http3: support Http3Options for downstream

[danzh2010]

Commit Message: allow HCM to config Http3Options and use it with other HCM configs, i.e. max_request_headers_kb and headers_with_underscores_action, to setup QuicHttpServerConnectionImpl. And support these configurations in QUIC. Currently the only Http3Options configuration is override_stream_error_on_invalid_http_message.

Additional Description: added Http3 codec stats. Pass it along with Http3Options and other HCM configs.

Risk Level: low
Testing: enable related tests in quic_protocol_integration_test
Docs Changes: updated docs/root/configuration/http/http_conn_man/response_code_details.rst

Part of #12930 #2557

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
API shepherd assignee is @htuch
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #15753 was opened by danzh2010.

see: more, trace.

[alyssawilk]

Nice change!

Once you sort out docs CI, let's check coverage on this one and make sure we've got corner cases tested.

[alyssawilk]

can we factor the Http2 code into HeaderUtility or not enough overlap? or maybe at least stick it in the utility directory, unit terst, and we can use when we switch codec libraries.

[danzh2010]

I moved this method to HeaderUtility, but using it in h2 codec doesn't save many lines, so I didn't use it there.

[alyssawilk]

Ditto, consider moving to utility

[danzh2010]

done

[danzh2010]

@htuch The doc CI fails because this field is annotated with udpa.annotations.security, but doesn't have description in docs/protodoc_manifest.yaml. Do I need to document override_stream_error_on_invalid_http_message, the only field of Http3ProtocolOptions, there? http2_protocol_options doesn't have documentation about its similar fields in protodoc_manifest.yaml.

[htuch]

If there is anything security related, e.g. buffering, update the example manifest YAML as per offline discussion. If not, feel free to drop the security annotation.

[alyssawilk]

Try hiding the field and see if that fixes docs build - it's probably trying to generate docs for the (not hidden) field refering to the (hidden) proto and having problems.
Also please main merge to pick up the Matt moving-all-the-things PR

[danzh2010]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #15753 (comment) was created by @danzh2010.

see: more, trace.

[htuch]

/lgtm api

[alyssawilk]

Cool, just a few more nits and I think this one's good to go

[alyssawilk]

Given we're cloning this, what do you think of just always setting it in initializeAndValidate?

[danzh2010]

Makes sense, then we don't need to check http3_options_.has_override_stream_error_on_invalid_http_message() here.

[danzh2010]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #15753 (comment) was created by @danzh2010.

see: more, trace.

[mattklein123]

Thanks really awesome to see this all coming together. A few comments from a quick pass.

/wait

[mattklein123]

nit: it's kind of strange that this one is uses dot separation and the others are using underscores? Can we be consistent? Is this copied from elsewhere?

[danzh2010]

I saw http2.invalid.header.field and thought any error from external library should use ., no?

[mattklein123]

I think this is probably just a typo. IMO I would make it consistent with the others.

[danzh2010]

done

[mattklein123]

Suggested change

	* @return the Http2 Codec Stats.
	* @return the Http3 Codec Stats.

[danzh2010]

fixed

[mattklein123]

Can this actually happen? If it can, can this log spam?

[danzh2010]

It will be an implementation error if this happens.

[mattklein123]

OK then please use either ASSERT or ENVOY_BUG depending on what you want to do in terms of providing testing. I don't think kind of error handling makes sense.

[danzh2010]

done

[mattklein123]

It kills me that this code is now copied into a third place when we already effectively have it in both the H1 and H2 codec. This is really scary and security sensitive stuff and I feel we shouldn't be making the problem worse (it's in the opposite direction of #10646). Is there any work we can do to share some of this code now? Maybe we can do a different PR to add this helper and call it somehow from both other codecs?

[danzh2010]

I don't want to touch any code in production in this PR because that needs feature protection. Once this PR lands, the other two codec can switch to this utility function.

[mattklein123]

OK fair enough. Can you at least add comments and put TODOs in the other codec places which reference this code and the tracking issue for merging?

[danzh2010]

done

[alyssawilk]

cc @yanavlasov might be a good starter project for one of the envoy-sec folks

[danzh2010]

I refactored the stream error handling a bit. PTAL

[mattklein123]

Thanks LGTM, will defer to @alyssawilk to review the most recent set of changes and merge. Thank you!

[mattklein123]

Do you have a test for this ENVOY_BUG? If not just make it an assert.

[danzh2010]

As long as our implementation is correct, it shouldn't be reached. So I don't know how to trigger it in a meaningful test right now. But I'd like to keep it in production, in case we miss some QUICHE behavior change that could occassionally lead to this in the future.

[mattklein123]

But how will you know the error checking will work if we reach it in production? :) In general we require testing for ENVOY_BUG type logic, so I would still prefer that you switch this to assert if you can't reasonably test it.

[danzh2010]

Okay, I added a unit test in envoy_quic_server_session_test to hit this ENVOY_BUG just to check the ENVOY_BUG works as intended in debug and release build.

[danzh2010]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #15753 (comment) was created by @danzh2010.

see: more, trace.

[alyssawilk]

Nice! just one more nit and good to go.

[alyssawilk]

cc @yanavlasov might be a good starter project for one of the envoy-sec folks

[alyssawilk]

what do you think of making this a default argument? If you'd prefer to be explicit I'd mildly prefer a helper function for brevity.

[danzh2010]

I'd prefer having explicit argument. I changed the function to take an optional bool which if absent means checking override_stream_error_on_invalid_http_message from h3 options.

[alyssawilk]

update comment, please?

[danzh2010]

done

[alyssawilk]

API hasn't changed since the LGTM so I'm going to go ahead and merge.