Merge remote-tracking branch 'upstream/master' into binary-lua-b64-en…

…code

* upstream/master:
  lint: add more linters for using absl:: over std:: (envoyproxy#13043)
  udpa: filesystem list collection support for inline entries. (envoyproxy#13028)
  filter: http: jwt: implement matching for HTTP CONNECT (envoyproxy#13064)
  [fuzz] split http filter logic into a fuzzing class (envoyproxy#13016)
  xds: allow empty delta update (envoyproxy#12699)
  CacheFilter: parses the allowed_vary_headers from the cache config. (envoyproxy#12928)
  router: extend HTTP CONNECT route matching criteria (envoyproxy#13056)
  docs: clarify use of Extended CONNECT for h/2 (envoyproxy#13051)
  build: shellcheck tools/ (envoyproxy#13007)
  [fuzz] Refactored Health Checker Impl Tests (envoyproxy#13017)

Signed-off-by: Lihao Luo <[email protected]>

api/envoy/config/filter/http/cache/v2alpha/cache.proto

@@ -48,17 +48,14 @@ message CacheConfig {
   // Config specific to the cache storage implementation.
   google.protobuf.Any typed_config = 1 [(validate.rules).any = {required: true}];
 
-  // [#not-implemented-hide:]
-  // <TODO(toddmgreer) implement *vary* headers>
-  //
-  // List of allowed *Vary* headers.
+  // List of matching rules that defines allowed *Vary* headers.
   //
   // The *vary* response header holds a list of header names that affect the
   // contents of a response, as described by
   // https://httpwg.org/specs/rfc7234.html#caching.negotiated.responses.
   //
   // During insertion, *allowed_vary_headers* acts as a allowlist: if a
-  // response's *vary* header mentions any header names that aren't in
+  // response's *vary* header mentions any header names that aren't matched by any rules in
   // *allowed_vary_headers*, that response will not be cached.
   //
   // During lookup, *allowed_vary_headers* controls what request headers will be

api/envoy/config/listener/v3/listener.proto

@@ -33,7 +33,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // Listener list collections. Entries are *Listener* resources or references.
 // [#not-implemented-hide:]
 message ListenerCollection {
-  udpa.core.v1.CollectionEntry entries = 1;
+  repeated udpa.core.v1.CollectionEntry entries = 1;
 }
 
 // [#next-free-field: 25]

api/envoy/config/route/v3/route_components.proto

@@ -440,7 +440,7 @@ message RouteMatch {
     // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style
     // upgrades.
     // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2,
-    // where CONNECT requests may have a path, the path matchers will work if
+    // where Extended CONNECT requests may have a path, the path matchers will work if
     // there is a path present.
     // Note that CONNECT support is currently considered alpha in Envoy.
     // [#comment:TODO(htuch): Replace the above comment with an alpha tag.

api/envoy/extensions/filters/http/cache/v3alpha/cache.proto

@@ -52,17 +52,14 @@ message CacheConfig {
   // Config specific to the cache storage implementation.
   google.protobuf.Any typed_config = 1 [(validate.rules).any = {required: true}];
 
-  // [#not-implemented-hide:]
-  // <TODO(toddmgreer) implement *vary* headers>
-  //
-  // List of allowed *Vary* headers.
+  // List of matching rules that defines allowed *Vary* headers.
   //
   // The *vary* response header holds a list of header names that affect the
   // contents of a response, as described by
   // https://httpwg.org/specs/rfc7234.html#caching.negotiated.responses.
   //
   // During insertion, *allowed_vary_headers* acts as a allowlist: if a
-  // response's *vary* header mentions any header names that aren't in
+  // response's *vary* header mentions any header names that aren't matched by any rules in
   // *allowed_vary_headers*, that response will not be cached.
   //
   // During lookup, *allowed_vary_headers* controls what request headers will be

docs/root/intro/arch_overview/http/upgrades.rst

@@ -48,7 +48,7 @@ a deployment of the form:
 In this case, if a client is for example using WebSocket, we want the Websocket to arrive at the
 upstream server functionally intact, which means it needs to traverse the HTTP/2 hop.
 
-This is accomplished via `extended CONNECT <https://tools.ietf.org/html/rfc8441>`_ support,
+This is accomplished via `Extended CONNECT (RFC8441) <https://tools.ietf.org/html/rfc8441>`_ support,
 turned on by setting :ref:`allow_connect <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.allow_connect>`
 true at the second layer Envoy. The
 WebSocket request will be transformed into an HTTP/2 CONNECT stream, with :protocol header
@@ -85,7 +85,7 @@ and forward the HTTP payload upstream. On receipt of initial TCP data from upstr
 will synthesize 200 response headers, and then forward the TCP data as the HTTP response body.
 
 .. warning::
-  This mode of CONNECT support can create major security holes if configured correctly, as the upstream
+  This mode of CONNECT support can create major security holes if not configured correctly, as the upstream
   will be forwarded *unsanitized* headers if they are in the body payload. Please use with caution
 
 Tunneling TCP over HTTP/2

include/envoy/config/subscription_factory.h

@@ -28,6 +28,27 @@ class SubscriptionFactory {
                                absl::string_view type_url, Stats::Scope& scope,
                                SubscriptionCallbacks& callbacks,
                                OpaqueResourceDecoder& resource_decoder) PURE;
+
+  /**
+   * Collection subscription factory interface for UDPA URLs.
+   *
+   * @param collection_locator collection resource locator.
+   * @param config envoy::config::core::v3::ConfigSource for authority resolution.
+   * @param type_url type URL for the resources inside the collection.
+   * @param scope stats scope for any stats tracked by the subscription.
+   * @param callbacks the callbacks needed by all [Collection]Subscription objects, to deliver
+   *                  config updates. The callbacks must not result in the deletion of the
+   *                  CollectionSubscription object.
+   * @param resource_decoder how incoming opaque resource objects are to be decoded.
+   *
+   * @return SubscriptionPtr subscription object corresponding for collection_locator.
+   */
+  virtual SubscriptionPtr
+  collectionSubscriptionFromUrl(const udpa::core::v1::ResourceLocator& collection_locator,
+                                const envoy::config::core::v3::ConfigSource& config,
+                                absl::string_view type_url, Stats::Scope& scope,
+                                SubscriptionCallbacks& callbacks,
+                                OpaqueResourceDecoder& resource_decoder) PURE;
 };
 
 } // namespace Config

include/envoy/server/listener_manager.h

@@ -58,8 +58,10 @@ class ListenerComponentFactory {
   /**
    * @return an LDS API provider.
    * @param lds_config supplies the management server configuration.
+   * @param lds_resources_locator udpa::core::v1::ResourceLocator for listener collection.
    */
-  virtual LdsApiPtr createLdsApi(const envoy::config::core::v3::ConfigSource& lds_config) PURE;
+  virtual LdsApiPtr createLdsApi(const envoy::config::core::v3::ConfigSource& lds_config,
+                                 const udpa::core::v1::ResourceLocator* lds_resources_locator) PURE;
 
   /**
    * Creates a socket.
@@ -167,8 +169,10 @@ class ListenerManager {
    * during server initialization because the listener manager is created prior to several core
    * pieces of the server existing.
    * @param lds_config supplies the management server configuration.
+   * @param lds_resources_locator udpa::core::v1::ResourceLocator for listener collection.
    */
-  virtual void createLdsApi(const envoy::config::core::v3::ConfigSource& lds_config) PURE;
+  virtual void createLdsApi(const envoy::config::core::v3::ConfigSource& lds_config,
+                            const udpa::core::v1::ResourceLocator* lds_resources_locator) PURE;
 
   /**
    * @param state the type of listener to be returned (defaults to ACTIVE), states can be OR'd

source/common/common/fmt.h

@@ -12,8 +12,8 @@ namespace fmt {
 
 // Provide an implementation of formatter for fmt::format that allows absl::string_view to be
 // formatted with the same format specifiers available to std::string.
-// TODO(zuercher): Once absl::string_view is replaced with std::string_view, this can be removed
-// as fmtlib handles std::string_view natively.
+// TODO(zuercher): Once absl::string_view is replaced with the std type, this can be removed
+// as fmtlib handles string_view natively.
 // NOLINTNEXTLINE(readability-identifier-naming)
 template <> struct formatter<absl::string_view> : formatter<string_view> {
   auto format(absl::string_view absl_string_view, fmt::format_context& ctx) -> decltype(ctx.out()) {

source/common/config/BUILD

@@ -66,6 +66,7 @@ envoy_cc_library(
     deps = [
         "//include/envoy/config:subscription_interface",
         "//source/common/protobuf:utility_lib",
+        "@com_github_cncf_udpa//udpa/core/v1:pkg_cc_proto",
     ],
 )
 
@@ -303,11 +304,13 @@ envoy_cc_library(
         ":http_subscription_lib",
         ":new_grpc_mux_lib",
         ":type_to_endpoint_lib",
+        ":udpa_resource_lib",
         ":utility_lib",
         "//include/envoy/config:subscription_factory_interface",
         "//include/envoy/config:subscription_interface",
         "//include/envoy/upstream:cluster_manager_interface",
         "//source/common/common:minimal_logger_lib",
+        "//source/common/http:utility_lib",
         "//source/common/protobuf",
         "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],

source/common/config/decoded_resource_impl.h

@@ -4,6 +4,8 @@
 
 #include "common/protobuf/utility.h"
 
+#include "udpa/core/v1/collection_entry.pb.h"
+
 namespace Envoy {
 namespace Config {
 
@@ -28,6 +30,11 @@ class DecodedResourceImpl : public DecodedResource {
                       const envoy::service::discovery::v3::Resource& resource)
       : DecodedResourceImpl(resource_decoder, resource.name(), resource.aliases(),
                             resource.resource(), resource.has_resource(), resource.version()) {}
+  DecodedResourceImpl(OpaqueResourceDecoder& resource_decoder,
+                      const udpa::core::v1::CollectionEntry::InlineEntry& inline_entry)
+      : DecodedResourceImpl(resource_decoder, inline_entry.name(),
+                            Protobuf::RepeatedPtrField<std::string>(), inline_entry.resource(),
+                            true, inline_entry.version()) {}
   DecodedResourceImpl(ProtobufTypes::MessagePtr resource, const std::string& name,
                       const std::vector<std::string>& aliases, const std::string& version)
       : resource_(std::move(resource)), has_resource_(true), name_(name), aliases_(aliases),
@@ -64,11 +71,15 @@ struct DecodedResourcesWrapper {
                           const Protobuf::RepeatedPtrField<ProtobufWkt::Any>& resources,
                           const std::string& version) {
     for (const auto& resource : resources) {
-      owned_resources_.emplace_back(new DecodedResourceImpl(resource_decoder, resource, version));
-      refvec_.emplace_back(*owned_resources_.back());
+      pushBack(std::make_unique<DecodedResourceImpl>(resource_decoder, resource, version));
     }
   }
 
+  void pushBack(Config::DecodedResourcePtr&& resource) {
+    owned_resources_.push_back(std::move(resource));
+    refvec_.emplace_back(*owned_resources_.back());
+  }
+
   std::vector<Config::DecodedResourcePtr> owned_resources_;
   std::vector<Config::DecodedResourceRef> refvec_;
 };