Skip to content

network: migrate ratelimit, rbac, ext_authz filters to exception free#46111

Merged
yanavlasov merged 1 commit into
envoyproxy:mainfrom
davidvo-lyft:davidvo/27412-network-filters-exception-free
Jul 16, 2026
Merged

network: migrate ratelimit, rbac, ext_authz filters to exception free#46111
yanavlasov merged 1 commit into
envoyproxy:mainfrom
davidvo-lyft:davidvo/27412-network-filters-exception-free

Conversation

@davidvo-lyft

@davidvo-lyft davidvo-lyft commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Migrate the ratelimit, rbac, and ext_authz network filter config factories from the throwing Common::FactoryBase to Common::ExceptionFreeFactoryBase, so config validation returns absl::StatusOr instead of throwing. This mirrors the already merged HTTP twins (#38629, #46035) and continues the exception free migration tracked in #27412. Error messages and failure semantics are unchanged (EnvoyException becomes absl::InvalidArgumentError with identical text).

rbac's factory validation was the only throw in its directory, so its entry is removed from the tools/code_format/config.yaml exception allowlist, locking the directory throw free via check_format. ratelimit and ext_authz keep their entries: both retain throws outside the config validation surface (descriptor formatter, per connection client creation), left for a follow-up.

The network read filter fuzz harness relied on factories throwing for invalid configs (.value() inside a catch (EnvoyException)). It now checks the returned status first, mirroring the HTTP fuzz harness, so error statuses keep exiting setup early instead of escaping as BadStatusOrAccess (caught by the ext_authz_2 corpus entry, a V2 config).

Commit Message: network: migrate ratelimit, rbac, ext_authz filters to exception free

Additional Description: see above

Risk Level: Low. Behavior preserving refactor, no user visible change.

Testing: The three config_test targets and //test/extensions/filters/network/common/fuzz:network_readfilter_fuzz_test (which exercises the migrated error path via the ext_authz_2 corpus) pass in the CI clang image. Added DeprecatedV2TransportApiVersion negative tests for ratelimit and ext_authz; rbac's checkRule expectations converted from EXPECT_THROW to status assertions. check_format passes with the rbac allowlist entry removed.

Docs Changes: N/A

Release Notes: N/A (internal refactor)

Platform Specific Features: N/A

Part of #27412

Generative AI disclosure: Developed with AI assistance (Claude Code); I reviewed and understand every line and take full ownership of the submission.

@davidvo-lyft
davidvo-lyft force-pushed the davidvo/27412-network-filters-exception-free branch 2 times, most recently from 29cb24b to 3c0b0c0 Compare July 14, 2026 17:29
Migrate the ratelimit, rbac, and ext_authz network filter config
factories from the throwing Common::FactoryBase to the in-tree
Common::ExceptionFreeFactoryBase, so createFilterFactoryFromProtoTyped
returns absl::StatusOr instead of throwing during config validation.
The factory scope THROW_IF_NOT_OK(checkTransportVersion(...)) calls in
ratelimit and ext_authz become RETURN_IF_NOT_OK, mirroring their already
merged HTTP twins, and rbac's validate helpers now return absl::Status
with identical error messages. Since rbac's factory throw was the only
throw token in its directory, its entry is removed from the
tools/code_format/config.yaml exception allowlist, locking the directory
throw free via check_format.

The network read filter fuzz harness previously relied on these
factories throwing EnvoyException for invalid configs; it now checks the
returned status before dereferencing, mirroring the HTTP fuzz harness,
so error statuses keep exiting the setup path early instead of escaping
as BadStatusOrAccess.

This continues the exception free migration series tracked in envoyproxy#27412.

Signed-off-by: David Vo <davidvo@lyft.com>
@davidvo-lyft
davidvo-lyft force-pushed the davidvo/27412-network-filters-exception-free branch from 3c0b0c0 to ec198fb Compare July 14, 2026 18:20
@yanavlasov
yanavlasov merged commit 5b51b09 into envoyproxy:main Jul 16, 2026
28 checks passed
yanavlasov pushed a commit that referenced this pull request Jul 17, 2026
The zookeeper_proxy network filter was one of the few remaining network
filters whose config factory still threw `EnvoyException` instead of
returning `absl::StatusOr`, which kept its whole directory on the
`tools/code_format/config.yaml` exception allowlist and outside the
no-throw check. This change switches `ZooKeeperConfigFactory` from
`Common::FactoryBase` to `Common::ExceptionFreeFactoryBase` so
`createFilterFactoryFromProtoTyped` returns
`absl::StatusOr<Network::FilterFactoryCb>`, converts the two config-time
throws (the duplicated-opcode check and the unknown-opcode lookup) to
`absl::InvalidArgumentError` with byte-identical message text, and
removes the zookeeper_proxy entry from the exception allowlist so
check_format now enforces no-throw for the entire directory. The
ZooKeeper filter's data plane was already made exception free in #31485;
these two config-time throws were all that remained, so this finishes
zookeeper_proxy specifically. It continues the exception-free migration
tracked in #27412, following the same pattern as recently merged
network-filter (#46111) and HTTP-filter (#46042) work.

**Commit Message:** zookeeper_proxy: migrate config validation to
exception free

**Additional Description:** `parseLatencyThresholdOverrides` becomes a
public static helper returning
`absl::StatusOr<LatencyThresholdOverrideMap>`; the factory parses before
constructing `ZooKeeperFilterConfig`, whose constructor now takes the
parsed map and can no longer fail.

**Risk Level:** Low. Config-load-time only refactor with no data plane
change; error messages and failure semantics are unchanged
(`EnvoyException` becomes `absl::InvalidArgumentError` with identical
text, surfaced through the same config rejection path).

**Testing:**
- `//test/extensions/filters/network/zookeeper_proxy:config_test` and
`:filter_test` pass in the CI clang docker image. The duplicated-opcode
case was converted from `EXPECT_THROW_WITH_REGEX` to a status matcher
with the identical message substring; a new
`UnknownOpcodeInLatencyThresholdOverrides` test calls the now-public
static helper directly with an out-of-range opcode and asserts
`InvalidArgumentError` with the identical text, covering the error
branch so per-directory coverage does not regress. filter_test's
existing tests run unchanged through the updated `initialize()` helper.
- Countable metric: throw sites in the directory go from 2 to 0 (`grep
-rE 'throw|THROW'`), and the allowlist entry is removed. Mutation proof:
with the allowlist entry removed, injecting a `throw` into filter.cc
makes `check_format` fail with "Don't introduce throws into
exception-free files"; at the parent commit the same injected throw
passes, confirming the directory is now enforced.

**Docs Changes:** N/A

**Release Notes:** N/A (internal refactor, no behavior change; matches
the no-changelog precedent of #46111 and #46042)

**Platform Specific Features:** N/A

Part of #27412

**Generative AI disclosure:** Developed with AI assistance (Claude
Code); I reviewed and understand every line and take full ownership of
the submission.

Signed-off-by: David Vo <davidvo@lyft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants