istio · istio-testing · May 23, 2018 · May 17, 2018 · May 21, 2018 · May 22, 2018
@@ -38,7 +38,7 @@ git_repository(
 )
 
 # When updating envoy sha manually please update the sha in istio.deps file also
-ENVOY_SHA = "2b2c299144600fb9e525d21aabf39bf48e64fb1f"
+ENVOY_SHA = "12c470e666d23f1cedaea92cdae6c747d6081dfe"
 
 http_archive(
     name = "envoy",

@@ -4,13 +4,13 @@
 		"name": "ISTIO_API",
 		"repoName": "api",
 		"file": "repositories.bzl",
-		"lastStableSHA": "78da6e6eb4ad4f158fb58e02f94efde4abf4cabf"
+		"lastStableSHA": "9b8e46e9e9710d6a8b50772964ef2194b0b26bd7"
 	},
 	{
 		"_comment": "",
 		"name": "ENVOY_SHA",
 		"repoName": "envoyproxy/envoy",
 		"file": "WORKSPACE",
-		"lastStableSHA": "2b2c299144600fb9e525d21aabf39bf48e64fb1f"
+		"lastStableSHA": "12c470e666d23f1cedaea92cdae6c747d6081dfe"
 	}
 ]
@@ -113,7 +113,7 @@ cc_library(
             actual = "@googletest_git//:googletest_prod",
         )
 
-ISTIO_API = "78da6e6eb4ad4f158fb58e02f94efde4abf4cabf"
+ISTIO_API = "9b8e46e9e9710d6a8b50772964ef2194b0b26bd7"
 
 def mixerapi_repositories(bind=True):
     BUILD = """

@@ -44,14 +44,28 @@ UBUNTU_RELEASE=${UBUNTU_RELEASE:-$(lsb_release -c -s)}
 
 # The proxy binary name.
 SHA="$(git rev-parse --verify HEAD)"
-BINARY_NAME="envoy-alpha-${SHA}.tar.gz"
-SHA256_NAME="envoy-alpha-${SHA}.sha256"
+
+BINARY_NAME="envoy-symbol-${SHA}.tar.gz"
+SHA256_NAME="envoy-symbol-${SHA}.sha256"
 
 # If binary already exists skip.
 gsutil stat "${DST}/${BINARY_NAME}" \
   && { echo 'Binary already exists'; exit 0; } \
   || echo 'Building a new binary.'
 
+# Build the release binary with symbol
+bazel --batch build --config=release-symbol //src/envoy:envoy_tar
+BAZEL_TARGET="bazel-bin/src/envoy/envoy_tar.tar.gz"
+cp -f "${BAZEL_TARGET}" "${BINARY_NAME}"
+sha256sum "${BINARY_NAME}" > "${SHA256_NAME}"
+
+# Copy it to the bucket.
+echo "Copying ${BINARY_NAME} ${SHA256_NAME} to ${DST}/"
+gsutil cp "${BINARY_NAME}" "${SHA256_NAME}" "${DST}/"
+
+BINARY_NAME="envoy-alpha-${SHA}.tar.gz"
+SHA256_NAME="envoy-alpha-${SHA}.sha256"
+
 # Build the release binary
 bazel --batch build --config=release //src/envoy:envoy_tar
 BAZEL_TARGET="bazel-bin/src/envoy/envoy_tar.tar.gz"

@@ -107,8 +107,8 @@ UpstreamAltsTransportSocketConfigFactory::createTransportSocketFactory(
 
 Network::TransportSocketFactoryPtr
 DownstreamAltsTransportSocketConfigFactory::createTransportSocketFactory(
-    const std::string &, const std::vector<std::string> &, bool,
-    const Protobuf::Message &message, TransportSocketFactoryContext &) {
+    const Protobuf::Message &message, TransportSocketFactoryContext &,
+    const std::vector<std::string> &) {
   auto config =
       MessageUtil::downcastAndValidate<const envoy::security::v2::AltsSocket &>(
           message);

@@ -39,8 +39,8 @@ class DownstreamAltsTransportSocketConfigFactory
       public DownstreamTransportSocketConfigFactory {
  public:
   Network::TransportSocketFactoryPtr createTransportSocketFactory(
-      const std::string &, const std::vector<std::string> &, bool,
-      const Protobuf::Message &, TransportSocketFactoryContext &) override;
+      const Protobuf::Message &, TransportSocketFactoryContext &,
+      const std::vector<std::string> &) override;
 };
 }  // namespace Configuration
 }  // namespace Server

@@ -114,8 +114,8 @@ void AuthenticationFilter::rejectRequest(const std::string& message) {
     return;
   }
   state_ = State::REJECTED;
-  Utility::sendLocalReply(*decoder_callbacks_, false, Http::Code::Unauthorized,
-                          message);
+  decoder_callbacks_->sendLocalReply(Http::Code::Unauthorized, message,
+                                     nullptr);
 }
 
 std::unique_ptr<Istio::AuthN::AuthenticatorBase>

@@ -62,16 +62,17 @@ TEST_P(AuthenticationFilterIntegrationTest, EmptyPolicy) {
   createTestServer("src/envoy/http/authn/testdata/envoy_empty.conf", {"http"});
   codec_client_ =
       makeHttpConnection(makeClientConnection((lookupPort("http"))));
-  codec_client_->makeHeaderOnlyRequest(default_request_headers_, *response_);
+  auto response =
+      codec_client_->makeHeaderOnlyRequest(default_request_headers_);
   // Wait for request to upstream[0] (backend)
   waitForNextUpstreamRequest(0);
   // Send backend response.
   upstream_request_->encodeHeaders(Http::TestHeaderMapImpl{{":status", "200"}},
                                    true);
 
-  response_->waitForEndStream();
-  EXPECT_TRUE(response_->complete());
-  EXPECT_STREQ("200", response_->headers().Status()->value().c_str());
+  response->waitForEndStream();
+  EXPECT_TRUE(response->complete());
+  EXPECT_STREQ("200", response->headers().Status()->value().c_str());
 }
 
 TEST_P(AuthenticationFilterIntegrationTest, SourceMTlsFail) {
@@ -82,13 +83,14 @@ TEST_P(AuthenticationFilterIntegrationTest, SourceMTlsFail) {
   // would be rejected.
   codec_client_ =
       makeHttpConnection(makeClientConnection((lookupPort("http"))));
-  codec_client_->makeHeaderOnlyRequest(default_request_headers_, *response_);
+  auto response =
+      codec_client_->makeHeaderOnlyRequest(default_request_headers_);
 
   // Request is rejected, there will be no upstream request (thus no
   // waitForNextUpstreamRequest).
-  response_->waitForEndStream();
-  EXPECT_TRUE(response_->complete());
-  EXPECT_STREQ("401", response_->headers().Status()->value().c_str());
+  response->waitForEndStream();
+  EXPECT_TRUE(response->complete());
+  EXPECT_STREQ("401", response->headers().Status()->value().c_str());
 }
 
 // TODO (diemtvu/lei-tang): add test for MTls success.
@@ -102,13 +104,14 @@ TEST_P(AuthenticationFilterIntegrationTest, OriginJwtRequiredHeaderNoJwtFail) {
   // would be rejected.
   codec_client_ =
       makeHttpConnection(makeClientConnection((lookupPort("http"))));
-  codec_client_->makeHeaderOnlyRequest(default_request_headers_, *response_);
+  auto response =
+      codec_client_->makeHeaderOnlyRequest(default_request_headers_);
 
   // Request is rejected, there will be no upstream request (thus no
   // waitForNextUpstreamRequest).
-  response_->waitForEndStream();
-  EXPECT_TRUE(response_->complete());
-  EXPECT_STREQ("401", response_->headers().Status()->value().c_str());
+  response->waitForEndStream();
+  EXPECT_TRUE(response->complete());
+  EXPECT_STREQ("401", response->headers().Status()->value().c_str());
 }
 
 TEST_P(AuthenticationFilterIntegrationTest, CheckValidJwtPassAuthentication) {
@@ -120,17 +123,18 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckValidJwtPassAuthentication) {
   // the authentication should succeed.
   codec_client_ =
       makeHttpConnection(makeClientConnection((lookupPort("http"))));
-  codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_, *response_);
+  auto response =
+      codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_);
 
   // Wait for request to upstream[0] (backend)
   waitForNextUpstreamRequest(0);
   // Send backend response.
   upstream_request_->encodeHeaders(Http::TestHeaderMapImpl{{":status", "200"}},
                                    true);
 
-  response_->waitForEndStream();
-  EXPECT_TRUE(response_->complete());
-  EXPECT_STREQ("200", response_->headers().Status()->value().c_str());
+  response->waitForEndStream();
+  EXPECT_TRUE(response->complete());
+  EXPECT_STREQ("200", response->headers().Status()->value().c_str());
 }
 
 TEST_P(AuthenticationFilterIntegrationTest, CheckConsumedJwtHeadersAreRemoved) {
@@ -164,11 +168,12 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckConsumedJwtHeadersAreRemoved) {
   // should be generated.
   codec_client_ =
       makeHttpConnection(makeClientConnection((lookupPort("http"))));
-  codec_client_->makeHeaderOnlyRequest(
-      request_headers_with_jwt_at_specified_location, *response_);
+  auto response = codec_client_->makeHeaderOnlyRequest(
+      request_headers_with_jwt_at_specified_location);
 
   // Wait for request to upstream[0] (backend)
   waitForNextUpstreamRequest(0);
+  response->waitForEndStream();
 
   // After Istio authn, the JWT headers consumed by Istio authn should have
   // been removed.
@@ -185,10 +190,12 @@ TEST_P(AuthenticationFilterIntegrationTest, CheckAuthnResultIsExpected) {
   // should be generated.
   codec_client_ =
       makeHttpConnection(makeClientConnection((lookupPort("http"))));
-  codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_, *response_);
+  auto response =
+      codec_client_->makeHeaderOnlyRequest(request_headers_with_jwt_);
 
   // Wait for request to upstream[0] (backend)
   waitForNextUpstreamRequest(0);
+  response->waitForEndStream();
 
   // Authn result should be as expected
   const Envoy::Http::HeaderString &header_value =

@@ -70,8 +70,8 @@ void JwtVerificationFilter::onDone(const JwtAuth::Status& status) {
     // verification failed
     Code code = Code(401);  // Unauthorized
     // return failure reason as message body
-    Utility::sendLocalReply(*decoder_callbacks_, false, code,
-                            JwtAuth::StatusToString(status));
+    decoder_callbacks_->sendLocalReply(code, JwtAuth::StatusToString(status),
+                                       nullptr);
     return;
   }
 

@@ -116,21 +116,20 @@ class JwtVerificationFilterIntegrationTest
     IntegrationCodecClientPtr codec_client;
     FakeHttpConnectionPtr fake_upstream_connection_issuer;
     FakeHttpConnectionPtr fake_upstream_connection_backend;
-    IntegrationStreamDecoderPtr response(
-        new IntegrationStreamDecoder(*dispatcher_));
+    IntegrationStreamDecoderPtr response;
     FakeStreamPtr request_stream_issuer;
     FakeStreamPtr request_stream_backend;
 
     codec_client = makeHttpConnection(lookupPort("http"));
 
     // Send a request to Envoy.
     if (!request_body.empty()) {
-      Http::StreamEncoder& encoder =
-          codec_client->startRequest(request_headers, *response);
+      auto encoder_decoder = codec_client->startRequest(request_headers);
       Buffer::OwnedImpl body(request_body);
-      codec_client->sendData(encoder, body, true);
+      codec_client->sendData(encoder_decoder.first, body, true);
+      response = std::move(encoder_decoder.second);
     } else {
-      codec_client->makeHeaderOnlyRequest(request_headers, *response);
+      response = codec_client->makeHeaderOnlyRequest(request_headers);
     }
 
     // Empty issuer_response_body indicates issuer will not be called.
@@ -372,7 +371,7 @@ TEST_P(JwtVerificationFilterIntegrationTestWithInjectedJwtResult,
   FakeStreamPtr request_stream_backend;
   codec_client = makeHttpConnection(lookupPort("http"));
   // Send a request to Envoy.
-  codec_client->makeHeaderOnlyRequest(headers, *response);
+  response = codec_client->makeHeaderOnlyRequest(headers);
   fake_upstream_connection_backend =
       fake_upstreams_[0]->waitForHttpConnection(*dispatcher_);
   request_stream_backend =

@@ -186,8 +186,8 @@ void Filter::completeCheck(const Status& status) {
   if (!status.ok() && state_ != Responded) {
     state_ = Responded;
     int status_code = ::istio::utils::StatusHttpCode(status.error_code());
-    Utility::sendLocalReply(*decoder_callbacks_, false, Code(status_code),
-                            status.ToString());
+    decoder_callbacks_->sendLocalReply(Code(status_code), status.ToString(),
+                                       nullptr);
     return;
   }
 

@@ -47,10 +47,13 @@ build:clang-msan --copt -fsanitize-memory-track-origins=2
 # Test options
 test --test_env=HEAPCHECK=normal --test_env=PPROF_PATH
 
-# Release builds
+# Release builds without debug symbols.
 build:release -c opt
 build:release --strip=always
 
+# Release builds with debug symbols
+build:release-symbol -c opt
+
 # Add compile option for all C++ files
 build --cxxopt -Wnon-virtual-dtor
 build --cxxopt -Wformat