Merge branch 'main' into util

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>

.github/workflows/codeql-daily.yml

@@ -37,7 +37,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276  # codeql-bundle-v3.25.6
+      uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f  # codeql-bundle-v3.25.7
       # Override language selection by uncommenting this and choosing your languages
       with:
         languages: cpp
@@ -71,4 +71,4 @@ jobs:
         git clean -xdf
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276  # codeql-bundle-v3.25.6
+      uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f  # codeql-bundle-v3.25.7

.github/workflows/codeql-push.yml

@@ -68,7 +68,7 @@ jobs:
 
     - name: Initialize CodeQL
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276  # codeql-bundle-v3.25.6
+      uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f  # codeql-bundle-v3.25.7
       with:
         languages: cpp
 
@@ -112,4 +112,4 @@ jobs:
 
     - name: Perform CodeQL Analysis
       if: ${{ env.BUILD_TARGETS != '' }}
-      uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276  # codeql-bundle-v3.25.6
+      uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f  # codeql-bundle-v3.25.7

.github/workflows/mobile-release.yml

@@ -125,7 +125,7 @@ jobs:
         # `--pinentry-mode=loopback` could be needed to ensure we
         # suppress the gpg prompt
         echo $GPG_KEY | base64 --decode > signing-key
-        gpg --default-key $GPG_DEFAULT_KEY --passphrase $GPG_PASSPHRASE --batch --import signing-key
+        gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
         shred signing-key
 
         gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}.aar

.github/workflows/scorecard.yml

@@ -40,6 +40,6 @@ jobs:
         retention-days: 5
 
     - name: "Upload to code-scanning"
-      uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276  # v3.25.6
+      uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f  # v3.25.7
       with:
         sarif_file: results.sarif

api/BUILD

@@ -300,6 +300,7 @@ proto_library(
         "//envoy/extensions/outlier_detection_monitors/consecutive_errors/v3:pkg",
         "//envoy/extensions/path/match/uri_template/v3:pkg",
         "//envoy/extensions/path/rewrite/uri_template/v3:pkg",
+        "//envoy/extensions/quic/connection_debug_visitor/v3:pkg",
         "//envoy/extensions/quic/connection_id_generator/v3:pkg",
         "//envoy/extensions/quic/crypto_stream/v3:pkg",
         "//envoy/extensions/quic/proof_source/v3:pkg",

api/bazel/repository_locations.bzl

@@ -131,11 +131,11 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "buf",
         project_desc = "A new way of working with Protocol Buffers.",  # Used for breaking change detection in API protobufs
         project_url = "https://buf.build",
-        version = "1.32.1",
-        sha256 = "ca09415a6f0b86d9c38bde25a678dcc31b8e75492e68379e36b6c9ccd1755190",
+        version = "1.32.2",
+        sha256 = "16253b6702dd447ef941b01c9c386a2ab7c8d20bbbc86a5efa5953270f6c9010",
         strip_prefix = "buf",
         urls = ["https://github.com/bufbuild/buf/releases/download/v{version}/buf-Linux-x86_64.tar.gz"],
-        release_date = "2024-05-21",
+        release_date = "2024-05-28",
         use_category = ["api"],
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/buf/blob/v{version}/LICENSE",

api/envoy/config/listener/v3/quic_config.proto

@@ -24,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 11]
+// [#next-free-field: 12]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -81,4 +81,9 @@ message QuicProtocolOptions {
   // Configure the server to send transport parameter `disable_active_migration <https://www.rfc-editor.org/rfc/rfc9000#section-18.2-4.30.1>`_.
   // Defaults to false (do not send this transport parameter).
   google.protobuf.BoolValue send_disable_active_migration = 10;
+
+  // Configure which implementation of ``quic::QuicConnectionDebugVisitor`` to be used for this listener.
+  // If not specified, no debug visitor will be attached to connections.
+  // [#extension-category: envoy.quic.connection_debug_visitor]
+  core.v3.TypedExtensionConfig connection_debug_visitor_config = 11;
 }

api/envoy/extensions/quic/connection_debug_visitor/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+)

api/envoy/extensions/quic/connection_debug_visitor/v3/connection_debug_visitor_basic.proto

@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package envoy.extensions.quic.connection_debug_visitor.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.quic.connection_debug_visitor.v3";
+option java_outer_classname = "ConnectionDebugVisitorBasicProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/connection_debug_visitor/v3;connection_debug_visitorv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: QUIC connection debug visitor basic config]
+// [#extension: envoy.quic.connection_debug_visitor.basic]
+
+// Configuration for a basic QUIC connection debug visitor.
+message BasicConfig {
+}

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -323,7 +323,7 @@ message SubjectAltNameMatcher {
   type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}];
 }
 
-// [#next-free-field: 17]
+// [#next-free-field: 18]
 message CertificateValidationContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.CertificateValidationContext";
@@ -339,6 +339,9 @@ message CertificateValidationContext {
     ACCEPT_UNTRUSTED = 1;
   }
 
+  message SystemRootCerts {
+  }
+
   reserved 4, 5;
 
   reserved "verify_subject_alt_name";
@@ -389,6 +392,12 @@ message CertificateValidationContext {
   CertificateProviderPluginInstance ca_certificate_provider_instance = 13
       [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"];
 
+  // Use system root certs for validation.
+  // If present, system root certs are used only if neither of the ``trusted_ca``
+  // or ``ca_certificate_provider_instance`` fields are set.
+  // [#not-implemented-hide:]
+  SystemRootCerts system_root_certs = 17;
+
   // If specified, updates of a file-based ``trusted_ca`` source will be triggered
   // by this watch. This allows explicit control over the path watched, by
   // default the parent directory of the filesystem path in ``trusted_ca`` is

api/versioning/BUILD

@@ -239,6 +239,7 @@ proto_library(
         "//envoy/extensions/outlier_detection_monitors/consecutive_errors/v3:pkg",
         "//envoy/extensions/path/match/uri_template/v3:pkg",
         "//envoy/extensions/path/rewrite/uri_template/v3:pkg",
+        "//envoy/extensions/quic/connection_debug_visitor/v3:pkg",
         "//envoy/extensions/quic/connection_id_generator/v3:pkg",
         "//envoy/extensions/quic/crypto_stream/v3:pkg",
         "//envoy/extensions/quic/proof_source/v3:pkg",

bazel/repositories_extra.bzl

@@ -9,7 +9,7 @@ def _python_minor_version(python_version):
     return "_".join(python_version.split(".")[:-1])
 
 # Python version for `rules_python`
-PYTHON_VERSION = "3.11.3"
+PYTHON_VERSION = "3.11.9"
 PYTHON_MINOR_VERSION = _python_minor_version(PYTHON_VERSION)
 
 # Envoy deps that rely on a first stage of dependency loading in envoy_dependencies().

bazel/repository_locations.bzl

@@ -148,12 +148,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Aspect Bazel helpers",
         project_desc = "Base Starlark libraries and basic Bazel rules which are useful for constructing rulesets and BUILD files",
         project_url = "https://github.com/aspect-build/bazel-lib",
-        version = "2.7.6",
-        sha256 = "3a702a082560c94c2f1a9b34996a2f1364aeb979641cece34a7868508bae552e",
+        version = "2.7.7",
+        sha256 = "f8ea96b0151bf90b0330662cb02361849c642ebd5bbaeed84b361883b267117d",
         strip_prefix = "bazel-lib-{version}",
         urls = ["https://github.com/aspect-build/bazel-lib/archive/v{version}.tar.gz"],
         use_category = ["build"],
-        release_date = "2024-05-23",
+        release_date = "2024-05-28",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/aspect-build/bazel-lib/blob/v{version}/LICENSE",

changelogs/current.yaml

@@ -118,6 +118,10 @@ bug_fixes:
   change: |
     Handle ``append_action`` from :ref:`external authorization service <envoy_v3_api_msg_service.auth.v3.CheckResponse>`
     that was ignored.
+- area: oauth2
+  change: |
+    Fixed a bug that would cause Envoy to crash when recieving an Oauth callback while the Oauth upstream is unhealthy
+    (e.g. due to DNS issues).
 - area: http
   change: |
     Fix BalsaParser resetting state too early, guarded by default-true
@@ -151,6 +155,9 @@ removed_config_or_runtime:
 - area: router
   change: |
     Removed ``envoy.reloadable_features.copy_response_code_to_downstream_stream_info`` runtime flag and legacy code paths.
+- area: jwt
+  change: |
+    Removed ``envoy.reloadable_features.token_passed_entirely`` runtime flag and legacy code paths.
 
 new_features:
 - area: hot_restart

contrib/generic_proxy/filters/network/source/BUILD

@@ -92,13 +92,25 @@ envoy_cc_library(
         "match.h",
     ],
     deps = [
+        ":match_input_lib",
         "//contrib/generic_proxy/filters/network/source/interface:stream_interface",
         "//source/common/matcher:matcher_lib",
         "@envoy_api//contrib/envoy/extensions/filters/network/generic_proxy/matcher/v3:pkg_cc_proto",
     ],
     alwayslink = 1,
 )
 
+envoy_cc_library(
+    name = "match_input_lib",
+    hdrs = [
+        "match_input.h",
+    ],
+    deps = [
+        "//contrib/generic_proxy/filters/network/source/interface:stream_interface",
+        "//envoy/stream_info:stream_info_interface",
+    ],
+)
+
 envoy_cc_library(
     name = "rds_interface",
     hdrs = ["rds.h"],

contrib/generic_proxy/filters/network/source/access_log.cc

@@ -7,64 +7,46 @@ namespace Extensions {
 namespace NetworkFilters {
 namespace GenericProxy {
 
-class StringValueFormatterProvider : public FormatterProvider {
-public:
-  using ValueExtractor = std::function<absl::optional<std::string>(const FormatterContext&,
-                                                                   const StreamInfo::StreamInfo&)>;
-
-  StringValueFormatterProvider(ValueExtractor f, absl::optional<size_t> max_length = absl::nullopt)
-      : value_extractor_(f), max_length_(max_length) {}
-
-  // FormatterProvider
-  absl::optional<std::string>
-  formatWithContext(const FormatterContext& context,
-                    const StreamInfo::StreamInfo& stream_info) const override {
-    auto optional_str = value_extractor_(context, stream_info);
-    if (!optional_str) {
-      return absl::nullopt;
-    }
-    if (max_length_.has_value()) {
-      if (optional_str->length() > max_length_.value()) {
-        optional_str->resize(max_length_.value());
-      }
+absl::optional<std::string>
+StringValueFormatterProvider::formatWithContext(const FormatterContext& context,
+                                                const StreamInfo::StreamInfo& stream_info) const {
+  auto optional_str = value_extractor_(context, stream_info);
+  if (!optional_str) {
+    return absl::nullopt;
+  }
+  if (max_length_.has_value()) {
+    if (optional_str->length() > max_length_.value()) {
+      optional_str->resize(max_length_.value());
     }
-    return optional_str;
   }
-  ProtobufWkt::Value
-  formatValueWithContext(const FormatterContext& context,
-                         const StreamInfo::StreamInfo& stream_info) const override {
-    return ValueUtil::optionalStringValue(formatWithContext(context, stream_info));
+  return optional_str;
+}
+ProtobufWkt::Value StringValueFormatterProvider::formatValueWithContext(
+    const FormatterContext& context, const StreamInfo::StreamInfo& stream_info) const {
+  return ValueUtil::optionalStringValue(formatWithContext(context, stream_info));
+}
+
+absl::optional<std::string>
+GenericStatusCodeFormatterProvider::formatWithContext(const FormatterContext& context,
+                                                      const StreamInfo::StreamInfo&) const {
+  if (context.response_ == nullptr) {
+    return absl::nullopt;
   }
 
-private:
-  ValueExtractor value_extractor_;
-  absl::optional<size_t> max_length_;
-};
-
-class GenericStatusCodeFormatterProvider : public FormatterProvider {
-public:
-  GenericStatusCodeFormatterProvider() = default;
-
-  // FormatterProvider
-  absl::optional<std::string> formatWithContext(const FormatterContext& context,
-                                                const StreamInfo::StreamInfo&) const override {
-    if (context.response_ == nullptr) {
-      return absl::nullopt;
-    }
+  const int code = context.response_->status().code();
+  return std::to_string(code);
+}
 
-    const int code = context.response_->status().code();
-    return std::to_string(code);
+ProtobufWkt::Value
+GenericStatusCodeFormatterProvider::formatValueWithContext(const FormatterContext& context,
+                                                           const StreamInfo::StreamInfo&) const {
+  if (context.response_ == nullptr) {
+    return ValueUtil::nullValue();
   }
-  ProtobufWkt::Value formatValueWithContext(const FormatterContext& context,
-                                            const StreamInfo::StreamInfo&) const override {
-    if (context.response_ == nullptr) {
-      return ValueUtil::nullValue();
-    }
 
-    const int code = context.response_->status().code();
-    return ValueUtil::numberValue(code);
-  }
-};
+  const int code = context.response_->status().code();
+  return ValueUtil::numberValue(code);
+}
 
 class SimpleCommandParser : public CommandParser {
 public:

contrib/generic_proxy/filters/network/source/access_log.h

@@ -35,6 +35,38 @@ using AccessLogInstanceFactory = AccessLog::AccessLogInstanceFactoryBase<Formatt
 using FileAccessLog = FileAccessLogBase<FormatterContext>;
 using FileAccessLogFactory = FileAccessLogFactoryBase<FormatterContext>;
 
+class StringValueFormatterProvider : public FormatterProvider {
+public:
+  using ValueExtractor = std::function<absl::optional<std::string>(const FormatterContext&,
+                                                                   const StreamInfo::StreamInfo&)>;
+
+  StringValueFormatterProvider(ValueExtractor f, absl::optional<size_t> max_length = absl::nullopt)
+      : value_extractor_(f), max_length_(max_length) {}
+
+  // FormatterProvider
+  absl::optional<std::string>
+  formatWithContext(const FormatterContext& context,
+                    const StreamInfo::StreamInfo& stream_info) const override;
+  ProtobufWkt::Value
+  formatValueWithContext(const FormatterContext& context,
+                         const StreamInfo::StreamInfo& stream_info) const override;
+
+private:
+  ValueExtractor value_extractor_;
+  absl::optional<size_t> max_length_;
+};
+
+class GenericStatusCodeFormatterProvider : public FormatterProvider {
+public:
+  GenericStatusCodeFormatterProvider() = default;
+
+  // FormatterProvider
+  absl::optional<std::string> formatWithContext(const FormatterContext& context,
+                                                const StreamInfo::StreamInfo&) const override;
+  ProtobufWkt::Value formatValueWithContext(const FormatterContext& context,
+                                            const StreamInfo::StreamInfo&) const override;
+};
+
 } // namespace GenericProxy
 } // namespace NetworkFilters
 } // namespace Extensions

contrib/generic_proxy/filters/network/source/interface/BUILD

@@ -65,6 +65,7 @@ envoy_cc_library(
     ],
     deps = [
         ":stream_interface",
+        "//contrib/generic_proxy/filters/network/source:match_input_lib",
         "//envoy/config:typed_metadata_interface",
         "//envoy/event:dispatcher_interface",
         "//envoy/network:connection_interface",
@@ -97,6 +98,7 @@ envoy_cc_library(
         ":filter_interface",
         ":route_interface",
         "//contrib/generic_proxy/filters/network/source:access_log_lib",
+        "//contrib/generic_proxy/filters/network/source:match_input_lib",
         "//envoy/tracing:trace_config_interface",
         "//envoy/tracing:tracer_interface",
     ],

contrib/generic_proxy/filters/network/source/interface/proxy_config.h

@@ -7,6 +7,7 @@
 #include "contrib/generic_proxy/filters/network/source/interface/codec.h"
 #include "contrib/generic_proxy/filters/network/source/interface/filter.h"
 #include "contrib/generic_proxy/filters/network/source/interface/route.h"
+#include "contrib/generic_proxy/filters/network/source/match_input.h"
 #include "contrib/generic_proxy/filters/network/source/stats.h"
 
 namespace Envoy {
@@ -24,7 +25,7 @@ class FilterConfig : public FilterChainFactory {
    * @param request request.
    * @return RouteEntryConstSharedPtr route entry.
    */
-  virtual RouteEntryConstSharedPtr routeEntry(const Request& request) const PURE;
+  virtual RouteEntryConstSharedPtr routeEntry(const MatchInput& request) const PURE;
 
   /**
    * Get codec factory for  decoding/encoding of request/response.