[wip] v2-api: rate limit (tcp, http), client ssl auth

source/common/config/BUILD

@@ -93,10 +93,13 @@ envoy_cc_library(
         "envoy_filter_http_buffer",
         "envoy_filter_http_fault",
         "envoy_filter_http_health_check",
+        "envoy_filter_http_rate_limit",
         "envoy_filter_http_router",
         "envoy_filter_network_mongo_proxy",
         "envoy_filter_network_redis_proxy",
         "envoy_filter_network_tcp_proxy",
+        "envoy_filter_network_rate_limit",
+	"envoy_filter_network_client_ssl_auth",
     ],
     deps = [
         ":address_json_lib",

source/common/config/filter_json.h

@@ -6,10 +6,13 @@
 #include "api/filter/http/fault.pb.h"
 #include "api/filter/http/health_check.pb.h"
 #include "api/filter/http/router.pb.h"
+#include "api/filter/http/rate_limit.pb.h"
 #include "api/filter/network/http_connection_manager.pb.h"
 #include "api/filter/network/mongo_proxy.pb.h"
 #include "api/filter/network/redis_proxy.pb.h"
 #include "api/filter/network/tcp_proxy.pb.h"
+#include "api/filter/network/rate_limit.pb.h"
+#include "api/filter/network/client_ssl_auth.pb.h"
 
 namespace Envoy {
 namespace Config {
@@ -19,92 +22,120 @@ class FilterJson {
   /**
    * Translate a v1 JSON access log filter object to v2
    * envoy::api::v2::filter::accesslog::AccessLogFilter.
-   * @param json_access_log_filter source v1 JSON access log object.
-   * @param access_log_filter destination v2 envoy::api::v2::filter::accesslog::AccessLog.
+   * @param json_config source v1 JSON access log object.
+   * @param proto_config destination v2 envoy::api::v2::filter::accesslog::AccessLog.
    */
   static void
-  translateAccessLogFilter(const Json::Object& json_access_log_filter,
-                           envoy::api::v2::filter::accesslog::AccessLogFilter& access_log_filter);
+  translateAccessLogFilter(const Json::Object& json_config,
+                           envoy::api::v2::filter::accesslog::AccessLogFilter& proto_config);
 
   /**
    * Translate a v1 JSON access log object to v2 envoy::api::v2::filter::accesslog::AccessLog.
-   * @param json_access_log source v1 JSON access log object.
-   * @param access_log destination v2 envoy::api::v2::filter::accesslog::AccessLog.
+   * @param json_config source v1 JSON access log object.
+   * @param proto_config destination v2 envoy::api::v2::filter::accesslog::AccessLog.
    */
-  static void translateAccessLog(const Json::Object& json_access_log,
-                                 envoy::api::v2::filter::accesslog::AccessLog& access_log);
+  static void translateAccessLog(const Json::Object& json_config,
+                                 envoy::api::v2::filter::accesslog::AccessLog& proto_config);
 
   /**
    * Translate a v1 JSON HTTP connection manager object to v2
    * envoy::api::v2::filter::network::HttpConnectionManager.
-   * @param json_http_connection_manager source v1 JSON HTTP connection manager object.
-   * @param http_connection_manager destination v2
+   * @param json_config source v1 JSON HTTP connection manager object.
+   * @param proto_config destination v2
    * envoy::api::v2::filter::network::HttpConnectionManager.
    */
   static void translateHttpConnectionManager(
-      const Json::Object& json_http_connection_manager,
-      envoy::api::v2::filter::network::HttpConnectionManager& http_connection_manager);
+      const Json::Object& json_config,
+      envoy::api::v2::filter::network::HttpConnectionManager& proto_config);
 
   /**
    * Translate a v1 JSON Redis proxy object to v2 envoy::api::v2::filter::network::RedisProxy.
-   * @param json_redis_proxy source v1 JSON HTTP connection manager object.
-   * @param redis_proxy destination v2
+   * @param json_config source v1 JSON HTTP connection manager object.
+   * @param proto_config destination v2
    * envoy::api::v2::filter::network::RedisProxy.
    */
-  static void translateRedisProxy(const Json::Object& json_redis_proxy,
-                                  envoy::api::v2::filter::network::RedisProxy& redis_proxy);
+  static void translateRedisProxy(const Json::Object& json_config,
+                                  envoy::api::v2::filter::network::RedisProxy& proto_config);
 
   /**
    * Translate a v1 JSON Mongo proxy object to v2 envoy::api::v2::filter::network::MongoProxy.
-   * @param json_mongo_proxy source v1 JSON HTTP connection manager object.
-   * @param mongo_proxy destination v2
+   * @param json_config source v1 JSON HTTP connection manager object.
+   * @param proto_config destination v2
    * envoy::api::v2::filter::network::MongoProxy.
    */
-  static void translateMongoProxy(const Json::Object& json_mongo_proxy,
-                                  envoy::api::v2::filter::network::MongoProxy& mongo_proxy);
+  static void translateMongoProxy(const Json::Object& json_config,
+                                  envoy::api::v2::filter::network::MongoProxy& proto_config);
 
   /**
    * Translate a v1 JSON Fault filter object to v2 envoy::api::v2::filter::http::HTTPFault.
-   * @param json_fault source v1 JSON HTTP Fault Filter object.
-   * @param fault destination v2
+   * @param json_config source v1 JSON HTTP Fault Filter object.
+   * @param proto_config destination v2
    * envoy::api::v2::filter::http::HTTPFault.
    */
-  static void translateFaultFilter(const Json::Object& json_fault,
-                                   envoy::api::v2::filter::http::HTTPFault& fault);
+  static void translateFaultFilter(const Json::Object& json_config,
+                                   envoy::api::v2::filter::http::HTTPFault& proto_config);
 
   /**
    * Translate a v1 JSON Health Check filter object to v2 envoy::api::v2::filter::http::HealthCheck.
-   * @param config source v1 JSON Health Check Filter object.
-   * @param health_check destination v2
+   * @param json_config source v1 JSON Health Check Filter object.
+   * @param proto_config destination v2
    * envoy::api::v2::filter::http::HealthCheck.
    */
-  static void translateHealthCheckFilter(const Json::Object& config,
-                                         envoy::api::v2::filter::http::HealthCheck& health_check);
+  static void translateHealthCheckFilter(const Json::Object& json_config,
+                                         envoy::api::v2::filter::http::HealthCheck& proto_config);
 
-  /*
+  /**
    * Translate a v1 JSON Router object to v2 envoy::api::v2::filter::http::Router.
-   * @param json_router source v1 JSON HTTP router object.
-   * @param router destination v2 envoy::api::v2::filter::http::Router.
+   * @param json_config source v1 JSON HTTP router object.
+   * @param proto_config destination v2 envoy::api::v2::filter::http::Router.
    */
-  static void translateRouter(const Json::Object& json_router,
-                              envoy::api::v2::filter::http::Router& router);
+  static void translateRouter(const Json::Object& json_config,
+                              envoy::api::v2::filter::http::Router& proto_config);
 
   /**
    * Translate a v1 JSON Buffer filter object to v2 envoy::api::v2::filter::http::Buffer.
-   * @param json_buffer source v1 JSON HTTP Buffer Filter object.
-   * @param buffer destination v2
+   * @param json_config source v1 JSON HTTP Buffer Filter object.
+   * @param proto_config destination v2
    * envoy::api::v2::filter::http::Buffer.
    */
-  static void translateBufferFilter(const Json::Object& json_buffer,
-                                    envoy::api::v2::filter::http::Buffer& buffer);
+  static void translateBufferFilter(const Json::Object& json_config,
+                                    envoy::api::v2::filter::http::Buffer& proto_config);
 
   /**
    * Translate a v1 JSON TCP proxy filter object to a v2 envoy::api::v2::filter::network::TcpProxy.
-   * @param json_tcp_proxy source v1 JSON TCP proxy object.
-   * @param tcp_proxy destination v2 envoy::api::v2::filter::network::TcpProxy.
+   * @param json_config source v1 JSON TCP proxy object.
+   * @param proto_config destination v2 envoy::api::v2::filter::network::TcpProxy.
+   */
+  static void translateTcpProxy(const Json::Object& json_config,
+                                envoy::api::v2::filter::network::TcpProxy& proto_config);
+
+  /**
+   * Translate a v1 JSON Tcp Rate Limit filter object to v2
+   * envoy::api::v2::filter::network::RateLimit.
+   * @param json_config source v1 JSON Tcp Rate Limit Filter object.
+   * @param proto_config destination v2 envoy::api::v2::filter::network::RateLimit.
    */
-  static void translateTcpProxy(const Json::Object& json_tcp_proxy,
-                                envoy::api::v2::filter::network::TcpProxy& tcp_proxy);
+  static void translateTcpRateLimitFilter(const Json::Object& json_config,
+                                          envoy::api::v2::filter::network::RateLimit& proto_config);
+
+  /**
+   * Translate a v1 JSON Http Rate Limit filter object to v2
+   * envoy::api::v2::filter::http::RateLimit.
+   * @param json_config source v1 JSON Http Rate Limit Filter object.
+   * @param proto_config destination v2 envoy::api::v2::filter::http::RateLimit.
+   */
+  static void translateHttpRateLimitFilter(const Json::Object& json_config,
+                                           envoy::api::v2::filter::http::RateLimit& proto_config);
+
+  /**
+   * Translate a v1 JSON Client SSL Auth filter object to v2
+   * envoy::api::v2::filter::network::ClientSSLAuth.
+   * @param json_config source v1 JSON Client SSL Auth Filter object.
+   * @param proto_config destination v2 envoy::api::v2::filter::network::ClientSSLAuth.
+   */
+  static void
+  translateClientSslAuthFilter(const Json::Object& json_config,
+                               envoy::api::v2::filter::network::ClientSSLAuth& proto_config);
 };
 
 } // namespace Config

source/common/filter/BUILD

@@ -25,14 +25,13 @@ envoy_cc_library(
     name = "ratelimit_lib",
     srcs = ["ratelimit.cc"],
     hdrs = ["ratelimit.h"],
+    external_deps = ["envoy_filter_network_rate_limit"],
     deps = [
         "//include/envoy/network:connection_interface",
         "//include/envoy/network:filter_interface",
         "//include/envoy/ratelimit:ratelimit_interface",
         "//include/envoy/runtime:runtime_interface",
         "//include/envoy/stats:stats_macros",
-        "//source/common/json:config_schemas_lib",
-        "//source/common/json:json_loader_lib",
         "//source/common/tracing:http_tracer_lib",
     ],
 )

source/common/filter/auth/BUILD

@@ -12,6 +12,7 @@ envoy_cc_library(
     name = "client_ssl_lib",
     srcs = ["client_ssl.cc"],
     hdrs = ["client_ssl.h"],
+    external_deps = ["envoy_filter_network_client_ssl_auth"],
     deps = [
         "//include/envoy/network:connection_interface",
         "//include/envoy/network:filter_interface",

source/common/filter/auth/client_ssl.cc

@@ -11,7 +11,6 @@
 #include "common/http/headers.h"
 #include "common/http/message_impl.h"
 #include "common/http/utility.h"
-#include "common/json/config_schemas.h"
 #include "common/network/utility.h"
 
 #include "fmt/format.h"
@@ -21,15 +20,13 @@ namespace Filter {
 namespace Auth {
 namespace ClientSsl {
 
-Config::Config(const Json::Object& config, ThreadLocal::SlotAllocator& tls,
+Config::Config(const envoy::api::v2::filter::network::ClientSSLAuth& config, ThreadLocal::SlotAllocator& tls,
                Upstream::ClusterManager& cm, Event::Dispatcher& dispatcher, Stats::Scope& scope,
                Runtime::RandomGenerator& random)
-    : RestApiFetcher(cm, config.getString("auth_api_cluster"), dispatcher, random,
-                     std::chrono::milliseconds(config.getInteger("refresh_delay_ms", 60000))),
-      tls_(tls.allocateSlot()), ip_white_list_(config, "ip_white_list"),
-      stats_(generateStats(scope, config.getString("stat_prefix"))) {
-
-  config.validateSchema(Json::Schema::CLIENT_SSL_NETWORK_FILTER_SCHEMA);
+  : RestApiFetcher(cm, config.auth_api_cluster(), dispatcher, random,
+                   std::chrono::milliseconds(PROTOBUF_GET_MS_OR_DEFAULT(config, refresh_delay, 60000))),
+    tls_(tls.allocateSlot()), ip_white_list_(config.ip_white_list()),
+    stats_(generateStats(scope, config.stat_prefix())) {
 
   if (!cm.get(remote_cluster_name_)) {
     throw EnvoyException(
@@ -41,15 +38,16 @@ Config::Config(const Json::Object& config, ThreadLocal::SlotAllocator& tls,
       [empty](Event::Dispatcher&) -> ThreadLocal::ThreadLocalObjectSharedPtr { return empty; });
 }
 
-ConfigSharedPtr Config::create(const Json::Object& config, ThreadLocal::SlotAllocator& tls,
+ConfigSharedPtr Config::create(const envoy::api::v2::filter::network::ClientSSLAuth& config, ThreadLocal::SlotAllocator& tls,
                                Upstream::ClusterManager& cm, Event::Dispatcher& dispatcher,
                                Stats::Scope& scope, Runtime::RandomGenerator& random) {
   ConfigSharedPtr new_config(new Config(config, tls, cm, dispatcher, scope, random));
   new_config->initialize();
   return new_config;
 }
 
-const AllowedPrincipals& Config::allowedPrincipals() { return tls_->getTyped<AllowedPrincipals>(); }
+const AllowedPrincipals& Config::allowedPrincipals() {
+  return tls_->getTyped<AllowedPrincipals>(); }
 
 GlobalStats Config::generateStats(Stats::Scope& scope, const std::string& prefix) {
   std::string final_prefix = fmt::format("auth.clientssl.{}.", prefix);
@@ -73,7 +71,8 @@ void Config::parseResponse(const Http::Message& message) {
   stats_.total_principals_.set(new_principals->size());
 }
 
-void Config::onFetchFailure(const EnvoyException*) { stats_.update_failure_.inc(); }
+void Config::onFetchFailure(const EnvoyException*) {
+  stats_.update_failure_.inc(); }
 
 static const std::string Path = "/v1/certs/list/approved";
 

source/common/filter/auth/client_ssl.h

@@ -12,9 +12,11 @@
 #include "envoy/upstream/cluster_manager.h"
 
 #include "common/http/rest_api_fetcher.h"
-#include "common/json/json_loader.h"
 #include "common/network/cidr_range.h"
 #include "common/network/utility.h"
+#include "common/protobuf/utility.h"
+
+#include "api/filter/network/client_ssl_auth.pb.h"
 
 namespace Envoy {
 namespace Filter {
@@ -73,16 +75,18 @@ typedef std::shared_ptr<Config> ConfigSharedPtr;
  */
 class Config : public Http::RestApiFetcher {
 public:
-  static ConfigSharedPtr create(const Json::Object& config, ThreadLocal::SlotAllocator& tls,
-                                Upstream::ClusterManager& cm, Event::Dispatcher& dispatcher,
-                                Stats::Scope& scope, Runtime::RandomGenerator& random);
+  static ConfigSharedPtr create(const envoy::api::v2::filter::network::ClientSSLAuth& config,
+                                ThreadLocal::SlotAllocator& tls, Upstream::ClusterManager& cm,
+                                Event::Dispatcher& dispatcher, Stats::Scope& scope,
+                                Runtime::RandomGenerator& random);
 
   const AllowedPrincipals& allowedPrincipals();
   const Network::Address::IpList& ipWhiteList() { return ip_white_list_; }
   GlobalStats& stats() { return stats_; }
 
 private:
-  Config(const Json::Object& config, ThreadLocal::SlotAllocator& tls, Upstream::ClusterManager& cm,
+  Config(const envoy::api::v2::filter::network::ClientSSLAuth& config,
+         ThreadLocal::SlotAllocator& tls, Upstream::ClusterManager& cm,
          Event::Dispatcher& dispatcher, Stats::Scope& scope, Runtime::RandomGenerator& random);
 
   static GlobalStats generateStats(Stats::Scope& scope, const std::string& prefix);

source/common/filter/ratelimit.cc

@@ -3,7 +3,6 @@
 #include <cstdint>
 #include <string>
 
-#include "common/json/config_schemas.h"
 #include "common/tracing/http_tracer_impl.h"
 
 #include "fmt/format.h"
@@ -12,16 +11,15 @@ namespace Envoy {
 namespace RateLimit {
 namespace TcpFilter {
 
-Config::Config(const Json::Object& config, Stats::Scope& scope, Runtime::Loader& runtime)
-    : domain_(config.getString("domain")),
-      stats_(generateStats(config.getString("stat_prefix"), scope)), runtime_(runtime) {
+Config::Config(const envoy::api::v2::filter::network::RateLimit& config, Stats::Scope& scope,
+               Runtime::Loader& runtime)
+    : domain_(config.domain()), stats_(generateStats(config.stat_prefix(), scope)),
+      runtime_(runtime) {
 
-  config.validateSchema(Json::Schema::RATELIMIT_NETWORK_FILTER_SCHEMA);
-
-  for (const Json::ObjectSharedPtr& descriptor : config.getObjectArray("descriptors")) {
+  for (const auto& descriptor : config.descriptors()) {
     Descriptor new_descriptor;
-    for (const Json::ObjectSharedPtr& entry : descriptor->asObjectArray()) {
-      new_descriptor.entries_.push_back({entry->getString("key"), entry->getString("value")});
+    for (const auto& entry : descriptor.entries()) {
+      new_descriptor.entries_.push_back({entry.key(), entry.value()});
     }
     descriptors_.push_back(new_descriptor);
   }

source/common/filter/ratelimit.h

@@ -11,7 +11,7 @@
 #include "envoy/runtime/runtime.h"
 #include "envoy/stats/stats_macros.h"
 
-#include "common/json/json_loader.h"
+#include "api/filter/network/rate_limit.pb.h"
 
 namespace Envoy {
 namespace RateLimit {
@@ -42,7 +42,8 @@ struct InstanceStats {
  */
 class Config {
 public:
-  Config(const Json::Object& config, Stats::Scope& scope, Runtime::Loader& runtime);
+  Config(const envoy::api::v2::filter::network::RateLimit& config, Stats::Scope& scope,
+         Runtime::Loader& runtime);
   const std::string& domain() { return domain_; }
   const std::vector<Descriptor>& descriptors() { return descriptors_; }
   Runtime::Loader& runtime() { return runtime_; }

source/common/http/filter/BUILD

@@ -97,6 +97,7 @@ envoy_cc_library(
 envoy_cc_library(
     name = "ratelimit_includes",
     hdrs = ["ratelimit.h"],
+    external_deps = ["envoy_filter_http_rate_limit"],
     deps = [
         "//include/envoy/http:filter_interface",
         "//include/envoy/local_info:local_info_interface",