diff --git a/bazel/envoy_library.bzl b/bazel/envoy_library.bzl index 7f9b745a504bc..8fb46f5f646b6 100644 --- a/bazel/envoy_library.bzl +++ b/bazel/envoy_library.bzl @@ -115,27 +115,10 @@ EXTENSION_STATUS_VALUES = [ def envoy_cc_extension( name, - security_posture, - category = None, - # Only set this for internal, undocumented extensions. - undocumented = False, - status = "stable", tags = [], extra_visibility = [], visibility = EXTENSION_CONFIG_VISIBILITY, **kwargs): - if not category: - fail("Category not set for %s" % name) - if type(category) == "string": - category = (category,) - for cat in category: - if cat not in EXTENSION_CATEGORIES: - fail("Unknown extension category for %s: %s" % - (name, cat)) - if security_posture not in EXTENSION_SECURITY_POSTURES: - fail("Unknown extension security posture: " + security_posture) - if status not in EXTENSION_STATUS_VALUES: - fail("Unknown extension status: " + status) if "//visibility:public" not in visibility: visibility = visibility + extra_visibility diff --git a/ci/osx-build-config/extensions_build_config.bzl b/ci/osx-build-config/extensions_build_config.bzl index 40c8fee0685e8..d7b96fc06e617 100644 --- a/ci/osx-build-config/extensions_build_config.bzl +++ b/ci/osx-build-config/extensions_build_config.bzl 
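Review bot: With `security_posture`, `category` and `status` dropped from the `envoy_cc_extension` signature, the `fail()` checks against `EXTENSION_SECURITY_POSTURES`, `EXTENSION_CATEGORIES` and `EXTENSION_STATUS_VALUES` no longer run at build time, and nothing in the visible hunks re-applies them to the metadata dicts in `extensions_build_config.bzl`. `security_posture` was previously a mandatory argument with no default, so an extension could not be declared without one. As a dict key it can now be omitted or misspelled without a build error, unless the docs generator (not shown here) rejects that. I would record the new contract on the macro, e.g. `# Extension metadata (categories, security_posture, status) now lives in source/extensions/extensions_build_config.bzl; it is not checked by this macro.` The macro body continues outside the hunk, so how a stale `security_posture = ...` argument falling into `**kwargs` surfaces cannot be confirmed from here.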
@@ -1,15 +1,33 @@ # Should match https://github.com/envoyproxy/envoy-mobile/blob/main/envoy_build_config/extensions_build_config.bzl # TODO(mattklein123): Actually pull this file from that repo and remove the envoy mobile specific filters. EXTENSIONS = { - "envoy.clusters.dynamic_forward_proxy": "//source/extensions/clusters/dynamic_forward_proxy:cluster", - "envoy.filters.connection_pools.http.generic": "//source/extensions/upstreams/http/generic:config", - "envoy.filters.http.buffer": "//source/extensions/filters/http/buffer:config", - "envoy.filters.http.dynamic_forward_proxy": "//source/extensions/filters/http/dynamic_forward_proxy:config", - "envoy.filters.http.router": "//source/extensions/filters/http/router:config", - "envoy.filters.network.http_connection_manager": "//source/extensions/filters/network/http_connection_manager:config", - "envoy.stat_sinks.metrics_service": "//source/extensions/stat_sinks/metrics_service:config", - "envoy.transport_sockets.raw_buffer": "//source/extensions/transport_sockets/raw_buffer:config", - "envoy.transport_sockets.tls": "//source/extensions/transport_sockets/tls:config", + "envoy.clusters.dynamic_forward_proxy": { + "source": "//source/extensions/clusters/dynamic_forward_proxy:cluster", + }, + "envoy.filters.connection_pools.http.generic": { + "source": "//source/extensions/upstreams/http/generic:config", + }, + "envoy.filters.http.buffer": { + "source": "//source/extensions/filters/http/buffer:config", + }, + "envoy.filters.http.dynamic_forward_proxy": { + "source": "//source/extensions/filters/http/dynamic_forward_proxy:config", + }, + "envoy.filters.http.router": { + "source": "//source/extensions/filters/http/router:config", + }, + "envoy.filters.network.http_connection_manager": { + "source": "//source/extensions/filters/network/http_connection_manager:config", + }, + "envoy.stat_sinks.metrics_service": { + "source": "//source/extensions/stat_sinks/metrics_service:config", + }, + 
"envoy.transport_sockets.raw_buffer": { + "source": "//source/extensions/transport_sockets/raw_buffer:config", + }, + "envoy.transport_sockets.tls": { + "source": "//source/extensions/transport_sockets/tls:config", + }, } WINDOWS_EXTENSIONS = {} EXTENSION_CONFIG_VISIBILITY = ["//:extension_config"] diff --git a/docs/build.sh b/docs/build.sh index 6e0b83731ba28..65e8286b93f48 100755 --- a/docs/build.sh +++ b/docs/build.sh @@ -79,7 +79,7 @@ BAZEL_BUILD_OPTIONS+=( # Generate RST for the lists of trusted/untrusted extensions in # intro/arch_overview/security docs. -bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/extensions:generate_extension_rst +bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/docs:generate_extension_rst -- "${GENERATED_RST_DIR}" # Generate RST for external dependency docs in intro/arch_overview/security. bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:generate_external_dep_rst diff --git a/source/extensions/BUILD b/source/extensions/BUILD index 779d1695d3b7c..6a22952e4e586 100644 --- a/source/extensions/BUILD +++ b/source/extensions/BUILD @@ -1 +1,5 @@ licenses(["notice"]) # Apache 2 + +exports_files([ + "extensions_build_config.bzl", +]) diff --git a/source/extensions/access_loggers/file/BUILD b/source/extensions/access_loggers/file/BUILD index 4fc1a97c8bfb2..d053296f6a9b8 100644 --- a/source/extensions/access_loggers/file/BUILD +++ b/source/extensions/access_loggers/file/BUILD @@ -15,12 +15,10 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.access_loggers", # TODO(#9953) determine if this is core or should be cleaned up. extra_visibility = [ "//test:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/common/config:config_provider_lib", diff --git a/source/extensions/access_loggers/grpc/BUILD b/source/extensions/access_loggers/grpc/BUILD index ebffc533ba20a..043c5dc898a1d 100644 
--- a/source/extensions/access_loggers/grpc/BUILD +++ b/source/extensions/access_loggers/grpc/BUILD @@ -97,13 +97,11 @@ envoy_cc_extension( name = "http_config", srcs = ["http_config.cc"], hdrs = ["http_config.h"], - category = "envoy.access_loggers", # TODO(#9953) clean up. extra_visibility = [ "//test/common/access_log:__subpackages__", "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ ":config_utils", "//include/envoy/server:access_log_config_interface", @@ -121,13 +119,11 @@ envoy_cc_extension( name = "tcp_config", srcs = ["tcp_config.cc"], hdrs = ["tcp_config.h"], - category = "envoy.access_loggers", # TODO(#9953) clean up. extra_visibility = [ "//test/common/access_log:__subpackages__", "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ ":config_utils", "//include/envoy/server:access_log_config_interface", diff --git a/source/extensions/access_loggers/open_telemetry/BUILD b/source/extensions/access_loggers/open_telemetry/BUILD index 0c4c07a036964..cb85c6957fbf0 100644 --- a/source/extensions/access_loggers/open_telemetry/BUILD +++ b/source/extensions/access_loggers/open_telemetry/BUILD @@ -61,13 +61,11 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.access_loggers", # TODO(#9953) clean up. extra_visibility = [ "//test/common/access_log:__subpackages__", "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/server:access_log_config_interface", "//source/common/common:assert_lib", diff --git a/source/extensions/access_loggers/stream/BUILD b/source/extensions/access_loggers/stream/BUILD index a35d7ba9cece1..f78092b3aedb3 100644 --- a/source/extensions/access_loggers/stream/BUILD +++ b/source/extensions/access_loggers/stream/BUILD 
@@ -12,11 +12,9 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.access_loggers", extra_visibility = [ "//test:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/common/config:config_provider_lib", diff --git a/source/extensions/access_loggers/wasm/BUILD b/source/extensions/access_loggers/wasm/BUILD index 0ed93bef9607d..ebe064a25c6f4 100644 --- a/source/extensions/access_loggers/wasm/BUILD +++ b/source/extensions/access_loggers/wasm/BUILD @@ -26,9 +26,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.access_loggers", - security_posture = "unknown", - status = "alpha", deps = [ ":wasm_access_log_lib", "//include/envoy/registry", diff --git a/source/extensions/all_extensions.bzl b/source/extensions/all_extensions.bzl index f1f2f9901850c..e01971168eb5b 100644 --- a/source/extensions/all_extensions.bzl +++ b/source/extensions/all_extensions.bzl 
@@ -1,49 +1,31 @@ -load("@bazel_skylib//lib:dicts.bzl", "dicts") load("@envoy_build_config//:extensions_build_config.bzl", "EXTENSIONS") -# These extensions are registered using the extension system but are required for the core Envoy build. -# The map may be overridden by extensions specified in envoy_build_config. -_required_extensions = { - "envoy.common.crypto.utility_lib": "//source/extensions/common/crypto:utility_lib", - "envoy.request_id.uuid": "//source/extensions/request_id/uuid:config", - "envoy.transport_sockets.tls": "//source/extensions/transport_sockets/tls:config", -} - # Return the extension cc_library target after select def _selected_extension_target(target): return target + "_envoy_extension" +def _get_extensions(): + return { + k: v + for k, v in EXTENSIONS.items() + if v.get("required") or + not v.get("builtin") + } + # Return all extensions to be compiled into Envoy. def envoy_all_extensions(denylist = []): - all_extensions = dicts.add(_required_extensions, EXTENSIONS) - # These extensions can be removed on a site specific basis. - return [_selected_extension_target(v) for k, v in all_extensions.items() if not k in denylist] - -# Core extensions needed to run Envoy's integration tests. -_core_extensions = [ - "envoy.access_loggers.file", - "envoy.access_loggers.stream", - "envoy.filters.http.router", - "envoy.filters.http.health_check", - "envoy.filters.network.http_connection_manager", - "envoy.stat_sinks.statsd", - "envoy.transport_sockets.raw_buffer", -] + return [_selected_extension_target(v["source"]) for k, v in _get_extensions().items() if not k in denylist] # Return all core extensions to be compiled into Envoy. def envoy_all_core_extensions(): - all_extensions = dicts.add(_required_extensions, EXTENSIONS) - # These extensions can be removed on a site specific basis. 
- return [v for k, v in all_extensions.items() if k in _core_extensions] + return [v["source"] for k, v in _get_extensions().items() if v.get("core")] _http_filter_prefix = "envoy.filters.http" def envoy_all_http_filters(): - all_extensions = dicts.add(_required_extensions, EXTENSIONS) - - return [_selected_extension_target(v) for k, v in all_extensions.items() if k.startswith(_http_filter_prefix)] + return [_selected_extension_target(v["source"]) for k, v in _get_extensions().items() if k.startswith(_http_filter_prefix)] # All network-layer filters are extensions with names that have the following prefix. _network_filter_prefix = "envoy.filters.network" @@ -53,6 +35,4 @@ _thrift_filter_prefix = "envoy.filters.thrift" # Return all network-layer filter extensions to be compiled into network-layer filter generic fuzzer. def envoy_all_network_filters(): - all_extensions = dicts.add(_required_extensions, EXTENSIONS) - - return [_selected_extension_target(v) for k, v in all_extensions.items() if (k.startswith(_network_filter_prefix) or k.startswith(_thrift_filter_prefix))] + return [_selected_extension_target(v["source"]) for k, v in _get_extensions().items() if (k.startswith(_network_filter_prefix) or k.startswith(_thrift_filter_prefix))] diff --git a/source/extensions/bootstrap/wasm/BUILD b/source/extensions/bootstrap/wasm/BUILD index fe58c86f94c02..3fcc6012c7964 100644 --- a/source/extensions/bootstrap/wasm/BUILD +++ b/source/extensions/bootstrap/wasm/BUILD @@ -16,9 +16,6 @@ envoy_cc_extension( hdrs = [ "config.h", ], - category = "envoy.bootstrap", - security_posture = "unknown", - status = "alpha", deps = [ "//include/envoy/registry", "//include/envoy/server:bootstrap_extension_config_interface", diff --git a/source/extensions/clusters/aggregate/BUILD b/source/extensions/clusters/aggregate/BUILD index 473f140b30da7..38f702f15543c 100644 --- a/source/extensions/clusters/aggregate/BUILD +++ b/source/extensions/clusters/aggregate/BUILD 
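Review bot: `_get_extensions()` iterates only the `EXTENSIONS` dict loaded from `@envoy_build_config`, so the entries that the removed `_required_extensions` map used to merge in unconditionally are now built only when every override config lists them itself. The `ci/osx-build-config/extensions_build_config.bzl` hunk in this diff lists neither `envoy.common.crypto.utility_lib` nor `envoy.request_id.uuid` and sets no `core` flag. With that config `envoy_all_extensions()` would appear to omit both and `envoy_all_core_extensions()` to return an empty list, unless something outside these hunks supplies them. The helper also assumes every value is a dict with a `source` key, so an override still in the old string-valued form fails with a generic evaluation error. I would have the helper check both conditions up front and `fail()` with a message naming the extension, as sketched below.

```starlark
# Entries the core build relies on; an override config must list them too.
_REQUIRED_EXTENSION_NAMES = [
    "envoy.common.crypto.utility_lib",
    "envoy.request_id.uuid",
]

def _get_extensions():
    for name in _REQUIRED_EXTENSION_NAMES:
        if name not in EXTENSIONS:
            fail("Required extension %s is missing from extensions_build_config.bzl" % name)
    for name, ext in EXTENSIONS.items():
        if type(ext) != "dict" or "source" not in ext:
            fail("Extension %s must be a dict with a \"source\" key" % name)

    # … unchanged: dict comprehension filtering on "required" / "builtin" …
```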
@@ -15,8 +15,6 @@ envoy_cc_extension( "cluster.h", "lb_context.h", ], - category = "envoy.clusters", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ "//source/common/upstream:cluster_factory_lib", "//source/common/upstream:upstream_includes", diff --git a/source/extensions/clusters/dynamic_forward_proxy/BUILD b/source/extensions/clusters/dynamic_forward_proxy/BUILD index 3a6fdf9f10804..36d74421839a1 100644 --- a/source/extensions/clusters/dynamic_forward_proxy/BUILD +++ b/source/extensions/clusters/dynamic_forward_proxy/BUILD @@ -12,8 +12,6 @@ envoy_cc_extension( name = "cluster", srcs = ["cluster.cc"], hdrs = ["cluster.h"], - category = "envoy.clusters", - security_posture = "robust_to_untrusted_downstream", deps = [ "//source/common/network:transport_socket_options_lib", "//source/common/upstream:cluster_factory_lib", diff --git a/source/extensions/clusters/redis/BUILD b/source/extensions/clusters/redis/BUILD index 54577e1483e39..829f517516d24 100644 --- a/source/extensions/clusters/redis/BUILD +++ b/source/extensions/clusters/redis/BUILD @@ -42,8 +42,6 @@ envoy_cc_extension( "redis_cluster.cc", "redis_cluster.h", ], - category = "envoy.clusters", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ "redis_cluster_lb", "//include/envoy/api:api_interface", diff --git a/source/extensions/common/crypto/BUILD b/source/extensions/common/crypto/BUILD index d33b7986b519d..4cd26ae3701ae 100644 --- a/source/extensions/common/crypto/BUILD +++ b/source/extensions/common/crypto/BUILD @@ -18,7 +18,6 @@ envoy_cc_extension( "crypto_impl.h", "utility_impl.h", ], - category = "DELIBERATELY_OMITTED", external_deps = [ "ssl", ], @@ -27,8 +26,6 @@ envoy_cc_extension( "//test/common/config:__subpackages__", "//test/common/crypto:__subpackages__", ], - security_posture = "unknown", - undocumented = True, deps = [ "//include/envoy/buffer:buffer_interface", "//source/common/common:assert_lib", 
diff --git a/source/extensions/compression/brotli/compressor/BUILD b/source/extensions/compression/brotli/compressor/BUILD index cee2e36945f5e..d190709060059 100644 --- a/source/extensions/compression/brotli/compressor/BUILD +++ b/source/extensions/compression/brotli/compressor/BUILD @@ -25,8 +25,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.compression.compressor", - security_posture = "robust_to_untrusted_downstream", deps = [ ":compressor_lib", "//source/common/http:headers_lib", diff --git a/source/extensions/compression/brotli/decompressor/BUILD b/source/extensions/compression/brotli/decompressor/BUILD index 3667300a8392f..22ae257a84ab9 100644 --- a/source/extensions/compression/brotli/decompressor/BUILD +++ b/source/extensions/compression/brotli/decompressor/BUILD @@ -27,8 +27,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.compression.decompressor", - security_posture = "robust_to_untrusted_downstream", deps = [ ":decompressor_lib", "//source/common/http:headers_lib", diff --git a/source/extensions/compression/gzip/compressor/BUILD b/source/extensions/compression/gzip/compressor/BUILD index 39a7e7c6e9d73..1274b4d8e6ea7 100644 --- a/source/extensions/compression/gzip/compressor/BUILD +++ b/source/extensions/compression/gzip/compressor/BUILD @@ -26,8 +26,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.compression.compressor", - security_posture = "robust_to_untrusted_downstream", deps = [ ":compressor_lib", "//source/common/http:headers_lib", diff --git a/source/extensions/compression/gzip/decompressor/BUILD b/source/extensions/compression/gzip/decompressor/BUILD index 0a1d8766031b9..541aa8bf8df96 100644 --- a/source/extensions/compression/gzip/decompressor/BUILD +++ b/source/extensions/compression/gzip/decompressor/BUILD 
@@ -29,8 +29,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.compression.decompressor", - security_posture = "robust_to_untrusted_downstream", deps = [ ":zlib_decompressor_impl_lib", "//source/common/http:headers_lib", diff --git a/source/extensions/extensions_build_config.bzl b/source/extensions/extensions_build_config.bzl index 616d7714ef79a..e6c76a8d7e2d9 100644 --- a/source/extensions/extensions_build_config.bzl +++ b/source/extensions/extensions_build_config.bzl 
@@ -1,274 +1,889 @@ # See bazel/README.md for details on how this system works. EXTENSIONS = { + + "envoy.request_id.uuid": { + "source": "//source/extensions/request_id/uuid:config", + "categories": ["envoy.request_id"], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + "builtin": True, + "required": True, + }, + "envoy.common.crypto.utility_lib": { + "source": "//source/extensions/common/crypto:utility_lib", + "required": True, + "categories": ["DELIBERATELY_OMITTED"], + "security_posture": "unknown", + "undocumented": True, + }, + # # Access loggers # - "envoy.access_loggers.file": "//source/extensions/access_loggers/file:config", - "envoy.access_loggers.http_grpc": "//source/extensions/access_loggers/grpc:http_config", - "envoy.access_loggers.tcp_grpc": "//source/extensions/access_loggers/grpc:tcp_config", - "envoy.access_loggers.open_telemetry": "//source/extensions/access_loggers/open_telemetry:config", - "envoy.access_loggers.stream": "//source/extensions/access_loggers/stream:config", - "envoy.access_loggers.wasm": "//source/extensions/access_loggers/wasm:config", + "envoy.access_loggers.file": { + "source": "//source/extensions/access_loggers/file:config", + "categories": ["envoy.access_loggers"], + "security_posture": "robust_to_untrusted_downstream", + "core": True, + }, + "envoy.access_loggers.http_grpc": { + "source": "//source/extensions/access_loggers/grpc:http_config", + "categories": ["envoy.access_loggers"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.access_loggers.tcp_grpc": { + "source": "//source/extensions/access_loggers/grpc:tcp_config", + "categories": ["envoy.access_loggers"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.access_loggers.open_telemetry": { + "source": "//source/extensions/access_loggers/open_telemetry:config", + "categories": ["envoy.access_loggers"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.access_loggers.stream": { + 
"source": "//source/extensions/access_loggers/stream:config", + "categories": ["envoy.access_loggers"], + "security_posture": "robust_to_untrusted_downstream", + "core": True, + }, + "envoy.access_loggers.wasm": { + "source": "//source/extensions/access_loggers/wasm:config", + "categories": ["envoy.access_loggers"], + "security_posture": "unknown", + "status": "alpha", + }, # # Clusters # - "envoy.clusters.aggregate": "//source/extensions/clusters/aggregate:cluster", - "envoy.clusters.dynamic_forward_proxy": "//source/extensions/clusters/dynamic_forward_proxy:cluster", - "envoy.clusters.redis": "//source/extensions/clusters/redis:redis_cluster", + "envoy.clusters.aggregate": { + "source": "//source/extensions/clusters/aggregate:cluster", + "categories": ["envoy.clusters"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, + "envoy.clusters.dynamic_forward_proxy": { + "source": "//source/extensions/clusters/dynamic_forward_proxy:cluster", + "categories": ["envoy.clusters"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.clusters.redis": { + "source": "//source/extensions/clusters/redis:redis_cluster", + "categories": ["envoy.clusters"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, # # Compression # - "envoy.compression.gzip.compressor": "//source/extensions/compression/gzip/compressor:config", - "envoy.compression.gzip.decompressor": "//source/extensions/compression/gzip/decompressor:config", - "envoy.compression.brotli.compressor": "//source/extensions/compression/brotli/compressor:config", - "envoy.compression.brotli.decompressor": "//source/extensions/compression/brotli/decompressor:config", + "envoy.compression.gzip.compressor": { + "source": "//source/extensions/compression/gzip/compressor:config", + "categories": ["envoy.compression.compressor"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.compression.gzip.decompressor": { + "source": 
"//source/extensions/compression/gzip/decompressor:config", + "categories": ["envoy.compression.decompressor"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.compression.brotli.compressor": { + "source": "//source/extensions/compression/brotli/compressor:config", + "categories": ["envoy.compression.compressor"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.compression.brotli.decompressor": { + "source": "//source/extensions/compression/brotli/decompressor:config", + "categories": ["envoy.compression.decompressor"], + "security_posture": "robust_to_untrusted_downstream", + }, # # gRPC Credentials Plugins # - "envoy.grpc_credentials.file_based_metadata": "//source/extensions/grpc_credentials/file_based_metadata:config", - "envoy.grpc_credentials.aws_iam": "//source/extensions/grpc_credentials/aws_iam:config", + "envoy.grpc_credentials.file_based_metadata": { + "source": "//source/extensions/grpc_credentials/file_based_metadata:config", + "categories": ["envoy.grpc_credentials"], + "security_posture": "data_plane_agnostic", + "status": "alpha", + }, + "envoy.grpc_credentials.aws_iam": { + "source": "//source/extensions/grpc_credentials/aws_iam:config", + "categories": ["envoy.grpc_credentials"], + "security_posture": "data_plane_agnostic", + "status": "alpha", + }, # # WASM # - "envoy.bootstrap.wasm": "//source/extensions/bootstrap/wasm:config", + "envoy.bootstrap.wasm": { + "source": "//source/extensions/bootstrap/wasm:config", + "categories": ["envoy.bootstrap"], + "security_posture": "unknown", + "status": "alpha", + }, # # Health checkers # - "envoy.health_checkers.redis": "//source/extensions/health_checkers/redis:config", + "envoy.health_checkers.redis": { + "source": "//source/extensions/health_checkers/redis:config", + "categories": ["envoy.health_checkers"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, # # Input Matchers # - "envoy.matching.input_matchers.consistent_hashing": 
"//source/extensions/matching/input_matchers/consistent_hashing:config", + "envoy.matching.input_matchers.consistent_hashing": { + "source": "//source/extensions/matching/input_matchers/consistent_hashing:config", + "categories": ["envoy.matching.input_matchers"], + "security_posture": "robust_to_untrusted_downstream", + }, # # Generic Inputs # - "envoy.matching.common_inputs.environment_variable": "//source/extensions/matching/common_inputs/environment_variable:config", + "envoy.matching.common_inputs.environment_variable": { + "source": "//source/extensions/matching/common_inputs/environment_variable:config", + "categories": ["envoy.matching.common_inputs"], + "security_posture": "robust_to_untrusted_downstream", + }, # # HTTP filters # - "envoy.filters.http.adaptive_concurrency": "//source/extensions/filters/http/adaptive_concurrency:config", - "envoy.filters.http.admission_control": "//source/extensions/filters/http/admission_control:config", - "envoy.filters.http.aws_lambda": "//source/extensions/filters/http/aws_lambda:config", - "envoy.filters.http.aws_request_signing": "//source/extensions/filters/http/aws_request_signing:config", - "envoy.filters.http.buffer": "//source/extensions/filters/http/buffer:config", - "envoy.filters.http.cache": "//source/extensions/filters/http/cache:config", - "envoy.filters.http.cdn_loop": "//source/extensions/filters/http/cdn_loop:config", - "envoy.filters.http.compressor": "//source/extensions/filters/http/compressor:config", - "envoy.filters.http.cors": "//source/extensions/filters/http/cors:config", - "envoy.filters.http.composite": "//source/extensions/filters/http/composite:config", - "envoy.filters.http.csrf": "//source/extensions/filters/http/csrf:config", - "envoy.filters.http.decompressor": "//source/extensions/filters/http/decompressor:config", - "envoy.filters.http.dynamic_forward_proxy": "//source/extensions/filters/http/dynamic_forward_proxy:config", - "envoy.filters.http.dynamo": 
"//source/extensions/filters/http/dynamo:config", - "envoy.filters.http.ext_authz": "//source/extensions/filters/http/ext_authz:config", - "envoy.filters.http.ext_proc": "//source/extensions/filters/http/ext_proc:config", - "envoy.filters.http.fault": "//source/extensions/filters/http/fault:config", - "envoy.filters.http.grpc_http1_bridge": "//source/extensions/filters/http/grpc_http1_bridge:config", - "envoy.filters.http.grpc_http1_reverse_bridge": "//source/extensions/filters/http/grpc_http1_reverse_bridge:config", - "envoy.filters.http.grpc_json_transcoder": "//source/extensions/filters/http/grpc_json_transcoder:config", - "envoy.filters.http.grpc_stats": "//source/extensions/filters/http/grpc_stats:config", - "envoy.filters.http.grpc_web": "//source/extensions/filters/http/grpc_web:config", - "envoy.filters.http.gzip": "//source/extensions/filters/http/gzip:config", - "envoy.filters.http.header_to_metadata": "//source/extensions/filters/http/header_to_metadata:config", - "envoy.filters.http.health_check": "//source/extensions/filters/http/health_check:config", - "envoy.filters.http.ip_tagging": "//source/extensions/filters/http/ip_tagging:config", - "envoy.filters.http.jwt_authn": "//source/extensions/filters/http/jwt_authn:config", + "envoy.filters.http.adaptive_concurrency": { + "source": "//source/extensions/filters/http/adaptive_concurrency:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.filters.http.admission_control": { + "source": "//source/extensions/filters/http/admission_control:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.filters.http.aws_lambda": { + "source": "//source/extensions/filters/http/aws_lambda:config", + "categories": ["envoy.filters.http"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, + "envoy.filters.http.aws_request_signing": { + "source": 
"//source/extensions/filters/http/aws_request_signing:config", + "categories": ["envoy.filters.http"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, + "envoy.filters.http.buffer": { + "source": "//source/extensions/filters/http/buffer:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.cache": { + "source": "//source/extensions/filters/http/cache:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + "status": "wip", + }, + "envoy.filters.http.cdn_loop": { + "source": "//source/extensions/filters/http/cdn_loop:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.filters.http.compressor": { + "source": "//source/extensions/filters/http/compressor:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.cors": { + "source": "//source/extensions/filters/http/cors:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.composite": { + "source": "//source/extensions/filters/http/composite:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.csrf": { + "source": "//source/extensions/filters/http/csrf:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.decompressor": { + "source": "//source/extensions/filters/http/decompressor:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + }, + "envoy.filters.http.dynamic_forward_proxy": { + "source": "//source/extensions/filters/http/dynamic_forward_proxy:config", + "categories": ["envoy.filters.http"], + 
"security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.dynamo": { + "source": "//source/extensions/filters/http/dynamo:config", + "categories": ["envoy.filters.http"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, + "envoy.filters.http.ext_authz": { + "source": "//source/extensions/filters/http/ext_authz:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.ext_proc": { + "source": "//source/extensions/filters/http/ext_proc:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.filters.http.fault": { + "source": "//source/extensions/filters/http/fault:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.grpc_http1_bridge": { + "source": "//source/extensions/filters/http/grpc_http1_bridge:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + }, + "envoy.filters.http.grpc_http1_reverse_bridge": { + "source": "//source/extensions/filters/http/grpc_http1_reverse_bridge:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.filters.http.grpc_json_transcoder": { + "source": "//source/extensions/filters/http/grpc_json_transcoder:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.grpc_stats": { + "source": "//source/extensions/filters/http/grpc_stats:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.filters.http.grpc_web": { + "source": "//source/extensions/filters/http/grpc_web:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.gzip": { + "source": 
"//source/extensions/filters/http/gzip:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.header_to_metadata": { + "source": "//source/extensions/filters/http/header_to_metadata:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.health_check": { + "source": "//source/extensions/filters/http/health_check:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + "core": True, + }, + "envoy.filters.http.ip_tagging": { + "source": "//source/extensions/filters/http/ip_tagging:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.jwt_authn": { + "source": "//source/extensions/filters/http/jwt_authn:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + "status": "alpha", + }, # Disabled by default - "envoy.filters.http.kill_request": "//source/extensions/filters/http/kill_request:kill_request_config", - "envoy.filters.http.local_ratelimit": "//source/extensions/filters/http/local_ratelimit:config", - "envoy.filters.http.lua": "//source/extensions/filters/http/lua:config", - "envoy.filters.http.oauth2": "//source/extensions/filters/http/oauth2:config", - "envoy.filters.http.on_demand": "//source/extensions/filters/http/on_demand:config", - "envoy.filters.http.original_src": "//source/extensions/filters/http/original_src:config", - "envoy.filters.http.ratelimit": "//source/extensions/filters/http/ratelimit:config", - "envoy.filters.http.rbac": "//source/extensions/filters/http/rbac:config", - "envoy.filters.http.router": "//source/extensions/filters/http/router:config", - "envoy.filters.http.squash": "//source/extensions/filters/http/squash:config", - "envoy.filters.http.tap": "//source/extensions/filters/http/tap:config", - 
"envoy.filters.http.wasm": "//source/extensions/filters/http/wasm:config", + "envoy.filters.http.kill_request": { + "source": "//source/extensions/filters/http/kill_request:kill_request_config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.local_ratelimit": { + "source": "//source/extensions/filters/http/local_ratelimit:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + }, + "envoy.filters.http.lua": { + "source": "//source/extensions/filters/http/lua:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.oauth2": { + "source": "//source/extensions/filters/http/oauth2:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + "status": "alpha", + }, + "envoy.filters.http.on_demand": { + "source": "//source/extensions/filters/http/on_demand:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.original_src": { + "source": "//source/extensions/filters/http/original_src:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + "status": "alpha", + }, + "envoy.filters.http.ratelimit": { + "source": "//source/extensions/filters/http/ratelimit:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.rbac": { + "source": "//source/extensions/filters/http/rbac:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.http.router": { + "source": "//source/extensions/filters/http/router:config", + "categories": ["envoy.filters.http"], + "security_posture": "robust_to_untrusted_downstream", + "core": True, + }, + "envoy.filters.http.squash": { + "source": 
"//source/extensions/filters/http/squash:config", + "categories": ["envoy.filters.http"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, + "envoy.filters.http.tap": { + "source": "//source/extensions/filters/http/tap:config", + "categories": ["envoy.filters.http"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, + "envoy.filters.http.wasm": { + "source": "//source/extensions/filters/http/wasm:config", + "categories": ["envoy.filters.http"], + "security_posture": "unknown", + "status": "alpha", + }, # # Listener filters # - "envoy.filters.listener.http_inspector": "//source/extensions/filters/listener/http_inspector:config", + "envoy.filters.listener.http_inspector": { + "source": "//source/extensions/filters/listener/http_inspector:config", + "categories": ["envoy.filters.listener"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, # NOTE: The original_dst filter is implicitly loaded if original_dst functionality is # configured on the listener. Do not remove it in that case or configs will fail to load. - "envoy.filters.listener.original_dst": "//source/extensions/filters/listener/original_dst:config", - "envoy.filters.listener.original_src": "//source/extensions/filters/listener/original_src:config", + "envoy.filters.listener.original_dst": { + "source": "//source/extensions/filters/listener/original_dst:config", + "categories": ["envoy.filters.listener"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.listener.original_src": { + "source": "//source/extensions/filters/listener/original_src:config", + "categories": ["envoy.filters.listener"], + "security_posture": "robust_to_untrusted_downstream", + "status": "alpha", + }, # NOTE: The proxy_protocol filter is implicitly loaded if proxy_protocol functionality is # configured on the listener. Do not remove it in that case or configs will fail to load. 
- "envoy.filters.listener.proxy_protocol": "//source/extensions/filters/listener/proxy_protocol:config", - "envoy.filters.listener.tls_inspector": "//source/extensions/filters/listener/tls_inspector:config", + "envoy.filters.listener.proxy_protocol": { + "source": "//source/extensions/filters/listener/proxy_protocol:config", + "categories": ["envoy.filters.listener"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.listener.tls_inspector": { + "source": "//source/extensions/filters/listener/tls_inspector:config", + "categories": ["envoy.filters.listener"], + "security_posture": "robust_to_untrusted_downstream", + }, # # Network filters # - "envoy.filters.network.client_ssl_auth": "//source/extensions/filters/network/client_ssl_auth:config", - "envoy.filters.network.direct_response": "//source/extensions/filters/network/direct_response:config", - "envoy.filters.network.dubbo_proxy": "//source/extensions/filters/network/dubbo_proxy:config", - "envoy.filters.network.echo": "//source/extensions/filters/network/echo:config", - "envoy.filters.network.ext_authz": "//source/extensions/filters/network/ext_authz:config", - "envoy.filters.network.http_connection_manager": "//source/extensions/filters/network/http_connection_manager:config", - "envoy.filters.network.kafka_broker": "//source/extensions/filters/network/kafka:kafka_broker_config_lib", - "envoy.filters.network.local_ratelimit": "//source/extensions/filters/network/local_ratelimit:config", - "envoy.filters.network.mongo_proxy": "//source/extensions/filters/network/mongo_proxy:config", - "envoy.filters.network.mysql_proxy": "//source/extensions/filters/network/mysql_proxy:config", - "envoy.filters.network.postgres_proxy": "//source/extensions/filters/network/postgres_proxy:config", - "envoy.filters.network.ratelimit": "//source/extensions/filters/network/ratelimit:config", - "envoy.filters.network.rbac": "//source/extensions/filters/network/rbac:config", - 
"envoy.filters.network.redis_proxy": "//source/extensions/filters/network/redis_proxy:config", - "envoy.filters.network.rocketmq_proxy": "//source/extensions/filters/network/rocketmq_proxy:config", - "envoy.filters.network.tcp_proxy": "//source/extensions/filters/network/tcp_proxy:config", - "envoy.filters.network.thrift_proxy": "//source/extensions/filters/network/thrift_proxy:config", - "envoy.filters.network.sni_cluster": "//source/extensions/filters/network/sni_cluster:config", - "envoy.filters.network.sni_dynamic_forward_proxy": "//source/extensions/filters/network/sni_dynamic_forward_proxy:config", - "envoy.filters.network.wasm": "//source/extensions/filters/network/wasm:config", - "envoy.filters.network.zookeeper_proxy": "//source/extensions/filters/network/zookeeper_proxy:config", + "envoy.filters.network.client_ssl_auth": { + "source": "//source/extensions/filters/network/client_ssl_auth:config", + "categories": ["envoy.filters.network"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.network.direct_response": { + "source": "//source/extensions/filters/network/direct_response:config", + "categories": ["envoy.filters.network"], + "security_posture": "unknown", + }, + "envoy.filters.network.dubbo_proxy": { + "source": "//source/extensions/filters/network/dubbo_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, + "envoy.filters.network.echo": { + "source": "//source/extensions/filters/network/echo:config", + "categories": ["envoy.filters.network"], + "security_posture": "unknown", + }, + "envoy.filters.network.ext_authz": { + "source": "//source/extensions/filters/network/ext_authz:config", + "categories": ["envoy.filters.network"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.network.http_connection_manager": { + "source": "//source/extensions/filters/network/http_connection_manager:config", + 
"categories": ["envoy.filters.network"], + "security_posture": "robust_to_untrusted_downstream", + "core": True, + }, + "envoy.filters.network.kafka_broker": { + "source": "//source/extensions/filters/network/kafka:kafka_broker_config_lib", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "wip", + }, + "envoy.filters.network.local_ratelimit": { + "source": "//source/extensions/filters/network/local_ratelimit:config", + "categories": ["envoy.filters.network"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.network.mongo_proxy": { + "source": "//source/extensions/filters/network/mongo_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, + "envoy.filters.network.mysql_proxy": { + "source": "//source/extensions/filters/network/mysql_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, + "envoy.filters.network.postgres_proxy": { + "source": "//source/extensions/filters/network/postgres_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, + "envoy.filters.network.ratelimit": { + "source": "//source/extensions/filters/network/ratelimit:config", + "categories": ["envoy.filters.network"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.network.rbac": { + "source": "//source/extensions/filters/network/rbac:config", + "categories": ["envoy.filters.network"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.network.redis_proxy": { + "source": "//source/extensions/filters/network/redis_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, + "envoy.filters.network.rocketmq_proxy": { + "source": 
"//source/extensions/filters/network/rocketmq_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, + "envoy.filters.network.tcp_proxy": { + "source": "//source/extensions/filters/network/tcp_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.filters.network.thrift_proxy": { + "source": "//source/extensions/filters/network/thrift_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, + "envoy.filters.network.sni_cluster": { + "source": "//source/extensions/filters/network/sni_cluster:config", + "categories": ["envoy.filters.network"], + "security_posture": "unknown", + }, + "envoy.filters.network.sni_dynamic_forward_proxy": { + "source": "//source/extensions/filters/network/sni_dynamic_forward_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.filters.network.wasm": { + "source": "//source/extensions/filters/network/wasm:config", + "categories": ["envoy.filters.network"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.filters.network.zookeeper_proxy": { + "source": "//source/extensions/filters/network/zookeeper_proxy:config", + "categories": ["envoy.filters.network"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, # # UDP filters # - "envoy.filters.udp_listener.dns_filter": "//source/extensions/filters/udp/dns_filter:config", - "envoy.filters.udp_listener.udp_proxy": "//source/extensions/filters/udp/udp_proxy:config", + "envoy.filters.udp_listener.dns_filter": { + "source": "//source/extensions/filters/udp/dns_filter:config", + "categories": ["envoy.filters.udp_listener"], + "security_posture": "robust_to_untrusted_downstream", + "status": "alpha", + }, + 
"envoy.filters.udp_listener.udp_proxy": { + "source": "//source/extensions/filters/udp/udp_proxy:config", + "categories": ["envoy.filters.udp_listener"], + "security_posture": "robust_to_untrusted_downstream", + }, # # Resource monitors # - "envoy.resource_monitors.fixed_heap": "//source/extensions/resource_monitors/fixed_heap:config", - "envoy.resource_monitors.injected_resource": "//source/extensions/resource_monitors/injected_resource:config", + "envoy.resource_monitors.fixed_heap": { + "source": "//source/extensions/resource_monitors/fixed_heap:config", + "categories": ["envoy.resource_monitors"], + "security_posture": "data_plane_agnostic", + "status": "alpha", + }, + "envoy.resource_monitors.injected_resource": { + "source": "//source/extensions/resource_monitors/injected_resource:config", + "categories": ["envoy.resource_monitors"], + "security_posture": "data_plane_agnostic", + "status": "alpha", + }, # # Stat sinks # - "envoy.stat_sinks.dog_statsd": "//source/extensions/stat_sinks/dog_statsd:config", - "envoy.stat_sinks.hystrix": "//source/extensions/stat_sinks/hystrix:config", - "envoy.stat_sinks.metrics_service": "//source/extensions/stat_sinks/metrics_service:config", - "envoy.stat_sinks.statsd": "//source/extensions/stat_sinks/statsd:config", - "envoy.stat_sinks.wasm": "//source/extensions/stat_sinks/wasm:config", + "envoy.stat_sinks.dog_statsd": { + "source": "//source/extensions/stat_sinks/dog_statsd:config", + "categories": ["envoy.stats_sinks"], + "security_posture": "data_plane_agnostic", + }, + "envoy.stat_sinks.hystrix": { + "source": "//source/extensions/stat_sinks/hystrix:config", + "categories": ["envoy.stats_sinks"], + "security_posture": "data_plane_agnostic", + }, + "envoy.stat_sinks.metrics_service": { + "source": "//source/extensions/stat_sinks/metrics_service:config", + "categories": ["envoy.stats_sinks"], + "security_posture": "data_plane_agnostic", + }, + "envoy.stat_sinks.statsd": { + "source": 
"//source/extensions/stat_sinks/statsd:config", + "categories": ["envoy.stats_sinks"], + "security_posture": "data_plane_agnostic", + "core": True, + }, + "envoy.stat_sinks.wasm": { + "source": "//source/extensions/stat_sinks/wasm:config", + "categories": ["envoy.stats_sinks"], + "security_posture": "data_plane_agnostic", + "status": "alpha", + }, # # Thrift filters # - "envoy.filters.thrift.router": "//source/extensions/filters/network/thrift_proxy/router:config", - "envoy.filters.thrift.ratelimit": "//source/extensions/filters/network/thrift_proxy/filters/ratelimit:config", + "envoy.filters.thrift.router": { + "source": "//source/extensions/filters/network/thrift_proxy/router:config", + "categories": ["envoy.thrift_proxy.filters"], + "security_posture": "requires_trusted_downstream_and_upstream", + }, + "envoy.filters.thrift.ratelimit": { + "source": "//source/extensions/filters/network/thrift_proxy/filters/ratelimit:config", + "categories": ["envoy.thrift_proxy.filters"], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, # # Tracers # - "envoy.tracers.dynamic_ot": "//source/extensions/tracers/dynamic_ot:config", - "envoy.tracers.lightstep": "//source/extensions/tracers/lightstep:config", - "envoy.tracers.datadog": "//source/extensions/tracers/datadog:config", - "envoy.tracers.zipkin": "//source/extensions/tracers/zipkin:config", - "envoy.tracers.opencensus": "//source/extensions/tracers/opencensus:config", - "envoy.tracers.xray": "//source/extensions/tracers/xray:config", - "envoy.tracers.skywalking": "//source/extensions/tracers/skywalking:config", + "envoy.tracers.dynamic_ot": { + "source": "//source/extensions/tracers/dynamic_ot:config", + "categories": ["envoy.tracers"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.tracers.lightstep": { + "source": "//source/extensions/tracers/lightstep:config", + "categories": ["envoy.tracers"], + "security_posture": "robust_to_untrusted_downstream", + }, + 
"envoy.tracers.datadog": { + "source": "//source/extensions/tracers/datadog:config", + "categories": ["envoy.tracers"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.tracers.zipkin": { + "source": "//source/extensions/tracers/zipkin:config", + "categories": ["envoy.tracers"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.tracers.opencensus": { + "source": "//source/extensions/tracers/opencensus:config", + "categories": ["envoy.tracers"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.tracers.xray": { + "source": "//source/extensions/tracers/xray:config", + "categories": ["envoy.tracers"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.tracers.skywalking": { + "source": "//source/extensions/tracers/skywalking:config", + "categories": ["envoy.tracers"], + "security_posture": "robust_to_untrusted_downstream", + "status": "wip", + }, # # Transport sockets # - "envoy.transport_sockets.alts": "//source/extensions/transport_sockets/alts:config", - "envoy.transport_sockets.upstream_proxy_protocol": "//source/extensions/transport_sockets/proxy_protocol:upstream_config", - "envoy.transport_sockets.raw_buffer": "//source/extensions/transport_sockets/raw_buffer:config", - "envoy.transport_sockets.tap": "//source/extensions/transport_sockets/tap:config", - "envoy.transport_sockets.starttls": "//source/extensions/transport_sockets/starttls:config", + "envoy.transport_sockets.tls": { + "source": "//source/extensions/transport_sockets/tls:config", + "categories": [ + "envoy.transport_sockets.downstream", + "envoy.transport_sockets.upstream", + ], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + "builtin": True, + "required": True, + }, + "envoy.transport_sockets.alts": { + "source": "//source/extensions/transport_sockets/alts:config", + "categories": [ + "envoy.transport_sockets.downstream", + "envoy.transport_sockets.upstream", + ], + "security_posture": 
"robust_to_untrusted_downstream_and_upstream", + }, + "envoy.transport_sockets.upstream_proxy_protocol": { + "source": "//source/extensions/transport_sockets/proxy_protocol:upstream_config", + "categories": ["envoy.transport_sockets.upstream"], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + }, + "envoy.transport_sockets.raw_buffer": { + "source": "//source/extensions/transport_sockets/raw_buffer:config", + "categories": [ + "envoy.transport_sockets.downstream", + "envoy.transport_sockets.upstream", + ], + "security_posture": "requires_trusted_downstream_and_upstream", + "core": True, + }, + "envoy.transport_sockets.tap": { + "source": "//source/extensions/transport_sockets/tap:config", + "categories": [ + "envoy.transport_sockets.downstream", + "envoy.transport_sockets.upstream", + ], + "security_posture": "requires_trusted_downstream_and_upstream", + "status": "alpha", + }, + "envoy.transport_sockets.starttls": { + "source": "//source/extensions/transport_sockets/starttls:config", + "categories": [ + "envoy.transport_sockets.downstream", + "envoy.transport_sockets.upstream", + ], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + }, # # Retry host predicates # - "envoy.retry_host_predicates.previous_hosts": "//source/extensions/retry/host/previous_hosts:config", - "envoy.retry_host_predicates.omit_canary_hosts": "//source/extensions/retry/host/omit_canary_hosts:config", - "envoy.retry_host_predicates.omit_host_metadata": "//source/extensions/retry/host/omit_host_metadata:config", + "envoy.retry_host_predicates.previous_hosts": { + "source": "//source/extensions/retry/host/previous_hosts:config", + "categories": ["envoy.retry_host_predicates"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.retry_host_predicates.omit_canary_hosts": { + "source": "//source/extensions/retry/host/omit_canary_hosts:config", + "categories": ["envoy.retry_host_predicates"], + "security_posture": 
"robust_to_untrusted_downstream", + }, + "envoy.retry_host_predicates.omit_host_metadata": { + "source": "//source/extensions/retry/host/omit_host_metadata:config", + "categories": ["envoy.retry_host_predicates"], + "security_posture": "robust_to_untrusted_downstream", + }, # # Retry priorities # - "envoy.retry_priorities.previous_priorities": "//source/extensions/retry/priority/previous_priorities:config", + "envoy.retry_priorities.previous_priorities": { + "source": "//source/extensions/retry/priority/previous_priorities:config", + "categories": ["envoy.retry_priorities"], + "security_posture": "robust_to_untrusted_downstream", + }, # # CacheFilter plugins # - "envoy.cache.simple_http_cache": "//source/extensions/filters/http/cache/simple_http_cache:config", - # - # Internal redirect predicates - # - - "envoy.internal_redirect_predicates.allow_listed_routes": "//source/extensions/internal_redirect/allow_listed_routes:config", - "envoy.internal_redirect_predicates.previous_routes": "//source/extensions/internal_redirect/previous_routes:config", - "envoy.internal_redirect_predicates.safe_cross_scheme": "//source/extensions/internal_redirect/safe_cross_scheme:config", + "envoy.cache.simple_http_cache": { + "source": "//source/extensions/filters/http/cache/simple_http_cache:config", + "categories": ["envoy.filters.http.cache"], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + "status": "wip", + }, # - # Http Upstreams (excepting envoy.upstreams.http.generic which is hard-coded into the build so not registered here) + # Internal redirect predicates # - "envoy.upstreams.http.http": "//source/extensions/upstreams/http/http:config", - "envoy.upstreams.http.tcp": "//source/extensions/upstreams/http/tcp:config", + "envoy.internal_redirect_predicates.allow_listed_routes": { + "source": "//source/extensions/internal_redirect/allow_listed_routes:config", + "categories": ["envoy.internal_redirect_predicates"], + "security_posture": 
"robust_to_untrusted_downstream_and_upstream", + }, + "envoy.internal_redirect_predicates.previous_routes": { + "source": "//source/extensions/internal_redirect/previous_routes:config", + "categories": ["envoy.internal_redirect_predicates"], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + }, + "envoy.internal_redirect_predicates.safe_cross_scheme": { + "source": "//source/extensions/internal_redirect/safe_cross_scheme:config", + "categories": ["envoy.internal_redirect_predicates"], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + }, + + # + # TCP Upstreams + # + + "envoy.upstreams.tcp.generic": { + "source": "//source/extensions/upstreams/tcp/generic:config", + "categories": ["envoy.upstreams"], + "security_posture": "robust_to_untrusted_downstream", + "builtin": True, + }, + + # + # Http Upstreams + # + + "envoy.upstreams.http.http_protocol_options": { + "source": "//source/extensions/upstreams/http:config", + "categories": ["envoy.upstreams"], + "security_posture": "robust_to_untrusted_downstream", + "builtin": True, + }, + "envoy.upstreams.http.generic": { + "source": "//source/extensions/upstreams/http/generic:config", + "categories": ["envoy.upstreams"], + "security_posture": "robust_to_untrusted_downstream", + "builtin": True, + }, + "envoy.upstreams.http.http": { + "source": "//source/extensions/upstreams/http/http:config", + "categories": ["envoy.upstreams"], + "security_posture": "robust_to_untrusted_downstream", + }, + "envoy.upstreams.http.tcp": { + "source": "//source/extensions/upstreams/http/tcp:config", + "categories": ["envoy.upstreams"], + "security_posture": "robust_to_untrusted_downstream", + }, # # Watchdog actions # - "envoy.watchdog.profile_action": "//source/extensions/watchdog/profile_action:config", + "envoy.watchdog.profile_action": { + "source": "//source/extensions/watchdog/profile_action:config", + "categories": ["envoy.guarddog_actions"], + "security_posture": "data_plane_agnostic", + 
"status": "alpha", + }, # # WebAssembly runtimes # - "envoy.wasm.runtime.null": "//source/extensions/wasm_runtime/null:config", - "envoy.wasm.runtime.v8": "//source/extensions/wasm_runtime/v8:config", - "envoy.wasm.runtime.wavm": "//source/extensions/wasm_runtime/wavm:config", - "envoy.wasm.runtime.wasmtime": "//source/extensions/wasm_runtime/wasmtime:config", + "envoy.wasm.runtime.null": { + "source": "//source/extensions/wasm_runtime/null:config", + "categories": ["envoy.wasm.runtime"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.wasm.runtime.v8": { + "source": "//source/extensions/wasm_runtime/v8:config", + "categories": ["envoy.wasm.runtime"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.wasm.runtime.wavm": { + "source": "//source/extensions/wasm_runtime/wavm:config", + "categories": ["envoy.wasm.runtime"], + "security_posture": "unknown", + "status": "alpha", + }, + "envoy.wasm.runtime.wasmtime": { + "source": "//source/extensions/wasm_runtime/wasmtime:config", + "categories": ["envoy.wasm.runtime"], + "security_posture": "unknown", + "status": "alpha", + }, # # Rate limit descriptors # - "envoy.rate_limit_descriptors.expr": "//source/extensions/rate_limit_descriptors/expr:config", + "envoy.rate_limit_descriptors.expr": { + "source": "//source/extensions/rate_limit_descriptors/expr:config", + "categories": ["envoy.rate_limit_descriptors"], + "security_posture": "unknown", + }, # # IO socket # - "envoy.io_socket.user_space": "//source/extensions/io_socket/user_space:config", + "envoy.io_socket.user_space": { + "source": "//source/extensions/io_socket/user_space:config", + "categories": ["envoy.io_socket"], + "security_posture": "unknown", + "status": "wip", + "undocumented": True, + }, # # TLS peer certification validators # - "envoy.tls.cert_validator.spiffe": "//source/extensions/transport_sockets/tls/cert_validator/spiffe:config", + "envoy.tls.cert_validator.spiffe": { + "source": 
"//source/extensions/transport_sockets/tls/cert_validator/spiffe:config", + "categories": ["envoy.tls.cert_validator"], + "security_posture": "unknown", + "status": "wip", + }, # # HTTP header formatters # - "envoy.http.stateful_header_formatters.preserve_case": "//source/extensions/http/header_formatters/preserve_case:preserve_case_formatter", + "envoy.http.stateful_header_formatters.preserve_case": { + "source": "//source/extensions/http/header_formatters/preserve_case:preserve_case_formatter", + "categories": ["envoy.http.stateful_header_formatters"], + "security_posture": "robust_to_untrusted_downstream_and_upstream", + }, } # These can be changed to ["//visibility:public"], for downstream builds which diff --git a/source/extensions/filters/http/adaptive_concurrency/BUILD b/source/extensions/filters/http/adaptive_concurrency/BUILD index 7662d09bc1fd8..8baef84564d7e 100644 --- a/source/extensions/filters/http/adaptive_concurrency/BUILD +++ b/source/extensions/filters/http/adaptive_concurrency/BUILD @@ -30,9 +30,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "unknown", - status = "alpha", deps = [ "//include/envoy/registry", "//source/extensions/filters/http:well_known_names", diff --git a/source/extensions/filters/http/admission_control/BUILD b/source/extensions/filters/http/admission_control/BUILD index 9bfd7c4505361..f7b60baf0ef51 100644 --- a/source/extensions/filters/http/admission_control/BUILD +++ b/source/extensions/filters/http/admission_control/BUILD @@ -1,6 +1,7 @@ load( "//bazel:envoy_build_system.bzl", "envoy_cc_extension", + "envoy_cc_library", "envoy_extension_package", ) @@ -11,7 +12,7 @@ licenses(["notice"]) # Apache 2 envoy_extension_package() -envoy_cc_extension( +envoy_cc_library( name = "admission_control_filter_lib", srcs = [ "admission_control.cc", 
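Review bot: With `admission_control_filter_lib` switched from `envoy_cc_extension` to `envoy_cc_library`, the target no longer gets the macro's `visibility = EXTENSION_CONFIG_VISIBILITY` default, and the next hunk drops its `security_posture = "unknown"` attribute, so nothing in this BUILD file records the filter's trust assumptions any more. The posture is presumably now carried by an `envoy.filters.http.admission_control` entry in the central `EXTENSIONS` dict, which is not visible in this part of the diff; that entry should keep `"security_posture": "unknown"` and `"status": "alpha"` so the filter is not documented as hardened against untrusted traffic. I would add a comment above the rule, `# Plain library, not a registered extension; posture metadata for this filter lives in the EXTENSIONS dict.`, and confirm that the default visibility of `envoy_cc_library` is no wider than the extension default. The rule's attribute list continues past the end of this hunk.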
@@ -21,8 +22,6 @@ envoy_cc_extension(
 "admission_control.h",
 "thread_local_controller.h",
 ],
- category = "envoy.filters.http",
- security_posture = "unknown",
 deps = [
 "//include/envoy/http:filter_interface",
 "//include/envoy/runtime:runtime_interface",
@@ -41,9 +40,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
- security_posture = "unknown",
- status = "alpha",
 deps = [
 "//include/envoy/registry",
 "//source/common/common:enum_to_int",
diff --git a/source/extensions/filters/http/aws_lambda/BUILD b/source/extensions/filters/http/aws_lambda/BUILD
index 1001ba3d87cbf..43544b5eccee7 100644
--- a/source/extensions/filters/http/aws_lambda/BUILD
+++ b/source/extensions/filters/http/aws_lambda/BUILD
@@ -37,9 +37,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
- security_posture = "requires_trusted_downstream_and_upstream",
- status = "alpha",
 deps = [
 ":aws_lambda_filter_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/filters/http/aws_request_signing/BUILD b/source/extensions/filters/http/aws_request_signing/BUILD
index f0222a4b954bc..b1bcf820a85e5 100644
--- a/source/extensions/filters/http/aws_request_signing/BUILD
+++ b/source/extensions/filters/http/aws_request_signing/BUILD
@@ -29,9 +29,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
- security_posture = "requires_trusted_downstream_and_upstream",
- status = "alpha",
 deps = [
 ":aws_request_signing_filter_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/filters/http/buffer/BUILD b/source/extensions/filters/http/buffer/BUILD
index c38b84635d661..c691bc382862b 100644
--- a/source/extensions/filters/http/buffer/BUILD
+++ b/source/extensions/filters/http/buffer/BUILD
@@ -37,8 +37,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
- security_posture = "robust_to_untrusted_downstream",
 # Legacy test use. TODO(#9953) clean up.
 visibility = ["//visibility:public"],
 deps = [
diff --git a/source/extensions/filters/http/cache/BUILD b/source/extensions/filters/http/cache/BUILD
index 0023acfeefbe8..bd205889fdfa1 100644
--- a/source/extensions/filters/http/cache/BUILD
+++ b/source/extensions/filters/http/cache/BUILD
@@ -101,9 +101,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
- security_posture = "robust_to_untrusted_downstream_and_upstream",
- status = "wip",
 deps = [
 ":cache_filter_lib",
 "//source/extensions/filters/http:well_known_names",
diff --git a/source/extensions/filters/http/cache/simple_http_cache/BUILD b/source/extensions/filters/http/cache/simple_http_cache/BUILD
index a9a500e1f9b8e..481380f23591f 100644
--- a/source/extensions/filters/http/cache/simple_http_cache/BUILD
+++ b/source/extensions/filters/http/cache/simple_http_cache/BUILD
@@ -14,9 +14,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["simple_http_cache.cc"],
 hdrs = ["simple_http_cache.h"],
- category = "envoy.filters.http.cache",
- security_posture = "robust_to_untrusted_downstream_and_upstream",
- status = "wip",
 deps = [
 "//include/envoy/registry",
 "//include/envoy/runtime:runtime_interface",
diff --git a/source/extensions/filters/http/cdn_loop/BUILD b/source/extensions/filters/http/cdn_loop/BUILD
index 291f20b3a7256..b42834465a14f 100644
--- a/source/extensions/filters/http/cdn_loop/BUILD
+++ b/source/extensions/filters/http/cdn_loop/BUILD
@@ -45,9 +45,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
- security_posture = "unknown",
- status = "alpha",
 deps = [
 ":filter_lib",
 ":parser_lib",
diff --git a/source/extensions/filters/http/composite/BUILD b/source/extensions/filters/http/composite/BUILD
index f3d72798c5b42..63cb62a7c7b00 100644
--- a/source/extensions/filters/http/composite/BUILD
+++ b/source/extensions/filters/http/composite/BUILD
@@ -45,8 +45,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 "//include/envoy/registry",
 "//include/envoy/server:filter_config_interface",
diff --git a/source/extensions/filters/http/compressor/BUILD b/source/extensions/filters/http/compressor/BUILD
index cec12558d4a93..ad18a973c8649 100644
--- a/source/extensions/filters/http/compressor/BUILD
+++ b/source/extensions/filters/http/compressor/BUILD
@@ -27,8 +27,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":compressor_filter_lib",
 "//include/envoy/compression/compressor:compressor_config_interface",
diff --git a/source/extensions/filters/http/cors/BUILD b/source/extensions/filters/http/cors/BUILD
index 719af988af59a..5eb4f63a57246 100644
--- a/source/extensions/filters/http/cors/BUILD
+++ b/source/extensions/filters/http/cors/BUILD
@@ -31,12 +31,10 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.filters.http",
 # TODO(#9953) clean up.
 extra_visibility = [
 "//test/integration:__subpackages__",
 ],
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 "//include/envoy/registry",
 "//include/envoy/server:filter_config_interface",
diff --git a/source/extensions/filters/http/csrf/BUILD b/source/extensions/filters/http/csrf/BUILD
index 9b5af4e5a8788..e8e88ea6fa493 100644
--- a/source/extensions/filters/http/csrf/BUILD
+++ b/source/extensions/filters/http/csrf/BUILD
@@ -33,8 +33,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/extensions/filters/http:well_known_names", diff --git a/source/extensions/filters/http/decompressor/BUILD b/source/extensions/filters/http/decompressor/BUILD index fb69254e476b5..78f76c5573f8f 100644 --- a/source/extensions/filters/http/decompressor/BUILD +++ b/source/extensions/filters/http/decompressor/BUILD @@ -33,8 +33,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream_and_upstream", deps = [ ":decompressor_filter_lib", "//include/envoy/compression/decompressor:decompressor_config_interface", diff --git a/source/extensions/filters/http/dynamic_forward_proxy/BUILD b/source/extensions/filters/http/dynamic_forward_proxy/BUILD index 5b0768fe9d2d8..33b202755ec47 100644 --- a/source/extensions/filters/http/dynamic_forward_proxy/BUILD +++ b/source/extensions/filters/http/dynamic_forward_proxy/BUILD @@ -29,8 +29,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//include/envoy/server:filter_config_interface", diff --git a/source/extensions/filters/http/dynamo/BUILD b/source/extensions/filters/http/dynamo/BUILD index 4854329af55c1..0abf478922ff3 100644 --- a/source/extensions/filters/http/dynamo/BUILD +++ b/source/extensions/filters/http/dynamo/BUILD @@ -42,8 +42,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ ":dynamo_filter_lib", "//include/envoy/registry", 
diff --git a/source/extensions/filters/http/ext_authz/BUILD b/source/extensions/filters/http/ext_authz/BUILD index 766e09774d1e2..6314f305e97fa 100644 --- a/source/extensions/filters/http/ext_authz/BUILD +++ b/source/extensions/filters/http/ext_authz/BUILD @@ -40,8 +40,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ ":ext_authz", "//include/envoy/registry", diff --git a/source/extensions/filters/http/ext_proc/BUILD b/source/extensions/filters/http/ext_proc/BUILD index 1468c4d9e0f84..2a2fa5a8885e9 100644 --- a/source/extensions/filters/http/ext_proc/BUILD +++ b/source/extensions/filters/http/ext_proc/BUILD @@ -37,9 +37,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "unknown", - status = "alpha", deps = [ ":client_lib", ":ext_proc", diff --git a/source/extensions/filters/http/fault/BUILD b/source/extensions/filters/http/fault/BUILD index db2a5a61ed97a..3cfe5b8ee205e 100644 --- a/source/extensions/filters/http/fault/BUILD +++ b/source/extensions/filters/http/fault/BUILD @@ -46,8 +46,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/extensions/filters/http:well_known_names", diff --git a/source/extensions/filters/http/grpc_http1_bridge/BUILD b/source/extensions/filters/http/grpc_http1_bridge/BUILD index 4a1154094c647..4685a8d07c9d1 100644 --- a/source/extensions/filters/http/grpc_http1_bridge/BUILD +++ b/source/extensions/filters/http/grpc_http1_bridge/BUILD 
@@ -33,14 +33,12 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", # Legacy test use. TODO(#9953) clean up. extra_visibility = [ "//source/exe:__pkg__", "//test/integration:__subpackages__", "//test/server:__subpackages__", ], - security_posture = "unknown", deps = [ "//include/envoy/registry", "//include/envoy/server:filter_config_interface", diff --git a/source/extensions/filters/http/grpc_http1_reverse_bridge/BUILD b/source/extensions/filters/http/grpc_http1_reverse_bridge/BUILD index be9226b61f545..c4f65adb09a95 100644 --- a/source/extensions/filters/http/grpc_http1_reverse_bridge/BUILD +++ b/source/extensions/filters/http/grpc_http1_reverse_bridge/BUILD @@ -31,9 +31,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "unknown", - status = "alpha", deps = [ ":filter_lib", "//include/envoy/http:filter_interface", diff --git a/source/extensions/filters/http/grpc_json_transcoder/BUILD b/source/extensions/filters/http/grpc_json_transcoder/BUILD index 822264c252cf4..c1ae930c7fc88 100644 --- a/source/extensions/filters/http/grpc_json_transcoder/BUILD +++ b/source/extensions/filters/http/grpc_json_transcoder/BUILD @@ -62,8 +62,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/extensions/filters/http:well_known_names", diff --git a/source/extensions/filters/http/grpc_stats/BUILD b/source/extensions/filters/http/grpc_stats/BUILD index 10c7558f549f8..078b140e912eb 100644 --- a/source/extensions/filters/http/grpc_stats/BUILD +++ b/source/extensions/filters/http/grpc_stats/BUILD 
@@ -14,9 +14,6 @@ envoy_cc_extension( name = "config", srcs = ["grpc_stats_filter.cc"], hdrs = ["grpc_stats_filter.h"], - category = "envoy.filters.http", - security_posture = "unknown", - status = "alpha", deps = [ "//include/envoy/registry", "//include/envoy/server:filter_config_interface", diff --git a/source/extensions/filters/http/grpc_web/BUILD b/source/extensions/filters/http/grpc_web/BUILD index 4a7089ca962eb..f0f341b49708a 100644 --- a/source/extensions/filters/http/grpc_web/BUILD +++ b/source/extensions/filters/http/grpc_web/BUILD @@ -32,8 +32,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//include/envoy/server:filter_config_interface", diff --git a/source/extensions/filters/http/gzip/BUILD b/source/extensions/filters/http/gzip/BUILD index d2d9fc86479b4..6503189c9e9df 100644 --- a/source/extensions/filters/http/gzip/BUILD +++ b/source/extensions/filters/http/gzip/BUILD @@ -30,8 +30,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//source/extensions/filters/http:well_known_names", "//source/extensions/filters/http/common:factory_base_lib", diff --git a/source/extensions/filters/http/header_to_metadata/BUILD b/source/extensions/filters/http/header_to_metadata/BUILD index aa13db4517e15..f0e7a6a1c3d01 100644 --- a/source/extensions/filters/http/header_to_metadata/BUILD +++ b/source/extensions/filters/http/header_to_metadata/BUILD @@ -30,8 +30,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/common/protobuf:utility_lib", 
diff --git a/source/extensions/filters/http/health_check/BUILD b/source/extensions/filters/http/health_check/BUILD index c54f3bf2ad17e..52c1554da2e06 100644 --- a/source/extensions/filters/http/health_check/BUILD +++ b/source/extensions/filters/http/health_check/BUILD @@ -37,14 +37,12 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", # Legacy test use. TODO(#9953) clean up. extra_visibility = [ "//test/common/filter/http:__subpackages__", "//test/integration:__subpackages__", "//test/server:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/common/http:header_utility_lib", diff --git a/source/extensions/filters/http/ip_tagging/BUILD b/source/extensions/filters/http/ip_tagging/BUILD index 2c75ece83a991..443d168101f46 100644 --- a/source/extensions/filters/http/ip_tagging/BUILD +++ b/source/extensions/filters/http/ip_tagging/BUILD @@ -33,12 +33,10 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", # TODO(#9953) clean up. extra_visibility = [ "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/common/protobuf:utility_lib", diff --git a/source/extensions/filters/http/jwt_authn/BUILD b/source/extensions/filters/http/jwt_authn/BUILD index 0d5895dfbd5a6..1b8901fd6d9b8 100644 --- a/source/extensions/filters/http/jwt_authn/BUILD +++ b/source/extensions/filters/http/jwt_authn/BUILD @@ -70,9 +70,6 @@ envoy_cc_extension( name = "config", srcs = ["filter_factory.cc"], hdrs = ["filter_factory.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", - status = "alpha", deps = [ ":filter_lib", "//include/envoy/registry", 
diff --git a/source/extensions/filters/http/kill_request/BUILD b/source/extensions/filters/http/kill_request/BUILD index 09faef0937421..2a7a21ef355e7 100644 --- a/source/extensions/filters/http/kill_request/BUILD +++ b/source/extensions/filters/http/kill_request/BUILD @@ -30,8 +30,6 @@ envoy_cc_extension( name = "kill_request_config", srcs = ["kill_request_config.cc"], hdrs = ["kill_request_config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/extensions/filters/http:well_known_names", diff --git a/source/extensions/filters/http/local_ratelimit/BUILD b/source/extensions/filters/http/local_ratelimit/BUILD index f60271193bc67..d409a424fd6bf 100644 --- a/source/extensions/filters/http/local_ratelimit/BUILD +++ b/source/extensions/filters/http/local_ratelimit/BUILD @@ -36,8 +36,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "unknown", deps = [ ":local_ratelimit_lib", "//include/envoy/http:filter_interface", diff --git a/source/extensions/filters/http/lua/BUILD b/source/extensions/filters/http/lua/BUILD index 9d6c381a09892..c4683e8263534 100644 --- a/source/extensions/filters/http/lua/BUILD +++ b/source/extensions/filters/http/lua/BUILD @@ -55,8 +55,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/extensions/filters/http:well_known_names", diff --git a/source/extensions/filters/http/oauth2/BUILD b/source/extensions/filters/http/oauth2/BUILD index 7fc8a96a6cf31..d7ea3098c4498 100644 --- a/source/extensions/filters/http/oauth2/BUILD +++ b/source/extensions/filters/http/oauth2/BUILD 
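Review bot: The `source/extensions/filters/http/local_ratelimit/BUILD` hunk removes `security_posture = "unknown"` with no `status` line, so this target relied on the old macro default `status = "stable"`, which this commit also removes from `envoy_cc_extension`. Wherever the metadata now lives, the status for such targets should be written out explicitly as `stable` rather than left to whatever the new default is, so that an extension with an unassessed posture is not silently reclassified during the move. Other hunks with the same shape (posture `unknown`, no `status`) are `filters/http/grpc_http1_bridge`, `filters/network/direct_response`, `filters/network/echo` and `filters/network/sni_cluster`.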
@@ -63,9 +63,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", - status = "alpha", deps = [ ":oauth_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/http/on_demand/BUILD b/source/extensions/filters/http/on_demand/BUILD index 72c5f6b33d564..5c66187881615 100644 --- a/source/extensions/filters/http/on_demand/BUILD +++ b/source/extensions/filters/http/on_demand/BUILD @@ -30,13 +30,11 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", # TODO(#9953) classify and clean up. extra_visibility = [ "//test/common/access_log:__subpackages__", "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/extensions/filters/http:well_known_names", diff --git a/source/extensions/filters/http/original_src/BUILD b/source/extensions/filters/http/original_src/BUILD index 3181285fc50a8..fe0c2adb6b64c 100644 --- a/source/extensions/filters/http/original_src/BUILD +++ b/source/extensions/filters/http/original_src/BUILD @@ -35,9 +35,6 @@ envoy_cc_extension( name = "config", # The extension build system requires a library named config srcs = ["original_src_config_factory.cc"], hdrs = ["original_src_config_factory.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", - status = "alpha", deps = [ ":config_lib", ":original_src_lib", diff --git a/source/extensions/filters/http/ratelimit/BUILD b/source/extensions/filters/http/ratelimit/BUILD index 78ec6694d2a55..bc845c26ed5a7 100644 --- a/source/extensions/filters/http/ratelimit/BUILD +++ b/source/extensions/filters/http/ratelimit/BUILD 
@@ -45,8 +45,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", deps = [ ":ratelimit_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/http/rbac/BUILD b/source/extensions/filters/http/rbac/BUILD index 9cd4d9cbedd8e..a0ef997d5e736 100644 --- a/source/extensions/filters/http/rbac/BUILD +++ b/source/extensions/filters/http/rbac/BUILD @@ -13,12 +13,10 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", # TODO(#9953) clean up. extra_visibility = [ "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/extensions/filters/http:well_known_names", diff --git a/source/extensions/filters/http/router/BUILD b/source/extensions/filters/http/router/BUILD index 3d78b2f303e05..8e268cff166c3 100644 --- a/source/extensions/filters/http/router/BUILD +++ b/source/extensions/filters/http/router/BUILD @@ -15,8 +15,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "robust_to_untrusted_downstream", # This is core Envoy config. visibility = ["//visibility:public"], deps = [ diff --git a/source/extensions/filters/http/squash/BUILD b/source/extensions/filters/http/squash/BUILD index e486d07f4a890..ef3c4ca805b8a 100644 --- a/source/extensions/filters/http/squash/BUILD +++ b/source/extensions/filters/http/squash/BUILD @@ -37,8 +37,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ "//include/envoy/registry", "//source/common/protobuf:utility_lib", 
diff --git a/source/extensions/filters/http/tap/BUILD b/source/extensions/filters/http/tap/BUILD index 9379579d8b804..e1e0f6407e30f 100644 --- a/source/extensions/filters/http/tap/BUILD +++ b/source/extensions/filters/http/tap/BUILD @@ -52,9 +52,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "requires_trusted_downstream_and_upstream", - status = "alpha", deps = [ ":tap_config_impl", ":tap_filter_lib", diff --git a/source/extensions/filters/http/wasm/BUILD b/source/extensions/filters/http/wasm/BUILD index e399e89290aa4..db3a6d09196ad 100644 --- a/source/extensions/filters/http/wasm/BUILD +++ b/source/extensions/filters/http/wasm/BUILD @@ -30,9 +30,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.http", - security_posture = "unknown", - status = "alpha", deps = [ ":wasm_filter_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/listener/http_inspector/BUILD b/source/extensions/filters/listener/http_inspector/BUILD index 849277d618d12..8426d64e32bf2 100644 --- a/source/extensions/filters/listener/http_inspector/BUILD +++ b/source/extensions/filters/listener/http_inspector/BUILD @@ -31,8 +31,6 @@ envoy_cc_library( envoy_cc_extension( name = "config", srcs = ["config.cc"], - category = "envoy.filters.listener", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ ":http_inspector_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/listener/original_dst/BUILD b/source/extensions/filters/listener/original_dst/BUILD index 62b0b88f001cf..7ee4f6e013c32 100644 --- a/source/extensions/filters/listener/original_dst/BUILD +++ b/source/extensions/filters/listener/original_dst/BUILD 
@@ -29,12 +29,10 @@ envoy_cc_library( envoy_cc_extension( name = "config", srcs = ["config.cc"], - category = "envoy.filters.listener", # TODO(#9953) clean up. extra_visibility = [ "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ ":original_dst_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/listener/original_src/BUILD b/source/extensions/filters/listener/original_src/BUILD index 26df22093a3cd..4b952500fa44f 100644 --- a/source/extensions/filters/listener/original_src/BUILD +++ b/source/extensions/filters/listener/original_src/BUILD @@ -38,9 +38,6 @@ envoy_cc_extension( name = "config", # The extension build system requires a library named config srcs = ["original_src_config_factory.cc"], hdrs = ["original_src_config_factory.h"], - category = "envoy.filters.listener", - security_posture = "robust_to_untrusted_downstream", - status = "alpha", deps = [ ":config_lib", ":original_src_lib", diff --git a/source/extensions/filters/listener/proxy_protocol/BUILD b/source/extensions/filters/listener/proxy_protocol/BUILD index 66c21a7b27686..6cff8506baed7 100644 --- a/source/extensions/filters/listener/proxy_protocol/BUILD +++ b/source/extensions/filters/listener/proxy_protocol/BUILD @@ -40,12 +40,10 @@ envoy_cc_library( envoy_cc_extension( name = "config", srcs = ["config.cc"], - category = "envoy.filters.listener", # TODO(#9953) clean up. extra_visibility = [ "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//include/envoy/server:filter_config_interface", diff --git a/source/extensions/filters/listener/tls_inspector/BUILD b/source/extensions/filters/listener/tls_inspector/BUILD index 3f6837524e2b2..109d783b2c4f0 100644 --- a/source/extensions/filters/listener/tls_inspector/BUILD +++ b/source/extensions/filters/listener/tls_inspector/BUILD 
@@ -35,12 +35,10 @@ envoy_cc_library( envoy_cc_extension( name = "config", srcs = ["config.cc"], - category = "envoy.filters.listener", # TODO(#9953) clean up. extra_visibility = [ "//test/integration:__subpackages__", ], - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//include/envoy/server:filter_config_interface", diff --git a/source/extensions/filters/network/client_ssl_auth/BUILD b/source/extensions/filters/network/client_ssl_auth/BUILD index 184ef95404aa4..de0b01ec4bab0 100644 --- a/source/extensions/filters/network/client_ssl_auth/BUILD +++ b/source/extensions/filters/network/client_ssl_auth/BUILD @@ -40,8 +40,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "robust_to_untrusted_downstream", deps = [ ":client_ssl_auth", "//include/envoy/registry", diff --git a/source/extensions/filters/network/direct_response/BUILD b/source/extensions/filters/network/direct_response/BUILD index 7954de4042115..5a4b40483b4fc 100644 --- a/source/extensions/filters/network/direct_response/BUILD +++ b/source/extensions/filters/network/direct_response/BUILD @@ -28,8 +28,6 @@ envoy_cc_library( envoy_cc_extension( name = "config", srcs = ["config.cc"], - category = "envoy.filters.network", - security_posture = "unknown", deps = [ ":filter", "//include/envoy/registry", diff --git a/source/extensions/filters/network/dubbo_proxy/BUILD b/source/extensions/filters/network/dubbo_proxy/BUILD index e051679a29b6d..49ac684e27208 100644 --- a/source/extensions/filters/network/dubbo_proxy/BUILD +++ b/source/extensions/filters/network/dubbo_proxy/BUILD @@ -96,9 +96,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "requires_trusted_downstream_and_upstream", - status = "alpha", deps = [ ":conn_manager_lib", "//include/envoy/registry", 
diff --git a/source/extensions/filters/network/echo/BUILD b/source/extensions/filters/network/echo/BUILD index 68270a5dd5e20..2352cb8089531 100644 --- a/source/extensions/filters/network/echo/BUILD +++ b/source/extensions/filters/network/echo/BUILD @@ -28,12 +28,10 @@ envoy_cc_library( envoy_cc_extension( name = "config", srcs = ["config.cc"], - category = "envoy.filters.network", # TODO(#9953) move echo integration test to extensions. extra_visibility = [ "//test/integration:__subpackages__", ], - security_posture = "unknown", deps = [ ":echo", "//include/envoy/registry", diff --git a/source/extensions/filters/network/ext_authz/BUILD b/source/extensions/filters/network/ext_authz/BUILD index 391fe6e21d72c..7ceb93fa7b805 100644 --- a/source/extensions/filters/network/ext_authz/BUILD +++ b/source/extensions/filters/network/ext_authz/BUILD @@ -37,8 +37,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/common/config:utility_lib", diff --git a/source/extensions/filters/network/http_connection_manager/BUILD b/source/extensions/filters/network/http_connection_manager/BUILD index 60c8ce180e04e..39aba882814bf 100644 --- a/source/extensions/filters/network/http_connection_manager/BUILD +++ b/source/extensions/filters/network/http_connection_manager/BUILD @@ -18,8 +18,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "robust_to_untrusted_downstream", # This is core Envoy config. visibility = ["//visibility:public"], deps = [ diff --git a/source/extensions/filters/network/kafka/BUILD b/source/extensions/filters/network/kafka/BUILD index 01c31e63cc9fe..ccc2401ace47e 100644 --- a/source/extensions/filters/network/kafka/BUILD +++ b/source/extensions/filters/network/kafka/BUILD 
@@ -18,9 +18,6 @@ envoy_cc_extension( name = "kafka_broker_config_lib", srcs = ["broker/config.cc"], hdrs = ["broker/config.h"], - category = "envoy.filters.network", - security_posture = "requires_trusted_downstream_and_upstream", - status = "wip", deps = [ ":kafka_broker_filter_lib", "//source/extensions/filters/network:well_known_names", diff --git a/source/extensions/filters/network/local_ratelimit/BUILD b/source/extensions/filters/network/local_ratelimit/BUILD index 6e10aaff1de32..c0b757dc8c6e1 100644 --- a/source/extensions/filters/network/local_ratelimit/BUILD +++ b/source/extensions/filters/network/local_ratelimit/BUILD @@ -33,8 +33,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "robust_to_untrusted_downstream", deps = [ "//source/extensions/filters/network:well_known_names", "//source/extensions/filters/network/common:factory_base_lib", diff --git a/source/extensions/filters/network/mongo_proxy/BUILD b/source/extensions/filters/network/mongo_proxy/BUILD index ab1956d777cb0..04a32f0729016 100644 --- a/source/extensions/filters/network/mongo_proxy/BUILD +++ b/source/extensions/filters/network/mongo_proxy/BUILD @@ -107,8 +107,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ ":proxy_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/network/mysql_proxy/BUILD b/source/extensions/filters/network/mysql_proxy/BUILD index d176bad30b970..43d66bdf11c5b 100644 --- a/source/extensions/filters/network/mysql_proxy/BUILD +++ b/source/extensions/filters/network/mysql_proxy/BUILD 
@@ -107,9 +107,6 @@ envoy_cc_extension( name = "config", srcs = ["mysql_config.cc"], hdrs = ["mysql_config.h"], - category = "envoy.filters.network", - security_posture = "requires_trusted_downstream_and_upstream", - status = "alpha", deps = [ ":filter_lib", "//source/extensions/filters/network:well_known_names", diff --git a/source/extensions/filters/network/postgres_proxy/BUILD b/source/extensions/filters/network/postgres_proxy/BUILD index 398fa80cc67d5..1367aa5c048a0 100644 --- a/source/extensions/filters/network/postgres_proxy/BUILD +++ b/source/extensions/filters/network/postgres_proxy/BUILD @@ -44,9 +44,7 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", repository = "@envoy", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ ":filter", "//source/extensions/filters/network:well_known_names", diff --git a/source/extensions/filters/network/ratelimit/BUILD b/source/extensions/filters/network/ratelimit/BUILD index 2ab3b5ac6787c..35694dc418b8f 100644 --- a/source/extensions/filters/network/ratelimit/BUILD +++ b/source/extensions/filters/network/ratelimit/BUILD @@ -39,8 +39,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "robust_to_untrusted_downstream", deps = [ "//include/envoy/registry", "//source/common/config:utility_lib", diff --git a/source/extensions/filters/network/rbac/BUILD b/source/extensions/filters/network/rbac/BUILD index f5a4f38fdc0ed..be7137d0f8d58 100644 --- a/source/extensions/filters/network/rbac/BUILD +++ b/source/extensions/filters/network/rbac/BUILD @@ -13,8 +13,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "robust_to_untrusted_downstream", deps = [ ":rbac_filter", "//include/envoy/registry", 
diff --git a/source/extensions/filters/network/redis_proxy/BUILD b/source/extensions/filters/network/redis_proxy/BUILD index 7cf695e2a513b..3d70b7f7c3504 100644 --- a/source/extensions/filters/network/redis_proxy/BUILD +++ b/source/extensions/filters/network/redis_proxy/BUILD @@ -120,12 +120,10 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", # TODO(#9953) clean up. extra_visibility = [ "//test/integration:__subpackages__", ], - security_posture = "requires_trusted_downstream_and_upstream", deps = [ "//include/envoy/upstream:upstream_interface", "//source/extensions/common/redis:cluster_refresh_manager_lib", diff --git a/source/extensions/filters/network/rocketmq_proxy/BUILD b/source/extensions/filters/network/rocketmq_proxy/BUILD index 4dd07abc6225a..fe9ba3ab5022f 100644 --- a/source/extensions/filters/network/rocketmq_proxy/BUILD +++ b/source/extensions/filters/network/rocketmq_proxy/BUILD @@ -122,9 +122,6 @@ envoy_cc_extension( hdrs = [ "config.h", ], - category = "envoy.filters.network", - security_posture = "requires_trusted_downstream_and_upstream", - status = "alpha", deps = [ ":conn_manager_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/network/sni_cluster/BUILD b/source/extensions/filters/network/sni_cluster/BUILD index 310bf058c1924..f730bd9c49ca6 100644 --- a/source/extensions/filters/network/sni_cluster/BUILD +++ b/source/extensions/filters/network/sni_cluster/BUILD @@ -26,8 +26,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "unknown", deps = [ ":sni_cluster", "//include/envoy/registry", diff --git a/source/extensions/filters/network/sni_dynamic_forward_proxy/BUILD b/source/extensions/filters/network/sni_dynamic_forward_proxy/BUILD index bed8252554bbb..ae0181f77f7fa 100644 --- a/source/extensions/filters/network/sni_dynamic_forward_proxy/BUILD 
+++ b/source/extensions/filters/network/sni_dynamic_forward_proxy/BUILD @@ -28,9 +28,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "unknown", - status = "alpha", deps = [ ":proxy_filter_lib", "//source/extensions/common/dynamic_forward_proxy:dns_cache_manager_impl", diff --git a/source/extensions/filters/network/tcp_proxy/BUILD b/source/extensions/filters/network/tcp_proxy/BUILD index e1a22d965da99..ea7360966c411 100644 --- a/source/extensions/filters/network/tcp_proxy/BUILD +++ b/source/extensions/filters/network/tcp_proxy/BUILD @@ -15,8 +15,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "robust_to_untrusted_downstream", # This is core Envoy config. visibility = ["//visibility:public"], deps = [ diff --git a/source/extensions/filters/network/thrift_proxy/BUILD b/source/extensions/filters/network/thrift_proxy/BUILD index 47439e4c53eaf..37defe986a917 100644 --- a/source/extensions/filters/network/thrift_proxy/BUILD +++ b/source/extensions/filters/network/thrift_proxy/BUILD @@ -36,8 +36,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ ":app_exception_lib", ":auto_protocol_lib", diff --git a/source/extensions/filters/network/thrift_proxy/filters/ratelimit/BUILD b/source/extensions/filters/network/thrift_proxy/filters/ratelimit/BUILD index b27da3987272e..0d8f61fe19f83 100644 --- a/source/extensions/filters/network/thrift_proxy/filters/ratelimit/BUILD +++ b/source/extensions/filters/network/thrift_proxy/filters/ratelimit/BUILD 
@@ -32,9 +32,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.thrift_proxy.filters", - security_posture = "requires_trusted_downstream_and_upstream", - status = "alpha", deps = [ ":ratelimit_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/network/thrift_proxy/router/BUILD b/source/extensions/filters/network/thrift_proxy/router/BUILD index e63f180ecc9eb..a16abad3aeb90 100644 --- a/source/extensions/filters/network/thrift_proxy/router/BUILD +++ b/source/extensions/filters/network/thrift_proxy/router/BUILD @@ -13,8 +13,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.thrift_proxy.filters", - security_posture = "requires_trusted_downstream_and_upstream", deps = [ ":router_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/network/wasm/BUILD b/source/extensions/filters/network/wasm/BUILD index 2023fd1f48d8d..e8a47db2acc8a 100644 --- a/source/extensions/filters/network/wasm/BUILD +++ b/source/extensions/filters/network/wasm/BUILD @@ -28,9 +28,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "unknown", - status = "alpha", deps = [ ":wasm_filter_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/network/zookeeper_proxy/BUILD b/source/extensions/filters/network/zookeeper_proxy/BUILD index 10d14b23ae88a..9c72e9961dfe9 100644 --- a/source/extensions/filters/network/zookeeper_proxy/BUILD +++ b/source/extensions/filters/network/zookeeper_proxy/BUILD @@ -43,9 +43,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.network", - security_posture = "requires_trusted_downstream_and_upstream", - status = "alpha", deps = [ ":proxy_lib", "//source/extensions/filters/network:well_known_names", 
diff --git a/source/extensions/filters/udp/dns_filter/BUILD b/source/extensions/filters/udp/dns_filter/BUILD index 210d68496d0da..ab44521fdd408 100644 --- a/source/extensions/filters/udp/dns_filter/BUILD +++ b/source/extensions/filters/udp/dns_filter/BUILD @@ -52,9 +52,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.udp_listener", - security_posture = "robust_to_untrusted_downstream", - status = "alpha", deps = [ ":dns_filter_lib", "//include/envoy/registry", diff --git a/source/extensions/filters/udp/udp_proxy/BUILD b/source/extensions/filters/udp/udp_proxy/BUILD index b939347604fab..bd8fa7e6b3550 100644 --- a/source/extensions/filters/udp/udp_proxy/BUILD +++ b/source/extensions/filters/udp/udp_proxy/BUILD @@ -45,8 +45,6 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.filters.udp_listener", - security_posture = "robust_to_untrusted_downstream", deps = [ ":udp_proxy_filter_lib", "//include/envoy/registry", diff --git a/source/extensions/grpc_credentials/aws_iam/BUILD b/source/extensions/grpc_credentials/aws_iam/BUILD index 41e311cc52c55..56099da022710 100644 --- a/source/extensions/grpc_credentials/aws_iam/BUILD +++ b/source/extensions/grpc_credentials/aws_iam/BUILD @@ -14,10 +14,7 @@ envoy_cc_extension( name = "config", srcs = ["config.cc"], hdrs = ["config.h"], - category = "envoy.grpc_credentials", external_deps = ["grpc"], - security_posture = "data_plane_agnostic", - status = "alpha", deps = [ "//include/envoy/grpc:google_grpc_creds_interface", "//include/envoy/registry", diff --git a/source/extensions/grpc_credentials/file_based_metadata/BUILD b/source/extensions/grpc_credentials/file_based_metadata/BUILD index 45f065419f87e..d31637a9c8f3a 100644 --- a/source/extensions/grpc_credentials/file_based_metadata/BUILD +++ b/source/extensions/grpc_credentials/file_based_metadata/BUILD 
@@ -14,10 +14,7 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.grpc_credentials",
 external_deps = ["grpc"],
- security_posture = "data_plane_agnostic",
- status = "alpha",
 deps = [
 "//include/envoy/grpc:google_grpc_creds_interface",
 "//include/envoy/registry",
diff --git a/source/extensions/health_checkers/redis/BUILD b/source/extensions/health_checkers/redis/BUILD
index 8689cbecb1076..d6b91654919fa 100644
--- a/source/extensions/health_checkers/redis/BUILD
+++ b/source/extensions/health_checkers/redis/BUILD
@@ -31,8 +31,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.health_checkers",
- security_posture = "requires_trusted_downstream_and_upstream",
 deps = [
 ":redis",
 ":utility",
diff --git a/source/extensions/http/header_formatters/preserve_case/BUILD b/source/extensions/http/header_formatters/preserve_case/BUILD
index 6fde9d6725f30..fffdd69fbf5e5 100644
--- a/source/extensions/http/header_formatters/preserve_case/BUILD
+++ b/source/extensions/http/header_formatters/preserve_case/BUILD
@@ -12,8 +12,6 @@ envoy_cc_extension(
 name = "preserve_case_formatter",
 srcs = ["preserve_case_formatter.cc"],
 hdrs = ["preserve_case_formatter.h"],
- category = "envoy.http.stateful_header_formatters",
- security_posture = "robust_to_untrusted_downstream_and_upstream",
 deps = [
 "//include/envoy/registry",
 "@envoy_api//envoy/extensions/http/header_formatters/preserve_case/v3:pkg_cc_proto",
diff --git a/source/extensions/internal_redirect/allow_listed_routes/BUILD b/source/extensions/internal_redirect/allow_listed_routes/BUILD
index f3186dde09df6..3e5edbe960126 100644
--- a/source/extensions/internal_redirect/allow_listed_routes/BUILD
+++ b/source/extensions/internal_redirect/allow_listed_routes/BUILD
@@ -24,12 +24,10 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.internal_redirect_predicates",
 # TODO(#9953) clean up by moving the redirect test to extensions.
 extra_visibility = [
 "//test/integration:__subpackages__",
 ],
- security_posture = "robust_to_untrusted_downstream_and_upstream",
 deps = [
 ":allow_listed_routes_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/internal_redirect/previous_routes/BUILD b/source/extensions/internal_redirect/previous_routes/BUILD
index ada41e1ed237e..d208998603f69 100644
--- a/source/extensions/internal_redirect/previous_routes/BUILD
+++ b/source/extensions/internal_redirect/previous_routes/BUILD
@@ -24,12 +24,10 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.internal_redirect_predicates",
 # TODO(#9953) clean up by moving the redirect test to extensions.
 extra_visibility = [
 "//test/integration:__subpackages__",
 ],
- security_posture = "robust_to_untrusted_downstream_and_upstream",
 deps = [
 ":previous_routes_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/internal_redirect/safe_cross_scheme/BUILD b/source/extensions/internal_redirect/safe_cross_scheme/BUILD
index 5936010fed94a..13fb41de556f6 100644
--- a/source/extensions/internal_redirect/safe_cross_scheme/BUILD
+++ b/source/extensions/internal_redirect/safe_cross_scheme/BUILD
@@ -23,12 +23,10 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.internal_redirect_predicates",
 # TODO(#9953) clean up by moving the redirect test to extensions.
 extra_visibility = [
 "//test/integration:__subpackages__",
 ],
- security_posture = "robust_to_untrusted_downstream_and_upstream",
 deps = [
 ":safe_cross_scheme_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/io_socket/user_space/BUILD b/source/extensions/io_socket/user_space/BUILD
index 18a01f6e1eaec..c430f95989417 100644
--- a/source/extensions/io_socket/user_space/BUILD
+++ b/source/extensions/io_socket/user_space/BUILD
@@ -12,10 +12,6 @@ envoy_extension_package()
 envoy_cc_extension(
 name = "config",
 srcs = ["config.h"],
- category = "envoy.io_socket",
- security_posture = "unknown",
- status = "wip",
- undocumented = True,
 deps = [
 ],
 )
diff --git a/source/extensions/matching/common_inputs/environment_variable/BUILD b/source/extensions/matching/common_inputs/environment_variable/BUILD
index cf54b92130a80..2dacd62538db4 100644
--- a/source/extensions/matching/common_inputs/environment_variable/BUILD
+++ b/source/extensions/matching/common_inputs/environment_variable/BUILD
@@ -22,8 +22,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.matching.common_inputs",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":input_lib",
 "//include/envoy/matcher:matcher_interface",
diff --git a/source/extensions/matching/input_matchers/consistent_hashing/BUILD b/source/extensions/matching/input_matchers/consistent_hashing/BUILD
index 753f6ae6756a2..0e72af550db3f 100644
--- a/source/extensions/matching/input_matchers/consistent_hashing/BUILD
+++ b/source/extensions/matching/input_matchers/consistent_hashing/BUILD
@@ -23,8 +23,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.matching.input_matchers",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":consistent_hashing_lib",
 "//include/envoy/matcher:matcher_interface",
diff --git a/source/extensions/rate_limit_descriptors/expr/BUILD b/source/extensions/rate_limit_descriptors/expr/BUILD
index 088dd84be9c7a..a1f4dc89d881c 100644
--- a/source/extensions/rate_limit_descriptors/expr/BUILD
+++ b/source/extensions/rate_limit_descriptors/expr/BUILD
@@ -12,14 +12,12 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.rate_limit_descriptors",
 copts = select({
 "//bazel:windows_x86_64": [], # TODO: fix the windows ANTLR build
 "//conditions:default": [
 "-DUSE_CEL_PARSER",
 ],
 }),
- security_posture = "unknown",
 deps = [
 "//include/envoy/ratelimit:ratelimit_interface",
 "//include/envoy/registry",
diff --git a/source/extensions/request_id/uuid/BUILD b/source/extensions/request_id/uuid/BUILD
index 2c09ede8b5594..feb49f7a39014 100644
--- a/source/extensions/request_id/uuid/BUILD
+++ b/source/extensions/request_id/uuid/BUILD
@@ -16,8 +16,6 @@ envoy_cc_extension(
 hdrs = [
 "config.h",
 ],
- category = "envoy.request_id",
- security_posture = "robust_to_untrusted_downstream_and_upstream",
 visibility = ["//visibility:public"],
 deps = [
 "//include/envoy/http:request_id_extension_interface",
diff --git a/source/extensions/resource_monitors/fixed_heap/BUILD b/source/extensions/resource_monitors/fixed_heap/BUILD
index 1e856a6b06d7f..f1ce7fa600253 100644
--- a/source/extensions/resource_monitors/fixed_heap/BUILD
+++ b/source/extensions/resource_monitors/fixed_heap/BUILD
@@ -25,9 +25,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.resource_monitors",
- security_posture = "data_plane_agnostic",
- status = "alpha",
 deps = [
 ":fixed_heap_monitor",
 "//include/envoy/registry",
diff --git a/source/extensions/resource_monitors/injected_resource/BUILD b/source/extensions/resource_monitors/injected_resource/BUILD
index a84b00fbd76b4..50453d2a1bdcf 100644
--- a/source/extensions/resource_monitors/injected_resource/BUILD
+++ b/source/extensions/resource_monitors/injected_resource/BUILD
@@ -26,14 +26,11 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.resource_monitors",
 # TODO(#9953) clean up.
 extra_visibility = [
 "//test/integration:__subpackages__",
 "//test/common/quic/integration:__subpackages__",
 ],
- security_posture = "data_plane_agnostic",
- status = "alpha",
 deps = [
 ":injected_resource_monitor",
 "//include/envoy/registry",
diff --git a/source/extensions/retry/host/omit_canary_hosts/BUILD b/source/extensions/retry/host/omit_canary_hosts/BUILD
index 734c5df847361..8e3f446d0848b 100644
--- a/source/extensions/retry/host/omit_canary_hosts/BUILD
+++ b/source/extensions/retry/host/omit_canary_hosts/BUILD
@@ -21,8 +21,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.retry_host_predicates",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":omit_canary_hosts_predicate_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/retry/host/omit_host_metadata/BUILD b/source/extensions/retry/host/omit_host_metadata/BUILD
index 51813ad4a4b86..92a916dfa28f1 100644
--- a/source/extensions/retry/host/omit_host_metadata/BUILD
+++ b/source/extensions/retry/host/omit_host_metadata/BUILD
@@ -23,8 +23,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.retry_host_predicates",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":omit_host_metadata_predicate_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/retry/host/previous_hosts/BUILD b/source/extensions/retry/host/previous_hosts/BUILD
index 81842e7a67889..ae6e4dd7859b3 100644
--- a/source/extensions/retry/host/previous_hosts/BUILD
+++ b/source/extensions/retry/host/previous_hosts/BUILD
@@ -21,8 +21,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.retry_host_predicates",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":previous_hosts_predicate_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/retry/priority/previous_priorities/BUILD b/source/extensions/retry/priority/previous_priorities/BUILD
index ae736299dc7f1..6a1da9eba67dc 100644
--- a/source/extensions/retry/priority/previous_priorities/BUILD
+++ b/source/extensions/retry/priority/previous_priorities/BUILD
@@ -23,8 +23,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.retry_priorities",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":previous_priorities_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/stat_sinks/dog_statsd/BUILD b/source/extensions/stat_sinks/dog_statsd/BUILD
index a9a269862dd39..7105afc19f24d 100644
--- a/source/extensions/stat_sinks/dog_statsd/BUILD
+++ b/source/extensions/stat_sinks/dog_statsd/BUILD
@@ -15,8 +15,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.stats_sinks",
- security_posture = "data_plane_agnostic",
 deps = [
 "//include/envoy/registry",
 "//source/common/network:address_lib",
diff --git a/source/extensions/stat_sinks/hystrix/BUILD b/source/extensions/stat_sinks/hystrix/BUILD
index 1566d97c6de1f..58fa5ed5ea4b4 100644
--- a/source/extensions/stat_sinks/hystrix/BUILD
+++ b/source/extensions/stat_sinks/hystrix/BUILD
@@ -15,8 +15,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.stats_sinks",
- security_posture = "data_plane_agnostic",
 deps = [
 ":hystrix_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/stat_sinks/metrics_service/BUILD b/source/extensions/stat_sinks/metrics_service/BUILD
index 28afad7f25ac9..9b95a7760ae4e 100644
--- a/source/extensions/stat_sinks/metrics_service/BUILD
+++ b/source/extensions/stat_sinks/metrics_service/BUILD
@@ -43,8 +43,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.stats_sinks",
- security_posture = "data_plane_agnostic",
 deps = [
 "//include/envoy/registry",
 "//source/common/common:assert_lib",
diff --git a/source/extensions/stat_sinks/statsd/BUILD b/source/extensions/stat_sinks/statsd/BUILD
index 8d4c70c3131ab..cdfaddf114db5 100644
--- a/source/extensions/stat_sinks/statsd/BUILD
+++ b/source/extensions/stat_sinks/statsd/BUILD
@@ -14,8 +14,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.stats_sinks",
- security_posture = "data_plane_agnostic",
 # Legacy test use. TODO(#9953) clean up.
 deps = [
 "//include/envoy/registry",
diff --git a/source/extensions/stat_sinks/wasm/BUILD b/source/extensions/stat_sinks/wasm/BUILD
index 6c6b6523bb801..e8ee99ab1f29b 100644
--- a/source/extensions/stat_sinks/wasm/BUILD
+++ b/source/extensions/stat_sinks/wasm/BUILD
@@ -15,9 +15,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.stats_sinks",
- security_posture = "data_plane_agnostic",
- status = "alpha",
 deps = [
 ":wasm_stat_sink_lib",
 "//include/envoy/registry",
diff --git a/source/extensions/tracers/datadog/BUILD b/source/extensions/tracers/datadog/BUILD
index 164a1d73c1f94..0c314374f9683 100644
--- a/source/extensions/tracers/datadog/BUILD
+++ b/source/extensions/tracers/datadog/BUILD
@@ -34,8 +34,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.tracers",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":datadog_tracer_lib",
 "//source/extensions/tracers/common:factory_base_lib",
diff --git a/source/extensions/tracers/dynamic_ot/BUILD b/source/extensions/tracers/dynamic_ot/BUILD
index c7ce76f3267f2..8a3bb1937ed38 100644
--- a/source/extensions/tracers/dynamic_ot/BUILD
+++ b/source/extensions/tracers/dynamic_ot/BUILD
@@ -29,8 +29,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.tracers",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":dynamic_opentracing_driver_lib",
 "//source/extensions/tracers/common:factory_base_lib",
diff --git a/source/extensions/tracers/lightstep/BUILD b/source/extensions/tracers/lightstep/BUILD
index 72f4ff80f1461..3c9cf3c57e0dc 100644
--- a/source/extensions/tracers/lightstep/BUILD
+++ b/source/extensions/tracers/lightstep/BUILD
@@ -35,8 +35,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.tracers",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":lightstep_tracer_lib",
 "//source/common/config:datasource_lib",
diff --git a/source/extensions/tracers/opencensus/BUILD b/source/extensions/tracers/opencensus/BUILD
index a1c414cca9d7e..f661bed6ddf62 100644
--- a/source/extensions/tracers/opencensus/BUILD
+++ b/source/extensions/tracers/opencensus/BUILD
@@ -16,8 +16,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.tracers",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":opencensus_tracer_impl",
 "//source/extensions/tracers/common:factory_base_lib",
diff --git a/source/extensions/tracers/skywalking/BUILD b/source/extensions/tracers/skywalking/BUILD
index 41da2c3f61f37..1265cd752cfaf 100644
--- a/source/extensions/tracers/skywalking/BUILD
+++ b/source/extensions/tracers/skywalking/BUILD
@@ -67,9 +67,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.tracers",
- security_posture = "robust_to_untrusted_downstream",
- status = "wip",
 deps = [
 ":skywalking_tracer_lib",
 "//source/common/config:datasource_lib",
diff --git a/source/extensions/tracers/xray/BUILD b/source/extensions/tracers/xray/BUILD
index 797e8a84e407d..8048e35897e55 100644
--- a/source/extensions/tracers/xray/BUILD
+++ b/source/extensions/tracers/xray/BUILD
@@ -58,8 +58,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.tracers",
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":xray_lib",
 "//source/common/config:datasource_lib",
diff --git a/source/extensions/tracers/zipkin/BUILD b/source/extensions/tracers/zipkin/BUILD
index 34e00329e121a..0c39a41bf535a 100644
--- a/source/extensions/tracers/zipkin/BUILD
+++ b/source/extensions/tracers/zipkin/BUILD
@@ -67,12 +67,10 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.tracers",
 # Legacy test use. TODO(#9953) clean up.
 extra_visibility = [
 "//test/server:__subpackages__",
 ],
- security_posture = "robust_to_untrusted_downstream",
 deps = [
 ":zipkin_lib",
 "//source/extensions/tracers/common:factory_base_lib",
diff --git a/source/extensions/transport_sockets/alts/BUILD b/source/extensions/transport_sockets/alts/BUILD
index 587e9a2ecf29d..3e393a3781cc8 100644
--- a/source/extensions/transport_sockets/alts/BUILD
+++ b/source/extensions/transport_sockets/alts/BUILD
@@ -34,14 +34,9 @@ envoy_cc_extension(
 hdrs = [
 "config.h",
 ],
- category = (
- "envoy.transport_sockets.downstream",
- "envoy.transport_sockets.upstream",
- ),
 external_deps = [
 "abseil_node_hash_set",
 ],
- security_posture = "robust_to_untrusted_downstream_and_upstream",
 deps = [
 ":tsi_handshaker",
 ":tsi_socket",
diff --git a/source/extensions/transport_sockets/proxy_protocol/BUILD b/source/extensions/transport_sockets/proxy_protocol/BUILD
index e268b828524c3..403fb996e900c 100644
--- a/source/extensions/transport_sockets/proxy_protocol/BUILD
+++ b/source/extensions/transport_sockets/proxy_protocol/BUILD
@@ -13,10 +13,6 @@ envoy_cc_extension(
 name = "upstream_config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = (
- "envoy.transport_sockets.upstream",
- ),
- security_posture = "robust_to_untrusted_downstream_and_upstream", # header generated in Envoy, so can't be faked
 deps = [
 ":upstream_proxy_protocol",
 "//include/envoy/network:transport_socket_interface",
diff --git a/source/extensions/transport_sockets/raw_buffer/BUILD b/source/extensions/transport_sockets/raw_buffer/BUILD
index 94a2bee0a980a..9c9ad99107d71 100644
--- a/source/extensions/transport_sockets/raw_buffer/BUILD
+++ b/source/extensions/transport_sockets/raw_buffer/BUILD
@@ -14,11 +14,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = (
- "envoy.transport_sockets.downstream",
- "envoy.transport_sockets.upstream",
- ),
- security_posture = "requires_trusted_downstream_and_upstream",
 # This is core Envoy config.
 visibility = ["//visibility:public"],
 deps = [
diff --git a/source/extensions/transport_sockets/starttls/BUILD b/source/extensions/transport_sockets/starttls/BUILD
index f3414c9837e37..31b016d9d97cc 100644
--- a/source/extensions/transport_sockets/starttls/BUILD
+++ b/source/extensions/transport_sockets/starttls/BUILD
@@ -15,11 +15,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = (
- "envoy.transport_sockets.downstream",
- "envoy.transport_sockets.upstream",
- ),
- security_posture = "robust_to_untrusted_downstream_and_upstream",
 visibility = ["//visibility:public"],
 deps = [
 ":starttls_socket_lib",
diff --git a/source/extensions/transport_sockets/tap/BUILD b/source/extensions/transport_sockets/tap/BUILD
index e97cb4f1255c3..6875dfe77b82e 100644
--- a/source/extensions/transport_sockets/tap/BUILD
+++ b/source/extensions/transport_sockets/tap/BUILD
@@ -51,17 +51,11 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = (
- "envoy.transport_sockets.downstream",
- "envoy.transport_sockets.upstream",
- ),
 # TODO(#9953) clean up.
 extra_visibility = [
 "//test/common/access_log:__subpackages__",
 "//test/integration:__subpackages__",
 ],
- security_posture = "requires_trusted_downstream_and_upstream",
- status = "alpha",
 deps = [
 ":tap_config_impl",
 ":tap_lib",
diff --git a/source/extensions/transport_sockets/tls/BUILD b/source/extensions/transport_sockets/tls/BUILD
index 29dfa2be2a9dc..766ba6ff34914 100644
--- a/source/extensions/transport_sockets/tls/BUILD
+++ b/source/extensions/transport_sockets/tls/BUILD
@@ -15,11 +15,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = (
- "envoy.transport_sockets.downstream",
- "envoy.transport_sockets.upstream",
- ),
- security_posture = "robust_to_untrusted_downstream_and_upstream",
 # TLS is core functionality.
 visibility = ["//visibility:public"],
 deps = [
diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
index d6f74254f3a07..812d2f17b7d1c 100644
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
+++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/BUILD
@@ -16,14 +16,11 @@ envoy_cc_extension(
 hdrs = [
 "spiffe_validator.h",
 ],
- category = "envoy.tls.cert_validator",
 external_deps = [
 "ssl",
 "abseil_base",
 "abseil_hash",
 ],
- security_posture = "unknown",
- status = "wip",
 visibility = ["//visibility:public"],
 deps = [
 "//include/envoy/ssl:context_config_interface",
diff --git a/source/extensions/upstreams/http/BUILD b/source/extensions/upstreams/http/BUILD
index 198a0b12b4fc1..247274b2fa85b 100644
--- a/source/extensions/upstreams/http/BUILD
+++ b/source/extensions/upstreams/http/BUILD
@@ -12,8 +12,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.upstreams",
- security_posture = "robust_to_untrusted_downstream",
 # This is core Envoy config.
 visibility = ["//visibility:public"],
 deps = [
diff --git a/source/extensions/upstreams/http/generic/BUILD b/source/extensions/upstreams/http/generic/BUILD
index 1e2c0d2119e7a..759f4626f205b 100644
--- a/source/extensions/upstreams/http/generic/BUILD
+++ b/source/extensions/upstreams/http/generic/BUILD
@@ -16,8 +16,6 @@ envoy_cc_extension(
 hdrs = [
 "config.h",
 ],
- category = "envoy.upstreams",
- security_posture = "robust_to_untrusted_downstream",
 visibility = ["//visibility:public"],
 deps = [
 "//source/extensions/upstreams/http/http:upstream_request_lib",
diff --git a/source/extensions/upstreams/http/http/BUILD b/source/extensions/upstreams/http/http/BUILD
index 132d065cabb3b..4a4bd1be575f0 100644
--- a/source/extensions/upstreams/http/http/BUILD
+++ b/source/extensions/upstreams/http/http/BUILD
@@ -17,8 +17,6 @@ envoy_cc_extension(
 hdrs = [
 "config.h",
 ],
- category = "envoy.upstreams",
- security_posture = "robust_to_untrusted_downstream",
 visibility = ["//visibility:public"],
 deps = [
 ":upstream_request_lib",
diff --git a/source/extensions/upstreams/http/tcp/BUILD b/source/extensions/upstreams/http/tcp/BUILD
index 46169ea4b14cc..95b2d94dbae47 100644
--- a/source/extensions/upstreams/http/tcp/BUILD
+++ b/source/extensions/upstreams/http/tcp/BUILD
@@ -17,8 +17,6 @@ envoy_cc_extension(
 hdrs = [
 "config.h",
 ],
- category = "envoy.upstreams",
- security_posture = "robust_to_untrusted_downstream",
 visibility = ["//visibility:public"],
 deps = [
 ":upstream_request_lib",
diff --git a/source/extensions/upstreams/tcp/generic/BUILD b/source/extensions/upstreams/tcp/generic/BUILD
index 2320d1ea51ef1..673d44aeae318 100644
--- a/source/extensions/upstreams/tcp/generic/BUILD
+++ b/source/extensions/upstreams/tcp/generic/BUILD
@@ -16,8 +16,6 @@ envoy_cc_extension(
 hdrs = [
 "config.h",
 ],
- category = "envoy.upstreams",
- security_posture = "robust_to_untrusted_downstream",
 visibility = ["//visibility:public"],
 deps = [
 "//source/common/http:codec_client_lib",
diff --git a/source/extensions/wasm_runtime/null/BUILD b/source/extensions/wasm_runtime/null/BUILD
index e66dce75d6f3d..1dbb4846e20b4 100644
--- a/source/extensions/wasm_runtime/null/BUILD
+++ b/source/extensions/wasm_runtime/null/BUILD
@@ -11,9 +11,6 @@ envoy_extension_package()
 envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
- category = "envoy.wasm.runtime",
- security_posture = "unknown",
- status = "alpha",
 deps = [
 "//include/envoy/registry",
 "//source/extensions/common/wasm:wasm_runtime_factory_interface",
diff --git a/source/extensions/wasm_runtime/v8/BUILD b/source/extensions/wasm_runtime/v8/BUILD
index 8024375f64463..45dd6833558f5 100644
--- a/source/extensions/wasm_runtime/v8/BUILD
+++ b/source/extensions/wasm_runtime/v8/BUILD
@@ -12,9 +12,6 @@ envoy_extension_package()
 envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
- category = "envoy.wasm.runtime",
- security_posture = "unknown",
- status = "alpha",
 deps = [
 "//include/envoy/registry",
 "//source/extensions/common/wasm:wasm_runtime_factory_interface",
diff --git a/source/extensions/wasm_runtime/wasmtime/BUILD b/source/extensions/wasm_runtime/wasmtime/BUILD
index 47923bd0caa34..83ee6552fe39a 100644
--- a/source/extensions/wasm_runtime/wasmtime/BUILD
+++ b/source/extensions/wasm_runtime/wasmtime/BUILD
@@ -12,9 +12,6 @@ envoy_extension_package()
 envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
- category = "envoy.wasm.runtime",
- security_posture = "unknown",
- status = "alpha",
 deps = [
 "//include/envoy/registry",
 "//source/extensions/common/wasm:wasm_runtime_factory_interface",
diff --git a/source/extensions/wasm_runtime/wavm/BUILD b/source/extensions/wasm_runtime/wavm/BUILD
index f2b8c69ae785d..cca25e7aaace4 100644
--- a/source/extensions/wasm_runtime/wavm/BUILD
+++ b/source/extensions/wasm_runtime/wavm/BUILD
@@ -12,9 +12,6 @@ envoy_extension_package()
 envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
- category = "envoy.wasm.runtime",
- security_posture = "unknown",
- status = "alpha",
 deps = [
 "//include/envoy/registry",
 "//source/extensions/common/wasm:wasm_runtime_factory_interface",
diff --git a/source/extensions/watchdog/profile_action/BUILD b/source/extensions/watchdog/profile_action/BUILD
index 8da916b007ad9..6c0ab2f392d6a 100644
--- a/source/extensions/watchdog/profile_action/BUILD
+++ b/source/extensions/watchdog/profile_action/BUILD
@@ -33,9 +33,6 @@ envoy_cc_extension(
 name = "config",
 srcs = ["config.cc"],
 hdrs = ["config.h"],
- category = "envoy.guarddog_actions",
- security_posture = "data_plane_agnostic",
- status = "alpha",
 deps = [
 ":profile_action_lib",
 "//include/envoy/registry",
diff --git a/test/extensions/filters/network/common/fuzz/BUILD b/test/extensions/filters/network/common/fuzz/BUILD
index 41b2869c3d84e..c27cea334c5a2 100644
--- a/test/extensions/filters/network/common/fuzz/BUILD
+++ b/test/extensions/filters/network/common/fuzz/BUILD
@@ -12,6 +12,10 @@ load(
 licenses(["notice"]) # Apache 2
+exports_files([
+ "uber_per_readfilter.cc",
+])
+
 envoy_package()
 envoy_proto_library(
diff --git a/tools/dependency/validate.py b/tools/dependency/validate.py
index 032852e31a6e6..bc5281ebe5b8c 100755
--- a/tools/dependency/validate.py
+++ b/tools/dependency/validate.py
@@ -152,7 +152,7 @@ def list_extensions(self):
 Returns:
 Dictionary items from source/extensions/extensions_build_config.bzl.
 """
- return extensions_build_config.EXTENSIONS.items()
+ return [(k, v["source"]) for k, v in extensions_build_config.EXTENSIONS.items()]
 class Validator(object):
diff --git a/tools/docs/BUILD b/tools/docs/BUILD
new file mode 100644
index 0000000000000..1d17258e577ea
--- /dev/null
+++ b/tools/docs/BUILD
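Review bot: In `list_extensions` (tools/dependency/validate.py) the docstring's `Returns:` text still reads `Dictionary items from source/extensions/extensions_build_config.bzl.`, but the new return line builds a list of `(name, source)` pairs, so the text should become something like `List of (extension name, source target) tuples from source/extensions/extensions_build_config.bzl.`. The comprehension also indexes `v["source"]` directly, so an `EXTENSIONS` entry without that key would stop dependency validation with a bare `KeyError` that does not name the extension; if that can occur, an error that includes `k` would make the failure actionable. The start of `list_extensions` is outside the hunk.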
@@ -0,0 +1,14 @@
+load("@rules_python//python:defs.bzl", "py_binary")
+load("//bazel:envoy_build_system.bzl", "envoy_package")
+
+licenses(["notice"]) # Apache 2
+
+envoy_package()
+
+py_binary(
+ name = "generate_extension_rst",
+ srcs = ["generate_extension_rst.py"],
+ args = ["$(location //tools/extensions:extension_db)"],
+ data = ["//tools/extensions:extension_db"],
+ visibility = ["//visibility:public"],
+)
diff --git a/tools/extensions/generate_extension_rst.py b/tools/docs/generate_extension_rst.py
similarity index 68%
rename from tools/extensions/generate_extension_rst.py
rename to tools/docs/generate_extension_rst.py
index 9199873f7079c..79d85b8cbb807 100644
--- a/tools/extensions/generate_extension_rst.py
+++ b/tools/docs/generate_extension_rst.py
@@ -6,7 +6,7 @@
 import json
 import os
 import pathlib
-import subprocess
+import sys
 def format_item(extension, metadata):
@@ -20,20 +20,9 @@ def format_item(extension, metadata):
 if __name__ == '__main__':
- try:
- generated_rst_dir = os.environ["GENERATED_RST_DIR"]
- except KeyError:
- raise SystemExit(
- "Path to an output directory must be specified with GENERATED_RST_DIR env var")
+ extension_db_path = sys.argv[1]
+ generated_rst_dir = sys.argv[2]
 security_rst_root = os.path.join(generated_rst_dir, "intro/arch_overview/security")
-
- try:
- extension_db_path = os.environ["EXTENSION_DB_PATH"]
- except KeyError:
- raise SystemExit(
- "Path to a json extension db must be specified with EXTENSION_DB_PATH env var")
- if not os.path.exists(extension_db_path):
- subprocess.run("tools/extensions/generate_extension_db".split(), check=True)
 extension_db = json.loads(pathlib.Path(extension_db_path).read_text())
 pathlib.Path(security_rst_root).mkdir(parents=True, exist_ok=True)
diff --git a/tools/extensions/BUILD b/tools/extensions/BUILD
index 43f21c21d2075..7ae377036f076 100644
--- a/tools/extensions/BUILD
+++ b/tools/extensions/BUILD
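Review bot: The new `sys.argv[1]` and `sys.argv[2]` reads in the `__main__` block of tools/docs/generate_extension_rst.py have no argument-count check, so a missing argument now ends in an `IndexError` traceback where the removed code exited with a message naming what was missing. The `py_binary` added in tools/docs/BUILD passes only the extension db location through `args`, so the output directory always has to come from the caller. I would add `if len(sys.argv) != 3:` followed by `raise SystemExit("usage: generate_extension_rst <extension_db.json> <output_dir>")` ahead of the two assignments. The `__main__` block appears to continue past the end of the hunk.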
@@ -1,6 +1,5 @@
 load("@rules_python//python:defs.bzl", "py_binary")
 load("//bazel:envoy_build_system.bzl", "envoy_package")
-load("//source/extensions:all_extensions.bzl", "envoy_all_extensions")
 licenses(["notice"]) # Apache 2
@@ -9,17 +8,15 @@ envoy_package()
 py_binary(
 name = "generate_extension_db",
 srcs = ["generate_extension_db.py"],
- data = [
- "@com_github_bazelbuild_buildtools//buildozer:buildozer",
- ] + envoy_all_extensions(),
- python_version = "PY3",
- srcs_version = "PY3",
- visibility = ["//visibility:public"],
 )
-py_binary(
- name = "generate_extension_rst",
- srcs = ["generate_extension_rst.py"],
- data = [":generate_extension_db"],
- visibility = ["//visibility:public"],
+genrule(
+ name = "extension_db",
+ outs = ["extension_db.json"],
+ cmd = "$(location :generate_extension_db) > $@",
+ tools = [
+ ":generate_extension_db",
+ "//source/extensions:extensions_build_config.bzl",
+ "//test/extensions/filters/network/common/fuzz:uber_per_readfilter.cc",
+ ],
 )
diff --git a/tools/extensions/generate_extension_db.py b/tools/extensions/generate_extension_db.py
index ec689e701e010..2b19b4dcf0f39 100644
--- a/tools/extensions/generate_extension_db.py
+++ b/tools/extensions/generate_extension_db.py
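Review bot: The `extension_db` genrule in tools/extensions/BUILD lists `//source/extensions:extensions_build_config.bzl` and `//test/extensions/filters/network/common/fuzz:uber_per_readfilter.cc` under `tools`, although both look like files the script reads, not executables it runs; `srcs = [...]` for those two and `tools = [":generate_extension_db"]` would state that intent. Neither label appears in `cmd`, so the dependency on them is invisible at the point of use. A comment above `cmd` such as `# The script opens both inputs by workspace-relative path and prints the JSON db to stdout.` would record that, assuming the `> $@` redirect is the only output channel.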
@@ -3,40 +3,19 @@
 # Generate an extension database, a JSON file mapping from qualified well known
 # extension name to metadata derived from the envoy_cc_extension target.
-# This script expects a copy of the envoy source to be located at /source
-# Alternatively, you can specify a path to the source dir with `ENVOY_SRCDIR`
-
-# You must specify the target file to save the generated json db to.
-# You can do this either as an arg to this script/target or with the env var
-# `EXTENSION_DB_PATH`
-
-import ast
 import json
-import os
 import pathlib
 import re
-import subprocess
 import sys
 from importlib.util import spec_from_loader, module_from_spec
 from importlib.machinery import SourceFileLoader
-BUILDOZER_PATH = os.path.abspath(
- "external/com_github_bazelbuild_buildtools/buildozer/buildozer_/buildozer")
-
-ENVOY_SRCDIR = os.getenv('ENVOY_SRCDIR', '/source')
-
-if not os.path.exists(ENVOY_SRCDIR):
- raise SystemExit(
- "Envoy source must either be located at /source, or ENVOY_SRCDIR env var must be set")
-
 # source/extensions/extensions_build_config.bzl must have a .bzl suffix for Starlark
 # import, so we are forced to do this workaround.
 _extensions_build_config_spec = spec_from_loader(
 'extensions_build_config',
- SourceFileLoader(
- 'extensions_build_config',
- os.path.join(ENVOY_SRCDIR, 'source/extensions/extensions_build_config.bzl')))
+ SourceFileLoader('extensions_build_config', 'source/extensions/extensions_build_config.bzl'))
 extensions_build_config = module_from_spec(_extensions_build_config_spec)
 _extensions_build_config_spec.loader.exec_module(extensions_build_config)
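Review bot: The `SourceFileLoader` call now takes the bare relative path `'source/extensions/extensions_build_config.bzl'`, and `exec_module` then runs that file as Python, so which file gets executed depends on the process working directory; the following `num_read_filters_fuzzed` hunk has the same dependency for `uber_per_readfilter.cc`. The removed header comment and the `ENVOY_SRCDIR` existence check were the only place the source location was explained, and nothing replaces them. I would add a comment above the loader such as `# Paths are relative to the working directory; run this through the //tools/extensions:extension_db genrule.`. Since the .bzl file is executed, not parsed, it is also worth stating there that it must stay limited to plain literal assignments.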
@@ -45,15 +24,9 @@ class ExtensionDbError(Exception):
 pass
-def is_missing(value):
- return value == '(missing)'
-
-
 def num_read_filters_fuzzed():
 data = pathlib.Path(
- os.path.join(
- ENVOY_SRCDIR,
- 'test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc')).read_text()
+ 'test/extensions/filters/network/common/fuzz/uber_per_readfilter.cc').read_text()
 # Hack-ish! We only search the first 50 lines to capture the filters in filterNames().
 return len(re.findall('NetworkFilterNames::get()', ''.join(data.splitlines()[:50])))
@@ -66,68 +39,33 @@ def num_robust_to_downstream_network_filters(db): ]) -def get_extension_metadata(target): - if not BUILDOZER_PATH: - raise ExtensionDbError('Buildozer not found!') - r = subprocess.run( - [BUILDOZER_PATH, '-stdout', 'print security_posture status undocumented category', target], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - rout = r.stdout.decode('utf-8').strip().split(' ') - security_posture, status, undocumented = rout[:3] - categories = ' '.join(rout[3:]) - if is_missing(security_posture): +def validate_extension(name, extension): + if not extension.get("security_posture"): raise ExtensionDbError( - 'Missing security posture for %s. Please make sure the target is an envoy_cc_extension and security_posture is set' - % target) - if is_missing(categories): + f"Missing security posture for {name}. " + "Please make sure the target is an envoy_cc_extension and security_posture is set") + + if not extension.get("categories"): raise ExtensionDbError( - 'Missing extension category for %s. Please make sure the target is an envoy_cc_extension and category is set' - % target) - # evaluate tuples/lists - # wrap strings in a list - categories = ( - ast.literal_eval(categories) if ('[' in categories or '(' in categories) else [categories]) - return { - 'security_posture': security_posture, - 'undocumented': False if is_missing(undocumented) else bool(undocumented), - 'status': 'stable' if is_missing(status) else status, - 'categories': categories, - } + f"Missing extension categories for {name}. 
" + "Please make sure the target is an envoy_cc_extension and category is set") if __name__ == '__main__': - try: - output_path = os.getenv("EXTENSION_DB_PATH") or sys.argv[1] - except IndexError: - raise SystemExit( - "Output path must be either specified as arg or with EXTENSION_DB_PATH env var") - extension_db = {} # Include all extensions from source/extensions/extensions_build_config.bzl - all_extensions = {} - all_extensions.update(extensions_build_config.EXTENSIONS) - for extension, target in all_extensions.items(): - extension_db[extension] = get_extension_metadata(target) + for name, extension in extensions_build_config.EXTENSIONS.items(): + # //source/extensions/common/crypto:utility_lib has been added to `EXTENSIONS` + # but unlike the `builtin` extensions was not originally included here so has been excluded + if extension["categories"] == ["DELIBERATELY_OMITTED"]: + continue + extension_db[name] = dict(undocumented=False, status="stable") + extension_db[name].update(extension) + validate_extension(name, extension_db[name]) if num_robust_to_downstream_network_filters(extension_db) != num_read_filters_fuzzed(): raise ExtensionDbError( 'Check that all network filters robust against untrusted' 'downstreams are fuzzed by adding them to filterNames() in' 'test/extensions/filters/network/common/uber_per_readfilter.cc') - # The TLS and generic upstream extensions are hard-coded into the build, so - # not in source/extensions/extensions_build_config.bzl - # TODO(mattklein123): Read these special keys from all_extensions.bzl or a shared location to - # avoid duplicate logic. 
- extension_db['envoy.transport_sockets.tls'] = get_extension_metadata( - '//source/extensions/transport_sockets/tls:config') - extension_db['envoy.upstreams.http.generic'] = get_extension_metadata( - '//source/extensions/upstreams/http/generic:config') - extension_db['envoy.upstreams.tcp.generic'] = get_extension_metadata( - '//source/extensions/upstreams/tcp/generic:config') - extension_db['envoy.upstreams.http.http_protocol_options'] = get_extension_metadata( - '//source/extensions/upstreams/http:config') - extension_db['envoy.request_id.uuid'] = get_extension_metadata( - '//source/extensions/request_id/uuid:config') - - pathlib.Path(os.path.dirname(output_path)).mkdir(parents=True, exist_ok=True) - pathlib.Path(output_path).write_text(json.dumps(extension_db)) + + sys.stdout.write(json.dumps(extension_db)) diff --git a/tools/protodoc/BUILD b/tools/protodoc/BUILD index d9eeb6ac203fb..c0e494ba32976 100644 --- a/tools/protodoc/BUILD +++ b/tools/protodoc/BUILD @@ -24,6 +24,7 @@ py_binary( data = [ "//docs:protodoc_manifest.yaml", "//docs:v2_mapping.json", + "//tools/extensions:extension_db", ], visibility = ["//visibility:public"], deps = [ diff --git a/tools/protodoc/protodoc.py b/tools/protodoc/protodoc.py index 74141e011c6fe..26582693094c9 100755 --- a/tools/protodoc/protodoc.py +++ b/tools/protodoc/protodoc.py @@ -6,8 +6,6 @@ from collections import defaultdict import json import functools -import os -import pathlib import sys from google.protobuf import json_format @@ -115,7 +113,10 @@ 'This extension is work-in-progress. Functionality is incomplete and it is not intended for production use.', } -EXTENSION_DB = json.loads(pathlib.Path(os.getenv('EXTENSION_DB_PATH')).read_text()) +r = runfiles.Create() + +with open(r.Rlocation('envoy/tools/extensions/extension_db.json'), 'r') as f: + EXTENSION_DB = json.load(f) # create an index of extension categories from extension db EXTENSION_CATEGORIES = {} 
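Review bot: In the `__main__` loop, `extension["categories"]` is indexed before `validate_extension()` runs, so an entry with no `categories` key fails with a `KeyError` and never reaches the `ExtensionDbError` written for that case. Changing the test to `if extension.get("categories") == ["DELIBERATELY_OMITTED"]:` keeps the skip and lets the validator report the missing key. `validate_extension()` also checks only that `security_posture` and `categories` are present, while the same commit removes the membership checks against `EXTENSION_SECURITY_POSTURES`, `EXTENSION_CATEGORIES` and `EXTENSION_STATUS_VALUES` from `envoy_cc_extension`. Unless those values are enforced somewhere not shown here, a misspelled posture would be accepted, and would presumably also drop out of the count that `num_robust_to_downstream_network_filters()` compares with the fuzzed filters.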
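Review bot: The module-level `r = runfiles.Create()` added above `EXTENSION_DB` in protodoc.py is a one-letter global that `RstFormatVisitor.__init__` (the later `-656` hunk) now depends on implicitly. A descriptive name such as `_RUNFILES` would make that dependency visible where it is used. `Rlocation()` may return `None` when the runfile is not listed, in which case `open()` fails with an unhelpful `TypeError`. A short check whose message names `//tools/extensions:extension_db` would make a missing data dependency obvious. The body of `__init__` in the later hunk continues outside it.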
@@ -656,7 +657,6 @@ class RstFormatVisitor(visitor.Visitor): """ def __init__(self): - r = runfiles.Create() with open(r.Rlocation('envoy/docs/v2_mapping.json'), 'r') as f: self.v2_mapping = json.load(f)