grpc 1.55.3 → 1.56.0.pre3

data/src/core/ext/xds/xds_common_types.cc

@@ -45,6 +45,8 @@
 #include "upb/upb.hpp"
 #include "xds/type/v3/typed_struct.upb.h"
 
+#include <grpc/support/json.h>
+
 #include "src/core/ext/xds/upb_utils.h"
 #include "src/core/ext/xds/xds_bootstrap_grpc.h"
 #include "src/core/ext/xds/xds_client.h"
@@ -486,7 +488,7 @@ absl::optional<XdsExtension> ExtractXdsExtension(
         errors, absl::StrCat(".value[", extension.type, "]"));
     auto* protobuf_struct = xds_type_v3_TypedStruct_value(typed_struct);
     if (protobuf_struct == nullptr) {
-      extension.value = Json::Object();  // Default to empty object.
+      extension.value = Json::FromObject({});  // Default to empty object.
     } else {
       auto json = ParseProtobufStructToJson(context, protobuf_struct);
       if (!json.ok()) {

data/src/core/ext/xds/xds_http_fault_filter.cc

@@ -34,6 +34,7 @@
 #include "google/protobuf/wrappers.upb.h"
 
 #include <grpc/status.h>
+#include <grpc/support/json.h>
 
 #include "src/core/ext/filters/fault_injection/fault_injection_filter.h"
 #include "src/core/ext/filters/fault_injection/fault_injection_service_config_parser.h"
@@ -139,14 +140,14 @@ XdsHttpFaultFilter::GenerateFilterConfig(
     }
     // Set the abort_code, even if it's OK
     fault_injection_policy_json["abortCode"] =
-        grpc_status_code_to_string(abort_grpc_status_code);
+        Json::FromString(grpc_status_code_to_string(abort_grpc_status_code));
     // Set the headers if we enabled header abort injection control
     if (envoy_extensions_filters_http_fault_v3_FaultAbort_has_header_abort(
             fault_abort)) {
       fault_injection_policy_json["abortCodeHeader"] =
-          "x-envoy-fault-abort-grpc-request";
+          Json::FromString("x-envoy-fault-abort-grpc-request");
       fault_injection_policy_json["abortPercentageHeader"] =
-          "x-envoy-fault-abort-percentage";
+          Json::FromString("x-envoy-fault-abort-percentage");
     }
     // Set the fraction percent
     auto* percent =
@@ -154,9 +155,9 @@ XdsHttpFaultFilter::GenerateFilterConfig(
             fault_abort);
     if (percent != nullptr) {
       fault_injection_policy_json["abortPercentageNumerator"] =
-          envoy_type_v3_FractionalPercent_numerator(percent);
+          Json::FromNumber(envoy_type_v3_FractionalPercent_numerator(percent));
       fault_injection_policy_json["abortPercentageDenominator"] =
-          GetDenominator(percent);
+          Json::FromNumber(GetDenominator(percent));
     }
   }
   // Section 2: Parse the delay injection config
@@ -171,15 +172,16 @@ XdsHttpFaultFilter::GenerateFilterConfig(
     if (delay_duration != nullptr) {
       ValidationErrors::ScopedField field(errors, ".fixed_delay");
       Duration duration = ParseDuration(delay_duration, errors);
-      fault_injection_policy_json["delay"] = duration.ToJsonString();
+      fault_injection_policy_json["delay"] =
+          Json::FromString(duration.ToJsonString());
     }
     // Set the headers if we enabled header delay injection control
     if (envoy_extensions_filters_common_fault_v3_FaultDelay_has_header_delay(
             fault_delay)) {
       fault_injection_policy_json["delayHeader"] =
-          "x-envoy-fault-delay-request";
+          Json::FromString("x-envoy-fault-delay-request");
       fault_injection_policy_json["delayPercentageHeader"] =
-          "x-envoy-fault-delay-request-percentage";
+          Json::FromString("x-envoy-fault-delay-request-percentage");
     }
     // Set the fraction percent
     auto* percent =
@@ -187,9 +189,9 @@ XdsHttpFaultFilter::GenerateFilterConfig(
             fault_delay);
     if (percent != nullptr) {
       fault_injection_policy_json["delayPercentageNumerator"] =
-          envoy_type_v3_FractionalPercent_numerator(percent);
+          Json::FromNumber(envoy_type_v3_FractionalPercent_numerator(percent));
       fault_injection_policy_json["delayPercentageDenominator"] =
-          GetDenominator(percent);
+          Json::FromNumber(GetDenominator(percent));
     }
   }
   // Section 3: Parse the maximum active faults
@@ -198,10 +200,10 @@ XdsHttpFaultFilter::GenerateFilterConfig(
           http_fault);
   if (max_fault_wrapper != nullptr) {
     fault_injection_policy_json["maxFaults"] =
-        google_protobuf_UInt32Value_value(max_fault_wrapper);
+        Json::FromNumber(google_protobuf_UInt32Value_value(max_fault_wrapper));
   }
   return FilterConfig{ConfigProtoName(),
-                      std::move(fault_injection_policy_json)};
+                      Json::FromObject(std::move(fault_injection_policy_json))};
 }
 
 absl::optional<XdsHttpFilterImpl::FilterConfig>
@@ -225,7 +227,8 @@ ChannelArgs XdsHttpFaultFilter::ModifyChannelArgs(
 absl::StatusOr<XdsHttpFilterImpl::ServiceConfigJsonEntry>
 XdsHttpFaultFilter::GenerateServiceConfig(
     const FilterConfig& hcm_filter_config,
-    const FilterConfig* filter_config_override) const {
+    const FilterConfig* filter_config_override,
+    absl::string_view /*filter_name*/) const {
   Json policy_json = filter_config_override != nullptr
                          ? filter_config_override->config
                          : hcm_filter_config.config;

data/src/core/ext/xds/xds_http_fault_filter.h

@@ -48,7 +48,8 @@ class XdsHttpFaultFilter : public XdsHttpFilterImpl {
   ChannelArgs ModifyChannelArgs(const ChannelArgs& args) const override;
   absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
       const FilterConfig& hcm_filter_config,
-      const FilterConfig* filter_config_override) const override;
+      const FilterConfig* filter_config_override,
+      absl::string_view filter_name) const override;
   bool IsSupportedOnClients() const override { return true; }
   bool IsSupportedOnServers() const override { return false; }
 };

data/src/core/ext/xds/xds_http_filters.h

@@ -112,7 +112,8 @@ class XdsHttpFilterImpl {
   // there is no override in any of those locations.
   virtual absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
       const FilterConfig& hcm_filter_config,
-      const FilterConfig* filter_config_override) const = 0;
+      const FilterConfig* filter_config_override,
+      absl::string_view filter_name) const = 0;
 
   // Returns true if the filter is supported on clients; false otherwise
   virtual bool IsSupportedOnClients() const = 0;
@@ -138,7 +139,8 @@ class XdsHttpRouterFilter : public XdsHttpFilterImpl {
   const grpc_channel_filter* channel_filter() const override { return nullptr; }
   absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
       const FilterConfig& /*hcm_filter_config*/,
-      const FilterConfig* /*filter_config_override*/) const override {
+      const FilterConfig* /*filter_config_override*/,
+      absl::string_view /*filter_name*/) const override {
     // This will never be called, since channel_filter() returns null.
     return absl::UnimplementedError("router filter should never be called");
   }

data/src/core/ext/xds/xds_http_rbac_filter.cc

@@ -19,9 +19,9 @@
 #include "src/core/ext/xds/xds_http_rbac_filter.h"
 
 #include <stddef.h>
+#include <stdint.h>
 
 #include <algorithm>
-#include <cstdint>
 #include <string>
 #include <utility>
 
@@ -42,10 +42,17 @@
 #include "google/protobuf/wrappers.upb.h"
 #include "upb/collections/map.h"
 
+#include <grpc/support/json.h>
+
 #include "src/core/ext/filters/rbac/rbac_filter.h"
 #include "src/core/ext/filters/rbac/rbac_service_config_parser.h"
 #include "src/core/ext/xds/upb_utils.h"
+#include "src/core/ext/xds/xds_audit_logger_registry.h"
+#include "src/core/ext/xds/xds_bootstrap_grpc.h"
+#include "src/core/ext/xds/xds_client.h"
 #include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/gpr/string.h"
+#include "src/core/lib/gprpp/env.h"
 #include "src/core/lib/json/json.h"
 #include "src/core/lib/json/json_writer.h"
 
@@ -53,16 +60,27 @@ namespace grpc_core {
 
 namespace {
 
+// TODO(lwge): Remove once the feature is stable.
+bool XdsRbacAuditLoggingEnabled() {
+  auto value = GetEnv("GRPC_EXPERIMENTAL_XDS_RBAC_AUDIT_LOGGING");
+  if (!value.has_value()) return false;
+  bool parsed_value;
+  bool parse_succeeded = gpr_parse_bool_value(value->c_str(), &parsed_value);
+  return parse_succeeded && parsed_value;
+}
+
 Json ParseRegexMatcherToJson(
     const envoy_type_matcher_v3_RegexMatcher* regex_matcher) {
-  return Json::Object(
-      {{"regex", UpbStringToStdString(envoy_type_matcher_v3_RegexMatcher_regex(
-                     regex_matcher))}});
+  return Json::FromObject(
+      {{"regex",
+        Json::FromString(UpbStringToStdString(
+            envoy_type_matcher_v3_RegexMatcher_regex(regex_matcher)))}});
 }
 
 Json ParseInt64RangeToJson(const envoy_type_v3_Int64Range* range) {
-  return Json::Object{{"start", envoy_type_v3_Int64Range_start(range)},
-                      {"end", envoy_type_v3_Int64Range_end(range)}};
+  return Json::FromObject(
+      {{"start", Json::FromNumber(envoy_type_v3_Int64Range_start(range))},
+       {"end", Json::FromNumber(envoy_type_v3_Int64Range_end(range))}});
 }
 
 Json ParseHeaderMatcherToJson(const envoy_config_route_v3_HeaderMatcher* header,
@@ -77,13 +95,13 @@ Json ParseHeaderMatcherToJson(const envoy_config_route_v3_HeaderMatcher* header,
     } else if (absl::StartsWith(name, "grpc-")) {
       errors->AddError("'grpc-' prefixes not allowed in header");
     }
-    header_json.emplace("name", std::move(name));
+    header_json.emplace("name", Json::FromString(std::move(name)));
   }
   if (envoy_config_route_v3_HeaderMatcher_has_exact_match(header)) {
     header_json.emplace(
         "exactMatch",
-        UpbStringToStdString(
-            envoy_config_route_v3_HeaderMatcher_exact_match(header)));
+        Json::FromString(UpbStringToStdString(
+            envoy_config_route_v3_HeaderMatcher_exact_match(header))));
   } else if (envoy_config_route_v3_HeaderMatcher_has_safe_regex_match(header)) {
     header_json.emplace(
         "safeRegexMatch",
@@ -97,28 +115,30 @@ Json ParseHeaderMatcherToJson(const envoy_config_route_v3_HeaderMatcher* header,
   } else if (envoy_config_route_v3_HeaderMatcher_has_present_match(header)) {
     header_json.emplace(
         "presentMatch",
-        envoy_config_route_v3_HeaderMatcher_present_match(header));
+        Json::FromBool(
+            envoy_config_route_v3_HeaderMatcher_present_match(header)));
   } else if (envoy_config_route_v3_HeaderMatcher_has_prefix_match(header)) {
     header_json.emplace(
         "prefixMatch",
-        UpbStringToStdString(
-            envoy_config_route_v3_HeaderMatcher_prefix_match(header)));
+        Json::FromString(UpbStringToStdString(
+            envoy_config_route_v3_HeaderMatcher_prefix_match(header))));
   } else if (envoy_config_route_v3_HeaderMatcher_has_suffix_match(header)) {
     header_json.emplace(
         "suffixMatch",
-        UpbStringToStdString(
-            envoy_config_route_v3_HeaderMatcher_suffix_match(header)));
+        Json::FromString(UpbStringToStdString(
+            envoy_config_route_v3_HeaderMatcher_suffix_match(header))));
   } else if (envoy_config_route_v3_HeaderMatcher_has_contains_match(header)) {
     header_json.emplace(
         "containsMatch",
-        UpbStringToStdString(
-            envoy_config_route_v3_HeaderMatcher_contains_match(header)));
+        Json::FromString(UpbStringToStdString(
+            envoy_config_route_v3_HeaderMatcher_contains_match(header))));
   } else {
     errors->AddError("invalid route header matcher specified");
   }
-  header_json.emplace("invertMatch",
-                      envoy_config_route_v3_HeaderMatcher_invert_match(header));
-  return header_json;
+  header_json.emplace(
+      "invertMatch",
+      Json::FromBool(envoy_config_route_v3_HeaderMatcher_invert_match(header)));
+  return Json::FromObject(std::move(header_json));
 }
 
 Json ParseStringMatcherToJson(
@@ -127,30 +147,31 @@ Json ParseStringMatcherToJson(
   Json::Object json;
   if (envoy_type_matcher_v3_StringMatcher_has_exact(matcher)) {
     json.emplace("exact",
-                 UpbStringToStdString(
-                     envoy_type_matcher_v3_StringMatcher_exact(matcher)));
+                 Json::FromString(UpbStringToStdString(
+                     envoy_type_matcher_v3_StringMatcher_exact(matcher))));
   } else if (envoy_type_matcher_v3_StringMatcher_has_prefix(matcher)) {
     json.emplace("prefix",
-                 UpbStringToStdString(
-                     envoy_type_matcher_v3_StringMatcher_prefix(matcher)));
+                 Json::FromString(UpbStringToStdString(
+                     envoy_type_matcher_v3_StringMatcher_prefix(matcher))));
   } else if (envoy_type_matcher_v3_StringMatcher_has_suffix(matcher)) {
     json.emplace("suffix",
-                 UpbStringToStdString(
-                     envoy_type_matcher_v3_StringMatcher_suffix(matcher)));
+                 Json::FromString(UpbStringToStdString(
+                     envoy_type_matcher_v3_StringMatcher_suffix(matcher))));
   } else if (envoy_type_matcher_v3_StringMatcher_has_safe_regex(matcher)) {
     json.emplace("safeRegex",
                  ParseRegexMatcherToJson(
                      envoy_type_matcher_v3_StringMatcher_safe_regex(matcher)));
   } else if (envoy_type_matcher_v3_StringMatcher_has_contains(matcher)) {
     json.emplace("contains",
-                 UpbStringToStdString(
-                     envoy_type_matcher_v3_StringMatcher_contains(matcher)));
+                 Json::FromString(UpbStringToStdString(
+                     envoy_type_matcher_v3_StringMatcher_contains(matcher))));
   } else {
     errors->AddError("invalid match pattern");
   }
-  json.emplace("ignoreCase",
-               envoy_type_matcher_v3_StringMatcher_ignore_case(matcher));
-  return json;
+  json.emplace(
+      "ignoreCase",
+      Json::FromBool(envoy_type_matcher_v3_StringMatcher_ignore_case(matcher)));
+  return Json::FromObject(std::move(json));
 }
 
 Json ParsePathMatcherToJson(const envoy_type_matcher_v3_PathMatcher* matcher,
@@ -162,30 +183,32 @@ Json ParsePathMatcherToJson(const envoy_type_matcher_v3_PathMatcher* matcher,
     return Json();
   }
   Json path_json = ParseStringMatcherToJson(path, errors);
-  return Json::Object{{"path", std::move(path_json)}};
+  return Json::FromObject({{"path", std::move(path_json)}});
 }
 
 Json ParseCidrRangeToJson(const envoy_config_core_v3_CidrRange* range) {
   Json::Object json;
   json.emplace("addressPrefix",
-               UpbStringToStdString(
-                   envoy_config_core_v3_CidrRange_address_prefix(range)));
+               Json::FromString(UpbStringToStdString(
+                   envoy_config_core_v3_CidrRange_address_prefix(range))));
   const auto* prefix_len = envoy_config_core_v3_CidrRange_prefix_len(range);
   if (prefix_len != nullptr) {
-    json.emplace("prefixLen", google_protobuf_UInt32Value_value(prefix_len));
+    json.emplace(
+        "prefixLen",
+        Json::FromNumber(google_protobuf_UInt32Value_value(prefix_len)));
   }
-  return json;
+  return Json::FromObject(std::move(json));
 }
 
 Json ParseMetadataMatcherToJson(
     const envoy_type_matcher_v3_MetadataMatcher* metadata_matcher) {
-  Json::Object json;
   // The fields "filter", "path" and "value" are irrelevant to gRPC as per
   // https://github.com/grpc/proposal/blob/master/A41-xds-rbac.md and are not
   // being parsed.
-  json.emplace("invert",
-               envoy_type_matcher_v3_MetadataMatcher_invert(metadata_matcher));
-  return json;
+  return Json::FromObject({
+      {"invert", Json::FromBool(envoy_type_matcher_v3_MetadataMatcher_invert(
+                     metadata_matcher))},
+  });
 }
 
 Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
@@ -205,7 +228,8 @@ Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
       Json permission_json = ParsePermissionToJson(rules[i], errors);
       rules_json.emplace_back(std::move(permission_json));
     }
-    return Json::Object({{"rules", std::move(rules_json)}});
+    return Json::FromObject(
+        {{"rules", Json::FromArray(std::move(rules_json))}});
   };
   if (envoy_config_rbac_v3_Permission_has_and_rules(permission)) {
     ValidationErrors::ScopedField field(errors, ".and_permission");
@@ -219,8 +243,8 @@ Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
     Json permission_set_json = parse_permission_set_to_json(or_rules);
     permission_json.emplace("orRules", std::move(permission_set_json));
   } else if (envoy_config_rbac_v3_Permission_has_any(permission)) {
-    permission_json.emplace("any",
-                            envoy_config_rbac_v3_Permission_any(permission));
+    permission_json.emplace(
+        "any", Json::FromBool(envoy_config_rbac_v3_Permission_any(permission)));
   } else if (envoy_config_rbac_v3_Permission_has_header(permission)) {
     ValidationErrors::ScopedField field(errors, ".header");
     Json header_json = ParseHeaderMatcherToJson(
@@ -239,7 +263,8 @@ Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
   } else if (envoy_config_rbac_v3_Permission_has_destination_port(permission)) {
     permission_json.emplace(
         "destinationPort",
-        envoy_config_rbac_v3_Permission_destination_port(permission));
+        Json::FromNumber(
+            envoy_config_rbac_v3_Permission_destination_port(permission)));
   } else if (envoy_config_rbac_v3_Permission_has_metadata(permission)) {
     permission_json.emplace(
         "metadata", ParseMetadataMatcherToJson(
@@ -260,7 +285,7 @@ Json ParsePermissionToJson(const envoy_config_rbac_v3_Permission* permission,
   } else {
     errors->AddError("invalid rule");
   }
-  return permission_json;
+  return Json::FromObject(std::move(permission_json));
 }
 
 Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
@@ -280,7 +305,7 @@ Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
       Json principal_json = ParsePrincipalToJson(ids[i], errors);
       ids_json.emplace_back(std::move(principal_json));
     }
-    return Json::Object({{"ids", std::move(ids_json)}});
+    return Json::FromObject({{"ids", Json::FromArray(std::move(ids_json))}});
   };
   if (envoy_config_rbac_v3_Principal_has_and_ids(principal)) {
     ValidationErrors::ScopedField field(errors, ".and_ids");
@@ -293,8 +318,8 @@ Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
     Json principal_set_json = parse_principal_set_to_json(or_rules);
     principal_json.emplace("orIds", std::move(principal_set_json));
   } else if (envoy_config_rbac_v3_Principal_has_any(principal)) {
-    principal_json.emplace("any",
-                           envoy_config_rbac_v3_Principal_any(principal));
+    principal_json.emplace(
+        "any", Json::FromBool(envoy_config_rbac_v3_Principal_any(principal)));
   } else if (envoy_config_rbac_v3_Principal_has_authenticated(principal)) {
     Json::Object authenticated_json;
     const auto* principal_name =
@@ -307,7 +332,8 @@ Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
           ParseStringMatcherToJson(principal_name, errors);
       authenticated_json["principalName"] = std::move(principal_name_json);
     }
-    principal_json["authenticated"] = std::move(authenticated_json);
+    principal_json["authenticated"] =
+        Json::FromObject(std::move(authenticated_json));
   } else if (envoy_config_rbac_v3_Principal_has_source_ip(principal)) {
     principal_json.emplace(
         "sourceIp", ParseCidrRangeToJson(
@@ -343,7 +369,7 @@ Json ParsePrincipalToJson(const envoy_config_rbac_v3_Principal* principal,
   } else {
     errors->AddError("invalid rule");
   }
-  return principal_json;
+  return Json::FromObject(std::move(principal_json));
 }
 
 Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
@@ -359,7 +385,8 @@ Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
     Json permission_json = ParsePermissionToJson(permissions[i], errors);
     permissions_json.emplace_back(std::move(permission_json));
   }
-  policy_json.emplace("permissions", std::move(permissions_json));
+  policy_json.emplace("permissions",
+                      Json::FromArray(std::move(permissions_json)));
   Json::Array principals_json;
   const envoy_config_rbac_v3_Principal* const* principals =
       envoy_config_rbac_v3_Policy_principals(policy, &size);
@@ -369,7 +396,8 @@ Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
     Json principal_json = ParsePrincipalToJson(principals[i], errors);
     principals_json.emplace_back(std::move(principal_json));
   }
-  policy_json.emplace("principals", std::move(principals_json));
+  policy_json.emplace("principals",
+                      Json::FromArray(std::move(principals_json)));
   if (envoy_config_rbac_v3_Policy_has_condition(policy)) {
     ValidationErrors::ScopedField field(errors, ".condition");
     errors->AddError("condition not supported");
@@ -378,10 +406,33 @@ Json ParsePolicyToJson(const envoy_config_rbac_v3_Policy* policy,
     ValidationErrors::ScopedField field(errors, ".checked_condition");
     errors->AddError("checked condition not supported");
   }
-  return policy_json;
+  return Json::FromObject(std::move(policy_json));
+}
+
+Json ParseAuditLoggerConfigsToJson(
+    const XdsResourceType::DecodeContext& context,
+    const envoy_config_rbac_v3_RBAC_AuditLoggingOptions* audit_logging_options,
+    ValidationErrors* errors) {
+  Json::Array logger_configs_json;
+  size_t size;
+  const auto& registry =
+      static_cast<const GrpcXdsBootstrap&>(context.client->bootstrap())
+          .audit_logger_registry();
+  const envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig* const*
+      logger_configs =
+          envoy_config_rbac_v3_RBAC_AuditLoggingOptions_logger_configs(
+              audit_logging_options, &size);
+  for (size_t i = 0; i < size; ++i) {
+    ValidationErrors::ScopedField field(
+        errors, absl::StrCat(".logger_configs[", i, "]"));
+    logger_configs_json.emplace_back(registry.ConvertXdsAuditLoggerConfig(
+        context, logger_configs[i], errors));
+  }
+  return Json::FromArray(logger_configs_json);
 }
 
-Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
+Json ParseHttpRbacToJson(const XdsResourceType::DecodeContext& context,
+                         const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
                          ValidationErrors* errors) {
   Json::Object rbac_json;
   const auto* rules = envoy_extensions_filters_http_rbac_v3_RBAC_rules(rbac);
@@ -390,10 +441,11 @@ Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
     int action = envoy_config_rbac_v3_RBAC_action(rules);
     // Treat Log action as RBAC being absent
     if (action == envoy_config_rbac_v3_RBAC_LOG) {
-      return rbac_json;
+      return Json::FromObject({});
     }
     Json::Object inner_rbac_json;
-    inner_rbac_json.emplace("action", envoy_config_rbac_v3_RBAC_action(rules));
+    inner_rbac_json.emplace(
+        "action", Json::FromNumber(envoy_config_rbac_v3_RBAC_action(rules)));
     if (envoy_config_rbac_v3_RBAC_policies_size(rules) != 0) {
       Json::Object policies_object;
       size_t iter = kUpb_Map_Begin;
@@ -410,11 +462,40 @@ Json ParseHttpRbacToJson(const envoy_extensions_filters_http_rbac_v3_RBAC* rbac,
             envoy_config_rbac_v3_RBAC_PoliciesEntry_value(entry), errors);
         policies_object.emplace(std::string(key), std::move(policy));
       }
-      inner_rbac_json.emplace("policies", std::move(policies_object));
+      inner_rbac_json.emplace("policies",
+                              Json::FromObject(std::move(policies_object)));
+    }
+    // Flatten the nested messages defined in rbac.proto
+    if (XdsRbacAuditLoggingEnabled() &&
+        envoy_config_rbac_v3_RBAC_has_audit_logging_options(rules)) {
+      ValidationErrors::ScopedField field(errors, ".audit_logging_options");
+      const auto* audit_logging_options =
+          envoy_config_rbac_v3_RBAC_audit_logging_options(rules);
+      int32_t audit_condition =
+          envoy_config_rbac_v3_RBAC_AuditLoggingOptions_audit_condition(
+              audit_logging_options);
+      switch (audit_condition) {
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_NONE:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_DENY:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_ALLOW:
+        case envoy_config_rbac_v3_RBAC_AuditLoggingOptions_ON_DENY_AND_ALLOW:
+          inner_rbac_json.emplace("audit_condition",
+                                  Json::FromNumber(audit_condition));
+          break;
+        default:
+          ValidationErrors::ScopedField field(errors, ".audit_condition");
+          errors->AddError("invalid audit condition");
+      }
+      if (envoy_config_rbac_v3_RBAC_AuditLoggingOptions_has_logger_configs(
+              audit_logging_options)) {
+        inner_rbac_json.emplace("audit_loggers",
+                                ParseAuditLoggerConfigsToJson(
+                                    context, audit_logging_options, errors));
+      }
     }
-    rbac_json.emplace("rules", std::move(inner_rbac_json));
+    rbac_json.emplace("rules", Json::FromObject(std::move(inner_rbac_json)));
   }
-  return rbac_json;
+  return Json::FromObject(std::move(rbac_json));
 }
 
 }  // namespace
@@ -448,7 +529,8 @@ XdsHttpRbacFilter::GenerateFilterConfig(
     errors->AddError("could not parse HTTP RBAC filter config");
     return absl::nullopt;
   }
-  return FilterConfig{ConfigProtoName(), ParseHttpRbacToJson(rbac, errors)};
+  return FilterConfig{ConfigProtoName(),
+                      ParseHttpRbacToJson(context, rbac, errors)};
 }
 
 absl::optional<XdsHttpFilterImpl::FilterConfig>
@@ -473,10 +555,10 @@ XdsHttpRbacFilter::GenerateFilterConfigOverride(
   const auto* rbac =
       envoy_extensions_filters_http_rbac_v3_RBACPerRoute_rbac(rbac_per_route);
   if (rbac == nullptr) {
-    rbac_json = Json::Object();
+    rbac_json = Json::FromObject({});
   } else {
     ValidationErrors::ScopedField field(errors, ".rbac");
-    rbac_json = ParseHttpRbacToJson(rbac, errors);
+    rbac_json = ParseHttpRbacToJson(context, rbac, errors);
   }
   return FilterConfig{OverrideConfigProtoName(), std::move(rbac_json)};
 }
@@ -493,12 +575,17 @@ ChannelArgs XdsHttpRbacFilter::ModifyChannelArgs(
 absl::StatusOr<XdsHttpFilterImpl::ServiceConfigJsonEntry>
 XdsHttpRbacFilter::GenerateServiceConfig(
     const FilterConfig& hcm_filter_config,
-    const FilterConfig* filter_config_override) const {
-  Json policy_json = filter_config_override != nullptr
-                         ? filter_config_override->config
-                         : hcm_filter_config.config;
-  // The policy JSON may be empty, that's allowed.
-  return ServiceConfigJsonEntry{"rbacPolicy", JsonDump(policy_json)};
+    const FilterConfig* filter_config_override,
+    absl::string_view filter_name) const {
+  const Json& policy_json = filter_config_override != nullptr
+                                ? filter_config_override->config
+                                : hcm_filter_config.config;
+  auto json_object = policy_json.object();
+  json_object.emplace("filter_name",
+                      Json::FromString(std::string(filter_name)));
+  // The policy JSON may be empty other than the filter name, that's allowed.
+  return ServiceConfigJsonEntry{"rbacPolicy",
+                                JsonDump(Json::FromObject(json_object))};
 }
 
 }  // namespace grpc_core

data/src/core/ext/xds/xds_http_rbac_filter.h

@@ -48,7 +48,8 @@ class XdsHttpRbacFilter : public XdsHttpFilterImpl {
   ChannelArgs ModifyChannelArgs(const ChannelArgs& args) const override;
   absl::StatusOr<ServiceConfigJsonEntry> GenerateServiceConfig(
       const FilterConfig& hcm_filter_config,
-      const FilterConfig* filter_config_override) const override;
+      const FilterConfig* filter_config_override,
+      absl::string_view filter_name) const override;
   bool IsSupportedOnClients() const override { return false; }
   bool IsSupportedOnServers() const override { return true; }
 };

data/src/core/ext/xds/xds_http_stateful_session_filter.cc

@@ -31,6 +31,8 @@
 #include "envoy/extensions/http/stateful_session/cookie/v3/cookie.upbdefs.h"
 #include "envoy/type/http/v3/cookie.upb.h"
 
+#include <grpc/support/json.h>
+
 #include "src/core/ext/filters/stateful_session/stateful_session_filter.h"
 #include "src/core/ext/filters/stateful_session/stateful_session_service_config_parser.h"
 #include "src/core/ext/xds/upb_utils.h"
@@ -119,20 +121,20 @@ Json::Object ValidateStatefulSession(
     ValidationErrors::ScopedField field(errors, ".name");
     errors->AddError("field not present");
   }
-  cookie_config["name"] = std::move(cookie_name);
+  cookie_config["name"] = Json::FromString(std::move(cookie_name));
   // ttl
   {
     ValidationErrors::ScopedField field(errors, ".ttl");
     const auto* duration = envoy_type_http_v3_Cookie_ttl(cookie);
     if (duration != nullptr) {
       Duration ttl = ParseDuration(duration, errors);
-      cookie_config["ttl"] = ttl.ToJsonString();
+      cookie_config["ttl"] = Json::FromString(ttl.ToJsonString());
     }
   }
   // path
   std::string path =
       UpbStringToStdString(envoy_type_http_v3_Cookie_path(cookie));
-  if (!path.empty()) cookie_config["path"] = std::move(path);
+  if (!path.empty()) cookie_config["path"] = Json::FromString(std::move(path));
   return cookie_config;
 }
 
@@ -156,9 +158,9 @@ XdsHttpStatefulSessionFilter::GenerateFilterConfig(
     errors->AddError("could not parse stateful session filter config");
     return absl::nullopt;
   }
-  return FilterConfig{
-      ConfigProtoName(),
-      ValidateStatefulSession(context, stateful_session, errors)};
+  return FilterConfig{ConfigProtoName(),
+                      Json::FromObject(ValidateStatefulSession(
+                          context, stateful_session, errors))};
 }
 
 absl::optional<XdsHttpFilterImpl::FilterConfig>
@@ -192,7 +194,8 @@ XdsHttpStatefulSessionFilter::GenerateFilterConfigOverride(
       config = ValidateStatefulSession(context, stateful_session, errors);
     }
   }
-  return FilterConfig{OverrideConfigProtoName(), Json(std::move(config))};
+  return FilterConfig{OverrideConfigProtoName(),
+                      Json::FromObject(std::move(config))};
 }
 
 const grpc_channel_filter* XdsHttpStatefulSessionFilter::channel_filter()
@@ -208,10 +211,11 @@ ChannelArgs XdsHttpStatefulSessionFilter::ModifyChannelArgs(
 absl::StatusOr<XdsHttpFilterImpl::ServiceConfigJsonEntry>
 XdsHttpStatefulSessionFilter::GenerateServiceConfig(
     const FilterConfig& hcm_filter_config,
-    const FilterConfig* filter_config_override) const {
-  Json config = filter_config_override != nullptr
-                    ? filter_config_override->config
-                    : hcm_filter_config.config;
+    const FilterConfig* filter_config_override,
+    absl::string_view /*filter_name*/) const {
+  const Json& config = filter_config_override != nullptr
+                           ? filter_config_override->config
+                           : hcm_filter_config.config;
   return ServiceConfigJsonEntry{"stateful_session", JsonDump(config)};
 }