envoyproxy · mattklein123 · Feb 12, 2019 · Jan 20, 2019 · Jan 20, 2019 · Jan 21, 2019
diff --git a/api/envoy/config/filter/accesslog/v2/accesslog.proto b/api/envoy/config/filter/accesslog/v2/accesslog.proto
@@ -73,6 +73,9 @@ message AccessLogFilter {
 
     // Response flag filter.
     ResponseFlagFilter response_flag_filter = 9;
+
+    // gRPC status filter.
+    GrpcStatusFilter grpc_status_filter = 10;
   }
 }
 
@@ -192,3 +195,34 @@ message ResponseFlagFilter {
     ]
   }];
 }
+
+// Filters gRPC requests based on their response status. If a gRPC status is not provided, the
+// filter will infer the status from the HTTP status code.
+message GrpcStatusFilter {
+  enum Status {
+    OK = 0;
+    CANCELED = 1;
+    UNKNOWN = 2;
+    INVALID_ARGUMENT = 3;
+    DEADLINE_EXCEEDED = 4;
+    NOT_FOUND = 5;
+    ALREADY_EXISTS = 6;
+    PERMISSION_DENIED = 7;
+    RESOURCE_EXHAUSTED = 8;
+    FAILED_PRECONDITION = 9;
+    ABORTED = 10;
+    OUT_OF_RANGE = 11;
+    UNIMPLEMENTED = 12;
+    INTERNAL = 13;
+    UNAVAILABLE = 14;
+    DATA_LOSS = 15;
+    UNAUTHENTICATED = 16;
+  }
+
+  // Logs only responses that have any one of the gRPC statuses in this field.
+  repeated Status statuses = 1 [(validate.rules).repeated .items.enum.defined_only = true];
+
+  // If included and set to true, the filter will instead block all responses with a gRPC status or
+  // inferred gRPC status enumerated in statuses, and allow all other responses.
+  bool exclude = 2;
+}
diff --git a/docs/root/intro/version_history.rst b/docs/root/intro/version_history.rst
@@ -4,6 +4,7 @@ Version history
 1.10.0 (pending)
 ================
 * access log: added a new flag for upstream retry count exceeded.
+* access log: added a :ref:`gRPC filter <envoy_api_msg_config.filter.accesslog.v2.GrpcStatusFilter>` to allow filtering on gRPC status.
 * access log: added a new flag for stream idle timeout.
 * admin: the admin server can now be accessed via HTTP/2 (prior knowledge).
 * buffer: fix vulnerabilities when allocation fails.

diff --git a/include/envoy/access_log/access_log.h b/include/envoy/access_log/access_log.h
@@ -41,8 +41,9 @@ class Filter {
    * Evaluate whether an access log should be written based on request and response data.
    * @return TRUE if the log should be written.
    */
-  virtual bool evaluate(const StreamInfo::StreamInfo& info,
-                        const Http::HeaderMap& request_headers) PURE;
+  virtual bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                        const Http::HeaderMap& response_headers,
+                        const Http::HeaderMap& response_trailers) PURE;
 };
 
 typedef std::unique_ptr<Filter> FilterPtr;

diff --git a/include/envoy/grpc/status.h b/include/envoy/grpc/status.h
@@ -5,6 +5,8 @@ namespace Grpc {
 
 class Status {
 public:
+  // If this enum is changed, then the std::unordered_map in Envoy::Grpc::Utility::nameToGrpcStatus
+  // located at: //source/common/access_log/grpc/status.cc must also be changed.
   enum GrpcStatus {
     // The RPC completed successfully.
     Ok = 0,

diff --git a/source/common/access_log/access_log_impl.cc b/source/common/access_log/access_log_impl.cc
@@ -74,27 +74,33 @@ FilterFactory::fromProto(const envoy::config::filter::accesslog::v2::AccessLogFi
   case envoy::config::filter::accesslog::v2::AccessLogFilter::kResponseFlagFilter:
     MessageUtil::validate(config);
     return FilterPtr{new ResponseFlagFilter(config.response_flag_filter())};
+  case envoy::config::filter::accesslog::v2::AccessLogFilter::kGrpcStatusFilter:
+    MessageUtil::validate(config);
+    return FilterPtr{new GrpcStatusFilter(config.grpc_status_filter())};
   default:
     NOT_REACHED_GCOVR_EXCL_LINE;
   }
 }
 
 bool TraceableRequestFilter::evaluate(const StreamInfo::StreamInfo& info,
-                                      const Http::HeaderMap& request_headers) {
+                                      const Http::HeaderMap& request_headers,
+                                      const Http::HeaderMap&, const Http::HeaderMap&) {
   Tracing::Decision decision = Tracing::HttpTracerUtility::isTracing(info, request_headers);
 
   return decision.traced && decision.reason == Tracing::Reason::ServiceForced;
 }
 
-bool StatusCodeFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&) {
+bool StatusCodeFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&,
+                                const Http::HeaderMap&, const Http::HeaderMap&) {
   if (!info.responseCode()) {
     return compareAgainstValue(0ULL);
   }
 
   return compareAgainstValue(info.responseCode().value());
 }
 
-bool DurationFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&) {
+bool DurationFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&,
+                              const Http::HeaderMap&, const Http::HeaderMap&) {
   absl::optional<std::chrono::nanoseconds> final = info.requestComplete();
   ASSERT(final);
 
@@ -108,7 +114,8 @@ RuntimeFilter::RuntimeFilter(const envoy::config::filter::accesslog::v2::Runtime
       percent_(config.percent_sampled()),
       use_independent_randomness_(config.use_independent_randomness()) {}
 
-bool RuntimeFilter::evaluate(const StreamInfo::StreamInfo&, const Http::HeaderMap& request_header) {
+bool RuntimeFilter::evaluate(const StreamInfo::StreamInfo&, const Http::HeaderMap& request_header,
+                             const Http::HeaderMap&, const Http::HeaderMap&) {
   const Http::HeaderEntry* uuid = request_header.RequestId();
   uint64_t random_value;
   if (use_independent_randomness_ || uuid == nullptr ||
@@ -139,11 +146,12 @@ AndFilter::AndFilter(const envoy::config::filter::accesslog::v2::AndFilter& conf
                      Runtime::Loader& runtime, Runtime::RandomGenerator& random)
     : OperatorFilter(config.filters(), runtime, random) {}
 
-bool OrFilter::evaluate(const StreamInfo::StreamInfo& info,
-                        const Http::HeaderMap& request_headers) {
+bool OrFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                        const Http::HeaderMap& response_headers,
+                        const Http::HeaderMap& response_trailers) {
   bool result = false;
   for (auto& filter : filters_) {
-    result |= filter->evaluate(info, request_headers);
+    result |= filter->evaluate(info, request_headers, response_headers, response_trailers);
 
     if (result) {
       break;
@@ -153,11 +161,12 @@ bool OrFilter::evaluate(const StreamInfo::StreamInfo& info,
   return result;
 }
 
-bool AndFilter::evaluate(const StreamInfo::StreamInfo& info,
-                         const Http::HeaderMap& request_headers) {
+bool AndFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                         const Http::HeaderMap& response_headers,
+                         const Http::HeaderMap& response_trailers) {
   bool result = true;
   for (auto& filter : filters_) {
-    result &= filter->evaluate(info, request_headers);
+    result &= filter->evaluate(info, request_headers, response_headers, response_trailers);
 
     if (!result) {
       break;
@@ -167,15 +176,17 @@ bool AndFilter::evaluate(const StreamInfo::StreamInfo& info,
   return result;
 }
 
-bool NotHealthCheckFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&) {
+bool NotHealthCheckFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&,
+                                    const Http::HeaderMap&, const Http::HeaderMap&) {
   return !info.healthCheck();
 }
 
 HeaderFilter::HeaderFilter(const envoy::config::filter::accesslog::v2::HeaderFilter& config) {
   header_data_.push_back(Http::HeaderUtility::HeaderData(config.header()));
 }
 
-bool HeaderFilter::evaluate(const StreamInfo::StreamInfo&, const Http::HeaderMap& request_headers) {
+bool HeaderFilter::evaluate(const StreamInfo::StreamInfo&, const Http::HeaderMap& request_headers,
+                            const Http::HeaderMap&, const Http::HeaderMap&) {
   return Http::HeaderUtility::matchHeaders(request_headers, header_data_);
 }
 
@@ -190,13 +201,60 @@ ResponseFlagFilter::ResponseFlagFilter(
   }
 }
 
-bool ResponseFlagFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&) {
+bool ResponseFlagFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&,
+                                  const Http::HeaderMap&, const Http::HeaderMap&) {
   if (configured_flags_ != 0) {
     return info.intersectResponseFlags(configured_flags_);
   }
   return info.hasAnyResponseFlag();
 }
 
+GrpcStatusFilter::GrpcStatusFilter(
+    const envoy::config::filter::accesslog::v2::GrpcStatusFilter& config) {
+  for (int i = 0; i < config.statuses_size(); i++) {
+    statuses_.insert(protoToGrpcStatus(config.statuses(i)));
+  }
+
+  exclude_ = config.exclude();
+}
+
+bool GrpcStatusFilter::evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap&,
+                                const Http::HeaderMap& response_headers,
+                                const Http::HeaderMap& response_trailers) {
+  // The gRPC specification does not guarantee a gRPC status code will be returned from a gRPC
+  // request. When it is returned, it will be in the response trailers. With that said, Envoy will
+  // treat a trailers-only response as a headers-only response, so we have to check the following
+  // in order:
+  //   1. response_trailers gRPC status, if it exists.
+  //   2. response_headers gRPC status, if it exists.
+  //   3. Inferred from info HTTP status, if it exists.
+  //
+  // If none of those options exist, it will default to Grpc::Status::GrpcStatus::Unknown.
+  const std::array<absl::optional<Grpc::Status::GrpcStatus>, 3> optional_statuses = {{
+      {Grpc::Common::getGrpcStatus(response_trailers)},
+      {Grpc::Common::getGrpcStatus(response_headers)},
+      {info.responseCode() ? absl::optional<Grpc::Status::GrpcStatus>(
+                                 Grpc::Utility::httpToGrpcStatus(info.responseCode().value()))
+                           : absl::nullopt},
+  }};
+
+  Grpc::Status::GrpcStatus status = Grpc::Status::GrpcStatus::Unknown;
+  for (const auto& optional_status : optional_statuses) {
+    if (optional_status.has_value()) {
+      status = optional_status.value();
+      break;
+    }
+  }
+
+  const bool found = statuses_.find(status) != statuses_.end();
+  return exclude_ ? !found : found;
+}
+
+Grpc::Status::GrpcStatus GrpcStatusFilter::protoToGrpcStatus(
+    envoy::config::filter::accesslog::v2::GrpcStatusFilter_Status status) const {
+  return static_cast<Grpc::Status::GrpcStatus>(status);
+}
+
 InstanceSharedPtr
 AccessLogFactory::fromProto(const envoy::config::filter::accesslog::v2::AccessLog& config,
                             Server::Configuration::FactoryContext& context) {

diff --git a/source/common/access_log/access_log_impl.h b/source/common/access_log/access_log_impl.h
@@ -2,13 +2,15 @@
 
 #include <cstdint>
 #include <string>
+#include <unordered_set>
 #include <vector>
 
 #include "envoy/access_log/access_log.h"
 #include "envoy/config/filter/accesslog/v2/accesslog.pb.h"
 #include "envoy/runtime/runtime.h"
 #include "envoy/server/access_log_config.h"
 
+#include "common/grpc/status.h"
 #include "common/http/header_utility.h"
 #include "common/protobuf/protobuf.h"
 
@@ -51,8 +53,9 @@ class StatusCodeFilter : public ComparisonFilter {
       : ComparisonFilter(config.comparison(), runtime) {}
 
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 };
 
 /**
@@ -65,8 +68,9 @@ class DurationFilter : public ComparisonFilter {
       : ComparisonFilter(config.comparison(), runtime) {}
 
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 };
 
 /**
@@ -91,8 +95,9 @@ class AndFilter : public OperatorFilter {
             Runtime::RandomGenerator& random);
 
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 };
 
 /**
@@ -104,8 +109,9 @@ class OrFilter : public OperatorFilter {
            Runtime::RandomGenerator& random);
 
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 };
 
 /**
@@ -116,8 +122,9 @@ class NotHealthCheckFilter : public Filter {
   NotHealthCheckFilter() {}
 
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 };
 
 /**
@@ -126,8 +133,9 @@ class NotHealthCheckFilter : public Filter {
 class TraceableRequestFilter : public Filter {
 public:
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 };
 
 /**
@@ -139,8 +147,9 @@ class RuntimeFilter : public Filter {
                 Runtime::Loader& runtime, Runtime::RandomGenerator& random);
 
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 
 private:
   Runtime::Loader& runtime_;
@@ -158,8 +167,9 @@ class HeaderFilter : public Filter {
   HeaderFilter(const envoy::config::filter::accesslog::v2::HeaderFilter& config);
 
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 
 private:
   std::vector<Http::HeaderUtility::HeaderData> header_data_;
@@ -173,13 +183,40 @@ class ResponseFlagFilter : public Filter {
   ResponseFlagFilter(const envoy::config::filter::accesslog::v2::ResponseFlagFilter& config);
 
   // AccessLog::Filter
-  bool evaluate(const StreamInfo::StreamInfo& info,
-                const Http::HeaderMap& request_headers) override;
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
 
 private:
   uint64_t configured_flags_{};
 };
 
+/**
+ * Filters requests that have a response with a gRPC status. Because the gRPC protocol does not
+ * guarantee a gRPC status code, if a gRPC status code is not available, then the filter will infer
+ * the gRPC status code from an HTTP status code if available.
+ */
+class GrpcStatusFilter : public Filter {
+public:
+  GrpcStatusFilter(const envoy::config::filter::accesslog::v2::GrpcStatusFilter& config);
+
+  // AccessLog::Filter
+  bool evaluate(const StreamInfo::StreamInfo& info, const Http::HeaderMap& request_headers,
+                const Http::HeaderMap& response_headers,
+                const Http::HeaderMap& response_trailers) override;
+
+private:
+  std::unordered_set<Grpc::Status::GrpcStatus> statuses_;
+  bool exclude_;
+
+  /**
+   * Converts a Protobuf representation of a gRPC status into the equivalent code version of a gRPC
+   * status.
+   */
+  Grpc::Status::GrpcStatus
+  protoToGrpcStatus(envoy::config::filter::accesslog::v2::GrpcStatusFilter_Status status) const;
+};
+
 /**
  * Access log factory that reads the configuration from proto.
  */

diff --git a/source/extensions/access_loggers/file/file_access_log_impl.cc b/source/extensions/access_loggers/file/file_access_log_impl.cc
@@ -30,7 +30,7 @@ void FileAccessLog::log(const Http::HeaderMap* request_headers,
   }
 
   if (filter_) {
-    if (!filter_->evaluate(stream_info, *request_headers)) {
+    if (!filter_->evaluate(stream_info, *request_headers, *response_headers, *response_trailers)) {
       return;
     }
   }
-Original file line number
+Diff line change
@@ Expand Up @@
       }
       if (filter_) {
-        if (!filter_->evaluate(stream_info, *request_headers)) {
+        if (!filter_->evaluate(stream_info, *request_headers, *response_headers, *response_trailers)) {
           return;
         }
       }
@@ Expand Down @@