Merge remote-tracking branch 'upstream/master' into tcp_grpc_als

.azure-pipelines/linux.yml

@@ -10,6 +10,8 @@ jobs:
         CI_TARGET: 'bazel.gcc'
       compile_time_options:
         CI_TARGET: 'bazel.compile_time_options'
+      fuzz:
+        CI_TARGET: 'bazel.fuzz'
   dependsOn: [] # this removes the implicit dependency on previous stage and causes this to run in parallel.
   timeoutInMinutes: 360
   pool:

.bazelrc

@@ -13,6 +13,7 @@ startup --host_jvm_args=-Xmx2g
 build --workspace_status_command=bazel/get_workspace_status
 build --experimental_remap_main_repo
 build --experimental_local_memory_estimate
+build --experimental_strict_action_env=true
 build --host_force_python=PY2
 build --action_env=BAZEL_LINKLIBS=-l%:libstdc++.a
 build --action_env=BAZEL_LINKOPTS=-lm:-static-libgcc
@@ -144,4 +145,6 @@ build:remote-ci --remote_executor=grpcs://remotebuildexecution.googleapis.com
 build:asan-fuzzer --config=asan
 build:asan-fuzzer --define=FUZZING_ENGINE=libfuzzer
 build:asan-fuzzer --copt=-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
-build:asan-fuzzer --copt=-fsanitize-coverage=trace-pc-guard
+build:asan-fuzzer --copt=-fsanitize-coverage=trace-pc-guard
+# Remove UBSAN halt_on_error to avoid crashing on protobuf errors.
+build:asan-fuzzer --test_env=UBSAN_OPTIONS=print_stacktrace=1

CODEOWNERS

@@ -26,6 +26,8 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/filters/http/header_to_metadata @rgs1 @zuercher
 # alts transport socket extension
 /*/extensions/transport_sockets/alts @htuch @yangminzhu
+# tls transport socket extension
+/*/extensions/transport_sockets/tls @PiotrSikora @lizan
 # sni_cluster extension
 /*/extensions/filters/network/sni_cluster @rshriram @lizan
 # tracers.datadog extension
@@ -51,3 +53,5 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/filters/http/adaptive_concurrency @tonya11en @mattklein123
 # http inspector
 /*/extensions/filters/listener/http_inspector @crazyxy @PiotrSikora @lizan
+# attribute context
+/*/extensions/filters/common/expr @kyessenov @yangminzhu

CONTRIBUTING.md

@@ -72,7 +72,11 @@ maximize the chances of your PR being merged.
   could convert from the earlier API to the new API. A field may be deprecated
   if this tool would be able to perform the conversion. For example, removing a
   field to describe HTTP/2 window settings is valid if a more comprehensive
-  HTTP/2 protocol options field is being introduced to replace it.
+  HTTP/2 protocol options field is being introduced to replace it. The PR author
+  deprecating the old configuration is responsible for updating all tests and
+  canonical configuration, or guarding them with the DEPRECATED_FEATURE_TEST() macro.
+  This will be validated by the bazel.compile_time_options target, which will hard-fail when
+  deprecated configuration is used.
 * For configuration deprecations that are not covered by the above semantic
   replacement policy, any deprecation will only take place after
   community consultation on mailing lists, Slack and GitHub, over the period of

SECURITY.md

@@ -217,11 +217,25 @@ issue fixed for your respective distribution's users.
 Before any information from the list is shared with respective members of your team required to fix
 said issue, they must agree to the same terms and only find out information on a need-to-know basis.
 
+We typically expect a single point-of-contact (PoC) at any given legal entity. Within the
+organization, it is the responsibility of the PoC to share CVE and related patches internally. This
+should be performed on a strictly need-to-know basis with affected groups to the extent that this is
+technically plausible. All teams should be aware of the embargo conditions and accept them.
+Ultimately, if an organization breaks embargo transitively through such sharing, they will lose
+the early disclosure privilege, so it's in their best interest to carefully share information internally,
+following best practices and use their judgement in balancing the tradeoff between protecting users
+and maintaining confidentiality.
+
 The embargo applies to information shared, source code and binary images. **It is a violation of the
 embargo policy to share binary distributions of the security fixes before the public release date.**
 This includes, but is not limited to, Envoy binaries and Docker images. It is expected that
 distributors have a method to stage and validate new binaries without exposing them publicly.
 
+If the information shared is under embargo from a third party, where Envoy is one of many projects
+that a disclosure is shared with, it is critical to consider that the ramifications of any leak will
+extend beyond the Envoy community and will leave us in a position in which we will be less likely to
+receive embargoed reports in the future.
+
 In the unfortunate event you share the information beyond what is allowed by this policy, you _must_
 urgently inform the envoy-security@googlegroups.com mailing list of exactly what information leaked
 and to whom. A retrospective will take place after the leak so we can assess how to prevent making the

api/bazel/api_build_system.bzl

@@ -23,13 +23,13 @@ def _LibrarySuffix(library_name, suffix):
 # TODO(htuch): Convert this to native py_proto_library once
 # https://github.com/bazelbuild/bazel/issues/3935 and/or
 # https://github.com/bazelbuild/bazel/issues/2626 are resolved.
-def api_py_proto_library(name, srcs = [], deps = [], has_services = 0):
+def api_py_proto_library(name, srcs = [], deps = [], external_py_proto_deps = [], has_services = 0):
     _py_proto_library(
         name = _Suffix(name, _PY_SUFFIX),
         srcs = srcs,
         default_runtime = "@com_google_protobuf//:protobuf_python",
         protoc = "@com_google_protobuf//:protoc",
-        deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + [
+        deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + external_py_proto_deps + [
             "@com_envoyproxy_protoc_gen_validate//validate:validate_py",
             "@com_google_googleapis//google/rpc:status_py_proto",
             "@com_google_googleapis//google/api:annotations_py_proto",
@@ -116,6 +116,7 @@ def api_proto_library(
         deps = [],
         external_proto_deps = [],
         external_cc_proto_deps = [],
+        external_py_proto_deps = [],
         has_services = 0,
         linkstatic = None,
         require_py = 1):
@@ -152,7 +153,7 @@ def api_proto_library(
     )
     py_export_suffixes = []
     if (require_py == 1):
-        api_py_proto_library(name, srcs, deps, has_services)
+        api_py_proto_library(name, srcs, deps, external_py_proto_deps, has_services)
         py_export_suffixes = ["_py", "_py_genproto"]
 
     # Allow unlimited visibility for consumers

api/envoy/admin/v2alpha/server_info.proto

@@ -53,8 +53,11 @@ message CommandLineOptions {
   // See :option:`--config-yaml` for details.
   string config_yaml = 4;
 
-  // See :option:`--allow-unknown-fields` for details.
-  bool allow_unknown_fields = 5;
+  // See :option:`--allow-unknown-static-fields` for details.
+  bool allow_unknown_static_fields = 5;
+
+  // See :option:`--reject-unknown-dynamic-fields` for details.
+  bool reject_unknown_dynamic_fields = 26;
 
   // See :option:`--admin-address-path` for details.
   string admin_address_path = 6;

api/envoy/api/v2/auth/cert.proto

@@ -10,6 +10,8 @@ option go_package = "auth";
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/config_source.proto";
 
+import "google/protobuf/any.proto";
+import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
@@ -102,13 +104,38 @@ message TlsParameters {
   repeated string ecdh_curves = 4;
 }
 
+// BoringSSL private key method configuration. The private key methods are used for external
+// (potentially asynchronous) signing and decryption operations. Some use cases for private key
+// methods would be TPM support and TLS acceleration.
+message PrivateKeyProvider {
+  // Private key method provider name. The name must match a
+  // supported private key method provider type.
+  string provider_name = 1 [(validate.rules).string.min_bytes = 1];
+
+  // Private key method provider specific configuration.
+  oneof config_type {
+    google.protobuf.Struct config = 2;
+
+    google.protobuf.Any typed_config = 3;
+  }
+}
+
 message TlsCertificate {
   // The TLS certificate chain.
   core.DataSource certificate_chain = 1;
 
   // The TLS private key.
   core.DataSource private_key = 2;
 
+  // BoringSSL private key method provider. This is an alternative to :ref:`private_key
+  // <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
+  // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
+  // <envoy_api_field_auth.TlsCertificate.private_key>` and
+  // :ref:`private_key_provider
+  // <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an
+  // error.
+  PrivateKeyProvider private_key_provider = 6;
+
   // The password to decrypt the TLS private key. If this field is not set, it is assumed that the
   // TLS private key is not password encrypted.
   core.DataSource password = 3;

api/envoy/api/v2/listener/listener.proto

@@ -188,6 +188,11 @@ message FilterChain {
 
   // See :ref:`base.TransportSocket<envoy_api_msg_core.TransportSocket>` description.
   core.TransportSocket transport_socket = 6;
+
+  // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no
+  // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter
+  // chain is to be dynamically updated or removed via FCDS a unique name must be provided.
+  string name = 7;
 }
 
 message ListenerFilter {

api/envoy/api/v2/route/route.proto

@@ -562,7 +562,8 @@ message RouteAction {
 
   // Specifies the upstream timeout for the route. If not specified, the default is 15s. This
   // spans between the point at which the entire downstream request (i.e. end-of-stream) has been
-  // processed and when the upstream response has been completely processed.
+  // processed and when the upstream response has been completely processed. A value of 0 will
+  // disable the route's timeout.
   //
   // .. note::
   //

api/envoy/config/accesslog/v2/BUILD

@@ -1,4 +1,4 @@
-load("@envoy_api//bazel:api_build_system.bzl", "api_proto_library_internal")
+load("@envoy_api//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library_internal")
 
 licenses(["notice"])  # Apache 2
 
@@ -14,3 +14,9 @@ api_proto_library_internal(
     name = "file",
     srcs = ["file.proto"],
 )
+
+api_go_proto_library(
+    name = "als",
+    proto = ":als",
+    deps = ["//envoy/api/v2/core:grpc_service_go_proto"],
+)

api/envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -72,6 +72,20 @@ message ExtAuthz {
   // Sets the HTTP status that is returned to the client when there is a network error between the
   // filter and the authorization server. The default status is HTTP 403 Forbidden.
   envoy.type.HttpStatus status_on_error = 7;
+
+  // Specifies a list of metadata namespaces whose values, if present, will be passed to the
+  // ext_authz service as an opaque *protobuf::Struct*.
+  //
+  // For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
+  // <envoy_api_field_config.filter.http.jwt_authn.v2alpha.JwtProvider.payload_in_metadata>` is set,
+  // then the following will pass the jwt payload to the authorization server.
+  //
+  // .. code-block:: yaml
+  //
+  //    metadata_context_namespaces:
+  //    - envoy.filters.http.jwt_authn
+  //
+  repeated string metadata_context_namespaces = 8;
 }
 
 // Configuration for buffering the request data.

api/envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto

@@ -90,6 +90,29 @@ message RedisProxy {
     // this limit, then redirection will fail and the original redirection error will be passed
     // downstream unchanged. This limit defaults to 100.
     google.protobuf.UInt32Value max_upstream_unknown_connections = 6;
+
+    // ReadPolicy controls how Envoy routes read commands to Redis nodes. This is currently
+    // supported for Redis Cluster. All ReadPolicy settings except MASTER may return stale data
+    // because replication is asynchronous and requires some delay. You need to ensure that your
+    // application can tolerate stale data.
+    enum ReadPolicy {
+      // Default mode. Read from the current master node.
+      MASTER = 0;
+      // Read from the master, but if it is unavailable, read from replica nodes.
+      PREFER_MASTER = 1;
+      // Read from replica nodes. If multiple replica nodes are present within a shard, a random
+      // node is selected. Healthy nodes have precedent over unhealthy nodes.
+      REPLICA = 2;
+      // Read from the replica nodes (similar to REPLICA), but if all replicas are unavailable (not
+      // present or unhealthy), read from the master.
+      PREFER_REPLICA = 3;
+      // Read from any node of the cluster. A random node is selected among the master and replicas,
+      // healthy nodes have precedent over unhealthy nodes.
+      ANY = 4;
+    }
+
+    // Read policy. The default is to read from the master.
+    ReadPolicy read_policy = 7 [(validate.rules).enum.defined_only = true];
   }
 
   // Network settings for the connection pool to the upstream clusters.
@@ -210,4 +233,4 @@ message RedisProtocolOptions {
   // Upstream server password as defined by the `requirepass directive
   // <https://redis.io/topics/config>`_ in the server's configuration file.
   envoy.api.v2.core.DataSource auth_password = 1;
-}
+}

api/envoy/config/filter/network/tcp_proxy/v2/BUILD

@@ -1,4 +1,4 @@
-load("@envoy_api//bazel:api_build_system.bzl", "api_proto_library_internal")
+load("@envoy_api//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library_internal")
 
 licenses(["notice"])  # Apache 2
 
@@ -11,3 +11,13 @@ api_proto_library_internal(
         "//envoy/config/filter/accesslog/v2:accesslog",
     ],
 )
+
+api_go_proto_library(
+    name = "tcp_proxy",
+    proto = ":tcp_proxy",
+    deps = [
+        "//envoy/api/v2/core:address_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
+        "//envoy/config/filter/accesslog/v2:accesslog_go_proto",
+    ],
+)

api/envoy/config/rbac/v2/BUILD

@@ -5,6 +5,15 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_go_proto_library", "api_prot
 api_proto_library_internal(
     name = "rbac",
     srcs = ["rbac.proto"],
+    external_cc_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_cc_proto",
+    ],
+    external_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
+    ],
+    external_py_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_py_proto",
+    ],
     visibility = ["//visibility:public"],
     deps = [
         "//envoy/api/v2/core:address",
@@ -22,5 +31,6 @@ api_go_proto_library(
         "//envoy/api/v2/route:route_go_proto",
         "//envoy/type/matcher:metadata_go_proto",
         "//envoy/type/matcher:string_go_proto",
+        "@com_google_googleapis//google/api/expr/v1alpha1:cel_go_proto",
     ],
 )

api/envoy/config/rbac/v2/rbac.proto

@@ -7,6 +7,8 @@ import "envoy/api/v2/route/route.proto";
 import "envoy/type/matcher/metadata.proto";
 import "envoy/type/matcher/string.proto";
 
+import "google/api/expr/v1alpha1/syntax.proto";
+
 package envoy.config.rbac.v2;
 
 option java_outer_classname = "RbacProto";
@@ -81,7 +83,7 @@ message RBAC {
 
 // Policy specifies a role and the principals that are assigned/denied the role. A policy matches if
 // and only if at least one of its permissions match the action taking place AND at least one of its
-// principals match the downstream.
+// principals match the downstream AND the condition is true if specified.
 message Policy {
   // Required. The set of permissions that define a role. Each permission is matched with OR
   // semantics. To match all actions for this policy, a single Permission with the `any` field set
@@ -92,6 +94,10 @@ message Policy {
   // principal is matched with OR semantics. To match all downstreams for this policy, a single
   // Principal with the `any` field set to true should be used.
   repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1];
+
+  // An optional symbolic expression specifying an access control condition.
+  // The condition is combined with AND semantics.
+  google.api.expr.v1alpha1.Expr condition = 3;
 }
 
 // Permission defines an action (or actions) that a principal can take.
@@ -170,8 +176,9 @@ message Principal {
     reserved 1;
     reserved "name";
 
-    // The name of the principal. If set, The URI SAN is used from the certificate, otherwise the
-    // subject field is used. If unset, it applies to any user that is authenticated.
+    // The name of the principal. If set, The URI SAN or DNS SAN in that order is used from the
+    // certificate, otherwise the subject field is used. If unset, it applies to any user that is
+    // authenticated.
     envoy.type.matcher.StringMatcher principal_name = 2;
   }
 

api/envoy/service/auth/v2/attribute_context.proto

@@ -7,6 +7,7 @@ option java_multiple_files = true;
 option java_package = "io.envoyproxy.envoy.service.auth.v2";
 
 import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/timestamp.proto";
 import "gogoproto/gogo.proto";
@@ -49,8 +50,8 @@ message AttributeContext {
     // The authenticated identity of this peer.
     // For example, the identity associated with the workload such as a service account.
     // If an X.509 certificate is used to assert the identity this field should be sourced from
-    // `Subject` or `Subject Alternative Names`. The primary identity should be the principal.
-    // The principal format is issuer specific.
+    // `URI Subject Alternative Names`, `DNS Subject Alternate Names` or `Subject` in that order.
+    // The primary identity should be the principal. The principal format is issuer specific.
     //
     // Example:
     // *    SPIFFE format is `spiffe://trust-domain/path`
@@ -135,6 +136,9 @@ message AttributeContext {
   // information to the auth server without modifying the proto definition. It maps to the
   // internal opaque context in the filter chain.
   map<string, string> context_extensions = 10;
+
+  // Dynamic metadata associated with the request.
+  envoy.api.v2.core.Metadata metadata_context = 11;
 }
 
 // The following items are left out of this proto

bazel/BUILD

@@ -120,6 +120,11 @@ config_setting(
     values = {"define": "object_dump_on_signal_trace=disabled"},
 )
 
+config_setting(
+    name = "disable_deprecated_features",
+    values = {"define": "deprecated_features=disabled"},
+)
+
 config_setting(
     name = "disable_hot_restart",
     values = {"define": "hot_restart=disabled"},