CEL variable resolver

Author: sergiitk

xds/src/main/java/io/grpc/xds/internal/MetadataHelper.java

@@ -60,4 +60,8 @@ public static String deserializeHeader(Metadata metadata, String headerName) {
     Iterable<String> values = metadata.getAll(key);
     return values == null ? null : String.join(",", values);
   }
+
+  public static boolean containsHeader(Metadata metadata, String headerName) {
+    return metadata.containsKey(Metadata.Key.of(headerName, Metadata.ASCII_STRING_MARSHALLER));
+  }
 }

xds/src/main/java/io/grpc/xds/internal/matchers/CelMatcher.java

@@ -76,10 +76,6 @@ public String description() {
 
   @Override
   public boolean test(HttpMatchInput httpMatchInput) {
-    // if (httpMatchInput.headers().keys().isEmpty()) {
-    //   return false;
-    // }
-    // TODO(sergiitk): [IMPL] convert headers to cel args
-    return program.eval(httpMatchInput.serverCall(), httpMatchInput.headers());
+    return program.eval(httpMatchInput);
   }
 }

xds/src/main/java/io/grpc/xds/internal/matchers/GrpcCelEnvironment.java

@@ -16,24 +16,31 @@
 
 package io.grpc.xds.internal.matchers;
 
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableMap;
+import com.google.common.base.Splitter;
 import dev.cel.common.CelAbstractSyntaxTree;
+import dev.cel.common.CelErrorCode;
 import dev.cel.common.CelOptions;
+import dev.cel.common.CelRuntimeException;
 import dev.cel.common.types.SimpleType;
 import dev.cel.runtime.CelEvaluationException;
 import dev.cel.runtime.CelRuntime;
 import dev.cel.runtime.CelRuntimeFactory;
-import io.grpc.Metadata;
-import io.grpc.ServerCall;
+import dev.cel.runtime.CelVariableResolver;
 import io.grpc.Status;
-import io.grpc.xds.internal.MetadataHelper;
+import java.util.List;
+import java.util.Optional;
+import javax.annotation.Nullable;
 
 /** Unified Matcher API: xds.type.matcher.v3.CelMatcher. */
 public class GrpcCelEnvironment  {
+  private static final CelOptions CEL_OPTIONS = CelOptions
+      .current()
+      .comprehensionMaxIterations(0)
+      .resolveTypeDependencies(false)
+      .build();
   private static final CelRuntime CEL_RUNTIME = CelRuntimeFactory
       .standardCelRuntimeBuilder()
-      .setOptions(CelOptions.current().comprehensionMaxIterations(0).build())
+      .setOptions(CEL_OPTIONS)
       .build();
 
   private final CelRuntime.Program program;
@@ -45,17 +52,61 @@ public class GrpcCelEnvironment  {
     this.program = CEL_RUNTIME.createProgram(ast);
   }
 
-  public boolean eval(ServerCall<?, ?> serverCall, Metadata metadata) {
-    ImmutableMap.Builder<String, Object> requestBuilder = ImmutableMap.<String, Object>builder()
-        .put("method", "POST")
-        .put("host", Strings.nullToEmpty(serverCall.getAuthority()))
-        .put("path", "/" + serverCall.getMethodDescriptor().getFullMethodName())
-        .put("headers", MetadataHelper.metadataToHeaders(metadata));
-    // TODO(sergiitk): handle other pseudo-headers
+  public boolean eval(HttpMatchInput httpMatchInput) {
     try {
-      return (boolean) program.eval(ImmutableMap.of("request", requestBuilder.build()));
-    } catch (CelEvaluationException e) {
+      GrpcCelVariableResolver requestResolver = new GrpcCelVariableResolver(httpMatchInput);
+      return (boolean) program.eval(requestResolver);
+    } catch (CelEvaluationException | ClassCastException e) {
       throw Status.fromThrowable(e).asRuntimeException();
     }
   }
+
+  static class GrpcCelVariableResolver implements CelVariableResolver {
+    private static final Splitter SPLITTER = Splitter.on('.').limit(2);
+    private final HttpMatchInput httpMatchInput;
+
+    GrpcCelVariableResolver(HttpMatchInput httpMatchInput) {
+      this.httpMatchInput = httpMatchInput;
+    }
+
+    @Override
+    public Optional<Object> find(String name) {
+      List<String> components = SPLITTER.splitToList(name);
+      if (components.size() < 2 || !components.get(0).equals("request")) {
+        return Optional.empty();
+      }
+      return Optional.ofNullable(getRequestField(components.get(1)));
+    }
+
+    @Nullable
+    private Object getRequestField(String requestField) {
+      switch (requestField) {
+        case "headers":
+          return httpMatchInput.getHeadersWrapper();
+        case "host":
+          return httpMatchInput.getHost();
+        case "id":
+          return httpMatchInput.getHeadersWrapper().get("x-request-id");
+        case "method":
+          return httpMatchInput.getMethod();
+        case "path":
+        case "url_path":
+          return httpMatchInput.getPath();
+        case "query":
+          return "";
+        case "referer":
+          return httpMatchInput.getHeadersWrapper().get("referer");
+        case "useragent":
+          return httpMatchInput.getHeadersWrapper().get("user-agent");
+        default:
+          // Throwing instead of Optional.empty() prevents evaluation non-boolean result type
+          // when comparing unknown fields, f.e. `request.protocol == 'HTTP'` will silently
+          // fail because `null == "HTTP" is not a valid CEL operation.
+          throw new CelRuntimeException(
+              // Similar to dev.cel.runtime.DescriptorMessageProvider#selectField
+              new IllegalArgumentException("request." + requestField),
+              CelErrorCode.ATTRIBUTE_NOT_FOUND);
+      }
+    }
+  }
 }

xds/src/main/java/io/grpc/xds/internal/matchers/HeadersWrapper.java

@@ -0,0 +1,160 @@
+/*
+ * Copyright 2024 The gRPC Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.grpc.xds.internal.matchers;
+
+import com.google.common.base.Objects;
+import com.google.common.collect.ImmutableSet;
+import com.google.errorprone.annotations.DoNotCall;
+import io.grpc.xds.internal.MetadataHelper;
+import java.util.AbstractMap;
+import java.util.Collection;
+import java.util.Set;
+import java.util.function.BiFunction;
+import java.util.function.Function;
+import javax.annotation.Nullable;
+
+public final class HeadersWrapper extends AbstractMap<String, String> {
+  private static final ImmutableSet<String> PSEUDO_HEADERS =
+      ImmutableSet.of(":method", ":authority", ":path");
+  private final HttpMatchInput httpMatchInput;
+
+  HeadersWrapper(HttpMatchInput httpMatchInput) {
+    this.httpMatchInput = httpMatchInput;
+  }
+
+  @Override
+  @Nullable
+  public String get(Object key) {
+    String headerName = (String) key;
+    // Pseudo-headers.
+    switch (headerName) {
+      case ":method":
+        return httpMatchInput.getMethod();
+      case ":authority":
+        return httpMatchInput.getHost();
+      case ":path":
+        return httpMatchInput.getPath();
+      default:
+        return MetadataHelper.deserializeHeader(httpMatchInput.metadata(), headerName);
+    }
+  }
+
+  @Override
+  public String getOrDefault(Object key, String defaultValue) {
+    String value = get(key);
+    return value != null ? value : defaultValue;
+  }
+
+  @Override
+  public boolean containsKey(Object key) {
+    String headerName = (String) key;
+    if (PSEUDO_HEADERS.contains(headerName)) {
+      return true;
+    }
+    return MetadataHelper.containsHeader(httpMatchInput.metadata(), headerName);
+  }
+
+  @Override
+  public Set<String> keySet() {
+    return ImmutableSet.<String>builder()
+        .addAll(httpMatchInput.metadata().keys())
+        .addAll(PSEUDO_HEADERS).build();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public Set<Entry<String, String>> entrySet() {
+    throw new UnsupportedOperationException(
+        "Should not be called to prevent resolving header values.");
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public Collection<String> values() {
+    throw new UnsupportedOperationException(
+        "Should not be called to prevent resolving header values.");
+  }
+
+  @Override
+  public String toString() {
+    // Prevent iterating to avoid resolving all values on "key not found".
+    return getClass().getName() + "@" + Integer.toHexString(hashCode());
+  }
+
+  @Override public int hashCode() {
+    return Objects.hashCode(httpMatchInput.serverCall(), httpMatchInput.metadata());
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public void replaceAll(BiFunction<? super String, ? super String, ? extends String> function) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public String putIfAbsent(String key, String value) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public boolean remove(Object key, Object value) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public boolean replace(String key, String oldValue, String newValue) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public String replace(String key, String value) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public String computeIfAbsent(
+      String key, Function<? super String, ? extends String> mappingFunction) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public String computeIfPresent(
+      String key, BiFunction<? super String, ? super String, ? extends String> remappingFunction) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public String compute(
+      String key, BiFunction<? super String, ? super String, ? extends String> remappingFunction) {
+    throw new UnsupportedOperationException();
+  }
+
+  @Override
+  @DoNotCall("Always throws UnsupportedOperationException")
+  public String merge(
+      String key, String value,
+      BiFunction<? super String, ? super String, ? extends String> remappingFunction) {
+    throw new UnsupportedOperationException();
+  }
+}

xds/src/main/java/io/grpc/xds/internal/matchers/HttpMatchInput.java

@@ -18,17 +18,44 @@
 package io.grpc.xds.internal.matchers;
 
 import com.google.auto.value.AutoValue;
+import com.google.auto.value.extension.memoized.Memoized;
+import com.google.common.base.Strings;
 import io.grpc.Metadata;
 import io.grpc.ServerCall;
+import io.grpc.xds.internal.MetadataHelper;
+import java.util.Map;
+import javax.annotation.Nullable;
 
 @AutoValue
 public abstract class HttpMatchInput {
-  public abstract Metadata headers();
+  public abstract Metadata metadata();
 
   // TODO(sergiitk): [IMPL] consider
   public abstract ServerCall<?, ?> serverCall();
 
-  public static HttpMatchInput create(Metadata headers, ServerCall<?, ?> serverCall) {
-    return new AutoValue_HttpMatchInput(headers, serverCall);
+  public static HttpMatchInput create(Metadata metadata, ServerCall<?, ?> serverCall) {
+    return new AutoValue_HttpMatchInput(metadata, serverCall);
+  }
+
+  public String getMethod() {
+    return "POST";
+  }
+
+  public String getHost() {
+    return Strings.nullToEmpty(serverCall().getAuthority());
+  }
+
+  public String getPath() {
+    return "/" + serverCall().getMethodDescriptor().getFullMethodName();
+  }
+
+  @Nullable
+  public String getHeader(String headerName) {
+    return MetadataHelper.deserializeHeader(metadata(), headerName);
+  }
+
+  @Memoized
+  public Map<String, String> getHeadersWrapper() {
+    return new HeadersWrapper(this);
   }
 }