Merge from master to firebase

.bazelrc.jenkins

@@ -0,0 +1,8 @@
+# This is from Bazel's former travis setup, to avoid blowing up the RAM usage.
+startup --host_jvm_args=-Xmx8192m
+startup --host_jvm_args=-Xms8192m
+startup --batch
+
+# This is so we understand failures better
+build --verbose_failures
+

.gitignore

@@ -1 +1,3 @@
 /bazel-*
+.idea/*
+*.iml

.travis.yml

@@ -1,6 +1,10 @@
 sudo: required
 dist: xenial
 
+branches:
+  except:
+  - stable
+
 lang: go
 
 go:

Jenkinsfile

@@ -0,0 +1,65 @@
+#!groovy
+
+@Library('testutils')
+
+import org.istio.testutils.Utilities
+import org.istio.testutils.GitUtilities
+import org.istio.testutils.Bazel
+
+// Utilities shared amongst modules
+def gitUtils = new GitUtilities()
+def utils = new Utilities()
+def bazel = new Bazel()
+
+mainFlow(utils) {
+  pullRequest(utils) {
+    node {
+      gitUtils.initialize()
+      // Proxy does build work correctly with Hazelcast.
+      // Must use .bazelrc.jenkins
+      bazel.setVars('', '')
+    }
+
+    if (utils.runStage('PRESUBMIT')) {
+      presubmit(gitUtils, bazel)
+    }
+    if (utils.runStage('POSTSUBMIT')) {
+      postsubmit(gitUtils, bazel, utils)
+    }
+  }
+}
+
+def presubmit(gitUtils, bazel) {
+  buildNode(gitUtils) {
+    stage('Code Check') {
+      sh('script/check-style')
+    }
+    bazel.updateBazelRc()
+    stage('Bazel Fetch') {
+      bazel.fetch('-k //...')
+    }
+    stage('Bazel Build') {
+      bazel.build('//...')
+    }
+    stage('Bazel Tests') {
+      bazel.test('//...')
+    }
+    stage('Push Test Binary') {
+      sh 'script/release-binary'
+    }
+  }
+}
+
+def postsubmit(gitUtils, bazel, utils) {
+  buildNode(gitUtils) {
+    bazel.updateBazelRc()
+    stage('Push Binary') {
+      sh 'script/release-binary'
+    }
+    stage('Docker Push') {
+      def images = 'proxy,proxy_debug'
+      def tags = "${gitUtils.GIT_SHORT_SHA},\$(date +%Y-%m-%d-%H.%M.%S),latest"
+      utils.publishDockerImages(images, tags, 'release')
+    }
+  }
+}

WORKSPACE

@@ -31,16 +31,20 @@ googletest_repositories()
 load(
     "//contrib/endpoints:repositories.bzl",
     "grpc_repositories",
-    "mixer_client_repositories",
     "servicecontrol_client_repositories",
 )
 
 grpc_repositories()
 
-mixer_client_repositories()
-
 servicecontrol_client_repositories()
 
+load(
+    "//src/envoy/mixer:repositories.bzl",
+    "mixer_client_repositories",
+)
+
+mixer_client_repositories()
+
 # Workaround for Bazel > 0.4.0 since it needs newer protobuf.bzl from:
 # https://github.com/google/protobuf/pull/2246
 # Do not use this git_repository for anything else than protobuf.bzl
@@ -65,3 +69,30 @@ load(
 )
 
 envoy_repositories()
+
+new_http_archive(
+    name = "docker_ubuntu",
+    build_file_content = """
+load("@bazel_tools//tools/build_defs/docker:docker.bzl", "docker_build")
+docker_build(
+  name = "xenial",
+  tars = ["xenial/ubuntu-xenial-core-cloudimg-amd64-root.tar.gz"],
+  visibility = ["//visibility:public"],
+)
+""",
+    sha256 = "de31e6fcb843068965de5945c11a6f86399be5e4208c7299fb7311634fb41943",
+    strip_prefix = "docker-brew-ubuntu-core-e406914e5f648003dfe8329b512c30c9ad0d2f9c",
+    type = "zip",
+    url = "https://codeload.github.com/tianon/docker-brew-ubuntu-core/zip/e406914e5f648003dfe8329b512c30c9ad0d2f9c",
+)
+
+
+DEBUG_BASE_IMAGE_SHA="3f57ae2aceef79e4000fb07ec850bbf4bce811e6f81dc8cfd970e16cdf33e622"
+
+# See github.com/istio/manager/blob/master/docker/debug/build-and-publish-debug-image.sh
+# for instructions on how to re-build and publish this base image layer.
+http_file(
+    name = "ubuntu_xenial_debug",
+    url = "https://storage.googleapis.com/istio-build/manager/ubuntu_xenial_debug-" + DEBUG_BASE_IMAGE_SHA + ".tar.gz",
+    sha256 = DEBUG_BASE_IMAGE_SHA,
+)

contrib/endpoints/repositories.bzl

@@ -163,7 +163,7 @@ def grpc_repositories(bind=True):
 
     native.git_repository(
         name = "grpc_git",
-        commit = "d28417c856366df704200f544e72d31056931bce",
+        commit = "bb3edafea245a9780cc4c10f0b58da21e8193f38", # v1.1.1
         remote = "https://github.com/grpc/grpc.git",
     )
 
@@ -190,7 +190,7 @@ def grpc_repositories(bind=True):
 
         native.bind(
             name = "grpc_lib",
-            actual = "@grpc_git//:grpc++_reflection",
+            actual = "@grpc_git//:grpc++_codegen_proto",
         )
 
 def googleapis_repositories(protobuf_repo="@protobuf_git//", bind=True):
@@ -335,16 +335,3 @@ def servicecontrol_client_repositories(bind=True):
             name = "servicecontrol_client",
             actual = "@servicecontrol_client_git//:service_control_client_lib",
         )
-
-def mixer_client_repositories(bind=True):
-    native.git_repository(
-        name = "mixerclient_git",
-        commit = "80e450a5126960e8e6337c3631cf2ef984038eab",
-        remote = "https://github.com/istio/mixerclient.git",
-    )
-
-    if bind:
-        native.bind(
-            name = "mixer_client_lib",
-            actual = "@mixerclient_git//:mixer_client_lib",
-        )

contrib/endpoints/src/api_manager/auth/lib/auth_jwt_validator.cc

@@ -150,6 +150,8 @@ class JwtValidatorImpl : public JwtValidator {
   RSA *rsa_;
   EVP_PKEY *pkey_;
   EVP_MD_CTX *md_ctx_;
+
+  grpc_exec_ctx exec_ctx_;
 };
 
 // Gets EVP_MD mapped from an alg (algorithm string).
@@ -159,12 +161,12 @@ const EVP_MD *EvpMdFromAlg(const char *alg);
 size_t HashSizeFromAlg(const char *alg);
 
 // Parses str into grpc_json object. Does not own buffer.
-grpc_json *DecodeBase64AndParseJson(const char *str, size_t len,
-                                    gpr_slice *buffer);
+grpc_json *DecodeBase64AndParseJson(grpc_exec_ctx *exec_ctx, const char *str,
+                                    size_t len, gpr_slice *buffer);
 
 // Gets BIGNUM from b64 string, used for extracting pkey from jwk.
 // Result owned by rsa_.
-BIGNUM *BigNumFromBase64String(const char *b64);
+BIGNUM *BigNumFromBase64String(grpc_exec_ctx *exec_ctx, const char *b64);
 
 }  // namespace
 
@@ -185,7 +187,8 @@ JwtValidatorImpl::JwtValidatorImpl(const char *jwt, size_t jwt_len)
       x509_(nullptr),
       rsa_(nullptr),
       pkey_(nullptr),
-      md_ctx_(nullptr) {
+      md_ctx_(nullptr),
+      exec_ctx_(GRPC_EXEC_CTX_INIT) {
   header_buffer_ = gpr_empty_slice();
   signed_buffer_ = gpr_empty_slice();
   sig_buffer_ = gpr_empty_slice();
@@ -204,7 +207,7 @@ JwtValidatorImpl::~JwtValidatorImpl() {
     grpc_json_destroy(pkey_json_);
   }
   if (claims_ != nullptr) {
-    grpc_jwt_claims_destroy(claims_);
+    grpc_jwt_claims_destroy(&exec_ctx_, claims_);
   }
   if (!GPR_SLICE_IS_EMPTY(header_buffer_)) {
     gpr_slice_unref(header_buffer_);
@@ -304,7 +307,8 @@ grpc_jwt_verifier_status JwtValidatorImpl::ParseImpl() {
   if (dot == nullptr) {
     return GRPC_JWT_VERIFIER_BAD_FORMAT;
   }
-  header_json_ = DecodeBase64AndParseJson(cur, dot - cur, &header_buffer_);
+  header_json_ =
+      DecodeBase64AndParseJson(&exec_ctx_, cur, dot - cur, &header_buffer_);
   CreateJoseHeader();
   if (header_ == nullptr) {
     return GRPC_JWT_VERIFIER_BAD_FORMAT;
@@ -323,7 +327,7 @@ grpc_jwt_verifier_status JwtValidatorImpl::ParseImpl() {
   // case, and it is owned by claims_ for successful case.
   gpr_slice claims_buffer = gpr_empty_slice();
   grpc_json *claims_json =
-      DecodeBase64AndParseJson(cur, dot - cur, &claims_buffer);
+      DecodeBase64AndParseJson(&exec_ctx_, cur, dot - cur, &claims_buffer);
   if (claims_json == nullptr) {
     if (!GPR_SLICE_IS_EMPTY(claims_buffer)) {
       gpr_slice_unref(claims_buffer);
@@ -332,10 +336,13 @@ grpc_jwt_verifier_status JwtValidatorImpl::ParseImpl() {
   }
   UpdateAudience(claims_json);
   // Takes ownershp of claims_json and claims_buffer.
-  claims_ = grpc_jwt_claims_from_json(claims_json, claims_buffer);
-  if (claims_ == nullptr) {
+  claims_ = grpc_jwt_claims_from_json(&exec_ctx_, claims_json, claims_buffer);
+
+  // issuer is mandatory. grpc_jwt_claims_issuer checks if claims_ is nullptr.
+  if (grpc_jwt_claims_issuer(claims_) == nullptr) {
     return GRPC_JWT_VERIFIER_BAD_FORMAT;
   }
+
   // Check timestamp.
   // Passing in its own audience to skip audience check.
   // Audience check should be done by the caller.
@@ -354,8 +361,8 @@ grpc_jwt_verifier_status JwtValidatorImpl::ParseImpl() {
     return GRPC_JWT_VERIFIER_BAD_FORMAT;
   }
   cur = dot + 1;
-  sig_buffer_ =
-      grpc_base64_decode_with_len(cur, jwt_len - signed_jwt_len - 1, 1);
+  sig_buffer_ = grpc_base64_decode_with_len(&exec_ctx_, cur,
+                                            jwt_len - signed_jwt_len - 1, 1);
   if (GPR_SLICE_IS_EMPTY(sig_buffer_)) {
     return GRPC_JWT_VERIFIER_BAD_FORMAT;
   }
@@ -576,9 +583,11 @@ bool JwtValidatorImpl::ExtractPubkeyFromJwk(const grpc_json *jkey) {
   }
 
   const char *rsa_n = GetStringValue(jkey, "n");
-  rsa_->n = rsa_n == nullptr ? nullptr : BigNumFromBase64String(rsa_n);
+  rsa_->n =
+      rsa_n == nullptr ? nullptr : BigNumFromBase64String(&exec_ctx_, rsa_n);
   const char *rsa_e = GetStringValue(jkey, "e");
-  rsa_->e = rsa_e == nullptr ? nullptr : BigNumFromBase64String(rsa_e);
+  rsa_->e =
+      rsa_e == nullptr ? nullptr : BigNumFromBase64String(&exec_ctx_, rsa_e);
 
   if (rsa_->e == nullptr || rsa_->n == nullptr) {
     gpr_log(GPR_ERROR, "Missing RSA public key field.");
@@ -651,7 +660,7 @@ grpc_jwt_verifier_status JwtValidatorImpl::VerifyHsSignature(const char *pkey,
   const EVP_MD *md = EvpMdFromAlg(header_->alg);
   GPR_ASSERT(md != nullptr);  // Checked before.
 
-  pkey_buffer_ = grpc_base64_decode_with_len(pkey, pkey_len, 1);
+  pkey_buffer_ = grpc_base64_decode_with_len(&exec_ctx_, pkey, pkey_len, 1);
   if (GPR_SLICE_IS_EMPTY(pkey_buffer_)) {
     gpr_log(GPR_ERROR, "Unable to decode base64 of secret");
     return GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR;
@@ -742,11 +751,11 @@ size_t HashSizeFromAlg(const char *alg) {
   }
 }
 
-grpc_json *DecodeBase64AndParseJson(const char *str, size_t len,
-                                    gpr_slice *buffer) {
+grpc_json *DecodeBase64AndParseJson(grpc_exec_ctx *exec_ctx, const char *str,
+                                    size_t len, gpr_slice *buffer) {
   grpc_json *json;
 
-  *buffer = grpc_base64_decode_with_len(str, len, 1);
+  *buffer = grpc_base64_decode_with_len(exec_ctx, str, len, 1);
   if (GPR_SLICE_IS_EMPTY(*buffer)) {
     gpr_log(GPR_ERROR, "Invalid base64.");
     return nullptr;
@@ -760,12 +769,12 @@ grpc_json *DecodeBase64AndParseJson(const char *str, size_t len,
   return json;
 }
 
-BIGNUM *BigNumFromBase64String(const char *b64) {
+BIGNUM *BigNumFromBase64String(grpc_exec_ctx *exec_ctx, const char *b64) {
   BIGNUM *result = nullptr;
   gpr_slice bin;
 
   if (b64 == nullptr) return nullptr;
-  bin = grpc_base64_decode(b64, 1);
+  bin = grpc_base64_decode(exec_ctx, b64, 1);
   if (GPR_SLICE_IS_EMPTY(bin)) {
     gpr_log(GPR_ERROR, "Invalid base64 for big num.");
     return nullptr;

contrib/endpoints/src/api_manager/auth/lib/auth_token.cc

@@ -200,7 +200,8 @@ char *GenerateJwtClaim(const char *issuer, const char *subject,
 }
 
 char *GenerateSignatueHs256(const char *data, const char *key) {
-  gpr_slice key_buffer = grpc_base64_decode(key, 1);
+  grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+  gpr_slice key_buffer = grpc_base64_decode(&exec_ctx, key, 1);
   if (GPR_SLICE_IS_EMPTY(key_buffer)) {
     gpr_log(GPR_ERROR, "Unable to decode base64 of secret");
     return nullptr;