grpc 1.55.0 → 1.56.0.pre3

data/src/core/ext/xds/xds_http_rbac_filter.cc

@@ -19,9 +19,9 @@
 #include "src/core/ext/xds/xds_http_rbac_filter.h"
 
 #include <stddef.h>
+#include <stdint.h>
 
 #include <algorithm>
-#include <cstdint>
 #include <string>
 #include <utility>
 
@@ -42,10 +42,17 @@
 #include "google/protobuf/wrappers.upb.h"
 #include "upb/collections/map.h"
 
+#include <grpc/support/json.h>
+
 #include "src/core/ext/filters/rbac/rbac_filter.h"
 #include "src/core/ext/filters/rbac/rbac_service_config_parser.h"
 #include "src/core/ext/xds/upb_utils.h"
+#include "src/core/ext/xds/xds_audit_logger_registry.h"
+#include "src/core/ext/xds/xds_bootstrap_grpc.h"
+#include "src/core/ext/xds/xds_client.h"
 #include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/gpr/string.h"
+#include "src/core/lib/gprpp/env.h"
 #include "src/core/lib/json/json.h"
 #include "src/core/lib/json/json_writer.h"
 
@@ -53,16 +60,27 @@ namespace grpc_core {
 
 namespace {
 
+// TODO(lwge): Remove once the feature is stable.
+bool XdsRbacAuditLoggingEnabled() {
+  auto value = GetEnv("GRPC_EXPERIMENTAL_XDS_RBAC_AUDIT_LOGGING");
+  if (!value.has_value()) return false;
+  bool parsed_value;
+  bool parse_succeeded = gpr_parse_bool_value(value->c_str(), &parsed_value);
+  return parse_succeeded && parsed_value;
+}
+
 Json ParseRegexMatcherToJson(
     const envoy_type_matcher_v3_RegexMatcher* regex_matcher) {
-  return Json::Object(
-      {{"regex", UpbStringToStdString(envoy_type_matcher_v3_RegexMatcher_regex(
-                     regex_matcher))}});
+  return Json::FromObject(
+      {{"regex",
+        Json::FromString(UpbStringToStdString(
+            envoy_type_matcher_v3_RegexMatcher_regex(regex_matcher)))}});
 }
 
 Json ParseInt64RangeToJson(const envoy_type_v3_Int64Range* range) {
-  return Json::Object{{"start", envoy_type_v3_Int64Range_start(range)},
-                      {"end", envoy_type_v3_Int64Range_end(range)}};
+  return Json::FromObject(
+      {{"start", Json::FromNumber(envoy_type_v3_Int64Range_start(range))},
+       {"end", Json::FromNumber(envoy_type_v3_Int64Range_end(range))}});
 }
 
 Json ParseHeaderMatcherToJson(const envoy_config_route_v3_HeaderMatcher* header,
@@ -77,13 +95,13 @@ Json ParseHeaderMatcherToJson(const envoy_config_route_v3_HeaderMatcher* header,
     } else if (absl::StartsWith(name, "grpc-")) {
       errors->AddError("'grpc-' prefixes not allowed in header");
     }
-    header_json.emplace("name", std::move(name));
+    header_json.emplace("name", Json::FromString(std::move(name)));
   }
   if (envoy_config_route_v3_HeaderMatcher_has_exact_match(header)) {
     header_json.emplace(
         "exactMatch",
-        UpbStringToStdString(
-            envoy_config_route_v3_HeaderMatcher_exact_match(header)));
+        Json::FromString(UpbStringToStdString(
+            envoy_config_route_v3_HeaderMatcher_exact_match(header))));
   } else if (envoy_config_route_v3_HeaderMatcher_has_safe_regex_match(header)) {
     header_json.emplace(
         "safeRegexMatch",
@@ -97,28 +115,30 @@ Json ParseHeaderMatcherToJson(const envoy_config_route_v3_HeaderMatcher* header,
   } else if (envoy_config_route_v3_HeaderMatcher_has_present_match(header)) {
     header_json.emplace(
         "presentMatch",
-        envoy_config_route_v3_HeaderMatcher_present_match(header));
+        Json::FromBool(
+            envoy_config_route_v3_HeaderMatcher_present_match(header)));
   } else if (envoy_config_route_v3_HeaderMatcher_has_prefix_match(header)) {
     header_json.emplace(
         "prefixMatch",
-        UpbStringToStdString(
-            envoy_config_route_v3_HeaderMatcher_prefix_match(header)));
+        Json::FromString(UpbStringToStdString(
+            envoy_config_route_v3_HeaderMatcher_prefix_match(header))));
   } else if (envoy_config_route_v3_HeaderMatcher_has_suffix_match(header)) {
     header_json.emplace(
         "suffixMatch",
-        UpbStringToStdString(
-            envoy_config_route_v3_HeaderMatcher_suffix_match(header)));
+        Json::FromString(UpbStringToStdString(
+            envoy_config_route_v3_HeaderMatcher_suffix_match(header))));
   } else if (envoy_config_route_v3_HeaderMatcher_has_contains_match(header)) {
     header_json.emplace(
         "containsMatch",
-        UpbStringToStdString(
-            envoy_config_route_v3_HeaderMatcher_contains_match(header)));
+        Json::FromString(UpbStringToStdString(
+            envoy_config_route_v3_HeaderMatcher_contains_match(header))));
   } else {
     errors->AddError("invalid route header matcher specified");
   }
-  header_json.emplace("invertMatch",
-                      envoy_config_route_v3_HeaderMatcher_invert_match(header));
-  return header_json;
+  header_json.emplace(
+      "invertMatch",
+      Json::FromBool(envoy_config_route_v3_HeaderMatcher_invert_match(header)));
+  return Json::FromObject(std::move(header_json));
 }
 
 Json ParseStringMatcherToJson(
@@ -127,30 +147,31 @@ Json ParseStringMatcherToJson(
   Json::Object json;
   if (envoy_type_matcher_v3_StringMatcher_has_exact(matcher)) {
     json.emplace("exact",
-                 UpbStringToStdString(
-                     envoy_type_matcher_v3_StringMatcher_exact(matcher)));
+                 Json::FromString(UpbStringToStdString(
+                     envoy_type_matcher_v3_StringMatcher_exact(matcher))));
   } else if (envoy_type_matcher_v3_StringMatcher_has_prefix(matcher)) {
     json.emplace("prefix",
-                 UpbStringToStdString(
-                     envoy_type_matcher_v3_StringMatcher_prefix(matcher)));
+                 Json::FromString(UpbStringToStdString(
+                     envoy_type_matcher_v3_StringMatcher_prefix(matcher))));
   } else if (envoy_type_matcher_v3_StringMatcher_has_suffix(matcher)) {
     json.emplace("suffix",
-                 UpbStringToStdString(
-                     envoy_type_matcher_v3_StringMatcher_suffix(matcher)));
+                 Json::FromString(UpbStringToStdString(
+                     envoy_type_matcher_v3_StringMatcher_suffix(matcher))));
   } else if (envoy_type_matcher_v3_StringMatcher_has_safe_regex(matcher)) {
     json.emplace("safeRegex",
                  ParseRegexMatcherToJson(
                      envoy_type_matcher_v3_StringMatcher_safe_regex(matcher)));
   } else if (envoy_type_matcher_v3_StringMatcher_has_contains(matcher)) {
     json.emplace("contains",
-                 UpbStringToStdString(
-                     envoy_type_matcher_v3_StringMatcher_contains(matcher)));
+                 Json::FromString(UpbStringToStdString(
+                     envoy_type_matcher_v3_StringMatcher_contains(matcher))));
   } else {
     errors->AddError("invalid match pattern");
   }
-  json.emplace("ignoreCase",
-               envoy_type_matcher_v3_StringMatcher_ignore_case(matcher));
-  return json;
+  json.emplace(
+      "ignoreCase",
+      Json::FromBool(envoy_type_matcher_v3_StringMatcher_ignore_case(matcher)));
+  return Json::FromObject(std::move(json));
 }
 
 Json ParsePathMatcherToJson(const envoy_type_matcher_v3_PathMatcher* matcher,
@@ -162,30 +183,32 @@ Json ParsePathMatcherToJson(const envoy_type_matcher_v3_PathMatcher* matcher,
     return Json();
   }
   Json path_json = ParseStringMatcherToJson(path, errors);
-  return Json::Object{{"path", std::move(path_json)}};
+  return Json::FromObject({{"path", std::move(path_json)}});
 }
 
 Json ParseCidrRangeToJson(const envoy_config_core_v3_CidrRange* range) {
   Json::Object json;
   json.emplace("addressPrefix",
-               UpbStringToStdString(
-                   envoy_config_core_v3_CidrRange_address_prefix(range)));
+               Json::FromString(UpbStringToStdString(
+                   envoy_config_core_v3_CidrRange_address_prefix(range))));
   const auto* prefix_len = envoy_config_core_v3_CidrRange_prefix_len(range);
   if (prefix_len != nullptr) {
-    json.emplace("prefixLen", google_protobuf_UInt32Value_value(prefix_len));
+    json.emplace(
+        "prefixLen",
+        Json::FromNumber(google_protobuf_UInt32Value_value(prefix_len)));
   }
-  return json;
+  return Json::FromObject(std::move(json));
 }
 
 Json ParseMetadataMatcherToJson(
     const envoy_type_matcher_v3_MetadataMatcher* metadata_matcher) {
-  Json::Object json;
   // The fields "filter", "path" and "value" are irrelevant to gRPC as per
   // https://github.com/grpc/proposal/blob/master/A41-xds-rbac.md and are not
   // being parsed.
-  json.emplace("invert",
-               envoy_type_matcher_v3_MetadataMatcher_invert(metadata_matcher));
-  return json;
+  return Json::FromObject({
+      {"invert", Json::FromBool(envoy_type_matcher_v3_MetadataMatcher_invert(
+                     metadata_matcher))},
+  });
 }
 
 Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
@@ -205,7 +228,8 @@ Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
       Json permission_json = ParsePermissionToJson(rules[i], errors);
       rules_json.emplace_back(std::move(permission_json));
     }
-    return Json::Object({{"rules", std::move(rules_json)}});
+    return Json::FromObject(
+        {{"rules", Json::FromArray(std::move(rules_json))}});
   };
   if (envoy_config_rbac_v3_Permission_has_and_rules(permission)) {
     ValidationErrors::ScopedField field(errors, ".and_permission");
@@ -219,8 +243,8 @@ Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
     Json permission_set_json = parse_permission_set_to_json(or_rules);
     permission_json.emplace("orRules", std::move(permission_set_json));
   } else if (envoy_config_rbac_v3_Permission_has_any(permission)) {
-    permission_json.emplace("any",
-                            envoy_config_rbac_v3_Permission_any(permission));
+    permission_json.emplace(
+        "any", Json::FromBool(envoy_config_rbac_v3_Permission_any(permission)));
   } else if (envoy_config_rbac_v3_Permission_has_header(permission)) {
     ValidationErrors::ScopedField field(errors, ".header");
     Json header_json = ParseHeaderMatcherToJson(
@@ -239,7 +263,8 @@ Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
   } else if (envoy_config_rbac_v3_Permission_has_destination_port(permission)) {
     permission_json.emplace(
         "destinationPort",
-        envoy_config_rbac_v3_Permission_destination_port(permission));
+        Json::FromNumber(
+            envoy_config_rbac_v3_Permission_destination_port(permission)));
   } else if (envoy_config_rbac_v3_Permission_has_metadata(permission)) {
     permission_json.emplace(
         "metadata", ParseMetadataMatcherToJson(
@@ -260,7 +285,7 @@ Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
   } else {
     errors->AddError("invalid rule");
   }
-  return permission_json;
+  return Json::FromObject(std::move(permission_json));
 }
 
 Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
@@ -280,7 +305,7 @@ Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
       Json principal_json = ParsePrincipalToJson(ids[i], errors);
       ids_json.emplace_back(std::move(principal_json));
     }
-    return Json::Object({{"ids", std::move(ids_json)}});
+    return Json::FromObject({{"ids", Json::FromArray(std::move(ids_json))}});
   };
   if (envoy_config_rbac_v3_Principal_has_and_ids(principal)) {
     ValidationErrors::ScopedField field(errors, ".and_ids");
@@ -293,8 +318,8 @@ Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
     Json principal_set_json = parse_principal_set_to_json(or_rules);
     principal_json.emplace("orIds", std::move(principal_set_json));
   } else if (envoy_config_rbac_v3_Principal_has_any(principal)) {
-    principal_json.emplace("any",
-                           envoy_config_rbac_v3_Principal_any(principal));
+    principal_json.emplace(
+        "any", Json::FromBool(envoy_config_rbac_v3_Principal_any(principal)));
   } else if (envoy_config_rbac_v3_Principal_has_authenticated(principal)) {
     Json::Object authenticated_json;
     const auto* principal_name =
@@ -307,7 +332,8 @@ Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
           ParseStringMatcherToJson(principal_name, errors);
       authenticated_json["principalName"] = std::move(principal_name_json);
     }
-    principal_json["authenticated"] = std::move(authenticated_json);
+    principal_json["authenticated"] =
+        Json::FromObject(std::move(authenticated_json));
   } else if (envoy_config_rbac_v3_Principal_has_source_ip(principal)) {
     principal_json.emplace(
         "sourceIp", ParseCidrRangeToJson(
@@ -343,7 +369,7 @@ Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
   } else {
     errors->AddError("invalid rule");
   }
-  return principal_json;
+  return Json::FromObject(std::move(principal_json));
 }
 
 Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
@@ -359,7 +385,8 @@ Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
     Json permission_json = ParsePermissionToJson(permissions[i], errors);
     permissions_json.emplace_back(std::move(permission_json));
   }
-  policy_json.emplace("permissions", std::move(permissions_json));
+  policy_json.emplace("permissions",
+                      Json::FromArray(std::move(permissions_json)));
   Json::Array principals_json;
   const envoy_config_rbac_v3_Principal* const* principals =
       envoy_config_rbac_v3_Policy_principals(policy, &size);
@@ -369,7 +396,8 @@ Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
     Json principal_json = ParsePrincipalToJson(principals[i], errors);
     principals_json.emplace_back(std::move(principal_json));
   }
-  policy_json.emplace("principals", std::move(principals_json));
+  policy_json.emplace("principals",
+                      Json::FromArray(std::move(principals_json)));
   if (envoy_config_rbac_v3_Policy_has_condition(policy)) {
     ValidationErrors::ScopedField field(errors, ".condition");
     errors->AddError("condition not supported");
@@ -378,10 +406,33 @@ Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
     ValidationErrors::ScopedField field(errors, ".checked_condition");
     errors->AddError("checked condition not supported");
   }
-  return policy_json;
+  return Json::FromObject(std::move(policy_json));
+}
+
+Json ParseAuditLoggerConfigsToJson(
+    const XdsResourceType::DecodeContext& context,
+    const envoy_config_rbac_v3_RBAC_AuditLoggingOptions* audit_logging_options,
+    ValidationErrors* errors) {
+  Json::Array logger_configs_json;
+  size_t size;
+  const auto& registry =
+      static_cast<const GrpcXdsBootstrap&>(context.client->bootstrap())
+          .audit_logger_registry();
+  const envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig* const*
+      logger_configs =
+          envoy_config_rbac_v3_RBAC_AuditLoggingOptions_logger_configs(
+              audit_logging_options, &size);
+  for (size_t i = 0; i < size; ++i) {
+    ValidationErrors::ScopedField field(
+        errors, absl::StrCat(".logger_configs[", i, "]"));
+    logger_configs_json.emplace_back(registry.ConvertXdsAuditLoggerConfig(
+        context, logger_configs[i], errors));
+  }
+  return Json::FromArray(logger_configs_json);
 }
 
-Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
+Json ParseHttpRbacToJson(const XdsResourceType::DecodeContext& context,
+                         const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
                          ValidationErrors* errors) {
   Json::Object rbac_json;
   const auto* rules = envoy_extensions_filters_http_rbac_v3_RBAC_rules(rbac);
@@ -390,10 +441,11 @@ Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
     int action = envoy_config_rbac_v3_RBAC_action(rules);
     // Treat Log action as RBAC being absent
     if (action == envoy_config_rbac_v3_RBAC_LOG) {
-      return rbac_json;
+      return Json::FromObject({});
     }
     Json::Object inner_rbac_json;
-    inner_rbac_json.emplace("action", envoy_config_rbac_v3_RBAC_action(rules));
+    inner_rbac_json.emplace(
+        "action", Json::FromNumber(envoy_config_rbac_v3_RBAC_action(rules)));
     if (envoy_config_rbac_v3_RBAC_policies_size(rules) != 0) {
       Json::Object policies_object;
       size_t iter = kUpb_Map_Begin;
@@ -410,11 +462,40 @@ Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
             envoy_config_rbac_v3_RBAC_PoliciesEntry_value(entry), errors);
         policies_object.emplace(std::string(key), std::move(policy));
       }
-      inner_rbac_json.emplace("policies", std::move(policies_object));
+      inner_rbac_json.emplace("policies",
+                              Json::FromObject(std::move(policies_object)));
+    }
+    // Flatten the nested messages defined in rbac.proto
+    if (XdsRbacAuditLoggingEnabled() &&
+        envoy_config_rbac_v3_RBAC_has_audit_logging_options(rules)) {
+      ValidationErrors::ScopedField field(errors, ".audit_logging_options");
+      const auto* audit_logging_options =
+          envoy_config_rbac_v3_RBAC_audit_logging_options(rules);
+      int32_t audit_condition =
+          envoy_config_rbac_v3_RBAC_AuditLoggingOptions_audit_condition(
+              audit_logging_options);
+      switch (audit_condition) {
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_NONE:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_DENY:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_ALLOW:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_DENY_AND_ALLOW:
+          inner_rbac_json.emplace("audit_condition",
+                                  Json::FromNumber(audit_condition));
+          break;
+        default:
+          ValidationErrors::ScopedField field(errors, ".audit_condition");
+          errors->AddError("invalid audit condition");
+      }
+      if (envoy_config_rbac_v3_RBAC_AuditLoggingOptions_has_logger_configs(
+              audit_logging_options)) {
+        inner_rbac_json.emplace("audit_loggers",
+                                ParseAuditLoggerConfigsToJson(
+                                    context, audit_logging_options, errors));
+      }
     }
-    rbac_json.emplace("rules", std::move(inner_rbac_json));
+    rbac_json.emplace("rules", Json::FromObject(std::move(inner_rbac_json)));
   }
-  return rbac_json;
+  return Json::FromObject(std::move(rbac_json));
 }
 
 }  // namespace
@@ -448,7 +529,8 @@ XdsHttpRbacFilter::GenerateFilterConfig(
     errors->AddError("could not parse HTTP RBAC filter config");
     return absl::nullopt;
   }
-  return FilterConfig{ConfigProtoName(), ParseHttpRbacToJson(rbac, errors)};
+  return FilterConfig{ConfigProtoName(),
+                      ParseHttpRbacToJson(context, rbac, errors)};
 }
 
 absl::optional<XdsHttpFilterImpl::FilterConfig>
@@ -473,10 +555,10 @@ XdsHttpRbacFilter::GenerateFilterConfigOverride(
   const auto* rbac =
       envoy_extensions_filters_http_rbac_v3_RBACPerRoute_rbac(rbac_per_route);
   if (rbac == nullptr) {
-    rbac_json = Json::Object();
+    rbac_json = Json::FromObject({});
   } else {
     ValidationErrors::ScopedField field(errors, ".rbac");
-    rbac_json = ParseHttpRbacToJson(rbac, errors);
+    rbac_json = ParseHttpRbacToJson(context, rbac, errors);
   }
   return FilterConfig{OverrideConfigProtoName(), std::move(rbac_json)};
 }
@@ -493,12 +575,17 @@ ChannelArgs XdsHttpRbacFilter::ModifyChannelArgs(
 absl::StatusOr<XdsHttpFilterImpl::ServiceConfigJsonEntry>
 XdsHttpRbacFilter::GenerateServiceConfig(
     const FilterConfig& hcm_filter_config,
-    const FilterConfig* filter_config_override) const {
-  Json policy_json = filter_config_override != nullptr
-                         ? filter_config_override->config
-                         : hcm_filter_config.config;
-  // The policy JSON may be empty, that's allowed.
-  return ServiceConfigJsonEntry{"rbacPolicy", JsonDump(policy_json)};
+    const FilterConfig* filter_config_override,
+    absl::string_view filter_name) const {
+  const Json& policy_json = filter_config_override != nullptr
+                                ? filter_config_override->config
+                                : hcm_filter_config.config;
+  auto json_object = policy_json.object();
+  json_object.emplace("filter_name",
+                      Json::FromString(std::string(filter_name)));
+  // The policy JSON may be empty other than the filter name, that's allowed.
+  return ServiceConfigJsonEntry{"rbacPolicy",
+                                JsonDump(Json::FromObject(json_object))};
 }
 
 }  // namespace grpc_core

data/src/core/ext/xds/xds_http_rbac_filter.h

@@ -48,7 +48,8 @@ class XdsHttpRbacFilter : public XdsHttpFilterImpl {
   ChannelArgs ModifyChannelArgs(const ChannelArgs& args) const override;
   absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
       const FilterConfig& hcm_filter_config,
-      const FilterConfig* filter_config_override) const override;
+      const FilterConfig* filter_config_override,
+      absl::string_view filter_name) const override;
   bool IsSupportedOnClients() const override { return false; }
   bool IsSupportedOnServers() const override { return true; }
 };

data/src/core/ext/xds/xds_http_stateful_session_filter.cc

@@ -31,6 +31,8 @@
 #include "envoy/extensions/http/stateful_session/cookie/v3/cookie.upbdefs.h"
 #include "envoy/type/http/v3/cookie.upb.h"
 
+#include <grpc/support/json.h>
+
 #include "src/core/ext/filters/stateful_session/stateful_session_filter.h"
 #include "src/core/ext/filters/stateful_session/stateful_session_service_config_parser.h"
 #include "src/core/ext/xds/upb_utils.h"
@@ -119,20 +121,20 @@ Json::Object ValidateStatefulSession(
     ValidationErrors::ScopedField field(errors, ".name");
     errors->AddError("field not present");
   }
-  cookie_config["name"] = std::move(cookie_name);
+  cookie_config["name"] = Json::FromString(std::move(cookie_name));
   // ttl
   {
     ValidationErrors::ScopedField field(errors, ".ttl");
     const auto* duration = envoy_type_http_v3_Cookie_ttl(cookie);
     if (duration != nullptr) {
       Duration ttl = ParseDuration(duration, errors);
-      cookie_config["ttl"] = ttl.ToJsonString();
+      cookie_config["ttl"] = Json::FromString(ttl.ToJsonString());
     }
   }
   // path
   std::string path =
       UpbStringToStdString(envoy_type_http_v3_Cookie_path(cookie));
-  if (!path.empty()) cookie_config["path"] = std::move(path);
+  if (!path.empty()) cookie_config["path"] = Json::FromString(std::move(path));
   return cookie_config;
 }
 
@@ -156,9 +158,9 @@ XdsHttpStatefulSessionFilter::GenerateFilterConfig(
     errors->AddError("could not parse stateful session filter config");
     return absl::nullopt;
   }
-  return FilterConfig{
-      ConfigProtoName(),
-      ValidateStatefulSession(context, stateful_session, errors)};
+  return FilterConfig{ConfigProtoName(),
+                      Json::FromObject(ValidateStatefulSession(
+                          context, stateful_session, errors))};
 }
 
 absl::optional<XdsHttpFilterImpl::FilterConfig>
@@ -192,7 +194,8 @@ XdsHttpStatefulSessionFilter::GenerateFilterConfigOverride(
       config = ValidateStatefulSession(context, stateful_session, errors);
     }
   }
-  return FilterConfig{OverrideConfigProtoName(), Json(std::move(config))};
+  return FilterConfig{OverrideConfigProtoName(),
+                      Json::FromObject(std::move(config))};
 }
 
 const grpc_channel_filter* XdsHttpStatefulSessionFilter::channel_filter()
@@ -208,10 +211,11 @@ ChannelArgs XdsHttpStatefulSessionFilter::ModifyChannelArgs(
 absl::StatusOr<XdsHttpFilterImpl::ServiceConfigJsonEntry>
 XdsHttpStatefulSessionFilter::GenerateServiceConfig(
     const FilterConfig& hcm_filter_config,
-    const FilterConfig* filter_config_override) const {
-  Json config = filter_config_override != nullptr
-                    ? filter_config_override->config
-                    : hcm_filter_config.config;
+    const FilterConfig* filter_config_override,
+    absl::string_view /*filter_name*/) const {
+  const Json& config = filter_config_override != nullptr
+                           ? filter_config_override->config
+                           : hcm_filter_config.config;
   return ServiceConfigJsonEntry{"stateful_session", JsonDump(config)};
 }
 

data/src/core/ext/xds/xds_http_stateful_session_filter.h

@@ -48,7 +48,8 @@ class XdsHttpStatefulSessionFilter : public XdsHttpFilterImpl {
   ChannelArgs ModifyChannelArgs(const ChannelArgs& args) const override;
   absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
       const FilterConfig& hcm_filter_config,
-      const FilterConfig* filter_config_override) const override;
+      const FilterConfig* filter_config_override,
+      absl::string_view filter_name) const override;
   bool IsSupportedOnClients() const override { return true; }
   bool IsSupportedOnServers() const override { return false; }
 };

data/src/core/ext/xds/xds_lb_policy_registry.cc

@@ -33,6 +33,8 @@
 #include "envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.upb.h"
 #include "google/protobuf/wrappers.upb.h"
 
+#include <grpc/support/json.h>
+
 #include "src/core/ext/xds/xds_common_types.h"
 #include "src/core/lib/config/core_configuration.h"
 #include "src/core/lib/gprpp/time.h"
@@ -51,7 +53,7 @@ class RoundRobinLbPolicyConfigFactory
       const XdsResourceType::DecodeContext& /*context*/,
       absl::string_view /*configuration*/, ValidationErrors* /*errors*/,
       int /*recursion_depth*/) override {
-    return Json::Object{{"round_robin", Json::Object()}};
+    return Json::Object{{"round_robin", Json::FromObject({})}};
   }
 
   absl::string_view type() override { return Type(); }
@@ -84,7 +86,7 @@ class ClientSideWeightedRoundRobinLbPolicyConfigFactory
             resource);
     if (enable_oob_load_report != nullptr &&
         google_protobuf_BoolValue_value(enable_oob_load_report)) {
-      config["enableOobLoadReport"] = true;
+      config["enableOobLoadReport"] = Json::FromBool(true);
     }
     // oob_reporting_period
     auto* duration_proto =
@@ -93,7 +95,7 @@ class ClientSideWeightedRoundRobinLbPolicyConfigFactory
     if (duration_proto != nullptr) {
       ValidationErrors::ScopedField field(errors, ".oob_reporting_period");
       Duration duration = ParseDuration(duration_proto, errors);
-      config["oobReportingPeriod"] = duration.ToJsonString();
+      config["oobReportingPeriod"] = Json::FromString(duration.ToJsonString());
     }
     // blackout_period
     duration_proto =
@@ -102,7 +104,7 @@ class ClientSideWeightedRoundRobinLbPolicyConfigFactory
     if (duration_proto != nullptr) {
       ValidationErrors::ScopedField field(errors, ".blackout_period");
       Duration duration = ParseDuration(duration_proto, errors);
-      config["blackoutPeriod"] = duration.ToJsonString();
+      config["blackoutPeriod"] = Json::FromString(duration.ToJsonString());
     }
     // weight_update_period
     duration_proto =
@@ -111,7 +113,7 @@ class ClientSideWeightedRoundRobinLbPolicyConfigFactory
     if (duration_proto != nullptr) {
       ValidationErrors::ScopedField field(errors, ".weight_update_period");
       Duration duration = ParseDuration(duration_proto, errors);
-      config["weightUpdatePeriod"] = duration.ToJsonString();
+      config["weightUpdatePeriod"] = Json::FromString(duration.ToJsonString());
     }
     // weight_expiration_period
     duration_proto =
@@ -120,7 +122,8 @@ class ClientSideWeightedRoundRobinLbPolicyConfigFactory
     if (duration_proto != nullptr) {
       ValidationErrors::ScopedField field(errors, ".weight_expiration_period");
       Duration duration = ParseDuration(duration_proto, errors);
-      config["weightExpirationPeriod"] = duration.ToJsonString();
+      config["weightExpirationPeriod"] =
+          Json::FromString(duration.ToJsonString());
     }
     // error_utilization_penalty
     auto* error_utilization_penalty =
@@ -133,9 +136,10 @@ class ClientSideWeightedRoundRobinLbPolicyConfigFactory
       if (value < 0.0) {
         errors->AddError("value must be non-negative");
       }
-      config["errorUtilizationPenalty"] = value;
+      config["errorUtilizationPenalty"] = Json::FromNumber(value);
     }
-    return Json::Object{{"weighted_round_robin", std::move(config)}};
+    return Json::Object{
+        {"weighted_round_robin", Json::FromObject(std::move(config))}};
   }
 
   absl::string_view type() override { return Type(); }
@@ -197,10 +201,10 @@ class RingHashLbPolicyConfigFactory
     }
     return Json::Object{
         {"ring_hash_experimental",
-         Json::Object{
-             {"minRingSize", min_ring_size},
-             {"maxRingSize", max_ring_size},
-         }},
+         Json::FromObject({
+             {"minRingSize", Json::FromNumber(min_ring_size)},
+             {"maxRingSize", Json::FromNumber(max_ring_size)},
+         })},
     };
   }
 
@@ -238,7 +242,8 @@ class WrrLocalityLbPolicyConfigFactory
         context, endpoint_picking_policy, errors, recursion_depth + 1);
     return Json::Object{
         {"xds_wrr_locality_experimental",
-         Json::Object{{"childPolicy", std::move(child_policy)}}}};
+         Json::FromObject(
+             {{"childPolicy", Json::FromArray(std::move(child_policy))}})}};
   }
 
   absl::string_view type() override { return Type(); }
@@ -306,8 +311,9 @@ Json::Array XdsLbPolicyRegistry::ConvertXdsLbPolicyConfig(
     if (serialized_value != nullptr) {
       auto config_factory_it = policy_config_factories_.find(extension->type);
       if (config_factory_it != policy_config_factories_.end()) {
-        return Json::Array{config_factory_it->second->ConvertXdsLbPolicyConfig(
-            this, context, *serialized_value, errors, recursion_depth)};
+        return Json::Array{Json::FromObject(
+            config_factory_it->second->ConvertXdsLbPolicyConfig(
+                this, context, *serialized_value, errors, recursion_depth))};
       }
     }
     // Check for custom LB policy type.
@@ -316,7 +322,7 @@ Json::Array XdsLbPolicyRegistry::ConvertXdsLbPolicyConfig(
         CoreConfiguration::Get().lb_policy_registry().LoadBalancingPolicyExists(
             extension->type, nullptr)) {
       return Json::Array{
-          Json::Object{{std::string(extension->type), std::move(*json)}}};
+          Json::FromObject({{std::string(extension->type), std::move(*json)}})};
     }
     // Unsupported type.  Continue to next entry.
   }

data/src/core/ext/xds/xds_listener.cc

@@ -37,6 +37,7 @@
 #include "envoy/config/listener/v3/listener.upb.h"
 #include "envoy/config/listener/v3/listener.upbdefs.h"
 #include "envoy/config/listener/v3/listener_components.upb.h"
+#include "envoy/config/rbac/v3/rbac.upb.h"
 #include "envoy/config/route/v3/route.upb.h"
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb.h"
 #include "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upbdefs.h"