[http]: Fine grained path normalization controls implementation

include/envoy/http/header_map.h

@@ -19,8 +19,15 @@
 #include "absl/strings/string_view.h"
 
 namespace Envoy {
-namespace Http {
+namespace Extensions {
+namespace NetworkFilters {
+namespace HttpConnectionManager {
 
+class HttpConnectionManagerConfig;
+}
+} // namespace NetworkFilters
+} // namespace Extensions
+namespace Http {
 // Used by ASSERTs to validate internal consistency. E.g. valid HTTP header keys/values should
 // never contain embedded NULLs.
 static inline bool validHeaderString(absl::string_view s) {
@@ -807,6 +814,14 @@ class RequestHeaderMap
 public:
   INLINE_REQ_STRING_HEADERS(DEFINE_INLINE_STRING_HEADER)
   INLINE_REQ_NUMERIC_HEADERS(DEFINE_INLINE_NUMERIC_HEADER)
+  virtual absl::string_view getForwardingPath() PURE;
+  virtual absl::string_view getFilterPath() PURE;
+
+private:
+  friend class Envoy::Extensions::NetworkFilters::HttpConnectionManager::
+      HttpConnectionManagerConfig;
+  virtual void setForwardingPath(absl::string_view path) PURE;
+  virtual void setFilterPath(absl::string_view path) PURE;
 };
 using RequestHeaderMapPtr = std::unique_ptr<RequestHeaderMap>;
 using RequestHeaderMapOptRef = OptRef<RequestHeaderMap>;

source/common/http/BUILD

@@ -443,8 +443,10 @@ envoy_cc_library(
         ":legacy_path_canonicalizer",
         "//include/envoy/http:header_map_interface",
         "//source/common/common:logger_lib",
+        "//source/common/protobuf:utility_lib",
         "//source/common/runtime:runtime_features_lib",
         "@com_googlesource_googleurl//url:envoy_url",
+        "@envoy_api//envoy/type/http/v3:pkg_cc_proto",
     ],
 )
 

source/common/http/conn_manager_config.h

@@ -466,6 +466,8 @@ class ConnectionManagerConfig {
    * @return LocalReply configuration which supplies mapping for local reply generated by Envoy.
    */
   virtual const LocalReply::LocalReply& localReply() const PURE;
+
+  virtual void normalizePath(Http::RequestHeaderMap&) const PURE;
 };
 } // namespace Http
 } // namespace Envoy

source/common/http/conn_manager_utility.cc

@@ -439,6 +439,10 @@ bool ConnectionManagerUtility::maybeNormalizePath(RequestHeaderMap& request_head
     return true; // It's as valid as it is going to get.
   }
   bool is_valid_path = true;
+  config.normalizePath(request_headers);
+  if (!config.shouldNormalizePath() && !config.shouldMergeSlashes()) {
+    return true;
+  }
   if (config.shouldNormalizePath()) {
     is_valid_path = PathUtil::canonicalPath(request_headers);
   }

source/common/http/header_map_impl.h

@@ -461,6 +461,8 @@ class RequestHeaderMapImpl final : public TypedHeaderMapImpl<RequestHeaderMap>,
   INLINE_REQ_NUMERIC_HEADERS(DEFINE_INLINE_HEADER_NUMERIC_FUNCS)
   INLINE_REQ_RESP_STRING_HEADERS(DEFINE_INLINE_HEADER_STRING_FUNCS)
   INLINE_REQ_RESP_NUMERIC_HEADERS(DEFINE_INLINE_HEADER_NUMERIC_FUNCS)
+  absl::string_view getForwardingPath() override { return forwarding_path_; }
+  absl::string_view getFilterPath() override { return filter_path_; }
 
 protected:
   // NOTE: Because inline_headers_ is a variable size member, it must be the last member in the
@@ -478,9 +480,11 @@ class RequestHeaderMapImpl final : public TypedHeaderMapImpl<RequestHeaderMap>,
     INLINE_REQ_RESP_STRING_HEADERS(DEFINE_HEADER_HANDLE)
     INLINE_REQ_RESP_NUMERIC_HEADERS(DEFINE_HEADER_HANDLE)
   };
-
+  void setForwardingPath(absl::string_view path) override { forwarding_path_ = path; }
+  void setFilterPath(absl::string_view path) override { filter_path_ = path; }
+  std::string forwarding_path_;
+  std::string filter_path_;
   using HeaderHandles = ConstSingleton<HeaderHandleValues>;
-
   RequestHeaderMapImpl() { clearInline(); }
 
   HeaderEntryImpl* inline_headers_[];

source/common/http/path_utility.cc

@@ -1,5 +1,7 @@
 #include "common/http/path_utility.h"
 
+#include "envoy/common/exception.h"
+
 #include "common/common/logger.h"
 #include "common/http/legacy_path_canonicalizer.h"
 #include "common/runtime/runtime_features.h"
@@ -35,16 +37,56 @@ absl::optional<std::string> canonicalizePath(absl::string_view original_path) {
 bool PathUtil::canonicalPath(RequestHeaderMap& headers) {
   ASSERT(headers.Path());
   const auto original_path = headers.getPathValue();
-  // canonicalPath is supposed to apply on path component in URL instead of :path header
+  const absl::optional<std::string> normalized_path = PathTransformer::rfcNormalize(original_path);
+  if (!normalized_path.has_value()) {
+    return false;
+  }
+  headers.setPath(normalized_path.value());
+  return true;
+}
+
+void PathUtil::mergeSlashes(RequestHeaderMap& headers) {
+  ASSERT(headers.Path());
+  const auto original_path = headers.getPathValue();
+  const absl::optional<std::string> normalized =
+      PathTransformer::mergeSlashes(original_path).value();
+  if (normalized.has_value()) {
+    headers.setPath(normalized.value());
+  }
+}
+
+absl::string_view PathUtil::removeQueryAndFragment(const absl::string_view path) {
+  absl::string_view ret = path;
+  // Trim query parameters and/or fragment if present.
+  size_t offset = ret.find_first_of("?#");
+  if (offset != absl::string_view::npos) {
+    ret.remove_suffix(ret.length() - offset);
+  }
+  return ret;
+}
+
+absl::optional<std::string> PathTransformer::mergeSlashes(absl::string_view original_path) {
+  const absl::string_view::size_type query_start = original_path.find('?');
+  const absl::string_view path = original_path.substr(0, query_start);
+  const absl::string_view query = absl::ClippedSubstr(original_path, query_start);
+  if (path.find("//") == absl::string_view::npos) {
+    return std::string(original_path);
+  }
+  const absl::string_view path_prefix = absl::StartsWith(path, "/") ? "/" : absl::string_view();
+  const absl::string_view path_suffix = absl::EndsWith(path, "/") ? "/" : absl::string_view();
+  return absl::StrCat(path_prefix, absl::StrJoin(absl::StrSplit(path, '/', absl::SkipEmpty()), "/"),
+                      path_suffix, query);
+}
+
+absl::optional<std::string> PathTransformer::rfcNormalize(absl::string_view original_path) {
   const auto query_pos = original_path.find('?');
   auto normalized_path_opt = canonicalizePath(
       query_pos == original_path.npos
           ? original_path
           : absl::string_view(original_path.data(), query_pos) // '?' is not included
   );
-
   if (!normalized_path_opt.has_value()) {
-    return false;
+    return {};
   }
   auto& normalized_path = normalized_path_opt.value();
   const absl::string_view query_suffix =
@@ -54,35 +96,41 @@ bool PathUtil::canonicalPath(RequestHeaderMap& headers) {
   if (!query_suffix.empty()) {
     normalized_path.insert(normalized_path.end(), query_suffix.begin(), query_suffix.end());
   }
-  headers.setPath(normalized_path);
-  return true;
+  return normalized_path;
 }
 
-void PathUtil::mergeSlashes(RequestHeaderMap& headers) {
-  ASSERT(headers.Path());
-  const auto original_path = headers.getPathValue();
-  // Only operate on path component in URL.
-  const absl::string_view::size_type query_start = original_path.find('?');
-  const absl::string_view path = original_path.substr(0, query_start);
-  const absl::string_view query = absl::ClippedSubstr(original_path, query_start);
-  if (path.find("//") == absl::string_view::npos) {
-    return;
+PathTransformer::PathTransformer(
+    envoy::type::http::v3::PathTransformation const& path_transformation) {
+  const auto& operations = path_transformation.operations();
+  std::vector<uint64_t> operation_hashes;
+  for (auto const& operation : operations) {
+    uint64_t operation_hash = MessageUtil::hash(operation);
+    if (find(operation_hashes.begin(), operation_hashes.end(), operation_hash) !=
+        operation_hashes.end()) {
+      // Currently we only have RFC normalization and merge slashes, don't expect duplicates for
+      // these transformations.
+      throw EnvoyException("Duplicate path transformation");
+    }
+    if (operation.has_normalize_path_rfc_3986()) {
+      transformations_.emplace_back(PathTransformer::rfcNormalize);
+    } else if (operation.has_merge_slashes()) {
+      transformations_.emplace_back(PathTransformer::mergeSlashes);
+    }
+    operation_hashes.push_back(operation_hash);
   }
-  const absl::string_view path_prefix = absl::StartsWith(path, "/") ? "/" : absl::string_view();
-  const absl::string_view path_suffix = absl::EndsWith(path, "/") ? "/" : absl::string_view();
-  headers.setPath(absl::StrCat(path_prefix,
-                               absl::StrJoin(absl::StrSplit(path, '/', absl::SkipEmpty()), "/"),
-                               path_suffix, query));
 }
 
-absl::string_view PathUtil::removeQueryAndFragment(const absl::string_view path) {
-  absl::string_view ret = path;
-  // Trim query parameters and/or fragment if present.
-  size_t offset = ret.find_first_of("?#");
-  if (offset != absl::string_view::npos) {
-    ret.remove_suffix(ret.length() - offset);
+absl::optional<std::string> PathTransformer::transform(absl::string_view original) const {
+  absl::optional<std::string> path_string = std::string(original);
+  absl::string_view path_string_view = original;
+  for (Transformation const& transformation : transformations_) {
+    path_string = transformation(path_string_view);
+    if (!path_string.has_value()) {
+      return {};
+    }
+    path_string_view = path_string.value();
   }
-  return ret;
+  return path_string;
 }
 
 } // namespace Http

source/common/http/path_utility.h

@@ -1,6 +1,12 @@
 #pragma once
 
+#include <list>
+
 #include "envoy/http/header_map.h"
+#include "envoy/type/http/v3/path_transformation.pb.h"
+
+#include "common/protobuf/protobuf.h"
+#include "common/protobuf/utility.h"
 
 #include "absl/strings/string_view.h"
 
@@ -24,5 +30,24 @@ class PathUtil {
   static absl::string_view removeQueryAndFragment(const absl::string_view path);
 };
 
+class PathTransformer {
+public:
+  PathTransformer(envoy::type::http::v3::PathTransformation const& path_transformation);
+
+  // Take a string_view as argument and return an optional string.
+  // The optional will be null if the transformation fail.
+  absl::optional<std::string> transform(const absl::string_view original_path) const;
+
+  static absl::optional<std::string> mergeSlashes(absl::string_view original_path);
+
+  static absl::optional<std::string> rfcNormalize(absl::string_view original_path);
+
+private:
+  using Transformation = std::function<absl::optional<std::string>(absl::string_view)>;
+  // A sequence of transformations specified by path_transformation.operations()
+  // Transformations will be applied to a path string in order in transform().
+  std::list<Transformation> transformations_;
+};
+
 } // namespace Http
 } // namespace Envoy

source/common/router/config_impl.cc

@@ -567,6 +567,11 @@ void RouteEntryImplBase::finalizeRequestHeaders(Http::RequestHeaderMap& headers,
     request_headers_parser_->evaluateHeaders(headers, stream_info);
   }
 
+  // Restore the forwarding path if none of the filter mutate the path.
+  if (headers.Path() && headers.getFilterPath() == headers.getPathValue()) {
+    headers.setPath(std::string(headers.getForwardingPath()));
+  }
+
   if (!host_rewrite_.empty()) {
     headers.setHost(host_rewrite_);
   } else if (auto_host_rewrite_header_) {

source/extensions/filters/network/http_connection_manager/BUILD

@@ -38,6 +38,7 @@ envoy_cc_extension(
         "//source/common/filter/http:filter_config_discovery_lib",
         "//source/common/http:conn_manager_lib",
         "//source/common/http:default_server_string_lib",
+        "//source/common/http:path_utility_lib",
         "//source/common/http:request_id_extension_lib",
         "//source/common/http:utility_lib",
         "//source/common/http/http1:codec_lib",

source/extensions/filters/network/http_connection_manager/config.cc

@@ -27,6 +27,7 @@
 #include "common/http/http2/codec_impl.h"
 #include "common/http/http3/quic_codec_factory.h"
 #include "common/http/http3/well_known_names.h"
+#include "common/http/path_utility.h"
 #include "common/http/request_id_extension_impl.h"
 #include "common/http/utility.h"
 #include "common/local_reply/local_reply.h"
@@ -266,6 +267,16 @@ HttpConnectionManagerConfig::HttpConnectionManagerConfig(
     idle_timeout_ = absl::nullopt;
   }
 
+  // If the path normalization options has been set.
+  if (config.has_path_normalization_options()) {
+    normalize_path_ = false;
+    merge_slashes_ = false;
+    forwarding_path_transformer_ = std::make_unique<Http::PathTransformer>(
+        config.path_normalization_options().forwarding_transformation());
+    filter_path_transformer_ = std::make_unique<Http::PathTransformer>(
+        config.path_normalization_options().http_filter_transformation());
+  }
+
   if (config.strip_any_host_port() && config.strip_matching_host_port()) {
     throw EnvoyException(fmt::format(
         "Error: Only one of `strip_matching_host_port` or `strip_any_host_port` can be set."));

source/extensions/filters/network/http_connection_manager/config.h

@@ -23,6 +23,7 @@
 #include "common/http/date_provider_impl.h"
 #include "common/http/http1/codec_stats.h"
 #include "common/http/http2/codec_stats.h"
+#include "common/http/path_utility.h"
 #include "common/json/json_loader.h"
 #include "common/local_reply/local_reply.h"
 #include "common/router/rds_impl.h"
@@ -179,6 +180,23 @@ class HttpConnectionManagerConfig : Logger::Loggable<Logger::Id::config>,
   }
   std::chrono::milliseconds delayedCloseTimeout() const override { return delayed_close_timeout_; }
   const LocalReply::LocalReply& localReply() const override { return *local_reply_; }
+  void normalizePath(Http::RequestHeaderMap& request_headers) const override {
+    if (forwarding_path_transformer_ == nullptr) {
+      return;
+    }
+    const auto original_path = request_headers.getPathValue();
+    absl::optional<std::string> forwarding_path =
+        forwarding_path_transformer_->transform(original_path);
+    absl::optional<std::string> filter_path;
+    if (forwarding_path.has_value()) {
+      request_headers.setForwardingPath(forwarding_path.value());
+      filter_path = filter_path_transformer_->transform(forwarding_path.value());
+    }
+    if (filter_path.has_value()) {
+      request_headers.setPath(filter_path.value());
+      request_headers.setFilterPath(filter_path.value());
+    }
+  }
 
 private:
   enum class CodecType { HTTP1, HTTP2, HTTP3, AUTO };
@@ -251,8 +269,8 @@ class HttpConnectionManagerConfig : Logger::Loggable<Logger::Id::config>,
   const bool proxy_100_continue_;
   const bool stream_error_on_invalid_http_messaging_;
   std::chrono::milliseconds delayed_close_timeout_;
-  const bool normalize_path_;
-  const bool merge_slashes_;
+  bool normalize_path_;
+  bool merge_slashes_;
   Http::StripPortType strip_port_type_;
   const envoy::config::core::v3::HttpProtocolOptions::HeadersWithUnderscoresAction
       headers_with_underscores_action_;
@@ -264,6 +282,8 @@ class HttpConnectionManagerConfig : Logger::Loggable<Logger::Id::config>,
   static const uint64_t RequestTimeoutMs = 0;
   // request header timeout is disabled by default
   static const uint64_t RequestHeaderTimeoutMs = 0;
+  std::unique_ptr<Http::PathTransformer> forwarding_path_transformer_;
+  std::unique_ptr<Http::PathTransformer> filter_path_transformer_;
 };
 
 /**

source/server/admin/admin.h

@@ -194,6 +194,7 @@ class AdminImpl : public Admin,
       return runCallback(path_and_query, response_headers, response, filter);
     };
   }
+  void normalizePath(Http::RequestHeaderMap&) const override {}
 
 private:
   /**

test/common/http/conn_manager_impl_fuzz_test.cc

@@ -198,6 +198,7 @@ class FuzzConfig : public ConnectionManagerConfig {
   const Http::Http1Settings& http1Settings() const override { return http1_settings_; }
   bool shouldNormalizePath() const override { return false; }
   bool shouldMergeSlashes() const override { return false; }
+  void normalizePath(Http::RequestHeaderMap&) const override {}
   Http::StripPortType stripPortType() const override { return Http::StripPortType::None; }
   envoy::config::core::v3::HttpProtocolOptions::HeadersWithUnderscoresAction
   headersWithUnderscoresAction() const override {

test/common/http/conn_manager_impl_test_base.h

@@ -133,6 +133,7 @@ class HttpConnectionManagerImplTest : public testing::Test, public ConnectionMan
   const Http::Http1Settings& http1Settings() const override { return http1_settings_; }
   bool shouldNormalizePath() const override { return normalize_path_; }
   bool shouldMergeSlashes() const override { return merge_slashes_; }
+  void normalizePath(Http::RequestHeaderMap&) const override {}
   Http::StripPortType stripPortType() const override { return strip_port_type_; }
   const RequestIDExtensionSharedPtr& requestIDExtension() override { return request_id_extension_; }
   envoy::config::core::v3::HttpProtocolOptions::HeadersWithUnderscoresAction