Merge remote-tracking branch 'upstream/main' into fuzz_bug_65802

Signed-off-by: Adi Suissa-Peleg <adip@google.com>

CODEOWNERS

@@ -249,9 +249,9 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/filters/http/rbac @yangminzhu @yanavlasov
 /*/extensions/filters/common/rbac @yangminzhu @yanavlasov
 # tap
-/*/extensions/filters/http/tap @mattklein123 @daixiang0
-/*/extensions/common/tap @mattklein123 @daixiang0
-/*/extensions/transport_sockets/tap @mattklein123 @daixiang0
+/*/extensions/filters/http/tap @mattklein123 @xu1zhou
+/*/extensions/common/tap @mattklein123 @xu1zhou
+/*/extensions/transport_sockets/tap @mattklein123 @xu1zhou
 # local rate limit
 /*/extensions/filters/network/local_ratelimit @mattklein123 @wbpcode
 /*/extensions/filters/listener/local_ratelimit @mattklein123 @JuniorHsu
@@ -324,6 +324,8 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/http/early_header_mutation/header_mutation @wbpcode @UNOWNED
 # Network matching extensions
 /*/extensions/matching/network/ @kyessenov @mattklein123
+# String matching extensions
+/*/extensions/string_matcher/ @ggreenway @UNOWNED
 # Header mutation
 /*/extensions/filters/http/header_mutation @wbpcode @htuch @soulxu
 # Health checkers
@@ -363,7 +365,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
 /*/extensions/path/uri_template_lib/proto @alyssawilk @yanjunxiang-google
 
 # mobile
-/mobile/ @RyanTheOptimist @alyssawilk @abeyad
+/mobile/ @RyanTheOptimist @alyssawilk @abeyad @fredyw
 
 # Contrib
 /contrib/exe/ @mattklein123 @lizan

api/BUILD

@@ -317,6 +317,7 @@ proto_library(
         "//envoy/extensions/stat_sinks/graphite_statsd/v3:pkg",
         "//envoy/extensions/stat_sinks/open_telemetry/v3:pkg",
         "//envoy/extensions/stat_sinks/wasm/v3:pkg",
+        "//envoy/extensions/string_matcher/lua/v3:pkg",
         "//envoy/extensions/tracers/opentelemetry/resource_detectors/v3:pkg",
         "//envoy/extensions/tracers/opentelemetry/samplers/v3:pkg",
         "//envoy/extensions/transport_sockets/alts/v3:pkg",

api/envoy/config/accesslog/v3/accesslog.proto

@@ -256,6 +256,7 @@ message ResponseFlagFilter {
         in: "OM"
         in: "DF"
         in: "DO"
+        in: "DR"
       }
     }
   }];

api/envoy/config/core/v3/base.proto

@@ -432,9 +432,28 @@ message DataSource {
 }
 
 // The message specifies the retry policy of remote data source when fetching fails.
+// [#next-free-field: 7]
 message RetryPolicy {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RetryPolicy";
 
+  // See :ref:`RetryPriority <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_priority>`.
+  message RetryPriority {
+    string name = 1 [(validate.rules).string = {min_len: 1}];
+
+    oneof config_type {
+      google.protobuf.Any typed_config = 2;
+    }
+  }
+
+  // See :ref:`RetryHostPredicate <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_host_predicate>`.
+  message RetryHostPredicate {
+    string name = 1 [(validate.rules).string = {min_len: 1}];
+
+    oneof config_type {
+      google.protobuf.Any typed_config = 2;
+    }
+  }
+
   // Specifies parameters that control :ref:`retry backoff strategy <envoy_v3_api_msg_config.core.v3.BackoffStrategy>`.
   // This parameter is optional, in which case the default base interval is 1000 milliseconds. The
   // default maximum interval is 10 times the base interval.
@@ -444,6 +463,18 @@ message RetryPolicy {
   // defaults to 1.
   google.protobuf.UInt32Value num_retries = 2
       [(udpa.annotations.field_migrate).rename = "max_retries"];
+
+  // For details, see :ref:`retry_on <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_on>`.
+  string retry_on = 3;
+
+  // For details, see :ref:`retry_priority <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_priority>`.
+  RetryPriority retry_priority = 4;
+
+  // For details, see :ref:`RetryHostPredicate <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_host_predicate>`.
+  repeated RetryHostPredicate retry_host_predicate = 5;
+
+  // For details, see :ref:`host_selection_retry_max_attempts <envoy_v3_api_field_config.route.v3.RetryPolicy.host_selection_retry_max_attempts>`.
+  int64 host_selection_retry_max_attempts = 6;
 }
 
 // The message specifies how to fetch data from remote and how to verify it.

api/envoy/config/core/v3/grpc_service.proto

@@ -25,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // gRPC service configuration. This is used by :ref:`ApiConfigSource
 // <envoy_v3_api_msg_config.core.v3.ApiConfigSource>` and filter configurations.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message GrpcService {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService";
 
@@ -300,4 +300,8 @@ message GrpcService {
   // documentation on :ref:`custom request headers
   // <config_http_conn_man_headers_custom_request_headers>`.
   repeated HeaderValue initial_metadata = 5;
+
+  // Optional default retry policy for streams toward the service.
+  // If an async stream doesn't have retry policy configured in its stream options, this retry policy is used.
+  RetryPolicy retry_policy = 6;
 }

api/envoy/data/accesslog/v3/accesslog.proto

@@ -271,7 +271,7 @@ message AccessLogCommon {
 }
 
 // Flags indicating occurrences during request/response processing.
-// [#next-free-field: 28]
+// [#next-free-field: 29]
 message ResponseFlags {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.data.accesslog.v2.ResponseFlags";
@@ -372,6 +372,9 @@ message ResponseFlags {
 
   // Indicates a DNS resolution failed.
   bool dns_resolution_failure = 27;
+
+  // Indicates a downstream remote codec level reset was received on the stream
+  bool downstream_remote_reset = 28;
 }
 
 // Properties of a negotiated TLS connection.

api/envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto

@@ -4,6 +4,8 @@ package envoy.extensions.filters.http.aws_request_signing.v3;
 
 import "envoy/type/matcher/v3/string.proto";
 
+import "google/protobuf/duration.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -19,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.aws_request_signing]
 
 // Top level configuration for the AWS request signing filter.
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message AwsRequestSigning {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.aws_request_signing.v2alpha.AwsRequestSigning";
@@ -32,6 +34,16 @@ message AwsRequestSigning {
     AWS_SIGV4A = 1;
   }
 
+  message QueryString {
+    // Optional expiration time for the query string parameters. As query string parameter based requests are replayable, in effect representing
+    // an API call that has already been authenticated, it is recommended to keep this expiration time as short as feasible.
+    // This value will default to 5 seconds and has a maximum value of 3600 seconds (1 hour).
+    google.protobuf.Duration expiration_time = 1 [(validate.rules).duration = {
+      lte {seconds: 3600}
+      gte {seconds: 1}
+    }];
+  }
+
   // The `service namespace
   // <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces>`_
   // of the HTTP endpoint.
@@ -54,7 +66,7 @@ message AwsRequestSigning {
   //
   // Example: '*'
   //
-  // By configuring a region set, a sigv4a signed request can be sent to multiple regions, rather than being
+  // By configuring a region set, a SigV4A signed request can be sent to multiple regions, rather than being
   // valid for only a single region destination.
   string region = 2;
 
@@ -87,6 +99,14 @@ message AwsRequestSigning {
 
   // Optional Signing algorithm specifier, either ``AWS_SIGV4`` or ``AWS_SIGV4A``, defaulting to ``AWS_SIGV4``.
   SigningAlgorithm signing_algorithm = 6;
+
+  // If set, use the query string to store output of SigV4 or SigV4A calculation, rather than HTTP headers. The ``Authorization`` header will not be modified if ``query_string``
+  // is configured.
+  //
+  // Example:
+  // query_string: {}
+  //
+  QueryString query_string = 7;
 }
 
 message AwsRequestSigningPerRoute {

api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -74,7 +74,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -137,6 +137,11 @@ message OAuth2Config {
   // If this value is not set, it will default to ``0s``. In this case, the expiry must be set by
   // the authorization server or the OAuth flow will fail.
   google.protobuf.Duration default_expires_in = 13;
+
+  // Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
+  // Automatic access token refresh will be performed for these requests, if enabled.
+  // This behavior can be useful for AJAX requests.
+  repeated config.route.v3.HeaderMatcher deny_redirect_matcher = 14;
 }
 
 // Filter config.

api/envoy/extensions/string_matcher/lua/v3/BUILD

@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+    ],
+)

api/envoy/extensions/string_matcher/lua/v3/lua.proto

@@ -0,0 +1,37 @@
+syntax = "proto3";
+
+package envoy.extensions.string_matcher.lua.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.string_matcher.lua.v3";
+option java_outer_classname = "LuaProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/string_matcher/lua/v3;luav3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Lua StringMatcher]
+// A Lua StringMatcher allows executing a Lua script to determine if a string is a match. The configured source
+// code must define a function named `envoy_match`. If the function returns true, the string is considered a match.
+// Any other result, including an execution error, is considered a non-match.
+//
+// Example:
+//
+// .. code-block:: yaml
+//
+//   source_code:
+//     inline_string: |
+//       function envoy_match(str)
+//           -- Do something.
+//           return true
+//       end
+//
+// [#extension: envoy.string_matcher.lua]
+
+message Lua {
+  // The Lua code that Envoy will execute
+  config.core.v3.DataSource source_code = 1 [(validate.rules).message = {required: true}];
+}

api/envoy/type/matcher/v3/BUILD

@@ -9,5 +9,6 @@ api_proto_package(
         "//envoy/annotations:pkg",
         "//envoy/type/v3:pkg",
         "@com_github_cncf_xds//udpa/annotations:pkg",
+        "@com_github_cncf_xds//xds/core/v3:pkg",
     ],
 )

api/envoy/type/matcher/v3/string.proto

@@ -4,6 +4,8 @@ package envoy.type.matcher.v3;
 
 import "envoy/type/matcher/v3/regex.proto";
 
+import "xds/core/v3/extension.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -17,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: String matcher]
 
 // Specifies the way to match a string.
-// [#next-free-field: 8]
+// [#next-free-field: 9]
 message StringMatcher {
   option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StringMatcher";
 
@@ -61,6 +63,10 @@ message StringMatcher {
     //
     // * ``abc`` matches the value ``xyz.abc.def``
     string contains = 7 [(validate.rules).string = {min_len: 1}];
+
+    // Use an extension as the matcher type.
+    // [#extension-category: envoy.string_matcher]
+    xds.core.v3.TypedExtensionConfig custom = 8;
   }
 
   // If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. This

api/versioning/BUILD

@@ -256,6 +256,7 @@ proto_library(
         "//envoy/extensions/stat_sinks/graphite_statsd/v3:pkg",
         "//envoy/extensions/stat_sinks/open_telemetry/v3:pkg",
         "//envoy/extensions/stat_sinks/wasm/v3:pkg",
+        "//envoy/extensions/string_matcher/lua/v3:pkg",
         "//envoy/extensions/tracers/opentelemetry/resource_detectors/v3:pkg",
         "//envoy/extensions/tracers/opentelemetry/samplers/v3:pkg",
         "//envoy/extensions/transport_sockets/alts/v3:pkg",

bazel/repository_locations.bzl

@@ -480,6 +480,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         extensions = [
             "envoy.filters.http.lua",
             "envoy.router.cluster_specifier_plugin.lua",
+            "envoy.string_matcher.lua",
         ],
         cpe = "cpe:2.3:a:luajit:luajit:*",
         license = "MIT",
@@ -1209,12 +1210,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "QUICHE",
         project_desc = "QUICHE (QUIC, HTTP/2, Etc) is Google‘s implementation of QUIC and related protocols",
         project_url = "https://github.com/google/quiche",
-        version = "3373df94b3713d4e3ef69ee54ba6e7b6aaaebcc0",
-        sha256 = "fab452b368990d31a241f18a96fad613377752ff114b7584d0e7eb8cfe5464fe",
+        version = "6f0b1d204da73155e21c683650dbebe05a36d781",
+        sha256 = "9023e5fa8c830543c04124dd994f3f8c60d8377e82e116cf1145cd846e686f90",
         urls = ["https://github.com/google/quiche/archive/{version}.tar.gz"],
         strip_prefix = "quiche-{version}",
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2024-02-29",
+        release_date = "2024-03-05",
         cpe = "N/A",
         license = "BSD-3-Clause",
         license_url = "https://github.com/google/quiche/blob/{version}/LICENSE",