From b6039234e526eeccdf332a7eb041729aaa1bc286 Mon Sep 17 00:00:00 2001 From: Snow Pettersen Date: Thu, 20 May 2021 23:30:58 -0400 Subject: [PATCH 01/14] docs: mark matching API and related features as alpha (#16210) Marks the matching API more clearly as experimental and updates the composite filter security posture to reflect this. Signed-off-by: Snow Pettersen --- api/STYLE.md | 5 +++++ api/envoy/config/common/matcher/v3/matcher.proto | 2 +- api/envoy/config/common/matcher/v4alpha/matcher.proto | 2 +- .../extensions/common/matching/v3/extension_matcher.proto | 2 ++ .../common/matching/v4alpha/extension_matcher.proto | 2 ++ .../extensions/filters/http/composite/v3/composite.proto | 1 + .../configuration/http/http_filters/composite_filter.rst | 5 +++++ .../arch_overview/advanced/matching/matching_api.rst | 5 +++++ docs/root/intro/arch_overview/security/threat_model.rst | 8 +++++--- .../envoy/config/common/matcher/v3/matcher.proto | 2 +- .../envoy/config/common/matcher/v4alpha/matcher.proto | 2 +- .../extensions/common/matching/v3/extension_matcher.proto | 2 ++ .../common/matching/v4alpha/extension_matcher.proto | 2 ++ .../extensions/filters/http/composite/v3/composite.proto | 1 + source/extensions/filters/http/composite/BUILD | 2 +- tools/api_proto_plugin/annotations.py | 4 ++++ tools/protodoc/protodoc.py | 8 +++++++- 17 files changed, 46 insertions(+), 9 deletions(-) diff --git a/api/STYLE.md b/api/STYLE.md index 30599e194a6f2..6368609580f08 100644 --- a/api/STYLE.md +++ b/api/STYLE.md 
@@ -34,6 +34,11 @@ In addition, the following conventions should be followed: implementation. These indicate that the entity is not implemented in Envoy and the entity should be hidden from the Envoy documentation. +* Use a `[#alpha:]` annotation in comments for messages that are considered alpha + and are not subject to the threat model. This is similar to the work-in-progress/alpha tagging + of extensions described below, but allows tagging messages that are used as part of the core API + as alpha without having to break it into its own file. + * Always use plural field names for `repeated` fields, such as `filters`. * Due to the fact that we consider JSON/YAML to be first class inputs, we cannot easily change a diff --git a/api/envoy/config/common/matcher/v3/matcher.proto b/api/envoy/config/common/matcher/v3/matcher.proto index d09dcbd0f62cd..d7deb71d0b469 100644 --- a/api/envoy/config/common/matcher/v3/matcher.proto +++ b/api/envoy/config/common/matcher/v3/matcher.proto @@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // As an on_no_match might result in another matching tree being evaluated, this process // might repeat several times until the final OnMatch (or no match) is decided. // -// This API is a work in progress. +// [#alpha:] message Matcher { // What to do if a match is successful. message OnMatch { diff --git a/api/envoy/config/common/matcher/v4alpha/matcher.proto b/api/envoy/config/common/matcher/v4alpha/matcher.proto index fd5928e210c25..2027331b31da3 100644 --- a/api/envoy/config/common/matcher/v4alpha/matcher.proto +++ b/api/envoy/config/common/matcher/v4alpha/matcher.proto 
@@ -23,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // As an on_no_match might result in another matching tree being evaluated, this process // might repeat several times until the final OnMatch (or no match) is decided. // -// This API is a work in progress. +// [#alpha:] message Matcher { option (udpa.annotations.versioning).previous_message_type = "envoy.config.common.matcher.v3.Matcher"; diff --git a/api/envoy/extensions/common/matching/v3/extension_matcher.proto b/api/envoy/extensions/common/matching/v3/extension_matcher.proto index 2d01e17b9a33a..e317d885af393 100644 --- a/api/envoy/extensions/common/matching/v3/extension_matcher.proto +++ b/api/envoy/extensions/common/matching/v3/extension_matcher.proto @@ -18,6 +18,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Wrapper around an existing extension that provides an associated matcher. This allows // decorating an existing extension with a matcher, which can be used to match against // relevant protocol data. +// +// [#alpha:] message ExtensionWithMatcher { // The associated matcher. config.common.matcher.v3.Matcher matcher = 1 [(validate.rules).message = {required: true}]; diff --git a/api/envoy/extensions/common/matching/v4alpha/extension_matcher.proto b/api/envoy/extensions/common/matching/v4alpha/extension_matcher.proto index bb71cc5a095ff..88ac7c7570f8d 100644 --- a/api/envoy/extensions/common/matching/v4alpha/extension_matcher.proto +++ b/api/envoy/extensions/common/matching/v4alpha/extension_matcher.proto 
@@ -19,6 +19,8 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // Wrapper around an existing extension that provides an associated matcher. This allows // decorating an existing extension with a matcher, which can be used to match against // relevant protocol data. +// +// [#alpha:] message ExtensionWithMatcher { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.common.matching.v3.ExtensionWithMatcher"; diff --git a/api/envoy/extensions/filters/http/composite/v3/composite.proto b/api/envoy/extensions/filters/http/composite/v3/composite.proto index 3afc136904c76..f8a3bd83af567 100644 --- a/api/envoy/extensions/filters/http/composite/v3/composite.proto +++ b/api/envoy/extensions/filters/http/composite/v3/composite.proto @@ -26,6 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // :ref:`ExecuteFilterAction `) // which filter configuration to create and delegate to. // +// [#alpha:] message Composite { } diff --git a/docs/root/configuration/http/http_filters/composite_filter.rst b/docs/root/configuration/http/http_filters/composite_filter.rst index 9f4814857bd98..ebb12debb8393 100644 --- a/docs/root/configuration/http/http_filters/composite_filter.rst +++ b/docs/root/configuration/http/http_filters/composite_filter.rst @@ -3,6 +3,11 @@ Composite Filter ================ +.. attention:: + + The composite filter is in alpha and is currently under active development. + Capabilities will be expanded over time and the configuration structures are likely to change. + The composite filter allows delegating filter actions to a filter specified by a :ref:`match result `. The purpose of this is to allow different filters or filter configurations to be selected based on the incoming request, allowing for more dynamic 
diff --git a/docs/root/intro/arch_overview/advanced/matching/matching_api.rst b/docs/root/intro/arch_overview/advanced/matching/matching_api.rst index 893ce77d14e4d..1b56eb354d288 100644 --- a/docs/root/intro/arch_overview/advanced/matching/matching_api.rst +++ b/docs/root/intro/arch_overview/advanced/matching/matching_api.rst @@ -3,6 +3,11 @@ Matching API ============ +.. attention:: + + The matching API is alpha and is currently under active development. + Capabilities will be expanded over time and the configuration structures are likely to change. + Envoy makes use of a :ref:`matching API ` to allow the various subsystems to express actions that should be performed based on incoming data. diff --git a/docs/root/intro/arch_overview/security/threat_model.rst b/docs/root/intro/arch_overview/security/threat_model.rst index b624e32d0c13c..66b906f1cb281 100644 --- a/docs/root/intro/arch_overview/security/threat_model.rst +++ b/docs/root/intro/arch_overview/security/threat_model.rst @@ -77,9 +77,11 @@ case, an extension will explicitly state this in its documentation. Core and extensions ------------------- -Anything in the Envoy core may be used in both untrusted and trusted deployments. As a consequence, -it should be hardened with this model in mind. Security issues related to core code will usually -trigger the security release process as described in this document. +Anything in the Envoy core may be used in both untrusted and trusted deployments, with the exception +of features explicitly marked as alpha; alpha features are only supported in trusted deployments +and do not qualify for treatment under the threat model below. As a consequence, the stable core should be hardened +with this model in mind. Security issues related to core code will usually trigger the security release process as +described in this document. The following extensions are intended to be hardened against untrusted downstream and upstreams: 
diff --git a/generated_api_shadow/envoy/config/common/matcher/v3/matcher.proto b/generated_api_shadow/envoy/config/common/matcher/v3/matcher.proto index d09dcbd0f62cd..d7deb71d0b469 100644 --- a/generated_api_shadow/envoy/config/common/matcher/v3/matcher.proto +++ b/generated_api_shadow/envoy/config/common/matcher/v3/matcher.proto @@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // As an on_no_match might result in another matching tree being evaluated, this process // might repeat several times until the final OnMatch (or no match) is decided. // -// This API is a work in progress. +// [#alpha:] message Matcher { // What to do if a match is successful. message OnMatch { diff --git a/generated_api_shadow/envoy/config/common/matcher/v4alpha/matcher.proto b/generated_api_shadow/envoy/config/common/matcher/v4alpha/matcher.proto index fd5928e210c25..2027331b31da3 100644 --- a/generated_api_shadow/envoy/config/common/matcher/v4alpha/matcher.proto +++ b/generated_api_shadow/envoy/config/common/matcher/v4alpha/matcher.proto @@ -23,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // As an on_no_match might result in another matching tree being evaluated, this process // might repeat several times until the final OnMatch (or no match) is decided. // -// This API is a work in progress. +// [#alpha:] message Matcher { option (udpa.annotations.versioning).previous_message_type = "envoy.config.common.matcher.v3.Matcher"; diff --git a/generated_api_shadow/envoy/extensions/common/matching/v3/extension_matcher.proto b/generated_api_shadow/envoy/extensions/common/matching/v3/extension_matcher.proto index 2d01e17b9a33a..e317d885af393 100644 --- a/generated_api_shadow/envoy/extensions/common/matching/v3/extension_matcher.proto +++ b/generated_api_shadow/envoy/extensions/common/matching/v3/extension_matcher.proto 
@@ -18,6 +18,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Wrapper around an existing extension that provides an associated matcher. This allows // decorating an existing extension with a matcher, which can be used to match against // relevant protocol data. +// +// [#alpha:] message ExtensionWithMatcher { // The associated matcher. config.common.matcher.v3.Matcher matcher = 1 [(validate.rules).message = {required: true}]; diff --git a/generated_api_shadow/envoy/extensions/common/matching/v4alpha/extension_matcher.proto b/generated_api_shadow/envoy/extensions/common/matching/v4alpha/extension_matcher.proto index bb71cc5a095ff..88ac7c7570f8d 100644 --- a/generated_api_shadow/envoy/extensions/common/matching/v4alpha/extension_matcher.proto +++ b/generated_api_shadow/envoy/extensions/common/matching/v4alpha/extension_matcher.proto @@ -19,6 +19,8 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // Wrapper around an existing extension that provides an associated matcher. This allows // decorating an existing extension with a matcher, which can be used to match against // relevant protocol data. +// +// [#alpha:] message ExtensionWithMatcher { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.common.matching.v3.ExtensionWithMatcher"; diff --git a/generated_api_shadow/envoy/extensions/filters/http/composite/v3/composite.proto b/generated_api_shadow/envoy/extensions/filters/http/composite/v3/composite.proto index 3afc136904c76..f8a3bd83af567 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/composite/v3/composite.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/composite/v3/composite.proto @@ -26,6 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // :ref:`ExecuteFilterAction `) // which filter configuration to create and delegate to. // +// [#alpha:] message Composite { } 
diff --git a/source/extensions/filters/http/composite/BUILD b/source/extensions/filters/http/composite/BUILD index f3d72798c5b42..0d1493808765c 100644 --- a/source/extensions/filters/http/composite/BUILD +++ b/source/extensions/filters/http/composite/BUILD @@ -46,7 +46,7 @@ envoy_cc_extension( srcs = ["config.cc"], hdrs = ["config.h"], category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", + security_posture = "unknown", deps = [ "//include/envoy/registry", "//include/envoy/server:filter_config_interface", diff --git a/tools/api_proto_plugin/annotations.py b/tools/api_proto_plugin/annotations.py index e878cf8bd50bd..88cd2695bf15d 100644 --- a/tools/api_proto_plugin/annotations.py +++ b/tools/api_proto_plugin/annotations.py @@ -16,6 +16,9 @@ # envoy.filters.network.http_connection_manager. EXTENSION_ANNOTATION = 'extension' +# Used to mark something as alpha, excluding it from the threat model. +ALPHA_ANNOTATION = 'alpha' + # Not implemented yet annotation on leading comments, leading to hiding of # field. NOT_IMPLEMENTED_HIDE_ANNOTATION = 'not-implemented-hide' @@ -33,6 +36,7 @@ VALID_ANNOTATIONS = set([ DOC_TITLE_ANNOTATION, EXTENSION_ANNOTATION, + ALPHA_ANNOTATION, EXTENSION_CATEGORY_ANNOTATION, NOT_IMPLEMENTED_HIDE_ANNOTATION, NEXT_FREE_FIELD_ANNOTATION, diff --git a/tools/protodoc/protodoc.py b/tools/protodoc/protodoc.py index 74141e011c6fe..0321afe0bd750 100755 --- a/tools/protodoc/protodoc.py +++ b/tools/protodoc/protodoc.py @@ -168,6 +168,12 @@ def format_comment_with_annotations(comment, type_name=''): Returns: A string with additional RST from annotations. """ + alpha_warning = '' + if annotations.ALPHA_ANNOTATION in comment.annotations: + experimental_warning = ( + '.. warning::\n This API is alpha and is not covered by the :ref:`threat model `.\n\n' + ) + formatted_extension = '' if annotations.EXTENSION_ANNOTATION in comment.annotations: extension = comment.annotations[annotations.EXTENSION_ANNOTATION] 
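Review bot: `security_posture = "unknown"` records less than the rest of this commit states: threat_model.rst now says alpha features are only supported in trusted deployments, but nothing on this target explains that the posture was lowered because the filter is alpha. I would add a comment above the attribute, `# Alpha (matching API): outside the threat model, trusted deployments only.`, so a later reader does not restore the old value by mistake. If the `envoy_cc_extension` macro at this revision accepts it, `status = "alpha"` would also surface the maturity in the generated extension docs. The `envoy_cc_extension(` call starts and ends outside the hunk, so an existing `status` attribute may simply not be visible here.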
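Review bot: The alpha warning is never emitted: inside `if annotations.ALPHA_ANNOTATION in comment.annotations:` the text is assigned to `experimental_warning`, but the return in the following hunk (`@@ -177,7 +183,7 @@`) concatenates `alpha_warning`, which is still `''`. Assign to the same name, `alpha_warning = (`, so the rendered API pages actually carry the "not covered by the threat model" notice. As written, the proto hunks that replace "This API is a work in progress." with `[#alpha:]` presumably leave the generated docs with no maturity notice at all, since annotations appear to be stripped by `annotations.without_annotations`. A protodoc test that asserts the warning text for an `[#alpha:]` comment would catch this; the body of `format_comment_with_annotations` begins outside this hunk.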
@@ -177,7 +183,7 @@ def format_comment_with_annotations(comment, type_name=''): for category in comment.annotations[annotations.EXTENSION_CATEGORY_ANNOTATION].split(","): formatted_extension_category += format_extension_category(category) comment = annotations.without_annotations(strip_leading_space(comment.raw) + '\n') - return comment + formatted_extension + formatted_extension_category + return alpha_warning + comment + formatted_extension + formatted_extension_category def map_lines(f, s): From d520883ad6bb72ec40193bc7f0932caabf494eb0 Mon Sep 17 00:00:00 2001 From: phlax Date: Fri, 21 May 2021 04:35:00 +0100 Subject: [PATCH 02/14] dependabot: Updates (#16566) Signed-off-by: dependabot[bot] Signed-off-by: Ryan Northey Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- configs/requirements.txt | 76 +++++++++---------- .../filters/network/kafka/requirements.txt | 76 +++++++++---------- tools/protodoc/requirements.txt | 76 +++++++++---------- 3 files changed, 114 insertions(+), 114 deletions(-) diff --git a/configs/requirements.txt b/configs/requirements.txt index b425b09f84ced..1cd69909b9962 100644 --- a/configs/requirements.txt +++ b/configs/requirements.txt 
@@ -1,38 +1,38 @@ -Jinja2==3.0.0 \ - --hash=sha256:2f2de5285cf37f33d33ecd4a9080b75c87cd0c1994d5a9c6df17131ea1f049c6 \ - --hash=sha256:ea8d7dd814ce9df6de6a761ec7f1cac98afe305b8cdc4aaae4e114b8d8ce24c5 -MarkupSafe==2.0.0 \ - --hash=sha256:2efaeb1baff547063bad2b2893a8f5e9c459c4624e1a96644bbba08910ae34e0 \ - --hash=sha256:441ce2a8c17683d97e06447fcbccbdb057cbf587c78eb75ae43ea7858042fe2c \ - --hash=sha256:45535241baa0fc0ba2a43961a1ac7562ca3257f46c4c3e9c0de38b722be41bd1 \ - --hash=sha256:90053234a6479738fd40d155268af631c7fca33365f964f2208867da1349294b \ - --hash=sha256:3b54a9c68995ef4164567e2cd1a5e16db5dac30b2a50c39c82db8d4afaf14f63 \ - --hash=sha256:f58b5ba13a5689ca8317b98439fccfbcc673acaaf8241c1869ceea40f5d585bf \ - --hash=sha256:a00dce2d96587651ef4fa192c17e039e8cfab63087c67e7d263a5533c7dad715 \ - --hash=sha256:007dc055dbce5b1104876acee177dbfd18757e19d562cd440182e1f492e96b95 \ - --hash=sha256:a08cd07d3c3c17cd33d9e66ea9dee8f8fc1c48e2d11bd88fd2dc515a602c709b \ - --hash=sha256:3c352ff634e289061711608f5e474ec38dbaa21e3e168820d53d5f4015e5b91b \ - --hash=sha256:32200f562daaab472921a11cbb63780f1654552ae49518196fc361ed8e12e901 \ - --hash=sha256:fef86115fdad7ae774720d7103aa776144cf9b66673b4afa9bcaa7af990ed07b \ - --hash=sha256:e79212d09fc0e224d20b43ad44bb0a0a3416d1e04cf6b45fed265114a5d43d20 \ - --hash=sha256:79b2ae94fa991be023832e6bcc00f41dbc8e5fe9d997a02db965831402551730 \ - --hash=sha256:3261fae28155e5c8634dd7710635fe540a05b58f160cef7713c7700cb9980e66 \ - --hash=sha256:e4570d16f88c7f3032ed909dc9e905a17da14a1c4cfd92608e3fda4cb1208bbd \ - --hash=sha256:8f806bfd0f218477d7c46a11d3e52dc7f5fdfaa981b18202b7dc84bbc287463b \ - --hash=sha256:e77e4b983e2441aff0c0d07ee711110c106b625f440292dfe02a2f60c8218bd6 \ - --hash=sha256:031bf79a27d1c42f69c276d6221172417b47cb4b31cdc73d362a9bf5a1889b9f \ - --hash=sha256:83cf0228b2f694dcdba1374d5312f2277269d798e65f40344964f642935feac1 \ - --hash=sha256:4cc563836f13c57f1473bc02d1e01fc37bab70ad4ee6be297d58c1d66bc819bf \ - 
--hash=sha256:d00a669e4a5bec3ee6dbeeeedd82a405ced19f8aeefb109a012ea88a45afff96 \ - --hash=sha256:161d575fa49395860b75da5135162481768b11208490d5a2143ae6785123e77d \ - --hash=sha256:58bc9fce3e1557d463ef5cee05391a05745fd95ed660f23c1742c711712c0abb \ - --hash=sha256:3fb47f97f1d338b943126e90b79cad50d4fcfa0b80637b5a9f468941dbbd9ce5 \ - --hash=sha256:dab0c685f21f4a6c95bfc2afd1e7eae0033b403dd3d8c1b6d13a652ada75b348 \ - --hash=sha256:664832fb88b8162268928df233f4b12a144a0c78b01d38b81bdcf0fc96668ecb \ - --hash=sha256:df561f65049ed3556e5b52541669310e88713fdae2934845ec3606f283337958 \ - --hash=sha256:24bbc3507fb6dfff663af7900a631f2aca90d5a445f272db5fc84999fa5718bc \ - --hash=sha256:87de598edfa2230ff274c4de7fcf24c73ffd96208c8e1912d5d0fee459767d75 \ - --hash=sha256:a19d39b02a24d3082856a5b06490b714a9d4179321225bbf22809ff1e1887cc8 \ - --hash=sha256:4aca81a687975b35e3e80bcf9aa93fe10cd57fac37bf18b2314c186095f57e05 \ - --hash=sha256:70820a1c96311e02449591cbdf5cd1c6a34d5194d5b55094ab725364375c9eb2 \ - --hash=sha256:4fae0677f712ee090721d8b17f412f1cbceefbf0dc180fe91bab3232f38b4527 +Jinja2==3.0.1 \ + --hash=sha256:1f06f2da51e7b56b8f238affdd6b4e2c61e39598a378cc49345bc1bd42a978a4 \ + --hash=sha256:703f484b47a6af502e743c9122595cc812b0271f661722403114f71a79d0f5a4 +MarkupSafe==2.0.1 \ + --hash=sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51 \ + --hash=sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff \ + --hash=sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b \ + --hash=sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94 \ + --hash=sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872 \ + --hash=sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f \ + --hash=sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d \ + --hash=sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9 \ + 
--hash=sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567 \ + --hash=sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18 \ + --hash=sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f \ + --hash=sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f \ + --hash=sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2 \ + --hash=sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d \ + --hash=sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415 \ + --hash=sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914 \ + --hash=sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066 \ + --hash=sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35 \ + --hash=sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b \ + --hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \ + --hash=sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75 \ + --hash=sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb \ + --hash=sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64 \ + --hash=sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833 \ + --hash=sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26 \ + --hash=sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7 \ + --hash=sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8 \ + --hash=sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5 \ + --hash=sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135 \ + --hash=sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902 \ + --hash=sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509 \ + --hash=sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74 \ + 
--hash=sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8 \ + --hash=sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a diff --git a/source/extensions/filters/network/kafka/requirements.txt b/source/extensions/filters/network/kafka/requirements.txt index b425b09f84ced..1cd69909b9962 100644 --- a/source/extensions/filters/network/kafka/requirements.txt +++ b/source/extensions/filters/network/kafka/requirements.txt 
@@ -1,38 +1,38 @@ -Jinja2==3.0.0 \ - --hash=sha256:2f2de5285cf37f33d33ecd4a9080b75c87cd0c1994d5a9c6df17131ea1f049c6 \ - --hash=sha256:ea8d7dd814ce9df6de6a761ec7f1cac98afe305b8cdc4aaae4e114b8d8ce24c5 -MarkupSafe==2.0.0 \ - --hash=sha256:2efaeb1baff547063bad2b2893a8f5e9c459c4624e1a96644bbba08910ae34e0 \ - --hash=sha256:441ce2a8c17683d97e06447fcbccbdb057cbf587c78eb75ae43ea7858042fe2c \ - --hash=sha256:45535241baa0fc0ba2a43961a1ac7562ca3257f46c4c3e9c0de38b722be41bd1 \ - --hash=sha256:90053234a6479738fd40d155268af631c7fca33365f964f2208867da1349294b \ - --hash=sha256:3b54a9c68995ef4164567e2cd1a5e16db5dac30b2a50c39c82db8d4afaf14f63 \ - --hash=sha256:f58b5ba13a5689ca8317b98439fccfbcc673acaaf8241c1869ceea40f5d585bf \ - --hash=sha256:a00dce2d96587651ef4fa192c17e039e8cfab63087c67e7d263a5533c7dad715 \ - --hash=sha256:007dc055dbce5b1104876acee177dbfd18757e19d562cd440182e1f492e96b95 \ - --hash=sha256:a08cd07d3c3c17cd33d9e66ea9dee8f8fc1c48e2d11bd88fd2dc515a602c709b \ - --hash=sha256:3c352ff634e289061711608f5e474ec38dbaa21e3e168820d53d5f4015e5b91b \ - --hash=sha256:32200f562daaab472921a11cbb63780f1654552ae49518196fc361ed8e12e901 \ - --hash=sha256:fef86115fdad7ae774720d7103aa776144cf9b66673b4afa9bcaa7af990ed07b \ - --hash=sha256:e79212d09fc0e224d20b43ad44bb0a0a3416d1e04cf6b45fed265114a5d43d20 \ - --hash=sha256:79b2ae94fa991be023832e6bcc00f41dbc8e5fe9d997a02db965831402551730 \ - --hash=sha256:3261fae28155e5c8634dd7710635fe540a05b58f160cef7713c7700cb9980e66 \ - --hash=sha256:e4570d16f88c7f3032ed909dc9e905a17da14a1c4cfd92608e3fda4cb1208bbd \ - --hash=sha256:8f806bfd0f218477d7c46a11d3e52dc7f5fdfaa981b18202b7dc84bbc287463b \ - --hash=sha256:e77e4b983e2441aff0c0d07ee711110c106b625f440292dfe02a2f60c8218bd6 \ - --hash=sha256:031bf79a27d1c42f69c276d6221172417b47cb4b31cdc73d362a9bf5a1889b9f \ - --hash=sha256:83cf0228b2f694dcdba1374d5312f2277269d798e65f40344964f642935feac1 \ - --hash=sha256:4cc563836f13c57f1473bc02d1e01fc37bab70ad4ee6be297d58c1d66bc819bf \ - 
--hash=sha256:d00a669e4a5bec3ee6dbeeeedd82a405ced19f8aeefb109a012ea88a45afff96 \ - --hash=sha256:161d575fa49395860b75da5135162481768b11208490d5a2143ae6785123e77d \ - --hash=sha256:58bc9fce3e1557d463ef5cee05391a05745fd95ed660f23c1742c711712c0abb \ - --hash=sha256:3fb47f97f1d338b943126e90b79cad50d4fcfa0b80637b5a9f468941dbbd9ce5 \ - --hash=sha256:dab0c685f21f4a6c95bfc2afd1e7eae0033b403dd3d8c1b6d13a652ada75b348 \ - --hash=sha256:664832fb88b8162268928df233f4b12a144a0c78b01d38b81bdcf0fc96668ecb \ - --hash=sha256:df561f65049ed3556e5b52541669310e88713fdae2934845ec3606f283337958 \ - --hash=sha256:24bbc3507fb6dfff663af7900a631f2aca90d5a445f272db5fc84999fa5718bc \ - --hash=sha256:87de598edfa2230ff274c4de7fcf24c73ffd96208c8e1912d5d0fee459767d75 \ - --hash=sha256:a19d39b02a24d3082856a5b06490b714a9d4179321225bbf22809ff1e1887cc8 \ - --hash=sha256:4aca81a687975b35e3e80bcf9aa93fe10cd57fac37bf18b2314c186095f57e05 \ - --hash=sha256:70820a1c96311e02449591cbdf5cd1c6a34d5194d5b55094ab725364375c9eb2 \ - --hash=sha256:4fae0677f712ee090721d8b17f412f1cbceefbf0dc180fe91bab3232f38b4527 +Jinja2==3.0.1 \ + --hash=sha256:1f06f2da51e7b56b8f238affdd6b4e2c61e39598a378cc49345bc1bd42a978a4 \ + --hash=sha256:703f484b47a6af502e743c9122595cc812b0271f661722403114f71a79d0f5a4 +MarkupSafe==2.0.1 \ + --hash=sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51 \ + --hash=sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff \ + --hash=sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b \ + --hash=sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94 \ + --hash=sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872 \ + --hash=sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f \ + --hash=sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d \ + --hash=sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9 \ + 
--hash=sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567 \ + --hash=sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18 \ + --hash=sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f \ + --hash=sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f \ + --hash=sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2 \ + --hash=sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d \ + --hash=sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415 \ + --hash=sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914 \ + --hash=sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066 \ + --hash=sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35 \ + --hash=sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b \ + --hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \ + --hash=sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75 \ + --hash=sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb \ + --hash=sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64 \ + --hash=sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833 \ + --hash=sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26 \ + --hash=sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7 \ + --hash=sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8 \ + --hash=sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5 \ + --hash=sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135 \ + --hash=sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902 \ + --hash=sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509 \ + --hash=sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74 \ + 
--hash=sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8 \ + --hash=sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a diff --git a/tools/protodoc/requirements.txt b/tools/protodoc/requirements.txt index 07944deec73a9..6540ec1621645 100644 --- a/tools/protodoc/requirements.txt +++ b/tools/protodoc/requirements.txt @@ -1,6 +1,6 @@ -Jinja2==3.0.0 \ - --hash=sha256:2f2de5285cf37f33d33ecd4a9080b75c87cd0c1994d5a9c6df17131ea1f049c6 \ - --hash=sha256:ea8d7dd814ce9df6de6a761ec7f1cac98afe305b8cdc4aaae4e114b8d8ce24c5 +Jinja2==3.0.1 \ + --hash=sha256:1f06f2da51e7b56b8f238affdd6b4e2c61e39598a378cc49345bc1bd42a978a4 \ + --hash=sha256:703f484b47a6af502e743c9122595cc812b0271f661722403114f71a79d0f5a4 PyYAML==5.4.1 \ --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \ --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \ 
@@ -31,38 +31,38 @@ PyYAML==5.4.1 \ --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \ --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \ --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 -MarkupSafe==2.0.0 \ - --hash=sha256:2efaeb1baff547063bad2b2893a8f5e9c459c4624e1a96644bbba08910ae34e0 \ - --hash=sha256:441ce2a8c17683d97e06447fcbccbdb057cbf587c78eb75ae43ea7858042fe2c \ - --hash=sha256:45535241baa0fc0ba2a43961a1ac7562ca3257f46c4c3e9c0de38b722be41bd1 \ - --hash=sha256:90053234a6479738fd40d155268af631c7fca33365f964f2208867da1349294b \ - --hash=sha256:3b54a9c68995ef4164567e2cd1a5e16db5dac30b2a50c39c82db8d4afaf14f63 \ - --hash=sha256:f58b5ba13a5689ca8317b98439fccfbcc673acaaf8241c1869ceea40f5d585bf \ - --hash=sha256:a00dce2d96587651ef4fa192c17e039e8cfab63087c67e7d263a5533c7dad715 \ - --hash=sha256:007dc055dbce5b1104876acee177dbfd18757e19d562cd440182e1f492e96b95 \ - --hash=sha256:a08cd07d3c3c17cd33d9e66ea9dee8f8fc1c48e2d11bd88fd2dc515a602c709b \ - --hash=sha256:3c352ff634e289061711608f5e474ec38dbaa21e3e168820d53d5f4015e5b91b \ - --hash=sha256:32200f562daaab472921a11cbb63780f1654552ae49518196fc361ed8e12e901 \ - --hash=sha256:fef86115fdad7ae774720d7103aa776144cf9b66673b4afa9bcaa7af990ed07b \ - --hash=sha256:e79212d09fc0e224d20b43ad44bb0a0a3416d1e04cf6b45fed265114a5d43d20 \ - --hash=sha256:79b2ae94fa991be023832e6bcc00f41dbc8e5fe9d997a02db965831402551730 \ - --hash=sha256:3261fae28155e5c8634dd7710635fe540a05b58f160cef7713c7700cb9980e66 \ - --hash=sha256:e4570d16f88c7f3032ed909dc9e905a17da14a1c4cfd92608e3fda4cb1208bbd \ - --hash=sha256:8f806bfd0f218477d7c46a11d3e52dc7f5fdfaa981b18202b7dc84bbc287463b \ - --hash=sha256:e77e4b983e2441aff0c0d07ee711110c106b625f440292dfe02a2f60c8218bd6 \ - --hash=sha256:031bf79a27d1c42f69c276d6221172417b47cb4b31cdc73d362a9bf5a1889b9f \ - --hash=sha256:83cf0228b2f694dcdba1374d5312f2277269d798e65f40344964f642935feac1 \ - 
--hash=sha256:4cc563836f13c57f1473bc02d1e01fc37bab70ad4ee6be297d58c1d66bc819bf \ - --hash=sha256:d00a669e4a5bec3ee6dbeeeedd82a405ced19f8aeefb109a012ea88a45afff96 \ - --hash=sha256:161d575fa49395860b75da5135162481768b11208490d5a2143ae6785123e77d \ - --hash=sha256:58bc9fce3e1557d463ef5cee05391a05745fd95ed660f23c1742c711712c0abb \ - --hash=sha256:3fb47f97f1d338b943126e90b79cad50d4fcfa0b80637b5a9f468941dbbd9ce5 \ - --hash=sha256:dab0c685f21f4a6c95bfc2afd1e7eae0033b403dd3d8c1b6d13a652ada75b348 \ - --hash=sha256:664832fb88b8162268928df233f4b12a144a0c78b01d38b81bdcf0fc96668ecb \ - --hash=sha256:df561f65049ed3556e5b52541669310e88713fdae2934845ec3606f283337958 \ - --hash=sha256:24bbc3507fb6dfff663af7900a631f2aca90d5a445f272db5fc84999fa5718bc \ - --hash=sha256:87de598edfa2230ff274c4de7fcf24c73ffd96208c8e1912d5d0fee459767d75 \ - --hash=sha256:a19d39b02a24d3082856a5b06490b714a9d4179321225bbf22809ff1e1887cc8 \ - --hash=sha256:4aca81a687975b35e3e80bcf9aa93fe10cd57fac37bf18b2314c186095f57e05 \ - --hash=sha256:70820a1c96311e02449591cbdf5cd1c6a34d5194d5b55094ab725364375c9eb2 \ - --hash=sha256:4fae0677f712ee090721d8b17f412f1cbceefbf0dc180fe91bab3232f38b4527 +MarkupSafe==2.0.1 \ + --hash=sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51 \ + --hash=sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff \ + --hash=sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b \ + --hash=sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94 \ + --hash=sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872 \ + --hash=sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f \ + --hash=sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d \ + --hash=sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9 \ + --hash=sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567 \ + 
--hash=sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18 \ + --hash=sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f \ + --hash=sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f \ + --hash=sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2 \ + --hash=sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d \ + --hash=sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415 \ + --hash=sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914 \ + --hash=sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066 \ + --hash=sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35 \ + --hash=sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b \ + --hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \ + --hash=sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75 \ + --hash=sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb \ + --hash=sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64 \ + --hash=sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833 \ + --hash=sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26 \ + --hash=sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7 \ + --hash=sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8 \ + --hash=sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5 \ + --hash=sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135 \ + --hash=sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902 \ + --hash=sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509 \ + --hash=sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74 \ + --hash=sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8 \ + 
--hash=sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a From 19abe1712849fc9c807a25609f36caa07442a2ff Mon Sep 17 00:00:00 2001 From: chaoqin-li1123 <55518381+chaoqin-li1123@users.noreply.github.com> Date: Fri, 21 May 2021 08:55:27 -0500 Subject: [PATCH 03/14] [fuzz]: fix oss fuzz 32643, config validation of lb_subset_config for server fuzz test (#16582) * misconfiguration of subset_selectors will cause the test to failed. reject such misconfiguration to prevent the fuzz test failure. Signed-off-by: chaoqin-li1123 --- .../server_corpus/invalid_lb_subset_config | 34 +++++++++++++++++++ test/server/server_fuzz_test.cc | 30 ++++++++++++++++ 2 files changed, 64 insertions(+) create mode 100644 test/server/server_corpus/invalid_lb_subset_config diff --git a/test/server/server_corpus/invalid_lb_subset_config b/test/server/server_corpus/invalid_lb_subset_config new file mode 100644 index 0000000000000..c415727a10c5c --- /dev/null +++ b/test/server/server_corpus/invalid_lb_subset_config @@ -0,0 +1,34 @@ +static_resources { + clusters { + name: "my_clusters" + type: STRICT_DNS + connect_timeout { + seconds: 2304 + } + lb_subset_config { + subset_selectors { + keys: "key1" + keys: "key2" + single_host_per_subset: true + } + list_as_any: true + } + load_assignment { + cluster_name: "cluster_1" + endpoints { + lb_endpoints { + endpoint { + address { + socket_address { + protocol: UDP + address: "0.0.0.0" + ipv4_compat: true + } + } + } + } + priority: 112 + } + } + } +} diff --git a/test/server/server_fuzz_test.cc b/test/server/server_fuzz_test.cc index f96f3b17c8d62..30c399bc008a1 100644 --- a/test/server/server_fuzz_test.cc +++ b/test/server/server_fuzz_test.cc 
@@ -82,7 +82,37 @@ makeHermeticPathsAndPorts(Fuzz::PerTestEnvironment& test_env, return output; } +// When single_host_per_subset is set to be true, only expect 1 subset selector and 1 key inside the +// selector. Reject the misconfiguration as the use of single_host_per_subset is well documented. +// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto#config-cluster-v3-cluster-lbsubsetconfig-lbsubsetselector +bool validateLbSubsetConfig(const envoy::config::bootstrap::v3::Bootstrap& input) { + for (auto& cluster : input.static_resources().clusters()) { + bool use_single_host_per_subset = false; + int subset_selectors = 0; + for (auto& subset_selector : cluster.lb_subset_config().subset_selectors()) { + subset_selectors++; + if (subset_selector.single_host_per_subset()) { + use_single_host_per_subset = true; + // Only expect 1 key inside subset selector when use_single_host_per_subset is set to true. + if (subset_selector.keys().size() != 1) { + return false; + } + } + // Only expect 1 subset selector when use_single_host_per_subset is set to true. + if (use_single_host_per_subset && subset_selectors != 1) { + return false; + } + } + } + return true; +} + DEFINE_PROTO_FUZZER(const envoy::config::bootstrap::v3::Bootstrap& input) { + + if (!validateLbSubsetConfig(input)) { + return; + } + testing::NiceMock options; DefaultListenerHooks hooks; testing::NiceMock restart; From 537deb4a1e3f24d8bc9a5e7a7ce58d66b3c68862 Mon Sep 17 00:00:00 2001 From: htuch Date: Fri, 21 May 2021 14:24:12 -0400 Subject: [PATCH 04/14] security: add Square to distributor list. (#16613) Signed-off-by: Harvey Tuch --- SECURITY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/SECURITY.md b/SECURITY.md index 0ba3e9ddaa641..8506ae40cfc9e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
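Review bot: Filtering this input in `validateLbSubsetConfig` keeps the fuzzer quiet, but nothing in the hunk shows that the server's own config loading rejects a `single_host_per_subset` selector that has several keys or sibling selectors. If it does not, the same bootstrap can still reach production code from a real config source, and the harness will never exercise that path again. I would record this next to the helper, for example `// TODO: move this check into cluster config validation so the fuzzer covers the rejection path (oss-fuzz 32643).` Separately, both range-for loops only read, so `const auto&` states that more clearly than `auto&`. The `DEFINE_PROTO_FUZZER` body continues past the hunk.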
@@ -467,3 +467,4 @@ and security team to ensure they still qualify for inclusion on the list. | envoy-security@pinterest.com | Pinterest | Yes | 12/19 | | envoy-security@dropbox.com | Dropbox | Yes | 01/20 | | envoy-security-predisclosure@stripe.com | Stripe | Yes | 01/20 | +| envoy-security@squareup.com | Square | Yes | 05/21 | From f58f93a1598536da22c081b695efdf443f31d124 Mon Sep 17 00:00:00 2001 From: phlax Date: Fri, 21 May 2021 20:22:07 +0100 Subject: [PATCH 05/14] protodoc: Fix github links (#16614) Signed-off-by: Ryan Northey --- tools/protodoc/protodoc.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/protodoc/protodoc.py b/tools/protodoc/protodoc.py index 0321afe0bd750..a66d6cf021047 100755 --- a/tools/protodoc/protodoc.py +++ b/tools/protodoc/protodoc.py @@ -678,7 +678,7 @@ def visit_enum(self, enum_proto, type_context): normal_enum_type = normalize_type_context_name(type_context.name) anchor = format_anchor(enum_cross_ref_label(normal_enum_type)) header = format_header('-', 'Enum %s' % normal_enum_type) - proto_link = github_url("f[{normal_enum_type} proto]", type_context) + '\n\n' + proto_link = github_url(f"[{normal_enum_type} proto]", type_context) + '\n\n' leading_comment = type_context.leading_comment formatted_leading_comment = format_comment_with_annotations(leading_comment, 'enum') if hide_not_implemented(leading_comment): From 7a639c4ec79ace99cf4e2736b56b8fafc6c18ce9 Mon Sep 17 00:00:00 2001 From: Josh Tway Date: Fri, 21 May 2021 15:58:51 -0400 Subject: [PATCH 06/14] stats: Improve performance of clearing scopes and histograms by batching them (#15876) Previously a post was required per histogram or scope, per thread. This greatly reduces the overhead of large config updates and when tens of thousands of histograms and scopes are queued for release in short order. This work is based off of https://gist.github.com/jmarantz/838cb6de7e74c0970ea6b63eded0139a Co-authored-by: Joshua Marantz jmarantz@google.com 
Signed-off-by: Josh Tway josh.tway@stackpath.com Additional Description: Came across the original patch by @jmarantz while investigating why updating a single VirtualHost, via VHDS, would frequently take 50 seconds, or more, to propagate. Turns out it was caused by the large number of Scopes being cleared for each update. Batching scopes and histogram ids queued for removal together improves this to under 20 seconds, often below 10 seconds. Risk Level: Low Testing: Before and after testing of how long it took VHDS, when > 100K VirtualHosts were present took to update. Docs Changes: N/A Release Notes: N/a Platform Specific Features: N/A Co-authored-by: Joshua Marantz Signed-off-by: Josh Tway --- include/envoy/thread_local/thread_local.h | 7 ++ source/common/stats/thread_local_store.cc | 113 +++++++++++++----- source/common/stats/thread_local_store.h | 22 +++- .../common/thread_local/thread_local_impl.h | 1 + .../stats/thread_local_store_speed_test.cc | 9 +- test/common/stats/thread_local_store_test.cc | 49 ++++++-- test/mocks/thread_local/mocks.cc | 6 +- test/mocks/thread_local/mocks.h | 9 +- test/server/admin/stats_handler_test.cc | 14 ++- 9 files changed, 170 insertions(+), 60 deletions(-) diff --git a/include/envoy/thread_local/thread_local.h b/include/envoy/thread_local/thread_local.h index 8ff2ca99c8c00..f3d846ff5cca5 100644 --- a/include/envoy/thread_local/thread_local.h +++ b/include/envoy/thread_local/thread_local.h @@ -226,6 +226,13 @@ class Instance : public SlotAllocator { * @return Event::Dispatcher& the thread local dispatcher. */ virtual Event::Dispatcher& dispatcher() PURE; + + /** + * Returns whether or not global threading has been shutdown. + * + * @return true if global threading has been shutdown or false if not. + */ + virtual bool isShutdown() const PURE; }; } // namespace ThreadLocal diff --git a/source/common/stats/thread_local_store.cc b/source/common/stats/thread_local_store.cc index 46aed025cc236..78dda479cf821 100644 
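Review bot: The new `isShutdown()` doc comment does not say which threads may call it. The only caller added by this patch is the `ASSERT` in `ThreadLocalStoreImpl::shutdownThreading()`. `InstanceImpl` implements it as a plain `return shutdown_;`, and the declaration of `shutdown_` is not in any hunk here, so it cannot be told from the patch whether a read from a worker thread would be safe. Stating the contract in the interface comment would settle it, e.g. `* Intended to be called on the main thread; once true the value does not revert.` (adjust to what the implementation actually guarantees). The class body starts outside the hunk, and adding a pure virtual to `Instance` means any out-of-tree implementer must add the override.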
--- a/source/common/stats/thread_local_store.cc +++ b/source/common/stats/thread_local_store.cc @@ -43,6 +43,9 @@ ThreadLocalStoreImpl::~ThreadLocalStoreImpl() { ASSERT(shutting_down_ || !threading_ever_initialized_); default_scope_.reset(); ASSERT(scopes_.empty()); + ASSERT(scopes_to_cleanup_.empty()); + ASSERT(central_cache_entries_to_cleanup_.empty()); + ASSERT(histograms_to_cleanup_.empty()); } void ThreadLocalStoreImpl::setHistogramSettings(HistogramSettingsConstPtr&& histogram_settings) { @@ -194,11 +197,23 @@ void ThreadLocalStoreImpl::initializeThreading(Event::Dispatcher& main_thread_di tls_cache_ = ThreadLocal::TypedSlot::makeUnique(tls); tls_cache_->set( [](Event::Dispatcher&) -> std::shared_ptr { return std::make_shared(); }); + tls_ = tls; } void ThreadLocalStoreImpl::shutdownThreading() { // This will block both future cache fills as well as cache flushes. shutting_down_ = true; + ASSERT(!tls_.has_value() || tls_->isShutdown()); + + // We can't call runOnAllThreads here as global threading has already been shutdown. It is okay + // to simply clear the scopes and central cache entries here as they will be cleaned up during + // thread local data cleanup in InstanceImpl::shutdownThread(). + { + Thread::LockGuard lock(lock_); + scopes_to_cleanup_.clear(); + central_cache_entries_to_cleanup_.clear(); + } + Thread::LockGuard lock(hist_mutex_); for (ParentHistogramImpl* histogram : histogram_set_) { histogram->setShuttingDown(true); 
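Review bot: `shutdownThreading()` clears `scopes_to_cleanup_` and `central_cache_entries_to_cleanup_` but not `histograms_to_cleanup_`, while the destructor hunk above now asserts that all three are empty. `releaseHistogramCrossThread()` (a later hunk) checks `shutting_down_` outside `hist_mutex_` before queueing an id, and `clearHistogramsFromCaches()` returns without draining once `shutting_down_` is set. An id queued just before shutdown therefore appears to stay in the list and trip `ASSERT(histograms_to_cleanup_.empty())` in debug builds. Unless the part of `shutdownThreading()` below this hunk already handles it, add `histograms_to_cleanup_.clear();` inside the existing `hist_mutex_` guard. The function body continues past the hunk.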
@@ -261,22 +276,29 @@ void ThreadLocalStoreImpl::releaseScopeCrossThread(ScopeImpl* scope) { // // Since this is called from ScopeImpl's destructor, we must bump the // ref-count of the central-cache by copying to a local scoped pointer, and - // keep that reference alive until all the TLS caches are clear. - CentralCacheEntrySharedPtr central_cache = scope->central_cache_; + // keep that reference alive until all the TLS caches are clear. This is done by keeping a + // separate vector of shared_ptrs which will be destructed once all threads have completed. // This can happen from any thread. We post() back to the main thread which will initiate the // cache flush operation. if (!shutting_down_ && main_thread_dispatcher_) { - const uint64_t scope_id = scope->scope_id_; + // Clear scopes in a batch. It's possible that many different scopes will be deleted at + // the same time, before the main thread gets a chance to run cleanScopesFromCaches. If a new + // scope is deleted before that post runs, we add it to our list of scopes to clear, and there + // is no need to issue another post. This greatly reduces the overhead when there are tens of + // thousands of scopes to clear in a short period. i.e.: VHDS updates with tens of thousands of + // VirtualHosts. + bool need_post = scopes_to_cleanup_.empty(); + scopes_to_cleanup_.push_back(scope->scope_id_); + central_cache_entries_to_cleanup_.push_back(scope->central_cache_); lock.release(); - // TODO(jmarantz): consider batching all the scope IDs that should be - // cleared from TLS caches to reduce bursts of runOnAllThreads on a large - // config update. See the pattern below used for histograms. - main_thread_dispatcher_->post([this, central_cache, scope_id]() { - sync_.syncPoint(MainDispatcherCleanupSync); - clearScopeFromCaches(scope_id, central_cache); - }); + if (need_post) { + main_thread_dispatcher_->post([this]() { + sync_.syncPoint(MainDispatcherCleanupSync); + clearScopesFromCaches(); + }); + } } } 
@@ -284,8 +306,20 @@ void ThreadLocalStoreImpl::releaseHistogramCrossThread(uint64_t histogram_id) { // This can happen from any thread. We post() back to the main thread which will initiate the // cache flush operation. if (!shutting_down_ && main_thread_dispatcher_) { - main_thread_dispatcher_->post( - [this, histogram_id]() { clearHistogramFromCaches(histogram_id); }); + // It's possible that many different histograms will be deleted at the same + // time, before the main thread gets a chance to run + // clearHistogramsFromCaches. If a new histogram is deleted before that + // post runs, we add it to our list of histograms to clear, and there's no + // need to issue another post. + bool need_post = false; + { + Thread::LockGuard lock(hist_mutex_); + need_post = histograms_to_cleanup_.empty(); + histograms_to_cleanup_.push_back(histogram_id); + } + if (need_post) { + main_thread_dispatcher_->post([this]() { clearHistogramsFromCaches(); }); + } } } 
@@ -294,39 +328,62 @@ ThreadLocalStoreImpl::TlsCache::insertScope(uint64_t scope_id) { return scope_cache_[scope_id]; } -void ThreadLocalStoreImpl::TlsCache::eraseScope(uint64_t scope_id) { scope_cache_.erase(scope_id); } -void ThreadLocalStoreImpl::TlsCache::eraseHistogram(uint64_t histogram_id) { +void ThreadLocalStoreImpl::TlsCache::eraseScopes(const std::vector& scope_ids) { + for (uint64_t scope_id : scope_ids) { + scope_cache_.erase(scope_id); + } +} + +void ThreadLocalStoreImpl::TlsCache::eraseHistograms(const std::vector& histograms) { // This is called for every histogram in every thread, even though the // histogram may not have been cached in each thread yet. So we don't // want to check whether the erase() call erased anything. - tls_histogram_cache_.erase(histogram_id); + for (uint64_t histogram_id : histograms) { + tls_histogram_cache_.erase(histogram_id); + } } -void ThreadLocalStoreImpl::clearScopeFromCaches(uint64_t scope_id, - CentralCacheEntrySharedPtr central_cache) { +void ThreadLocalStoreImpl::clearScopesFromCaches() { // If we are shutting down we no longer perform cache flushes as workers may be shutting down // at the same time. if (!shutting_down_) { // Perform a cache flush on all threads. + + // Capture all the pending scope ids in a local, clearing the list held in + // this. Once this occurs, if a new scope is deleted, a new post will be + // required. + auto scope_ids = std::make_shared>(); + // Capture all the central cache entries for scopes we're deleting. These will be freed after + // all threads have completed. 
+ auto central_caches = std::make_shared>(); + { + Thread::LockGuard lock(lock_); + *scope_ids = std::move(scopes_to_cleanup_); + scopes_to_cleanup_.clear(); + *central_caches = std::move(central_cache_entries_to_cleanup_); + central_cache_entries_to_cleanup_.clear(); + } + tls_cache_->runOnAllThreads( - [scope_id](OptRef tls_cache) { tls_cache->eraseScope(scope_id); }, - [central_cache]() { /* Holds onto central_cache until all tls caches are clear */ }); + [scope_ids](OptRef tls_cache) { tls_cache->eraseScopes(*scope_ids); }, + [central_caches]() { /* Holds onto central_caches until all tls caches are clear */ }); } } -void ThreadLocalStoreImpl::clearHistogramFromCaches(uint64_t histogram_id) { +void ThreadLocalStoreImpl::clearHistogramsFromCaches() { // If we are shutting down we no longer perform cache flushes as workers may be shutting down // at the same time. if (!shutting_down_) { - // Perform a cache flush on all threads. - // - // TODO(jmarantz): If this cross-thread posting proves to be a performance - // bottleneck, - // https://gist.github.com/jmarantz/838cb6de7e74c0970ea6b63eded0139a - // contains a patch that will implement batching together to clear multiple - // histograms. + // Move the histograms pending cleanup into a local variable. Future histogram deletions will be + // batched until the next time this function is called. + auto histograms = std::make_shared>(); + { + Thread::LockGuard lock(hist_mutex_); + histograms->swap(histograms_to_cleanup_); + } + tls_cache_->runOnAllThreads( - [histogram_id](OptRef tls_cache) { tls_cache->eraseHistogram(histogram_id); }); + [histograms](OptRef tls_cache) { tls_cache->eraseHistograms(*histograms); }); } } diff --git a/source/common/stats/thread_local_store.h b/source/common/stats/thread_local_store.h index 946a84ed874cf..bc76c13c9aa92 100644 --- a/source/common/stats/thread_local_store.h +++ b/source/common/stats/thread_local_store.h 
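Review bot: The two drain paths use different idioms for the same operation. `clearScopesFromCaches()` does `*scope_ids = std::move(scopes_to_cleanup_);` followed by an explicit `clear()`, while `clearHistogramsFromCaches()` uses `histograms->swap(histograms_to_cleanup_);`. The swap form leaves the member empty in one step, so the reader does not have to work out why a `clear()` follows the move. I would use it for both scope vectors: `scope_ids->swap(scopes_to_cleanup_);` and `central_caches->swap(central_cache_entries_to_cleanup_);`. The kept comment in `eraseHistograms` ("called for every histogram in every thread") would also be more accurate as "for every queued histogram id", now that a batch is passed in.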
@@ -445,8 +445,8 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo struct TlsCache : public ThreadLocal::ThreadLocalObject { TlsCacheEntry& insertScope(uint64_t scope_id); - void eraseScope(uint64_t scope_id); - void eraseHistogram(uint64_t histogram); + void eraseScopes(const std::vector& scope_ids); + void eraseHistograms(const std::vector& histograms); // The TLS scope cache is keyed by scope ID. This is used to avoid complex circular references // during scope destruction. An ID is required vs. using the address of the scope pointer @@ -472,8 +472,8 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo } std::string getTagsForName(const std::string& name, TagVector& tags) const; - void clearScopeFromCaches(uint64_t scope_id, CentralCacheEntrySharedPtr central_cache); - void clearHistogramFromCaches(uint64_t histogram_id); + void clearScopesFromCaches(); + void clearHistogramsFromCaches(); void releaseScopeCrossThread(ScopeImpl* scope); void mergeInternal(PostMergeCb merge_cb); bool rejects(StatName name) const; @@ -499,6 +499,7 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo std::atomic shutting_down_{}; std::atomic merge_in_progress_{}; AllocatorImpl heap_allocator_; + OptRef tls_; NullCounterImpl null_counter_; NullGaugeImpl null_gauge_; 
@@ -526,6 +527,19 @@ class ThreadLocalStoreImpl : Logger::Loggable, public StoreRo std::vector deleted_gauges_ ABSL_GUARDED_BY(lock_); std::vector deleted_histograms_ ABSL_GUARDED_BY(lock_); std::vector deleted_text_readouts_ ABSL_GUARDED_BY(lock_); + + // Scope IDs and central cache entries that are queued for cross-scope release. + // Because there can be a large number of scopes, all of which are released at once, + // (e.g. when a scope is deleted), it is more efficient to batch their cleanup, + // which would otherwise entail a post() per scope per thread. + std::vector scopes_to_cleanup_ ABSL_GUARDED_BY(lock_); + std::vector central_cache_entries_to_cleanup_ ABSL_GUARDED_BY(lock_); + + // Histograms IDs that are queued for cross-scope release. Because there + // can be a large number of histograms, all of which are released at once, + // (e.g. when a scope is deleted), it is likely more efficient to batch their + // cleanup, which would otherwise entail a post() per histogram per thread. + std::vector histograms_to_cleanup_ ABSL_GUARDED_BY(hist_mutex_); }; using ThreadLocalStoreImplPtr = std::unique_ptr; diff --git a/source/common/thread_local/thread_local_impl.h b/source/common/thread_local/thread_local_impl.h index db9cd63e10230..c9df63b1e0b85 100644 --- a/source/common/thread_local/thread_local_impl.h +++ b/source/common/thread_local/thread_local_impl.h @@ -28,6 +28,7 @@ class InstanceImpl : Logger::Loggable, public NonCopyable, pub void shutdownGlobalThreading() override; void shutdownThread() override; Event::Dispatcher& dispatcher() override; + bool isShutdown() const override { return shutdown_; } private: // On destruction returns the slot index to the deferred delete queue (detaches it). This allows diff --git a/test/common/stats/thread_local_store_speed_test.cc b/test/common/stats/thread_local_store_speed_test.cc index 5208fdaed9f5c..20aa7f503a29a 100644 --- a/test/common/stats/thread_local_store_speed_test.cc 
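Review bot: Both new member comments say the ids are queued for "cross-scope release", but the functions that fill these lists are `releaseScopeCrossThread()` and `releaseHistogramCrossThread()`, so this reads like a slip for "cross-thread". The scope comment's example, "(e.g. when a scope is deleted)", is also circular for a list of scopes; the commit message's case of a large config update is the informative one. Suggested wording: `// Scope IDs and central cache entries that are queued for cross-thread release.` and `// Histogram IDs that are queued for cross-thread release.` It would also help to state that the two scope vectors are pushed and drained together under `lock_`, since `need_post` in `releaseScopeCrossThread()` tests only `scopes_to_cleanup_`.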
+++ b/test/common/stats/thread_local_store_speed_test.cc @@ -29,17 +29,16 @@ class ThreadLocalStorePerf { store_.setTagProducer(std::make_unique(stats_config_)); Stats::TestUtil::forEachSampleStat(1000, [this](absl::string_view name) { - stat_names_.push_back(std::make_unique(name, symbol_table_)); + stat_names_.push_back(std::make_unique(name, symbol_table_)); }); } ~ThreadLocalStorePerf() { - for (auto& stat_name_storage : stat_names_) { - stat_name_storage->free(symbol_table_); + if (tls_) { + tls_->shutdownGlobalThreading(); } store_.shutdownThreading(); if (tls_) { - tls_->shutdownGlobalThreading(); tls_->shutdownThread(); } if (dispatcher_) { @@ -72,7 +71,7 @@ class ThreadLocalStorePerf { Stats::ThreadLocalStoreImpl store_; Api::ApiPtr api_; envoy::config::metrics::v3::StatsConfig stats_config_; - std::vector> stat_names_; + std::vector> stat_names_; }; } // namespace Envoy diff --git a/test/common/stats/thread_local_store_test.cc b/test/common/stats/thread_local_store_test.cc index 6d8de94d0463d..8043ebc1e4b78 100644 --- a/test/common/stats/thread_local_store_test.cc +++ b/test/common/stats/thread_local_store_test.cc @@ -69,6 +69,8 @@ class StatsThreadLocalStoreTest : public testing::Test { store_->addSink(sink_); } + ~StatsThreadLocalStoreTest() override { tls_.shutdownGlobalThreading(); } + void resetStoreWithAlloc(Allocator& alloc) { store_ = std::make_unique(alloc); store_->addSink(sink_); @@ -128,6 +130,7 @@ class HistogramTest : public testing::Test { } void TearDown() override { + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -318,6 +321,7 @@ TEST_F(StatsThreadLocalStoreTest, Tls) { EXPECT_EQ(&t1, store_->textReadouts().front().get()); // front() ok when size()==1 EXPECT_EQ(2UL, store_->textReadouts().front().use_count()); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); 
@@ -415,6 +419,7 @@ TEST_F(StatsThreadLocalStoreTest, BasicScope) { Stats::Histogram::Unit::Unspecified)); } + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); scope1->deliverHistogramToSinks(h1, 100); scope1->deliverHistogramToSinks(h2, 200); @@ -460,6 +465,7 @@ TEST_F(StatsThreadLocalStoreTest, HistogramScopeOverlap) { EXPECT_EQ(0, store_->histograms().size()); EXPECT_EQ(0, numTlsHistograms()); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); store_->histogramFromString("histogram_after_shutdown", Histogram::Unit::Unspecified); @@ -476,6 +482,7 @@ TEST_F(StatsThreadLocalStoreTest, SanitizePrefix) { Counter& c1 = scope1->counterFromString("c1"); EXPECT_EQ("scope1___foo.c1", c1.name()); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -499,13 +506,14 @@ TEST_F(StatsThreadLocalStoreTest, ScopeDelete) { EXPECT_EQ("scope1.c1", c1->name()); EXPECT_CALL(main_thread_dispatcher_, post(_)); - EXPECT_CALL(tls_, runOnAllThreads(_, _)); + EXPECT_CALL(tls_, runOnAllThreads(_, _)).Times(testing::AtLeast(1)); scope1.reset(); EXPECT_EQ(0UL, store_->counters().size()); EXPECT_EQ(1L, c1.use_count()); c1.reset(); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -541,6 +549,7 @@ TEST_F(StatsThreadLocalStoreTest, NestedScopes) { TextReadout& t1 = scope2->textReadoutFromString("some_string"); EXPECT_EQ("scope1.foo.some_string", t1.name()); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -605,6 +614,7 @@ TEST_F(StatsThreadLocalStoreTest, OverlappingScopes) { EXPECT_EQ("abc", t2.value()); EXPECT_EQ(1UL, store_->textReadouts().size()); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -650,6 +660,7 @@ TEST_F(StatsThreadLocalStoreTest, TextReadoutAllLengths) { t.set(""); EXPECT_EQ("", t.value()); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } 
@@ -805,6 +816,7 @@ TEST_F(StatsMatcherTLSTest, TestNoOpStatImpls) { store_->histogramFromString("noop_histogram_2", Stats::Histogram::Unit::Unspecified); EXPECT_EQ(&noop_histogram, &noop_histogram_2); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); } @@ -919,6 +931,7 @@ TEST_F(StatsMatcherTLSTest, TestExclusionRegex) { EXPECT_EQ("", invalid_string_2.value()); // Expected to free lowercase_counter, lowercase_gauge, valid_counter, valid_gauge + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); } @@ -938,6 +951,7 @@ class RememberStatsMatcherTest : public testing::TestWithParam { } ~RememberStatsMatcherTest() override { + tls_.shutdownGlobalThreading(); store_.shutdownThreading(); tls_.shutdownThread(); } @@ -1111,6 +1125,7 @@ TEST_F(StatsThreadLocalStoreTest, RemoveRejectedStats) { EXPECT_CALL(sink_, onHistogramComplete(Ref(histogram), 42)); histogram.recordValue(42); textReadout.set("fortytwo"); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -1127,6 +1142,7 @@ TEST_F(StatsThreadLocalStoreTest, NonHotRestartNoTruncation) { // This works fine, and we can find it by its long name because heap-stats do not // get truncated. EXPECT_NE(nullptr, TestUtility::findCounter(*store_, name_1).get()); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -1143,6 +1159,7 @@ class StatsThreadLocalStoreTestNoFixture : public testing::Test { ~StatsThreadLocalStoreTestNoFixture() override { if (threading_enabled_) { + tls_.shutdownGlobalThreading(); store_.shutdownThreading(); tls_.shutdownThread(); } @@ -1189,6 +1206,7 @@ TEST_F(StatsThreadLocalStoreTest, ShuttingDown) { store_->counterFromString("c1"); store_->gaugeFromString("g1", Gauge::ImportMode::Accumulate); store_->textReadoutFromString("t1"); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); store_->counterFromString("c2"); store_->gaugeFromString("g2", Gauge::ImportMode::Accumulate); 
@@ -1208,6 +1226,7 @@ TEST_F(StatsThreadLocalStoreTest, ShuttingDown) { EXPECT_EQ(2L, TestUtility::findGauge(*store_, "g2").use_count()); EXPECT_EQ(2L, TestUtility::findTextReadout(*store_, "t2").use_count()); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -1222,6 +1241,7 @@ TEST_F(StatsThreadLocalStoreTest, MergeDuringShutDown) { EXPECT_CALL(sink_, onHistogramComplete(Ref(h1), 1)); h1.recordValue(1); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); // Validate that merge callback is called during shutdown and there is no ASSERT. @@ -1229,6 +1249,7 @@ TEST_F(StatsThreadLocalStoreTest, MergeDuringShutDown) { store_->mergeHistograms([&merge_called]() -> void { merge_called = true; }); EXPECT_TRUE(merge_called); + tls_.shutdownGlobalThreading(); store_->shutdownThreading(); tls_.shutdownThread(); } @@ -1243,7 +1264,9 @@ TEST(ThreadLocalStoreThreadTest, ConstructDestruct) { store.initializeThreading(*dispatcher, tls); { ScopePtr scope1 = store.createScope("scope1."); } + tls.shutdownGlobalThreading(); store.shutdownThreading(); + tls.shutdownThread(); } // Histogram tests @@ -1502,15 +1525,7 @@ class ThreadLocalRealThreadsTestBase : public ThreadLocalStoreNoMocksTestBase { } ~ThreadLocalRealThreadsTestBase() override { - { - BlockingBarrier blocking_barrier(1); - main_dispatcher_->post(blocking_barrier.run([this]() { - store_->shutdownThreading(); - tls_->shutdownGlobalThreading(); - tls_->shutdownThread(); - })); - } - + shutdownThreading(); for (Event::DispatcherPtr& dispatcher : thread_dispatchers_) { dispatcher->post([&dispatcher]() { dispatcher->exit(); }); } 
@@ -1527,6 +1542,17 @@ class ThreadLocalRealThreadsTestBase : public ThreadLocalStoreNoMocksTestBase { main_thread_->join(); } + void shutdownThreading() { + BlockingBarrier blocking_barrier(1); + main_dispatcher_->post(blocking_barrier.run([this]() { + if (!tls_->isShutdown()) { + tls_->shutdownGlobalThreading(); + } + store_->shutdownThreading(); + tls_->shutdownThread(); + })); + } + void workerThreadFn(uint32_t thread_index, BlockingBarrier& blocking_barrier) { thread_dispatchers_[thread_index] = api_->allocateDispatcher(absl::StrCat("test_worker_", thread_index)); @@ -1766,8 +1792,7 @@ TEST_F(HistogramThreadTest, ScopeOverlap) { EXPECT_EQ(0, store_->histograms().size()); EXPECT_EQ(0, numTlsHistograms()); - store_->shutdownThreading(); - + shutdownThreading(); store_->histogramFromString("histogram_after_shutdown", Histogram::Unit::Unspecified); } diff --git a/test/mocks/thread_local/mocks.cc b/test/mocks/thread_local/mocks.cc index aff789b21936b..18a8cfb30baeb 100644 --- a/test/mocks/thread_local/mocks.cc +++ b/test/mocks/thread_local/mocks.cc @@ -10,10 +10,10 @@ namespace Envoy { namespace ThreadLocal { MockInstance::MockInstance() { - ON_CALL(*this, allocateSlot()).WillByDefault(Invoke(this, &MockInstance::allocateSlot_)); - ON_CALL(*this, runOnAllThreads(_)).WillByDefault(Invoke(this, &MockInstance::runOnAllThreads1_)); + ON_CALL(*this, allocateSlot()).WillByDefault(Invoke(this, &MockInstance::allocateSlotMock)); + ON_CALL(*this, runOnAllThreads(_)).WillByDefault(Invoke(this, &MockInstance::runOnAllThreads1)); ON_CALL(*this, runOnAllThreads(_, _)) - .WillByDefault(Invoke(this, &MockInstance::runOnAllThreads2_)); + .WillByDefault(Invoke(this, &MockInstance::runOnAllThreads2)); ON_CALL(*this, shutdownThread()).WillByDefault(Invoke(this, &MockInstance::shutdownThread_)); ON_CALL(*this, dispatcher()).WillByDefault(ReturnRef(dispatcher_)); } diff --git a/test/mocks/thread_local/mocks.h b/test/mocks/thread_local/mocks.h index e735c543b0e1b..3fa0f8d3479dd 100644 
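Review bot: The new `shutdownThreading()` helper in `ThreadLocalRealThreadsTestBase` has no comment, and only its `tls_->shutdownGlobalThreading()` call is guarded by `isShutdown()`. If `HistogramThreadTest` derives from this base, as the unqualified call in the `ScopeOverlap` hunk suggests, the helper runs once in the test body and again from the destructor, so `store_->shutdownThreading()` and `tls_->shutdownThread()` are posted to the main dispatcher twice. That is presumably safe, but nothing visible here says so. I would add a comment above the helper along the lines of `// May run twice (test body + destructor); global TLS shutdown is guarded, store/thread shutdown are expected to tolerate a repeat call.` and state that global TLS shutdown must precede the store's. The class body starts and ends outside this hunk.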
--- a/test/mocks/thread_local/mocks.h +++ b/test/mocks/thread_local/mocks.h @@ -22,13 +22,14 @@ class MockInstance : public Instance { // Server::ThreadLocal MOCK_METHOD(SlotPtr, allocateSlot, ()); MOCK_METHOD(void, registerThread, (Event::Dispatcher & dispatcher, bool main_thread)); - MOCK_METHOD(void, shutdownGlobalThreading, ()); + void shutdownGlobalThreading() override { shutdown_ = true; } MOCK_METHOD(void, shutdownThread, ()); MOCK_METHOD(Event::Dispatcher&, dispatcher, ()); + bool isShutdown() const override { return shutdown_; } - SlotPtr allocateSlot_() { return SlotPtr{new SlotImpl(*this, current_slot_++)}; } - void runOnAllThreads1_(Event::PostCb cb) { cb(); } - void runOnAllThreads2_(Event::PostCb cb, Event::PostCb main_callback) { + SlotPtr allocateSlotMock() { return SlotPtr{new SlotImpl(*this, current_slot_++)}; } + void runOnAllThreads1(Event::PostCb cb) { cb(); } + void runOnAllThreads2(Event::PostCb cb, Event::PostCb main_callback) { cb(); main_callback(); } diff --git a/test/server/admin/stats_handler_test.cc b/test/server/admin/stats_handler_test.cc index 1059d642edbd9..2f3b02ff75369 100644 --- a/test/server/admin/stats_handler_test.cc +++ b/test/server/admin/stats_handler_test.cc @@ -33,6 +33,12 @@ class AdminStatsTest : public testing::TestWithParamshutdownThreading(); + tls_.shutdownThread(); + } + Stats::SymbolTableImpl symbol_table_; NiceMock main_thread_dispatcher_; NiceMock tls_; @@ -189,7 +195,7 @@ TEST_P(AdminStatsTest, StatsAsJson) { })EOF"; EXPECT_THAT(expected_json, JsonStringEq(actual_json)); - store_->shutdownThreading(); + shutdownThreading(); } TEST_P(AdminStatsTest, UsedOnlyStatsAsJson) { @@ -289,7 +295,7 @@ TEST_P(AdminStatsTest, UsedOnlyStatsAsJson) { })EOF"; EXPECT_THAT(expected_json, JsonStringEq(actual_json)); - store_->shutdownThreading(); + shutdownThreading(); } TEST_P(AdminStatsTest, StatsAsJsonFilterString) { 
@@ -391,7 +397,7 @@ TEST_P(AdminStatsTest, StatsAsJsonFilterString) { })EOF"; EXPECT_THAT(expected_json, JsonStringEq(actual_json)); - store_->shutdownThreading(); + shutdownThreading(); } TEST_P(AdminStatsTest, UsedOnlyStatsAsJsonFilterString) { @@ -502,7 +508,7 @@ TEST_P(AdminStatsTest, UsedOnlyStatsAsJsonFilterString) { })EOF"; EXPECT_THAT(expected_json, JsonStringEq(actual_json)); - store_->shutdownThreading(); + shutdownThreading(); } INSTANTIATE_TEST_SUITE_P(IpVersions, AdminInstanceTest, From db0a477e68227b435a881934ded58b33b710aebd Mon Sep 17 00:00:00 2001 From: Mike Schore Date: Sat, 22 May 2021 04:44:04 +0800 Subject: [PATCH 07/14] build: declare original IP detection factories (#16621) Signed-off-by: Mike Schore --- .../http/original_ip_detection/custom_header/config.cc | 1 - .../http/original_ip_detection/custom_header/config.h | 3 +++ source/extensions/http/original_ip_detection/xff/config.cc | 1 - source/extensions/http/original_ip_detection/xff/config.h | 3 +++ 4 files changed, 6 insertions(+), 2 deletions(-) diff --git a/source/extensions/http/original_ip_detection/custom_header/config.cc b/source/extensions/http/original_ip_detection/custom_header/config.cc index 65defdccb738d..9dc57e1fefa3d 100644 --- a/source/extensions/http/original_ip_detection/custom_header/config.cc +++ b/source/extensions/http/original_ip_detection/custom_header/config.cc @@ -3,7 +3,6 @@ #include "envoy/extensions/http/original_ip_detection/custom_header/v3/custom_header.pb.h" #include "envoy/extensions/http/original_ip_detection/custom_header/v3/custom_header.pb.validate.h" #include "envoy/http/original_ip_detection.h" -#include "envoy/registry/registry.h" #include "common/config/utility.h" diff --git a/source/extensions/http/original_ip_detection/custom_header/config.h b/source/extensions/http/original_ip_detection/custom_header/config.h index 05e28c07b30e6..ca09b267c5d21 100644 --- a/source/extensions/http/original_ip_detection/custom_header/config.h 
+++ b/source/extensions/http/original_ip_detection/custom_header/config.h @@ -2,6 +2,7 @@ #include "envoy/extensions/http/original_ip_detection/custom_header/v3/custom_header.pb.h" #include "envoy/http/original_ip_detection.h" +#include "envoy/registry/registry.h" #include "common/protobuf/protobuf.h" @@ -29,6 +30,8 @@ class CustomHeaderIPDetectionFactory : public Envoy::Http::OriginalIPDetectionFa std::string name() const override { return "envoy.http.original_ip_detection.custom_header"; } }; +DECLARE_FACTORY(CustomHeaderIPDetectionFactory); + } // namespace CustomHeader } // namespace OriginalIPDetection } // namespace Http diff --git a/source/extensions/http/original_ip_detection/xff/config.cc b/source/extensions/http/original_ip_detection/xff/config.cc index 57179a6a077f0..449db7f4c0f75 100644 --- a/source/extensions/http/original_ip_detection/xff/config.cc +++ b/source/extensions/http/original_ip_detection/xff/config.cc @@ -3,7 +3,6 @@ #include "envoy/extensions/http/original_ip_detection/xff/v3/xff.pb.h" #include "envoy/extensions/http/original_ip_detection/xff/v3/xff.pb.validate.h" #include "envoy/http/original_ip_detection.h" -#include "envoy/registry/registry.h" #include "common/config/utility.h" diff --git a/source/extensions/http/original_ip_detection/xff/config.h b/source/extensions/http/original_ip_detection/xff/config.h index df3872adbab01..5a3cc31e52af7 100644 --- a/source/extensions/http/original_ip_detection/xff/config.h +++ b/source/extensions/http/original_ip_detection/xff/config.h @@ -2,6 +2,7 @@ #include "envoy/extensions/http/original_ip_detection/xff/v3/xff.pb.h" #include "envoy/http/original_ip_detection.h" +#include "envoy/registry/registry.h" #include "common/protobuf/protobuf.h" 
@@ -28,6 +29,8 @@ class XffIPDetectionFactory : public Envoy::Http::OriginalIPDetectionFactory { std::string name() const override { return "envoy.http.original_ip_detection.xff"; } }; +DECLARE_FACTORY(XffIPDetectionFactory); + } // namespace Xff } // namespace OriginalIPDetection } // namespace Http From 33cf6cd1c6db9433d27e38ee4857a43a35b56bcf Mon Sep 17 00:00:00 2001 From: Piotr Sikora Date: Fri, 21 May 2021 14:28:31 -0700 Subject: [PATCH 08/14] wasm: update V8 to v9.2.230.2. (#16604) Signed-off-by: Piotr Sikora --- bazel/external/wee8.genrule_cmd | 2 +- bazel/external/wee8.patch | 30 ++++++++---------------------- bazel/repository_locations.bzl | 6 +++--- 3 files changed, 12 insertions(+), 26 deletions(-) diff --git a/bazel/external/wee8.genrule_cmd b/bazel/external/wee8.genrule_cmd index c5ff69049a573..57e79ce83cdb1 100644 --- a/bazel/external/wee8.genrule_cmd +++ b/bazel/external/wee8.genrule_cmd @@ -33,7 +33,7 @@ if [[ ( $${SYSTEM} == "Darwin" && $${CXX-} == "" ) || $${CXX-} == *clang* ]]; th export IS_CLANG=true export CC=$${CC:-clang} export CXX=$${CXX:-clang++} - export CXXFLAGS="$${CXXFLAGS} -Wno-implicit-int-float-conversion -Wno-builtin-assume-aligned-alignment -Wno-final-dtor-non-final-class" + export CXXFLAGS="$${CXXFLAGS} -Wno-implicit-int-float-conversion -Wno-builtin-assume-aligned-alignment -Wno-final-dtor-non-final-class -Wno-invalid-constexpr" else export IS_CLANG=false export CC=$${CC:-gcc} diff --git a/bazel/external/wee8.patch b/bazel/external/wee8.patch index 6a25320fa147b..5dfce7b799e11 100644 --- a/bazel/external/wee8.patch +++ b/bazel/external/wee8.patch 
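Review bot: `-Wno-invalid-constexpr` is appended to `CXXFLAGS` for the entire clang build of wee8 with no comment saying which sources need it, so the suppression is likely to outlive the V8 code that triggered it. It is presumably required to compile V8 9.2.230.2, but the hunk does not say so. A one-line comment above the export would let the next V8 roll re-check the flag, for example `# -Wno-invalid-constexpr: added for V8 9.2.230.2; re-test and drop on the next roll.` The enclosing `if` block starts and ends outside the hunk in `wee8.genrule_cmd`.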
@@ -1,9 +1,9 @@ # 1. Fix linking with unbundled toolchain on macOS. # 2. Increase VSZ limit to 64 TiB (allows us to start up to 6,553 VMs). -# 3. Fix building and linking with MSAN. +# 3. Fix linking with MSAN. --- wee8/build/toolchain/gcc_toolchain.gni +++ wee8/build/toolchain/gcc_toolchain.gni -@@ -348,6 +348,8 @@ template("gcc_toolchain") { +@@ -376,6 +376,8 @@ template("gcc_toolchain") { # AIX does not support either -D (deterministic output) or response # files. command = "$ar -X64 {{arflags}} -r -c -s {{output}} {{inputs}}" @@ -12,7 +12,7 @@ } else { rspfile = "{{output}}.rsp" rspfile_content = "{{inputs}}" -@@ -543,7 +545,7 @@ template("gcc_toolchain") { +@@ -565,7 +567,7 @@ template("gcc_toolchain") { start_group_flag = "" end_group_flag = "" @@ -23,9 +23,9 @@ end_group_flag = "-Wl,--end-group " --- wee8/src/objects/backing-store.cc +++ wee8/src/objects/backing-store.cc -@@ -34,7 +34,7 @@ constexpr bool kUseGuardRegions = false; - // address space limits needs to be smaller. - constexpr size_t kAddressSpaceLimit = 0x8000000000L; // 512 GiB +@@ -53,7 +53,7 @@ constexpr size_t kAddressSpaceLimit = 0x8000000000L; // 512 GiB + // RISC-V64 has a user space of 256GB on the Sv39 scheme. + constexpr size_t kAddressSpaceLimit = 0x4000000000L; // 256 GiB #elif V8_TARGET_ARCH_64_BIT -constexpr size_t kAddressSpaceLimit = 0x10100000000L; // 1 TiB + 4 GiB +constexpr size_t kAddressSpaceLimit = 0x400100000000L; // 64 TiB + 4 GiB @@ -34,7 +34,7 @@ #endif --- wee8/build/config/sanitizers/sanitizers.gni +++ wee8/build/config/sanitizers/sanitizers.gni -@@ -150,7 +150,7 @@ if (!is_a_target_toolchain) { +@@ -153,7 +153,7 @@ if (!is_a_target_toolchain) { # standard system libraries. We have instrumented system libraries for msan, # which requires them to prevent false positives. # TODO(thakis): Maybe remove this variable. 
@@ -43,7 +43,7 @@ # Whether we are doing a fuzzer build. Normally this should be checked instead # of checking "use_libfuzzer || use_afl" because often developers forget to -@@ -198,8 +198,7 @@ assert(!using_sanitizer || is_clang, +@@ -202,8 +202,7 @@ assert(!using_sanitizer || is_clang, assert(!is_cfi || is_clang, "is_cfi requires setting is_clang = true in 'gn args'") @@ -53,17 +53,3 @@ if (use_libfuzzer && (is_linux || is_chromeos)) { if (is_asan) { ---- wee8/build/config/compiler/BUILD.gn -+++ wee8/build/config/compiler/BUILD.gn -@@ -736,11 +736,6 @@ config("compiler") { - cflags += [ "-fcomplete-member-pointers" ] - } - -- # TODO(crbug/1185183): Remove after next clang roll -- if (is_clang && !is_nacl && is_linux && is_msan) { -- cflags += [ "-flegacy-pass-manager" ] -- } -- - # Pass the same C/C++ flags to the objective C/C++ compiler. - cflags_objc += cflags_c - cflags_objcc += cflags_cc diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index bd88f5b04890d..106d7a1799184 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -768,14 +768,14 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "V8", project_desc = "Google’s open source high-performance JavaScript and WebAssembly engine, written in C++", project_url = "https://v8.dev", - version = "9.1.269.18", + version = "9.2.230.2", # This archive was created using https://storage.googleapis.com/envoyproxy-wee8/wee8-archive.sh # and contains complete checkout of V8 with all dependencies necessary to build wee8. - sha256 = "3c4f0827f38b49c11a8a3a20cf897ce14dc8a7a7b999f8b0ee913211c6ab3d8b", + sha256 = "237b9816ee56ad9b86e12e082132d88c543be494385f9bf9797af2a415c05f56", urls = ["https://storage.googleapis.com/envoyproxy-wee8/wee8-{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = ["envoy.wasm.runtime.v8"], - release_date = "2021-04-27", + release_date = "2021-05-20", cpe = "cpe:2.3:a:google:v8:*", ), com_googlesource_quiche = dict( 
From c243a43c6bafef01b69f51294b14d522b7175eee Mon Sep 17 00:00:00 2001 From: Long Dai Date: Sat, 22 May 2021 05:32:20 +0800 Subject: [PATCH 09/14] devcontainer: use host network as default (#16589) Signed-off-by: Long Dai --- .devcontainer/devcontainer.json | 1 + 1 file changed, 1 insertion(+)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 6b7929f71eb9f..77852d506a028 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -9,6 +9,7 @@
 "--security-opt=seccomp=unconfined",
 "--volume=${env:HOME}:${env:HOME}",
 "--volume=envoy-build:/build",
+ "--network=host",
 // Uncomment next line if you have devcontainer.env
 // "--env-file=.devcontainer/devcontainer.env"
 ],
From 64e453ba4e21a6f054d7fdecbecf06ad3ed5529a Mon Sep 17 00:00:00 2001 From: James Peach Date: Sat, 22 May 2021 07:32:40 +1000 Subject: [PATCH 10/14] cleanup: fix various clang-tidy issues (#16607)
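Review bot: `"--network=host"` is added unconditionally to the container's argument list (presumably `runArgs`), so every dev container now shares the host's network namespace. Services listening on the host's loopback become reachable from inside the container, and anything a build or test binds inside the container is bound on the host's interfaces. The same list already passes `--security-opt=seccomp=unconfined` and mounts `${env:HOME}`, so this removes one of the few isolation boundaries left for code built in the container. I would make it opt-in, like the env-file entry below it: `// Uncomment next line to share the host network namespace` followed by `// "--network=host",`. The enclosing array starts outside the hunk.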
Signed-off-by: James Peach --- include/envoy/common/platform.h | 2 +- source/common/http/utility.cc | 2 +- source/common/network/utility.cc | 2 +- source/common/router/config_impl.cc | 2 +- .../local_ratelimit/local_ratelimit_impl.h | 2 +- .../http/grpc_stats/grpc_stats_filter.cc | 4 +-- .../filters/network/wasm/wasm_filter.h | 2 +- source/server/options_impl.cc | 3 +-- .../config/grpc_subscription_test_harness.h | 1 - test/common/config/utility_test.cc | 1 - test/common/http/codec_client_test.cc | 1 - test/common/http/conn_manager_impl_test.cc | 1 - test/common/protobuf/utility_test.cc | 2 -- .../quic/platform/quic_platform_test.cc | 1 - test/common/router/router_test.cc | 4 --- .../common/secret/secret_manager_impl_test.cc | 1 - test/common/tcp_proxy/upstream_test.cc | 2 +- .../common/grpc_access_logger_test.cc | 1 - .../bootstrap/wasm/test_data/speed_cpp.cc | 26 +++++++++++-------- .../common/wasm/test_data/test_context_cpp.cc | 2 +- .../common/wasm/test_data/test_cpp.cc | 2 ++ .../http/original_src/original_src_test.cc | 1 - .../client_ssl_auth/client_ssl_auth_test.cc | 1 - .../network/dubbo_proxy/conn_manager_test.cc | 2 -- .../network/ext_authz/ext_authz_fuzz_test.cc | 1 - .../tracers/lightstep/config_test.cc | 1 - .../lightstep/lightstep_tracer_impl_test.cc | 1 - .../tracers/zipkin/zipkin_tracer_impl_test.cc | 1 - test/mocks/server/overload_manager.cc | 2 -- test/mocks/upstream/cluster_manager.cc | 2 -- test/server/admin/admin_test.cc | 5 ---- test/server/configuration_impl_test.cc | 1 - 32 files changed, 28 insertions(+), 54 deletions(-) diff --git a/include/envoy/common/platform.h b/include/envoy/common/platform.h index 36ed51becf89d..e610caccb7ee1 100644 --- a/include/envoy/common/platform.h +++ b/include/envoy/common/platform.h 
@@ -229,7 +229,7 @@ constexpr bool win32SupportsOriginalDestination() { #define UDP_SEGMENT 103 #endif -typedef int os_fd_t; +typedef int os_fd_t; // NOLINT(modernize-use-using) typedef int filesystem_os_id_t; // NOLINT(modernize-use-using) typedef int signal_t; // NOLINT(modernize-use-using) diff --git a/source/common/http/utility.cc b/source/common/http/utility.cc index 8075a7ba6e602..bc4545a91e3cf 100644 --- a/source/common/http/utility.cc +++ b/source/common/http/utility.cc @@ -778,7 +778,7 @@ void Utility::extractHostPathFromUri(const absl::string_view& uri, absl::string_ // Start position of the host const auto host_pos = (pos == std::string::npos) ? 0 : pos + 3; // Start position of the path - const auto path_pos = uri.find("/", host_pos); + const auto path_pos = uri.find('/', host_pos); if (path_pos == std::string::npos) { // If uri doesn't have "/", the whole string is treated as host. host = uri.substr(host_pos); diff --git a/source/common/network/utility.cc b/source/common/network/utility.cc index d30b5770b63ed..d8c59a78d8d26 100644 --- a/source/common/network/utility.cc +++ b/source/common/network/utility.cc @@ -421,7 +421,7 @@ void Utility::parsePortRangeList(absl::string_view string, std::list& uint32_t min = 0; uint32_t max = 0; - if (s.find("-") != std::string::npos) { + if (s.find('-') != std::string::npos) { char dash = 0; ss >> min; ss >> dash; diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc index 8c5ba9b1c67ab..3195a260af3cb 100644 --- a/source/common/router/config_impl.cc +++ b/source/common/router/config_impl.cc @@ -752,7 +752,7 @@ absl::string_view RouteEntryImplBase::processRequestHost(const Http::RequestHead host_end += 1; // advance to : } } else { - host_end = request_host.rfind(":"); + host_end = request_host.rfind(':'); } if (host_end != absl::string_view::npos) { 
diff --git a/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.h b/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.h index 953fb612daf8c..2c66a1e0f9150 100644 --- a/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.h +++ b/source/extensions/filters/common/local_ratelimit/local_ratelimit_impl.h @@ -45,7 +45,7 @@ class LocalRateLimiterImpl { } }; struct LocalDescriptorHash { - using is_transparent = void; // NOLINT(readability-identifier-naming)t + using is_transparent = void; // NOLINT(readability-identifier-naming) size_t operator()(const RateLimit::LocalDescriptor& d) const { return absl::Hash>()(d.entries_); } diff --git a/source/extensions/filters/http/grpc_stats/grpc_stats_filter.cc b/source/extensions/filters/http/grpc_stats/grpc_stats_filter.cc index 1b61e4ba9c5a1..e71f7993f57dd 100644 --- a/source/extensions/filters/http/grpc_stats/grpc_stats_filter.cc +++ b/source/extensions/filters/http/grpc_stats/grpc_stats_filter.cc @@ -53,7 +53,7 @@ class GrpcServiceMethodToRequestNamesMap { static uint64_t hash(const ViewTuple& key) { return absl::Hash()(key); } public: - using is_transparent = void; + using is_transparent = void; // NOLINT(readability-identifier-naming) uint64_t operator()(const OwningKey& key) const { return hash(key); } uint64_t operator()(const ViewKey& key) const { @@ -62,7 +62,7 @@ class GrpcServiceMethodToRequestNamesMap { }; struct MapEq { - using is_transparent = void; + using is_transparent = void; // NOLINT(readability-identifier-naming) bool operator()(const OwningKey& left, const OwningKey& right) const { return left == right; } bool operator()(const OwningKey& left, const ViewKey& right) const { return left == std::make_tuple(right.service_, right.method_); diff --git a/source/extensions/filters/network/wasm/wasm_filter.h b/source/extensions/filters/network/wasm/wasm_filter.h index 9a166139e23f7..4c482af432e36 100644 --- a/source/extensions/filters/network/wasm/wasm_filter.h 
+++ b/source/extensions/filters/network/wasm/wasm_filter.h @@ -51,7 +51,7 @@ class FilterConfig : Logger::Loggable { Config::DataSource::RemoteAsyncDataProviderPtr remote_data_provider_; }; -typedef std::shared_ptr FilterConfigSharedPtr; +using FilterConfigSharedPtr = std::shared_ptr; } // namespace Wasm } // namespace NetworkFilters diff --git a/source/server/options_impl.cc b/source/server/options_impl.cc index f1c2ce979a776..a9b785e1f0b3b 100644 --- a/source/server/options_impl.cc +++ b/source/server/options_impl.cc @@ -41,8 +41,7 @@ OptionsImpl::OptionsImpl(int argc, const char* const* argv, OptionsImpl::OptionsImpl(std::vector args, const HotRestartVersionCb& hot_restart_version_cb, - spdlog::level::level_enum default_log_level) - : signal_handling_enabled_(true) { + spdlog::level::level_enum default_log_level) { std::string log_levels_string = fmt::format("Log levels: {}", allowedLogLevels()); log_levels_string += fmt::format("\nDefault is [{}]", spdlog::level::level_string_views[default_log_level]); diff --git a/test/common/config/grpc_subscription_test_harness.h b/test/common/config/grpc_subscription_test_harness.h index b5cca58fb4ab7..c105ec9d7ed8d 100644 --- a/test/common/config/grpc_subscription_test_harness.h +++ b/test/common/config/grpc_subscription_test_harness.h @@ -27,7 +27,6 @@ #include "gtest/gtest.h" using testing::_; -using testing::Invoke; using testing::Mock; using testing::NiceMock; using testing::Return; diff --git a/test/common/config/utility_test.cc b/test/common/config/utility_test.cc index 8d97b8f225440..4f12e71d87a38 100644 --- a/test/common/config/utility_test.cc +++ b/test/common/config/utility_test.cc @@ -26,7 +26,6 @@ #include "gtest/gtest.h" #include "udpa/type/v1/typed_struct.pb.h" -using testing::_; using testing::Ref; using testing::Return; diff --git a/test/common/http/codec_client_test.cc b/test/common/http/codec_client_test.cc index 4f601a5a45619..06621f778ba98 100644 --- a/test/common/http/codec_client_test.cc 
+++ b/test/common/http/codec_client_test.cc @@ -34,7 +34,6 @@ using testing::Pointee; using testing::Ref; using testing::Return; using testing::ReturnRef; -using testing::Throw; namespace Envoy { namespace Http { diff --git a/test/common/http/conn_manager_impl_test.cc b/test/common/http/conn_manager_impl_test.cc index 7f34287cf2ec0..80e1364e23aba 100644 --- a/test/common/http/conn_manager_impl_test.cc +++ b/test/common/http/conn_manager_impl_test.cc @@ -7,7 +7,6 @@ using testing::An; using testing::AnyNumber; using testing::AtLeast; using testing::Eq; -using testing::HasSubstr; using testing::InSequence; using testing::Invoke; using testing::InvokeWithoutArgs; diff --git a/test/common/protobuf/utility_test.cc b/test/common/protobuf/utility_test.cc index 97b25a67bcade..8b2a857577c35 100644 --- a/test/common/protobuf/utility_test.cc +++ b/test/common/protobuf/utility_test.cc @@ -41,9 +41,7 @@ using namespace std::chrono_literals; namespace Envoy { -using testing::AllOf; using testing::HasSubstr; -using testing::Property; class RuntimeStatsHelper : public TestScopedRuntime { public: diff --git a/test/common/quic/platform/quic_platform_test.cc b/test/common/quic/platform/quic_platform_test.cc index cb4741bfc8c0c..22f8f9c21adc4 100644 --- a/test/common/quic/platform/quic_platform_test.cc +++ b/test/common/quic/platform/quic_platform_test.cc @@ -61,7 +61,6 @@ using testing::_; using testing::HasSubstr; -using testing::Return; namespace quic { namespace { diff --git a/test/common/router/router_test.cc b/test/common/router/router_test.cc index 9ffbd3eab416c..dfac7ba12c36b 100644 --- a/test/common/router/router_test.cc +++ b/test/common/router/router_test.cc @@ -51,10 +51,6 @@ #include "gtest/gtest.h" using testing::_; -using testing::AnyNumber; -using testing::AssertionFailure; -using testing::AssertionResult; -using testing::AssertionSuccess; using testing::AtLeast; using testing::Eq; using testing::InSequence; 
diff --git a/test/common/secret/secret_manager_impl_test.cc b/test/common/secret/secret_manager_impl_test.cc index 58304e1a1106e..aab0883268ad5 100644 --- a/test/common/secret/secret_manager_impl_test.cc +++ b/test/common/secret/secret_manager_impl_test.cc @@ -25,7 +25,6 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" -using testing::Return; using testing::ReturnRef; namespace Envoy { diff --git a/test/common/tcp_proxy/upstream_test.cc b/test/common/tcp_proxy/upstream_test.cc index 9040bab968d7f..d1fd2972886a1 100644 --- a/test/common/tcp_proxy/upstream_test.cc +++ b/test/common/tcp_proxy/upstream_test.cc @@ -46,7 +46,7 @@ template class HttpUpstreamTest : public testing::Test { using testing::Types; -typedef Types Implementations; +using Implementations = Types; TYPED_TEST_SUITE(HttpUpstreamTest, Implementations); diff --git a/test/extensions/access_loggers/common/grpc_access_logger_test.cc b/test/extensions/access_loggers/common/grpc_access_logger_test.cc index 0b3d1aaa9f6f3..74ad5a13345f3 100644 --- a/test/extensions/access_loggers/common/grpc_access_logger_test.cc +++ b/test/extensions/access_loggers/common/grpc_access_logger_test.cc @@ -20,7 +20,6 @@ #include "test/test_common/test_runtime.h" using testing::_; -using testing::AnyNumber; using testing::InSequence; using testing::Invoke; using testing::NiceMock; diff --git a/test/extensions/bootstrap/wasm/test_data/speed_cpp.cc b/test/extensions/bootstrap/wasm/test_data/speed_cpp.cc index 7aef81d606382..a0415847c16f9 100644 --- a/test/extensions/bootstrap/wasm/test_data/speed_cpp.cc +++ b/test/extensions/bootstrap/wasm/test_data/speed_cpp.cc 
@@ -79,14 +79,17 @@ std::string base64Encode(const uint8_t* start, const uint8_t* end) { } bool base64Decode(const std::basic_string& input, std::vector* output) { - if (input.length() % 4) + if (input.length() % 4) { return false; + } size_t padding = 0; if (input.length()) { - if (input[input.length() - 1] == padCharacter) + if (input[input.length() - 1] == padCharacter) { padding++; - if (input[input.length() - 2] == padCharacter) + } + if (input[input.length() - 2] == padCharacter) { padding++; + } } // Setup a vector to hold the result std::vector decodedBytes; @@ -96,17 +99,17 @@ bool base64Decode(const std::basic_string& input, std::vector* ou while (cursor < input.end()) { for (size_t quantumPosition = 0; quantumPosition < 4; quantumPosition++) { temp <<= 6; - if (*cursor >= 0x41 && *cursor <= 0x5A) // This area will need tweaking if - temp |= *cursor - 0x41; // you are using an alternate alphabet - else if (*cursor >= 0x61 && *cursor <= 0x7A) + if (*cursor >= 0x41 && *cursor <= 0x5A) { // This area will need tweaking if + temp |= *cursor - 0x41; // you are using an alternate alphabet + } else if (*cursor >= 0x61 && *cursor <= 0x7A) { temp |= *cursor - 0x47; - else if (*cursor >= 0x30 && *cursor <= 0x39) + } else if (*cursor >= 0x30 && *cursor <= 0x39) { temp |= *cursor + 0x04; - else if (*cursor == 0x2B) + } else if (*cursor == 0x2B) { temp |= 0x3E; // change to 0x2D for URL alphabet - else if (*cursor == 0x2F) + } else if (*cursor == 0x2F) { temp |= 0x3F; // change to 0x5F for URL alphabet - else if (*cursor == padCharacter) { // pad + } else if (*cursor == padCharacter) { // pad switch (input.end() - cursor) { case 1: // One pad character decodedBytes.push_back((temp >> 16) & 0x000000FF); @@ -118,8 +121,9 @@ bool base64Decode(const std::basic_string& input, std::vector* ou default: return false; } - } else + } else { return false; + } cursor++; } decodedBytes.push_back((temp >> 16) & 0x000000FF); 
diff --git a/test/extensions/common/wasm/test_data/test_context_cpp.cc b/test/extensions/common/wasm/test_data/test_context_cpp.cc index c89164e43f116..07d9d418f26d5 100644 --- a/test/extensions/common/wasm/test_data/test_context_cpp.cc +++ b/test/extensions/common/wasm/test_data/test_context_cpp.cc @@ -58,7 +58,7 @@ bool TestRootContext::onDone() { // Null VM fails on nullptr. void TestRootContext::onTick() { - if (envoy_resolve_dns(0, 1, &dns_token_) != WasmResult::InvalidMemoryAccess) { + if (envoy_resolve_dns(nullptr, 1, &dns_token_) != WasmResult::InvalidMemoryAccess) { logInfo("resolve_dns should report invalid memory access"); } if (envoy_resolve_dns("example.com", sizeof("example.com") - 1, nullptr) != diff --git a/test/extensions/common/wasm/test_data/test_cpp.cc b/test/extensions/common/wasm/test_data/test_cpp.cc index a344eace4943d..47750500e544b 100644 --- a/test/extensions/common/wasm/test_data/test_cpp.cc +++ b/test/extensions/common/wasm/test_data/test_cpp.cc @@ -76,6 +76,7 @@ WASM_EXPORT(uint32_t, proxy_on_vm_start, (uint32_t context_id, uint32_t configur std::string message = "before badptr"; proxy_log(LogLevel::error, message.c_str(), message.size()); ::free(const_cast(reinterpret_cast(configuration_ptr))); + configuration_ptr = nullptr; *badptr = 1; message = "after badptr"; proxy_log(LogLevel::error, message.c_str(), message.size()); @@ -83,6 +84,7 @@ WASM_EXPORT(uint32_t, proxy_on_vm_start, (uint32_t context_id, uint32_t configur std::string message = "before div by zero"; proxy_log(LogLevel::error, message.c_str(), message.size()); ::free(const_cast(reinterpret_cast(configuration_ptr))); + configuration_ptr = nullptr; int zero = context_id & 0x100000; message = "divide by zero: " + std::to_string(100 / zero); proxy_log(LogLevel::error, message.c_str(), message.size()); 
diff --git a/test/extensions/filters/http/original_src/original_src_test.cc b/test/extensions/filters/http/original_src/original_src_test.cc index 7b497ffd44a66..3fb9abc51e988 100644 --- a/test/extensions/filters/http/original_src/original_src_test.cc +++ b/test/extensions/filters/http/original_src/original_src_test.cc @@ -16,7 +16,6 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" -using testing::_; using testing::SaveArg; using testing::StrictMock; diff --git a/test/extensions/filters/network/client_ssl_auth/client_ssl_auth_test.cc b/test/extensions/filters/network/client_ssl_auth/client_ssl_auth_test.cc index 2b8c8cbcc2ae8..7bb1cda809942 100644 --- a/test/extensions/filters/network/client_ssl_auth/client_ssl_auth_test.cc +++ b/test/extensions/filters/network/client_ssl_auth/client_ssl_auth_test.cc @@ -23,7 +23,6 @@ #include "gtest/gtest.h" using testing::_; -using testing::Eq; using testing::InSequence; using testing::Invoke; using testing::Return; diff --git a/test/extensions/filters/network/dubbo_proxy/conn_manager_test.cc b/test/extensions/filters/network/dubbo_proxy/conn_manager_test.cc index 40f26d0fe8049..44240f4c48845 100644 --- a/test/extensions/filters/network/dubbo_proxy/conn_manager_test.cc +++ b/test/extensions/filters/network/dubbo_proxy/conn_manager_test.cc @@ -432,14 +432,12 @@ TEST_F(ConnectionManagerTest, OnDataHandlesProtocolErrorOnWrite) { // Start the read buffer writePartialHessianRequestMessage(buffer_, false, false, 0x0F, true); - uint64_t len = buffer_.length(); DubboFilters::DecoderFilterCallbacks* callbacks{}; EXPECT_CALL(*decoder_filter, setDecoderFilterCallbacks(_)) .WillOnce(Invoke([&](DubboFilters::DecoderFilterCallbacks& cb) -> void { callbacks = &cb; })); EXPECT_EQ(conn_manager_->onData(buffer_, false), Network::FilterStatus::StopIteration); - len -= buffer_.length(); // Disable sniffing writeInvalidRequestMessage(write_buffer_); 
diff --git a/test/extensions/filters/network/ext_authz/ext_authz_fuzz_test.cc b/test/extensions/filters/network/ext_authz/ext_authz_fuzz_test.cc index de8a274608a8b..5760a2d4805c6 100644 --- a/test/extensions/filters/network/ext_authz/ext_authz_fuzz_test.cc +++ b/test/extensions/filters/network/ext_authz/ext_authz_fuzz_test.cc @@ -14,7 +14,6 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" -using testing::ReturnRef; using testing::WithArgs; namespace Envoy { diff --git a/test/extensions/tracers/lightstep/config_test.cc b/test/extensions/tracers/lightstep/config_test.cc index a490959a6b050..94ff62d27dce2 100644 --- a/test/extensions/tracers/lightstep/config_test.cc +++ b/test/extensions/tracers/lightstep/config_test.cc @@ -10,7 +10,6 @@ #include "gmock/gmock.h" #include "gtest/gtest.h" -using testing::Eq; using testing::NiceMock; using testing::Return; diff --git a/test/extensions/tracers/lightstep/lightstep_tracer_impl_test.cc b/test/extensions/tracers/lightstep/lightstep_tracer_impl_test.cc index 3d49ba486de67..8f3a869325a4c 100644 --- a/test/extensions/tracers/lightstep/lightstep_tracer_impl_test.cc +++ b/test/extensions/tracers/lightstep/lightstep_tracer_impl_test.cc @@ -34,7 +34,6 @@ using testing::_; using testing::AtLeast; using testing::DoAll; -using testing::Eq; using testing::Invoke; using testing::NiceMock; using testing::Return; diff --git a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc index 07fe8035ab3e3..451637ce50c3c 100644 --- a/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc +++ b/test/extensions/tracers/zipkin/zipkin_tracer_impl_test.cc @@ -29,7 +29,6 @@ using testing::_; using testing::DoAll; -using testing::Eq; using testing::Invoke; using testing::NiceMock; using testing::Return; diff --git a/test/mocks/server/overload_manager.cc b/test/mocks/server/overload_manager.cc index 3cb951ea7f8ec..4ebf19f032b88 100644 --- a/test/mocks/server/overload_manager.cc 
+++ b/test/mocks/server/overload_manager.cc @@ -10,8 +10,6 @@ namespace Envoy { namespace Server { -using ::testing::NiceMock; -using ::testing::ReturnNew; using ::testing::ReturnRef; MockThreadLocalOverloadState::MockThreadLocalOverloadState() diff --git a/test/mocks/upstream/cluster_manager.cc b/test/mocks/upstream/cluster_manager.cc index a789f485d47b4..3b025132461a7 100644 --- a/test/mocks/upstream/cluster_manager.cc +++ b/test/mocks/upstream/cluster_manager.cc @@ -9,8 +9,6 @@ namespace Envoy { namespace Upstream { -using ::testing::_; -using ::testing::Eq; using ::testing::Return; using ::testing::ReturnRef; diff --git a/test/server/admin/admin_test.cc b/test/server/admin/admin_test.cc index aa915f954ee1f..fdcd42ac3e850 100644 --- a/test/server/admin/admin_test.cc +++ b/test/server/admin/admin_test.cc @@ -27,11 +27,6 @@ #include "gtest/gtest.h" using testing::HasSubstr; -using testing::Invoke; -using testing::NiceMock; -using testing::Return; -using testing::ReturnPointee; -using testing::ReturnRef; namespace Envoy { namespace Server { diff --git a/test/server/configuration_impl_test.cc b/test/server/configuration_impl_test.cc index a277dbbaeb40f..6abdd713c0798 100644 --- a/test/server/configuration_impl_test.cc +++ b/test/server/configuration_impl_test.cc @@ -32,7 +32,6 @@ using testing::NiceMock; using testing::Return; -using testing::ReturnRef; namespace Envoy { namespace Server { From 8cb649ee2b4d1296d5a8b8c1d7bef2be2a694f88 Mon Sep 17 00:00:00 2001 From: Lachlan Cooper Date: Sat, 22 May 2021 07:33:44 +1000 Subject: [PATCH 11/14] docs: Fix spelling errors in API docs (#16611) This includes minor spelling and grammar fixes. Signed-off-by: Lachlan Cooper --- api/API_VERSIONING.md | 6 +++--- api/STYLE.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/api/API_VERSIONING.md b/api/API_VERSIONING.md index d2a47c116b9d5..3f5d41e710a9c 100644 --- a/api/API_VERSIONING.md +++ b/api/API_VERSIONING.md 
@@ -21,12 +21,12 @@ https://github.com/envoyproxy/envoy/issues/8416. In everyday discussion and GitHub labels, we refer to the `v2`, `v3`, `vN`, `...` APIs. This has a specific technical meaning. Any given message in the Envoy API, e.g. the `Bootstrap` at -`envoy.config.bootstrap.v3.Boostrap`, will transitively reference a number of packages in the Envoy +`envoy.config.bootstrap.v3.Bootstrap`, will transitively reference a number of packages in the Envoy API. These may be at `vN`, `v(N-1)`, etc. The Envoy API is technically a DAG of versioned package namespaces. When we talk about the `vN xDS API`, we really refer to the `N` of the root configuration resources (e.g. bootstrap, xDS resources such as `Cluster`). The -v3 API bootstrap configuration is `envoy.config.bootstrap.v3.Boostrap`, even -though it might might transitively reference `envoy.service.trace.v2`. +v3 API bootstrap configuration is `envoy.config.bootstrap.v3.Bootstrap`, even +though it might transitively reference `envoy.service.trace.v2`. # Backwards compatibility diff --git a/api/STYLE.md b/api/STYLE.md index 6368609580f08..18d96fd4ae47a 100644 --- a/api/STYLE.md +++ b/api/STYLE.md @@ -230,7 +230,7 @@ xDS APIs: breaking changes where there is no substantial gain in functionality, performance, security or implementation simplification. We will tolerate technical debt in the API itself, e.g. in the form of vestigial deprecated - fields or reduced ergnomics (such as not using `oneof` when we would prefer + fields or reduced ergonomics (such as not using `oneof` when we would prefer to), in order to meet this principle. * Namespaces for extensions, metadata, etc. use a reverse DNS naming scheme, From c94e646e0280e4c521f8e613f1ae2a02b274dbbf Mon Sep 17 00:00:00 2001 
From: bobby <1544881+desimone@users.noreply.github.com> Date: Sun, 23 May 2021 05:52:03 -0700 Subject: [PATCH 12/14] docs: clarify the new default client cipher list (#16474) These changes clarify that as of v1.16 the default cipher suite is different for client and servers. Risk Level: Low Testing: N/A Docs Changes: Yes Release Notes: N/A Platform Specific Features: N/A Fixes #16469 Signed-off-by: Bobby DeSimone --- .../transport_sockets/tls/v3/common.proto | 28 ++++++++++++++++--- .../tls/v4alpha/common.proto | 28 ++++++++++++++++--- .../transport_sockets/tls/v3/common.proto | 28 ++++++++++++++++--- .../tls/v4alpha/common.proto | 28 ++++++++++++++++--- 4 files changed, 96 insertions(+), 16 deletions(-) diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto index 182dc4b81a5fc..aa05a31f23d90 100644 --- a/api/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -51,10 +51,12 @@ message TlsParameters { // If specified, the TLS listener will only support the specified `cipher list // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). // - // In non-FIPS builds, the default cipher list is: + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // + // In non-FIPS builds, the default server cipher list is: // // .. code-block:: none // @@ -71,7 +73,7 @@ message TlsParameters { // AES256-GCM-SHA384 // AES256-SHA // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: // // .. code-block:: none // 
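Review bot: The opening sentence of the `cipher_suites` comment in the `@@ -51,10 +53,12 @@` hunk still says "the TLS listener will only support the specified cipher list", although the paragraph added right below it states that the field also has a client (upstream) default. Someone configuring an upstream TLS context could read the setting as listener-only and leave the upstream cipher policy unreviewed. I would replace "the TLS listener" with "the TLS connection" in that sentence, which matches the wording of the next field's comment ("If specified, the TLS connection will only support the specified ECDH"). The same sentence appears in the v4alpha copy and in both generated_api_shadow copies further down. The `TlsParameters` message itself begins outside the hunk.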
@@ -87,6 +89,24 @@ message TlsParameters { // ECDHE-RSA-AES256-SHA // AES256-GCM-SHA384 // AES256-SHA + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 repeated string cipher_suites = 3; // If specified, the TLS connection will only support the specified ECDH diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 0bc4bf9e963fa..e696fffc5e57d 100644 --- a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto +++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -52,10 +52,12 @@ message TlsParameters { // If specified, the TLS listener will only support the specified `cipher list // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). // - // In non-FIPS builds, the default cipher list is: + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // + // In non-FIPS builds, the default server cipher list is: // // .. code-block:: none // 
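Review bot: The comment added in the `@@ -87,6 +89,24 @@` hunk prints the client lists but never states how they differ from the server lists or what follows from that. The client lists hold only ECDHE suites with AES-GCM (plus ChaCha20-Poly1305 in non-FIPS builds), while the server lists shown as context still end in `ECDHE-RSA-AES256-SHA`, `AES256-GCM-SHA384` and `AES256-SHA`. Judging from the printed lists, an upstream that offers only the CBC-mode or non-ECDHE suites would fail the TLS 1.0-1.2 handshake under the client default, and a sentence saying so helps operators recognise a cipher mismatch instead of suspecting certificates. I would add after the second client list `// The client defaults omit the CBC-mode and non-ECDHE suites that remain in the server defaults.` and name the release where the lists diverged, which the commit description gives as v1.16. The same addition applies to the v4alpha and generated_api_shadow copies.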
@@ -72,7 +74,7 @@ message TlsParameters { // AES256-GCM-SHA384 // AES256-SHA // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: // // .. code-block:: none // @@ -88,6 +90,24 @@ message TlsParameters { // ECDHE-RSA-AES256-SHA // AES256-GCM-SHA384 // AES256-SHA + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 repeated string cipher_suites = 3; // If specified, the TLS connection will only support the specified ECDH diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto index 0c5c199510766..64b3f59dcb263 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto 
@@ -53,10 +53,12 @@ message TlsParameters { // If specified, the TLS listener will only support the specified `cipher list // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). // - // In non-FIPS builds, the default cipher list is: + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // + // In non-FIPS builds, the default server cipher list is: // // .. code-block:: none // @@ -73,7 +75,7 @@ message TlsParameters { // AES256-GCM-SHA384 // AES256-SHA // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: // // .. code-block:: none // @@ -89,6 +91,24 @@ message TlsParameters { // ECDHE-RSA-AES256-SHA // AES256-GCM-SHA384 // AES256-SHA + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 repeated string cipher_suites = 3; // If specified, the TLS connection will only support the specified ECDH diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto index 0bc4bf9e963fa..e696fffc5e57d 100644 --- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto 
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto @@ -52,10 +52,12 @@ message TlsParameters { // If specified, the TLS listener will only support the specified `cipher list // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). // - // In non-FIPS builds, the default cipher list is: + // If not specified, a default list will be used. Defaults are different for server (downstream) and + // client (upstream) TLS configurations. + // + // In non-FIPS builds, the default server cipher list is: // // .. code-block:: none // @@ -72,7 +74,7 @@ message TlsParameters { // AES256-GCM-SHA384 // AES256-SHA // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: // // .. code-block:: none // @@ -88,6 +90,24 @@ message TlsParameters { // ECDHE-RSA-AES256-SHA // AES256-GCM-SHA384 // AES256-SHA + // + // In non-FIPS builds, the default client cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // + // In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 repeated string cipher_suites = 3; // If specified, the TLS connection will only support the specified ECDH From 9da23600bfb3c16f74bf859456048f8820f976f5 Mon Sep 17 00:00:00 2001 From: phlax Date: Sun, 23 May 2021 13:59:40 +0100 Subject: [PATCH 13/14] dependabot: Update docs jinja (#16500) Signed-off-by: dependabot[bot] 
Signed-off-by: Ryan Northey Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- docs/requirements.txt | 81 ++++++++++++++++++++++--------------------- 1 file changed, 41 insertions(+), 40 deletions(-) diff --git a/docs/requirements.txt b/docs/requirements.txt index 0eae9f8c01043..6a3f7c3cc01e7 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt 
@@ -57,46 +57,47 @@ imagesize==1.2.0 \ # via # -r docs/requirements.txt # sphinx -jinja2==2.11.3 \ - --hash=sha256:03e47ad063331dd6a3f04a43eddca8a966a26ba0c5b7207a9a9e4e08f1b29419 \ - --hash=sha256:a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6 +jinja2==3.0.1 \ + --hash=sha256:1f06f2da51e7b56b8f238affdd6b4e2c61e39598a378cc49345bc1bd42a978a4 \ + --hash=sha256:703f484b47a6af502e743c9122595cc812b0271f661722403114f71a79d0f5a4 # via # -r docs/requirements.txt # sphinx -markupsafe==1.1.1 \ - --hash=sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473 \ - --hash=sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161 \ - --hash=sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235 \ - --hash=sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5 \ - --hash=sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42 \ - --hash=sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff \ - --hash=sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b \ - --hash=sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1 \ - --hash=sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e \ - --hash=sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183 \ - --hash=sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66 \ - --hash=sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b \ - --hash=sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1 \ - --hash=sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15 \ - --hash=sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1 \ - --hash=sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e \ - --hash=sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b \ - --hash=sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905 
\ - --hash=sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735 \ - --hash=sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d \ - --hash=sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e \ - --hash=sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d \ - --hash=sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c \ - --hash=sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21 \ - --hash=sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2 \ - --hash=sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5 \ - --hash=sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b \ - --hash=sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6 \ - --hash=sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f \ - --hash=sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f \ - --hash=sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2 \ - --hash=sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7 \ - --hash=sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be +markupsafe==2.0.1 \ + --hash=sha256:f9081981fe268bd86831e5c75f7de206ef275defcb82bc70740ae6dc507aee51 \ + --hash=sha256:0955295dd5eec6cb6cc2fe1698f4c6d84af2e92de33fbcac4111913cd100a6ff \ + --hash=sha256:0446679737af14f45767963a1a9ef7620189912317d095f2d9ffa183a4d25d2b \ + --hash=sha256:f826e31d18b516f653fe296d967d700fddad5901ae07c622bb3705955e1faa94 \ + --hash=sha256:fa130dd50c57d53368c9d59395cb5526eda596d3ffe36666cd81a44d56e48872 \ + --hash=sha256:905fec760bd2fa1388bb5b489ee8ee5f7291d692638ea5f67982d968366bef9f \ + --hash=sha256:6c4ca60fa24e85fe25b912b01e62cb969d69a23a5d5867682dd3e80b5b02581d \ + --hash=sha256:b2f4bf27480f5e5e8ce285a8c8fd176c0b03e93dcc6646477d4630e83440c6a9 \ + 
--hash=sha256:0717a7390a68be14b8c793ba258e075c6f4ca819f15edfc2a3a027c823718567 \ + --hash=sha256:6557b31b5e2c9ddf0de32a691f2312a32f77cd7681d8af66c2692efdbef84c18 \ + --hash=sha256:49e3ceeabbfb9d66c3aef5af3a60cc43b85c33df25ce03d0031a608b0a8b2e3f \ + --hash=sha256:d7f9850398e85aba693bb640262d3611788b1f29a79f0c93c565694658f4071f \ + --hash=sha256:6a7fae0dd14cf60ad5ff42baa2e95727c3d81ded453457771d02b7d2b3f9c0c2 \ + --hash=sha256:b7f2d075102dc8c794cbde1947378051c4e5180d52d276987b8d28a3bd58c17d \ + --hash=sha256:a30e67a65b53ea0a5e62fe23682cfe22712e01f453b95233b25502f7c61cb415 \ + --hash=sha256:611d1ad9a4288cf3e3c16014564df047fe08410e628f89805e475368bd304914 \ + --hash=sha256:be98f628055368795d818ebf93da628541e10b75b41c559fdf36d104c5787066 \ + --hash=sha256:1d609f577dc6e1aa17d746f8bd3c31aa4d258f4070d61b2aa5c4166c1539de35 \ + --hash=sha256:7d91275b0245b1da4d4cfa07e0faedd5b0812efc15b702576d103293e252af1b \ + --hash=sha256:01a9b8ea66f1658938f65b93a85ebe8bc016e6769611be228d797c9d998dd298 \ + --hash=sha256:47ab1e7b91c098ab893b828deafa1203de86d0bc6ab587b160f78fe6c4011f75 \ + --hash=sha256:97383d78eb34da7e1fa37dd273c20ad4320929af65d156e35a5e2d89566d9dfb \ + --hash=sha256:023cb26ec21ece8dc3907c0e8320058b2e0cb3c55cf9564da612bc325bed5e64 \ + --hash=sha256:984d76483eb32f1bcb536dc27e4ad56bba4baa70be32fa87152832cdd9db0833 \ + --hash=sha256:2ef54abee730b502252bcdf31b10dacb0a416229b72c18b19e24a4509f273d26 \ + --hash=sha256:3c112550557578c26af18a1ccc9e090bfe03832ae994343cfdacd287db6a6ae7 \ + --hash=sha256:53edb4da6925ad13c07b6d26c2a852bd81e364f95301c66e930ab2aef5b5ddd8 \ + --hash=sha256:f5653a225f31e113b152e56f154ccbe59eeb1c7487b39b9d9f9cdb58e6c79dc5 \ + --hash=sha256:4efca8f86c54b22348a5467704e3fec767b2db12fc39c6d963168ab1d3fc9135 \ + --hash=sha256:ab3ef638ace319fa26553db0624c4699e31a28bb2a835c5faca8f8acf6a5a902 \ + --hash=sha256:f8ba0e8349a38d3001fae7eadded3f6606f0da5d748ee53cc1dab1d6527b9509 \ + --hash=sha256:10f82115e21dc0dfec9ab5c0223652f7197feb168c940f3ef61563fc2d6beb74 \ + 
--hash=sha256:693ce3f9e70a6cf7d2fb9e6c9d8b204b6b39897a2c4a1aa65728d5ac97dcc1d8 \ + --hash=sha256:594c67807fb16238b30c44bdf74f36c02cdf22d1c8cda91ef8a0ed8dabf5620a # via # -r docs/requirements.txt # jinja2 @@ -161,9 +162,9 @@ sphinx-tabs==3.0.0 \ --hash=sha256:2abbcaaa3b8a857de06f3db31762a7bdd17aba1b8979d000f193debe6f917c2c \ --hash=sha256:3f766762fffacc99828cb877a9e4cb8ac0ba3582f2a054ea68248e5e026e5612 # via -r docs/requirements.txt -sphinx==4.0.1 \ - --hash=sha256:b2566f5f339737a6ef37198c47d56de1f4a746c722bebdb2fe045c34bfd8b9d0 \ - --hash=sha256:cf5104777571b2b7f06fa88ee08fade24563f4a0594cf4bd17d31c47b8740b4c +sphinx==4.0.2 \ + --hash=sha256:d1cb10bee9c4231f1700ec2e24a91be3f3a3aba066ea4ca9f3bbe47e59d5a1d4 \ + --hash=sha256:b5c2ae4120bf00c799ba9b3699bc895816d272d120080fbc967292f29b52b48c # via # -r docs/requirements.txt # sphinx-copybutton From c76f2b25f7573f49db6b1a58033c0b6ed7c0f839 Mon Sep 17 00:00:00 2001 From: Josiah Kiehl Date: Sun, 23 May 2021 13:51:19 -0400 Subject: [PATCH 14/14] Add 3 members to CacheFilter owners list (#16596) @penguingao @mpwarres and myself are actively working on CacheFilter, bringing it up to RFC compliance among other functionality. Signed-off-by: Josiah Kiehl --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 90b5d3a35482c..82b28a9924e74 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -79,7 +79,7 @@ extensions/filters/common/original_src @snowp @klarose # omit_canary_hosts retry predicate /*/extensions/retry/host/omit_canary_hosts @sriduth @snowp # HTTP caching extension -/*/extensions/filters/http/cache @toddmgreer @jmarantz +/*/extensions/filters/http/cache @toddmgreer @jmarantz @penguingao @mpwarres @capoferro # aws_iam grpc credentials /*/extensions/grpc_credentials/aws_iam @lavignes @mattklein123 @tonya11en /*/extensions/common/aws @lavignes @mattklein123 @tonya11en