Merge branch 'master' into envoyproxygh-5808

.bazelignore

@@ -1,2 +1,3 @@
 api
 examples/grpc-bridge/script
+tools/clang_tools

.bazelrc

@@ -27,9 +27,10 @@ build:linux --copt=-fPIC
 # We already have absl in the build, define absl=1 to tell googletest to use absl for backtrace.
 build --define absl=1
 
-# Pass PATH, CC and CXX variables from the environment.
+# Pass PATH, CC, CXX and LLVM_CONFIG variables from the environment.
 build --action_env=CC
 build --action_env=CXX
+build --action_env=LLVM_CONFIG
 build --action_env=PATH
 
 # Common flags for sanitizers
@@ -84,14 +85,17 @@ build:clang-tsan --linkopt -fuse-ld=lld
 # Needed due to https://github.com/libevent/libevent/issues/777
 build:clang-tsan --copt -DEVENT__DISABLE_DEBUG_MODE
 
-# Clang MSAN - broken today since we need to rebuild lib[std]c++ and external deps with MSAN
-# support (see https://github.com/envoyproxy/envoy/issues/443).
+# Clang MSAN - this is the base config for remote-msan and docker-msan. To run this config without
+# our build image, follow https://github.com/google/sanitizers/wiki/MemorySanitizerLibcxxHowTo
+# with libc++ instruction and provide corresponding `--copt` and `--linkopt` as well.
 build:clang-msan --action_env=ENVOY_MSAN=1
 build:clang-msan --config=sanitizer
 build:clang-msan --define ENVOY_CONFIG_MSAN=1
 build:clang-msan --copt -fsanitize=memory
 build:clang-msan --linkopt -fsanitize=memory
 build:clang-msan --copt -fsanitize-memory-track-origins=2
+# MSAN needs -O1 to get reasonable performance.
+build:clang-msan --copt -O1
 
 # Clang with libc++
 build:libc++ --config=clang
@@ -125,6 +129,10 @@ build:rbe-toolchain-clang-libc++ --action_env=CXXFLAGS=-stdlib=libc++
 build:rbe-toolchain-clang-libc++ --action_env=LDFLAGS=-stdlib=libc++
 build:rbe-toolchain-clang-libc++ --define force_libcpp=enabled
 
+build:rbe-toolchain-msan --linkopt=-L/opt/libcxx_msan/lib
+build:rbe-toolchain-msan --linkopt=-Wl,-rpath,/opt/libcxx_msan/lib
+build:rbe-toolchain-msan --config=clang-msan
+
 build:rbe-toolchain-gcc --config=rbe-toolchain
 build:rbe-toolchain-gcc --crosstool_top=@rbe_ubuntu_gcc//cc:toolchain
 build:rbe-toolchain-gcc --extra_toolchains=@rbe_ubuntu_gcc//config:cc-toolchain
@@ -146,6 +154,10 @@ build:remote-clang-libc++ --config=rbe-toolchain-clang-libc++
 build:remote-gcc --config=remote
 build:remote-gcc --config=rbe-toolchain-gcc
 
+build:remote-msan --config=remote
+build:remote-msan --config=rbe-toolchain-clang-libc++
+build:remote-msan --config=rbe-toolchain-msan
+
 # Docker sandbox
 # NOTE: Update this from https://github.com/envoyproxy/envoy-build-tools/blob/master/toolchains/rbe_toolchains_config.bzl#L7
 build:docker-sandbox --experimental_docker_image=envoyproxy/envoy-build-ubuntu@sha256:f0b2453c3587e3297f5caf5e97fbf57c97592c96136209ec13fe2795aae2c896
@@ -166,6 +178,10 @@ build:docker-clang-libc++ --config=rbe-toolchain-clang-libc++
 build:docker-gcc --config=docker-sandbox
 build:docker-gcc --config=rbe-toolchain-gcc
 
+build:docker-msan --config=docker-sandbox
+build:docker-msan --config=rbe-toolchain-clang-libc++
+build:docker-msan --config=rbe-toolchain-msan
+
 # CI configurations
 build:remote-ci --remote_cache=grpcs://remotebuildexecution.googleapis.com
 build:remote-ci --remote_executor=grpcs://remotebuildexecution.googleapis.com

.clang-tidy

@@ -4,6 +4,7 @@ Checks:          'abseil-*,
                   clang-diagnostic-*,
                   misc-unused-using-decls,
                   modernize-*,
+                  -modernize-pass-by-value,
                   -modernize-use-trailing-return-type,
                   performance-*,
                   readability-braces-around-statements,

CODEOWNERS

@@ -55,7 +55,7 @@ extensions/filters/common/original_src @snowp @klarose
 # adaptive concurrency limit extension.
 /*/extensions/filters/http/adaptive_concurrency @tonya11en @mattklein123
 # http inspector
-/*/extensions/filters/listener/http_inspector @crazyxy @PiotrSikora @lizan
+/*/extensions/filters/listener/http_inspector @yxue @PiotrSikora @lizan
 # attribute context
 /*/extensions/filters/common/expr @kyessenov @yangminzhu
 # webassembly common extension
@@ -91,3 +91,4 @@ extensions/filters/common/original_src @snowp @klarose
 /*/extensions/filters/network/tcp_proxy @alyssawilk @zuercher
 /*/extensions/filters/network/echo @htuch @alyssawilk
 /*/extensions/filters/udp/udp_proxy @mattklein123 @danzh2010
+/*/extensions/clusters/aggregate @yxue @snowp

OWNERS.md

@@ -10,7 +10,7 @@ routing PRs, questions, etc. to the right place.
   * Catch-all, "all the things", and generally trying to make himself obsolete as fast as
     possible.
 * Harvey Tuch ([htuch](https://github.com/htuch)) ([email protected])
-  * APIs, xDS, gRPC, configuration, Bazel/build, base server (startup, etc.), Python, and Bash.
+  * APIs, xDS, UDPA, gRPC, configuration, security, Python, and Bash.
 * Alyssa Wilk ([alyssawilk](https://github.com/alyssawilk)) ([email protected])
   * HTTP, flow control, cluster manager, load balancing, and core networking (listeners,
     connections, etc.).
@@ -25,6 +25,8 @@ routing PRs, questions, etc. to the right place.
 
 # Maintainers
 
+* Asra Ali ([asraa](https://github.com/asraa)) ([email protected])
+  * Fuzzing, security, headers, HTTP/gRPC, router, access log, tests.
 * Jose Nino ([junr03](https://github.com/junr03)) ([email protected])
   * Outlier detection, HTTP routing, xDS, configuration/operational questions.
 * Dan Noé ([dnoe](https://github.com/dnoe)) ([email protected])
@@ -39,7 +41,6 @@ routing PRs, questions, etc. to the right place.
 * All maintainers
 * Piotr Sikora ([PiotrSikora](https://github.com/PiotrSikora)) ([email protected])
 * Yan Avlasov ([yanavlasov](https://github.com/yanavlasov)) ([email protected])
-* Asra Ali ([asraa](https://github.com/asraa)) ([email protected])
 
 # Emeritus maintainers
 

SECURITY.md

@@ -185,16 +185,16 @@ These steps should be completed 1-3 days after the Release Date. The retrospecti
 ## Private Distributors List
 
 This list is intended to be used primarily to provide actionable information to
-multiple distribution vendors at once. This list is not intended for
-individuals to find out about security issues.
+multiple distribution vendors as well as a *limited* set of high impact end users at once. *This
+list is not intended in the general case for end users to find out about security issues*.
 
 ### Embargo Policy
 
 The information members receive on cncf-envoy-distributors-announce must not be made public, shared, nor
 even hinted at anywhere beyond the need-to-know within your specific team except with the list's
 explicit approval. This holds true until the public disclosure date/time that was agreed upon by the
 list. Members of the list and others may not use the information for anything other than getting the
-issue fixed for your respective distribution's users.
+issue fixed for your respective users.
 
 Before any information from the list is shared with respective members of your team required to fix
 said issue, they must agree to the same terms and only find out information on a need-to-know basis.
@@ -246,7 +246,7 @@ could be in the form of the following:
 ### Membership Criteria
 
 To be eligible for the cncf-envoy-distributors-announce mailing list, your
-distribution should:
+use of Envoy should:
 
 1. Be either:
    1. An actively maintained distribution of Envoy components. An example is
@@ -261,11 +261,36 @@ distribution should:
       marketing copy, etc.) that it is built on top of Envoy. E.g.,
       "SuperAwesomeCloudProvider's Envoy as a Service (EaaS)". An infrastructure
       service that uses Envoy for a product but does not publicly say they are
-      using Envoy does not qualify. This is essentially IaaS or PaaS, if you use
-      Envoy to support a SaaS, e.g. "SuperAwesomeCatVideoService", this does not
-      qualify.
-2. Have a user or customer base not limited to your own organization. We will use the size
-   of the user or customer base as part of the criteria to determine
+      using Envoy does not *generally* qualify (see option 3 that follows). This is essentially IaaS
+      or PaaS. If you use Envoy to support a SaaS, e.g. "SuperAwesomeCatVideoService", this does not
+      *generally* qualify.
+
+   OR
+
+   3. An end user of Envoy that satisfies the following requirements:
+       1. Is "well known" to the Envoy community. Being "well known" is fully subjective and
+          determined by the Envoy maintainers and security team. Becoming "well known" would
+          generally be achieved by activities such as: PR contributions, either code or
+          documentation; helping other end users on Slack, GitHub, and the mailing lists; speaking
+          about use of Envoy at conferences; writing about use of Envoy in blog posts; sponsoring
+          Envoy conferences, meetups, and other activities; etc. This is a more strict variant of
+          item 5 below.
+       2. Is of sufficient size, scale, and impact to make your inclusion on the list
+          worthwhile. The definition of size, scale, and impact is fully subjective and
+          determined by the Envoy maintainers and security team. The definition will not be
+          discussed further in this document.
+       3. You *must* smoke test and then widely deploy security patches promptly and report back
+          success or failure ASAP. Furthermore, the Envoy maintainers may occasionally ask you to
+          smoke test especially risky public PRs before they are merged. Not performing these tasks
+          in a reasonably prompt timeframe will result in removal from the list. This is a more
+          strict variant of item 7 below.
+       4. In order to balance inclusion in the list versus a greater chance of accidental
+          disclosure, end users added to the list via this option will be limited to a total of
+          **10** slots. Periodic review (see below) may allow new slots to open, so please continue
+          to apply if it seems your organization would otherwise qualify. The security team also
+          reserves the right to change this limit in the future.
+2. Have a user or customer base not limited to your own organization (except for option 3 above).
+   We will use the size of the user or customer base as part of the criteria to determine
    eligibility.
 3. Have a publicly verifiable track record up to present day of fixing security
    issues.
@@ -286,7 +311,7 @@ distribution should:
     e-mail updates. This e-mail address will be [shared with the Envoy community](#Members).
 
 Note that Envoy maintainers are members of the Envoy security team. [Members of the Envoy security
-team](OWNERS.md#envoy-security-team) and the organizations that they represents are implicitly
+team](OWNERS.md#envoy-security-team) and the organizations that they represent are implicitly
 included in the private distributor list. These organizations do not need to meet the above list of
 criteria with the exception of the acceptance of the embargo policy.
 
@@ -306,11 +331,20 @@ Subject: Seven-Corp Membership to cncf-envoy-distributors-announce
 Below are each criterion and why I think we, Seven-Corp, qualify.
 
 > 1. Be an actively maintained distribution of Envoy components OR offer Envoy as a publicly
-     available service in which the product clearly states that it is built on top of Envoy.
+     available service in which the product clearly states that it is built on top of Envoy OR
+     be a well known end user of sufficient size, scale, and impact to make your
+     inclusion worthwhile.
 
 We distribute the "Seven" distribution of Envoy [link]. We have been doing
 this since 1999 before proxies were even cool.
 
+OR
+
+We use Envoy for our #1 rated cat video service and have 40 billion MAU, proxying 40 trillion^2 RPS
+through Envoy at the edge. Secure cat videos are our top priority. We also contribute a lot to the Envoy
+community by implementing features, not making Matt ask for documentation or tests, and writing blog
+posts about efficient Envoy cat video serving.
+
 > 2. Have a user or customer base not limited to your own organization. Please specify an
 >    approximate size of your user or customer base, including the number of
 >    production deployments.
@@ -361,21 +395,29 @@ CrashOverride will vouch for the "Seven" distribution joining the distribution l
       individuals come and go. A good example is [email protected], a bad example is
       [email protected]. You must accept the invite sent to this address or you will not receive any
       e-mail updates. This e-mail address will be shared with the Envoy community.
+
+[email protected]
 ```
 
+### Review of membership criteria
+
+In all cases, members of the distribution list will be reviewed on a yearly basis by the maintainers
+and security team to ensure they still qualify for inclusion on the list.
+
 ### Members
 
-| E-mail                                                | Organization  |
-|-------------------------------------------------------|:-------------:|
-| [email protected]                      | Aspen Mesh    |
-| [email protected]                      | AWS           |
-| [email protected]                                    | Cilium        |
-| [email protected]                 | Cloud Foundry |
-| [email protected]                                  | Datawire      |
-| [email protected]             | Google        |
-| [email protected]                                   | IBM           |
-| [email protected] | Istio         |
-| [email protected]                                   | Red Hat       |
-| [email protected]                                | solo.io       |
-| [email protected]                             | Tetrate       |
-| [email protected]                                   | VMware        |
+| E-mail                                                | Organization  | End User | Last Review |
+|-------------------------------------------------------|:-------------:|:--------:|:-----------:|
+| [email protected]                      | Aspen Mesh    | No       | 12/19       |
+| [email protected]                      | AWS           | No       | 12/19       |
+| [email protected]                                    | Cilium        | No       | 12/19       |
+| [email protected]                 | Cloud Foundry | No       | 12/19       |
+| [email protected]                                  | Datawire      | No       | 12/19       |
+| [email protected]             | Google        | No       | 12/19       |
+| [email protected]                                   | IBM           | No       | 12/19       |
+| [email protected] | Istio         | No       | 12/19       |
+| [email protected]                                   | Red Hat       | No       | 12/19       |
+| [email protected]                                | solo.io       | No       | 12/19       |
+| [email protected]                             | Tetrate       | No       | 12/19       |
+| [email protected]                                   | VMware        | No       | 12/19       |
+| [email protected]                          | Pinterest     | Yes      | 12/19       |

api/bazel/api_build_system.bzl

@@ -68,7 +68,7 @@ def _api_py_proto_library(name, srcs = [], deps = []):
 
 # This defines googleapis py_proto_library. The repository does not provide its definition and requires
 # overriding it in the consuming project (see https://github.com/grpc/grpc/issues/19255 for more details).
-def py_proto_library(name, deps = []):
+def py_proto_library(name, deps = [], plugin = None):
     srcs = [dep[:-6] + ".proto" if dep.endswith("_proto") else dep for dep in deps]
     proto_deps = []
 
@@ -77,6 +77,10 @@ def py_proto_library(name, deps = []):
     # As a workaround, manually specify the proto dependencies for the imported python rules.
     if name == "annotations_py_proto":
         proto_deps = proto_deps + [":http_py_proto"]
+
+    # py_proto_library does not support plugin as an argument yet at gRPC v1.25.0:
+    # https://github.com/grpc/grpc/blob/v1.25.0/bazel/python_rules.bzl#L72.
+    # plugin should also be passed in here when gRPC version is greater than v1.25.x.
     _py_proto_library(
         name = name,
         srcs = srcs,

api/bazel/external_proto_deps.bzl

@@ -17,7 +17,7 @@ EXTERNAL_PROTO_IMPORT_BAZEL_DEP_MAP = {
 
 # This maps from the Bazel proto_library target to the Go language binding target for external dependencies.
 EXTERNAL_PROTO_GO_BAZEL_DEP_MAP = {
-    "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:cel_go_proto",
+    "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
     "@opencensus_proto//opencensus/proto/trace/v1:trace_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto_go",
     "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_and_config_proto_go",
 }

api/bazel/repository_locations.bzl

@@ -7,16 +7,16 @@ OPENCENSUS_PROTO_SHA256 = "faeb93f293ff715b0cb530d273901c0e2e99277b9ed1c0a0326bc
 PGV_GIT_SHA = "a18376249eb51cdd517f67fe8703897322812e6d"  # Nov 5, 2019
 PGV_SHA256 = "8e45a3582e7fa9d0005ad6ff1ed9208e793b847f1c455d2bbe5b1c580338ffaf"
 
-GOOGLEAPIS_GIT_SHA = "be480e391cc88a75cf2a81960ef79c80d5012068"  # Jul 24, 2019
-GOOGLEAPIS_SHA = "c1969e5b72eab6d9b6cfcff748e45ba57294aeea1d96fd04cd081995de0605c2"
+GOOGLEAPIS_GIT_SHA = "82944da21578a53b74e547774cf62ed31a05b841"  # Dec 2, 2019
+GOOGLEAPIS_SHA = "a45019af4d3290f02eaeb1ce10990166978c807cb33a9692141a076ba46d1405"
 
 PROMETHEUS_GIT_SHA = "99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c"  # Nov 17, 2017
 PROMETHEUS_SHA = "783bdaf8ee0464b35ec0c8704871e1e72afa0005c3f3587f65d9d6694bf3911b"
 
 KAFKA_SOURCE_SHA = "ae7a1696c0a0302b43c5b21e515c37e6ecd365941f68a510a7e442eebddf39a1"  # 2.2.0-rc2
 
-UDPA_GIT_SHA = "015fc86d90f4045a56f831bcdfa560bc455450e2"  # Oct 4, 2019
-UDPA_SHA256 = "2f2b4bdb718250531f3ed9c2010272f04bbca92af70348714fd3687e86acc1f7"
+UDPA_GIT_SHA = "d1f2ba7f5ba62c55b7466409e7f972c93e957d2b"  # Dec 6, 2019
+UDPA_SHA256 = "0271fb8ad2ec9ade21e4c7737dd128d2a8d8edebe911b777e2fc2585414aa045"
 
 ZIPKINAPI_RELEASE = "0.2.2"  # Aug 23, 2019
 ZIPKINAPI_SHA256 = "688c4fe170821dd589f36ec45aaadc03a618a40283bc1f97da8fa11686fc816b"

api/docs/BUILD

@@ -22,6 +22,7 @@ proto_library(
         "//envoy/api/v2/route:pkg",
         "//envoy/config/accesslog/v2:pkg",
         "//envoy/config/bootstrap/v2:pkg",
+        "//envoy/config/cluster/aggregate/v2alpha:pkg",
         "//envoy/config/cluster/dynamic_forward_proxy/v2alpha:pkg",
         "//envoy/config/cluster/redis:pkg",
         "//envoy/config/common/dynamic_forward_proxy/v2alpha:pkg",
@@ -65,6 +66,7 @@ proto_library(
         "//envoy/config/filter/network/zookeeper_proxy/v1alpha1:pkg",
         "//envoy/config/filter/thrift/rate_limit/v2alpha1:pkg",
         "//envoy/config/filter/thrift/router/v2alpha1:pkg",
+        "//envoy/config/filter/udp/udp_proxy/v2alpha:pkg",
         "//envoy/config/grpc_credential/v2alpha:pkg",
         "//envoy/config/health_checker/redis/v2:pkg",
         "//envoy/config/listener/v2:pkg",
@@ -92,5 +94,7 @@ proto_library(
         "//envoy/service/trace/v2:pkg",
         "//envoy/type:pkg",
         "//envoy/type/matcher:pkg",
+        "//envoy/type/metadata/v2:pkg",
+        "//envoy/type/tracing/v2:pkg",
     ],
 )

api/envoy/admin/v2alpha/certs.proto

@@ -2,9 +2,9 @@ syntax = "proto3";
 
 package envoy.admin.v2alpha;
 
+option java_package = "io.envoyproxy.envoy.admin.v2alpha";
 option java_outer_classname = "CertsProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.admin.v2alpha";
 
 import "google/protobuf/timestamp.proto";
 

api/envoy/admin/v2alpha/clusters.proto

@@ -2,9 +2,9 @@ syntax = "proto3";
 
 package envoy.admin.v2alpha;
 
+option java_package = "io.envoyproxy.envoy.admin.v2alpha";
 option java_outer_classname = "ClustersProto";
 option java_multiple_files = true;
-option java_package = "io.envoyproxy.envoy.admin.v2alpha";
 
 import "envoy/admin/v2alpha/metrics.proto";
 import "envoy/api/v2/core/address.proto";