Merge firebase to master (envoyproxy#258)

* Created check security rules file and a few dummy/helper functions. (envoyproxy#40)

* Created check security rules file and a few dummy/helper functions.

And added it to check work flow.

* Fix format.

* Firebase: Merge from master. (envoyproxy#53)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (envoyproxy#38)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect

* Fixed style.

* Rebase Envoy (envoyproxy#41)

* Update prototype to use iptables (envoyproxy#42)

* Rebase to fixed Envoy (envoyproxy#43)

* Handle HEAD request. (envoyproxy#34)

* Handle HEAD request.

* Try with GET if HEAD fails.

* Address comments.

* Format file.

* Expose bazel target (envoyproxy#48)

* Try again (envoyproxy#49)

* Enable ESP to invoke Firebase Security rules. (envoyproxy#54)

* Enable ESP to invoke Firebase Security rules.

* Address code review comments.

* Remove some debug logs

* Add proto file to capture TestRulesetRequest.

* clang-format files

* Resolve a merge issue with previous commit

* Allow security rules to disabled via serverconfig

* format file

* Addressed Wayne's review comments.

* Add firebase server to Server Config.

* Address Lizan's review comments

* Address review comments.

* Disable check rules service by default.

* Address more review comments.

* Fix a check.

* Delete unwanted constant.

* Address Wayne's comments and add a simple config test.

* Address a review comment.

* Add negative test case for config

* Address code review

* Remove unwanted const std::string

* Merge from master into firebase (envoyproxy#65)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (envoyproxy#38)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect

* Fixed style.

* Rebase Envoy (envoyproxy#41)

* Update prototype to use iptables (envoyproxy#42)

* Rebase to fixed Envoy (envoyproxy#43)

* Handle HEAD request. (envoyproxy#34)

* Handle HEAD request.

* Try with GET if HEAD fails.

* Address comments.

* Format file.

* Expose bazel target (envoyproxy#48)

* Try again (envoyproxy#49)

* Integrate with mixer client. (envoyproxy#55)

* Integrate with mixer client.

* Restore  repositories.bzl back.

* Add originIp and originHost attributes. (envoyproxy#56)

* Add uuid-dev dependency in README.md (envoyproxy#45)

* Extract originIp and OriginHost. (envoyproxy#57)

* Extract originIp and OriginHost.

* Make header x-forwarded-host const.

* Update buckets for UI. (envoyproxy#58)

* Update buckets for UI.

* Only update time_distribution.

* Add targetService attribute. (envoyproxy#59)

* Use envoy new access_log handler for sending Report. (envoyproxy#60)

* use access_log handler.

* Not to use Loggable base class.

* Update to the latest envoy with envoyproxy#396. (envoyproxy#61)

* Fix tclap dependency fetching error (envoyproxy#62)

* Update the auth checke to use service.experimental.authorization.providerwq!

* Update the auth check to use service.experimental.authorization.provider

* Update the auth check to use service.experimental.authorization.provider (envoyproxy#67)

* Update the auth check to use service.experimental.authorization.provider

* Address comments and revert accidental change.

* Remove unnecessary added accidentally.

* Another patch

* fix the logic

* fix lint

* Fix broken test and add unit tests

* Fix comments

* Fix style check

* revert style for raw string

* fix small lint

* fix small lint

* fix small lint

* Unit tests for check security rules. (envoyproxy#75)

* Unit tests for check security rules.

* format

* Address review comments.

* Fix typos

* Merge from master to firebase (envoyproxy#143)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (envoyproxy#38)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect

* Fixed style.

* Rebase Envoy (envoyproxy#41)

* Update prototype to use iptables (envoyproxy#42)

* Rebase to fixed Envoy (envoyproxy#43)

* Handle HEAD request. (envoyproxy#34)

* Handle HEAD request.

* Try with GET if HEAD fails.

* Address comments.

* Format file.

* Expose bazel target (envoyproxy#48)

* Try again (envoyproxy#49)

* Integrate with mixer client. (envoyproxy#55)

* Integrate with mixer client.

* Restore  repositories.bzl back.

* Add originIp and originHost attributes. (envoyproxy#56)

* Add uuid-dev dependency in README.md (envoyproxy#45)

* Extract originIp and OriginHost. (envoyproxy#57)

* Extract originIp and OriginHost.

* Make header x-forwarded-host const.

* Update buckets for UI. (envoyproxy#58)

* Update buckets for UI.

* Only update time_distribution.

* Add targetService attribute. (envoyproxy#59)

* Use envoy new access_log handler for sending Report. (envoyproxy#60)

* use access_log handler.

* Not to use Loggable base class.

* Update to the latest envoy with envoyproxy#396. (envoyproxy#61)

* Fix tclap dependency fetching error (envoyproxy#62)

* Integrate mixer client directly with envoy. (envoyproxy#66)

* Integrate mixer client directly with envoy.

* Send response header in Report.

* rename filter name from esp to mixer.

* add README.

* Add release binary script. (envoyproxy#68)

* Push tar.gz to GCS (envoyproxy#69)

* Push tar.gz to GCS

* Rename envoy_esp

* Remove mixer_client from api_manager. (envoyproxy#72)

* Update mixer client SHA. (envoyproxy#74)

* Update readme. (envoyproxy#73)

* Adds Jenkinsfile and updates release-binary to create a SHA. (envoyproxy#71)

* Adds Jenkinsfile and update release-binary
* Update Jenkinsfile and gitignore
* Fixes typo and use normal build Node
* Uses default bazel config
* Using batch mode
* Update bazel memory settings
* Do not use Jenkins bazel env
* Set .bazelrc for postsubmit

* Update grpc and protobuf (envoyproxy#70)

* protobuf v3.2.0
* grpc v1.1.1
* Align auth lib with grpc 1.1.1

* Add sourceService. (envoyproxy#78)

* Add script to build docker image. (envoyproxy#77)

* Add script to build docker image.

* Add start_envoy for docker image.

* Use official attribute names (envoyproxy#80)

* Use official attribute names

* fix format

* Creates a KEY for mixer client dep. Updates release-binary (envoyproxy#79)

* Updated mixer repo to use a key for commit

* release-binary skip build if file exists.

* Update src/envoy/mixer/README. (envoyproxy#82)

* Fix src/envoy/mixer/README.md (envoyproxy#85)

* Get attributes from envoy config. (envoyproxy#87)

* Send all attributes.

* Remove unused const strings.

* Address comment.

* updated SHA to point to newer envoy with RDS API feature (envoyproxy#94)

* Disable travis on stable branches (envoyproxy#96)

* Publish debug binaries (no release yet) (envoyproxy#98)

* Copies the binary instead of linking for release (envoyproxy#102)

* Not to use api_key if its service is not actived. (envoyproxy#109)

* Update envoy and add c-ares (envoyproxy#107)

* Update envoy and add c-ares depedencies

* Update release script with debug and normal binary

* remove debug ls

* formatting

* Send StatusCode Attributes to Mixer. (envoyproxy#110)

* Add send_attribute filter. (envoyproxy#115)

* Add send_attribute filter.

* Fix format

* rename variable serialized_attributes_

* Address the comments.

* Fail request if api_key is not valid. (envoyproxy#116)

* Fail request if api_key is not valid.

* Format code.

* Update comments.

* Address comment.

* Rename response.http.code (envoyproxy#125)

* Send headers as string map. (envoyproxy#129)

* Send headers as string map.

* Remove origin.ip and origin.host.

* Fix format

* unify bazel's docker build targets with other istio repos (envoyproxy#127)

* update base debug docker image reference (envoyproxy#133)

* Update postsubmit to create docker images (envoyproxy#132)

* Adding config release for bazel build (envoyproxy#135)

* Fix mixer client crash. (envoyproxy#136)

* Get mixerclient with response parsing. (envoyproxy#138)

* Update nghttp2 to sync with envoy (envoyproxy#140)

* Fix src/envoy/mixer/README.md

* Update nghttp2 to sync with envoy

* update

* fix typo

* Merge from master to firebase (envoyproxy#159)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (envoyproxy#38)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect

* Fixed style.

* Rebase Envoy (envoyproxy#41)

* Update prototype to use iptables (envoyproxy#42)

* Rebase to fixed Envoy (envoyproxy#43)

* Handle HEAD request. (envoyproxy#34)

* Handle HEAD request.

* Try with GET if HEAD fails.

* Address comments.

* Format file.

* Expose bazel target (envoyproxy#48)

* Try again (envoyproxy#49)

* Integrate with mixer client. (envoyproxy#55)

* Integrate with mixer client.

* Restore  repositories.bzl back.

* Add originIp and originHost attributes. (envoyproxy#56)

* Add uuid-dev dependency in README.md (envoyproxy#45)

* Extract originIp and OriginHost. (envoyproxy#57)

* Extract originIp and OriginHost.

* Make header x-forwarded-host const.

* Update buckets for UI. (envoyproxy#58)

* Update buckets for UI.

* Only update time_distribution.

* Add targetService attribute. (envoyproxy#59)

* Use envoy new access_log handler for sending Report. (envoyproxy#60)

* use access_log handler.

* Not to use Loggable base class.

* Update to the latest envoy with envoyproxy#396. (envoyproxy#61)

* Fix tclap dependency fetching error (envoyproxy#62)

* Integrate mixer client directly with envoy. (envoyproxy#66)

* Integrate mixer client directly with envoy.

* Send response header in Report.

* rename filter name from esp to mixer.

* add README.

* Add release binary script. (envoyproxy#68)

* Push tar.gz to GCS (envoyproxy#69)

* Push tar.gz to GCS

* Rename envoy_esp

* Remove mixer_client from api_manager. (envoyproxy#72)

* Update mixer client SHA. (envoyproxy#74)

* Update readme. (envoyproxy#73)

* Adds Jenkinsfile and updates release-binary to create a SHA. (envoyproxy#71)

* Adds Jenkinsfile and update release-binary
* Update Jenkinsfile and gitignore
* Fixes typo and use normal build Node
* Uses default bazel config
* Using batch mode
* Update bazel memory settings
* Do not use Jenkins bazel env
* Set .bazelrc for postsubmit

* Update grpc and protobuf (envoyproxy#70)

* protobuf v3.2.0
* grpc v1.1.1
* Align auth lib with grpc 1.1.1

* Add sourceService. (envoyproxy#78)

* Add script to build docker image. (envoyproxy#77)

* Add script to build docker image.

* Add start_envoy for docker image.

* Use official attribute names (envoyproxy#80)

* Use official attribute names

* fix format

* Creates a KEY for mixer client dep. Updates release-binary (envoyproxy#79)

* Updated mixer repo to use a key for commit

* release-binary skip build if file exists.

* Update src/envoy/mixer/README. (envoyproxy#82)

* Fix src/envoy/mixer/README.md (envoyproxy#85)

* Get attributes from envoy config. (envoyproxy#87)

* Send all attributes.

* Remove unused const strings.

* Address comment.

* updated SHA to point to newer envoy with RDS API feature (envoyproxy#94)

* Disable travis on stable branches (envoyproxy#96)

* Publish debug binaries (no release yet) (envoyproxy#98)

* Copies the binary instead of linking for release (envoyproxy#102)

* Not to use api_key if its service is not actived. (envoyproxy#109)

* Update envoy and add c-ares (envoyproxy#107)

* Update envoy and add c-ares depedencies

* Update release script with debug and normal binary

* remove debug ls

* formatting

* Send StatusCode Attributes to Mixer. (envoyproxy#110)

* Add send_attribute filter. (envoyproxy#115)

* Add send_attribute filter.

* Fix format

* rename variable serialized_attributes_

* Address the comments.

* Fail request if api_key is not valid. (envoyproxy#116)

* Fail request if api_key is not valid.

* Format code.

* Update comments.

* Address comment.

* Rename response.http.code (envoyproxy#125)

* Send headers as string map. (envoyproxy#129)

* Send headers as string map.

* Remove origin.ip and origin.host.

* Fix format

* unify bazel's docker build targets with other istio repos (envoyproxy#127)

* update base debug docker image reference (envoyproxy#133)

* Update postsubmit to create docker images (envoyproxy#132)

* Adding config release for bazel build (envoyproxy#135)

* Fix mixer client crash. (envoyproxy#136)

* Get mixerclient with response parsing. (envoyproxy#138)

* Update nghttp2 to sync with envoy (envoyproxy#140)

* Fix src/envoy/mixer/README.md

* Update nghttp2 to sync with envoy

* update

* fix typo

* Populate origin.user attribute from the SAN field of client cert (envoyproxy#142)

* Test

* test

* test

* revert file

* address comments

* test

* fix typo

* fix format

* fix format

* Update to latest mixer_client. (envoyproxy#145)

* Update to latest mixer_client.

* Updated the sha.

* Not call report if decodeHeaders is not called. (envoyproxy#150)

* Update mixerclient with sync-ed grpc write and fail-fast. (envoyproxy#155)

* Update mixerclient with sync-ed write and fail-fast.

* Update to latest test.

* Update again

* Update envoy to PR553 (envoyproxy#156)

* Update envoy to PR553

* Update libevent to 2.1.8

* Update the Commit id for envoy

* Allow for HTTP based function from Firebase rules (envoyproxy#202)

* Allow for HTTP based function from Firebase rules

* Fix code style check

* Added more comments.

* Fix style issues.

* Address code review comments from Limin and Lizan.

* Add more comments and address CR comments.

* Fix a typo.

* Address Wayne's CR comments.

* Merge from master to firebase (envoyproxy#237)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect (envoyproxy#38)

* Simple TCP server to show how to retrieve original dest IP:port after an iptables redirect

* Fixed style.

* Rebase Envoy (envoyproxy#41)

* Update prototype to use iptables (envoyproxy#42)

* Rebase to fixed Envoy (envoyproxy#43)

* Handle HEAD request. (envoyproxy#34)

* Handle HEAD request.

* Try with GET if HEAD fails.

* Address comments.

* Format file.

* Expose bazel target (envoyproxy#48)

* Try again (envoyproxy#49)

* Integrate with mixer client. (envoyproxy#55)

* Integrate with mixer client.

* Restore  repositories.bzl back.

* Add originIp and originHost attributes. (envoyproxy#56)

* Add uuid-dev dependency in README.md (envoyproxy#45)

* Extract originIp and OriginHost. (envoyproxy#57)

* Extract originIp and OriginHost.

* Make header x-forwarded-host const.

* Update buckets for UI. (envoyproxy#58)

* Update buckets for UI.

* Only update time_distribution.

* Add targetService attribute. (envoyproxy#59)

* Use envoy new access_log handler for sending Report. (envoyproxy#60)

* use access_log handler.

* Not to use Loggable base class.

* Update to the latest envoy with envoyproxy#396. (envoyproxy#61)

* Fix tclap dependency fetching error (envoyproxy#62)

* Integrate mixer client directly with envoy. (envoyproxy#66)

* Integrate mixer client directly with envoy.

* Send response header in Report.

* rename filter name from esp to mixer.

* add README.

* Add release binary script. (envoyproxy#68)

* Push tar.gz to GCS (envoyproxy#69)

* Push tar.gz to GCS

* Rename envoy_esp

* Remove mixer_client from api_manager. (envoyproxy#72)

* Update mixer client SHA. (envoyproxy#74)

* Update readme. (envoyproxy#73)

* Adds Jenkinsfile and updates release-binary to create a SHA. (envoyproxy#71)

* Adds Jenkinsfile and update release-binary
* Update Jenkinsfile and gitignore
* Fixes typo and use normal build Node
* Uses default bazel config
* Using batch mode
* Update bazel memory settings
* Do not use Jenkins bazel env
* Set .bazelrc for postsubmit

* Update grpc and protobuf (envoyproxy#70)

* protobuf v3.2.0
* grpc v1.1.1
* Align auth lib with grpc 1.1.1

* Add sourceService. (envoyproxy#78)

* Add script to build docker image. (envoyproxy#77)

* Add script to build docker image.

* Add start_envoy for docker image.

* Use official attribute names (envoyproxy#80)

* Use official attribute names

* fix format

* Creates a KEY for mixer client dep. Updates release-binary (envoyproxy#79)

* Updated mixer repo to use a key for commit

* release-binary skip build if file exists.

* Update src/envoy/mixer/README. (envoyproxy#82)

* Fix src/envoy/mixer/README.md (envoyproxy#85)

* Get attributes from envoy config. (envoyproxy#87)

* Send all attributes.

* Remove unused const strings.

* Address comment.

* updated SHA to point to newer envoy with RDS API feature (envoyproxy#94)

* Disable travis on stable branches (envoyproxy#96)

* Publish debug binaries (no release yet) (envoyproxy#98)

* Copies the binary instead of linking for release (envoyproxy#102)

* Not to use api_key if its service is not actived. (envoyproxy#109)

* Update envoy and add c-ares (envoyproxy#107)

* Update envoy and add c-ares depedencies

* Update release script with debug and normal binary

* remove debug ls

* formatting

* Send StatusCode Attributes to Mixer. (envoyproxy#110)

* Add send_attribute filter. (envoyproxy#115)

* Add send_attribute filter.

* Fix format

* rename variable serialized_attributes_

* Address the comments.

* Fail request if api_key is not valid. (envoyproxy#116)

* Fail request if api_key is not valid.

* Format code.

* Update comments.

* Address comment.

* Rename response.http.code (envoyproxy#125)

* Send headers as string map. (envoyproxy#129)

* Send headers as string map.

* Remove origin.ip and origin.host.

* Fix format

* unify bazel's docker build targets with other istio repos (envoyproxy#127)

* update base debug docker image reference (envoyproxy#133)

* Update postsubmit to create docker images (envoyproxy#132)

* Adding config release for bazel build (envoyproxy#135)

* Fix mixer client crash. (envoyproxy#136)

* Get mixerclient with response parsing. (envoyproxy#138)

* Update nghttp2 to sync with envoy (envoyproxy#140)

* Fix src/envoy/mixer/README.md

* Update nghttp2 to sync with envoy

* update

* fix typo

* Populate origin.user attribute from the SAN field of client cert (envoyproxy#142)

* Test

* test

* test

* revert file

* address comments

* test

* fix typo

* fix format

* fix format

* Update to latest mixer_client. (envoyproxy#145)

* Update to latest mixer_client.

* Updated the sha.

* Not call report if decodeHeaders is not called. (envoyproxy#150)

* Update mixerclient with sync-ed grpc write and fail-fast. (envoyproxy#155)

* Update mixerclient with sync-ed write and fail-fast.

* Update to latest test.

* Update again

* Update envoy to PR553 (envoyproxy#156)

* Update envoy to PR553

* Update libevent to 2.1.8

* Uses a specific version of the Shared Pipeline lib (envoyproxy#158)

* Update lyft/envoy commit Id to latest. (envoyproxy#161)

* Update lyft/envoy commit Id to latest.

* Remove the comment about pull request

* Add new line - will delete in next commit.

* Update repositories.bzl (envoyproxy#169)

* Always set response latency (envoyproxy#172)

* Update mixerclient to sync_transport change. (envoyproxy#178)

* Use opaque config to turn on/off forward attribute and mixer filter (envoyproxy#179)

* Modify mixer filter

* Swap defaults

* Make the filter decoder only

* cache mixer disabled decision

* Fix a bug in opaque config change and test it out (envoyproxy#182)

* Fix a bug and test it out

* Update filter type

* Update README.md

* Update mixer client to mixer api with gogoproto. (envoyproxy#184)

* Move .bazelrc to tools/bazel.rc (envoyproxy#186)

* Move .bazelrc to tools/bazel.rc

* Update Jenkinsfile with latest version of pipeline

* Support apikey based traffic restriction (envoyproxy#189)

* b/36368559 support apikey based traffic restriction

* Fixed code formatting

* Fix crash in unreachable/overloaded RDS (envoyproxy#190)

* Add mixer client end to end integration test. (envoyproxy#177)

* Add mixer client end to end integration test.

* Split some repositories into a separate file.

* use real mixer for fake mixer_server.

* Test repository

* use mixer bzl file.

* Use mixer repositories

* Not to use mixer repository.

* Add return line at the end of WORKSPACE.

* Fix broken link (envoyproxy#193)

* Make quota call (envoyproxy#192)

* hookup quota call

* Make quota call.

* Update indent.

* Update envoy and update configs (envoyproxy#195)

* Update envoy and update configs

* Use gcc-4.9 for travis

* Use bazel 0.4.5

* Fix SHA of lightstep-tracer-common

* Enable check cache and refactory mixer config loading  (envoyproxy#197)

* Refactory the mixer config loading.

* fix format

* Add integration test.

* updated README.md

* s/send/sent/

* Split into separate tests. (envoyproxy#201)

* Update README on how to enable check cache. (envoyproxy#204)

* Update README on how to enable check cache.

* Update the comment.

* build: support Envoy native Bazel build. (envoyproxy#210)

* build: support Envoy native Bazel build.

This patch switches the Envoy build from src/envoy/repositories.bzl to
using the upstream native build.

See envoyproxy#663 for the corresponding changes
on the Envoy side.

* Use Envoy master with BUILD.wip rename merged.

* Fix clang-format issues.

* Fixes bazel.rc issues (envoyproxy#212)

* Fixes bazel rc issues

* Update Jenkins to latest pipeline version

* Fix go build (envoyproxy#224)

* Use TranscoderInputStream to reduce confusion around ByteCount() (envoyproxy#225)

* Add TranscoderInputStream to reduce confusion

* fix_format

* Merge latest changes from rate_limiting to master (envoyproxy#221)

* Point to googleapi in service control client. (envoyproxy#91)

* Point to googleapi in service control client.

* Use git repository for service-control-client.

* Merge latest changes from master (envoyproxy#104)

* Get attributes from envoy config. (envoyproxy#87)

* Send all attributes.

* Remove unused const strings.

* Address comment.

* updated SHA to point to newer envoy with RDS API feature (envoyproxy#94)

* Disable travis on stable branches (envoyproxy#96)

* Publish debug binaries (no release yet) (envoyproxy#98)

* Copies the binary instead of linking for release (envoyproxy#102)

* Extract quota config from service config. (envoyproxy#101)

* Add metric_cost in config.

* Remove group rules.

* Call loadQuotaConfig in config::create.

* Update latest update from master branch (envoyproxy#106)

* Get attributes from envoy config. (envoyproxy#87)

* Send all attributes.

* Remove unused const strings.

* Address comment.

* updated SHA to point to newer envoy with RDS API feature (envoyproxy#94)

* Disable travis on stable branches (envoyproxy#96)

* Publish debug binaries (no release yet) (envoyproxy#98)

* Copies the binary instead of linking for release (envoyproxy#102)

* Added quota contoll without the service control client library (envoyproxy#93)

* Added quota contoll without the service control client library

* Applied code review

* Applied code review

* Resolve conflicts

* Resolve conflicts

* Fixed format error reported by script/check-style

* Fixed a bug at Aggregated::GetAuthToken that causes Segmentation Fault

* Changed usage of template funcion

* Applied latest changes from the repo

* Applied latest changes from the repo

* Applied latest changes from the repo

* Adde comments

* Updated log information

* Applied envoyproxy#101

* Changed metric_cost_map to metric_cost_vector

* Fixed test case compilation error

* Fixed test case compilation error

* Add unit test for quota config. (envoyproxy#108)

* Add unit test for quota config.

* Add comments.

* Update test specifics.

* Merge latest changes from master branch (envoyproxy#112)

* Get attributes from envoy config. (envoyproxy#87)

* Send all attributes.

* Remove unused const strings.

* Address comment.

* updated SHA to point to newer envoy with RDS API feature (envoyproxy#94)

* Disable travis on stable branches (envoyproxy#96)

* Publish debug binaries (no release yet) (envoyproxy#98)

* Copies the binary instead of linking for release (envoyproxy#102)

* Not to use api_key if its service is not actived. (envoyproxy#109)

* If QuotaControl service is not available, return utils::Status::OK (envoyproxy#113)

* If QuotaControl service is not available, return utils::Status::OK

* Updated comment

* Return HTTP status code 429 on google.rpc.Code.RESOURCE_EXHAUSTED (envoyproxy#119)

* Fixed incorrectly resolved conflicts (envoyproxy#123)

* Added unit test cases for rate limiting (envoyproxy#124)

* Fixed incorrectly resolved conflicts

* Added unit test cases for rate limiting

* Added unit test cases for rate limiting

* Added unit test cases for rate limiting

* Added unit test cases for rate limiting

* Added unit test cases for rate limiting

* Added unit test cases for rate limiting

* Rename response.http.code (envoyproxy#125) (envoyproxy#128)

* Added handling of error code QUOTA_SYSTEM_UNAVAILABLE (envoyproxy#148)

* Integrated service control client library with quota cache aggregation (envoyproxy#149)

* Fixed error on merge (envoyproxy#151)

* Integrated service control client library with quota cache aggregation

* Fixed error on merge

* Fixed the compatibility issue with the latest update on esp (envoyproxy#152)

* Removed copied proto files (envoyproxy#208)

* Set default allocate quota request timeout to 1sec and applied latest service control client library change (envoyproxy#211)

* Merged key_restriction related changes from master (envoyproxy#213)

* Merge latest changes from master branch (envoyproxy#217)

* Not call report if decodeHeaders is not called. (envoyproxy#150)

* Update mixerclient with sync-ed grpc write and fail-fast. (envoyproxy#155)

* Update mixerclient with sync-ed write and fail-fast.

* Update to latest test.

* Update again

* Update envoy to PR553 (envoyproxy#156)

* Update envoy to PR553

* Update libevent to 2.1.8

* Uses a specific version of the Shared Pipeline lib (envoyproxy#158)

* Update lyft/envoy commit Id to latest. (envoyproxy#161)

* Update lyft/envoy commit Id to latest.

* Remove the comment about pull request

* Add new line - will delete in next commit.

* Update repositories.bzl (envoyproxy#169)

* Always set response latency (envoyproxy#172)

* Update mixerclient to sync_transport change. (envoyproxy#178)

* Use opaque config to turn on/off forward attribute and mixer filter (envoyproxy#179)

* Modify mixer filter

* Swap defaults

* Make the filter decoder only

* cache mixer disabled decision

* Fix a bug in opaque config change and test it out (envoyproxy#182)

* Fix a bug and test it out

* Update filter type

* Update README.md

* Update mixer client to mixer api with gogoproto. (envoyproxy#184)

* Move .bazelrc to tools/bazel.rc (envoyproxy#186)

* Move .bazelrc to tools/bazel.rc

* Update Jenkinsfile with latest version of pipeline

* Support apikey based traffic restriction (envoyproxy#189)

* b/36368559 support apikey based traffic restriction

* Fixed code formatting

* Fix crash in unreachable/overloaded RDS (envoyproxy#190)

* Add mixer client end to end integration test. (envoyproxy#177)

* Add mixer client end to end integration test.

* Split some repositories into a separate file.

* use real mixer for fake mixer_server.

* Test repository

* use mixer bzl file.

* Use mixer repositories

* Not to use mixer repository.

* Add return line at the end of WORKSPACE.

* Fix broken link (envoyproxy#193)

* Make quota call (envoyproxy#192)

* hookup quota call

* Make quota call.

* Update indent.

* Update envoy and update configs (envoyproxy#195)

* Update envoy and update configs

* Use gcc-4.9 for travis

* Use bazel 0.4.5

* Fix SHA of lightstep-tracer-common

* Enable check cache and refactory mixer config loading  (envoyproxy#197)

* Refactory the mixer config loading.

* fix format

* Add integration test.

* updated README.md

* s/send/sent/

* Split into separate tests. (envoyproxy#201)

* Update README on how to enable check cache. (envoyproxy#204)

* Update README on how to enable check cache.

* Update the comment.

* build: support Envoy native Bazel build. (envoyproxy#210)

* build: support Envoy native Bazel build.

This patch switches the Envoy build from src/envoy/repositories.bzl to
using the upstream native build.

See envoyproxy#663 for the corresponding changes
on the Envoy side.

* Use Envoy master with BUILD.wip rename merged.

* Fix clang-format issues.

* Fixes bazel.rc issues (envoyproxy#212)

* Fixes bazel rc issues

* Update Jenkins to latest pipeline version

* Updated the commit id of cloudendpoints/service-control-client-cxx (envoyproxy#218)

* Update commitid of cloudendpoints/service-control-client-cxx repo (envoyproxy#220)

* Send delta metrics for intermediate reports. (envoyproxy#219)

* Send delta metrics for intermediate reports.

* Move last_request_bytes/last_response_bytes to RequestContext.

* Handle final report.

* Address comment.

* Update attributes to match the canonical attribute list. (envoyproxy#232)

* Update response.http.code to response.code and response.latency to response.duration to line up with the canonical attributes in istio/istio.github.io/docs/concepts/attributes.md

* Format according to clang-format

* Add envoy Buffer based TranscoderInputStream (envoyproxy#231)

* Add envoy Buffer based TranscoderInputStream

* fix format

* A few doc changes for consistency across repos. (envoyproxy#235)

* Add repositories.bzl

* Added missing export setting in bazel configuration (envoyproxy#236)

* Added export missing in bazel configuration

* Added export missing in bazel configuration

* Allow HTTP functions in firebase rules to specify audience (envoyproxy#244)

* Allow HTTP functions in firebase rules to specify audience

* Allow GetAuthToken to ignore cache and fix style checks.

* Fix GetAuthToken

* Address Wayne's comment

* Check for empty response body

* Remove .bazelrc.jenkins file not present in the master branch.

* Remove forward_attribute_filter.cc not present in master.

Author: sarvaniv

contrib/endpoints/src/api_manager/BUILD

@@ -38,6 +38,19 @@ cc_proto_library(
     visibility = ["//visibility:public"],
 )
 
+cc_proto_library(
+    name = "security_rules_proto",
+    srcs = [
+        "proto/security_rules.proto",
+    ],
+    default_runtime = "//external:protobuf",
+    protoc = "//external:protoc",
+    visibility = ["//visibility:public"],
+    deps = [
+        "//external:cc_wkt_protos",
+    ],
+)
+
 cc_library(
     name = "auth_headers",
     hdrs = [
@@ -65,6 +78,8 @@ cc_library(
         "api_manager_impl.cc",
         "check_auth.cc",
         "check_auth.h",
+        "check_security_rules.cc",
+        "check_security_rules.h",
         "check_service_control.cc",
         "check_service_control.h",
         "check_workflow.cc",
@@ -95,11 +110,13 @@ cc_library(
         ":path_matcher",
         ":impl_headers",
         ":server_config_proto",
+        ":security_rules_proto",
         "//contrib/endpoints/src/api_manager/auth",
         "//contrib/endpoints/src/api_manager/cloud_trace",
         "//contrib/endpoints/src/api_manager/context",
         "//contrib/endpoints/src/api_manager/service_control",
         "//contrib/endpoints/src/api_manager/utils",
+        "//contrib/endpoints/src/api_manager/firebase_rules",
         "//external:cc_wkt_protos",
         "//external:cloud_trace",
         "//external:googletest_prod",
@@ -288,3 +305,20 @@ cc_test(
         "//external:googletest_main",
     ],
 )
+
+cc_test(
+    name = "check_security_rules_test",
+    size = "small",
+    srcs = [
+        "check_security_rules_test.cc",
+        "mock_request.h",
+    ],
+    linkstatic = 1,
+    deps = [
+        ":api_manager",
+        ":mock_api_manager_environment",
+        ":security_rules_proto",
+        "//external:cc_wkt_protos",
+        "//external:googletest_main",
+    ],
+)

contrib/endpoints/src/api_manager/auth.h

@@ -40,6 +40,8 @@ struct UserInfo {
   // Authorized party of the incoming JWT.
   // See http://openid.net/specs/openid-connect-core-1_0.html#IDToken
   std::string authorized_party;
+  // String of claims
+  std::string claims;
 
   // Returns audiences as a comma separated strings.
   std::string AudiencesAsString() const {

contrib/endpoints/src/api_manager/auth/lib/auth_jwt_validator.cc

@@ -708,12 +708,19 @@ grpc_jwt_verifier_status JwtValidatorImpl::FillUserInfoAndSetExp(
 
   // Optional field.
   const grpc_json *grpc_json = grpc_jwt_claims_json(claims_);
+
+  char *json_str =
+      grpc_json_dump_to_string(const_cast<::grpc_json *>(grpc_json), 0);
+  if (json_str != nullptr) {
+    user_info->claims = json_str;
+    gpr_free(json_str);
+  }
+
   const char *email = GetStringValue(grpc_json, "email");
   user_info->email = email == nullptr ? "" : email;
   const char *authorized_party = GetStringValue(grpc_json, "azp");
   user_info->authorized_party =
       authorized_party == nullptr ? "" : authorized_party;
-
   exp_ = system_clock::from_time_t(grpc_jwt_claims_expires_at(claims_).tv_sec);
 
   return GRPC_JWT_VERIFIER_OK;

contrib/endpoints/src/api_manager/auth/service_account_token.cc

@@ -56,10 +56,20 @@ Status ServiceAccountToken::SetClientAuthSecret(const std::string& secret) {
 void ServiceAccountToken::SetAudience(JWT_TOKEN_TYPE type,
                                       const std::string& audience) {
   GOOGLE_CHECK(type >= 0 && type < JWT_TOKEN_TYPE_MAX);
-  jwt_tokens_[type].set_audience(audience);
+  if (jwt_tokens_[type].audience() != audience) {
+    jwt_tokens_[type].set_token("", 0);
+    jwt_tokens_[type].set_audience(audience);
+  }
 }
 
 const std::string& ServiceAccountToken::GetAuthToken(JWT_TOKEN_TYPE type) {
+  return GetAuthToken(type, jwt_tokens_[type].audience());
+}
+
+const std::string& ServiceAccountToken::GetAuthToken(
+    JWT_TOKEN_TYPE type, const std::string& audience) {
+  SetAudience(type, audience);
+
   // Uses authentication secret if available.
   if (!client_auth_secret_.empty()) {
     GOOGLE_CHECK(type >= 0 && type < JWT_TOKEN_TYPE_MAX);

contrib/endpoints/src/api_manager/auth/service_account_token.h

@@ -64,6 +64,10 @@ class ServiceAccountToken {
   enum JWT_TOKEN_TYPE {
     JWT_TOKEN_FOR_SERVICE_CONTROL = 0,
     JWT_TOKEN_FOR_CLOUD_TRACING,
+    JWT_TOKEN_FOR_FIREBASE,
+
+    // JWT token for accessing the http endpoints defined in Firebase Rules.
+    JWT_TOKEN_FOR_AUTHORIZATION_SERVICE,
     JWT_TOKEN_FOR_QUOTA_CONTROL,
     JWT_TOKEN_TYPE_MAX,
   };
@@ -75,6 +79,13 @@ class ServiceAccountToken {
   // Otherwise, use the access token fetched from metadata server.
   const std::string& GetAuthToken(JWT_TOKEN_TYPE type);
 
+  // Gets the auth token to access Google services. This method accepts an
+  // audience parameter to set when generating JWT token.
+  // If client auth secret is specified, use it to calcualte JWT token.
+  // Otherwise, use the access token fetched from metadata server.
+  const std::string& GetAuthToken(JWT_TOKEN_TYPE type,
+                                  const std::string& audience);
+
  private:
   // Stores base token info. Used for both OAuth and JWT tokens.
   class TokenInfo {

contrib/endpoints/src/api_manager/check_auth.cc

@@ -243,6 +243,8 @@ void AuthChecker::CheckAudience(bool cache_hit) {
   context_->set_auth_audience(audience);
   context_->set_auth_authorized_party(user_info_.authorized_party);
 
+  context_->set_auth_claims(user_info_.claims);
+
   // Remove http/s header and trailing '/' for issuer.
   std::string issuer = utils::GetUrlContent(user_info_.issuer);
   if (!context_->method()->isIssuerAllowed(issuer)) {

contrib/endpoints/src/api_manager/check_security_rules.cc

@@ -0,0 +1,230 @@
+// Copyright 2017 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+#include "contrib/endpoints/src/api_manager/check_security_rules.h"
+#include <iostream>
+#include <sstream>
+#include "contrib/endpoints/src/api_manager/auth/lib/json_util.h"
+#include "contrib/endpoints/src/api_manager/firebase_rules/firebase_request.h"
+#include "contrib/endpoints/src/api_manager/utils/marshalling.h"
+
+using ::google::api_manager::auth::GetStringValue;
+using ::google::api_manager::firebase_rules::FirebaseRequest;
+using ::google::api_manager::utils::Status;
+const char kFirebaseAudience[] =
+    "https://staging-firebaserules.sandbox.googleapis.com/"
+    "google.firebase.rules.v1.FirebaseRulesService";
+
+namespace google {
+namespace api_manager {
+namespace {
+
+const std::string kFailedFirebaseReleaseFetch =
+    "Failed to fetch Firebase Release";
+const std::string kFailedFirebaseTest = "Failed to execute Firebase Test";
+const std::string kInvalidResponse =
+    "Invalid JSON response from Firebase Service";
+const std::string kV1 = "/v1";
+const std::string kHttpGetMethod = "GET";
+const std::string kProjects = "/projects";
+const std::string kReleases = "/releases";
+const std::string kRulesetName = "rulesetName";
+const std::string kContentType = "Content-Type";
+const std::string kApplication = "application/json";
+
+std::string GetReleaseName(const context::RequestContext &context) {
+  return context.service_context()->service_name() + ":" +
+         context.service_context()->service().apis(0).version();
+}
+
+std::string GetReleaseUrl(const context::RequestContext &context) {
+  return context.service_context()->config()->GetFirebaseServer() + kV1 +
+         kProjects + "/" + context.service_context()->project_id() + kReleases +
+         "/" + GetReleaseName(context);
+}
+
+// An AuthzChecker object is created for every incoming request. It does
+// authorizaiton by calling Firebase Rules service.
+class AuthzChecker : public std::enable_shared_from_this<AuthzChecker> {
+ public:
+  // Constructor
+  AuthzChecker(ApiManagerEnvInterface *env,
+               auth::ServiceAccountToken *sa_token);
+
+  // Check for Authorization success or failure
+  void Check(std::shared_ptr<context::RequestContext> context,
+             std::function<void(Status status)> continuation);
+
+ private:
+  // This method invokes the Firebase TestRuleset API endpoint as well as user
+  // defined endpoints provided by the TestRulesetResponse.
+  void CallNextRequest(std::function<void(Status status)> continuation);
+
+  // Parse the response for GET RELEASE API call
+  Status ParseReleaseResponse(const std::string &json_str,
+                              std::string *ruleset_id);
+
+  // Invoke the HTTP call
+  void HttpFetch(const std::string &url, const std::string &method,
+                 const std::string &request_body,
+                 auth::ServiceAccountToken::JWT_TOKEN_TYPE token_type,
+                 const std::string &audience,
+                 std::function<void(Status, std::string &&)> continuation);
+
+  std::shared_ptr<AuthzChecker> GetPtr() { return shared_from_this(); }
+
+  ApiManagerEnvInterface *env_;
+  auth::ServiceAccountToken *sa_token_;
+  std::unique_ptr<FirebaseRequest> request_handler_;
+};
+
+AuthzChecker::AuthzChecker(ApiManagerEnvInterface *env,
+                           auth::ServiceAccountToken *sa_token)
+    : env_(env), sa_token_(sa_token) {}
+
+void AuthzChecker::Check(
+    std::shared_ptr<context::RequestContext> context,
+    std::function<void(Status status)> final_continuation) {
+  // TODO: Check service config to see if "useSecurityRules" is specified.
+  // If so, call Firebase Rules service TestRuleset API.
+
+  if (!context->service_context()->IsRulesCheckEnabled() ||
+      context->method() == nullptr || !context->method()->auth()) {
+    env_->LogDebug("Skipping Firebase Rules checks since it is disabled.");
+    final_continuation(Status::OK);
+    return;
+  }
+
+  // Fetch the Release attributes and get ruleset name.
+  auto checker = GetPtr();
+  HttpFetch(GetReleaseUrl(*context), kHttpGetMethod, "",
+            auth::ServiceAccountToken::JWT_TOKEN_FOR_FIREBASE,
+            kFirebaseAudience, [context, final_continuation, checker](
+                                   Status status, std::string &&body) {
+              std::string ruleset_id;
+              if (status.ok()) {
+                checker->env_->LogDebug(
+                    std::string("GetReleasName succeeded with ") + body);
+                status = checker->ParseReleaseResponse(body, &ruleset_id);
+              } else {
+                checker->env_->LogError(std::string("GetReleaseName for ") +
+                                        GetReleaseUrl(*context.get()) +
+                                        " with status " + status.ToString());
+                status = Status(Code::INTERNAL, kFailedFirebaseReleaseFetch);
+              }
+
+              // If the parsing of the release body is successful, then call the
+              // Test Api for firebase rules service.
+              if (status.ok()) {
+                checker->request_handler_ = std::unique_ptr<FirebaseRequest>(
+                    new FirebaseRequest(ruleset_id, checker->env_, context));
+                checker->CallNextRequest(final_continuation);
+              } else {
+                final_continuation(status);
+              }
+            });
+}
+
+void AuthzChecker::CallNextRequest(
+    std::function<void(Status status)> continuation) {
+  if (request_handler_->is_done()) {
+    continuation(request_handler_->RequestStatus());
+    return;
+  }
+
+  auto checker = GetPtr();
+  firebase_rules::HttpRequest http_request = request_handler_->GetHttpRequest();
+  HttpFetch(http_request.url, http_request.method, http_request.body,
+            http_request.token_type, http_request.audience,
+            [continuation, checker](Status status, std::string &&body) {
+
+              checker->env_->LogError(std::string("Response Body = ") + body);
+              if (status.ok() && !body.empty()) {
+                checker->request_handler_->UpdateResponse(body);
+                checker->CallNextRequest(continuation);
+              } else {
+                checker->env_->LogError(
+                    std::string("Test API failed with ") +
+                    (status.ok() ? "Empty Response" : status.ToString()));
+                status = Status(Code::INTERNAL, kFailedFirebaseTest);
+                continuation(status);
+              }
+            });
+}
+
+Status AuthzChecker::ParseReleaseResponse(const std::string &json_str,
+                                          std::string *ruleset_id) {
+  grpc_json *json = grpc_json_parse_string_with_len(
+      const_cast<char *>(json_str.data()), json_str.length());
+
+  if (!json) {
+    return Status(Code::INVALID_ARGUMENT, kInvalidResponse);
+  }
+
+  Status status = Status::OK;
+  const char *id = GetStringValue(json, kRulesetName.c_str());
+  *ruleset_id = (id == nullptr) ? "" : id;
+
+  if (ruleset_id->empty()) {
+    env_->LogError("Empty ruleset Id received from firebase service");
+    status = Status(Code::INTERNAL, kInvalidResponse);
+  } else {
+    env_->LogDebug(std::string("Received ruleset Id: ") + *ruleset_id);
+  }
+
+  grpc_json_destroy(json);
+  return status;
+}
+
+void AuthzChecker::HttpFetch(
+    const std::string &url, const std::string &method,
+    const std::string &request_body,
+    auth::ServiceAccountToken::JWT_TOKEN_TYPE token_type,
+    const std::string &audience,
+    std::function<void(Status, std::string &&)> continuation) {
+  env_->LogDebug(std::string("Issue HTTP Request to url :") + url +
+                 " method : " + method + " body: " + request_body);
+
+  std::unique_ptr<HTTPRequest> request(new HTTPRequest([continuation](
+      Status status, std::map<std::string, std::string> &&,
+      std::string &&body) { continuation(status, std::move(body)); }));
+
+  if (!request) {
+    continuation(Status(Code::INTERNAL, "Out of memory"), "");
+    return;
+  }
+
+  request->set_method(method).set_url(url).set_auth_token(
+      sa_token_->GetAuthToken(token_type, audience));
+
+  if (!request_body.empty()) {
+    request->set_header(kContentType, kApplication).set_body(request_body);
+  }
+
+  env_->RunHTTPRequest(std::move(request));
+}
+
+}  // namespace
+
+void CheckSecurityRules(std::shared_ptr<context::RequestContext> context,
+                        std::function<void(Status status)> continuation) {
+  std::shared_ptr<AuthzChecker> checker = std::make_shared<AuthzChecker>(
+      context->service_context()->env(),
+      context->service_context()->service_account_token());
+  checker->Check(context, continuation);
+}
+
+}  // namespace api_manager
+}  // namespace google