xds: Implementation of Unified Matcher and CEL Integration

[shivaspeaks]

Implements gRFC A106: xDS Unified Matcher and CEL Integration
grpc/proposal#520

[l46kok]

Sorry about the drive-by -- I happened to notice this while putting together an unrelated PR in CEL-Java. I'll hold off on submitting it on our end.

[ejona86]

Move this to the testing code so we don't need a dependency on the Cel compiler. It looks unused for production.

[l46kok]

You should be able to compare directly against the overload enum instead of the stringified form (ex: over != AddOverload.ADD_STRING).

[asheshvidyut]

Reviewing for learning purposes.

[shivaspeaks]

Note on CEL Allowed Functions and Overload IDs
During the implementation of the reference validation in CelCommon.java, I found that the CEL library represents standard operators and some conversion functions in the AST with an empty name in CelReference.name(), relying instead on specific overloadIds (e.g., equals for ==, index_map for map lookup [], and divide_int64 for /).

To enforce the gRFC A106 allowed list while supporting these permitted operations, I updated checkAllowedReferences to also validate overloadIds when the reference name is empty. Consequently, I added the following specific overload IDs to the ALLOWED_FUNCTIONS set to match the gRFC intent:

• equals (maps to ==)
• index_map (maps to map indexing [])
• divide_int64 (maps to /)
• int64_to_int64, string_to_int64, etc. (maps to int() conversions)

[kannanjgithub]

The overload ids for standard functions will have suffixes like size_string, size_int64, etc and we should check that the overload id starts with one of these rather than use contains. Applies for timestamp and duration also.
We shouldn't limit overload IDs to specific data type (int64) as divide_int64, and instead should check for starts with divide.
I think we should use regex instead of individually checking each.
We really should have unit tests for each to make sure it is as we expect.
As we are matching by overload id equals for ==, we shouldn't have "equals" in the list.

[kannanjgithub]

We should check for all overload ids in the list.

[kannanjgithub]

No need to double catch. Just check for default value here and decide whether to return default or to throw.

[shivaspeaks]

But the gRFC explicitly suggests that

If set, and the CEL expression evaluates to an error or a non-string type, this default value will be returned instead.

So the defaultValue check needs to be in catch.

[kannanjgithub]

My comment was to avoid the double catch statement. Can we not make it a single one?

[kannanjgithub]

Can we move the "CEL foundation" classes to a separate PR so the ext-proc filter that needs Cel string extraction but not the unified matcher functionality can be unblocked sooner?

1. CelCommon.java
2. CelStringExtractor.java
3. CelMatcher.java
4. GrpcCelEnvironment.java
5. HeadersWrapper.java
6. CelStateMatcher.java

[kannanjgithub]

Actually, hold off on the above separate PR request. I might have misunderstood about the need to use CEL expression evaluator in the ext-proc filter. The grfc mentions that all CEL request attributes will be supported, not that we must evaluate them using the CEL runtime engine.

[kannanjgithub]

I have concluded that ext-proc filter indeed needs to use the CEL evaluation logic to support sending attributes. So do proceed with the suggested refactoring into a separate PR as mentioned above.

[kannanjgithub]

The CelVariableResolver is intended to resolve the root of an expression, while the engine itself handles the navigation (dots and brackets) using the objects you provide.
Remove these lines.

By manually splitting request.headers in your find method, you are doing the engine's job for it, which creates several issues:

1. Redundancy: If you manually split request.headers, but the user writes request["headers"], your SPLITTER (which looks for a dot) might not trigger the same way, leading to inconsistent results.
2. Shadowing: If you resolve request.headers as a single string name, you might accidentally "shadow" the engine's ability to treat request as a map/object.
3. Fragility: If the user writes request.headers['x-user-id'], your manual splitter might get confused by the brackets or complex paths.

[kannanjgithub]

equals, not equals, logical and/or/not never have suffixes. We should therefore do exact matching for these. Have another set

private static final ImmutableSet<String> ALLOWED_EXACT_OVERLOAD_IDS = ImmutableSet.of(
          "equals", "not_equals", "logical_and", "logical_or", "logical_not");

and do

if (ALLOWED_EXACT_OVERLOAD_IDS.contains(id)
                || ALLOWED_OVERLOAD_ID_PREFIX_PATTERN.matcher(id).matches()) {
              allowed = true;

[kannanjgithub]

Change the logic to reject any non-empty name when overloadIds is present. Because if a reference has a name, it's not a standard operator or a variable (handled by the first if), so it must be something we don't support, such as custom functions.

[shivaspeaks]

Oh, so standard allowed functions never have a name in the AST, so we should remove ALLOWED_FUNCTIONS, which is now an obsolete list here?

[kannanjgithub]

Add negate to this list and unit test for it

 @Test
 public void checkAllowedReferences_negation() throws Exception {
     assertAllowed("-(1) == -1");
     assertAllowed("-(1.0) == -1.0");
  }

[kannanjgithub]

Can we move the "CEL foundation" classes to a separate PR so the ext-proc filter that needs Cel string extraction but not the unified matcher functionality can be unblocked sooner?

1. CelCommon.java
2. CelStringExtractor.java
3. CelMatcher.java
4. GrpcCelEnvironment.java
5. HeadersWrapper.java
6. CelStateMatcher.java

We can remove CelMatcher and CelStateMatcher from this list (for the separate PR, since ext-proc doesn't need the matching functionality) with the following changes to unit tests:

• CelMatcherTestHelper.java: Delete the compile(String expression) method that returns a CelMatcher.
• CelEnvironmentTest.java: Delete the test cases that use CelMatcher.

Move these unit tests with the separate PR.

CelCommonTest.java
CelEnvironmentTest.java
CelStringExtractorTest.java

[kannanjgithub]

A106 said only request variable will be supported but for use by ext-proc A93, we need response supported as well.

[AgraVator]

I noticed that GrpcCelEnvironment.java and MatchContext.java currently only provide support for request variables (headers, method, path, etc.). However, gRFC A103 (Composite Filter) explicitly mentions the need for source and connection variables (e.g., source.address, source.port, connection.tls_version) for server-side matching.

Is there a plan to extend MatchContext and the variable resolver in this PR to include these transport attributes, or should this be tracked as a follow-up task?

[shivaspeaks]

I believe these needs to be added as part of Composite filter implementation itself. This gives you the framework for it. It's mentioned in gRFC 103:

In addition to the CEL request attributes described in A106, we will also add support for some additional CEL attributes that we expect to be useful for the composite filter.

[AgraVator]

To support future attributes beyond just headers (like the aforementioned transport info or cluster metadata), we might want to consider a more pluggable way to populate MatchContext.

Currently, it has a fixed set of fields. A map-based approach or a registry of attribute providers might make it easier to add new attributes without changing the core MatchContext class every time

[AgraVator]

can we revert the whitespace changes in this file ?