Merge remote-tracking branch 'upstream/main' into bump_v8_10.7.193.13

README.md

@@ -47,9 +47,7 @@ to find out more about the origin story and design philosophy of Envoy
 * [envoy-maintainers](https://groups.google.com/forum/#!forum/envoy-maintainers): Use this list
   to reach all core Envoy maintainers.
 * [Twitter](https://twitter.com/EnvoyProxy/): Follow along on Twitter!
-* [Slack](https://envoyproxy.slack.com/): Slack, to get invited go [here](https://envoyproxy.io/slack).
-  We have the IRC/XMPP gateways enabled if you prefer either of those. Once an account is created,
-  connection instructions for IRC/XMPP can be found [here](https://envoyproxy.slack.com/account/gateways).
+* [Slack](https://envoyproxy.slack.com/): Slack, to get invited go [here](https://communityinviter.com/apps/envoyproxy/envoy).
   * NOTE: Response to user questions is best effort on Slack. For a "guaranteed" response please email
     envoy-users@ per the guidance in the following linked thread.
 

api/envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto

@@ -26,6 +26,28 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //    without `case normalization <https://datatracker.ietf.org/doc/html/rfc3986#section-6.2.2.1>`_
 //
 message HeaderValidatorConfig {
+  // Action to take when Envoy receives client request with header names containing underscore
+  // characters.
+  // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented
+  // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore
+  // characters.
+  enum HeadersWithUnderscoresAction {
+    // Allow headers with underscores. This is the default behavior.
+    ALLOW = 0;
+
+    // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests
+    // end with the stream reset. The
+    // :ref:`httpN.requests_rejected_with_underscores_in_headers <config_http_conn_man_stats_per_codec>` counter
+    // is incremented for each rejected request.
+    REJECT_REQUEST = 1;
+
+    // Drop the client header with name containing underscores. The header is dropped before the filter chain is
+    // invoked and as such filters will not see dropped headers. The
+    // :ref:`httpN.dropped_headers_with_underscores <config_http_conn_man_stats_per_codec>` is incremented for
+    // each dropped header.
+    DROP_HEADER = 2;
+  }
+
   message UriPathNormalizationOptions {
     // Determines the action for requests that contain ``%2F``, ``%2f``, ``%5C`` or ``%5c`` sequences in the URI path.
     // This operation occurs before URL normalization and the merge slashes transformations if they were enabled.
@@ -115,4 +137,8 @@ message HeaderValidatorConfig {
   // Envoy will respond with 400 to requests with disallowed methods.
   // By default methods with arbitrary names are accepted.
   bool restrict_http_methods = 3;
+
+  // Action to take when a client request with a header name containing underscore characters is received.
+  // If this setting is not specified, the value defaults to ALLOW.
+  HeadersWithUnderscoresAction headers_with_underscores_action = 4;
 }

bazel/foreign_cc/dlb.patch

@@ -1,34 +1,3 @@
-diff --git a/dlb/libdlb/Makefile b/dlb/libdlb/Makefile
-index e7fa1fa..a9f566e 100644
---- a/dlb/libdlb/Makefile
-+++ b/dlb/libdlb/Makefile
-@@ -9,7 +9,7 @@ BUILD_DIR := build
- CFLAGS  := -g -fPIC -DVERSION_$(VERSION) -Wall -O3 -pthread
- CFLAGS  += -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security \
-            -Werror=format-security -fstack-protector-strong
--CFLAGS  += -fno-delete-null-pointer-checks -fno-strict-overflow -fwrapv
-+CFLAGS  += -fno-delete-null-pointer-checks -fwrapv
- CFLAGS  += $(EXTRA_CFLAGS)
-
- ifeq ($(DLB_DISABLE_DOMAIN_SERVER), TRUE)
-@@ -33,7 +33,7 @@ SRCS :=         \
-
- OBJS := $(addprefix $(BUILD_DIR)/, $(SRCS:.c=.o))
- DEPS := $(addprefix $(BUILD_DIR)/, $(SRCS:.c=.d))
--LIB  := libdlb.so
-+LIB  := libdlb.a
-
- default: $(LIB) examples cli doc
-
-@@ -53,7 +53,7 @@ $(BUILD_DIR)/%.o: %.c | $(BUILD_DIR)
-
- $(LIB): $(OBJS)
- 	@echo Linking $@
--	@$(CC) $^ -shared $(LDFLAGS) -o $@ -Wl,--version-script=version.map
-+	@$(AR) rcs $@ $^
-
- examples cli: $(LIB)
- 	@$(MAKE) -C $@/
 diff --git a/dlb/libdlb/dlb_ops.h b/dlb/libdlb/dlb_ops.h
 index 3f384f8..bd621be 100644
 --- a/dlb/libdlb/dlb_ops.h

bazel/repository_locations.bzl

@@ -763,13 +763,13 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "hessian2-codec",
         project_desc = "hessian2-codec is a C++ library for hessian2 codec",
         project_url = "https://github.com/alibaba/hessian2-codec.git",
-        version = "dd8e05487a27b367b90ce81f4e6e6f62d693a212",
-        sha256 = "93260c54406e11b7be078a7ea120f7ab0df475c733e68d010fde400c5c8c8162",
+        version = "e9bb36e206f2c5054b50d11f88bb1b95c77766f8",
+        sha256 = "82743dcbf2bd624a68eb2c0d54963ea87446eba4eb08c117744f0669ddc70786",
         strip_prefix = "hessian2-codec-{version}",
         urls = ["https://github.com/alibaba/hessian2-codec/archive/{version}.tar.gz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.filters.network.dubbo_proxy"],
-        release_date = "2021-04-05",
+        release_date = "2022-10-10",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/alibaba/hessian2-codec/blob/{version}/LICENSE",
@@ -1368,9 +1368,9 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Intel Dlb",
         project_desc = "Dlb",
         project_url = "https://networkbuilders.intel.com/solutionslibrary/queue-management-and-load-balancing-on-intel-architecture",
-        version = "7.6.0",
-        sha256 = "b74c1bb2863fb6374bf80b9268b5978ab7b9d4eabb2d47ea427a5460aa3ae5fe",
-        urls = ["https://downloadmirror.intel.com/727424/dlb_linux_src_release7.6.0_2022_03_30.txz"],
+        version = "7.8.0",
+        sha256 = "9070388d9a22055ca37c7e1ec6a4b55c6bfd829b1a99b860056af268b68c98b6",
+        urls = ["https://downloadmirror.intel.com/744007/dlb_linux_src_release_7.8.0_2022_09_20.txz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.network.connection_balance.dlb"],
         release_date = "2022-03-30",

changelogs/current.yaml

@@ -114,6 +114,9 @@ bug_fixes:
 - area: logger
   change: |
     added the %j and %_ format support for fine-grain loggers to make it consistant with default loggers.
+- area: thrift
+  change: |
+    fixed the routing decision when thrift filters change the value of the cluster header.
 - area: router
   change: |
     fixed edge-case interaction between weighted clusters, cluster headers and (request|response)_headers_to_(add|remove).

contrib/config/test/kv_store_xds_delegate_integration_test.cc

@@ -56,17 +56,20 @@ std::string invalidProtoKvStoreDelegateConfig() {
     )EOF";
 }
 
-class KeyValueStoreXdsDelegateIntegrationTest : public HttpIntegrationTest,
-                                                public Grpc::GrpcClientIntegrationParamTest {
+class KeyValueStoreXdsDelegateIntegrationTest
+    : public HttpIntegrationTest,
+      public Grpc::UnifiedOrLegacyMuxIntegrationParamTest {
 public:
   KeyValueStoreXdsDelegateIntegrationTest()
       : HttpIntegrationTest(Http::CodecType::HTTP2, ipVersion(),
                             ConfigHelper::baseConfigNoListeners()) {
     use_lds_ = false;
-    // TODO(abeyad): add UnifiedSotw tests too when implementation is ready.
-    sotw_or_delta_ = Grpc::SotwOrDelta::Sotw;
     skip_tag_extraction_rule_check_ = true;
 
+    if (isUnified()) {
+      config_helper_.addRuntimeOverride("envoy.reloadable_features.unified_mux", "true");
+    }
+
     // Make the default cluster HTTP2.
     config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) {
       ConfigHelper::setHttp2(*bootstrap.mutable_static_resources()->mutable_clusters(0));
@@ -276,7 +279,7 @@ class KeyValueStoreXdsDelegateIntegrationTest : public HttpIntegrationTest,
 };
 
 INSTANTIATE_TEST_SUITE_P(IpVersions, KeyValueStoreXdsDelegateIntegrationTest,
-                         GRPC_CLIENT_INTEGRATION_PARAMS);
+                         UNIFIED_LEGACY_GRPC_CLIENT_INTEGRATION_PARAMS);
 
 TEST_P(KeyValueStoreXdsDelegateIntegrationTest, BasicSuccess) {
   on_server_init_function_ = [this]() {
@@ -450,16 +453,18 @@ class InvalidProtoKeyValueStoreFactory : public KeyValueStoreFactory {
 
 class InvalidProtoKeyValueStoreXdsDelegateIntegrationTest
     : public HttpIntegrationTest,
-      public Grpc::GrpcClientIntegrationParamTest {
+      public Grpc::UnifiedOrLegacyMuxIntegrationParamTest {
 public:
   InvalidProtoKeyValueStoreXdsDelegateIntegrationTest()
       : HttpIntegrationTest(Http::CodecType::HTTP2, ipVersion(),
                             ConfigHelper::baseConfigNoListeners()) {
     use_lds_ = false;
-    // TODO(abeyad): add UnifiedSotw tests too when implementation is ready.
-    sotw_or_delta_ = Grpc::SotwOrDelta::Sotw;
     skip_tag_extraction_rule_check_ = true;
 
+    if (isUnified()) {
+      config_helper_.addRuntimeOverride("envoy.reloadable_features.unified_mux", "true");
+    }
+
     // One static CDS cluster and CDS config.
     config_helper_.addConfigModifier([](envoy::config::bootstrap::v3::Bootstrap& bootstrap) {
       auto* xds_cluster = bootstrap.mutable_static_resources()->mutable_clusters(0);
@@ -506,7 +511,7 @@ class InvalidProtoKeyValueStoreXdsDelegateIntegrationTest
 };
 
 INSTANTIATE_TEST_SUITE_P(IpVersions, InvalidProtoKeyValueStoreXdsDelegateIntegrationTest,
-                         GRPC_CLIENT_INTEGRATION_PARAMS);
+                         UNIFIED_LEGACY_GRPC_CLIENT_INTEGRATION_PARAMS);
 
 TEST_P(InvalidProtoKeyValueStoreXdsDelegateIntegrationTest, InvalidProto) {
   InvalidProtoKeyValueStoreFactory factory;

contrib/network/connection_balance/dlb/source/connection_balancer_impl.cc

@@ -20,9 +20,23 @@ namespace Dlb {
 Envoy::Network::ConnectionBalancerSharedPtr
 DlbConnectionBalanceFactory::createConnectionBalancerFromProto(
     const Protobuf::Message& config, Server::Configuration::FactoryContext& context) {
-  const auto dlb_config = MessageUtil::downcastAndValidate<
-      const envoy::extensions::network::connection_balance::dlb::v3alpha::Dlb&>(
-      config, context.messageValidationVisitor());
+  const auto& typed_config =
+      dynamic_cast<const envoy::config::core::v3::TypedExtensionConfig&>(config);
+  envoy::extensions::network::connection_balance::dlb::v3alpha::Dlb dlb_config;
+  auto status = Envoy::MessageUtil::unpackToNoThrow(typed_config.typed_config(), dlb_config);
+  if (!status.ok()) {
+    ExceptionUtil::throwEnvoyException(
+        fmt::format("unexpected dlb config: {}", typed_config.DebugString()));
+  }
+
+  const int num = context.options().concurrency();
+
+  if (num > 32) {
+    ExceptionUtil::throwEnvoyException(
+        "Dlb connection balanncer only supports up to 32 worker threads, "
+        "please decrease the number of threads by `--concurrency`");
+  }
+
 #ifdef DLB_DISABLED
   throw EnvoyException("X86_64 architecture is required for Dlb.");
 #else
@@ -128,13 +142,6 @@ DlbConnectionBalanceFactory::createConnectionBalancerFromProto(
     ExceptionUtil::throwEnvoyException(fmt::format("tx create_ldb_queue {}", errorDetails(errno)));
   }
 
-  const int num = context.options().concurrency();
-  if (num > 32) {
-    ExceptionUtil::throwEnvoyException(
-        "Dlb connection balanncer only supports up to 32 worker threads, "
-        "please decrease the number of threads by `--concurrency`");
-  }
-
   for (int i = 0; i < num; i++) {
     int tx_port_id = createLdbPort(domain, cap, ldb_pool_id, dir_pool_id);
     if (tx_port_id == -1) {

contrib/network/connection_balance/dlb/source/connection_balancer_impl.h

@@ -84,11 +84,8 @@ class DlbConnectionBalanceFactory : public Envoy::Network::ConnectionBalanceFact
     if (!cap.combined_credits) {
       args.ldb_credit_pool_id = ldb_pool;
       args.dir_credit_pool_id = dir_pool;
-      args.num_ldb_credits = 32;
-      args.num_dir_credits = 32;
     } else {
       args.credit_pool_id = ldb_pool;
-      args.num_credits = 32;
     }
     args.cq_depth = cq_depth;
     args.num_ldb_event_state_entries = cq_depth * 2;

contrib/network/connection_balance/dlb/test/BUILD

@@ -0,0 +1,20 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_test",
+    "envoy_contrib_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_contrib_package()
+
+envoy_cc_test(
+    name = "config_test",
+    srcs = ["config_test.cc"],
+    deps = [
+        "//source/common/protobuf:utility_lib",
+        "//test/test_common:status_utility_lib",
+        "@envoy_api//contrib/envoy/extensions/network/connection_balance/dlb/v3alpha:pkg_cc_proto",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
+    ],
+)

contrib/network/connection_balance/dlb/test/config_test.cc

@@ -0,0 +1,57 @@
+#include "envoy/config/core/v3/extension.pb.h"
+
+#include "source/common/protobuf/utility.h"
+
+#include "test/test_common/status_utility.h"
+
+#include "contrib/envoy/extensions/network/connection_balance/dlb/v3alpha/dlb.pb.h"
+#include "gtest/gtest.h"
+
+namespace Envoy {
+namespace Extensions {
+namespace Dlb {
+
+class DlbConnectionBalanceFactoryTest : public testing::Test {
+protected:
+  // Create a default DLB connection balance typed config.
+  static void makeDlbConnectionBalanceConfig(
+      envoy::config::core::v3::TypedExtensionConfig& typed_config,
+      envoy::extensions::network::connection_balance::dlb::v3alpha::Dlb& dlb) {
+    typed_config.mutable_typed_config()->PackFrom(dlb);
+    typed_config.set_name("envoy.network.connection_balance.dlb");
+  }
+
+  // Verify typed config is dlb, and unpack to dlb object.
+  static void verifyDlbConnectionBalanceConfigAndUnpack(
+      envoy::config::core::v3::TypedExtensionConfig& typed_config,
+      envoy::extensions::network::connection_balance::dlb::v3alpha::Dlb& dlb) {
+    EXPECT_EQ(typed_config.name(), "envoy.network.connection_balance.dlb");
+    EXPECT_EQ(typed_config.typed_config().type_url(),
+              "type.googleapis.com/"
+              "envoy.extensions.network.connection_balance.dlb.v3alpha.Dlb");
+    ASSERT_OK(MessageUtil::unpackToNoThrow(typed_config.typed_config(), dlb));
+  }
+};
+
+TEST_F(DlbConnectionBalanceFactoryTest, MakeDefaultConfig) {
+  envoy::config::core::v3::TypedExtensionConfig typed_config;
+  envoy::extensions::network::connection_balance::dlb::v3alpha::Dlb dlb;
+  makeDlbConnectionBalanceConfig(typed_config, dlb);
+  verifyDlbConnectionBalanceConfigAndUnpack(typed_config, dlb);
+  EXPECT_EQ(0, dlb.id());
+}
+
+TEST_F(DlbConnectionBalanceFactoryTest, MakeCustomConfig) {
+  envoy::config::core::v3::TypedExtensionConfig typed_config;
+
+  envoy::extensions::network::connection_balance::dlb::v3alpha::Dlb dlb;
+  dlb.set_id(10);
+
+  makeDlbConnectionBalanceConfig(typed_config, dlb);
+  verifyDlbConnectionBalanceConfigAndUnpack(typed_config, dlb);
+  EXPECT_EQ(10, dlb.id());
+}
+
+} // namespace Dlb
+} // namespace Extensions
+} // namespace Envoy

envoy/common/union_string.h

@@ -84,6 +84,8 @@ template <class Validator> class UnionStringBase {
     // Make sure the requested memory allocation is below uint32_t::max
     const uint64_t new_capacity = static_cast<uint64_t>(data_size) + size();
     validateCapacity(new_capacity);
+    ASSERT(valid(absl::string_view(data, data_size)));
+
     switch (type()) {
     case Type::Reference: {
       // Rather than be too clever and optimize this uncommon case, we switch to
@@ -101,7 +103,6 @@ template <class Validator> class UnionStringBase {
     }
     }
     getInVec(buffer_).insert(getInVec(buffer_).end(), data, data + data_size);
-    ASSERT(valid());
   }
 
   /**
@@ -256,6 +257,8 @@ template <class Validator> class UnionStringBase {
 
   bool valid() const { return Validator()(getStringView()); }
 
+  bool valid(absl::string_view data) const { return Validator()(data); }
+
   /**
    * @return the type of backing storage for the string.
    */

envoy/config/xds_resources_delegate.h

@@ -57,6 +57,7 @@ class XdsResourcesDelegate {
    * @param resource_names The names of the requested resources.
    * @return A set of xDS resources for the given source.
    */
+  // TODO(abeyad): change resource_names to a set.
   virtual std::vector<envoy::service::discovery::v3::Resource>
   getResources(const XdsSourceId& source_id,
                const std::vector<std::string>& resource_names) const PURE;

envoy/http/filter.h

@@ -519,7 +519,7 @@ class StreamDecoderFilterCallbacks : public virtual StreamFilterCallbacks {
    * response with a 200 HTTP response code and grpc-status and grpc-message headers mapped from the
    * provided parameters.
    *
-   * If a response has already started (e.g. if the router calls sendSendLocalReply after encoding
+   * If a response has already started (e.g. if the router calls sendLocalReply after encoding
    * headers) this will either ship the reply directly to the downstream codec, or reset the stream.
    *
    * @param response_code supplies the HTTP response code.
@@ -949,7 +949,7 @@ class StreamEncoderFilterCallbacks : public virtual StreamFilterCallbacks {
    * response with a 200 HTTP response code and grpc-status and grpc-message headers mapped from the
    * provided parameters.
    *
-   * If a response has already started (e.g. if the router calls sendSendLocalReply after encoding
+   * If a response has already started (e.g. if the router calls sendLocalReply after encoding
    * headers) this will either ship the reply directly to the downstream codec, or reset the stream.
    *
    * @param response_code supplies the HTTP response code.