From 371e532aed11b51f045eeb11150c2ac233c8c6bc Mon Sep 17 00:00:00 2001 From: "data-plane-api(Azure Pipelines)" Date: Mon, 23 May 2022 12:52:33 +0000 Subject: [PATCH] quic: upstream sends early data requests (#20167) Commit Message: make HTTP/3 upstream sends 0-RTT (early data) requests if it has cached 0-RTT credentials. Add a config knob in RouteAction to specify which request can be sent over early data, which by default are HTTP safe methods. Risk Level: high, changes to conn pool behavior though should only take effect for h3 pool Testing: added h3 upstream integration tests. Docs Changes: N/A Release Notes: changes to docs/root/version_history/current.rst Platform Specific Features: N/A Runtime guard: envoy.reloadable_features.http3_sends_early_data Fixes #18715, #19542 Signed-off-by: Dan Zhang Signed-off-by: Dan Zhang Mirrored from https://github.com/envoyproxy/envoy @ 8ce13d75a982ddd347db5a333a4bb080922f7514 --- BUILD | 1 + envoy/config/route/v3/route_components.proto | 7 ++++++- envoy/extensions/early_data/v3/BUILD | 9 +++++++++ .../v3/default_early_data_policy.proto | 18 ++++++++++++++++++ versioning/BUILD | 1 + 5 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 envoy/extensions/early_data/v3/BUILD create mode 100644 envoy/extensions/early_data/v3/default_early_data_policy.proto
diff --git a/BUILD b/BUILD
index 1ae2d0e7..a37b3a90 100644
--- a/BUILD
+++ b/BUILD
@@ -138,6 +138,7 @@ proto_library(
 "//envoy/extensions/compression/zstd/compressor/v3:pkg",
 "//envoy/extensions/compression/zstd/decompressor/v3:pkg",
 "//envoy/extensions/config/validators/minimum_clusters/v3:pkg",
+ "//envoy/extensions/early_data/v3:pkg",
 "//envoy/extensions/filters/common/dependency/v3:pkg",
 "//envoy/extensions/filters/common/fault/v3:pkg",
 "//envoy/extensions/filters/common/matcher/action/v3:pkg",
diff --git a/envoy/config/route/v3/route_components.proto b/envoy/config/route/v3/route_components.proto
index b3ec0c59..6a55c4a9 100644
--- a/envoy/config/route/v3/route_components.proto +++ b/envoy/config/route/v3/route_components.proto @@ -656,7 +656,7 @@ message CorsPolicy { core.v3.RuntimeFractionalPercent shadow_enabled = 10; } -// [#next-free-field: 40] +// [#next-free-field: 41] message RouteAction { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction"; @@ -1147,6 +1147,11 @@ message RouteAction { // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. google.protobuf.Duration idle_timeout = 24; + // Specifies how to send request over TLS early data. + // If absent, allows `safe HTTP requests `_ to be sent on early data. + // [#extension-category: envoy.route.early_data_policy] + core.v3.TypedExtensionConfig early_data_policy = 40; + // Indicates that the route has a retry policy. Note that if this is set, // it'll take precedence over the virtual host level retry policy entirely // (e.g.: policies are not merged, most internal one becomes the enforced policy). diff --git a/envoy/extensions/early_data/v3/BUILD b/envoy/extensions/early_data/v3/BUILD new file mode 100644 index 00000000..ee92fb65 --- /dev/null +++ b/envoy/extensions/early_data/v3/BUILD @@ -0,0 +1,9 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"], +) diff --git a/envoy/extensions/early_data/v3/default_early_data_policy.proto b/envoy/extensions/early_data/v3/default_early_data_policy.proto new file mode 100644 index 00000000..0ff42a23 --- /dev/null +++ b/envoy/extensions/early_data/v3/default_early_data_policy.proto 
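Review bot: The new comment on `early_data_policy` (second hunk of route_components.proto) never says that TLS early data can be replayed, yet it documents that leaving the field unset allows safe-method requests to go out as 0-RTT. Operators whose upstream GET/HEAD handlers have side effects need that stated where they configure the route, together with how to turn it off. I would reword the first line to `// Specifies which requests may be sent as TLS early data (0-RTT) to the upstream.` and add `// Early data is not replay-protected; configure a policy that disallows it on routes whose safe-method handlers are not idempotent.` The hunk shows only part of RouteAction, so whether a rejected early-data request is retried after the handshake cannot be seen here; if it is, the comment should mention that as well.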
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package envoy.extensions.early_data.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.early_data.v3";
+option java_outer_classname = "DefaultEarlyDataPolicyProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/early_data/v3;early_datav3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: HTTP request early data policy]
+
+// [#extension: envoy.route.early_data_policy.default]
+// The default rule to allow/disallow a request to be sent as early data. It's an empty config now. Configuring it will disallow any request to be sent over early data.
+message DefaultEarlyDataPolicy {
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index ea4f9152..5f074692 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -75,6 +75,7 @@ proto_library(
 "//envoy/extensions/compression/zstd/compressor/v3:pkg",
 "//envoy/extensions/compression/zstd/decompressor/v3:pkg",
 "//envoy/extensions/config/validators/minimum_clusters/v3:pkg",
+ "//envoy/extensions/early_data/v3:pkg",
 "//envoy/extensions/filters/common/dependency/v3:pkg",
 "//envoy/extensions/filters/common/fault/v3:pkg",
 "//envoy/extensions/filters/common/matcher/action/v3:pkg",
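Review bot: The comment on `DefaultEarlyDataPolicy` says configuring it disallows all early data, while the `early_data_policy` field in RouteAction documents the unset default as allowing safe HTTP requests, so the extension named "default" does the opposite of the default. Someone hardening a route cannot tell from the name that this is the off switch, and someone adding it for explicitness silently loses 0-RTT. The message comment should spell out the contrast, e.g. `// Setting this extension with no fields disables early data on the route; leaving RouteAction.early_data_policy unset allows safe HTTP methods.` "It's an empty config now" also leaves open what an already-deployed empty message will mean once fields are added; the comment should state that the empty form keeps meaning "disallow".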