envoyproxy · esmet · Feb 2, 2021 · Feb 3, 2021 · Feb 3, 2021 · Feb 8, 2021
diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h
@@ -384,7 +384,7 @@ class AsyncStreamImpl : public AsyncClient::Stream,
     }
     Utility::sendLocalReply(
         remote_closed_,
-        Utility::EncodeFunctions{nullptr, nullptr,
+        Utility::EncodeFunctions{nullptr, nullptr, nullptr,
                                  [this, modify_headers, &details](ResponseHeaderMapPtr&& headers,
                                                                   bool end_stream) -> void {
                                    if (modify_headers != nullptr) {

diff --git a/source/common/http/filter_manager.cc b/source/common/http/filter_manager.cc
@@ -862,6 +862,12 @@ void FilterManager::sendLocalReplyViaFilterChain(
   // a no-op.
   createFilterChain();
 
+  // A bit awkward, but save the local reply data for later. This will come in handy.
+  // When this pointer is non-null, it means a local reply has been initiated, which
+  // is important later on.
+  local_reply_data_ = std::make_unique<Utility::LocalReplyData>(
+      Utility::LocalReplyData{is_grpc_request, code, body, grpc_status, is_head_request});
+
   Utility::sendLocalReply(
       state_.destroyed_,
       Utility::EncodeFunctions{
@@ -875,13 +881,14 @@ void FilterManager::sendLocalReplyViaFilterChain(
               modify_headers(headers);
             }
           },
-          [this](ResponseHeaderMap& response_headers, Code& code, std::string& body,
-                 absl::string_view& content_type) -> void {
-            // TODO(snowp): This &get() business isn't nice, rework LocalReply and others to accept
-            // opt refs.
-            local_reply_.rewrite(filter_manager_callbacks_.requestHeaders().ptr(), response_headers,
-                                 stream_info_, code, body, content_type);
-          },
+          // Local reply rewrites (and upstream rewrites, for that matter) happen on the filter
+          // chain now, so we do not need to do any additional rewriting here.
+          /*rewrite_=*/nullptr,
+          // Local gRPC replies are encoded as trailers-only responses on the filter chain,
+          // so we don't need to any additional encoding of the gRPC response here. This
+          // is different from the direct local reply case, where we do encode the gRPC
+          // reply as a headers-only response using an encoder callback.
+          /*encode_grpc_=*/nullptr,
           [this, modify_headers](ResponseHeaderMapPtr&& headers, bool end_stream) -> void {
             filter_manager_callbacks_.setResponseHeaders(std::move(headers));
             // TODO: Start encoding from the last decoder filter that saw the
@@ -918,9 +925,18 @@ void FilterManager::sendDirectLocalReply(
           },
           [&](ResponseHeaderMap& response_headers, Code& code, std::string& body,
               absl::string_view& content_type) -> void {
+            /* Direct local reply rewrites happen here since we are not going through the filter
+             * chain. */
             local_reply_.rewrite(filter_manager_callbacks_.requestHeaders().ptr(), response_headers,
                                  stream_info_, code, body, content_type);
           },
+          [&](ResponseHeaderMap& headers, Code& code, std::string& body,
+              const absl::optional<Grpc::Status::GrpcStatus> grpc_status,
+              bool is_head_request) -> void {
+            /* Direct local reply gRPC encoding happens here since we are not going through the
+             * filter chain. */
+            Utility::toGrpcTrailersOnlyResponse(headers, code, body, grpc_status, is_head_request);
+          },
           [&](ResponseHeaderMapPtr&& response_headers, bool end_stream) -> void {
             // Move the response headers into the FilterManager to make sure they're visible to
             // access logs.
@@ -1044,9 +1060,55 @@ void FilterManager::encodeHeaders(ActiveStreamEncoderFilter* filter, ResponseHea
     }
   }
 
-  const bool modified_end_stream = (end_stream && continue_data_entry == encoder_filters_.end());
+  bool modified_end_stream = (end_stream && continue_data_entry == encoder_filters_.end());
+
+  // Capture the original modified_end_stream value. We may modify it again below if we add
+  // a response body.
+  const bool original_modified_end_stream = modified_end_stream;
+
+  // See if we should do an upstream rewrite. For local replies, always try to do a rewrite.
+  // For upstream replies, only try to do a rewrite if some filter rule actually applies.
+  // The rewrite config supports unconditional rewrites with no filter rules. This makes sense
+  // for local reply rewrites (e.g. one consistent format for all responses generated at Envoy)
+  // but makes a lot less sense for all responses upstream.
+  state_.do_response_rewrite_ =
+      local_reply_data_ != nullptr ||
+      local_reply_.matchesAnyMapper(filter_manager_callbacks_.requestHeaders().ptr(),
+                                    *filter_manager_callbacks_.responseHeaders(),
+                                    filter_manager_callbacks_.responseTrailers().ptr(),
+                                    stream_info_);
+  ENVOY_STREAM_LOG(debug,
+                   "FilterManager::encodeHeaders: end_stream={}, modified_end_stream={}, "
+                   "state_.do_response_rewrite_={}",
+                   *this, end_stream, modified_end_stream, state_.do_response_rewrite_);
+
+  if (state_.do_response_rewrite_) {
+    // Try to rewrite the response. This may end up not doing any actual rewrite if this is
+    // a local reply and there is no matching rule. If it's not a local reply, we know there's
+    // a match at this point since that's a condition for state_.do_response_rewrite_ above.
+    rewriteResponse();
+
+    if (buffered_response_data_) {
+      // If we have a rewritten response body, then modified_end_stream can no longer be true
+      // because we have a body now.
+      modified_end_stream = false;
+    }
+  }
+
   state_.non_100_response_headers_encoded_ = true;
   filter_manager_callbacks_.encodeHeaders(headers, modified_end_stream);
+
+  // Encode the rewritten response right away if the original `modified_end_stream` was true.
+  // If it wasn't, then we know a body will be encoded later, and we'll let that function
+  // take care of encoding the rewritten response.
+  if (state_.do_response_rewrite_ && original_modified_end_stream && buffered_response_data_) {
+    ENVOY_STREAM_LOG(trace,
+                     "FilterManager::encodeData calling filter_manager_callbacks_ with {} bytes "
+                     "from buffered_response_data and modified_end_stream={}",
+                     *this, buffered_response_data_->length(), modified_end_stream);
+    filter_manager_callbacks_.encodeData(*buffered_response_data_, modified_end_stream);
+  }
+
   maybeEndEncode(modified_end_stream);
 
   if (!modified_end_stream) {
@@ -1180,7 +1242,19 @@ void FilterManager::encodeData(ActiveStreamEncoderFilter* filter, Buffer::Instan
   }
 
   const bool modified_end_stream = end_stream && trailers_added_entry == encoder_filters_.end();
-  filter_manager_callbacks_.encodeData(data, modified_end_stream);
+  if (state_.do_response_rewrite_ && buffered_response_data_) {
+    // If we're doing a rewrite and modified_end_stream=true, encode the buffered_response_data_
+    // that was set by rewriteResponse() earlier in encodeHeaders().
+    if (modified_end_stream) {
+      ENVOY_STREAM_LOG(trace,
+                       "FilterManager::encodeData calling filter_manager_callbacks_ with {} bytes "
+                       "from buffered_response_data and modified_end_stream={}",
+                       *this, buffered_response_data_->length(), modified_end_stream);
+      filter_manager_callbacks_.encodeData(*buffered_response_data_, modified_end_stream);
+    }
+  } else {
+    filter_manager_callbacks_.encodeData(data, modified_end_stream);
+  }
   maybeEndEncode(modified_end_stream);
 
   // If trailers were adding during encodeData we need to trigger decodeTrailers in order
@@ -1225,6 +1299,58 @@ void FilterManager::maybeEndEncode(bool end_stream) {
   }
 }
 
+void FilterManager::rewriteResponse() {
+  auto response_headers = filter_manager_callbacks_.responseHeaders();
+  ASSERT(response_headers.ptr() != nullptr);
+
+  std::string rewritten_body{};
+  absl::string_view rewritten_content_type{};
+  Http::Code rewritten_code{static_cast<Http::Code>(Utility::getResponseStatus(*response_headers))};
+
+  // Start with the local reply body and text/plain content type, if we have it.
+  if (local_reply_data_) {
+    rewritten_body = local_reply_data_->body_text_;
+    rewritten_content_type = Headers::get().ContentTypeValues.Text;
+  }
+
+  // Get rid of any buffered response data we may have at this point. We're going to use this
+  // as the output parameter for a rewritten body, if any.
+  buffered_response_data_ = nullptr;
+
+  ENVOY_STREAM_LOG(trace, "rewriteResponse: calling local_reply_.rewrite with body=\"{}\", code={}",
+                   *this, rewritten_body, rewritten_code);
+  const bool did_body_rewrite =
+      local_reply_.rewrite(filter_manager_callbacks_.requestHeaders().ptr(), *response_headers,
+                           stream_info_, rewritten_code, rewritten_body, rewritten_content_type);
+  ENVOY_STREAM_LOG(
+      trace,
+      "rewriteResponse: local_reply_.rewrite returned did_body_rewrite={}, body=\"{}\", "
+      "content_type={}, code={}",
+      *this, did_body_rewrite, rewritten_body, rewritten_content_type, rewritten_code);
+
+  if (local_reply_data_ && local_reply_data_->is_grpc_) {
+    // Send a trailers-only grpc response
+    Utility::toGrpcTrailersOnlyResponse(*response_headers, rewritten_code, rewritten_body,
+                                        local_reply_data_->grpc_status_,
+                                        local_reply_data_->is_head_request_);
+    return;
+  }
+
+  if (did_body_rewrite) {
+    buffered_response_data_ = std::make_unique<Buffer::OwnedImpl>(rewritten_body);
+
+    // If we rewrote with a non-empty body, set the content length and type.
+    // Otherwise, remove them.
+    if (buffered_response_data_->length() > 0) {
+      response_headers->setContentLength(buffered_response_data_->length());
+      response_headers->setContentType(rewritten_content_type);
+    } else {
+      response_headers->removeContentLength();
+      response_headers->removeContentType();
+    }
+  }
+}
+
 bool FilterManager::processNewlyAddedMetadata() {
   if (request_metadata_map_vector_ == nullptr) {
     return false;

diff --git a/source/common/http/filter_manager.h b/source/common/http/filter_manager.h
@@ -20,6 +20,7 @@
 #include "common/grpc/common.h"
 #include "common/http/header_utility.h"
 #include "common/http/headers.h"
+#include "common/http/utility.h"
 #include "common/local_reply/local_reply.h"
 #include "common/matcher/matcher.h"
 #include "common/protobuf/utility.h"
@@ -909,6 +910,11 @@ class FilterManager : public ScopeTrackedObject,
    */
   void maybeEndEncode(bool end_stream);
 
+  /**
+   * Rewrite the response headers and body using local_reply_.
+   */
+  void rewriteResponse();
+
   void sendLocalReply(bool is_grpc_request, Code code, absl::string_view body,
                       const std::function<void(ResponseHeaderMap& headers)>& modify_headers,
                       const absl::optional<Grpc::Status::GrpcStatus> grpc_status,
@@ -1075,7 +1081,12 @@ class FilterManager : public ScopeTrackedObject,
       std::make_shared<Network::Socket::Options>();
 
   FilterChainFactory& filter_chain_factory_;
+  // Used to track local reply state
+  // TODO(esmet): We could combine the local reply reference and data into one pointer
+  // member that stays nullptr when no local reply config is present to save space in
+  // the 'off' case. But, for now, we spend two pointers of space in all cases.
   const LocalReply::LocalReply& local_reply_;
+  Utility::LocalReplyDataPtr local_reply_data_;
   OverridableRemoteSocketAddressSetterStreamInfo stream_info_;
   // TODO(snowp): Once FM has been moved to its own file we'll make these private classes of FM,
   // at which point they no longer need to be friends.
@@ -1109,7 +1120,7 @@ class FilterManager : public ScopeTrackedObject,
     State()
         : remote_complete_(false), local_complete_(false), has_continue_headers_(false),
           created_filter_chain_(false), is_head_request_(false), is_grpc_request_(false),
-          non_100_response_headers_encoded_(false) {}
+          non_100_response_headers_encoded_(false), do_response_rewrite_(false) {}
 
     uint32_t filter_call_state_{0};
 
@@ -1127,6 +1138,8 @@ class FilterManager : public ScopeTrackedObject,
     bool is_grpc_request_ : 1;
     // Tracks if headers other than 100-Continue have been encoded to the codec.
     bool non_100_response_headers_encoded_ : 1;
+    // True if we should rewrite the upstream response using local_reply_
+    bool do_response_rewrite_ : 1;
 
     // The following 3 members are booleans rather than part of the space-saving bitfield as they
     // are passed as arguments to functions expecting bools. Extend State using the bitfield

diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc
@@ -512,7 +512,7 @@ void Utility::sendLocalReply(const bool& is_reset, StreamDecoderFilterCallbacks&
 
   sendLocalReply(
       is_reset,
-      Utility::EncodeFunctions{nullptr, nullptr,
+      Utility::EncodeFunctions{nullptr, nullptr, nullptr,
                                [&](ResponseHeaderMapPtr&& headers, bool end_stream) -> void {
                                  callbacks.encodeHeaders(std::move(headers), end_stream, details);
                                },
@@ -522,6 +522,27 @@ void Utility::sendLocalReply(const bool& is_reset, StreamDecoderFilterCallbacks&
       local_reply_data);
 }
 
+void Utility::toGrpcTrailersOnlyResponse(Http::ResponseHeaderMap& response_headers,
+                                         const Http::Code& code, std::string& response_body,
+                                         const absl::optional<Grpc::Status::GrpcStatus> grpc_status,
+                                         bool is_head_request) {
+  response_headers.setStatus(std::to_string(enumToInt(Http::Code::OK)));
+  response_headers.setReferenceContentType(Headers::get().ContentTypeValues.Grpc);
+  response_headers.setGrpcStatus(std::to_string(enumToInt(
+      grpc_status ? grpc_status.value() : Grpc::Utility::httpToGrpcStatus(enumToInt(code)))));
+  if (!response_body.empty() && !is_head_request) {
+    // TODO(dio): Probably it is worth to consider caching the encoded message based on gRPC
+    // status.
+    // JsonFormatter adds a '\n' at the end. For header value, it should be removed.
+    // https://github.com/envoyproxy/envoy/blob/main/source/common/formatter/substitution_formatter.cc#L129
+    if (response_body[response_body.length() - 1] == '\n') {
+      response_body = response_body.substr(0, response_body.length() - 1);
+    }
+    response_headers.setGrpcMessage(Http::Utility::PercentEncoding::encode(response_body));
+  }
+  response_headers.removeContentLength();
+}
+
 void Utility::sendLocalReply(const bool& is_reset, const EncodeFunctions& encode_functions,
                              const LocalReplyData& local_reply_data) {
   // encode_headers() may reset the stream, so the stream must not be reset before calling it.
@@ -542,26 +563,15 @@ void Utility::sendLocalReply(const bool& is_reset, const EncodeFunctions& encode
     encode_functions.rewrite_(*response_headers, response_code, body_text, content_type);
   }
 
-  // Respond with a gRPC trailers-only response if the request is gRPC
+  // Respond with a gRPC trailers-only response if the request is gRPC. The actual encoding of the
+  // trailers-only response happens in encode_grpc_, if set. Otherwise it is assumed that the
+  // response is already encoded and ready to be finalized by encodeHeaders with end_stream=true.
   if (local_reply_data.is_grpc_) {
-    response_headers->setStatus(std::to_string(enumToInt(Code::OK)));
-    response_headers->setReferenceContentType(Headers::get().ContentTypeValues.Grpc);
-    response_headers->setGrpcStatus(
-        std::to_string(enumToInt(local_reply_data.grpc_status_
-                                     ? local_reply_data.grpc_status_.value()
-                                     : Grpc::Utility::httpToGrpcStatus(enumToInt(response_code)))));
-    if (!body_text.empty() && !local_reply_data.is_head_request_) {
-      // TODO(dio): Probably it is worth to consider caching the encoded message based on gRPC
-      // status.
-      // JsonFormatter adds a '\n' at the end. For header value, it should be removed.
-      // https://github.com/envoyproxy/envoy/blob/main/source/common/formatter/substitution_formatter.cc#L129
-      if (body_text[body_text.length() - 1] == '\n') {
-        body_text = body_text.substr(0, body_text.length() - 1);
-      }
-      response_headers->setGrpcMessage(PercentEncoding::encode(body_text));
+    if (encode_functions.encode_grpc_) {
+      encode_functions.encode_grpc_(*response_headers, response_code, body_text,
+                                    local_reply_data.grpc_status_,
+                                    local_reply_data.is_head_request_);
     }
-    // The `modify_headers` function may have added content-length, remove it.
-    response_headers->removeContentLength();
     encode_functions.encode_headers_(std::move(response_headers), true); // Trailers only response
     return;
   }

diff --git a/source/common/http/utility.h b/source/common/http/utility.h
@@ -295,6 +295,11 @@ struct EncodeFunctions {
   std::function<void(ResponseHeaderMap& response_headers, Code& code, std::string& body,
                      absl::string_view& content_type)>
       rewrite_;
+  // Function to encode a gRPC response.
+  std::function<void(ResponseHeaderMap& headers, Code& code, std::string& body,
+                     const absl::optional<Grpc::Status::GrpcStatus> grpc_status,
+                     bool is_head_request)>
+      encode_grpc_;
   // Function to encode response headers.
   std::function<void(ResponseHeaderMapPtr&& headers, bool end_stream)> encode_headers_;
   // Function to encode the response body.
@@ -313,6 +318,7 @@ struct LocalReplyData {
   // Tells if this is a response to a HEAD request.
   bool is_head_request_ = false;
 };
+using LocalReplyDataPtr = std::unique_ptr<LocalReplyData>;
 
 /**
  * Create a locally generated response using filter callbacks.
@@ -337,6 +343,18 @@ void sendLocalReply(const bool& is_reset, StreamDecoderFilterCallbacks& callback
 void sendLocalReply(const bool& is_reset, const EncodeFunctions& encode_functions,
                     const LocalReplyData& local_reply_data);
 
+/**
+ * Convert a response into a gRPC trailers-only response.
+ * @param response_headers the response headers. will be modified.
+ * @param code the upstream response code. will be converted to grpc-status
+ * @param grpc_status the original grpc status
+ * @param is_head_request whether this is a HEAD request
+ */
+void toGrpcTrailersOnlyResponse(Http::ResponseHeaderMap& response_headers, const Http::Code& code,
+                                std::string& response_body,
+                                const absl::optional<Grpc::Status::GrpcStatus> grpc_status,
+                                bool is_head_request);
+
 struct GetLastAddressFromXffInfo {
   // Last valid address pulled from the XFF header.
   Network::Address::InstanceConstSharedPtr address_;