grpc 1.50.0 → 1.51.0

data/src/core/ext/xds/xds_http_rbac_filter.cc

@@ -25,13 +25,11 @@
 #include <map>
 #include <string>
 #include <utility>
-#include <vector>
 
-#include "absl/status/status.h"
 #include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
-#include "absl/strings/str_join.h"
 #include "absl/strings/string_view.h"
+#include "absl/types/variant.h"
 #include "envoy/config/core/v3/address.upb.h"
 #include "envoy/config/rbac/v3/rbac.upb.h"
 #include "envoy/config/route/v3/route_components.upb.h"
@@ -43,6 +41,7 @@
 #include "envoy/type/matcher/v3/string.upb.h"
 #include "envoy/type/v3/range.upb.h"
 #include "google/protobuf/wrappers.upb.h"
+#include "upb/upb.h"
 
 #include "src/core/ext/filters/rbac/rbac_filter.h"
 #include "src/core/ext/filters/rbac/rbac_service_config_parser.h"
@@ -52,12 +51,6 @@
 
 namespace grpc_core {
 
-const char* kXdsHttpRbacFilterConfigName =
-    "envoy.extensions.filters.http.rbac.v3.RBAC";
-
-const char* kXdsHttpRbacFilterConfigOverrideName =
-    "envoy.extensions.filters.http.rbac.v3.RBACPerRoute";
-
 namespace {
 
 Json ParseRegexMatcherToJson(
@@ -72,18 +65,20 @@ Json ParseInt64RangeToJson(const envoy_type_v3_Int64Range* range) {
                       {"end", envoy_type_v3_Int64Range_end(range)}};
 }
 
-absl::StatusOr<Json> ParseHeaderMatcherToJson(
-    const envoy_config_route_v3_HeaderMatcher* header) {
+Json ParseHeaderMatcherToJson(const envoy_config_route_v3_HeaderMatcher* header,
+                              ValidationErrors* errors) {
   Json::Object header_json;
-  std::vector<std::string> errors;
-  std::string name =
-      UpbStringToStdString(envoy_config_route_v3_HeaderMatcher_name(header));
-  if (name == ":scheme") {
-    errors.emplace_back("':scheme' not allowed in header");
-  } else if (absl::StartsWith(name, "grpc-")) {
-    errors.emplace_back("'grpc-' prefixes not allowed in header");
+  {
+    ValidationErrors::ScopedField field(errors, ".name");
+    std::string name =
+        UpbStringToStdString(envoy_config_route_v3_HeaderMatcher_name(header));
+    if (name == ":scheme") {
+      errors->AddError("':scheme' not allowed in header");
+    } else if (absl::StartsWith(name, "grpc-")) {
+      errors->AddError("'grpc-' prefixes not allowed in header");
+    }
+    header_json.emplace("name", std::move(name));
   }
-  header_json.emplace("name", std::move(name));
   if (envoy_config_route_v3_HeaderMatcher_has_exact_match(header)) {
     header_json.emplace(
         "exactMatch",
@@ -119,19 +114,16 @@ absl::StatusOr<Json> ParseHeaderMatcherToJson(
         UpbStringToStdString(
             envoy_config_route_v3_HeaderMatcher_contains_match(header)));
   } else {
-    errors.emplace_back("Invalid route header matcher specified.");
-  }
-  if (!errors.empty()) {
-    return absl::InvalidArgumentError(absl::StrCat(
-        "errors parsing HeaderMatcher: [", absl::StrJoin(errors, "; "), "]"));
+    errors->AddError("invalid route header matcher specified");
   }
   header_json.emplace("invertMatch",
                       envoy_config_route_v3_HeaderMatcher_invert_match(header));
   return header_json;
 }
 
-absl::StatusOr<Json> ParseStringMatcherToJson(
-    const envoy_type_matcher_v3_StringMatcher* matcher) {
+Json ParseStringMatcherToJson(
+    const envoy_type_matcher_v3_StringMatcher* matcher,
+    ValidationErrors* errors) {
   Json::Object json;
   if (envoy_type_matcher_v3_StringMatcher_has_exact(matcher)) {
     json.emplace("exact",
@@ -154,30 +146,23 @@ absl::StatusOr<Json> ParseStringMatcherToJson(
                  UpbStringToStdString(
                      envoy_type_matcher_v3_StringMatcher_contains(matcher)));
   } else {
-    return absl::InvalidArgumentError("StringMatcher: Invalid match pattern");
+    errors->AddError("invalid match pattern");
   }
   json.emplace("ignoreCase",
                envoy_type_matcher_v3_StringMatcher_ignore_case(matcher));
   return json;
 }
 
-absl::StatusOr<Json> ParsePathMatcherToJson(
-    const envoy_type_matcher_v3_PathMatcher* matcher) {
+Json ParsePathMatcherToJson(const envoy_type_matcher_v3_PathMatcher* matcher,
+                            ValidationErrors* errors) {
+  ValidationErrors::ScopedField field(errors, ".path");
   const auto* path = envoy_type_matcher_v3_PathMatcher_path(matcher);
   if (path == nullptr) {
-    return absl::InvalidArgumentError("PathMatcher has empty path");
-  }
-  Json::Object json;
-  auto path_json = ParseStringMatcherToJson(path);
-  if (!path_json.ok()) {
-    return path_json;
+    errors->AddError("field not present");
+    return Json();
   }
-  json.emplace("path", std::move(*path_json));
-  return json;
-}
-
-Json ParseUInt32ValueToJson(const google_protobuf_UInt32Value* value) {
-  return Json::Object{{"value", google_protobuf_UInt32Value_value(value)}};
+  Json path_json = ParseStringMatcherToJson(path, errors);
+  return Json::Object{{"path", std::move(path_json)}};
 }
 
 Json ParseCidrRangeToJson(const envoy_config_core_v3_CidrRange* range) {
@@ -187,7 +172,7 @@ Json ParseCidrRangeToJson(const envoy_config_core_v3_CidrRange* range) {
                    envoy_config_core_v3_CidrRange_address_prefix(range)));
   const auto* prefix_len = envoy_config_core_v3_CidrRange_prefix_len(range);
   if (prefix_len != nullptr) {
-    json.emplace("prefixLen", ParseUInt32ValueToJson(prefix_len));
+    json.emplace("prefixLen", google_protobuf_UInt32Value_value(prefix_len));
   }
   return json;
 }
@@ -203,65 +188,49 @@ Json ParseMetadataMatcherToJson(
   return json;
 }
 
-absl::StatusOr<Json> ParsePermissionToJson(
-    const envoy_config_rbac_v3_Permission* permission) {
+Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
+                           ValidationErrors* errors) {
   Json::Object permission_json;
   // Helper function to parse Permission::Set to JSON. Used by `and_rules` and
   // `or_rules`.
   auto parse_permission_set_to_json =
-      [](const envoy_config_rbac_v3_Permission_Set* set)
-      -> absl::StatusOr<Json> {
-    std::vector<std::string> errors;
+      [errors](const envoy_config_rbac_v3_Permission_Set* set) -> Json {
     Json::Array rules_json;
     size_t size;
     const envoy_config_rbac_v3_Permission* const* rules =
         envoy_config_rbac_v3_Permission_Set_rules(set, &size);
     for (size_t i = 0; i < size; ++i) {
-      auto permission_json = ParsePermissionToJson(rules[i]);
-      if (!permission_json.ok()) {
-        errors.emplace_back(permission_json.status().message());
-      } else {
-        rules_json.emplace_back(std::move(*permission_json));
-      }
-    }
-    if (!errors.empty()) {
-      return absl::InvalidArgumentError(absl::StrCat(
-          "errors parsing Set: [", absl::StrJoin(errors, "; "), "]"));
+      ValidationErrors::ScopedField field(errors,
+                                          absl::StrCat(".rules[", i, "]"));
+      Json permission_json = ParsePermissionToJson(rules[i], errors);
+      rules_json.emplace_back(std::move(permission_json));
     }
     return Json::Object({{"rules", std::move(rules_json)}});
   };
   if (envoy_config_rbac_v3_Permission_has_and_rules(permission)) {
+    ValidationErrors::ScopedField field(errors, ".and_permission");
     const auto* and_rules =
         envoy_config_rbac_v3_Permission_and_rules(permission);
-    auto permission_set_json = parse_permission_set_to_json(and_rules);
-    if (!permission_set_json.ok()) {
-      return permission_set_json;
-    }
-    permission_json.emplace("andRules", std::move(*permission_set_json));
+    Json permission_set_json = parse_permission_set_to_json(and_rules);
+    permission_json.emplace("andRules", std::move(permission_set_json));
   } else if (envoy_config_rbac_v3_Permission_has_or_rules(permission)) {
+    ValidationErrors::ScopedField field(errors, ".or_permission");
     const auto* or_rules = envoy_config_rbac_v3_Permission_or_rules(permission);
-    auto permission_set_json = parse_permission_set_to_json(or_rules);
-    if (!permission_set_json.ok()) {
-      return permission_set_json;
-    }
-    permission_json.emplace("orRules", std::move(*permission_set_json));
+    Json permission_set_json = parse_permission_set_to_json(or_rules);
+    permission_json.emplace("orRules", std::move(permission_set_json));
   } else if (envoy_config_rbac_v3_Permission_has_any(permission)) {
     permission_json.emplace("any",
                             envoy_config_rbac_v3_Permission_any(permission));
   } else if (envoy_config_rbac_v3_Permission_has_header(permission)) {
-    auto header_json = ParseHeaderMatcherToJson(
-        envoy_config_rbac_v3_Permission_header(permission));
-    if (!header_json.ok()) {
-      return header_json;
-    }
-    permission_json.emplace("header", std::move(*header_json));
+    ValidationErrors::ScopedField field(errors, ".header");
+    Json header_json = ParseHeaderMatcherToJson(
+        envoy_config_rbac_v3_Permission_header(permission), errors);
+    permission_json.emplace("header", std::move(header_json));
   } else if (envoy_config_rbac_v3_Permission_has_url_path(permission)) {
-    auto url_path_json = ParsePathMatcherToJson(
-        envoy_config_rbac_v3_Permission_url_path(permission));
-    if (!url_path_json.ok()) {
-      return url_path_json;
-    }
-    permission_json.emplace("urlPath", std::move(*url_path_json));
+    ValidationErrors::ScopedField field(errors, ".url_path");
+    Json url_path_json = ParsePathMatcherToJson(
+        envoy_config_rbac_v3_Permission_url_path(permission), errors);
+    permission_json.emplace("urlPath", std::move(url_path_json));
   } else if (envoy_config_rbac_v3_Permission_has_destination_ip(permission)) {
     permission_json.emplace(
         "destinationIp",
@@ -276,69 +245,53 @@ absl::StatusOr<Json> ParsePermissionToJson(
         "metadata", ParseMetadataMatcherToJson(
                         envoy_config_rbac_v3_Permission_metadata(permission)));
   } else if (envoy_config_rbac_v3_Permission_has_not_rule(permission)) {
-    auto not_rule_json = ParsePermissionToJson(
-        envoy_config_rbac_v3_Permission_not_rule(permission));
-    if (!not_rule_json.ok()) {
-      return not_rule_json;
-    }
-    permission_json.emplace("notRule", std::move(*not_rule_json));
+    ValidationErrors::ScopedField field(errors, ".not_rule");
+    Json not_rule_json = ParsePermissionToJson(
+        envoy_config_rbac_v3_Permission_not_rule(permission), errors);
+    permission_json.emplace("notRule", std::move(not_rule_json));
   } else if (envoy_config_rbac_v3_Permission_has_requested_server_name(
                  permission)) {
-    auto requested_server_name_json = ParseStringMatcherToJson(
-        envoy_config_rbac_v3_Permission_requested_server_name(permission));
-    if (!requested_server_name_json.ok()) {
-      return requested_server_name_json;
-    }
+    ValidationErrors::ScopedField field(errors, ".requested_server_name");
+    Json requested_server_name_json = ParseStringMatcherToJson(
+        envoy_config_rbac_v3_Permission_requested_server_name(permission),
+        errors);
     permission_json.emplace("requestedServerName",
-                            std::move(*requested_server_name_json));
+                            std::move(requested_server_name_json));
   } else {
-    return absl::InvalidArgumentError("Permission: Invalid rule");
+    errors->AddError("invalid rule");
   }
   return permission_json;
 }
 
-absl::StatusOr<Json> ParsePrincipalToJson(
-    const envoy_config_rbac_v3_Principal* principal) {
+Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
+                          ValidationErrors* errors) {
   Json::Object principal_json;
   // Helper function to parse Principal::Set to JSON. Used by `and_ids` and
   // `or_ids`.
   auto parse_principal_set_to_json =
-      [](const envoy_config_rbac_v3_Principal_Set* set)
-      -> absl::StatusOr<Json> {
-    Json::Object json;
-    std::vector<std::string> errors;
+      [errors](const envoy_config_rbac_v3_Principal_Set* set) -> Json {
     Json::Array ids_json;
     size_t size;
     const envoy_config_rbac_v3_Principal* const* ids =
         envoy_config_rbac_v3_Principal_Set_ids(set, &size);
     for (size_t i = 0; i < size; ++i) {
-      auto principal_json = ParsePrincipalToJson(ids[i]);
-      if (!principal_json.ok()) {
-        errors.emplace_back(principal_json.status().message());
-      } else {
-        ids_json.emplace_back(std::move(*principal_json));
-      }
-    }
-    if (!errors.empty()) {
-      return absl::InvalidArgumentError(absl::StrCat(
-          "errors parsing Set: [", absl::StrJoin(errors, "; "), "]"));
+      ValidationErrors::ScopedField field(errors,
+                                          absl::StrCat(".ids[", i, "]"));
+      Json principal_json = ParsePrincipalToJson(ids[i], errors);
+      ids_json.emplace_back(std::move(principal_json));
     }
     return Json::Object({{"ids", std::move(ids_json)}});
   };
   if (envoy_config_rbac_v3_Principal_has_and_ids(principal)) {
+    ValidationErrors::ScopedField field(errors, ".and_ids");
     const auto* and_rules = envoy_config_rbac_v3_Principal_and_ids(principal);
-    auto principal_set_json = parse_principal_set_to_json(and_rules);
-    if (!principal_set_json.ok()) {
-      return principal_set_json;
-    }
-    principal_json.emplace("andIds", std::move(*principal_set_json));
+    Json principal_set_json = parse_principal_set_to_json(and_rules);
+    principal_json.emplace("andIds", std::move(principal_set_json));
   } else if (envoy_config_rbac_v3_Principal_has_or_ids(principal)) {
+    ValidationErrors::ScopedField field(errors, ".or_ids");
     const auto* or_rules = envoy_config_rbac_v3_Principal_or_ids(principal);
-    auto principal_set_json = parse_principal_set_to_json(or_rules);
-    if (!principal_set_json.ok()) {
-      return principal_set_json;
-    }
-    principal_json.emplace("orIds", std::move(*principal_set_json));
+    Json principal_set_json = parse_principal_set_to_json(or_rules);
+    principal_json.emplace("orIds", std::move(principal_set_json));
   } else if (envoy_config_rbac_v3_Principal_has_any(principal)) {
     principal_json.emplace("any",
                            envoy_config_rbac_v3_Principal_any(principal));
@@ -350,12 +303,12 @@ absl::StatusOr<Json> ParsePrincipalToJson(
         envoy_config_rbac_v3_Principal_Authenticated_principal_name(
             envoy_config_rbac_v3_Principal_authenticated(principal));
     if (principal_name != nullptr) {
-      auto principal_name_json = ParseStringMatcherToJson(principal_name);
-      if (!principal_name_json.ok()) {
-        return principal_name_json;
-      }
+      ValidationErrors::ScopedField field(errors,
+                                          ".authenticated.principal_name");
+      Json principal_name_json =
+          ParseStringMatcherToJson(principal_name, errors);
       authenticated_json->emplace("principalName",
-                                  std::move(*principal_name_json));
+                                  std::move(principal_name_json));
     }
   } else if (envoy_config_rbac_v3_Principal_has_source_ip(principal)) {
     principal_json.emplace(
@@ -371,84 +324,71 @@ absl::StatusOr<Json> ParsePrincipalToJson(
         "remoteIp", ParseCidrRangeToJson(
                         envoy_config_rbac_v3_Principal_remote_ip(principal)));
   } else if (envoy_config_rbac_v3_Principal_has_header(principal)) {
-    auto header_json = ParseHeaderMatcherToJson(
-        envoy_config_rbac_v3_Principal_header(principal));
-    if (!header_json.ok()) {
-      return header_json;
-    }
-    principal_json.emplace("header", std::move(*header_json));
+    ValidationErrors::ScopedField field(errors, ".header");
+    Json header_json = ParseHeaderMatcherToJson(
+        envoy_config_rbac_v3_Principal_header(principal), errors);
+    principal_json.emplace("header", std::move(header_json));
   } else if (envoy_config_rbac_v3_Principal_has_url_path(principal)) {
-    auto url_path_json = ParsePathMatcherToJson(
-        envoy_config_rbac_v3_Principal_url_path(principal));
-    if (!url_path_json.ok()) {
-      return url_path_json;
-    }
-    principal_json.emplace("urlPath", std::move(*url_path_json));
+    ValidationErrors::ScopedField field(errors, ".url_path");
+    Json url_path_json = ParsePathMatcherToJson(
+        envoy_config_rbac_v3_Principal_url_path(principal), errors);
+    principal_json.emplace("urlPath", std::move(url_path_json));
   } else if (envoy_config_rbac_v3_Principal_has_metadata(principal)) {
     principal_json.emplace(
         "metadata", ParseMetadataMatcherToJson(
                         envoy_config_rbac_v3_Principal_metadata(principal)));
   } else if (envoy_config_rbac_v3_Principal_has_not_id(principal)) {
-    auto not_id_json =
-        ParsePrincipalToJson(envoy_config_rbac_v3_Principal_not_id(principal));
-    if (!not_id_json.ok()) {
-      return not_id_json;
-    }
-    principal_json.emplace("notId", std::move(*not_id_json));
+    ValidationErrors::ScopedField field(errors, ".not_id");
+    Json not_id_json = ParsePrincipalToJson(
+        envoy_config_rbac_v3_Principal_not_id(principal), errors);
+    principal_json.emplace("notId", std::move(not_id_json));
   } else {
-    return absl::InvalidArgumentError("Principal: Invalid rule");
+    errors->AddError("invalid rule");
   }
   return principal_json;
 }
 
-absl::StatusOr<Json> ParsePolicyToJson(
-    const envoy_config_rbac_v3_Policy* policy) {
+Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
+                       ValidationErrors* errors) {
   Json::Object policy_json;
-  std::vector<std::string> errors;
   size_t size;
   Json::Array permissions_json;
   const envoy_config_rbac_v3_Permission* const* permissions =
       envoy_config_rbac_v3_Policy_permissions(policy, &size);
   for (size_t i = 0; i < size; ++i) {
-    auto permission_json = ParsePermissionToJson(permissions[i]);
-    if (!permission_json.ok()) {
-      errors.emplace_back(permission_json.status().message());
-    } else {
-      permissions_json.emplace_back(std::move(*permission_json));
-    }
+    ValidationErrors::ScopedField field(errors,
+                                        absl::StrCat(".permissions[", i, "]"));
+    Json permission_json = ParsePermissionToJson(permissions[i], errors);
+    permissions_json.emplace_back(std::move(permission_json));
   }
   policy_json.emplace("permissions", std::move(permissions_json));
   Json::Array principals_json;
   const envoy_config_rbac_v3_Principal* const* principals =
       envoy_config_rbac_v3_Policy_principals(policy, &size);
   for (size_t i = 0; i < size; ++i) {
-    auto principal_json = ParsePrincipalToJson(principals[i]);
-    if (!principal_json.ok()) {
-      errors.emplace_back(principal_json.status().message());
-    } else {
-      principals_json.emplace_back(std::move(*principal_json));
-    }
+    ValidationErrors::ScopedField field(errors,
+                                        absl::StrCat(".principals[", i, "]"));
+    Json principal_json = ParsePrincipalToJson(principals[i], errors);
+    principals_json.emplace_back(std::move(principal_json));
   }
   policy_json.emplace("principals", std::move(principals_json));
   if (envoy_config_rbac_v3_Policy_has_condition(policy)) {
-    errors.emplace_back("Policy: condition not supported");
+    ValidationErrors::ScopedField field(errors, ".condition");
+    errors->AddError("condition not supported");
   }
   if (envoy_config_rbac_v3_Policy_has_checked_condition(policy)) {
-    errors.emplace_back("Policy: checked condition not supported");
-  }
-  if (!errors.empty()) {
-    return absl::InvalidArgumentError(absl::StrCat(
-        "errors parsing Policy: [", absl::StrJoin(errors, "; "), "]"));
+    ValidationErrors::ScopedField field(errors, ".checked_condition");
+    errors->AddError("checked condition not supported");
   }
   return policy_json;
 }
 
-absl::StatusOr<Json> ParseHttpRbacToJson(
-    const envoy_extensions_filters_http_rbac_v3_RBAC* rbac) {
+Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
+                         ValidationErrors* errors) {
   Json::Object rbac_json;
-  std::vector<std::string> errors;
   const auto* rules = envoy_extensions_filters_http_rbac_v3_RBAC_rules(rbac);
   if (rules != nullptr) {
+    ValidationErrors::ScopedField field(errors, ".rules");
     int action = envoy_config_rbac_v3_RBAC_action(rules);
     // Treat Log action as RBAC being absent
     if (action == envoy_config_rbac_v3_RBAC_LOG) {
@@ -464,77 +404,82 @@ absl::StatusOr<Json> ParseHttpRbacToJson(
         if (entry == nullptr) {
           break;
         }
-        auto policy = ParsePolicyToJson(
-            envoy_config_rbac_v3_RBAC_PoliciesEntry_value(entry));
-        if (!policy.ok()) {
-          errors.emplace_back(absl::StrCat(
-              "RBAC PoliciesEntry key:",
-              UpbStringToStdString(
-                  envoy_config_rbac_v3_RBAC_PoliciesEntry_key(entry)),
-              " error:", policy.status().message()));
-        } else {
-          policies_object.emplace(
-              UpbStringToStdString(
-                  envoy_config_rbac_v3_RBAC_PoliciesEntry_key(entry)),
-              std::move(*policy));
-        }
+        absl::string_view key =
+            UpbStringToAbsl(envoy_config_rbac_v3_RBAC_PoliciesEntry_key(entry));
+        ValidationErrors::ScopedField field(
+            errors, absl::StrCat(".policies[", key, "]"));
+        Json policy = ParsePolicyToJson(
+            envoy_config_rbac_v3_RBAC_PoliciesEntry_value(entry), errors);
+        policies_object.emplace(std::string(key), std::move(policy));
       }
       inner_rbac_json.emplace("policies", std::move(policies_object));
     }
     rbac_json.emplace("rules", std::move(inner_rbac_json));
   }
-  if (!errors.empty()) {
-    return absl::InvalidArgumentError(absl::StrCat(
-        "errors parsing RBAC: [", absl::StrJoin(errors, "; "), "]"));
-  }
   return rbac_json;
 }
 
 }  // namespace
 
+absl::string_view XdsHttpRbacFilter::ConfigProtoName() const {
+  return "envoy.extensions.filters.http.rbac.v3.RBAC";
+}
+
+absl::string_view XdsHttpRbacFilter::OverrideConfigProtoName() const {
+  return "envoy.extensions.filters.http.rbac.v3.RBACPerRoute";
+}
+
 void XdsHttpRbacFilter::PopulateSymtab(upb_DefPool* symtab) const {
   envoy_extensions_filters_http_rbac_v3_RBAC_getmsgdef(symtab);
 }
 
-absl::StatusOr<XdsHttpFilterImpl::FilterConfig>
-XdsHttpRbacFilter::GenerateFilterConfig(upb_StringView serialized_filter_config,
-                                        upb_Arena* arena) const {
-  absl::StatusOr<Json> rbac_json;
+absl::optional<XdsHttpFilterImpl::FilterConfig>
+XdsHttpRbacFilter::GenerateFilterConfig(XdsExtension extension,
+                                        upb_Arena* arena,
+                                        ValidationErrors* errors) const {
+  absl::string_view* serialized_filter_config =
+      absl::get_if<absl::string_view>(&extension.value);
+  if (serialized_filter_config == nullptr) {
+    errors->AddError("could not parse HTTP RBAC filter config");
+    return absl::nullopt;
+  }
   auto* rbac = envoy_extensions_filters_http_rbac_v3_RBAC_parse(
-      serialized_filter_config.data, serialized_filter_config.size, arena);
+      serialized_filter_config->data(), serialized_filter_config->size(),
+      arena);
   if (rbac == nullptr) {
-    return absl::InvalidArgumentError(
-        "could not parse HTTP RBAC filter config");
-  }
-  rbac_json = ParseHttpRbacToJson(rbac);
-  if (!rbac_json.ok()) {
-    return rbac_json.status();
+    errors->AddError("could not parse HTTP RBAC filter config");
+    return absl::nullopt;
   }
-  return FilterConfig{kXdsHttpRbacFilterConfigName, std::move(*rbac_json)};
+  return FilterConfig{ConfigProtoName(), ParseHttpRbacToJson(rbac, errors)};
 }
 
-absl::StatusOr<XdsHttpFilterImpl::FilterConfig>
+absl::optional<XdsHttpFilterImpl::FilterConfig>
 XdsHttpRbacFilter::GenerateFilterConfigOverride(
-    upb_StringView serialized_filter_config, upb_Arena* arena) const {
+    XdsExtension extension, upb_Arena* arena, ValidationErrors* errors) const {
+  absl::string_view* serialized_filter_config =
+      absl::get_if<absl::string_view>(&extension.value);
+  if (serialized_filter_config == nullptr) {
+    errors->AddError("could not parse RBACPerRoute");
+    return absl::nullopt;
+  }
   auto* rbac_per_route =
       envoy_extensions_filters_http_rbac_v3_RBACPerRoute_parse(
-          serialized_filter_config.data, serialized_filter_config.size, arena);
+          serialized_filter_config->data(), serialized_filter_config->size(),
+          arena);
   if (rbac_per_route == nullptr) {
-    return absl::InvalidArgumentError("could not parse RBACPerRoute");
+    errors->AddError("could not parse RBACPerRoute");
+    return absl::nullopt;
   }
-  absl::StatusOr<Json> rbac_json;
+  Json rbac_json;
   const auto* rbac =
       envoy_extensions_filters_http_rbac_v3_RBACPerRoute_rbac(rbac_per_route);
   if (rbac == nullptr) {
     rbac_json = Json::Object();
   } else {
-    rbac_json = ParseHttpRbacToJson(rbac);
-    if (!rbac_json.ok()) {
-      return rbac_json.status();
-    }
+    ValidationErrors::ScopedField field(errors, ".rbac");
+    rbac_json = ParseHttpRbacToJson(rbac, errors);
   }
-  return FilterConfig{kXdsHttpRbacFilterConfigOverrideName,
-                      std::move(*rbac_json)};
+  return FilterConfig{OverrideConfigProtoName(), std::move(rbac_json)};
 }
 
 const grpc_channel_filter* XdsHttpRbacFilter::channel_filter() const {

data/src/core/ext/xds/xds_http_rbac_filter.h

@@ -20,39 +20,36 @@
 #include <grpc/support/port_platform.h>
 
 #include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+#include "absl/types/optional.h"
 #include "upb/arena.h"
 #include "upb/def.h"
-#include "upb/upb.h"
 
+#include "src/core/ext/xds/xds_common_types.h"
 #include "src/core/ext/xds/xds_http_filters.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/channel_fwd.h"
+#include "src/core/lib/gprpp/validation_errors.h"
 
 namespace grpc_core {
 
-extern const char* kXdsHttpRbacFilterConfigName;
-extern const char* kXdsHttpRbacFilterConfigOverrideName;
-
 class XdsHttpRbacFilter : public XdsHttpFilterImpl {
  public:
+  absl::string_view ConfigProtoName() const override;
+  absl::string_view OverrideConfigProtoName() const override;
   void PopulateSymtab(upb_DefPool* symtab) const override;
-
-  absl::StatusOr<FilterConfig> GenerateFilterConfig(
-      upb_StringView serialized_filter_config, upb_Arena* arena) const override;
-
-  absl::StatusOr<FilterConfig> GenerateFilterConfigOverride(
-      upb_StringView serialized_filter_config, upb_Arena* arena) const override;
-
+  absl::optional<FilterConfig> GenerateFilterConfig(
+      XdsExtension extension, upb_Arena* arena,
+      ValidationErrors* errors) const override;
+  absl::optional<FilterConfig> GenerateFilterConfigOverride(
+      XdsExtension extension, upb_Arena* arena,
+      ValidationErrors* errors) const override;
   const grpc_channel_filter* channel_filter() const override;
-
   ChannelArgs ModifyChannelArgs(const ChannelArgs& args) const override;
-
   absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
       const FilterConfig& hcm_filter_config,
       const FilterConfig* filter_config_override) const override;
-
   bool IsSupportedOnClients() const override { return false; }
-
   bool IsSupportedOnServers() const override { return true; }
 };