/proc/self/cwd/source/common/router/router_ratelimit.cc

Source (jump to first uncovered line)
#include "source/common/router/router_ratelimit.h"

#include <cstdint>
#include <memory>
#include <string>
#include <vector>

#include "envoy/config/core/v3/base.pb.h"
#include "envoy/config/route/v3/route_components.pb.h"

#include "source/common/common/assert.h"
#include "source/common/common/empty_string.h"
#include "source/common/config/metadata.h"
#include "source/common/config/utility.h"
#include "source/common/http/matching/data_impl.h"
#include "source/common/matcher/matcher.h"
#include "source/common/protobuf/utility.h"

namespace Envoy {
namespace Router {

namespace {
bool populateDescriptor(const std::vector<RateLimit::DescriptorProducerPtr>& actions,
                        std::vector<RateLimit::DescriptorEntry>& descriptor_entries,
                        const std::string& local_service_cluster,
                        const Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo& info) {
  bool result = true;
  for (const RateLimit::DescriptorProducerPtr& action : actions) {
    RateLimit::DescriptorEntry descriptor_entry;
    result = result &&
             action->populateDescriptor(descriptor_entry, local_service_cluster, headers, info);
    if (!result) {
      break;
    }
    if (!descriptor_entry.key_.empty()) {
      descriptor_entries.push_back(descriptor_entry);
    }
  }
  return result;
}

class RateLimitDescriptorValidationVisitor
    : public Matcher::MatchTreeValidationVisitor<Http::HttpMatchingData> {
public:
  absl::Status performDataInputValidation(const Matcher::DataInputFactory<Http::HttpMatchingData>&,
                                          absl::string_view) override {
    return absl::OkStatus();
  }
};

class MatchInputRateLimitDescriptor : public RateLimit::DescriptorProducer {
public:
  MatchInputRateLimitDescriptor(const std::string& descriptor_key,
                                Matcher::DataInputPtr<Http::HttpMatchingData>&& data_input)
      : descriptor_key_(descriptor_key), data_input_(std::move(data_input)) {}

  // Ratelimit::DescriptorProducer
  bool populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry, const std::string&,
                          const Http::RequestHeaderMap& headers,
                          const StreamInfo::StreamInfo& info) const override {
    Http::Matching::HttpMatchingDataImpl data(info);
    data.onRequestHeaders(headers);
    auto result = data_input_->get(data);
    if (absl::holds_alternative<absl::monostate>(result.data_)) {
      return false;
    }
    const std::string& str = absl::get<std::string>(result.data_);
    if (!str.empty()) {
      descriptor_entry = {descriptor_key_, str};
    }
    return true;
  }

private:
  const std::string descriptor_key_;
  Matcher::DataInputPtr<Http::HttpMatchingData> data_input_;
};

} // namespace

const uint64_t RateLimitPolicyImpl::MAX_STAGE_NUMBER = 10UL;

bool DynamicMetadataRateLimitOverride::populateOverride(
    RateLimit::Descriptor& descriptor, const envoy::config::core::v3::Metadata* metadata) const {
  const ProtobufWkt::Value& metadata_value =
      Envoy::Config::Metadata::metadataValue(metadata, metadata_key_);
  if (metadata_value.kind_case() != ProtobufWkt::Value::kStructValue) {
    return false;
  }

  const auto& override_value = metadata_value.struct_value().fields();
  const auto& limit_it = override_value.find("requests_per_unit");
  const auto& unit_it = override_value.find("unit");
  if (limit_it != override_value.end() &&
      limit_it->second.kind_case() == ProtobufWkt::Value::kNumberValue &&
      unit_it != override_value.end() &&
      unit_it->second.kind_case() == ProtobufWkt::Value::kStringValue) {
    envoy::type::v3::RateLimitUnit unit;
    if (envoy::type::v3::RateLimitUnit_Parse(unit_it->second.string_value(), &unit)) {
      descriptor.limit_.emplace(RateLimit::RateLimitOverride{
          static_cast<uint32_t>(limit_it->second.number_value()), unit});
      return true;
    }
  }
  return false;
}

bool SourceClusterAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
                                             const std::string& local_service_cluster,
                                             const Http::RequestHeaderMap&,
                                             const StreamInfo::StreamInfo&) const {
  descriptor_entry = {"source_cluster", local_service_cluster};
  return true;
}

bool DestinationClusterAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
                                                  const std::string&, const Http::RequestHeaderMap&,
                                                  const StreamInfo::StreamInfo& info) const {
  if (info.route() == nullptr || info.route()->routeEntry() == nullptr) {
    return false;
  }
  descriptor_entry = {"destination_cluster", info.route()->routeEntry()->clusterName()};
  return true;
}

bool RequestHeadersAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
                                              const std::string&,
                                              const Http::RequestHeaderMap& headers,
                                              const StreamInfo::StreamInfo&) const {
  const auto header_value = headers.get(header_name_);

  // If header is not present in the request and if skip_if_absent is true skip this descriptor,
  // while calling rate limiting service. If skip_if_absent is false, do not call rate limiting
  // service.
  if (header_value.empty()) {
    return skip_if_absent_;
  }
  // TODO(https://github.com/envoyproxy/envoy/issues/13454): Potentially populate all header values.
  descriptor_entry = {descriptor_key_, std::string(header_value[0]->value().getStringView())};
  return true;
}

bool RemoteAddressAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
                                             const std::string&, const Http::RequestHeaderMap&,
                                             const StreamInfo::StreamInfo& info) const {
  const Network::Address::InstanceConstSharedPtr& remote_address =
      info.downstreamAddressProvider().remoteAddress();
  if (remote_address->type() != Network::Address::Type::Ip) {
    return false;
  }

  descriptor_entry = {"remote_address", remote_address->ip()->addressAsString()};

  return true;
}

bool MaskedRemoteAddressAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
                                                   const std::string&,
                                                   const Http::RequestHeaderMap&,
                                                   const StreamInfo::StreamInfo& info) const {
  const Network::Address::InstanceConstSharedPtr& remote_address =
      info.downstreamAddressProvider().remoteAddress();
  if (remote_address->type() != Network::Address::Type::Ip) {
    return false;
  }

  uint32_t mask_len = v4_prefix_mask_len_;
  if (remote_address->ip()->version() == Network::Address::IpVersion::v6) {
    mask_len = v6_prefix_mask_len_;
  }

  // TODO: increase the efficiency, avoid string transform back and forth
  Network::Address::CidrRange cidr_entry =
      Network::Address::CidrRange::create(remote_address->ip()->addressAsString(), mask_len);
  descriptor_entry = {"masked_remote_address", cidr_entry.asString()};

  return true;
}

bool GenericKeyAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
                                          const std::string&, const Http::RequestHeaderMap&,
                                          const StreamInfo::StreamInfo&) const {
  descriptor_entry = {descriptor_key_, descriptor_value_};
  return true;
}

MetaDataAction::MetaDataAction(const envoy::config::route::v3::RateLimit::Action::MetaData& action)
    : metadata_key_(action.metadata_key()), descriptor_key_(action.descriptor_key()),
      default_value_(action.default_value()), source_(action.source()),
      skip_if_absent_(action.skip_if_absent()) {}

MetaDataAction::MetaDataAction(
    const envoy::config::route::v3::RateLimit::Action::DynamicMetaData& action)
    : metadata_key_(action.metadata_key()), descriptor_key_(action.descriptor_key()),
      default_value_(action.default_value()),
      source_(envoy::config::route::v3::RateLimit::Action::MetaData::DYNAMIC),
      skip_if_absent_(false) {}

bool MetaDataAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
                                        const std::string&, const Http::RequestHeaderMap&,
                                        const StreamInfo::StreamInfo& info) const {
  const envoy::config::core::v3::Metadata* metadata_source;

  switch (source_) {
    PANIC_ON_PROTO_ENUM_SENTINEL_VALUES;
  case envoy::config::route::v3::RateLimit::Action::MetaData::DYNAMIC:
    metadata_source = &info.dynamicMetadata();
    break;
  case envoy::config::route::v3::RateLimit::Action::MetaData::ROUTE_ENTRY:
    metadata_source = &info.route()->metadata();
    break;
  }

  const std::string metadata_string_value =
      Envoy::Config::Metadata::metadataValue(metadata_source, metadata_key_).string_value();

  if (!metadata_string_value.empty()) {
    descriptor_entry = {descriptor_key_, metadata_string_value};
    return true;
  } else if (metadata_string_value.empty() && !default_value_.empty()) {
    descriptor_entry = {descriptor_key_, default_value_};
    return true;
  }

  // If the metadata key is not present and no default value is set, skip this
  // descriptor if skip_if_absent is true. If skip_if_absent is false, do not
  // call rate limiting service.
  return skip_if_absent_;
}

HeaderValueMatchAction::HeaderValueMatchAction(
    const envoy::config::route::v3::RateLimit::Action::HeaderValueMatch& action)
    : descriptor_value_(action.descriptor_value()),
      descriptor_key_(!action.descriptor_key().empty() ? action.descriptor_key() : "header_match"),
      expect_match_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(action, expect_match, true)),
      action_headers_(Http::HeaderUtility::buildHeaderDataVector(action.headers())) {}

bool HeaderValueMatchAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
                                                const std::string&,
                                                const Http::RequestHeaderMap& headers,
                                                const StreamInfo::StreamInfo&) const {
  if (expect_match_ == Http::HeaderUtility::matchHeaders(headers, action_headers_)) {
    descriptor_entry = {descriptor_key_, descriptor_value_};
    return true;
  } else {
    return false;
  }
}

QueryParameterValueMatchAction::QueryParameterValueMatchAction(
    const envoy::config::route::v3::RateLimit::Action::QueryParameterValueMatch& action)
    : descriptor_value_(action.descriptor_value()),
      descriptor_key_(!action.descriptor_key().empty() ? action.descriptor_key() : "query_match"),
      expect_match_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(action, expect_match, true)),
      action_query_parameters_(buildQueryParameterMatcherVector(action)) {}

bool QueryParameterValueMatchAction::populateDescriptor(
    RateLimit::DescriptorEntry& descriptor_entry, const std::string&,
    const Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo&) const {
  Http::Utility::QueryParamsMulti query_parameters =
      Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(headers.getPathValue());
  if (expect_match_ ==
      ConfigUtility::matchQueryParams(query_parameters, action_query_parameters_)) {
    descriptor_entry = {descriptor_key_, descriptor_value_};
    return true;
  } else {
    return false;
  }
}

std::vector<ConfigUtility::QueryParameterMatcherPtr>
QueryParameterValueMatchAction::buildQueryParameterMatcherVector(
    const envoy::config::route::v3::RateLimit::Action::QueryParameterValueMatch& action) {
  std::vector<ConfigUtility::QueryParameterMatcherPtr> ret;
  for (const auto& query_parameter : action.query_parameters()) {
    ret.push_back(std::make_unique<ConfigUtility::QueryParameterMatcher>(query_parameter));
  }
  return ret;
}

RateLimitPolicyEntryImpl::RateLimitPolicyEntryImpl(
    const envoy::config::route::v3::RateLimit& config,
    Server::Configuration::CommonFactoryContext& context)
    : disable_key_(config.disable_key()),
      stage_(static_cast<uint64_t>(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, stage, 0))) {
  for (const auto& action : config.actions()) {
    switch (action.action_specifier_case()) {
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kSourceCluster:
      actions_.emplace_back(new SourceClusterAction());
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kDestinationCluster:
      actions_.emplace_back(new DestinationClusterAction());
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kRequestHeaders:
      actions_.emplace_back(new RequestHeadersAction(action.request_headers()));
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kRemoteAddress:
      actions_.emplace_back(new RemoteAddressAction());
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kGenericKey:
      actions_.emplace_back(new GenericKeyAction(action.generic_key()));
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kDynamicMetadata:
      actions_.emplace_back(new MetaDataAction(action.dynamic_metadata()));
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kMetadata:
      actions_.emplace_back(new MetaDataAction(action.metadata()));
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kHeaderValueMatch:
      actions_.emplace_back(new HeaderValueMatchAction(action.header_value_match()));
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kExtension: {
      ProtobufMessage::ValidationVisitor& validator = context.messageValidationVisitor();
      auto* factory = Envoy::Config::Utility::getFactory<RateLimit::DescriptorProducerFactory>(
          action.extension());
      if (!factory) {
        // If no descriptor extension is found, fallback to using HTTP matcher
        // input functions. Note that if the same extension name or type was
        // dual registered as an extension descriptor and an HTTP matcher input
        // function, the descriptor extension takes priority.
        RateLimitDescriptorValidationVisitor validation_visitor;
        Matcher::MatchInputFactory<Http::HttpMatchingData> input_factory(validator,
                                                                         validation_visitor);
        Matcher::DataInputFactoryCb<Http::HttpMatchingData> data_input_cb =
            input_factory.createDataInput(action.extension());
        actions_.emplace_back(std::make_unique<MatchInputRateLimitDescriptor>(
            action.extension().name(), data_input_cb()));
        break;
      }
      auto message = Envoy::Config::Utility::translateAnyToFactoryConfig(
          action.extension().typed_config(), validator, *factory);
      RateLimit::DescriptorProducerPtr producer =
          factory->createDescriptorProducerFromProto(*message, context);
      if (producer) {
        actions_.emplace_back(std::move(producer));
      } else {
        throwEnvoyExceptionOrPanic(
            absl::StrCat("Rate limit descriptor extension failed: ", action.extension().name()));
      }
      break;
    }
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kMaskedRemoteAddress:
      actions_.emplace_back(new MaskedRemoteAddressAction(action.masked_remote_address()));
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::
        kQueryParameterValueMatch:
      actions_.emplace_back(
          new QueryParameterValueMatchAction(action.query_parameter_value_match()));
      break;
    case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::ACTION_SPECIFIER_NOT_SET:
      throwEnvoyExceptionOrPanic("invalid config");
    }
  }
  if (config.has_limit()) {
    switch (config.limit().override_specifier_case()) {
    case envoy::config::route::v3::RateLimit_Override::OverrideSpecifierCase::kDynamicMetadata:
      limit_override_.emplace(
          new DynamicMetadataRateLimitOverride(config.limit().dynamic_metadata()));
      break;
    case envoy::config::route::v3::RateLimit_Override::OverrideSpecifierCase::
        OVERRIDE_SPECIFIER_NOT_SET:
      throwEnvoyExceptionOrPanic("invalid config");
    }
  }
}

void RateLimitPolicyEntryImpl::populateDescriptors(std::vector<RateLimit::Descriptor>& descriptors,
                                                   const std::string& local_service_cluster,
                                                   const Http::RequestHeaderMap& headers,
                                                   const StreamInfo::StreamInfo& info) const {
  RateLimit::Descriptor descriptor;
  bool result =
      populateDescriptor(actions_, descriptor.entries_, local_service_cluster, headers, info);

  if (limit_override_) {
    limit_override_.value()->populateOverride(descriptor, &info.dynamicMetadata());
  }

  if (result) {
    descriptors.emplace_back(descriptor);
  }
}

void RateLimitPolicyEntryImpl::populateLocalDescriptors(
    std::vector<Envoy::RateLimit::LocalDescriptor>& descriptors,
    const std::string& local_service_cluster, const Http::RequestHeaderMap& headers,
    const StreamInfo::StreamInfo& info) const {
  RateLimit::LocalDescriptor descriptor({});
  bool result =
      populateDescriptor(actions_, descriptor.entries_, local_service_cluster, headers, info);
  if (result) {
    descriptors.emplace_back(descriptor);
  }
}

RateLimitPolicyImpl::RateLimitPolicyImpl()
    : rate_limit_entries_reference_(RateLimitPolicyImpl::MAX_STAGE_NUMBER + 1) {}

RateLimitPolicyImpl::RateLimitPolicyImpl(
    const Protobuf::RepeatedPtrField<envoy::config::route::v3::RateLimit>& rate_limits,
    Server::Configuration::CommonFactoryContext& context)
    : RateLimitPolicyImpl() {
  for (const auto& rate_limit : rate_limits) {
    std::unique_ptr<RateLimitPolicyEntry> rate_limit_policy_entry(
        new RateLimitPolicyEntryImpl(rate_limit, context));
    uint64_t stage = rate_limit_policy_entry->stage();
    ASSERT(stage < rate_limit_entries_reference_.size());
    rate_limit_entries_reference_[stage].emplace_back(*rate_limit_policy_entry);
    rate_limit_entries_.emplace_back(std::move(rate_limit_policy_entry));
  }
}

const std::vector<std::reference_wrapper<const Router::RateLimitPolicyEntry>>&
RateLimitPolicyImpl::getApplicableRateLimit(uint64_t stage) const {
  ASSERT(stage < rate_limit_entries_reference_.size());
  return rate_limit_entries_reference_[stage];
}

} // namespace Router
} // namespace Envoy

Coverage Report

Created: 2023-11-12 09:30

Line	Count	Source (jump to first uncovered line)
1		#include "source/common/router/router_ratelimit.h"
2
3		#include <cstdint>
4		#include <memory>
5		#include <string>
6		#include <vector>
7
8		#include "envoy/config/core/v3/base.pb.h"
9		#include "envoy/config/route/v3/route_components.pb.h"
10
11		#include "source/common/common/assert.h"
12		#include "source/common/common/empty_string.h"
13		#include "source/common/config/metadata.h"
14		#include "source/common/config/utility.h"
15		#include "source/common/http/matching/data_impl.h"
16		#include "source/common/matcher/matcher.h"
17		#include "source/common/protobuf/utility.h"
18
19		namespace Envoy {
20		namespace Router {
21
22		namespace {
23		bool populateDescriptor(const std::vector<RateLimit::DescriptorProducerPtr>& actions,
24		std::vector<RateLimit::DescriptorEntry>& descriptor_entries,
25		const std::string& local_service_cluster,
26	0	const Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo& info) {
27	0	bool result = true;
28	0	for (const RateLimit::DescriptorProducerPtr& action : actions) {
29	0	RateLimit::DescriptorEntry descriptor_entry;
30	0	result = result &&
31	0	action->populateDescriptor(descriptor_entry, local_service_cluster, headers, info);
32	0	if (!result) {
33	0	break;
34	0	}
35	0	if (!descriptor_entry.key_.empty()) {
36	0	descriptor_entries.push_back(descriptor_entry);
37	0	}
38	0	}
39	0	return result;
40	0	}
41
42		class RateLimitDescriptorValidationVisitor
43		: public Matcher::MatchTreeValidationVisitor<Http::HttpMatchingData> {
44		public:
45		absl::Status performDataInputValidation(const Matcher::DataInputFactory<Http::HttpMatchingData>&,
46	1.61k	absl::string_view) override {
47	1.61k	return absl::OkStatus();
48	1.61k	}
49		};
50
51		class MatchInputRateLimitDescriptor : public RateLimit::DescriptorProducer {
52		public:
53		MatchInputRateLimitDescriptor(const std::string& descriptor_key,
54		Matcher::DataInputPtr<Http::HttpMatchingData>&& data_input)
55	1.60k	: descriptor_key_(descriptor_key), data_input_(std::move(data_input)) {}
56
57		// Ratelimit::DescriptorProducer
58		bool populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry, const std::string&,
59		const Http::RequestHeaderMap& headers,
60	0	const StreamInfo::StreamInfo& info) const override {
61	0	Http::Matching::HttpMatchingDataImpl data(info);
62	0	data.onRequestHeaders(headers);
63	0	auto result = data_input_->get(data);
64	0	if (absl::holds_alternative<absl::monostate>(result.data_)) {
65	0	return false;
66	0	}
67	0	const std::string& str = absl::get<std::string>(result.data_);
68	0	if (!str.empty()) {
69	0	descriptor_entry = {descriptor_key_, str};
70	0	}
71	0	return true;
72	0	}
73
74		private:
75		const std::string descriptor_key_;
76		Matcher::DataInputPtr<Http::HttpMatchingData> data_input_;
77		};
78
79		} // namespace
80
81		const uint64_t RateLimitPolicyImpl::MAX_STAGE_NUMBER = 10UL;
82
83		bool DynamicMetadataRateLimitOverride::populateOverride(
84	0	RateLimit::Descriptor& descriptor, const envoy::config::core::v3::Metadata* metadata) const {
85	0	const ProtobufWkt::Value& metadata_value =
86	0	Envoy::Config::Metadata::metadataValue(metadata, metadata_key_);
87	0	if (metadata_value.kind_case() != ProtobufWkt::Value::kStructValue) {
88	0	return false;
89	0	}
90
91	0	const auto& override_value = metadata_value.struct_value().fields();
92	0	const auto& limit_it = override_value.find("requests_per_unit");
93	0	const auto& unit_it = override_value.find("unit");
94	0	if (limit_it != override_value.end() &&
95	0	limit_it->second.kind_case() == ProtobufWkt::Value::kNumberValue &&
96	0	unit_it != override_value.end() &&
97	0	unit_it->second.kind_case() == ProtobufWkt::Value::kStringValue) {
98	0	envoy::type::v3::RateLimitUnit unit;
99	0	if (envoy::type::v3::RateLimitUnit_Parse(unit_it->second.string_value(), &unit)) {
100	0	descriptor.limit_.emplace(RateLimit::RateLimitOverride{
101	0	static_cast<uint32_t>(limit_it->second.number_value()), unit});
102	0	return true;
103	0	}
104	0	}
105	0	return false;
106	0	}
107
108		bool SourceClusterAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
109		const std::string& local_service_cluster,
110		const Http::RequestHeaderMap&,
111	0	const StreamInfo::StreamInfo&) const {
112	0	descriptor_entry = {"source_cluster", local_service_cluster};
113	0	return true;
114	0	}
115
116		bool DestinationClusterAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
117		const std::string&, const Http::RequestHeaderMap&,
118	0	const StreamInfo::StreamInfo& info) const {
119	0	if (info.route() == nullptr \|\| info.route()->routeEntry() == nullptr) {
120	0	return false;
121	0	}
122	0	descriptor_entry = {"destination_cluster", info.route()->routeEntry()->clusterName()};
123	0	return true;
124	0	}
125
126		bool RequestHeadersAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
127		const std::string&,
128		const Http::RequestHeaderMap& headers,
129	0	const StreamInfo::StreamInfo&) const {
130	0	const auto header_value = headers.get(header_name_);
131
132		// If header is not present in the request and if skip_if_absent is true skip this descriptor,
133		// while calling rate limiting service. If skip_if_absent is false, do not call rate limiting
134		// service.
135	0	if (header_value.empty()) {
136	0	return skip_if_absent_;
137	0	}
138		// TODO(https://github.com/envoyproxy/envoy/issues/13454): Potentially populate all header values.
139	0	descriptor_entry = {descriptor_key_, std::string(header_value[0]->value().getStringView())};
140	0	return true;
141	0	}
142
143		bool RemoteAddressAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
144		const std::string&, const Http::RequestHeaderMap&,
145	0	const StreamInfo::StreamInfo& info) const {
146	0	const Network::Address::InstanceConstSharedPtr& remote_address =
147	0	info.downstreamAddressProvider().remoteAddress();
148	0	if (remote_address->type() != Network::Address::Type::Ip) {
149	0	return false;
150	0	}
151
152	0	descriptor_entry = {"remote_address", remote_address->ip()->addressAsString()};
153
154	0	return true;
155	0	}
156
157		bool MaskedRemoteAddressAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
158		const std::string&,
159		const Http::RequestHeaderMap&,
160	0	const StreamInfo::StreamInfo& info) const {
161	0	const Network::Address::InstanceConstSharedPtr& remote_address =
162	0	info.downstreamAddressProvider().remoteAddress();
163	0	if (remote_address->type() != Network::Address::Type::Ip) {
164	0	return false;
165	0	}
166
167	0	uint32_t mask_len = v4_prefix_mask_len_;
168	0	if (remote_address->ip()->version() == Network::Address::IpVersion::v6) {
169	0	mask_len = v6_prefix_mask_len_;
170	0	}
171
172		// TODO: increase the efficiency, avoid string transform back and forth
173	0	Network::Address::CidrRange cidr_entry =
174	0	Network::Address::CidrRange::create(remote_address->ip()->addressAsString(), mask_len);
175	0	descriptor_entry = {"masked_remote_address", cidr_entry.asString()};
176
177	0	return true;
178	0	}
179
180		bool GenericKeyAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
181		const std::string&, const Http::RequestHeaderMap&,
182	0	const StreamInfo::StreamInfo&) const {
183	0	descriptor_entry = {descriptor_key_, descriptor_value_};
184	0	return true;
185	0	}
186
187		MetaDataAction::MetaDataAction(const envoy::config::route::v3::RateLimit::Action::MetaData& action)
188		: metadata_key_(action.metadata_key()), descriptor_key_(action.descriptor_key()),
189		default_value_(action.default_value()), source_(action.source()),
190	3.96k	skip_if_absent_(action.skip_if_absent()) {}
191
192		MetaDataAction::MetaDataAction(
193		const envoy::config::route::v3::RateLimit::Action::DynamicMetaData& action)
194		: metadata_key_(action.metadata_key()), descriptor_key_(action.descriptor_key()),
195		default_value_(action.default_value()),
196		source_(envoy::config::route::v3::RateLimit::Action::MetaData::DYNAMIC),
197	315	skip_if_absent_(false) {}
198
199		bool MetaDataAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
200		const std::string&, const Http::RequestHeaderMap&,
201	0	const StreamInfo::StreamInfo& info) const {
202	0	const envoy::config::core::v3::Metadata* metadata_source;
203
204	0	switch (source_) {
205	0	PANIC_ON_PROTO_ENUM_SENTINEL_VALUES;
206	0	case envoy::config::route::v3::RateLimit::Action::MetaData::DYNAMIC:
207	0	metadata_source = &info.dynamicMetadata();
208	0	break;
209	0	case envoy::config::route::v3::RateLimit::Action::MetaData::ROUTE_ENTRY:
210	0	metadata_source = &info.route()->metadata();
211	0	break;
212	0	}
213
214	0	const std::string metadata_string_value =
215	0	Envoy::Config::Metadata::metadataValue(metadata_source, metadata_key_).string_value();
216
217	0	if (!metadata_string_value.empty()) {
218	0	descriptor_entry = {descriptor_key_, metadata_string_value};
219	0	return true;
220	0	} else if (metadata_string_value.empty() && !default_value_.empty()) {
221	0	descriptor_entry = {descriptor_key_, default_value_};
222	0	return true;
223	0	}
224
225		// If the metadata key is not present and no default value is set, skip this
226		// descriptor if skip_if_absent is true. If skip_if_absent is false, do not
227		// call rate limiting service.
228	0	return skip_if_absent_;
229	0	}
230
231		HeaderValueMatchAction::HeaderValueMatchAction(
232		const envoy::config::route::v3::RateLimit::Action::HeaderValueMatch& action)
233		: descriptor_value_(action.descriptor_value()),
234		descriptor_key_(!action.descriptor_key().empty() ? action.descriptor_key() : "header_match"),
235		expect_match_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(action, expect_match, true)),
236	1.73k	action_headers_(Http::HeaderUtility::buildHeaderDataVector(action.headers())) {}
237
238		bool HeaderValueMatchAction::populateDescriptor(RateLimit::DescriptorEntry& descriptor_entry,
239		const std::string&,
240		const Http::RequestHeaderMap& headers,
241	0	const StreamInfo::StreamInfo&) const {
242	0	if (expect_match_ == Http::HeaderUtility::matchHeaders(headers, action_headers_)) {
243	0	descriptor_entry = {descriptor_key_, descriptor_value_};
244	0	return true;
245	0	} else {
246	0	return false;
247	0	}
248	0	}
249
250		QueryParameterValueMatchAction::QueryParameterValueMatchAction(
251		const envoy::config::route::v3::RateLimit::Action::QueryParameterValueMatch& action)
252		: descriptor_value_(action.descriptor_value()),
253		descriptor_key_(!action.descriptor_key().empty() ? action.descriptor_key() : "query_match"),
254		expect_match_(PROTOBUF_GET_WRAPPED_OR_DEFAULT(action, expect_match, true)),
255	2.14k	action_query_parameters_(buildQueryParameterMatcherVector(action)) {}
256
257		bool QueryParameterValueMatchAction::populateDescriptor(
258		RateLimit::DescriptorEntry& descriptor_entry, const std::string&,
259	0	const Http::RequestHeaderMap& headers, const StreamInfo::StreamInfo&) const {
260	0	Http::Utility::QueryParamsMulti query_parameters =
261	0	Http::Utility::QueryParamsMulti::parseAndDecodeQueryString(headers.getPathValue());
262	0	if (expect_match_ ==
263	0	ConfigUtility::matchQueryParams(query_parameters, action_query_parameters_)) {
264	0	descriptor_entry = {descriptor_key_, descriptor_value_};
265	0	return true;
266	0	} else {
267	0	return false;
268	0	}
269	0	}
270
271		std::vector<ConfigUtility::QueryParameterMatcherPtr>
272		QueryParameterValueMatchAction::buildQueryParameterMatcherVector(
273	2.14k	const envoy::config::route::v3::RateLimit::Action::QueryParameterValueMatch& action) {
274	2.14k	std::vector<ConfigUtility::QueryParameterMatcherPtr> ret;
275	3.23k	for (const auto& query_parameter : action.query_parameters()) {
276	3.23k	ret.push_back(std::make_unique<ConfigUtility::QueryParameterMatcher>(query_parameter));
277	3.23k	}
278	2.14k	return ret;
279	2.14k	}
280
281		RateLimitPolicyEntryImpl::RateLimitPolicyEntryImpl(
282		const envoy::config::route::v3::RateLimit& config,
283		Server::Configuration::CommonFactoryContext& context)
284		: disable_key_(config.disable_key()),
285	19.2k	stage_(static_cast<uint64_t>(PROTOBUF_GET_WRAPPED_OR_DEFAULT(config, stage, 0))) {
286	60.9k	for (const auto& action : config.actions()) {
287	60.9k	switch (action.action_specifier_case()) {
288	11.1k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kSourceCluster:
289	11.1k	actions_.emplace_back(new SourceClusterAction());
290	11.1k	break;
291	10.9k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kDestinationCluster:
292	10.9k	actions_.emplace_back(new DestinationClusterAction());
293	10.9k	break;
294	2.29k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kRequestHeaders:
295	2.29k	actions_.emplace_back(new RequestHeadersAction(action.request_headers()));
296	2.29k	break;
297	9.30k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kRemoteAddress:
298	9.30k	actions_.emplace_back(new RemoteAddressAction());
299	9.30k	break;
300	9.13k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kGenericKey:
301	9.13k	actions_.emplace_back(new GenericKeyAction(action.generic_key()));
302	9.13k	break;
303	315	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kDynamicMetadata:
304	315	actions_.emplace_back(new MetaDataAction(action.dynamic_metadata()));
305	315	break;
306	3.96k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kMetadata:
307	3.96k	actions_.emplace_back(new MetaDataAction(action.metadata()));
308	3.96k	break;
309	1.73k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kHeaderValueMatch:
310	1.73k	actions_.emplace_back(new HeaderValueMatchAction(action.header_value_match()));
311	1.73k	break;
312	1.68k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kExtension: {
313	1.68k	ProtobufMessage::ValidationVisitor& validator = context.messageValidationVisitor();
314	1.68k	auto* factory = Envoy::Config::Utility::getFactory<RateLimit::DescriptorProducerFactory>(
315	1.68k	action.extension());
316	1.68k	if (!factory) {
317		// If no descriptor extension is found, fallback to using HTTP matcher
318		// input functions. Note that if the same extension name or type was
319		// dual registered as an extension descriptor and an HTTP matcher input
320		// function, the descriptor extension takes priority.
321	1.67k	RateLimitDescriptorValidationVisitor validation_visitor;
322	1.67k	Matcher::MatchInputFactory<Http::HttpMatchingData> input_factory(validator,
323	1.67k	validation_visitor);
324	1.67k	Matcher::DataInputFactoryCb<Http::HttpMatchingData> data_input_cb =
325	1.67k	input_factory.createDataInput(action.extension());
326	1.67k	actions_.emplace_back(std::make_unique<MatchInputRateLimitDescriptor>(
327	1.67k	action.extension().name(), data_input_cb()));
328	1.67k	break;
329	1.67k	}
330	2	auto message = Envoy::Config::Utility::translateAnyToFactoryConfig(
331	2	action.extension().typed_config(), validator, *factory);
332	2	RateLimit::DescriptorProducerPtr producer =
333	2	factory->createDescriptorProducerFromProto(*message, context);
334	2	if (producer) {
335	0	actions_.emplace_back(std::move(producer));
336	2	} else {
337	2	throwEnvoyExceptionOrPanic(
338	2	absl::StrCat("Rate limit descriptor extension failed: ", action.extension().name()));
339	2	}
340	0	break;
341	2	}
342	8.26k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::kMaskedRemoteAddress:
343	8.26k	actions_.emplace_back(new MaskedRemoteAddressAction(action.masked_remote_address()));
344	8.26k	break;
345	2.14k	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::
346	2.14k	kQueryParameterValueMatch:
347	2.14k	actions_.emplace_back(
348	2.14k	new QueryParameterValueMatchAction(action.query_parameter_value_match()));
349	2.14k	break;
350	0	case envoy::config::route::v3::RateLimit::Action::ActionSpecifierCase::ACTION_SPECIFIER_NOT_SET:
351	0	throwEnvoyExceptionOrPanic("invalid config");
352	60.9k	}
353	60.9k	}
354	19.1k	if (config.has_limit()) {
355	858	switch (config.limit().override_specifier_case()) {
356	858	case envoy::config::route::v3::RateLimit_Override::OverrideSpecifierCase::kDynamicMetadata:
357	858	limit_override_.emplace(
358	858	new DynamicMetadataRateLimitOverride(config.limit().dynamic_metadata()));
359	858	break;
360	0	case envoy::config::route::v3::RateLimit_Override::OverrideSpecifierCase::
361	0	OVERRIDE_SPECIFIER_NOT_SET:
362	0	throwEnvoyExceptionOrPanic("invalid config");
363	858	}
364	858	}
365	19.1k	}
366
367		void RateLimitPolicyEntryImpl::populateDescriptors(std::vector<RateLimit::Descriptor>& descriptors,
368		const std::string& local_service_cluster,
369		const Http::RequestHeaderMap& headers,
370	0	const StreamInfo::StreamInfo& info) const {
371	0	RateLimit::Descriptor descriptor;
372	0	bool result =
373	0	populateDescriptor(actions_, descriptor.entries_, local_service_cluster, headers, info);
374
375	0	if (limit_override_) {
376	0	limit_override_.value()->populateOverride(descriptor, &info.dynamicMetadata());
377	0	}
378
379	0	if (result) {
380	0	descriptors.emplace_back(descriptor);
381	0	}
382	0	}
383
384		void RateLimitPolicyEntryImpl::populateLocalDescriptors(
385		std::vector<Envoy::RateLimit::LocalDescriptor>& descriptors,
386		const std::string& local_service_cluster, const Http::RequestHeaderMap& headers,
387	0	const StreamInfo::StreamInfo& info) const {
388	0	RateLimit::LocalDescriptor descriptor({});
389	0	bool result =
390	0	populateDescriptor(actions_, descriptor.entries_, local_service_cluster, headers, info);
391	0	if (result) {
392	0	descriptors.emplace_back(descriptor);
393	0	}
394	0	}
395
396		RateLimitPolicyImpl::RateLimitPolicyImpl()
397	6.45k	: rate_limit_entries_reference_(RateLimitPolicyImpl::MAX_STAGE_NUMBER + 1) {}
398
399		RateLimitPolicyImpl::RateLimitPolicyImpl(
400		const Protobuf::RepeatedPtrField<envoy::config::route::v3::RateLimit>& rate_limits,
401		Server::Configuration::CommonFactoryContext& context)
402	6.45k	: RateLimitPolicyImpl() {
403	19.2k	for (const auto& rate_limit : rate_limits) {
404	19.2k	std::unique_ptr<RateLimitPolicyEntry> rate_limit_policy_entry(
405	19.2k	new RateLimitPolicyEntryImpl(rate_limit, context));
406	19.2k	uint64_t stage = rate_limit_policy_entry->stage();
407	19.2k	ASSERT(stage < rate_limit_entries_reference_.size());
408	19.2k	rate_limit_entries_reference_[stage].emplace_back(*rate_limit_policy_entry);
409	19.2k	rate_limit_entries_.emplace_back(std::move(rate_limit_policy_entry));
410	19.2k	}
411	6.45k	}
412
413		const std::vector<std::reference_wrapper<const Router::RateLimitPolicyEntry>>&
414	0	RateLimitPolicyImpl::getApplicableRateLimit(uint64_t stage) const {
415	0	ASSERT(stage < rate_limit_entries_reference_.size());
416	0	return rate_limit_entries_reference_[stage];
417	0	}
418
419		} // namespace Router
420		} // namespace Envoy