http: stream error on invalid HTTP messaging for HTTP/1

[rulex123]

In this PR:

• HTTP/1.1 API is extended to allow configuration of behaviour on invalid HTTP messaging;
• codec interface is extended so that the HCM can pull value for new config from it;
• logic for behaviour on invalid HTTP messaging added in http: stream error on invalid messaging #11748 is updated to account for the new HTTP/1.1 option.
  Helps with http: require stream_error_on_invalid_http_messaging to be set for every HCM #9846.

Risk Level: high (HCM changes)
Testing: new unit tests and integration tests
Docs Changes: n/a
Release Notes: updated
Runtime guard: envoy.reloadable_features.hcm_stream_error_on_invalid_message (already introduced by #11748)

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy[\w/]*/(v1alpha\d?|v1|v2alpha\d?|v2))|(api/envoy/type/(matcher/)?\w+.proto).
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #11884 was opened by rulex123.

see: more, trace.

[alyssawilk]

Yep, good start! Next you'll want to make your new function available from the Http Connection Manager, since it only has the abstract APIs. You could also start on the codec tests paralleling mine for HTTP/2 for which value takes precedence. right now you can obviously only test yours being on and off, but once my PR lands we can do the full 4x combinations.

[alyssawilk]

you'll want to ref link to the actual hcm field - you can crib that notation from my PR as well :-)

[alyssawilk]

HTTP -> Http ?

[rulex123]

@alyssawilk I think this is ready for another look.

One question though: do we want to update the old code path for sending errors from the codec as well (

envoy/source/common/http/http1/codec_impl.cc

Line 969 in bfab9ed

void ServerConnectionImpl::sendProtocolErrorOld(absl::string_view details) {

) to terminate the connection or not based on the new config param?

[alyssawilk]

Looking good!

I think your PR needs a format check, and it'd be good to have an integration test Luckily I think Piotr wrote most of one for you
DownstreamProtocolIntegrationTest,.InvalidContentLengthAllowed
tests that for http/2 the config override results in stream reset, for HTTP/1 it results in disconnect.

You will need to change it to set the HTTP/1.1 override as well, and perhaps change the invalid message from one with invalid content length (which will trigger before the headers are complete) to some other messaging error - maybe remove the host?

[alyssawilk]

Hm, when this option is disabled, Envoy will terminate the connection, but I think you should remove reference to default behavior, since the default behavior is actually to ignore this field and use the HCM value.

[alyssawilk]

If this function is only used in one place, I'd be mildly inclined to make this utility in an unnamed namespace in the cc file, and unit test the HCM by setting explicit configs. WDYT?

[alyssawilk]

ping?

[alyssawilk]

Do we need to latch this, or can we just return parent_.stream_error_on_invalid_http_messaging_ here?

Also let's make sure this and the HTTP/1.1 function have unit tests, even if they're pretty trivial.

[mattklein123]

Thanks this LGTM modulo the comment about clarifying what is supported downstream and upstream. @alyssawilk is back from vacation so I will defer to her for final review. Thank you!

[mattklein123]

Yeah I think it would be good to call this out more in the comments and the proto documentation. The proto is a generic message that is used for both upstream and downstream, so I think it would be good to clarify that it only applies right now for downstream?

[rulex123]

@alyssawilk ping: any further feedback beside what Matt said?

[alyssawilk]

Oh ugh I'm so sorry, I thought I sent these comments out last week! thanks for the ping and sorry for the lag and late cross-codec-behavior comment

[alyssawilk]

I think you can leave out the "if not set" because the sentence above makes it clear that otherwise the HCM value is used.

[rulex123]

@alyssawilk no worries! I have reworked the code a bit to take into account your cross-codec-behavior comment. Please take another look when you get a chance :-)

[alyssawilk]

Awesome, thanks for your patience with the last minute thought! sending a few more ideas your way

[alyssawilk]

sorry, for any ocnfusion, I was suggesting taking out this line and following.

[alyssawilk]

update comment to remove "if value is missing, then HCM drives behaviour on invalid HTTP messaging."

[alyssawilk]

I think this function just return the override_stream_error if set, and if not returns the HCM value no?

[rulex123]

Hm, isn't it the case that when this function is called the HCM value hasn't been initialised to its default value yet (in case of no explicit configuration)? See

envoy/source/extensions/filters/network/http_connection_manager/config.cc

Lines 233 to 234 in c555587

	stream_error_on_invalid_http_messaging_(
	PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, stream_error_on_invalid_http_message, false)),

I guess we could move that initialisation so that it happens earlier, and then simplify this function as per your comment. WDYT?

[alyssawilk]

ah, I see what your concern is, but I believe (and you can unit test) that the default value for BoolValue is false, and the default for stream_error_on_invalid_http_messaging_ is false, so you should just be able to set the default to config.override_stream_error_on_invalid_http_message().value() even if it's not set.

[alyssawilk]

Looks great - just a few final comments :-)

[alyssawilk]

ah, I see what your concern is, but I believe (and you can unit test) that the default value for BoolValue is false, and the default for stream_error_on_invalid_http_messaging_ is false, so you should just be able to set the default to config.override_stream_error_on_invalid_http_message().value() even if it's not set.

[alyssawilk]

Since these are always opposite I think you can just have one boolean, stream_error_in_invalid_messaging and make sure that the connection is terminated if !stream_error

[alyssawilk]

I think you can move these to
TEST_P(IntegrationTest,...)
and then it won't kick off a test run for downstream HTTP/2

[rulex123]

@alyssawilk ping: any further comments or feedback? Would love to wrap this up this week if possible :-)

[alyssawilk]

over to Matt for API sign off.

[mattklein123]

Thank you, especially for the lengthy review cycle. This stuff is tricky to get right!