Merge branch 'main' into router

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>

.github/config.yml

@@ -53,11 +53,6 @@ checks:
     on-run:
     - mobile-compile-time-cc
     - mobile-compile-time-options
-  mobile-core:
-    name: Mobile/Core
-    required: true
-    on-run:
-    - mobile-core
   mobile-coverage:
     name: Mobile/Coverage
     required: true
@@ -258,22 +253,6 @@ run:
     - mobile/.bazelrc
     - mobile/**/*
     - tools/code_format/check_format.py
-  mobile-core:
-    paths:
-    - .bazelrc
-    - .bazelversion
-    - .github/config.yml
-    - api/**/*
-    - bazel/external/quiche.BUILD
-    - bazel/repository_locations.bzl
-    - envoy/**/*
-    - mobile/.bazelrc
-    - mobile/**/*
-    - source/**/*
-    - test/config/**/*
-    - test/integration/*
-    - test/mocks/**/*
-    - test/test_common/**/*
   mobile-format:
     paths:
     - .bazelrc

.github/workflows/_precheck_deps.yml

@@ -55,4 +55,4 @@ jobs:
         ref: ${{ fromJSON(inputs.request).request.sha }}
         persist-credentials: false
     - name: Dependency Review
-      uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70  # v4.3.2
+      uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a  # v4.3.3

.github/workflows/codeql-daily.yml

@@ -37,7 +37,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f  # codeql-bundle-v3.25.7
+      uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff  # codeql-bundle-v3.25.8
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -71,4 +71,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f  # codeql-bundle-v3.25.7
+      uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff  # codeql-bundle-v3.25.8

.github/workflows/codeql-push.yml

@@ -68,7 +68,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f  # codeql-bundle-v3.25.7
+      uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff  # codeql-bundle-v3.25.8
       with:
         languages: cpp
 
@@ -112,4 +112,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f  # codeql-bundle-v3.25.7
+      uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff  # codeql-bundle-v3.25.8

.github/workflows/mobile-compile_time_options.yml

@@ -56,6 +56,18 @@ jobs:
             build
             --config=mobile-remote-ci-cc-no-exceptions
             //test/performance:test_binary_size //library/cc/...
+        - name: Running C++ tests with xDS enabled
+          target: cc-tests-xds-enabled
+          args: >-
+            test
+            --config=mobile-remote-ci-cc-xds-enabled
+            //test/common/integration/...
+        - name: Running C++ tests with full protos enabled
+          target: cc-tests-full-protos-enabled
+          args: >-
+            test
+            --config=mobile-remote-ci-cc-full-protos-enabled
+            //test/common/... //test/cc/...
 
   build:
     permissions:

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f  # v3.25.7
+      uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff  # v3.25.8
       with:
         sarif_file: results.sarif

CODEOWNERS

@@ -90,8 +90,8 @@ extensions/filters/common/original_src @klarose @mattklein123
 /*/extensions/filters/http/cache @toddmgreer @jmarantz @penguingao @mpwarres @capoferro
 /*/extensions/http/cache/simple_http_cache @toddmgreer @jmarantz @penguingao @mpwarres @capoferro
 # aws_iam grpc credentials
-/*/extensions/grpc_credentials/aws_iam @suniltheta @lavignes @mattklein123
-/*/extensions/common/aws @suniltheta @lavignes @mattklein123
+/*/extensions/grpc_credentials/aws_iam @suniltheta @mattklein123 @nbaws
+/*/extensions/common/aws @suniltheta @mattklein123 @nbaws
 # adaptive concurrency limit extension.
 /*/extensions/filters/http/adaptive_concurrency @tonya11en @mattklein123
 # admission control extension.
@@ -153,8 +153,8 @@ extensions/filters/common/original_src @klarose @mattklein123
 # support for on-demand VHDS requests
 /*/extensions/filters/http/on_demand @dmitri-d @htuch @kyessenov
 /*/extensions/filters/network/connection_limit @mattklein123 @alyssawilk @delong-coder
-/*/extensions/filters/http/aws_request_signing @derekargueta @suniltheta @mattklein123 @marcomagdy
-/*/extensions/filters/http/aws_lambda @suniltheta @mattklein123 @marcomagdy @lavignes
+/*/extensions/filters/http/aws_request_signing @derekargueta @suniltheta @mattklein123 @marcomagdy @nbaws
+/*/extensions/filters/http/aws_lambda @suniltheta @mattklein123 @marcomagdy @nbaws
 /*/extensions/filters/http/buffer @alyssawilk @mattklein123
 /*/extensions/transport_sockets/raw_buffer @alyssawilk @mattklein123
 # Watchdog Extensions

RELEASES.md

@@ -65,6 +65,7 @@ actual mechanics of the release itself.
 | 2022 Q4 | Can Cecen ([cancecen](https://github.com/cancecen))            | Tony Allen ([tonya11en](https://github.com/tonya11en))                   |
 | 2023 Q3 | Boteng Yao ([botengyao](https://github.com/botengyao))         | Kateryna Nezdolii ([nezdolik](https://github.com/nezdolik))              |
 | 2023 Q4 | Paul Merrison ([pmerrison](https://github.com/pmerrison))      | Brian Sonnenberg ([briansonnenberg](https://github.com/briansonnenberg)) |
+| 2024 Q2 | Ryan Northey ([phlax](https://github.com/phlax))               | Boteng Yao ([botengyao](https://github.com/botengyao))                   |
 
 ## Major release schedule
 
@@ -135,6 +136,7 @@ Security releases are published on a 3-monthly cycle, around the mid point betwe
 
 | Quarter |  Expected  |   Actual   | Difference |
 |:-------:|:----------:|:----------:|:----------:|
-| 2024 Q2 | 2024/06/04 |            |            |
+| 2024 Q2 | 2024/06/04 | 2024/06/04 |   0 days   |
+| 2024 Q3 | 2024/09/03 |
 
 NOTE: Zero-day vulnerabilities, and upstream vulnerabilities disclosed to us under embargo, may necessitate an emergency release with little or no warning.

api/envoy/extensions/access_loggers/open_telemetry/v3/BUILD

@@ -6,6 +6,7 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
+        "//envoy/config/core/v3:pkg",
         "//envoy/extensions/access_loggers/grpc/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",
         "@opentelemetry_proto//:common",

api/envoy/extensions/access_loggers/open_telemetry/v3/logs_service.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.access_loggers.open_telemetry.v3;
 
+import "envoy/config/core/v3/extension.proto";
 import "envoy/extensions/access_loggers/grpc/v3/als.proto";
 
 import "opentelemetry/proto/common/v1/common.proto";
@@ -22,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // populate `opentelemetry.proto.collector.v1.logs.ExportLogsServiceRequest.resource_logs <https://github.com/open-telemetry/opentelemetry-proto/blob/main/opentelemetry/proto/collector/logs/v1/logs_service.proto>`_.
 // In addition, the request start time is set in the dedicated field.
 // [#extension: envoy.access_loggers.open_telemetry]
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message OpenTelemetryAccessLogConfig {
   // [#comment:TODO(itamarkam): add 'filter_state_objects_to_log' to logs.]
   grpc.v3.CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
@@ -51,4 +52,9 @@ message OpenTelemetryAccessLogConfig {
   // ``access_logs.open_telemetry_access_log.``. If non-empty, stats will be rooted at
   // ``access_logs.open_telemetry_access_log.<stat_prefix>.``.
   string stat_prefix = 6;
+
+  // Specifies a collection of Formatter plugins that can be called from the access log configuration.
+  // See the formatters extensions documentation for details.
+  // [#extension-category: envoy.formatter]
+  repeated config.core.v3.TypedExtensionConfig formatters = 7;
 }

api/envoy/extensions/filters/http/ext_authz/v3/BUILD

@@ -7,6 +7,7 @@ licenses(["notice"])  # Apache 2
 api_proto_package(
     deps = [
         "//envoy/annotations:pkg",
+        "//envoy/config/common/mutation_rules/v3:pkg",
         "//envoy/config/core/v3:pkg",
         "//envoy/type/matcher/v3:pkg",
         "//envoy/type/v3:pkg",

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.ext_authz.v3;
 
+import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
@@ -28,10 +29,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 26]
+// [#next-free-field: 27]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
-      "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
+      "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
 
   reserved 4;
 
@@ -261,6 +262,23 @@ message ExtAuthz {
   // It's recommended you set this to true unless you already rely on the old behavior. False is the
   // default only for backwards compatibility.
   bool encode_raw_headers = 23;
+
+  // Rules for what modifications an ext_authz server may make to the request headers before
+  // continuing decoding / forwarding upstream.
+  //
+  // If set to anything, enables header mutation checking against configured rules. Note that
+  // :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
+  // has defaults that change ext_authz behavior. Also note that if this field is set to anything,
+  // ext_authz can no longer append to :-prefixed headers.
+  //
+  // If empty, header mutation rule checking is completely disabled.
+  //
+  // Regardless of what is configured here, ext_authz cannot remove :-prefixed headers.
+  //
+  // This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
+  // correctness checks for all header / query parameter mutations (e.g. for invalid characters).
+  // This field allows the filter to reject mutations to specific headers.
+  config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
 }
 
 // Configuration for buffering the request data.

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -74,7 +74,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 16]
+// [#next-free-field: 17]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -111,6 +111,12 @@ message OAuth2Config {
   // Forward the OAuth token as a Bearer to upstream web service.
   bool forward_bearer_token = 7;
 
+  // If set to true, preserve the existing authorization header.
+  // By default Envoy strips the existing authorization header before forwarding upstream.
+  // Can not be set to true if forward_bearer_token is already set to true.
+  // Default value is false.
+  bool preserve_authorization_header = 16;
+
   // Any request that matches any of the provided matchers will be passed through without OAuth validation.
   repeated config.route.v3.HeaderMatcher pass_through_matcher = 8;
 

api/envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto

@@ -18,6 +18,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // PROXY protocol listener filter.
 // [#extension: envoy.filters.listener.proxy_protocol]
 
+// [#next-free-field: 6]
 message ProxyProtocol {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.listener.proxy_protocol.v2.ProxyProtocol";
@@ -85,4 +86,10 @@ message ProxyProtocol {
   //   and an incoming request matches the V2 signature, the filter will allow the request through without any modification.
   //   The filter treats this request as if it did not have any PROXY protocol information.
   repeated config.core.v3.ProxyProtocolConfig.Version disallowed_versions = 4;
+
+  // The human readable prefix to use when emitting statistics for the filter.
+  // If not configured, statistics will be emitted without the prefix segment.
+  // See the :ref:`filter's statistics documentation <config_listener_filters_proxy_protocol>` for
+  // more information.
+  string stat_prefix = 5;
 }

bazel/BUILD

@@ -351,6 +351,64 @@ selects.config_setting_group(
     ],
 )
 
+selects.config_setting_group(
+    name = "disable_http3_on_linux_ppc",
+    match_all = [
+        ":disable_http3",
+        ":linux_ppc",
+    ],
+)
+
+selects.config_setting_group(
+    name = "disable_http3_on_windows_x86_64",
+    match_all = [
+        ":disable_http3",
+        ":windows_x86_64",
+    ],
+)
+
+bool_flag(
+    name = "enabled",
+    build_setting_default = True,
+    visibility = ["//visibility:private"],
+)
+
+bool_flag(
+    name = "disabled",
+    build_setting_default = False,
+    visibility = ["//visibility:private"],
+)
+
+# Alias equal to "not(":disable_http3")" (if "not()" existed).
+alias(
+    name = "enable_http3_setting",
+    actual = select({
+        ":disable_http3": ":disabled",
+        "//conditions:default": ":enabled",
+    }),
+)
+
+config_setting(
+    name = "enable_http3",
+    flag_values = {":enable_http3_setting": "True"},
+)
+
+selects.config_setting_group(
+    name = "enable_http3_on_linux_ppc",
+    match_all = [
+        ":enable_http3",
+        ":linux_ppc",
+    ],
+)
+
+selects.config_setting_group(
+    name = "enable_http3_on_windows_x86_64",
+    match_all = [
+        ":enable_http3",
+        ":windows_x86_64",
+    ],
+)
+
 config_setting(
     name = "disable_admin_html",
     values = {"define": "admin_html=disabled"},