envoyproxy · phlax · May 14, 2021 · May 13, 2021 · May 16, 2021 · May 16, 2021
diff --git a/bazel/envoy_library.bzl b/bazel/envoy_library.bzl
@@ -115,27 +115,10 @@ EXTENSION_STATUS_VALUES = [
 
 def envoy_cc_extension(
         name,
-        security_posture,
-        category = None,
-        # Only set this for internal, undocumented extensions.
-        undocumented = False,
-        status = "stable",
         tags = [],
         extra_visibility = [],
         visibility = EXTENSION_CONFIG_VISIBILITY,
         **kwargs):
-    if not category:
-        fail("Category not set for %s" % name)
-    if type(category) == "string":
-        category = (category,)
-    for cat in category:
-        if cat not in EXTENSION_CATEGORIES:
-            fail("Unknown extension category for %s: %s" %
-                 (name, cat))
-    if security_posture not in EXTENSION_SECURITY_POSTURES:
-        fail("Unknown extension security posture: " + security_posture)
-    if status not in EXTENSION_STATUS_VALUES:
-        fail("Unknown extension status: " + status)
     if "//visibility:public" not in visibility:
         visibility = visibility + extra_visibility
 

@@ -1,15 +1,33 @@
 # Should match https://github.com/envoyproxy/envoy-mobile/blob/main/envoy_build_config/extensions_build_config.bzl
 # TODO(mattklein123): Actually pull this file from that repo and remove the envoy mobile specific filters.
 EXTENSIONS = {
-    "envoy.clusters.dynamic_forward_proxy": "//source/extensions/clusters/dynamic_forward_proxy:cluster",
-    "envoy.filters.connection_pools.http.generic": "//source/extensions/upstreams/http/generic:config",
-    "envoy.filters.http.buffer": "//source/extensions/filters/http/buffer:config",
-    "envoy.filters.http.dynamic_forward_proxy": "//source/extensions/filters/http/dynamic_forward_proxy:config",
-    "envoy.filters.http.router": "//source/extensions/filters/http/router:config",
-    "envoy.filters.network.http_connection_manager": "//source/extensions/filters/network/http_connection_manager:config",
-    "envoy.stat_sinks.metrics_service": "//source/extensions/stat_sinks/metrics_service:config",
-    "envoy.transport_sockets.raw_buffer": "//source/extensions/transport_sockets/raw_buffer:config",
-    "envoy.transport_sockets.tls": "//source/extensions/transport_sockets/tls:config",
+    "envoy.clusters.dynamic_forward_proxy": {
+        "source": "//source/extensions/clusters/dynamic_forward_proxy:cluster",
+    },
+    "envoy.filters.connection_pools.http.generic": {
+        "source": "//source/extensions/upstreams/http/generic:config",
+    },
+    "envoy.filters.http.buffer": {
+        "source": "//source/extensions/filters/http/buffer:config",
+    },
+    "envoy.filters.http.dynamic_forward_proxy": {
+        "source": "//source/extensions/filters/http/dynamic_forward_proxy:config",
+    },
+    "envoy.filters.http.router": {
+        "source": "//source/extensions/filters/http/router:config",
+    },
+    "envoy.filters.network.http_connection_manager": {
+        "source": "//source/extensions/filters/network/http_connection_manager:config",
+    },
+    "envoy.stat_sinks.metrics_service": {
+        "source": "//source/extensions/stat_sinks/metrics_service:config",
+    },
+    "envoy.transport_sockets.raw_buffer": {
+        "source": "//source/extensions/transport_sockets/raw_buffer:config",
+    },
+    "envoy.transport_sockets.tls": {
+        "source": "//source/extensions/transport_sockets/tls:config",
+    },
 }
 WINDOWS_EXTENSIONS = {}
 EXTENSION_CONFIG_VISIBILITY = ["//:extension_config"]

diff --git a/docs/build.sh b/docs/build.sh
@@ -79,7 +79,7 @@ BAZEL_BUILD_OPTIONS+=(
 
 # Generate RST for the lists of trusted/untrusted extensions in
 # intro/arch_overview/security docs.
-bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/extensions:generate_extension_rst
+bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/docs:generate_extension_rst -- "${GENERATED_RST_DIR}"
 
 # Generate RST for external dependency docs in intro/arch_overview/security.
 bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/dependency:generate_external_dep_rst

diff --git a/source/extensions/BUILD b/source/extensions/BUILD
@@ -1 +1,5 @@
 licenses(["notice"])  # Apache 2
+
+exports_files([
+    "extensions_build_config.bzl",
+])
@@ -15,12 +15,10 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
-    category = "envoy.access_loggers",
     # TODO(#9953) determine if this is core or should be cleaned up.
     extra_visibility = [
         "//test:__subpackages__",
     ],
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         "//include/envoy/registry",
         "//source/common/config:config_provider_lib",

@@ -97,13 +97,11 @@ envoy_cc_extension(
     name = "http_config",
     srcs = ["http_config.cc"],
     hdrs = ["http_config.h"],
-    category = "envoy.access_loggers",
     # TODO(#9953) clean up.
     extra_visibility = [
         "//test/common/access_log:__subpackages__",
         "//test/integration:__subpackages__",
     ],
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         ":config_utils",
         "//include/envoy/server:access_log_config_interface",
@@ -121,13 +119,11 @@ envoy_cc_extension(
     name = "tcp_config",
     srcs = ["tcp_config.cc"],
     hdrs = ["tcp_config.h"],
-    category = "envoy.access_loggers",
     # TODO(#9953) clean up.
     extra_visibility = [
         "//test/common/access_log:__subpackages__",
         "//test/integration:__subpackages__",
     ],
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         ":config_utils",
         "//include/envoy/server:access_log_config_interface",

@@ -61,13 +61,11 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
-    category = "envoy.access_loggers",
     # TODO(#9953) clean up.
     extra_visibility = [
         "//test/common/access_log:__subpackages__",
         "//test/integration:__subpackages__",
     ],
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         "//include/envoy/server:access_log_config_interface",
         "//source/common/common:assert_lib",

@@ -12,11 +12,9 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
-    category = "envoy.access_loggers",
     extra_visibility = [
         "//test:__subpackages__",
     ],
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         "//include/envoy/registry",
         "//source/common/config:config_provider_lib",

@@ -26,9 +26,6 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
-    category = "envoy.access_loggers",
-    security_posture = "unknown",
-    status = "alpha",
     deps = [
         ":wasm_access_log_lib",
         "//include/envoy/registry",

diff --git a/source/extensions/all_extensions.bzl b/source/extensions/all_extensions.bzl
@@ -1,49 +1,31 @@
-load("@bazel_skylib//lib:dicts.bzl", "dicts")
 load("@envoy_build_config//:extensions_build_config.bzl", "EXTENSIONS")
 
-# These extensions are registered using the extension system but are required for the core Envoy build.
-# The map may be overridden by extensions specified in envoy_build_config.
-_required_extensions = {
-    "envoy.common.crypto.utility_lib": "//source/extensions/common/crypto:utility_lib",
-    "envoy.request_id.uuid": "//source/extensions/request_id/uuid:config",
-    "envoy.transport_sockets.tls": "//source/extensions/transport_sockets/tls:config",
-}
-
 # Return the extension cc_library target after select
 def _selected_extension_target(target):
     return target + "_envoy_extension"
 
+def _get_extensions():
+    return {
+        k: v
+        for k, v in EXTENSIONS.items()
+        if v.get("required") or
+           not v.get("builtin")
+    }
+
 # Return all extensions to be compiled into Envoy.
 def envoy_all_extensions(denylist = []):
-    all_extensions = dicts.add(_required_extensions, EXTENSIONS)
-
     # These extensions can be removed on a site specific basis.
-    return [_selected_extension_target(v) for k, v in all_extensions.items() if not k in denylist]
-
-# Core extensions needed to run Envoy's integration tests.
-_core_extensions = [
-    "envoy.access_loggers.file",
-    "envoy.access_loggers.stream",
-    "envoy.filters.http.router",
-    "envoy.filters.http.health_check",
-    "envoy.filters.network.http_connection_manager",
-    "envoy.stat_sinks.statsd",
-    "envoy.transport_sockets.raw_buffer",
-]
+    return [_selected_extension_target(v["source"]) for k, v in _get_extensions().items() if not k in denylist]
 
 # Return all core extensions to be compiled into Envoy.
 def envoy_all_core_extensions():
-    all_extensions = dicts.add(_required_extensions, EXTENSIONS)
-
     # These extensions can be removed on a site specific basis.
-    return [v for k, v in all_extensions.items() if k in _core_extensions]
+    return [v["source"] for k, v in _get_extensions().items() if v.get("core")]
 
 _http_filter_prefix = "envoy.filters.http"
 
 def envoy_all_http_filters():
-    all_extensions = dicts.add(_required_extensions, EXTENSIONS)
-
-    return [_selected_extension_target(v) for k, v in all_extensions.items() if k.startswith(_http_filter_prefix)]
+    return [_selected_extension_target(v["source"]) for k, v in _get_extensions().items() if k.startswith(_http_filter_prefix)]
 
 # All network-layer filters are extensions with names that have the following prefix.
 _network_filter_prefix = "envoy.filters.network"
@@ -53,6 +35,4 @@ _thrift_filter_prefix = "envoy.filters.thrift"
 
 # Return all network-layer filter extensions to be compiled into network-layer filter generic fuzzer.
 def envoy_all_network_filters():
-    all_extensions = dicts.add(_required_extensions, EXTENSIONS)
-
-    return [_selected_extension_target(v) for k, v in all_extensions.items() if (k.startswith(_network_filter_prefix) or k.startswith(_thrift_filter_prefix))]
+    return [_selected_extension_target(v["source"]) for k, v in _get_extensions().items() if (k.startswith(_network_filter_prefix) or k.startswith(_thrift_filter_prefix))]
@@ -16,9 +16,6 @@ envoy_cc_extension(
     hdrs = [
         "config.h",
     ],
-    category = "envoy.bootstrap",
-    security_posture = "unknown",
-    status = "alpha",
     deps = [
         "//include/envoy/registry",
         "//include/envoy/server:bootstrap_extension_config_interface",

@@ -15,8 +15,6 @@ envoy_cc_extension(
         "cluster.h",
         "lb_context.h",
     ],
-    category = "envoy.clusters",
-    security_posture = "requires_trusted_downstream_and_upstream",
     deps = [
         "//source/common/upstream:cluster_factory_lib",
         "//source/common/upstream:upstream_includes",

@@ -12,8 +12,6 @@ envoy_cc_extension(
     name = "cluster",
     srcs = ["cluster.cc"],
     hdrs = ["cluster.h"],
-    category = "envoy.clusters",
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         "//source/common/network:transport_socket_options_lib",
         "//source/common/upstream:cluster_factory_lib",

@@ -42,8 +42,6 @@ envoy_cc_extension(
         "redis_cluster.cc",
         "redis_cluster.h",
     ],
-    category = "envoy.clusters",
-    security_posture = "requires_trusted_downstream_and_upstream",
     deps = [
         "redis_cluster_lb",
         "//include/envoy/api:api_interface",

diff --git a/source/extensions/common/crypto/BUILD b/source/extensions/common/crypto/BUILD
@@ -18,7 +18,6 @@ envoy_cc_extension(
         "crypto_impl.h",
         "utility_impl.h",
     ],
-    category = "DELIBERATELY_OMITTED",
     external_deps = [
         "ssl",
     ],
@@ -27,8 +26,6 @@ envoy_cc_extension(
         "//test/common/config:__subpackages__",
         "//test/common/crypto:__subpackages__",
     ],
-    security_posture = "unknown",
-    undocumented = True,
     deps = [
         "//include/envoy/buffer:buffer_interface",
         "//source/common/common:assert_lib",

@@ -25,8 +25,6 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
-    category = "envoy.compression.compressor",
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         ":compressor_lib",
         "//source/common/http:headers_lib",

@@ -27,8 +27,6 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
-    category = "envoy.compression.decompressor",
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         ":decompressor_lib",
         "//source/common/http:headers_lib",

@@ -26,8 +26,6 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
-    category = "envoy.compression.compressor",
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         ":compressor_lib",
         "//source/common/http:headers_lib",

@@ -29,8 +29,6 @@ envoy_cc_extension(
     name = "config",
     srcs = ["config.cc"],
     hdrs = ["config.h"],
-    category = "envoy.compression.decompressor",
-    security_posture = "robust_to_untrusted_downstream",
     deps = [
         ":zlib_decompressor_impl_lib",
         "//source/common/http:headers_lib",