envoyproxy · mattklein123 · Oct 16, 2020 · Sep 18, 2020 · Sep 25, 2020 · Sep 28, 2020
diff --git a/api/envoy/config/route/v3/route_components.proto b/api/envoy/config/route/v3/route_components.proto
@@ -1495,7 +1495,7 @@ message VirtualCluster {
 message RateLimit {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit";
 
-  // [#next-free-field: 8]
+  // [#next-free-field: 9]
   message Action {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.route.RateLimit.Action";
@@ -1617,7 +1617,7 @@ message RateLimit {
     //
     // .. code-block:: cpp
     //
-    //   ("<descriptor_key>", "<value_queried_from_metadata>")
+    //   ("<descriptor_key>", "<value_queried_from_dynamic_metadata>")
     message DynamicMetaData {
       // The key to use in the descriptor entry.
       string descriptor_key = 1 [(validate.rules).string = {min_bytes: 1}];
@@ -1631,6 +1631,24 @@ message RateLimit {
       string default_value = 3;
     }
 
+    // The following descriptor entry is appended when the filter metadata contains a key value:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("<descriptor_key>", "<value_queried_from_filter_metadata>")
+    message FilterMetaData {
+      // The key to use in the descriptor entry.
+      string descriptor_key = 1 [(validate.rules).string = {min_bytes: 1}];
+
+      // Metadata struct that defines the key and path to retrieve the string value. A match will
+      // only happen if the value in the filter metadata is of type string.
+      type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}];
+
+      // An optional value to use if *metadata_key* is empty. If not set and
+      // no value is present under the metadata_key then no descriptor is generated.
+      string default_value = 3;
+    }
+
     oneof action_specifier {
       option (validate.required) = true;
 
@@ -1654,6 +1672,9 @@ message RateLimit {
 
       // Rate limit on dynamic metadata.
       DynamicMetaData dynamic_metadata = 7;
+
+      // Rate limit on filter metadata.
+      FilterMetaData filter_metadata = 8;
     }
   }
 

diff --git a/api/envoy/config/route/v4alpha/route_components.proto b/api/envoy/config/route/v4alpha/route_components.proto
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -106,6 +106,7 @@ New Features
 * ratelimit: added :ref:`enable_x_ratelimit_headers <envoy_v3_api_msg_extensions.filters.http.ratelimit.v3.RateLimit>` option to enable `X-RateLimit-*` headers as defined in `draft RFC <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>`_.
 * ratelimit: added :ref:`per route config <envoy_v3_api_msg_extensions.filters.http.ratelimit.v3.RateLimitPerRoute>` for rate limit filter.
 * ratelimit: added support for optional :ref:`descriptor_key <envoy_v3_api_field_config.route.v3.RateLimit.Action.generic_key>` to Generic Key action.
+* ratelimit: added support for optional :ref:`descriptor_key <envoy_v3_api_field_config.route.v3.RateLimit.Action.filter_metadata>` to Filter Metadata action.
 * rbac filter: added the name of the matched policy to the response code detail when a request is rejected by the RBAC filter.
 * rbac filter: added a log action to the :ref:`RBAC filter <envoy_v3_api_msg_config.rbac.v3.RBAC>` which sets dynamic metadata to inform access loggers whether to log.
 * redis: added fault injection support :ref:`fault injection for redis proxy <envoy_v3_api_field_extensions.filters.network.redis_proxy.v3.RedisProxy.faults>`, described further in :ref:`configuration documentation <config_network_filters_redis_proxy>`.

diff --git a/generated_api_shadow/envoy/config/route/v3/route_components.proto b/generated_api_shadow/envoy/config/route/v3/route_components.proto
diff --git a/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto b/generated_api_shadow/envoy/config/route/v4alpha/route_components.proto
diff --git a/source/common/router/router_ratelimit.cc b/source/common/router/router_ratelimit.cc
@@ -124,6 +124,30 @@ bool DynamicMetaDataAction::populateDescriptor(
   return false;
 }
 
+FilterMetaDataAction::FilterMetaDataAction(
+    const envoy::config::route::v3::RateLimit::Action::FilterMetaData& action)
+    : metadata_key_(action.metadata_key()), descriptor_key_(action.descriptor_key()),
+      default_value_(action.default_value()) {}
+
+bool FilterMetaDataAction::populateDescriptor(const Router::RouteEntry& route,
+                                              RateLimit::Descriptor& descriptor, const std::string&,
+                                              const Http::HeaderMap&,
+                                              const Network::Address::Instance&,
+                                              const envoy::config::core::v3::Metadata*) const {
+  const ProtobufWkt::Value& metadata_value =
+      Envoy::Config::Metadata::metadataValue(&route.metadata(), metadata_key_);
+
+  if (!metadata_value.string_value().empty()) {
+    descriptor.entries_.push_back({descriptor_key_, metadata_value.string_value()});
+    return true;
+  } else if (metadata_value.string_value().empty() && !default_value_.empty()) {
+    descriptor.entries_.push_back({descriptor_key_, default_value_});
+    return true;
+  }
+
+  return false;
+}
+
 HeaderValueMatchAction::HeaderValueMatchAction(
     const envoy::config::route::v3::RateLimit::Action::HeaderValueMatch& action)
     : descriptor_value_(action.descriptor_value()),
@@ -167,6 +191,9 @@ RateLimitPolicyEntryImpl::RateLimitPolicyEntryImpl(
     case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kDynamicMetadata:
       actions_.emplace_back(new DynamicMetaDataAction(action.dynamic_metadata()));
       break;
+    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kFilterMetadata:
+      actions_.emplace_back(new FilterMetaDataAction(action.filter_metadata()));
+      break;
     case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kHeaderValueMatch:
       actions_.emplace_back(new HeaderValueMatchAction(action.header_value_match()));
       break;

diff --git a/source/common/router/router_ratelimit.h b/source/common/router/router_ratelimit.h
@@ -131,6 +131,24 @@ class DynamicMetaDataAction : public RateLimitAction {
   const std::string default_value_;
 };
 
+/**
+ * Action for filter metadata rate limiting.
+ */
+class FilterMetaDataAction : public RateLimitAction {
+public:
+  FilterMetaDataAction(const envoy::config::route::v3::RateLimit::Action::FilterMetaData& action);
+  // Router::RateLimitAction
+  bool populateDescriptor(const Router::RouteEntry& route, RateLimit::Descriptor& descriptor,
+                          const std::string& local_service_cluster, const Http::HeaderMap& headers,
+                          const Network::Address::Instance& remote_address,
+                          const envoy::config::core::v3::Metadata* dynamic_metadata) const override;
+
+private:
+  const Envoy::Config::MetadataKey metadata_key_;
+  const std::string descriptor_key_;
+  const std::string default_value_;
+};
+
 /**
  * Action for header value match rate limiting.
  */