Adding support on per-route config with following goal: not to do RouteMatch twice. Currently the filter is using RouteMatch to match a request with a specific Jwt requirement. But RouteMatch is also performed at routing, so the RouteMatch is done twice.
If a Jwt requirement can be specified at the per-route config, one of RouteMatch can be eliminated.
1) Add a `requirement_map` to associate a requirement_name with a JwtRequirement in the filter config `JwtAuthentication`.
2) Add per-route-config as followings:
* a requirement_name to specify a JwtRequirement. or
* `disabled` flag to bypass Jwt verification if it is true.
Risk Level: None. Added a new feature, old features are not impacted.
Testing: Added unit-tests and integration tests.
Docs Changes: Yes
Release Notes: Added
Platform Specific Features: None
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ fe74d85d7d916eb975342e8298f2dc76279c1978
Adds support for per resource TTL for both Delta and SOTW xDS. This allows the server to direct Envoy to remove the resources in the case of control plane unavailability.
Signed-off-by: Snow Pettersen <snowp@lyft.com>
Co-authored-by: Bill Gallagher <bgallagher@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ b2b3978afb25c5d2c3ca6b344071b285e8820da1
Adds a configurable timeout for the amount of time a downstream client is allowed to finish the transport-level connect before the connection is forcefully terminated. This can be used to require that a client finishes the TLS handshake in a bounded amount of time.
Signed-off-by: Alex Konradi <akonradi@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 2d0a2f67eccc741f8d093c56b1ed4ea3f1382c06
Add flag protected checks for frame flood and abuse by upstream servers
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6b0f592dd34819fe094de9c6d11695e806bdd1d2
The comment in v3 version was missing the "If specified.." clause from the v2 version of that comment
Risk Level: low
Testing: Ran ./ci/run_envoy_docker.sh './ci/do_ci.sh fix_format'
Docs Changes: comment in a proto file changed
Signed-off-by: Sanjay Pujare <sanjaypujare@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ f8e453fb43d5545730ddc90e10da541154d690b6
Clarify that the server may not resend resources upon stream restart only if it has some way to know that the client is not subscribing to new resources that it wasn't previously subscribed to.
Risk Level: Low
Testing: N/A
Docs Changes: Included in PR
Clarifies text added in #12580.
Signed-off-by: Mark D. Roth <roth@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ adc569c6e9b44a90d703a828ccb7162923e7368e
The use of last_updated was ambiguous (is it when an Envoy contributor
creates a PR, merges a commit, or when the dependency is released?).
We really are after the release date as a measure of how stale the
dependency is.
This patch introduces a tool, tools/dependency/release_dates.py, that
uses the GitHub API to compute release date. If a mismatch is detected, an
error is raised.
This patch also introduces a dependency validation CI job that gathers existing
scripts and the release_dates.py script into a single job.
Signed-off-by: Harvey Tuch <htuch@google.com>
Co-authored-by: Michael Payne <michael@sooper.org>
Mirrored from https://github.com/envoyproxy/envoy @ 91f2bb75a34e1068dcc91de1cafca9dad92feecb
Use abort action as a default if killing is enabled and we're on a supported platform.
Risk Level: low
Testing: unit tests
Docs Changes: Included
Release Notes: Included
See PR #13208 for context as the reason it's part of core envoy and not an extension.
Signed-off-by: Kevin Baichoo <kbaichoo@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 415af040e09a1f6993c15ffc022793d39ecf5e8e
A few changes that wrapup #12673.
* Python/Go dependencies that aren't part of the Envoy binary build
don't make sense to track in repository_locations.bzl, since they
have their own language specific metadata (e.g. requirements.txt)
or are in many cases transitively implied.
* Ensure that the full set of dependencies visible to bazel query
is now validated. This requires that we explicitly call out
transitive dependencies that are implied by direct dependencies
in repository_locations.bzl. A new annotation `implied_untracked_deps`
is used.
Fixes#12673
Risk level: Low
Testing: validate.py.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 499f46a24f59eeb4fc3b28e24f6b9191b009580d
The match all filter chain is chosen when no other filter chain matches
the request.
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ e62c994fac7ba18babfe2742b5595217ae2569c4
Modifies ratelimit filter to be able to use information
from the route's filter metadata as one of its actions
Signed-off-by: András Czigány <andras.czigany@strivacity.com>
Mirrored from https://github.com/envoyproxy/envoy @ 06813b2c42721489470ec94b2bc75a9771d6e403
* dependencies: CVE scanner for repository_locations.bzl metadata.
This is a custom CVE scanner that consumes the NIST CVE database and
heuristically matches against the CPEs, versions and last update stamps
in repository_locations.bzl.
Future PRs will create a CI job that runs this on a periodic basis
(every few hours) to provide a CVE early warning system.
Example output:
Based on heuristic matching with the NIST CVE database, Envoy may be vulnerable to:
CVE ID: CVE-2019-19391
CVSS v3 score: 9.1
Severity: CRITICAL
Published date: 2019-11-29
Last modified date: 2019-12-19
Dependencies: com_github_luajit_luajit
Description: ** DISPUTED ** In LuaJIT through 2.0.5, as used in Moonjit before
2.1.2 and other products, debug.getinfo has a type confusion issue
that leads to arbitrary memory write or read operations, because
certain cases involving valid stack levels and > options are
mishandled. NOTE: The LuaJIT project owner states that the debug
libary is unsafe by definition and that this is not a vulnerability.
When LuaJIT was originally developed, the expectation was that the
entire debug library had no security guarantees and thus it made no
sense to assign CVEs. However, not all users of later LuaJIT
derivatives share this perspective.
Affected CPEs:
- cpe:2.3🅰️moonjit_project:moonjit:*
- cpe:2.3🅰️luajit:luajit:*
Risk level: Low
Testing: cve_scan_test.py unit tests, manual.
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 7d50518ce44aacc702d252eb05eb603c69461834
Signed-off-by: András Czigány <andras.czigany@strivacity.com>
Mirrored from https://github.com/envoyproxy/envoy @ dc3460c247538b8f81d49bd7984f46d142f20ba9
- Refactor code responsible for processing repository location specs, i.e. checking for the presence of fields like last_updated and interpolation of version. The same code is now usable by both API repository_locations.bzl and bazel/repository_locations.bzl.
- Cleanup reference to repo locations in repository_locations.bzl, now using a consistent set of macros.
- Add API dependencies to dependency dashboard.
Risk level: Low
Testing: Docs build.
Part of #12673
Signed-off-by: Harvey Tuch <htuch@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9181790e3ab21b53ec268470202986b9517c3723
Adds a no_traffic_healthy_interval for when a cluster is marked healthy
and we want to use a different interval than no_traffic_interval
Fixes https://github.com/envoyproxy/envoy/issues/13246
Risk level: Low
Testing: Unit test
Signed-off-by: Chuong Vu <chuongv@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 593be2274c3cba09873f162dd1d0c4d1fcf18641
This is a follow up to 2c60632.
This forces all callers to think about multiple header values. There may be places that we want
to support multiple values, but none of them are security critical and this change should be
functionally equivalent to what exists today.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 4d77fc802c3bc1c517e66c54e9c9507ed7ae8d9b
Signed-off-by: John Plevyak <jplevyak@gmail.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 319a9a647f19036d831a75f68350c90e98bfc365
This patch allows to set parent context which carries the current request stream info to a gRPC async client instance.
Risk Level: Low
Testing: Added
Docs Changes: Updated
Release Notes: Added
Fixes#13345
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ e5aa69658c6182dd41b6217ec7f6c4c00cac84b4
The java_outer_classname must not collide with a type defined within a proto
file in order to compile protos to Java. Additionally, this commit
introduces a format check to prevent this from happening again.
Risk Level: low
Testing: none
Docs Changes:none
Release Notes: none
Fixes#13368
Signed-off-by: Spencer Lewis <slewis@squareup.com>
Mirrored from https://github.com/envoyproxy/envoy @ 03f46bbdafae57a510d3a7fd8aa912efb9c71db3
This patch adds a per-route flag to bypass the request body buffering.
Fixes#13285
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 10e5a47fdc9c3120d24b4d3e5383d49ddeca344a
1) Some intro text felt out of date as well as minor changes to
the overall flow.
2) Small fix to extauth docs from recent issue.
3) Remove ambassador/gloo docs. Almost definitely out of date and
don't belong anymore given how many things consume Envoy.
4) Remove TapDS. It was never implemented and would never be
implemented given ECDS.
5) Fix release notes from stable releases.
Signed-off-by: Matt Klein <mklein@lyft.com>
Mirrored from https://github.com/envoyproxy/envoy @ 50e722cbb0486268c128b0f1d0ef76217387799f
Commit Message: Implementing the new stream duration fields, and deprecating the old ones.
This does change the gRPC status code (to the correct code) for prior HCM duration timeouts. It's behind an existing guard but the status code change is not separately guarded.
Risk Level: low - config guarded with the exception of the gRPC status code change.
Testing: new unit tests, updated integration tests
Docs Changes: n/a
Release Notes: deprecation notes include new fields.
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Mirrored from https://github.com/envoyproxy/envoy @ ce8a901c8f9f754a78ca4b3e03f4df120cc1e75b
This patch allows setting an additional prefix for HTTP filter stats. This lets the emitted statistics from configured ext_authz HTTP filters in an HTTP filter chain can be distinguished from each other.
Risk Level: Low
Testing: Added a test on additional prefix.
Docs Changes: Added
Release Notes: Added
Fixes#12666
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 720348b822aed159dc4ec8243fffe95a8775a4cd
Add support for the letting the authorization service tell Envoy which auth related headers to remove once the authorization server is done with them, so that the upstream does not see them.
Signed-off-by: Martin Matusiak <numerodix@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ 228c8ad78433c19b61eeaf9aad1c38ec1f2c75cc
Risk Level: LOW
Testing: Unit and format
Fixes#10535
Signed-off-by: Abhay Narayan Katare <abhay.katare@india.nec.com>
Mirrored from https://github.com/envoyproxy/envoy @ 6321e5d95f7e435625d762ea82316b7a9f7071a4
The CdnLoopFilter implements an HTTP filter that detects and prevents
CDN loops using the RFC 8586 CDN-Loop header. The filter can be
configured with the CDN identifier to look for as well as the number
of times the CDN identifier can be seen before responding with an
error.
Signed-off-by: Justin Mazzola Paluska <justinmp@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ c71ec2729cc3c0708223d303e0f24e3bf9a5d0eb
Add OCSP stapling support with configurable stapling policy. A pre-fetched OCSP response can be configured with its corresponding certificate via the new ocsp_staple field in the TlsCertificate message. The new ocsp_staple_policy field on DownstreamTlsContext determines whether an OCSP response is required and whether to continue using the TLS certificate for new connections once its OCSP response expires. The ocsp_staple_policy defaults to LENIENT_STAPLING, which allows the operator to omit ocsp_staples from the configuration and will only use OCSP responses that are present and valid. This should therefore not break any existing configurations.
Risk Level: Medium - touches some core functionality of certificate selection but does not alter any existing behavior
Testing: added
Docs Changes: Added OCSP Stapling subsection in the SSL section of the architecture overview.
Release Notes: Added
Runtime flags:
envoy.reloadable_features.check_ocsp_policy
envoy.reloadable_features.require_ocsp_response_for_must_staple_certs
Signed-off-by: Daniel Goldstein <danielgold95@gmail.com>
Signed-off-by: Stephan Zuercher <zuercher@gmail.com>
Mirrored from https://github.com/envoyproxy/envoy @ cdd3a837056dc6935c0d8e0fb693d4de89b998e9
This fixes the docs for REQ command operator usage example in LocalReplyConfig and SubstitutionFormatString protos. $REQ(:path)% is an invalid command operator, it should be %REQ(:path)%.
Risk Level: N/A
Testing: N/A
Docs Changes: This is a docs change.
Release Notes: N/A
Signed-off-by: Dhi Aurrahman <dio@tetrate.io>
Mirrored from https://github.com/envoyproxy/envoy @ 130c7c4e271fe306ae4dd747daa5f09ff31aef79
As the CSDS service definition described, it has the potential to be used to expose xDS config from a client or proxy. gRPC wants to utilize this service to improve its debuggability. But the ConfigStatus is designed from the control plane point of view. Especially, the client cannot predict if there is new config on its way, so it can't accurately claim any xDS config status as SYNCED. We need another config status to indicate the status that the client received the status and sent out ACK.
Risk Level: Low
Signed-off-by: Lidi Zheng <lidiz@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 22061a275d5fb53132fd1f104dd53cb533922707