[Audit Logging] Xds Audit Logger Registry (#32828)

Third-party loggers will be added in subsequent PRs once the logger
factory APIs are available to validate the configs here.

This registry is used in `xds_http_rbac_filter.cc` to generate service
config json.

CMakeLists.txt

@@ -648,6 +648,9 @@ protobuf_generate_grpc_cpp_with_import_path_correction(
 protobuf_generate_grpc_cpp_with_import_path_correction(
   src/proto/grpc/testing/xds/v3/aggregate_cluster.proto src/proto/grpc/testing/xds/v3/aggregate_cluster.proto
 )
+protobuf_generate_grpc_cpp_with_import_path_correction(
+  src/proto/grpc/testing/xds/v3/audit_logger_stream.proto src/proto/grpc/testing/xds/v3/audit_logger_stream.proto
+)
 protobuf_generate_grpc_cpp_with_import_path_correction(
   src/proto/grpc/testing/xds/v3/base.proto src/proto/grpc/testing/xds/v3/base.proto
 )
@@ -1300,6 +1303,7 @@ if(gRPC_BUILD_TESTS)
   if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
     add_dependencies(buildtests_cxx writes_per_rpc_test)
   endif()
+  add_dependencies(buildtests_cxx xds_audit_logger_registry_test)
   add_dependencies(buildtests_cxx xds_bootstrap_test)
   add_dependencies(buildtests_cxx xds_certificate_provider_test)
   add_dependencies(buildtests_cxx xds_client_test)
@@ -1994,6 +1998,7 @@ add_library(grpc
   src/core/ext/xds/certificate_provider_store.cc
   src/core/ext/xds/file_watcher_certificate_provider_factory.cc
   src/core/ext/xds/xds_api.cc
+  src/core/ext/xds/xds_audit_logger_registry.cc
   src/core/ext/xds/xds_bootstrap.cc
   src/core/ext/xds/xds_bootstrap_grpc.cc
   src/core/ext/xds/xds_certificate_provider.cc
@@ -22819,6 +22824,109 @@ endif()
 endif()
 if(gRPC_BUILD_TESTS)
 
+add_executable(xds_audit_logger_registry_test
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/reflection/v1alpha/reflection.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/reflection/v1alpha/reflection.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/reflection/v1alpha/reflection.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/reflection/v1alpha/reflection.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/address.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/address.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/address.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/address.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/audit_logger_stream.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/audit_logger_stream.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/audit_logger_stream.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/audit_logger_stream.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/base.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/base.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/base.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/base.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/expr.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/expr.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/expr.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/expr.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/extension.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/extension.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/extension.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/extension.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/metadata.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/metadata.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/metadata.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/metadata.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/path.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/path.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/path.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/path.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/percent.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/percent.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/percent.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/percent.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/range.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/range.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/range.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/range.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/rbac.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/rbac.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/rbac.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/rbac.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/regex.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/regex.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/regex.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/regex.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/route.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/route.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/route.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/route.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/string.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/string.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/string.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/string.grpc.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/typed_struct.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/typed_struct.grpc.pb.cc
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/typed_struct.pb.h
+  ${_gRPC_PROTO_GENS_DIR}/src/proto/grpc/testing/xds/v3/typed_struct.grpc.pb.h
+  test/core/xds/xds_audit_logger_registry_test.cc
+  test/cpp/util/cli_call.cc
+  test/cpp/util/cli_credentials.cc
+  test/cpp/util/proto_file_parser.cc
+  test/cpp/util/proto_reflection_descriptor_database.cc
+  test/cpp/util/service_describer.cc
+  third_party/googletest/googletest/src/gtest-all.cc
+  third_party/googletest/googlemock/src/gmock-all.cc
+)
+target_compile_features(xds_audit_logger_registry_test PUBLIC cxx_std_14)
+target_include_directories(xds_audit_logger_registry_test
+  PRIVATE
+    ${CMAKE_CURRENT_SOURCE_DIR}
+    ${CMAKE_CURRENT_SOURCE_DIR}/include
+    ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+    ${_gRPC_RE2_INCLUDE_DIR}
+    ${_gRPC_SSL_INCLUDE_DIR}
+    ${_gRPC_UPB_GENERATED_DIR}
+    ${_gRPC_UPB_GRPC_GENERATED_DIR}
+    ${_gRPC_UPB_INCLUDE_DIR}
+    ${_gRPC_XXHASH_INCLUDE_DIR}
+    ${_gRPC_ZLIB_INCLUDE_DIR}
+    third_party/googletest/googletest/include
+    third_party/googletest/googletest
+    third_party/googletest/googlemock/include
+    third_party/googletest/googlemock
+    ${_gRPC_PROTO_GENS_DIR}
+)
+
+target_link_libraries(xds_audit_logger_registry_test
+  ${_gRPC_BASELIB_LIBRARIES}
+  ${_gRPC_PROTOBUF_LIBRARIES}
+  ${_gRPC_ZLIB_LIBRARIES}
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc++
+  grpc_test_util
+)
+
+
+endif()
+if(gRPC_BUILD_TESTS)
+
 add_executable(xds_bootstrap_test
   test/core/xds/xds_bootstrap_test.cc
   third_party/googletest/googletest/src/gtest-all.cc

Makefile

@@ -1382,6 +1382,7 @@ LIBGRPC_SRC = \
     src/core/ext/xds/certificate_provider_store.cc \
     src/core/ext/xds/file_watcher_certificate_provider_factory.cc \
     src/core/ext/xds/xds_api.cc \
+    src/core/ext/xds/xds_audit_logger_registry.cc \
     src/core/ext/xds/xds_bootstrap.cc \
     src/core/ext/xds/xds_bootstrap_grpc.cc \
     src/core/ext/xds/xds_certificate_provider.cc \
@@ -3325,6 +3326,7 @@ src/core/ext/upbdefs-generated/xds/type/v3/typed_struct.upbdefs.c: $(OPENSSL_DEP
 src/core/ext/xds/certificate_provider_store.cc: $(OPENSSL_DEP)
 src/core/ext/xds/file_watcher_certificate_provider_factory.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_api.cc: $(OPENSSL_DEP)
+src/core/ext/xds/xds_audit_logger_registry.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_bootstrap.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_bootstrap_grpc.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_certificate_provider.cc: $(OPENSSL_DEP)

build_autogenerated.yaml

@@ -618,6 +618,7 @@ libs:
   - src/core/ext/xds/file_watcher_certificate_provider_factory.h
   - src/core/ext/xds/upb_utils.h
   - src/core/ext/xds/xds_api.h
+  - src/core/ext/xds/xds_audit_logger_registry.h
   - src/core/ext/xds/xds_bootstrap.h
   - src/core/ext/xds/xds_bootstrap_grpc.h
   - src/core/ext/xds/xds_certificate_provider.h
@@ -1417,6 +1418,7 @@ libs:
   - src/core/ext/xds/certificate_provider_store.cc
   - src/core/ext/xds/file_watcher_certificate_provider_factory.cc
   - src/core/ext/xds/xds_api.cc
+  - src/core/ext/xds/xds_audit_logger_registry.cc
   - src/core/ext/xds/xds_bootstrap.cc
   - src/core/ext/xds/xds_bootstrap_grpc.cc
   - src/core/ext/xds/xds_certificate_provider.cc
@@ -12818,6 +12820,43 @@ targets:
   - linux
   - posix
   - mac
+- name: xds_audit_logger_registry_test
+  gtest: true
+  build: test
+  language: c++
+  headers:
+  - test/cpp/util/cli_call.h
+  - test/cpp/util/cli_credentials.h
+  - test/cpp/util/config_grpc_cli.h
+  - test/cpp/util/proto_file_parser.h
+  - test/cpp/util/proto_reflection_descriptor_database.h
+  - test/cpp/util/service_describer.h
+  src:
+  - src/proto/grpc/reflection/v1alpha/reflection.proto
+  - src/proto/grpc/testing/xds/v3/address.proto
+  - src/proto/grpc/testing/xds/v3/audit_logger_stream.proto
+  - src/proto/grpc/testing/xds/v3/base.proto
+  - src/proto/grpc/testing/xds/v3/expr.proto
+  - src/proto/grpc/testing/xds/v3/extension.proto
+  - src/proto/grpc/testing/xds/v3/metadata.proto
+  - src/proto/grpc/testing/xds/v3/path.proto
+  - src/proto/grpc/testing/xds/v3/percent.proto
+  - src/proto/grpc/testing/xds/v3/range.proto
+  - src/proto/grpc/testing/xds/v3/rbac.proto
+  - src/proto/grpc/testing/xds/v3/regex.proto
+  - src/proto/grpc/testing/xds/v3/route.proto
+  - src/proto/grpc/testing/xds/v3/string.proto
+  - src/proto/grpc/testing/xds/v3/typed_struct.proto
+  - test/core/xds/xds_audit_logger_registry_test.cc
+  - test/cpp/util/cli_call.cc
+  - test/cpp/util/cli_credentials.cc
+  - test/cpp/util/proto_file_parser.cc
+  - test/cpp/util/proto_reflection_descriptor_database.cc
+  - test/cpp/util/service_describer.cc
+  deps:
+  - grpc++
+  - grpc_test_util
+  uses_polling: false
 - name: xds_bootstrap_test
   gtest: true
   build: test

config.m4

@@ -462,6 +462,7 @@ if test "$PHP_GRPC" != "no"; then
     src/core/ext/xds/certificate_provider_store.cc \
     src/core/ext/xds/file_watcher_certificate_provider_factory.cc \
     src/core/ext/xds/xds_api.cc \
+    src/core/ext/xds/xds_audit_logger_registry.cc \
     src/core/ext/xds/xds_bootstrap.cc \
     src/core/ext/xds/xds_bootstrap_grpc.cc \
     src/core/ext/xds/xds_certificate_provider.cc \

config.w32

@@ -427,6 +427,7 @@ if (PHP_GRPC != "no") {
     "src\\core\\ext\\xds\\certificate_provider_store.cc " +
     "src\\core\\ext\\xds\\file_watcher_certificate_provider_factory.cc " +
     "src\\core\\ext\\xds\\xds_api.cc " +
+    "src\\core\\ext\\xds\\xds_audit_logger_registry.cc " +
     "src\\core\\ext\\xds\\xds_bootstrap.cc " +
     "src\\core\\ext\\xds\\xds_bootstrap_grpc.cc " +
     "src\\core\\ext\\xds\\xds_certificate_provider.cc " +

gRPC-C++.podspec

@@ -689,6 +689,7 @@ Pod::Spec.new do |s|
                       'src/core/ext/xds/file_watcher_certificate_provider_factory.h',
                       'src/core/ext/xds/upb_utils.h',
                       'src/core/ext/xds/xds_api.h',
+                      'src/core/ext/xds/xds_audit_logger_registry.h',
                       'src/core/ext/xds/xds_bootstrap.h',
                       'src/core/ext/xds/xds_bootstrap_grpc.h',
                       'src/core/ext/xds/xds_certificate_provider.h',
@@ -1713,6 +1714,7 @@ Pod::Spec.new do |s|
                               'src/core/ext/xds/file_watcher_certificate_provider_factory.h',
                               'src/core/ext/xds/upb_utils.h',
                               'src/core/ext/xds/xds_api.h',
+                              'src/core/ext/xds/xds_audit_logger_registry.h',
                               'src/core/ext/xds/xds_bootstrap.h',
                               'src/core/ext/xds/xds_bootstrap_grpc.h',
                               'src/core/ext/xds/xds_certificate_provider.h',

gRPC-Core.podspec

@@ -1040,6 +1040,8 @@ Pod::Spec.new do |s|
                       'src/core/ext/xds/upb_utils.h',
                       'src/core/ext/xds/xds_api.cc',
                       'src/core/ext/xds/xds_api.h',
+                      'src/core/ext/xds/xds_audit_logger_registry.cc',
+                      'src/core/ext/xds/xds_audit_logger_registry.h',
                       'src/core/ext/xds/xds_bootstrap.cc',
                       'src/core/ext/xds/xds_bootstrap.h',
                       'src/core/ext/xds/xds_bootstrap_grpc.cc',
@@ -2430,6 +2432,7 @@ Pod::Spec.new do |s|
                               'src/core/ext/xds/file_watcher_certificate_provider_factory.h',
                               'src/core/ext/xds/upb_utils.h',
                               'src/core/ext/xds/xds_api.h',
+                              'src/core/ext/xds/xds_audit_logger_registry.h',
                               'src/core/ext/xds/xds_bootstrap.h',
                               'src/core/ext/xds/xds_bootstrap_grpc.h',
                               'src/core/ext/xds/xds_certificate_provider.h',

grpc.gemspec

@@ -946,6 +946,8 @@ Gem::Specification.new do |s|
   s.files += %w( src/core/ext/xds/upb_utils.h )
   s.files += %w( src/core/ext/xds/xds_api.cc )
   s.files += %w( src/core/ext/xds/xds_api.h )
+  s.files += %w( src/core/ext/xds/xds_audit_logger_registry.cc )
+  s.files += %w( src/core/ext/xds/xds_audit_logger_registry.h )
   s.files += %w( src/core/ext/xds/xds_bootstrap.cc )
   s.files += %w( src/core/ext/xds/xds_bootstrap.h )
   s.files += %w( src/core/ext/xds/xds_bootstrap_grpc.cc )

grpc.gyp

@@ -686,6 +686,7 @@
         'src/core/ext/xds/certificate_provider_store.cc',
         'src/core/ext/xds/file_watcher_certificate_provider_factory.cc',
         'src/core/ext/xds/xds_api.cc',
+        'src/core/ext/xds/xds_audit_logger_registry.cc',
         'src/core/ext/xds/xds_bootstrap.cc',
         'src/core/ext/xds/xds_bootstrap_grpc.cc',
         'src/core/ext/xds/xds_certificate_provider.cc',

package.xml

@@ -928,6 +928,8 @@
     <file baseinstalldir="/" name="src/core/ext/xds/upb_utils.h" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/xds_api.cc" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/xds_api.h" role="src" />
+    <file baseinstalldir="/" name="src/core/ext/xds/xds_audit_logger_registry.cc" role="src" />
+    <file baseinstalldir="/" name="src/core/ext/xds/xds_audit_logger_registry.h" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/xds_bootstrap.cc" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/xds_bootstrap.h" role="src" />
     <file baseinstalldir="/" name="src/core/ext/xds/xds_bootstrap_grpc.cc" role="src" />

src/core/BUILD

@@ -3866,6 +3866,7 @@ grpc_cc_library(
     srcs = [
         "ext/xds/certificate_provider_store.cc",
         "ext/xds/file_watcher_certificate_provider_factory.cc",
+        "ext/xds/xds_audit_logger_registry.cc",
         "ext/xds/xds_bootstrap_grpc.cc",
         "ext/xds/xds_certificate_provider.cc",
         "ext/xds/xds_client_grpc.cc",
@@ -3888,6 +3889,7 @@ grpc_cc_library(
     hdrs = [
         "ext/xds/certificate_provider_store.h",
         "ext/xds/file_watcher_certificate_provider_factory.h",
+        "ext/xds/xds_audit_logger_registry.h",
         "ext/xds/xds_bootstrap_grpc.h",
         "ext/xds/xds_certificate_provider.h",
         "ext/xds/xds_client_grpc.h",

src/core/ext/xds/xds_audit_logger_registry.cc

@@ -0,0 +1,106 @@
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/ext/xds/xds_audit_logger_registry.h"
+
+#include <utility>
+
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
+#include "absl/types/variant.h"
+#include "envoy/config/core/v3/extension.upb.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
+
+#include "src/core/ext/xds/xds_common_types.h"
+#include "src/core/lib/gprpp/validation_errors.h"
+#include "src/core/lib/json/json.h"
+
+namespace grpc_core {
+
+namespace {
+
+class StdoutLoggerConfigFactory : public XdsAuditLoggerRegistry::ConfigFactory {
+ public:
+  Json::Object ConvertXdsAuditLoggerConfig(
+      const XdsResourceType::DecodeContext& /*context*/,
+      absl::string_view /*configuration*/,
+      ValidationErrors* /*errors*/) override {
+    return Json::Object{{"stdout_logger", Json::Object()}};
+  }
+
+  absl::string_view type() override { return Type(); }
+
+  static absl::string_view Type() {
+    return "envoy.extensions.rbac.audit_loggers.stream.v3.StdoutAuditLog";
+  }
+};
+
+}  // namespace
+
+XdsAuditLoggerRegistry::XdsAuditLoggerRegistry() {
+  audit_logger_config_factories_.emplace(
+      StdoutLoggerConfigFactory::Type(),
+      std::make_unique<StdoutLoggerConfigFactory>());
+}
+
+Json XdsAuditLoggerRegistry::ConvertXdsAuditLoggerConfig(
+    const XdsResourceType::DecodeContext& context,
+    const envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig*
+        logger_config,
+    ValidationErrors* errors) const {
+  const auto* typed_extension_config =
+      envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig_audit_logger(
+          logger_config);
+  ValidationErrors::ScopedField field(errors, ".audit_logger");
+  if (typed_extension_config == nullptr) {
+    errors->AddError("field not present");
+    return Json();  // A null Json object.
+  } else {
+    ValidationErrors::ScopedField field(errors, ".typed_config");
+    const auto* typed_config =
+        envoy_config_core_v3_TypedExtensionConfig_typed_config(
+            typed_extension_config);
+    auto extension = ExtractXdsExtension(context, typed_config, errors);
+    if (!extension.has_value()) return Json();
+    // Check for registered audit logger type.
+    absl::string_view* serialized_value =
+        absl::get_if<absl::string_view>(&extension->value);
+    if (serialized_value != nullptr) {
+      auto config_factory_it =
+          audit_logger_config_factories_.find(extension->type);
+      if (config_factory_it != audit_logger_config_factories_.end()) {
+        // TODO(lwge): Parse the config with the gRPC audit logger registry.
+        return config_factory_it->second->ConvertXdsAuditLoggerConfig(
+            context, *serialized_value, errors);
+      }
+    }
+    // TODO(lwge): Check for third-party audit logger type. For now, we disallow
+    // it by rejecting TypedStruct entries.
+    if (absl::get_if<Json>(&extension->value) != nullptr) {
+      errors->AddError("third-party audit logger is not supported");
+      return Json();
+    }
+  }
+  // Add validation error only if the config is not marked optional.
+  if (!envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig_is_optional(
+          logger_config)) {
+    errors->AddError("unsupported audit logger type");
+  }
+  return Json();
+}
+}  // namespace grpc_core

src/core/ext/xds/xds_audit_logger_registry.h

@@ -0,0 +1,65 @@
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPC_SRC_CORE_EXT_XDS_XDS_AUDIT_LOGGER_REGISTRY_H
+#define GRPC_SRC_CORE_EXT_XDS_XDS_AUDIT_LOGGER_REGISTRY_H
+
+#include <grpc/support/port_platform.h>
+
+#include <map>
+#include <memory>
+
+#include "absl/strings/string_view.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
+
+#include "src/core/ext/xds/xds_resource_type.h"
+#include "src/core/lib/gprpp/validation_errors.h"
+#include "src/core/lib/json/json.h"
+
+namespace grpc_core {
+
+// A registry that maintains a set of converters that are able to map xDS
+// RBAC audit logger configuration to gRPC's JSON format.
+class XdsAuditLoggerRegistry {
+ public:
+  class ConfigFactory {
+   public:
+    virtual ~ConfigFactory() = default;
+    virtual Json::Object ConvertXdsAuditLoggerConfig(
+        const XdsResourceType::DecodeContext& context,
+        absl::string_view configuration, ValidationErrors* errors) = 0;
+    virtual absl::string_view type() = 0;
+  };
+
+  XdsAuditLoggerRegistry();
+
+  Json ConvertXdsAuditLoggerConfig(
+      const XdsResourceType::DecodeContext& context,
+      const envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig*
+          logger_config,
+      ValidationErrors* errors) const;
+
+ private:
+  // A map of config factories that goes from the type of the audit logging
+  // config to the config factory.
+  std::map<absl::string_view /* Owned by ConfigFactory */,
+           std::unique_ptr<ConfigFactory>>
+      audit_logger_config_factories_;
+};
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_EXT_XDS_XDS_AUDIT_LOGGER_REGISTRY_H

src/core/ext/xds/xds_bootstrap_grpc.h

@@ -30,6 +30,7 @@
 #include "absl/types/optional.h"
 
 #include "src/core/ext/xds/certificate_provider_store.h"
+#include "src/core/ext/xds/xds_audit_logger_registry.h"
 #include "src/core/ext/xds/xds_bootstrap.h"
 #include "src/core/ext/xds/xds_cluster_specifier_plugin.h"
 #include "src/core/ext/xds/xds_http_filters.h"
@@ -161,6 +162,9 @@ class GrpcXdsBootstrap : public XdsBootstrap {
   const XdsLbPolicyRegistry& lb_policy_registry() const {
     return lb_policy_registry_;
   }
+  const XdsAuditLoggerRegistry& audit_logger_registry() const {
+    return audit_logger_registry_;
+  }
 
   // Exposed for testing purposes only.
   const std::map<std::string, GrpcAuthority>& authorities() const {
@@ -177,6 +181,7 @@ class GrpcXdsBootstrap : public XdsBootstrap {
   XdsHttpFilterRegistry http_filter_registry_;
   XdsClusterSpecifierPluginRegistry cluster_specifier_plugin_registry_;
   XdsLbPolicyRegistry lb_policy_registry_;
+  XdsAuditLoggerRegistry audit_logger_registry_;
 };
 
 }  // namespace grpc_core

src/core/ext/xds/xds_http_rbac_filter.cc

@@ -45,6 +45,9 @@
 #include "src/core/ext/filters/rbac/rbac_filter.h"
 #include "src/core/ext/filters/rbac/rbac_service_config_parser.h"
 #include "src/core/ext/xds/upb_utils.h"
+#include "src/core/ext/xds/xds_audit_logger_registry.h"
+#include "src/core/ext/xds/xds_bootstrap_grpc.h"
+#include "src/core/ext/xds/xds_client.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/json/json.h"
 #include "src/core/lib/json/json_writer.h"
@@ -381,7 +384,30 @@ Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
   return policy_json;
 }
 
-Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
+Json ParseAuditLoggerConfigsToJson(
+    const XdsResourceType::DecodeContext& context,
+    const envoy_config_rbac_v3_RBAC_AuditLoggingOptions* audit_logging_options,
+    ValidationErrors* errors) {
+  Json::Array logger_configs_json;
+  size_t size;
+  const auto& registry =
+      static_cast<const GrpcXdsBootstrap&>(context.client->bootstrap())
+          .audit_logger_registry();
+  const envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig* const*
+      logger_configs =
+          envoy_config_rbac_v3_RBAC_AuditLoggingOptions_logger_configs(
+              audit_logging_options, &size);
+  for (size_t i = 0; i < size; ++i) {
+    ValidationErrors::ScopedField field(
+        errors, absl::StrCat(".logger_configs[", i, "]"));
+    logger_configs_json.emplace_back(registry.ConvertXdsAuditLoggerConfig(
+        context, logger_configs[i], errors));
+  }
+  return logger_configs_json;
+}
+
+Json ParseHttpRbacToJson(const XdsResourceType::DecodeContext& context,
+                         const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
                          ValidationErrors* errors) {
   Json::Object rbac_json;
   const auto* rules = envoy_extensions_filters_http_rbac_v3_RBAC_rules(rbac);
@@ -412,6 +438,32 @@ Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
       }
       inner_rbac_json.emplace("policies", std::move(policies_object));
     }
+    // Flatten the nested messages defined in rbac.proto
+    if (envoy_config_rbac_v3_RBAC_has_audit_logging_options(rules)) {
+      ValidationErrors::ScopedField field(errors, ".audit_logging_options");
+      const auto* audit_logging_options =
+          envoy_config_rbac_v3_RBAC_audit_logging_options(rules);
+      int32_t audit_condition =
+          envoy_config_rbac_v3_RBAC_AuditLoggingOptions_audit_condition(
+              audit_logging_options);
+      switch (audit_condition) {
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_NONE:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_DENY:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_ALLOW:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_DENY_AND_ALLOW:
+          inner_rbac_json.emplace("audit_condition", audit_condition);
+          break;
+        default:
+          ValidationErrors::ScopedField field(errors, ".audit_condition");
+          errors->AddError("invalid audit condition");
+      }
+      if (envoy_config_rbac_v3_RBAC_AuditLoggingOptions_has_logger_configs(
+              audit_logging_options)) {
+        inner_rbac_json.emplace("audit_loggers",
+                                ParseAuditLoggerConfigsToJson(
+                                    context, audit_logging_options, errors));
+      }
+    }
     rbac_json.emplace("rules", std::move(inner_rbac_json));
   }
   return rbac_json;
@@ -448,7 +500,8 @@ XdsHttpRbacFilter::GenerateFilterConfig(
     errors->AddError("could not parse HTTP RBAC filter config");
     return absl::nullopt;
   }
-  return FilterConfig{ConfigProtoName(), ParseHttpRbacToJson(rbac, errors)};
+  return FilterConfig{ConfigProtoName(),
+                      ParseHttpRbacToJson(context, rbac, errors)};
 }
 
 absl::optional<XdsHttpFilterImpl::FilterConfig>
@@ -476,7 +529,7 @@ XdsHttpRbacFilter::GenerateFilterConfigOverride(
     rbac_json = Json::Object();
   } else {
     ValidationErrors::ScopedField field(errors, ".rbac");
-    rbac_json = ParseHttpRbacToJson(rbac, errors);
+    rbac_json = ParseHttpRbacToJson(context, rbac, errors);
   }
   return FilterConfig{OverrideConfigProtoName(), std::move(rbac_json)};
 }

src/core/ext/xds/xds_listener.cc

@@ -37,6 +37,7 @@
 #include "envoy/config/listener/v3/listener.upb.h"
 #include "envoy/config/listener/v3/listener.upbdefs.h"
 #include "envoy/config/listener/v3/listener_components.upb.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
 #include "envoy/config/route/v3/route.upb.h"
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h"
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h"

src/proto/grpc/testing/xds/v3/BUILD

@@ -385,6 +385,14 @@ grpc_proto_library(
     ],
 )
 
+# Contains stdout audit logger.
+grpc_proto_library(
+    name = "audit_logger_stream_proto",
+    srcs = [
+        "audit_logger_stream.proto",
+    ],
+)
+
 grpc_proto_library(
     name = "client_side_weighted_round_robin_proto",
     srcs = [

src/proto/grpc/testing/xds/v3/audit_logger_stream.proto

@@ -0,0 +1,30 @@
+// Copyright 2023 The gRPC Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Local copy of Envoy xDS proto file, used for testing only.
+
+syntax = "proto3";
+
+package envoy.extensions.rbac.audit_loggers.stream.v3;
+
+option java_package = "io.envoyproxy.envoy.extensions.rbac.audit_loggers.stream.v3";
+option java_outer_classname = "StreamProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/audit_loggers/stream/v3;streamv3";
+
+// Custom configuration for the RBAC audit logger that writes log entries
+// directly to the operating system's standard output.
+// The logger outputs in JSON format and is currently not configurable.
+message StdoutAuditLog {
+}

src/proto/grpc/testing/xds/v3/rbac.proto

@@ -97,6 +97,45 @@ message RBAC {
     LOG = 2;
   }
 
+  message AuditLoggingOptions {
+    // Deny and allow here refer to RBAC decisions, not actions.
+    enum AuditCondition {
+      // Never audit.
+      NONE = 0;
+
+      // Audit when RBAC denies the request.
+      ON_DENY = 1;
+
+      // Audit when RBAC allows the request.
+      ON_ALLOW = 2;
+
+      // Audit whether RBAC allows or denies the request.
+      ON_DENY_AND_ALLOW = 3;
+    }
+
+    // [#not-implemented-hide:]
+    message AuditLoggerConfig {
+      // Typed logger configuration.
+      //
+      // [#extension-category: envoy.rbac.audit_loggers]
+      core.v3.TypedExtensionConfig audit_logger = 1;
+
+      // If true, when the logger is not supported, the data plane will not NACK but simply ignore it.
+      bool is_optional = 2;
+    }
+
+    // Condition for the audit logging to happen.
+    // If this condition is met, all the audit loggers configured here will be invoked.
+    //
+    // [#not-implemented-hide:]
+    AuditCondition audit_condition = 1;
+
+    // Configurations for RBAC-based authorization audit loggers.
+    //
+    // [#not-implemented-hide:]
+    repeated AuditLoggerConfig logger_configs = 2;
+  }
+
   // The action to take if a policy matches. Every action either allows or denies a request,
   // and can also carry out action-specific operations.
   //
@@ -116,6 +155,12 @@ message RBAC {
   // Maps from policy name to policy. A match occurs when at least one policy matches the request.
   // The policies are evaluated in lexicographic order of the policy name.
   map<string, Policy> policies = 2;
+
+  // Audit logging options that include the condition for audit logging to happen
+  // and audit logger configurations.
+  //
+  // [#not-implemented-hide:]
+  AuditLoggingOptions audit_logging_options = 3;
 }
 
 // Policy specifies a role and the principals that are assigned/denied the role.

src/python/grpcio/grpc_core_dependencies.py

@@ -436,6 +436,7 @@ CORE_SOURCE_FILES = [
     'src/core/ext/xds/certificate_provider_store.cc',
     'src/core/ext/xds/file_watcher_certificate_provider_factory.cc',
     'src/core/ext/xds/xds_api.cc',
+    'src/core/ext/xds/xds_audit_logger_registry.cc',
     'src/core/ext/xds/xds_bootstrap.cc',
     'src/core/ext/xds/xds_bootstrap_grpc.cc',
     'src/core/ext/xds/xds_certificate_provider.cc',

test/core/xds/BUILD

@@ -127,6 +127,24 @@ grpc_cc_test(
     ],
 )
 
+grpc_cc_test(
+    name = "xds_audit_logger_registry_test",
+    srcs = ["xds_audit_logger_registry_test.cc"],
+    external_deps = ["gtest"],
+    language = "C++",
+    uses_event_engine = False,
+    uses_polling = False,
+    deps = [
+        "//:gpr",
+        "//:grpc",
+        "//src/proto/grpc/testing/xds/v3:audit_logger_stream_proto",
+        "//src/proto/grpc/testing/xds/v3:rbac_proto",
+        "//src/proto/grpc/testing/xds/v3:typed_struct_proto",
+        "//test/core/util:grpc_test_util",
+        "//test/cpp/util:grpc_cli_utils",
+    ],
+)
+
 grpc_cc_library(
     name = "xds_transport_fake",
     testonly = True,

test/core/xds/xds_audit_logger_registry_test.cc

@@ -0,0 +1,160 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include "src/core/ext/xds/xds_audit_logger_registry.h"
+
+#include <string>
+
+#include <google/protobuf/any.pb.h>
+
+#include "absl/status/status.h"
+#include "absl/status/statusor.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
+#include "gtest/gtest.h"
+#include "upb/reflection/def.hpp"
+#include "upb/upb.hpp"
+
+#include <grpc/grpc.h>
+
+#include "src/core/ext/xds/xds_bootstrap_grpc.h"
+#include "src/core/lib/json/json_writer.h"
+#include "src/proto/grpc/testing/xds/v3/audit_logger_stream.pb.h"
+#include "src/proto/grpc/testing/xds/v3/extension.pb.h"
+#include "src/proto/grpc/testing/xds/v3/rbac.pb.h"
+#include "src/proto/grpc/testing/xds/v3/typed_struct.pb.h"
+#include "test/core/util/test_config.h"
+
+namespace grpc_core {
+namespace testing {
+namespace {
+
+using AuditLoggerConfigProto =
+    ::envoy::config::rbac::v3::RBAC::AuditLoggingOptions::AuditLoggerConfig;
+using ::envoy::extensions::rbac::audit_loggers::stream::v3::StdoutAuditLog;
+using ::xds::type::v3::TypedStruct;
+
+absl::StatusOr<std::string> ConvertAuditLoggerConfig(
+    const AuditLoggerConfigProto& config) {
+  std::string serialized_config = config.SerializeAsString();
+  upb::Arena arena;
+  upb::SymbolTable symtab;
+  XdsResourceType::DecodeContext context = {nullptr,
+                                            GrpcXdsBootstrap::GrpcXdsServer(),
+                                            nullptr, symtab.ptr(), arena.ptr()};
+  auto* upb_config =
+      envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig_parse(
+          serialized_config.data(), serialized_config.size(), arena.ptr());
+  ValidationErrors errors;
+  auto config_json = XdsAuditLoggerRegistry().ConvertXdsAuditLoggerConfig(
+      context, upb_config, &errors);
+  if (!errors.ok()) {
+    return errors.status(absl::StatusCode::kInvalidArgument,
+                         "validation errors");
+  }
+  return JsonDump(config_json);
+}
+
+//
+// StdoutLoggerTest
+//
+
+TEST(StdoutLoggerTest, Basic) {
+  AuditLoggerConfigProto config;
+  config.mutable_audit_logger()->mutable_typed_config()->PackFrom(
+      StdoutAuditLog());
+  auto result = ConvertAuditLoggerConfig(config);
+  ASSERT_TRUE(result.ok()) << result.status();
+  EXPECT_EQ(*result, "{\"stdout_logger\":{}}");
+}
+
+//
+// ThirdPartyLoggerTest
+//
+
+TEST(XdsAuditLoggerRegistryTest, ThirdPartyLogger) {
+  AuditLoggerConfigProto config;
+  TypedStruct logger;
+  logger.set_type_url("myorg/foo/bar/test.UnknownAuditLogger");
+  config.mutable_audit_logger()->mutable_typed_config()->PackFrom(logger);
+  auto result = ConvertAuditLoggerConfig(config);
+  EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument);
+  EXPECT_EQ(result.status().message(),
+            "validation errors: "
+            "[field:audit_logger.typed_config.value"
+            "[xds.type.v3.TypedStruct].value[test.UnknownAuditLogger] "
+            "error:third-party audit logger is not supported]")
+      << result.status();
+}
+
+//
+// XdsAuditLoggerRegistryTest
+//
+
+TEST(XdsAuditLoggerRegistryTest, EmptyAuditLoggerConfig) {
+  auto result = ConvertAuditLoggerConfig(AuditLoggerConfigProto());
+  EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument);
+  EXPECT_EQ(result.status().message(),
+            "validation errors: [field:audit_logger error:field not present]")
+      << result.status();
+}
+
+TEST(XdsAuditLoggerRegistryTest, MissingTypedConfig) {
+  AuditLoggerConfigProto config;
+  config.mutable_audit_logger();
+  auto result = ConvertAuditLoggerConfig(config);
+  EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument);
+  EXPECT_EQ(result.status().message(),
+            "validation errors: [field:audit_logger.typed_config error:field "
+            "not present]")
+      << result.status();
+}
+
+TEST(XdsAuditLoggerRegistryTest, NoSupportedType) {
+  AuditLoggerConfigProto config;
+  config.mutable_audit_logger()->mutable_typed_config()->PackFrom(
+      AuditLoggerConfigProto());
+  auto result = ConvertAuditLoggerConfig(config);
+  EXPECT_EQ(result.status().code(), absl::StatusCode::kInvalidArgument);
+  EXPECT_EQ(result.status().message(),
+            "validation errors: [field:audit_logger error:unsupported audit "
+            "logger type]")
+      << result.status();
+}
+
+TEST(XdsAuditLoggerRegistryTest, NoSupportedTypeButIsOptional) {
+  AuditLoggerConfigProto config;
+  config.mutable_audit_logger()->mutable_typed_config()->PackFrom(
+      AuditLoggerConfigProto());
+  config.set_is_optional(true);
+  auto result = ConvertAuditLoggerConfig(config);
+  EXPECT_EQ(result.status().code(), absl::StatusCode::kOk);
+  EXPECT_EQ(*result, "null");
+}
+
+}  // namespace
+}  // namespace testing
+}  // namespace grpc_core
+
+int main(int argc, char** argv) {
+  ::testing::InitGoogleTest(&argc, argv);
+  grpc::testing::TestEnvironment env(&argc, argv);
+  grpc_init();
+  auto result = RUN_ALL_TESTS();
+  grpc_shutdown();
+  return result;
+}

test/core/xds/xds_http_filters_test.cc

@@ -19,6 +19,7 @@
 #include <stdint.h>
 
 #include <algorithm>
+#include <initializer_list>
 #include <string>
 #include <utility>
 #include <vector>
@@ -28,6 +29,7 @@
 #include <google/protobuf/wrappers.pb.h>
 
 #include "absl/status/status.h"
+#include "absl/strings/str_format.h"
 #include "absl/strings/strip.h"
 #include "absl/types/variant.h"
 #include "gtest/gtest.h"
@@ -46,7 +48,11 @@
 #include "src/core/ext/filters/stateful_session/stateful_session_filter.h"
 #include "src/core/ext/filters/stateful_session/stateful_session_service_config_parser.h"
 #include "src/core/ext/xds/xds_bootstrap_grpc.h"
+#include "src/core/ext/xds/xds_client.h"
+#include "src/core/lib/gprpp/crash.h"
 #include "src/core/lib/gprpp/env.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/json/json_writer.h"
 #include "src/proto/grpc/testing/xds/v3/address.pb.h"
 #include "src/proto/grpc/testing/xds/v3/cookie.pb.h"
@@ -91,8 +97,32 @@ using ::envoy::extensions::http::stateful_session::cookie::v3 ::
 class XdsHttpFilterTest : public ::testing::Test {
  protected:
   XdsHttpFilterTest()
-      : decode_context_{nullptr, xds_server_, nullptr, upb_def_pool_.ptr(),
-                        upb_arena_.ptr()} {}
+      : xds_client_(MakeXdsClient()),
+        decode_context_{xds_client_.get(), xds_server_, nullptr,
+                        upb_def_pool_.ptr(), upb_arena_.ptr()} {}
+
+  static RefCountedPtr<XdsClient> MakeXdsClient() {
+    grpc_error_handle error;
+    auto bootstrap = GrpcXdsBootstrap::Create(
+        "{\n"
+        "  \"xds_servers\": [\n"
+        "    {\n"
+        "      \"server_uri\": \"xds.example.com\",\n"
+        "      \"channel_creds\": [\n"
+        "        {\"type\": \"google_default\"}\n"
+        "      ]\n"
+        "    }\n"
+        "  ]\n"
+        "}");
+    if (!bootstrap.ok()) {
+      Crash(absl::StrFormat("Error parsing bootstrap: %s",
+                            bootstrap.status().ToString().c_str()));
+    }
+    return MakeRefCounted<XdsClient>(std::move(*bootstrap),
+                                     /*transport_factory=*/nullptr,
+                                     /*event_engine=*/nullptr, "foo agent",
+                                     "foo version");
+  }
 
   XdsExtension MakeXdsExtension(const grpc::protobuf::Message& message) {
     google::protobuf::Any any;
@@ -115,6 +145,7 @@ class XdsHttpFilterTest : public ::testing::Test {
   }
 
   GrpcXdsBootstrap::GrpcXdsServer xds_server_;
+  RefCountedPtr<XdsClient> xds_client_;
   upb::DefPool upb_def_pool_;
   upb::Arena upb_arena_;
   XdsResourceType::DecodeContext decode_context_;
@@ -849,6 +880,79 @@ TEST_P(XdsRbacFilterConfigTest, AllPrincipalTypes) {
             "}}}}");
 }
 
+TEST_P(XdsRbacFilterConfigTest, AuditLoggingOptions) {
+  RBAC rbac;
+  auto* rules = rbac.mutable_rules();
+  rules->set_action(rules->ALLOW);
+  auto* logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(
+      envoy::config::rbac::v3::RBAC_AuditLoggingOptions_AuditCondition_ON_DENY);
+  envoy::config::rbac::v3::RBAC_AuditLoggingOptions::AuditLoggerConfig
+      logger_config;
+  auto* audit_logger = logger_config.mutable_audit_logger();
+  audit_logger->mutable_typed_config()->set_type_url(
+      "/envoy.extensions.rbac.audit_loggers.stream.v3.StdoutAuditLog");
+  *logging_options->add_logger_configs() = logger_config;
+  auto config = GenerateConfig(rbac);
+  ASSERT_TRUE(errors_.ok()) << errors_.status(
+      absl::StatusCode::kInvalidArgument, "unexpected errors");
+  ASSERT_TRUE(config.has_value());
+  EXPECT_EQ(config->config_proto_type_name,
+            GetParam() ? filter_->OverrideConfigProtoName()
+                       : filter_->ConfigProtoName());
+  EXPECT_EQ(JsonDump(config->config),
+            "{\"rules\":{\"action\":0,"
+            "\"audit_condition\":1,"
+            "\"audit_loggers\":[{\"stdout_logger\":{}}]"
+            "}}");
+}
+
+TEST_P(XdsRbacFilterConfigTest, InvalidAuditCondition) {
+  RBAC rbac;
+  auto* rules = rbac.mutable_rules();
+  rules->set_action(rules->ALLOW);
+  auto* logging_options = rules->mutable_audit_logging_options();
+  logging_options->set_audit_condition(
+      static_cast<
+          envoy::config::rbac::v3::RBAC_AuditLoggingOptions_AuditCondition>(
+          100));
+  auto config = GenerateConfig(rbac);
+  absl::Status status = errors_.status(absl::StatusCode::kInvalidArgument,
+                                       "errors validating filter config");
+  EXPECT_EQ(status.code(), absl::StatusCode::kInvalidArgument);
+  EXPECT_EQ(status.message(),
+            absl::StrCat("errors validating filter config: ["
+                         "field:",
+                         FieldPrefix(),
+                         ".rules.audit_logging_options.audit_condition "
+                         "error:invalid audit condition]"))
+      << status;
+}
+
+TEST_P(XdsRbacFilterConfigTest, InvalidAuditLoggerConfig) {
+  RBAC rbac;
+  auto* rules = rbac.mutable_rules();
+  rules->set_action(rules->ALLOW);
+  auto* logging_options = rules->mutable_audit_logging_options();
+  envoy::config::rbac::v3::RBAC_AuditLoggingOptions::AuditLoggerConfig
+      logger_config;
+  auto* audit_logger = logger_config.mutable_audit_logger();
+  audit_logger->mutable_typed_config()->set_type_url("/foo_logger");
+  *logging_options->add_logger_configs() = logger_config;
+  auto config = GenerateConfig(rbac);
+  absl::Status status = errors_.status(absl::StatusCode::kInvalidArgument,
+                                       "errors validating filter config");
+  EXPECT_EQ(status.code(), absl::StatusCode::kInvalidArgument);
+  EXPECT_EQ(status.message(),
+            absl::StrCat(
+                "errors validating filter config: ["
+                "field:",
+                FieldPrefix(),
+                ".rules.audit_logging_options.logger_configs[0].audit_logger "
+                "error:unsupported audit logger type]"))
+      << status;
+}
+
 TEST_P(XdsRbacFilterConfigTest, InvalidFieldsInPolicy) {
   RBAC rbac;
   auto* rules = rbac.mutable_rules();

tools/doxygen/Doxyfile.c++.internal

@@ -1941,6 +1941,8 @@ src/core/ext/xds/file_watcher_certificate_provider_factory.h \
 src/core/ext/xds/upb_utils.h \
 src/core/ext/xds/xds_api.cc \
 src/core/ext/xds/xds_api.h \
+src/core/ext/xds/xds_audit_logger_registry.cc \
+src/core/ext/xds/xds_audit_logger_registry.h \
 src/core/ext/xds/xds_bootstrap.cc \
 src/core/ext/xds/xds_bootstrap.h \
 src/core/ext/xds/xds_bootstrap_grpc.cc \

tools/doxygen/Doxyfile.core.internal

@@ -1718,6 +1718,8 @@ src/core/ext/xds/file_watcher_certificate_provider_factory.h \
 src/core/ext/xds/upb_utils.h \
 src/core/ext/xds/xds_api.cc \
 src/core/ext/xds/xds_api.h \
+src/core/ext/xds/xds_audit_logger_registry.cc \
+src/core/ext/xds/xds_audit_logger_registry.h \
 src/core/ext/xds/xds_bootstrap.cc \
 src/core/ext/xds/xds_bootstrap.h \
 src/core/ext/xds/xds_bootstrap_grpc.cc \

tools/run_tests/generated/tests.json

@@ -8639,6 +8639,30 @@
     ],
     "uses_polling": true
   },
+  {
+    "args": [],
+    "benchmark": false,
+    "ci_platforms": [
+      "linux",
+      "mac",
+      "posix",
+      "windows"
+    ],
+    "cpu_cost": 1.0,
+    "exclude_configs": [],
+    "exclude_iomgrs": [],
+    "flaky": false,
+    "gtest": true,
+    "language": "c++",
+    "name": "xds_audit_logger_registry_test",
+    "platforms": [
+      "linux",
+      "mac",
+      "posix",
+      "windows"
+    ],
+    "uses_polling": false
+  },
   {
     "args": [],
     "benchmark": false,