Merge 457232b into 4c09752

api/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -306,6 +306,9 @@ message ExtAuthz {
   //
   // If this is false the filter will not emit stats, but filter_metadata will still be respected if
   // it has a value.
+  //
+  // Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service.
+  // Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service.
   bool emit_filter_state_stats = 29;
 }
 

changelogs/current.yaml

@@ -216,6 +216,9 @@ new_features:
   change: |
     Added support for :ref:`%UPSTREAM_HOST_NAME_WITHOUT_PORT% <config_access_log_format_upstream_host_name_without_port>`
     for the upstream host identifier without the port value.
+- area: ext_authz
+  change: |
+    added filter state field latency_us, bytesSent and bytesReceived access for CEL and logging.
 
 deprecated:
 - area: rbac

docs/root/configuration/http/http_filters/ext_authz_filter.rst

@@ -202,3 +202,10 @@ The fraction of requests for which the filter is enabled can be configured via t
 Tracing
 -------
 The ext_authz span keeps the sampling status of the parent span, i.e. in the tracing backend we will either see both the parent span and the child ext_authz span, or none of them.
+
+Logging
+-------
+When :ref:`emit_filter_state_stats <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.emit_filter_state_stats>` is set to true,
+ext_authz exposes fields ``latency_us``, ``bytesSent`` and ``bytesReceived`` for usage in CEL and logging.
+* ``filter_state["envoy.filters.http.ext_authz"].latency_us)``
+* ``%FILTER_STATE(envoy.filters.http.ext_authz:FIELD:latency_us)%``

source/extensions/filters/http/ext_authz/ext_authz.h

@@ -74,6 +74,19 @@ class ExtAuthzLoggingInfo : public Envoy::StreamInfo::FilterState::Object {
     upstream_host_ = std::move(upstream_host);
   }
 
+  bool hasFieldSupport() const override { return true; }
+  Envoy::StreamInfo::FilterState::Object::FieldType
+  getField(absl::string_view field_name) const override {
+    if (field_name == "latency_us" && latency_.has_value()) {
+      return int64_t(latency_.value().count());
+    } else if (field_name == "bytesSent" && bytes_sent_.has_value()) {
+      return int64_t(bytes_sent_.value());
+    } else if (field_name == "bytesReceived" && bytes_received_.has_value()) {
+      return int64_t(bytes_received_.value());
+    }
+    return {};
+  }
+
   // For convenience in testing.
   void clearLatency() { latency_ = absl::nullopt; };
   void clearBytesSent() { bytes_sent_ = absl::nullopt; }

test/extensions/filters/http/ext_authz/ext_authz_test.cc

@@ -207,6 +207,63 @@ INSTANTIATE_TEST_SUITE_P(ParameterizedFilterConfig, HttpFilterTestParam,
                          testing::Combine(testing::Bool(), testing::Bool()),
                          HttpFilterTestParam::ParamsToString);
 
+class ExtAuthzLoggingInfoTest
+    : public testing::TestWithParam<
+          std::tuple<std::string /* field_name */, absl::optional<uint64_t> /* value */>> {
+public:
+  ExtAuthzLoggingInfoTest() : logging_info_({}) {}
+
+  void SetUp() override {
+    std::string fieldName = std::get<0>(GetParam());
+    absl::optional<uint64_t> optional = std::get<1>(GetParam());
+    if (optional.has_value()) {
+      if (fieldName == "latency_us") {
+        logging_info_.setLatency(std::chrono::microseconds(optional.value()));
+      }
+      if (fieldName == "bytesSent") {
+        logging_info_.setBytesSent(optional.value());
+      }
+      if (fieldName == "bytesReceived") {
+        logging_info_.setBytesReceived(optional.value());
+      }
+    }
+  }
+
+  void test() {
+    ASSERT_TRUE(logging_info_.hasFieldSupport());
+    absl::optional<uint64_t> optional = std::get<1>(GetParam());
+    if (optional.has_value()) {
+      EXPECT_THAT(logging_info_.getField(std::get<0>(GetParam())),
+                  testing::VariantWith<int64_t>(optional.value()));
+    } else {
+      EXPECT_THAT(logging_info_.getField(std::get<0>(GetParam())),
+                  testing::VariantWith<absl::monostate>(absl::monostate{}));
+    }
+  }
+
+  static std::string ParamsToString(
+      const testing::TestParamInfo<std::tuple<std::string, absl::optional<uint64_t>>>& info) {
+    return absl::StrCat(std::get<1>(info.param).has_value() ? "" : "no_", std::get<0>(info.param),
+                        std::get<1>(info.param).has_value()
+                            ? absl::StrCat("_", std::to_string(std::get<1>(info.param).value()))
+                            : "");
+  }
+
+  ExtAuthzLoggingInfo logging_info_;
+};
+
+INSTANTIATE_TEST_SUITE_P(
+    ExtAuthzLoggingInfoTestValid, ExtAuthzLoggingInfoTest,
+    testing::Combine(testing::Values("latency_us", "bytesSent", "bytesReceived"),
+                     testing::Values(absl::optional<uint64_t>{}, absl::optional<uint64_t>{0},
+                                     absl::optional<uint64_t>{1})),
+    ExtAuthzLoggingInfoTest::ParamsToString);
+
+INSTANTIATE_TEST_SUITE_P(ExtAuthzLoggingInfoTestInvalid, ExtAuthzLoggingInfoTest,
+                         testing::Values(std::make_tuple("wrong_property_name",
+                                                         absl::optional<uint64_t>{})),
+                         ExtAuthzLoggingInfoTest::ParamsToString);
+
 class EmitFilterStateTest
     : public HttpFilterTestBase<testing::TestWithParam<
           std::tuple<bool /*http_client*/, bool /*emit_stats*/, bool /*emit_filter_metadata*/>>> {
@@ -4064,6 +4121,8 @@ TEST_P(EmitFilterStateTest, PreexistingFilterStateSameTypeMutable) {
   test(response);
 }
 
+TEST_P(ExtAuthzLoggingInfoTest, FieldTest) { test(); }
+
 } // namespace
 } // namespace ExtAuthz
 } // namespace HttpFilters