Introduce host simplification rules

Today, Envoy only supports a single wildcard ("*") in virtual host
domain entries, which must be either a prefix or suffix. This
limitation greatly simplifies the virtual host matching logic, but it
is also inherently limiting.

This change introduces a repeated list of "host simplification rules"
at the RouteConfiguration level, that provide a way to substitute away
other dynamic portions of the domain without changing what is sent
upstream.

For example, to match something like
`*.foo.*.example.org` you might write a simplification rule like:
`([^.]+[.]foo[.])([^.]+)([.]example[.]org)` with a substitution of
`\1bar\3`. This then allows a virtual host domain entry of
`*.foo.bar.example.org` to match
`baz.foo.bar.example.org` or `wowza.foo.qux.example.org`.

Host simplification rules are processed in the order they are defined.

Signed-off-by: Ryan Anderson <[email protected]>

Author: pugmajere

api/envoy/config/route/v3/route.proto

@@ -5,6 +5,7 @@ package envoy.config.route.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/route/v3/route_components.proto";
+import "envoy/type/matcher/v3/regex.proto";
 
 import "google/protobuf/any.proto";
 import "google/protobuf/wrappers.proto";
@@ -155,6 +156,14 @@ message RouteConfiguration {
   // For instance, if the metadata is intended for the Router filter,
   // the filter name should be specified as ``envoy.filters.http.router``.
   core.v3.Metadata metadata = 17;
+
+  // The host simplification rules are a set of regex substitutions
+  // that can modify the :authority used when matching
+  // VirtualHosts. It will not change what is sent upstream. This can
+  // be used to implement multiple-wildcard matching, by converting
+  // all but one of the wildcards into a static string.
+  // This is similar to ignore_port_in_host_matching (above), but more flexible.
+  repeated type.matcher.v3.RegexMatchAndSubstitute host_simplification_rules = 18;
 }
 
 message Vhds {

changelogs/current.yaml

@@ -359,5 +359,10 @@ new_features:
     Added a new metric ``db_build_epoch`` to track the build timestamp of the MaxMind geolocation database files.
     This can be used to monitor the freshness of the databases currently in use by the filter.
     See `MaxMind DB build_epoch <https://maxmind.github.io/MaxMind-DB/#build_epoch>`_ for more details.
+- area: http
+  change: |
+    Added support for :ref:`host_simplification_rules <envoy_v3_api_field_config.route.v3.RouteConfiguration.host_simplification_rules>` to allow for
+    regular expression substitutions to "simplify" a host before doing
+    virtual host matching.
 
 deprecated:

source/common/router/config_impl.cc

@@ -1929,6 +1929,17 @@ RouteMatcher::RouteMatcher(const envoy::config::route::v3::RouteConfiguration& r
       }
     }
   }
+  for (const auto& simplification_rule : route_config.host_simplification_rules()) {
+    auto result =
+        Regex::Utility::parseRegex(simplification_rule.pattern(), factory_context.regexEngine());
+
+    SET_AND_RETURN_IF_NOT_OK(result.status(), creation_status);
+
+    std::unique_ptr<SimplificationRule> rule = std::make_unique<SimplificationRule>(
+        std::move(*result), simplification_rule.substitution());
+
+    host_simplification_rules_.push_back(std::move(rule));
+  }
 }
 
 const VirtualHostImpl* RouteMatcher::findVirtualHost(const Http::RequestHeaderMap& headers) const {
@@ -1952,6 +1963,16 @@ const VirtualHostImpl* RouteMatcher::findVirtualHost(const Http::RequestHeaderMa
       host_header_value = host_header_value.substr(0, port_start);
     }
   }
+
+  // If any host simplification rules exist, process them in order to
+  // rewrite the host header used when looking up virtual hosts. (This
+  // is notionally similar to the handling of
+  // `ignore_port_in_host_matching`, but more flexible.)
+  for (const auto& simplifier : host_simplification_rules_) {
+    host_header_value =
+        simplifier->matcher->replaceAll(host_header_value, simplifier->substitution);
+  }
+
   // TODO (@rshriram) Match Origin header in WebSocket
   // request with VHost, using wildcard match
   // Lower-case the value of the host header, as hostnames are case insensitive.

source/common/router/config_impl.h

@@ -9,6 +9,7 @@
 #include <string>
 #include <vector>
 
+#include "envoy/config/common/matcher/v3/matcher.pb.h"
 #include "envoy/config/core/v3/base.pb.h"
 #include "envoy/config/route/v3/route.pb.h"
 #include "envoy/config/route/v3/route_components.pb.h"
@@ -1255,6 +1256,12 @@ class RouteListMatchActionFactory : public Matcher::ActionFactory<RouteActionCon
 
 DECLARE_FACTORY(RouteListMatchActionFactory);
 
+// Helper structure to keep the matcher and substitution together.
+struct SimplificationRule {
+  const Regex::CompiledMatcherPtr matcher;
+  const std::string substitution;
+};
+
 /**
  * Wraps the route configuration which matches an incoming request headers to a backend cluster.
  * This is split out mainly to help with unit testing.
@@ -1303,6 +1310,8 @@ class RouteMatcher {
 
   VirtualHostImplSharedPtr default_virtual_host_;
   const bool ignore_port_in_host_matching_{false};
+
+  std::vector<std::unique_ptr<SimplificationRule>> host_simplification_rules_;
 };
 
 /**

test/common/router/config_impl_test.cc

@@ -2495,6 +2495,62 @@ TEST_F(RouteMatcherTest, IgnorePortInHostMatching) {
   }
 }
 
+// Tests that host_simplification_rules mutate/simplify the host used
+// for picking the virtualhost when matching
+TEST_F(RouteMatcherTest, HostSimplificationRules) {
+  const std::string yaml = R"EOF(
+host_simplification_rules:
+- pattern:
+    regex: "^(foo[.])([^.]+)([.]example[.]org)$"
+  substitution: \1bar\3
+virtual_hosts:
+- name: local_service
+  domains: ["foo.bar.example.org"]
+  routes:
+  - match:
+      prefix: ""
+    name: "business-specific-route"
+    route:
+      cluster: local_service_grpc
+- name: catchall_host
+  domains:
+  - "*"
+  routes:
+  - match:
+      prefix: ""
+    name: "default-route"
+    route:
+      cluster: default_catch_all_service
+  )EOF";
+  auto route_configuration = parseRouteConfigurationFromYaml(yaml);
+
+  factory_context_.cluster_manager_.initializeClusters(
+      {"local_service_grpc", "default_catch_all_service"}, {});
+  {
+    TestConfigImpl config(route_configuration, factory_context_, true, creation_status_);
+    // First, the trivial, no substitution needed, but should happen anyway:
+    EXPECT_EQ(config.route(genHeaders("foo.bar.example.org", "/foo", "GET"), 0)->routeName(),
+              "business-specific-route");
+    // Matches, but requires the substitution to happen:
+    EXPECT_EQ(config.route(genHeaders("foo.baz.example.org", "/foo", "GET"), 0)->routeName(),
+              "business-specific-route");
+    // Matches, require substitution, longer replaceable section
+    EXPECT_EQ(
+        config.route(genHeaders("foo.barbazquxfoobang.example.org", "/foo", "GET"), 0)->routeName(),
+        "business-specific-route");
+    // Shouldn't match, but has a related substring:
+    EXPECT_EQ(config.route(genHeaders("qux.foo.baz.example.org", "/foo", "GET"), 0)->routeName(),
+              "default-route");
+    // Shouldn't match (trivial)
+    EXPECT_EQ(config.route(genHeaders("12.34.56.78:1234", "/foo", "GET"), 0)->routeName(),
+              "default-route");
+    EXPECT_EQ(config.route(genHeaders("www.foo.com:8090", "/foo", "GET"), 0)->routeName(),
+              "default-route");
+    EXPECT_EQ(config.route(genHeaders("[12:34:56:7890::]:8090", "/foo", "GET"), 0)->routeName(),
+              "default-route");
+  }
+}
+
 TEST_F(RouteMatcherTest, Priority) {
   const std::string yaml = R"EOF(
 virtual_hosts: