Merge branch 'main' into rbac-delay-deny
Signed-off-by: Yangmin Zhu <ymzhu@uber.com>
yangminzhu committed Jun 20, 2024
2 parents 3ae5fef + 7faeb05 commit 5281a76
Showing 13 changed files with 430 additions and 254 deletions.
52 changes: 26 additions & 26 deletions CODEOWNERS
@@ -25,14 +25,14 @@
# original_src common extension
extensions/filters/common/original_src @klarose @mattklein123
# dubbo_proxy extension
/*/extensions/filters/network/dubbo_proxy @zyfjeff @lizan @wbpcode
/*/extensions/filters/network/dubbo_proxy @zyfjeff @wbpcode
# cdn_loop extension
/*/extensions/filters/http/cdn_loop @justin-mp @penguingao @alyssawilk
# external processing filter
/*/extensions/filters/http/ext_proc @gbrail @stevenzzzz @tyxia @mattklein123 @htuch @yanavlasov
/*/extensions/filters/common/mutation_rules @gbrail @tyxia @mattklein123 @htuch @yanavlasov
# jwt_authn http filter extension
/*/extensions/filters/http/jwt_authn @taoxuy @lizan
/*/extensions/filters/http/jwt_authn @taoxuy @lizan @UNOWNED
# grpc_field_extraction http filter extension
/*/extensions/filters/http/grpc_field_extraction @taoxuy @nareddyt @yanavlasov
# grpc_http1_reverse_bridge http filter extension
@@ -42,29 +42,29 @@ extensions/filters/common/original_src @klarose @mattklein123
# tcp_stats transport socket extension
/*/extensions/transport_sockets/tcp_stats @ggreenway @mattklein123
# tls transport socket extension
/*/extensions/transport_sockets/tls @lizan @ggreenway
/*/extensions/transport_sockets/tls @RyanTheOptimist @ggreenway @botengyao
# tls SPIFFE certificate validator extension
/*/extensions/transport_sockets/tls/cert_validator/spiffe @mathetake @lizan
/*/extensions/transport_sockets/tls/cert_validator/spiffe @mathetake @botengyao @UNOWNED
# proxy protocol socket extension
/*/extensions/transport_sockets/proxy_protocol @alyssawilk @wez470
# common transport socket
/*/extensions/transport_sockets/common @alyssawilk @wez470
# starttls transport socket
/*/extensions/transport_sockets/starttls @cpakulski @lizan
/*/extensions/transport_sockets/starttls @cpakulski @botengyao @UNOWNED
# proxy transport socket
/*extensions/transport_sockets/http_11_proxy @alyssawilk @ryantheoptimist
# internal upstream transport socket
/*/extensions/transport_sockets/internal_upstream @kyessenov @alyssawilk
# sni_cluster extension
/*/extensions/filters/network/sni_cluster @rshriram @lizan
/*/extensions/filters/network/sni_cluster @rshriram @UNOWNED
# sni_dynamic_forward_proxy extension
/*/extensions/filters/network/sni_dynamic_forward_proxy @rshriram @lizan
/*/extensions/filters/network/sni_dynamic_forward_proxy @rshriram @UNOWNED
# tracers.datadog extension
/*/extensions/tracers/datadog @dmehala @mattklein123
# tracers.xray extension
/*/extensions/tracers/xray @suniltheta @mattklein123
# tracers.skywalking extension
/*/extensions/tracers/skywalking @wbpcode @lizan @Shikugawa
/*/extensions/tracers/skywalking @wbpcode @Shikugawa
# tracers.opentelemetry extension
/*/extensions/tracers/opentelemetry @alexanderellis @htuch
# quic extension
@@ -97,32 +97,32 @@ extensions/filters/common/original_src @klarose @mattklein123
# admission control extension.
/*/extensions/filters/http/admission_control @tonya11en @mattklein123
# http inspector
/*/extensions/filters/listener/http_inspector @yxue @lizan
/*/extensions/filters/listener/http_inspector @yxue @wbpcode
# attribute context
/*/extensions/filters/common/expr @kyessenov @yangminzhu @lizan @tyxia
/*/extensions/filters/common/expr @kyessenov @yangminzhu @tyxia
# webassembly access logger extensions
/*/extensions/access_loggers/wasm @mpwarres @lizan
/*/extensions/access_loggers/wasm @mpwarres @lizan @UNOWNED
# webassembly bootstrap extensions
/*/extensions/bootstrap/wasm @mpwarres @lizan
/*/extensions/bootstrap/wasm @mpwarres @lizan @UNOWNED
# webassembly http extensions
/*/extensions/filters/http/wasm @mpwarres @lizan
/*/extensions/filters/http/wasm @mpwarres @lizan @UNOWNED
# webassembly network extensions
/*/extensions/filters/network/wasm @mpwarres @lizan
/*/extensions/filters/network/wasm @mpwarres @lizan @UNOWNED
# webassembly common extension
/*/extensions/common/wasm @mpwarres @lizan
/*/extensions/common/wasm @mpwarres @lizan @UNOWNED
# webassembly runtimes
/*/extensions/wasm_runtime/ @mpwarres @lizan
/*/extensions/wasm_runtime/ @mpwarres @lizan @UNOWNED
# common matcher
/*/extensions/common/matcher @mattklein123 @yangminzhu
/*/extensions/common/proxy_protocol @alyssawilk @wez470
/*/extensions/filters/http/grpc_http1_bridge @jose @mattklein123
/*/extensions/filters/http/fault @rshriram @alyssawilk
/*/extensions/filters/common/fault @rshriram @alyssawilk
/*/extensions/filters/http/grpc_json_transcoder @taoxuy @nareddyt @lizan
/*/extensions/filters/http/grpc_json_transcoder @taoxuy @nareddyt @lizan @UNOWNED
/*/extensions/filters/http/router @alyssawilk @mattklein123
/*/extensions/filters/common/rbac/matchers @conqerAtapple @ggreenway @alyssawilk
/*/extensions/filters/http/grpc_web @fengli79 @lizan
/*/extensions/filters/http/grpc_stats @kyessenov @lizan
/*/extensions/filters/http/grpc_web @fengli79 @lizan @UNOWNED
/*/extensions/filters/http/grpc_stats @kyessenov @botengyao
/*/extensions/filters/http/connect_grpc_bridge @jchadwick-buf @mattklein123
/*/extensions/filters/common/original_src @klarose @mattklein123
/*/extensions/filters/listener/tls_inspector @ggreenway @KBaichoo
@@ -135,7 +135,7 @@ extensions/filters/common/original_src @klarose @mattklein123
/*/extensions/stat_sinks/metrics_service @ramaraochavali @jmarantz
/*/extensions/stat_sinks/open_telemetry @ohadvano @mattklein123
# webassembly stat-sink extensions
/*/extensions/stat_sinks/wasm @mpwarres @lizan
/*/extensions/stat_sinks/wasm @mpwarres @lizan @UNOWNED
/*/extensions/resource_monitors/injected_resource @eziskind @htuch
/*/extensions/resource_monitors/common @eziskind @htuch @nezdolik
/*/extensions/resource_monitors/fixed_heap @eziskind @htuch @nezdolik
@@ -170,7 +170,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
# HTTP Kill Request
/*/extensions/filters/http/kill_request @qqustc @htuch
# Rate limit expression descriptor
/*/extensions/rate_limit_descriptors/expr @kyessenov @lizan
/*/extensions/rate_limit_descriptors/expr @kyessenov @UNOWNED
# hash input matcher
/*/extensions/matching/input_matchers/consistent_hashing @donyu @mattklein123
# runtime fraction input matcher
@@ -210,7 +210,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
# set_metadata extension
/*/extensions/filters/http/set_metadata @aguinet @mattklein123
# Formatters
/*/extensions/formatter/metadata @cpakulski @lizan
/*/extensions/formatter/metadata @cpakulski @UNOWNED
/*/extensions/formatter/cel @kyessenov @zirain
# IP address input matcher
/*/extensions/matching/input_matchers/ip @aguinet @mattklein123
@@ -281,7 +281,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
/*/extensions/filters/http/ext_authz @esmet @tyxia @ggreenway
/*/extensions/filters/network/ext_authz @esmet @tyxia @ggreenway
# original dst
/*/extensions/filters/listener/original_dst @kyessenov @lizan
/*/extensions/filters/listener/original_dst @kyessenov @UNOWNED
# mongo proxy
/*/extensions/filters/network/mongo_proxy @mythra @giantcroc @mattklein123
# formatter
@@ -312,7 +312,7 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
# path rewrite by pattern
/*/extensions/path/rewrite/uri_template @alyssawilk @yanjunxiang-google
# Dubbo codec
/*/extensions/common/dubbo @wbpcode @lizan
/*/extensions/common/dubbo @wbpcode @UNOWNED
# upstream load balancing policies
/*/extensions/load_balancing_policies/common @wbpcode @tonya11en @nezdolik
/*/extensions/load_balancing_policies/least_request @wbpcode @tonya11en @nezdolik
@@ -378,15 +378,15 @@ extensions/filters/http/oauth2 @derekargueta @mattklein123
/mobile/ @RyanTheOptimist @alyssawilk @abeyad @fredyw

# Contrib
/contrib/exe/ @mattklein123 @lizan
/contrib/exe/ @mattklein123 @UNOWNED
/contrib/client_ssl_auth/ @UNOWNED @UNOWNED
/contrib/checksum/ @ravenblackx @phlax
/contrib/common/sqlutils/ @cpakulski @cpakulski
/contrib/dynamo/ @UNOWNED @UNOWNED
/contrib/golang/ @doujiang24 @wangfakang @StarryVae @spacewander @antJack
/contrib/squash/ @yuval-k @alyssawilk
/contrib/kafka/ @mattklein123 @adamkotwasinski
/contrib/rocketmq_proxy/ @aaron-ai @lizhanhui @lizan
/contrib/rocketmq_proxy/ @aaron-ai @lizhanhui
/contrib/mysql_proxy/ @rshriram @venilnoronha
/contrib/postgres_proxy/ @fabriziomello @cpakulski
/contrib/sxg/ @cpapazian @alyssawilk
6 changes: 3 additions & 3 deletions OWNERS.md
@@ -19,9 +19,6 @@ routing PRs, questions, etc. to the right place.
* Stephan Zuercher ([zuercher](https://github.com/zuercher)) (zuercher@gmail.com)
* Load balancing, upstream clusters and cluster manager, logging, complex HTTP routing
(metadata, etc.), and macOS build.
* Lizan Zhou ([lizan](https://github.com/lizan)) (lizan.j@gmail.com)
* gRPC, gRPC/JSON transcoding, and core networking (transport socket abstractions), Bazel, build
issues, and CI in general.
* Greg Greenway ([ggreenway](https://github.com/ggreenway)) (ggreenway@apple.com)
* TLS, TCP proxy, listeners, and HTTP proxy/connection pooling.
* Yan Avlasov ([yanavlasov](https://github.com/yanavlasov)) (yavlasov@google.com)
@@ -74,6 +71,8 @@ without further review.
* Wasm
* doujiang24 ([doujiang24] https://github.com/doujiang24) (doujiang24@gmail.com)
* Golang
* Lizan Zhou ([lizan](https://github.com/lizan)) (lizan.j@gmail.com)
* Wasm, JWT, gRPC-JSON transcoder

# Envoy security team

@@ -107,6 +106,7 @@ without further review.
* JP Simard ([jpsim](https://github.com/jpsim)) (jp@lyft.com)
* Rafal Augustyniak ([Augustyniak](https://github.com/Augustyniak)) (raugustyniak@lyft.com)
* Snow Pettersen ([snowp](https://github.com/snowp)) (aickck@gmail.com)
* Lizan Zhou ([lizan](https://github.com/lizan)) (lizan.j@gmail.com)

# Friends of Envoy

8 changes: 8 additions & 0 deletions changelogs/current.yaml
@@ -85,6 +85,9 @@ minor_behavior_changes:
``%UPSTREAM_REMOTE_PORT%`` and ``%UPSTREAM_REMOTE_ADDRESS_WITHOUT_PORT%`` access log format specifiers.
This behavior can be reverted by setting the runtime guard
``envoy.reloadable_features.upstream_remote_address_use_connection`` to false.
- area: access_log
change: |
The ``%CEL%`` formatter support call functions.
- area: http
change: |
Changing header validation checks in the substitution format utility and CEL code to do RCF complaint header validation.
@@ -353,6 +356,11 @@ new_features:
change: |
Added :ref:`bypass_overload_manager <envoy_v3_api_field_config.listener.v3.Listener.bypass_overload_manager>`
to bypass the overload manager for a listener. When set to true, the listener will not be subject to overload protection.
- area: rbac
change: |
The RBAC filter will now log the enforced rule to the dynamic metadata field
"enforced_effective_policy_id" and the result to the dynamic metadata field
"enforced_engine_result". These are only populated if a non-shadow engine exists.
- area: rbac
change: |
Added :ref:`delay_deny <envoy_v3_api_msg_extensions.filters.network.rbac.v3.RBAC>` to support deny connection after
44 changes: 22 additions & 22 deletions source/common/formatter/substitution_formatter.cc
@@ -26,29 +26,29 @@ const std::regex& SubstitutionFormatParser::commandWithArgsRegex() {
// formatter command string.
//
// clang-format off
// Non-capturing group specifying optional :LENGTH ----------------------
// |
// Non-capturing group specifying optional (SUBCOMMAND)--- |
// | |
// Non-capturing group specifying mandatory COMMAND | |
// which uses only A-Z, 0-9 and _ characters | |
// Group is used only to specify allowed characters. | |
// | | |
// | | |
// _________________ _______________ _____________
// | | | | | |
// Non-capturing group specifying optional :LENGTH -------------------------------
// |
// Non-capturing group specifying optional (SUBCOMMAND)--- |
// | |
// Non-capturing group specifying mandatory COMMAND | |
// which uses only A-Z, 0-9 and _ characters | |
// Group is used only to specify allowed characters. | |
// | | |
// | | |
// ____________________ _____________________ _____________
// | | | | | |
CONSTRUCT_ON_FIRST_USE(std::regex,
R"EOF(^%((?:[A-Z]|[0-9]|_)+)(?:\(([^\)]*)\))?(?::([0-9]+))?%)EOF");
// |__________________| |______| |______|
// | | |
// Capturing group specifying COMMAND -- | |
// The index of this group is 1. | |
// | |
// Capturing group for SUBCOMMAND. If present, it will ----- |
// contain SUBCOMMAND without "(" and ")". The index |
// of SUBCOMMAND group is 2. |
// |
// Capturing group for LENGTH. If present, it will -------------------------
R"EOF(^%((?:[A-Z]|[0-9]|_)+)(?:\(([^\)]*|[^\}]*)\))?(?::([0-9]+))?%)EOF");
// |__________________| |______________| |______|
// | | |
// Capturing group specifying COMMAND -- | |
// The index of this group is 1. | |
// | |
// Capturing group for SUBCOMMAND. If present, it will -------- |
// contain SUBCOMMAND without ")%". The index |
// of SUBCOMMAND group is 2. |
// |
// Capturing group for LENGTH. If present, it will --------------------------------
// contain just number without ":". The index of
// LENGTH group is 3.
// clang-format on
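Review bot: The widened SUBCOMMAND group `([^\)]*|[^\}]*)` in the new regex lets its second alternative run across `)` and `%`, so once the first alternative fails the engine backtracks to the last `)%` (or `):N%`) not preceded by a `}`; a constructed input such as `%REQ(A)x%REQ(B)%` now matches as a single command with subcommand `A)x%REQ(B`, where the old pattern did not match at all. What the caller does with that match is outside this hunk, but it likely turns a format string that used to be rejected into one that is silently mis-parsed, which is worth guarding when access-log formats are assembled from templated configuration. The two alternatives together also reject any subcommand that contains both `)` and `}`, and the comment block does not say why `}` is the excluded character. I would add a line such as `// SUBCOMMAND may contain ")" (e.g. CEL function calls); it then extends to the last ")" before "%" or ":LENGTH%".`, and either pin the over-match with a negative test or extract the parenthesised argument with a balanced scan rather than the regex. commandWithArgsRegex() starts above this hunk and its closing lines are below it.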