vijayrajput1
Owner

No description provided.

alyssawilk and others added 30 commits March 2, 2020 19:24
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Previously, the update callback was called only when the secret
was received for the first time or when its value changed.

This meant that if the same secret (e.g. trusted CA) was used in
multiple resources, then resources using it but configured after
the secret was already received, remained unconfigured until the
secret's value changed.

The missing callback should have resulted in transport factories
stuck in the "not ready" state; however, because of incorrect
code, the available secret was processed like an inlined validation
context, and only rules from the "secret" part of the validation
context were applied, leading to a complete bypass of rules from
the "default" part.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Co-authored-by: Oliver Liu <yonggangl@google.com>
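
The late-subscriber gap described in the commit message above, as an added example that is not Envoy's code or part of the commit. `SecretProvider`, `TransportFactory` and `replay_on_subscribe` are hypothetical names, and replaying the stored value on registration is an assumed way to close the gap.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model of a shared secret provider; not Envoy's classes.
class SecretProvider {
public:
  using Callback = std::function<void(const std::string&)>;
  explicit SecretProvider(bool replay_on_subscribe) : replay_(replay_on_subscribe) {}
  // With replay on, a consumer registered after the secret arrived is notified at once.
  void subscribe(Callback cb) {
    if (replay_ && has_value_) cb(value_);
    callbacks_.push_back(std::move(cb));
  }
  // Notify consumers only on first receipt or when the value changes.
  void onSecret(const std::string& v) {
    if (has_value_ && value_ == v) return;
    value_ = v;
    has_value_ = true;
    for (auto& cb : callbacks_) cb(v);
  }
private:
  bool replay_;
  bool has_value_ = false;
  std::string value_;
  std::vector<Callback> callbacks_;
};
// Consumer that must stay "not ready" (fail closed) until it has the secret.
struct TransportFactory {
  bool ready = false;
  std::string trusted_ca;
  void attach(SecretProvider& p) {
    p.subscribe([this](const std::string& ca) { trusted_ca = ca; ready = true; });
  }
};
// True if a factory attached after the secret was received becomes ready.
bool lateSubscriberReady(bool replay_on_subscribe) {
  SecretProvider provider(replay_on_subscribe);
  TransportFactory early, late;
  early.attach(provider);
  provider.onSecret("constructed-ca-bundle");  // constructed sample value
  late.attach(provider);                       // configured after receipt
  provider.onSecret("constructed-ca-bundle");  // unchanged: no notification
  return early.ready && late.ready;
}

int main() { std::cout << lateSubscriberReady(false) << lateSubscriberReady(true) << "\n"; }
```

Without replay the late factory never leaves the "not ready" state, which is the safe outcome only if every code path treats "not ready" as a refusal to build a validation context.
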
Description: Remove empty slices off the end of buffers after calls to OwnedImpl::commit. The slices reserved when OwnedImpl::reserve is called will sit unused in cases where the 0 bytes are committed, for example, when socket read returns 0 bytes EAGAIN. Trapped slices act like a memory leak until there is a successful read or the socket is closed.
Risk Level: low
Testing: unit
Docs Changes: n/a
Release Notes: n/a

Signed-off-by: Asra Ali <asraa@google.com>
Previously, TLS inspector didn't support TLSv1.3 and clients configured
to use only TLSv1.3 were not recognized as TLS clients.

Because TLS extensions (SNI, ALPN) were not inspected, those connections
might have been matched to a wrong filter chain, possibly bypassing some
security restrictions in the process.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
… avoid fragmentation

Description: Change OwnedImpl::move to force a copy instead of taking
ownership of slices in cases where the offered slices are below
kCopyThreshold
Risk Level: medium, changes to buffer behavior
Testing: Unit Tests
Docs Changes: n/a
Release Notes:

Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: Yuchen Dai <silentdai@gmail.com>
Signed-off-by: Tony Allen <tallen@lyft.com>
Signed-off-by: Derek Argueta <darguetap@gmail.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
This ensures that the nullptr check in the recordValue default
handler makes sense, preventing UB when the handler is invoked
on a default constructed mock histogram.

Signed-off-by: Snow Pettersen <kpettersen@netflix.com>
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
…ontext in router/... (#9779)

Signed-off-by: Xin Zhuang <stevenzzz@google.com>
Signed-off-by: Yaroslav Skopets <y.skopets@gmail.com>
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
This patch resolves the TODO from
#2431.
Tests pass on a big-endian machine (IBM Z).

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
These changes are required for fully splitting the header map into
discrete types.
1) Prepare for concrete types
2) Fully remove client pipelining support as we don't actually use it
   anywhere and it made the refactor more complicated.
3) As a bonus, remove per-request/response heap allocations for HTTP/1.

Signed-off-by: Matt Klein <mklein@lyft.com>
…mpty. (#10245)

Signed-off-by: Joshua Marantz <jmarantz@google.com>
Signed-off-by: Yan Avlasov <yavlasov@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Previously, if encodeMetadata were called on a connection for which Envoy was
already dispatching data, it would generate extra frames, then underflow memory
when MetadataEncoder tried to populate their payload.

The codec tried to fully generate each METADATA frame before moving onto the
next one: first, it submitted a payload-less frame to nghttp2's outbound queue;
second, it called sendPendingFrames to pop the frame off of the outbound queue,
causing MetadataEncoder to fill in its payload via a callback; and third, it
asked the MetadataEncoder whether it had any more frames to fill payloads for,
to decide whether to submit the next frame. However, if the connection were in
dispatching mode, sendPendingFrames wouldn't have any effect, so the
MetadataEncoder would report more frames to fill even once enough frames had
been submitted. When the MetadataEncoder tried to pack those frames, it would
trigger debug ASSERT failures, or underflows in prod.

Fix this by submitting all the METADATA frames to nghttp2 before trying to send
any of them.

Also harden MetadataEncoder against a few other library failures that were
previously only checked with debug ASSERTs.

Signed-off-by: Michael Behr <mkbehr@google.com>
…string. (#10165)

Signed-off-by: Joshua Marantz <jmarantz@google.com>
Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
Signed-off-by: mindyor <or.mindy@gmail.com>
Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
…ce_storage_test (#10268)

Signed-off-by: Dan Zhang <danzh@google.com>
Signed-off-by: Snow Pettersen <kpettersen@netflix.com>
…ld. (#10279)

Signed-off-by: Michael Behr <mkbehr@google.com>
mattklein123 and others added 29 commits April 6, 2020 08:25
This shouldn't be a warning as it confuses operators.

Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
This is affecting tests, introducing flakes.

Risk level: Low
Testing: CI

Signed-off-by: Harvey Tuch <htuch@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
This is a regression from #10566.

Fixes #10655

Signed-off-by: Matt Klein <mklein@lyft.com>
Now that we are Python 3 everywhere, remove explicit python_versions. I haven't made this change yet
to the Thrift extension, as it has explicit PY2/PY3 overrides that I'm guessing relate to external
libs.

Risk level: Low (tooling only)
Testing: bazel.api

Signed-off-by: Harvey Tuch <htuch@google.com>
The HTTP/1 codec implies a connection close following a stream reset of
any kind, including explicit resetStream(). This patch ensures that
codec_impl_fuzz_test completes without any further connection use
following a stream reset.

Fixes oss-fuzz issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21272.

Risk level: Low
Testing: Corpus entry added.

Signed-off-by: Harvey Tuch <htuch@google.com>
This patch introduces the tools/docs for a new flow for protoxform: freeze.
This performs a major version freeze and bump by modifying
package_version_status. Tooling now needs to deal with 3 possible versions (v2,
v3, v4alpha). The following contributions are made in the patch:

* Tooling added to support v2 APIs freeze, transitioning v3 to active and generating v4alpha.
* A new tool, merge_active_shadow.py, is introduced to combine hand-edited active v3 API protos with the v2 implied shadows for deprecated fields.
* The type database now spans v2 and v3 (and implied v4alpha files)
* api_proto_plugins can now take extra args on the Bazel CLI; this is used to plumb in the freeze arg to protoxform.

Docs are updated to reflect the v3 flow that developers should now
follow.
Part of #10355

This is the tools/docs component of #10601. See #10601 for the resulting
API protos generated by a freeze/fix cycle.

Risk level: Low (tooling only, no API changes yet)
Testing: new golden protos tests for protoxform, unit tests for merge_active_shadow.

Signed-off-by: Harvey Tuch <htuch@google.com>
…10557)

This part of the global rate limiter api is not currently used by envoy, but for anyone implementing the envoy global rate limiter api being able to describe what specific limit you've hit in a human-readable and/or machine-readable way will be useful for debugging, alerting, etc.

Risk Level: Low
Testing: n/a
Docs Changes: n/a
Release Notes: n/a

Fixes #10556

Signed-off-by: David Weitzman <dweitzman@pinterest.com>
This patch performs a major version freeze and bump by modifying
package_version_status, using the tooling developed in #10636.
Specifically:

* v2 APIs are frozen (except for where they are the latest in their package history and still active)
* v3 APIs are transitioned to be active
* Candidate v4alpha APIs are generated (not used by Envoy yet)

Fixes #10355

Risk level: medium (entire API's files are modified, visually verified
to ensure things look sane, all tests pass)
Testing: CI

Signed-off-by: Harvey Tuch <htuch@google.com>
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Description: introduce an environment variable that allows consuming projects to only run coverage over private extensions.
Risk Level: low
Testing: locally with Envoy Mobile as a consuming project. And existing coverage run in CI
Docs Changes: inline comment

Signed-off-by: Jose Nino <jnino@lyft.com>
Fixes #10651.

Risk level: Low
Testing: Extended api_version_integration_test to cover this regression.

Signed-off-by: Harvey Tuch <htuch@google.com>
Signed-off-by: Kuat Yessenov <kuat@google.com>
Signed-off-by: Lizan Zhou <lizan@tetrate.io>
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
Signed-off-by: Ruslan Nigmatullin <elessar@dropbox.com>
Since Envoy::Compressor::ZlibCompressorImpl::CompressionStrategy is
simply static_cast'ed to uint64_t the Standard strategy (4)
becomes Z_FIXED (4 as well). This basically disables the use of
dynamic Huffman codes when the gzip filter is configured to use
default values.

Make the Standard strategy equal to 0 to translate to
Z_DEFAULT_STRATEGY.

Contributes to #8448

Signed-off-by: Dmitry Rozhkov <dmitry.rozhkov@linux.intel.com>
…at (#10695)

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
…ores (#10700)

Signed-off-by: Yan Avlasov <yavlasov@google.com>
Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Matt Klein <mklein@lyft.com>
Signed-off-by: Jose Nino <jnino@lyft.com>
… value (#10578)

Signed-off-by: Adi Suissa-Peleg <adip@google.com>
@vijayrajput1 vijayrajput1 merged commit 3990560 into vijayrajput1:master Apr 9, 2020