2.5 initial attempt

.bazelignore

@@ -1,8 +1,7 @@
 # only directories can be ignored, and no globbing
 api
 examples/grpc-bridge/script
-mobile
 tools/clang_tools
+test/extensions/quic_listeners/quiche
 tools/dev/src
 .project
-envoy-filter-example

.bazelrc

@@ -22,7 +22,7 @@ build --tool_java_runtime_version=remotejdk_11
 build --platform_mappings=bazel/platform_mappings
 # silence absl logspam.
 build --copt=-DABSL_MIN_LOG_LEVEL=4
-build --define envoy_mobile_listener=enabled
+build --define envoy_mobile_listener=disabled
 build --experimental_repository_downloader_retries=2
 
 # Pass PATH, CC, CXX and LLVM_CONFIG variables from the environment.
@@ -80,8 +80,6 @@ build:sanitizer --linkopt -ldl
 
 # Common flags for Clang
 build:clang --action_env=BAZEL_COMPILER=clang
-build:clang --action_env=CC=clang --action_env=CXX=clang++
-build:clang --linkopt=-fuse-ld=lld
 
 # Flags for Clang + PCH
 build:clang-pch --spawn_strategy=local
@@ -339,7 +337,7 @@ build:compile-time-options --@envoy//source/extensions/filters/http/kill_request
 
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/main/toolchains/rbe_toolchains_config.bzl#L8
-build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:cmake-fdd65c6270a8507a18d5acd6cf19a18cb695e4fa@sha256:06d3d10a99cce5bf4036be65190f192a30503fa93b9df3c119fd1260d3ed7024
+build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu:7304f974de2724617b7492ccb4c9c58cd420353a
 build:docker-sandbox --spawn_strategy=docker
 build:docker-sandbox --strategy=Javac=docker
 build:docker-sandbox --strategy=Closure=docker
@@ -526,3 +524,5 @@ common:debug --config=debug-tests
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc
 try-import %workspace%/local_tsan.bazelrc
+
+import %workspace%/maistra/bazelrc

.clang-format

@@ -5,7 +5,6 @@ ColumnLimit: 100
 DerivePointerAlignment: false
 PointerAlignment: Left
 SortIncludes: false
-TypenameMacros: ['STACK_OF']
 ...
 
 ---

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,6 @@
 blank_issues_enabled: false
 contact_links:
-- name: "Crash bug"
-  url: https://github.com/envoyproxy/envoy/security/policy
-  about: "Please file any crash bug (including asserts in debug builds) with envoy-security@googlegroups.com."
+- name: "Issues"
+  url: https://issues.redhat.com/browse/OSSM
+  about: "Issues for this repository are tracked in Red Hat Jira."
+

.gitignore

@@ -1,5 +1,6 @@
 # Dot files, disallow by default, and enable explicitly
 \.*
+!\.gitleaks.toml
 !\.azure-pipelines
 !\.bazelci
 !\.bazelignore
@@ -29,27 +30,42 @@ BROWSE
 /build
 /build_*
 *.bzlc
+.cache
+.clangd
+.classpath
+.clwb/
 /ci/bazel-*
 compile_commands.json
 cscope.*
+.deps
+.devcontainer.json
 /docs/landing_source/.bundle
 /generated
+.idea/
+.project
 *.pyc
 **/pyformat
 SOURCE_VERSION
-*.s??
+.settings/
+*.sw*
 tags
 TAGS
 /test/coverage/BUILD
 /tools/spelling/.aspell.en.pws
+.vimrc
+.vs
+.vscode
 clang-tidy-fixes.yaml
+.gdb_history
 clang.bazelrc
 user.bazelrc
 CMakeLists.txt
+/patches
 cmake-build-debug
 /linux
 bazel.output.txt
 *~
+.coverage
 **/.DS_Store
 **/*.iml
 tools/dev/src

.gitleaks.toml

@@ -0,0 +1,26 @@
+title = "Maistra Envoy gitleaks configuration"
+
+# The following rule lists all affected files and folders
+# to account for all known files so any additions can be flagged.
+# To be complete each file should have a regexp to identify
+# the specific key in question (todo). 
+[[rules]]
+   description = "PRIVATE KEY CHECK PATHS"
+   regex = '''-----BEGIN ((EC|PGP|DSA|RSA|OPENSSH) )?PRIVATE KEY( BLOCK)?-----'''
+   tags = ["key"]
+   [rules.allowlist]
+      description = "test files"
+      paths = [
+         '''^test/common/grpc/service_key.json$''',
+         '''^test/common/quic/envoy_quic_proof_source_test.cc$''',
+         '''^test/extensions/filters/http/jwt_authn/test_common.h$''',
+         '''^contrib/cryptomb/private_key_providers/test/config_test.cc$''',
+         '''^contrib/sxg/filters/http/test/filter_test.cc$''',
+         '''^test/extensions/transport_sockets/tls/test_data/(.*?).(pem|key)$''',
+         '''^test/extensions/transport_sockets/tls/ocsp/test_data/(.*?).(pem|key)$''',
+         '''^test/config/integration/certs/(.*?).(pem|key)$''',
+         '''^contrib/cryptomb/private_key_providers/test/test_data/(.*?).(pem|key)$''',
+         '''^examples/_extra_certs/(.*?).(pem|key)$''',
+         '''^examples/(.*?)(yaml)$''',
+      ]
+

0001-Fix-the-cxx-builtin-directories-for-maistra-proxy.patch

@@ -0,0 +1,30 @@
+From 25a587052e8589914b3a08313ab9ccd292a216e2 Mon Sep 17 00:00:00 2001
+From: Jonh Wendell <jonh.wendell@redhat.com>
+Date: Fri, 5 Feb 2021 15:29:42 -0500
+Subject: [PATCH] Fix the cxx builtin directories for maistra proxy
+
+---
+ toolchain/cc_toolchain_config.bzl | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/toolchain/cc_toolchain_config.bzl b/toolchain/cc_toolchain_config.bzl
+index 4c7b327..452ac6d 100644
+--- a/toolchain/cc_toolchain_config.bzl
++++ b/toolchain/cc_toolchain_config.bzl
+@@ -161,8 +161,11 @@ def _impl(ctx):
+         # we just need to include them here so that bazel doesn't complain on
+         # "this rule is missing dependency declarations for the following files included".
+         cxx_builtin_include_directories = [
+-            "external/emscripten_toolchain/upstream/emscripten/system/include/libcxx",
+-            "external/emscripten_toolchain/upstream/emscripten/system/include/libc",
++            "/opt/emsdk/upstream/emscripten/system/include/libcxx",
++            "/opt/emsdk/upstream/emscripten/system/include/libc",
++            "/opt/emsdk/upstream/emscripten/system/include/compat",
++            "/opt/emsdk/upstream/emscripten/system/lib/libc/musl/arch/emscripten/bits",
++            "/opt/emsdk/upstream/emscripten/system/include/wasi",
+         ],
+         features = [cxx17_feature, no_canonical_prefixes_feature, opt_feature],
+     )
+-- 
+2.29.2
+

BUILD

@@ -1,5 +1,6 @@
 load("//bazel:envoy_build_system.bzl", "envoy_package")
 load("//tools/base:envoy_python.bzl", "envoy_py_namespace")
+load("//bazel:envoy_library.bzl", "envoy_cc_library")
 
 licenses(["notice"])  # Apache 2
 
@@ -74,3 +75,17 @@ package_group(
         "//mobile/...",
     ],
 )
+
+envoy_cc_library(
+    name = "openssl_impl_lib",
+    srcs = [
+        "openssl_impl.cc",
+    ],
+    hdrs = [
+        "openssl_impl.h",
+    ],
+    external_deps = [
+        "ssl",
+        "bssl_wrapper_lib",
+    ],
+)

CODEOWNERS

@@ -254,9 +254,9 @@ extensions/filters/http/oauth2 @derekargueta @snowp
 /*/extensions/tracers/common @wbpcode @Shikugawa @basvanbeek
 /*/extensions/tracers/common/ot @wbpcode @Shikugawa @basvanbeek
 # ext_authz
-/*/extensions/filters/common/ext_authz @esmet @pradeepcrao @ggreenway
-/*/extensions/filters/http/ext_authz @esmet @pradeepcrao @ggreenway
-/*/extensions/filters/network/ext_authz @esmet @pradeepcrao @ggreenway
+/*/extensions/filters/common/ext_authz @esmet @gsagula @pradeepcrao @ggreenway
+/*/extensions/filters/http/ext_authz @esmet @gsagula @pradeepcrao @ggreenway
+/*/extensions/filters/network/ext_authz @esmet @gsagula @pradeepcrao @ggreenway
 # original dst
 /*/extensions/filters/listener/original_dst @kyessenov @lizan
 # mongo proxy

README.md

@@ -1,3 +1,7 @@
+# Issues for this repository are disabled
+
+Issues for this repository are tracked in Red Hat Jira. Please head to <https://issues.redhat.com/browse/OSSM> in order to browse or open an issue.
+
 ![Envoy Logo](https://github.com/envoyproxy/artwork/blob/main/PNG/Envoy_Logo_Final_PANTONE.png)
 
 [Cloud-native high-performance edge/middle/service proxy](https://www.envoyproxy.io/)

WORKSPACE

@@ -8,7 +8,7 @@ load("//bazel:api_repositories.bzl", "envoy_api_dependencies")
 
 envoy_api_dependencies()
 
-load("//bazel:repositories.bzl", "envoy_dependencies")
+load("//bazel:repositories.bzl", "envoy_dependencies", "BUILD_ALL_CONTENT")
 
 envoy_dependencies()
 
@@ -23,3 +23,14 @@ envoy_python_dependencies()
 load("//bazel:dependency_imports.bzl", "envoy_dependency_imports")
 
 envoy_dependency_imports()
+
+new_local_repository(
+    name = "openssl",
+    build_file = "openssl.BUILD",
+    path = "/usr/lib64/",
+)
+new_local_repository(
+    name = "emscripten_toolchain",
+    path = "/opt/emsdk/",
+    build_file_content = BUILD_ALL_CONTENT,
+)

antlr_s390x_ossm_1526.patch

@@ -0,0 +1,11 @@
+--- a/runtime/Cpp/runtime/src/Lexer.cpp
++++ b/runtime/Cpp/runtime/src/Lexer.cpp
+@@ -73,7 +73,7 @@
+     tokenStartCharIndex = _input->index();
+     tokenStartCharPositionInLine = getInterpreter<atn::LexerATNSimulator>()->getCharPositionInLine();
+     tokenStartLine = getInterpreter<atn::LexerATNSimulator>()->getLine();
+-    _text = "";
++    _text.clear();
+     do {
+       type = Token::INVALID_TYPE;
+       size_t ttype;

api/envoy/config/listener/v3/listener_components.proto

@@ -228,12 +228,6 @@ message FilterChain {
   // connections established with the listener. Order matters as the filters are
   // processed sequentially as connection events happen. Note: If the filter
   // list is empty, the connection will close by default.
-  //
-  // For QUIC listeners, network filters other than HTTP Connection Manager (HCM)
-  // can be created, but due to differences in the connection implementation compared
-  // to TCP, the onData() method will never be called. Therefore, network filters
-  // for QUIC listeners should only expect to do work at the start of a new connection
-  // (i.e. in onNewConnection()). HCM must be the last (or only) filter in the chain.
   repeated Filter filters = 3;
 
   // Whether the listener should expect a PROXY protocol V1 header on new

bazel/dependency_imports.bzl

@@ -17,7 +17,7 @@ load("@aspect_bazel_lib//lib:repositories.bzl", "register_jq_toolchains", "regis
 load("@com_google_cel_cpp//bazel:deps.bzl", "parser_deps")
 
 # go version for rules_go
-GO_VERSION = "1.18"
+GO_VERSION = "1.20.7"
 
 JQ_VERSION = "1.6"
 YQ_VERSION = "4.24.4"

bazel/envoy_internal.bzl

@@ -7,7 +7,7 @@ def envoy_copts(repository, test = False):
     posix_options = [
         "-Wall",
         "-Wextra",
-        "-Werror",
+#        "-Werror", FIXME: https://issues.redhat.com/browse/OSSM-1201
         "-Wnon-virtual-dtor",
         "-Woverloaded-virtual",
         "-Wold-style-cast",

bazel/external/openssl_includes-1.patch

@@ -0,0 +1,13 @@
+diff --git a/ssl/packet_locl.h b/ssl/packet_locl.h
+index 860360b8b2..49c719285f 100644
+--- a/ssl/packet_locl.h
++++ b/ssl/packet_locl.h
+@@ -426,7 +426,7 @@ __owur static ossl_inline int PACKET_memdup(const PACKET *pkt,
+     if (length == 0)
+         return 1;
+
+-    *data = OPENSSL_memdup(pkt->curr, length);
++    *data = (unsigned char *)OPENSSL_memdup(pkt->curr, length);
+     if (*data == NULL)
+         return 0;
+

bazel/external/openssl_includes.BUILD

@@ -0,0 +1,25 @@
+load("@rules_cc//cc:defs.bzl", "cc_library")
+
+cc_library(
+    name = "openssl_includes_lib",
+    hdrs = [
+        "e_os.h",
+        "include/internal/dane.h",
+        "include/internal/nelem.h",
+        "include/internal/numbers.h",
+        "include/internal/refcount.h",
+        "include/internal/tsan_assist.h",
+        "ssl/packet_locl.h",
+        "ssl/record/record.h",
+        "ssl/ssl_locl.h",
+        "ssl/statem/statem.h",
+    ],
+    copts = ["-Wno-error=error"],
+    includes = [
+        "include",
+        "ssl",
+        "ssl/record",
+        "ssl/statem",
+    ],
+    visibility = ["//visibility:public"],
+)

bazel/external/quiche-s390x-support.patch

@@ -0,0 +1,18 @@
+diff --git a/quiche/common/quiche_endian.h b/quiche/common/quiche_endian.h
+index 30639ccd37..64fb00246d 100644
+--- a/quiche/common/quiche_endian.h
++++ b/quiche/common/quiche_endian.h
+@@ -23,7 +23,12 @@ enum Endianness {
+ class QUICHE_EXPORT_PRIVATE QuicheEndian {
+  public:
+   // Convert |x| from host order (little endian) to network order (big endian).
+-#if defined(__clang__) || \
++#if defined(__BYTE_ORDER__) && defined(__ORDER_BIG_ENDIAN__) && \
++    __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
++  static uint16_t HostToNet16(uint16_t x) { return x; }
++  static uint32_t HostToNet32(uint32_t x) { return x; }
++  static uint64_t HostToNet64(uint64_t x) { return x; }
++#elif defined(__clang__) || \
+     (defined(__GNUC__) && \
+      ((__GNUC__ == 4 && __GNUC_MINOR__ >= 8) || __GNUC__ >= 5))
+   static uint16_t HostToNet16(uint16_t x) { return __builtin_bswap16(x); }