rule statistics ``shadow_allowed`` and ``shadow_denied``,
+the :ref:`shadow_rules_stat_prefix <envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.shadow_rules_stat_prefix>`
 can be used to add an extra prefix to output the statistics in the ``http.<stat_prefix>.rbac.<shadow_rules_stat_prefix>.`` namespace.
 
 .. csv-table::

diff --git a/envoy/common/exception.h b/envoy/common/exception.h
@@ -17,7 +17,7 @@ namespace Envoy {
 #define throwEnvoyExceptionOrPanic(x) PANIC(x)
 #define throwExceptionOrPanic(x, y) PANIC(y)
 #else
-#define throwEnvoyExceptionOrPanic(x) throw EnvoyException(x)
+#define throwEnvoyExceptionOrPanic(x) throw ::Envoy::EnvoyException(x)
 #define throwExceptionOrPanic(y, x) throw y(x)
 #endif
 

diff --git a/mobile/library/jni/android_network_utility.cc b/mobile/library/jni/android_network_utility.cc
@@ -88,7 +88,6 @@ LocalRefUniquePtr<jobject> callJvmVerifyX509CertChain(Envoy::JNI::JniHelper& jni
                                                       const std::vector<std::string>& cert_chain,
                                                       std::string auth_type,
                                                       absl::string_view hostname) {
-  jni_log("[Envoy]", "jvmVerifyX509CertChain");
   LocalRefUniquePtr<jclass> jcls_AndroidNetworkLibrary =
       findClass("io.envoyproxy.envoymobile.utilities.AndroidNetworkLibrary");
   jmethodID jmid_verifyServerCertificates = jni_helper.getStaticMethodId(
@@ -107,8 +106,6 @@ LocalRefUniquePtr<jobject> callJvmVerifyX509CertChain(Envoy::JNI::JniHelper& jni
 
 envoy_cert_validation_result verifyX509CertChain(const std::vector<std::string>& certs,
                                                  absl::string_view hostname) {
-  jni_log("[Envoy]", "verifyX509CertChain");
-
   envoy_cert_verify_status_t result;
   bool is_issued_by_known_root;
   std::vector<std::string> verified_chain;

diff --git a/mobile/library/jni/java_jni_support.cc b/mobile/library/jni/java_jni_support.cc
@@ -2,10 +2,6 @@
 
 // NOLINT(namespace-envoy)
 
-int jni_log_fmt(const char* /*tag*/, const char* /*fmt*/, void* /*value*/) { return 0; }
-
-int jni_log(const char* /*tag*/, const char* /*str*/) { return 0; }
-
 jint attach_jvm(JavaVM* vm, JNIEnv** p_env, void* thr_args) {
   return vm->AttachCurrentThread(reinterpret_cast<void**>(p_env), thr_args);
 }
diff --git a/mobile/library/jni/jni_impl.cc b/mobile/library/jni/jni_impl.cc
diff --git a/mobile/library/jni/jni_support.h b/mobile/library/jni/jni_support.h
@@ -4,8 +4,4 @@
 
 // NOLINT(namespace-envoy)
 
-extern "C" int jni_log_fmt(const char* tag, const char* fmt, void* value);
-
-extern "C" int jni_log(const char* tag, const char* str);
-
 extern "C" jint attach_jvm(JavaVM* vm, JNIEnv** p_env, void* thr_args);
diff --git a/mobile/library/jni/ndk_jni_support.cc b/mobile/library/jni/ndk_jni_support.cc
@@ -1,19 +1,7 @@
-#include <android/log.h>
-
 #include "library/jni/jni_support.h"
 
 // NOLINT(namespace-envoy)
 
-int jni_log_fmt(const char* /*tag*/, const char* /*fmt*/, void* /*value*/) {
-  // For debug logging, use __android_log_print(ANDROID_LOG_VERBOSE, tag, fmt, value);
-  return 0;
-}
-
-int jni_log(const char* /*tag*/, const char* /*str*/) {
-  // For debug logging, use __android_log_write(ANDROID_LOG_VERBOSE, tag, str);
-  return 0;
-}
-
 jint attach_jvm(JavaVM* vm, JNIEnv** p_env, void* thr_args) {
   return vm->AttachCurrentThread(p_env, thr_args);
 }
diff --git a/mobile/test/jni/test_jni_impl.cc b/mobile/test/jni/test_jni_impl.cc
@@ -13,70 +13,60 @@
 extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeStartHttpProxyTestServer(JNIEnv* env,
                                                                                      jclass clazz) {
-  jni_log("[QTS]", "starting server");
   start_server(Envoy::TestServerType::HTTP_PROXY);
 }
 
 extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeStartHttpsProxyTestServer(
     JNIEnv* env, jclass clazz) {
-  jni_log("[QTS]", "starting server");
   start_server(Envoy::TestServerType::HTTPS_PROXY);
 }
 
 extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeStartHttp3TestServer(JNIEnv* env,
                                                                                  jclass clazz) {
-  jni_log("[QTS]", "starting server");
   start_server(Envoy::TestServerType::HTTP3);
 }
 
 extern "C" JNIEXPORT jint JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeGetServerPort(JNIEnv* env,
                                                                           jclass clazz) {
-  jni_log("[QTS]", "getting server port");
   return get_server_port();
 }
 
 extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeStartHttp2TestServer(JNIEnv* env,
                                                                                  jclass clazz) {
-  jni_log("[QTS]", "starting server");
   start_server(Envoy::TestServerType::HTTP2_WITH_TLS);
 }
 
 extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeShutdownTestServer(JNIEnv* env,
                                                                                jclass clazz) {
-  jni_log("[QTS]", "shutting down server");
   shutdown_server();
 }
 
 extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeInitXdsTestServer(JNIEnv* env,
                                                                               jclass clazz) {
-  jni_log("[XTS]", "initializing xDS server");
   initXdsServer();
 }
 
 extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeStartXdsTestServer(JNIEnv* env,
                                                                                jclass clazz) {
-  jni_log("[XTS]", "starting xDS server");
   startXdsServer();
 }
 
 extern "C" JNIEXPORT jstring JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeGetXdsTestServerHost(JNIEnv* env,
                                                                                  jclass clazz) {
-  jni_log("[XTS]", "getting xDS server host");
   return env->NewStringUTF(getXdsServerHost());
 }
 
 extern "C" JNIEXPORT jint JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeGetXdsTestServerPort(JNIEnv* env,
                                                                                  jclass clazz) {
-  jni_log("[XTS]", "getting xDS server port");
   return getXdsServerPort();
 }
 
@@ -85,7 +75,6 @@ extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeSendDiscoveryResponse(JNIEnv* env,
                                                                                   jclass clazz,
                                                                                   jstring yaml) {
-  jni_log("[XTS]", "sending DiscoveryResponse from the xDS server");
   const char* yaml_chars = env->GetStringUTFChars(yaml, /* isCopy= */ nullptr);
   // The yaml utilities have non-relevant thread asserts.
   Envoy::Thread::SkipAsserts skip;
@@ -99,7 +88,6 @@ Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeSendDiscoveryRespons
 extern "C" JNIEXPORT void JNICALL
 Java_io_envoyproxy_envoymobile_engine_testing_TestJni_nativeShutdownXdsTestServer(JNIEnv* env,
                                                                                   jclass clazz) {
-  jni_log("[XTS]", "shutting down xDS server");
   shutdownXdsServer();
 }
 

diff --git a/source/common/config/well_known_names.cc b/source/common/config/well_known_names.cc
@@ -207,6 +207,9 @@ TagNameValues::TagNameValues() {
 
   // (<stat_prefix>.).rbac.**
   addTokenized(RBAC_PREFIX, "$.rbac.**");
+
+  // http.<stat_prefix>.rbac.(<rules_stat_prefix>.)*
+  addTokenized(RBAC_HTTP_PREFIX, "http.*.rbac.$.**");
 }
 
 void TagNameValues::addRe2(const std::string& name, const std::string& regex,

diff --git a/source/common/config/well_known_names.h b/source/common/config/well_known_names.h
@@ -123,6 +123,8 @@ class TagNameValues {
   const std::string CONNECTION_LIMIT_PREFIX = "envoy.connection_limit_prefix";
   // Stats prefix for the RBAC network filter
   const std::string RBAC_PREFIX = "envoy.rbac_prefix";
+  // Stats prefix for the RBAC http filter
+  const std::string RBAC_HTTP_PREFIX = "envoy.rbac_http_prefix";
   // Stats prefix for the TCP Proxy network filter
   const std::string TCP_PREFIX = "envoy.tcp_prefix";
   // Stats prefix for the UDP Proxy network filter

diff --git a/source/extensions/filters/common/rbac/utility.cc b/source/extensions/filters/common/rbac/utility.cc
@@ -10,11 +10,14 @@ namespace Filters {
 namespace Common {
 namespace RBAC {
 
-RoleBasedAccessControlFilterStats
-generateStats(const std::string& prefix, const std::string& shadow_prefix, Stats::Scope& scope) {
+RoleBasedAccessControlFilterStats generateStats(const std::string& prefix,
+                                                const std::string& rules_prefix,
+                                                const std::string& shadow_rules_prefix,
+                                                Stats::Scope& scope) {
   const std::string final_prefix = Envoy::statPrefixJoin(prefix, "rbac.");
-  return {ENFORCE_RBAC_FILTER_STATS(POOL_COUNTER_PREFIX(scope, final_prefix))
-              SHADOW_RBAC_FILTER_STATS(POOL_COUNTER_PREFIX(scope, final_prefix + shadow_prefix))};
+  return {
+      ENFORCE_RBAC_FILTER_STATS(POOL_COUNTER_PREFIX(scope, final_prefix + rules_prefix))
+          SHADOW_RBAC_FILTER_STATS(POOL_COUNTER_PREFIX(scope, final_prefix + shadow_rules_prefix))};
 }
 
 std::string responseDetail(const std::string& policy_id) {

diff --git a/source/extensions/filters/common/rbac/utility.h b/source/extensions/filters/common/rbac/utility.h
@@ -34,8 +34,10 @@ struct RoleBasedAccessControlFilterStats {
   SHADOW_RBAC_FILTER_STATS(GENERATE_COUNTER_STRUCT)
 };
 
-RoleBasedAccessControlFilterStats
-generateStats(const std::string& prefix, const std::string& shadow_prefix, Stats::Scope& scope);
+RoleBasedAccessControlFilterStats generateStats(const std::string& prefix,
+                                                const std::string& rules_prefix,
+                                                const std::string& shadow_rules_prefix,
+                                                Stats::Scope& scope);
 
 template <class ConfigType>
 std::unique_ptr<RoleBasedAccessControlEngine>

diff --git a/source/extensions/filters/http/rbac/rbac_filter.cc b/source/extensions/filters/http/rbac/rbac_filter.cc
@@ -61,7 +61,7 @@ RoleBasedAccessControlFilterConfig::RoleBasedAccessControlFilterConfig(
     const std::string& stats_prefix, Stats::Scope& scope,
     Server::Configuration::ServerFactoryContext& context,
     ProtobufMessage::ValidationVisitor& validation_visitor)
-    : stats_(Filters::Common::RBAC::generateStats(stats_prefix,
+    : stats_(Filters::Common::RBAC::generateStats(stats_prefix, proto_config.rules_stat_prefix(),
                                                   proto_config.shadow_rules_stat_prefix(), scope)),
       shadow_rules_stat_prefix_(proto_config.shadow_rules_stat_prefix()),
       engine_(Filters::Common::RBAC::createEngine(proto_config, context, validation_visitor,

diff --git a/source/extensions/filters/network/rbac/rbac_filter.cc b/source/extensions/filters/network/rbac/rbac_filter.cc
@@ -56,7 +56,7 @@ RoleBasedAccessControlFilterConfig::RoleBasedAccessControlFilterConfig(
     const envoy::extensions::filters::network::rbac::v3::RBAC& proto_config, Stats::Scope& scope,
     Server::Configuration::ServerFactoryContext& context,
     ProtobufMessage::ValidationVisitor& validation_visitor)
-    : stats_(Filters::Common::RBAC::generateStats(proto_config.stat_prefix(),
+    : stats_(Filters::Common::RBAC::generateStats(proto_config.stat_prefix(), "",
                                                   proto_config.shadow_rules_stat_prefix(), scope)),
       shadow_rules_stat_prefix_(proto_config.shadow_rules_stat_prefix()),
       engine_(Filters::Common::RBAC::createEngine(proto_config, context, validation_visitor,

diff --git a/source/server/BUILD b/source/server/BUILD
@@ -397,6 +397,7 @@ envoy_cc_library(
     hdrs = ["listener_manager_factory.h"],
     deps = [
         "//envoy/server:factory_context_interface",
+        "//envoy/server:instance_interface",
         "//envoy/server:listener_manager_interface",
         "//envoy/server:worker_interface",
         "//source/common/quic:quic_stat_names_lib",

diff --git a/test/common/stats/tag_extractor_impl_test.cc b/test/common/stats/tag_extractor_impl_test.cc
@@ -450,6 +450,17 @@ TEST(TagExtractorTest, DefaultTagExtractors) {
   rbac_prefix.name_ = tag_names.RBAC_PREFIX;
   rbac_prefix.value_ = "my_rbac_prefix";
   regex_tester.testRegex("my_rbac_prefix.rbac.allowed", "rbac.allowed", {rbac_prefix});
+
+  // RBAC HTTP Filter Prefix
+  Tag rbac_http_hcm_prefix;
+  rbac_http_hcm_prefix.name_ = tag_names.HTTP_CONN_MANAGER_PREFIX;
+  rbac_http_hcm_prefix.value_ = "hcm_prefix";
+
+  Tag rbac_http_prefix;
+  rbac_http_prefix.name_ = tag_names.RBAC_HTTP_PREFIX;
+  rbac_http_prefix.value_ = "prefix";
+  regex_tester.testRegex("http.hcm_prefix.rbac.prefix.allowed", "http.rbac.allowed",
+                         {rbac_http_hcm_prefix, rbac_http_prefix});
 }
 
 TEST(TagExtractorTest, ExtAuthzTagExtractors) {