Include What You Use fix for source/common/protobuf/message_validator_impl.h.

Signed-off-by: Andres Guedez <[email protected]>

Signed-off-by: Yuchen Dai <[email protected]>

Route config need deep validation for virtual host duplication check, regex check, per filter config validation etc, which PGV wasn't enough.

Risk Level: Low
Testing: regression test
Docs Changes: N/A
Release Notes: N/A

Fixes #7939

Signed-off-by: Lizan Zhou <[email protected]>

…n O(1… (#7979)

Signed-off-by: Xin Zhuang <[email protected]>

…7984)

Signed-off-by: Henry Yang <[email protected]>

Since binary proto won't have field names, report at least the field
numbers, as per
https://developers.google.com/protocol-buffers/docs/reference/cpp/google.protobuf.unknown_field_set#UnknownField.

Also fix minor typo encountered while doing this work.

Risk level: Low
Testing: Unit tests added/updated.

Fixes #7937

Signed-off-by: Harvey Tuch <[email protected]>

Signed-off-by: Manish Kumar <[email protected]>

…e command-line. (#7882)

* Add option to switch between fake and real symbol-tables on the command-line.

Signed-off-by: Joshua Marantz <[email protected]>

Some BUILD files are missing build rules to generate go protos. envoyproxy/go-control-plane depends on these protos, so they should be exposed publicly. Added build rules to generate *.pb.go files.

Risk Level: Low
Testing: These rules were copied to google3 and tested internally. Unfortunately, I am having a bit of trouble with bazel build directly on these targets ("Package is considered deleted due to --deleted_packages"). Please let me know if there is a better way to test this change.

Signed-off-by: Teju Nareddy <[email protected]>

Xcode 11 requires at least macOS 10.15 (upcoming) in order to use
either <experimental/filesystem> or C++17 <filesystem>.

Signed-off-by: Piotr Sikora <[email protected]>

…#7920)

Precursor to #7782
Adding scope tracking functionality to the basic alarm functions.

Risk Level: Medium (should be a no-op but is a large enough refactor)
Testing: new unit tests
Docs Changes: n/a
Release Notes: n/a

Signed-off-by: Alyssa Wilk <[email protected]>

Adds support for DNS SAN in ext authz peer validation

Risk Level: Low
Testing: Added
Docs Changes: Added
Release Notes: N/A

Signed-off-by: Rama Chavali <[email protected]>

Description:
File access log shouldn't need read access for a file.

Risk Level: Low
Testing: local in mac, CI
Docs Changes:
Release Notes:
Fixes #7997

Signed-off-by: Lizan Zhou <[email protected]>

…on. (#8002)

This is part of #7980; basically, we want to leverage the recursive pass
that already exists for the deprecated check. This PR does not implement
the recursive behavior yet for unknown fields though, because there is a
ton of churn, so this PR just has the mechanical bits. We switch
plumbing of validation visitor into places such as anyConvert() and
instead pass this to MessageUtil::validate.

There are a bunch of future followups planned in additional PRs:
* Combine the recursive pass for unknown/deprecated check in
  MessageUtil::validate().
* Add mitigation for #5965 by copying to a temporary before recursive
  expansion.
* [Future] consider moving deprecated reporting into a message
  validation visitor handler.

Risk level: Low
Testing: Some new //test/common/protobuf::utility_test unit test.

Signed-off-by: Harvey Tuch <[email protected]>

Trusting the x-forwarded-proto header from trusted proxies.
If Envoy is operating as an edge proxy but has a trusted hop in front, the trusted proxy should be allowed to set x-forwarded-proto and its x-forwarded-proto should be preserved.
Guarded by envoy.reloadable_features.trusted_forwarded_proto, default on.

Risk Level: Medium (L7 header changes) but guarded
Testing: new unit tests
Docs Changes: n/a
Release Notes: inline
Fixes #4496

Signed-off-by: Alyssa Wilk <[email protected]>

…7962)

Adding a build option to default all deprecated protos off, and using it on the debug build.

Risk Level: Low
Testing: new UT
Docs Changes: inline
Release Notes: n/a
Fixes #7548

Signed-off-by: Alyssa Wilk <[email protected]>

Add a parallel native.cc_library to envoy_cc_library
for external projects that consume Envoy's libraries. This allows the consuming
project to disambiguate overlapping include paths when repository overlaying is used,
as it can now include envoy headers via external/envoy/...

Risk Level: Low
Testing: N/A

Signed-off-by: Otto van der Schaaf <[email protected]>

Builds fuzz targets with asan+libfuzzer and runs them against their corpora. Our native bazel builds work, this PR integrates the asan+libfuzzer builds in to CI. The fuzz target binaries will be in your envoy docker build directory.

Invoke with the following for all fuzz targets, or a specified one.
./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.fuzz'
./ci/run_envoy_docker.sh './ci/do_ci.sh bazel.fuzz //test/common/common:utility_fuzz_test'

Risk level: low
Signed-off-by: Asra Ali [email protected]

Signed-off-by: Asra Ali <[email protected]>

This PR adds BoringSSL private key API abstraction, as discussed in #6248. All comments and discussion is welcomed to get the API sufficient for most private key API tasks.

The PR contains the proposed API and the way how it can be used from ssl_socket.h. Also there is some code showing how the PrivateKeyMethodProvider is coming from TLS certificate config. Two example private key method providers are included in the tests.

Description: tls: support BoringSSL private key async functionality
Risk Level: medium
Testing: two basic private key provider implementation
Docs Changes: TLS arch doc, cert.proto doc

Signed-off-by: Ismo Puustinen <[email protected]>

stats: use SymbolTableCreator rather than fakes in a few stray places. (#8006)

Signed-off-by: Joshua Marantz <[email protected]>

This PR contains changes on the xRDS side for SRDS impl, cribbed from http://go/gh/stevenzzzz/pull/8/files#diff-2071ab0887162eac1fd177e89d83175a

* Add onConfigUpdate impl for SRDS subscription
* Remove scoped_config_manager as it's not used now.
* Move ScopedConfigInfo to scoped_config_impl.h/cc
* Add a hash to scopeKey and scopeKeyFragment, so we can look up scopekey by hash value in constant time when SRDS has many scopes.
* Add a initManager parameter to RDS createRdsRouteConfigProvider API interface, when creating RouteConfigProvider after listener/server warmed up, we need to specify a different initManager than the one from factoryContext to avoid an assertion failure. see related:#7617

This PR only latches a SRDS provider into the connection manager, the "conn manager using SRDS to make route decision" plus integration tests will be covered in a following PR.

Risk Level: LOW [not fully implemented].
Testing: unit tests

Signed-off-by: Xin Zhuang <[email protected]>

Follow-up for #7995.

Signed-off-by: Raul Gutierrez Segales <[email protected]>

Bulk update of team to match envoyproxy organization. While at it, cleaned up some venv stuff in
shell_utils.sh.

Risk level: Low
Testing: Synced 157 members from envoyproxy to envoyproxy/assignable.

Signed-off-by: Harvey Tuch <[email protected]>

…ed. (#8018)

Signed-off-by: Henry Yang <[email protected]>

…8017)

This is a one-time movement of all UDPA content from envoyproxy/envoy to
cncf/udpa. The permanent home of UDPA will be
https://github.com/cncf/udpa.

Risk level: Low
Testing: Added UDPA service entry to build_test.

Signed-off-by: Harvey Tuch <[email protected]>