From 7d75b5e8f231c102ee8970e09abb2ed0f59447e9 Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Thu, 2 Dec 2021 04:42:39 +0000
Subject: [PATCH] accesslogs: add CEL-based extension filter (#18363)
This PR establishes the ability to filter access log production via CEL expressions over the set of Envoy attributes. This can simply the creation of Envoy access log filters, allowing complex tailoring.
Risk Level: low
Testing: unit
Docs Changes: included
Release Notes: updated
Signed-off-by: Douglas Reid
Mirrored from https://github.com/envoyproxy/envoy @ 77ca6cc0d9aaf0892aec3e2025fe2ad7cf0c39ff
---
 BUILD | 1 +
 envoy/config/accesslog/v3/accesslog.proto | 1 +
 .../access_loggers/filters/cel/v3/BUILD | 9 +++++++
 .../access_loggers/filters/cel/v3/cel.proto | 26 +++++++++++++++++++
 versioning/BUILD | 1 +
 5 files changed, 38 insertions(+)
 create mode 100644 envoy/extensions/access_loggers/filters/cel/v3/BUILD
 create mode 100644 envoy/extensions/access_loggers/filters/cel/v3/cel.proto
diff --git a/BUILD b/BUILD
index ddd1f98b..b6438a01 100644
--- a/BUILD
+++ b/BUILD
@@ -112,6 +112,7 @@ proto_library(
 "//envoy/data/dns/v3:pkg",
 "//envoy/data/tap/v3:pkg",
 "//envoy/extensions/access_loggers/file/v3:pkg",
+ "//envoy/extensions/access_loggers/filters/cel/v3:pkg",
 "//envoy/extensions/access_loggers/grpc/v3:pkg",
 "//envoy/extensions/access_loggers/open_telemetry/v3:pkg",
 "//envoy/extensions/access_loggers/stream/v3:pkg",
diff --git a/envoy/config/accesslog/v3/accesslog.proto b/envoy/config/accesslog/v3/accesslog.proto
index bb532863..a89a4a70 100644
--- a/envoy/config/accesslog/v3/accesslog.proto
+++ b/envoy/config/accesslog/v3/accesslog.proto
@@ -83,6 +83,7 @@ message AccessLogFilter {
 GrpcStatusFilter grpc_status_filter = 10;
 // Extension filter.
+ // [#extension-category: envoy.access_loggers.extension_filters]
 ExtensionFilter extension_filter = 11;
 // Metadata Filter
diff --git a/envoy/extensions/access_loggers/filters/cel/v3/BUILD b/envoy/extensions/access_loggers/filters/cel/v3/BUILD
new file mode 100644
index 00000000..ee92fb65
--- /dev/null
+++ b/envoy/extensions/access_loggers/filters/cel/v3/BUILD
@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)
diff --git a/envoy/extensions/access_loggers/filters/cel/v3/cel.proto b/envoy/extensions/access_loggers/filters/cel/v3/cel.proto
new file mode 100644
index 00000000..8cb4d8b7
--- /dev/null
+++ b/envoy/extensions/access_loggers/filters/cel/v3/cel.proto
@@ -0,0 +1,26 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.filters.cel.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.filters.cel.v3";
+option java_outer_classname = "CelProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: ExpressionFilter]
+// [#extension: envoy.access_loggers.extension_filters.cel]
+
+// ExpressionFilter is an access logging filter that evaluates configured
+// symbolic Common Expression Language expressions to inform the decision
+// to generate an access log.
+message ExpressionFilter {
+ // Expression that, when evaluated, will be used to filter access logs.
+ // Expressions are based on the set of Envoy :ref:`attributes `.
+ // The provided expression must evaluate to true for logging (expression errors are considered false).
+ // Examples:
+ // - `response.code >= 400`
+ // - `(connection.mtls && request.headers['x-log-mtls'] == 'true') || request.url_path.contains('v1beta3')`
+ string expression = 1;
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index 24195d8d..8be3045e 100644
--- a/versioning/BUILD
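Review bot: The comment on `expression` in cel.proto says evaluation errors count as false, so a mistyped attribute or a lookup that fails at runtime drops the log entry with no visible signal, which matters when access logs feed detection or audit. I would say so in the field comment, e.g. `// An expression that fails to evaluate suppresses the entry; verify filters against known traffic before relying on them.`, and state whether an expression that fails to parse is rejected at configuration load (the implementation is not in this diff, so that needs confirming). The field also has no validation rule, so the schema accepts an empty string; if this package may import `validate/validate.proto`, `string expression = 1 [(validate.rules).string = {min_len: 1}];` would reject it early. The second example keys on a request header, so a short caveat that request-supplied attributes let the peer influence whether an entry is recorded would help readers who copy it.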
+++ b/versioning/BUILD
@@ -49,6 +49,7 @@ proto_library(
 "//envoy/data/dns/v3:pkg",
 "//envoy/data/tap/v3:pkg",
 "//envoy/extensions/access_loggers/file/v3:pkg",
+ "//envoy/extensions/access_loggers/filters/cel/v3:pkg",
 "//envoy/extensions/access_loggers/grpc/v3:pkg",
 "//envoy/extensions/access_loggers/open_telemetry/v3:pkg",
 "//envoy/extensions/access_loggers/stream/v3:pkg",