address comments

Author: shivaspeaks

xds/src/main/java/io/grpc/xds/internal/matcher/CelCommon.java

@@ -51,36 +51,30 @@ final class CelCommon {
           })
           .build();
 
-  /**
-   * Set of allowed function names based on gRFC A106.
-   */
-  private static final ImmutableSet<String> ALLOWED_FUNCTIONS = ImmutableSet.of(
-      "size", "matches", "contains", "startsWith", "endsWith", "timestamp", "duration",
-      "int", "uint", "double", "string", "bytes", "bool", "==", "!=", ">", "<", ">=", "<=",
-      "&&", "||", "!", "+", "-", "*", "/", "%", "in", "has", "or");
+
+
+  private static final ImmutableSet<String> ALLOWED_EXACT_OVERLOAD_IDS = ImmutableSet.of(
+      "equals", "not_equals", "logical_and", "logical_or", "logical_not");
 
   /**
    * Regular expression pattern to validate internal CEL overload IDs.
    *
    * <p>
    * Standard CEL operators and conversion functions often have empty names in the
-   * AST
-   * and are identified solely by their overload IDs (e.g., {@code equals} for
-   * {@code ==},
-   * {@code divide_int64} for {@code /}).
+   * AST and are identified solely by their overload IDs (e.g., {@code equals} for
+   * {@code ==}, {@code divide_int64} for {@code /}).
    *
    * <p>
    * This pattern matches allowed overload IDs by their prefixes (e.g.,
-   * {@code divide},
-   * {@code size}), optionally followed by numeric types (e.g., {@code int64}) and
-   * type-specific
-   * suffixes (e.g., {@code _string}, {@code _int64}).
+   * {@code divide}, {@code size}), optionally followed by numeric types 
+   * (e.g., {@code int64}) and type-specific suffixes (e.g., {@code _string}, 
+   * {@code _int64}).
    */
-  private static final Pattern ALLOWED_OVERLOAD_ID_PATTERN = Pattern.compile(
+  private static final Pattern ALLOWED_OVERLOAD_ID_PREFIX_PATTERN = Pattern.compile(
       "^(size|matches|contains|startsWith|endsWith|starts_with|ends_with|"
           + "timestamp|duration|in|index|has|int|uint|double|string|bytes|bool|"
-          + "equals|not_equals|less|less_equals|greater|greater_equals|"
-          + "add|subtract|multiply|divide|modulo|logical_and|logical_or|logical_not)"
+          + "less|less_equals|greater|greater_equals|"
+          + "add|subtract|multiply|divide|modulo|negate)"
           + "[0-9]*(_.*)?$");
 
   static final CelRuntime RUNTIME = CelRuntimeFactory.standardCelRuntimeBuilder()
@@ -110,7 +104,8 @@ static void checkAllowedReferences(CelAbstractSyntaxTree ast) {
         if (name.isEmpty()) {
           boolean allowed = false;
           for (String id : ref.overloadIds()) {
-            if (ALLOWED_OVERLOAD_ID_PATTERN.matcher(id).matches()) {
+            if (ALLOWED_EXACT_OVERLOAD_IDS.contains(id)
+                || ALLOWED_OVERLOAD_ID_PREFIX_PATTERN.matcher(id).matches()) {
               allowed = true;
               break;
             }
@@ -120,9 +115,9 @@ static void checkAllowedReferences(CelAbstractSyntaxTree ast) {
                 "CEL expression references unknown function with overload IDs: "
                     + ref.overloadIds());
           }
-        } else if (!ALLOWED_FUNCTIONS.contains(name)) {
+        } else {
           throw new IllegalArgumentException(
-              "CEL expression references unknown function: " + name);
+              "CEL expression references unsupported named function: " + name);
         }
       }
     }

xds/src/main/java/io/grpc/xds/internal/matcher/CelStringExtractor.java

@@ -66,23 +66,22 @@ public static CelStringExtractor compile(CelAbstractSyntaxTree ast)
    * fails.
    */
   public String extract(Object input) throws CelEvaluationException {
-    Object result;
-    try {
-      if (input instanceof CelVariableResolver) {
-        result = program.eval((CelVariableResolver) input);
-      } else {
-        throw new CelEvaluationException(
-            "Unsupported input type for CEL evaluation: " + input.getClass().getName());
-      }
-    } catch (CelEvaluationException e) {
-      if (defaultValue != null) {
-        return defaultValue;
-      }
-      throw e;
-    }
+    if (input instanceof CelVariableResolver) {
+      try {
+        Object result = program.eval((CelVariableResolver) input);
 
-    if (result instanceof String) {
-      return (String) result;
+        if (result instanceof String) {
+          return (String) result;
+        }
+      } catch (CelEvaluationException e) {
+        if (defaultValue == null) {
+          throw e;
+        }
+      }
+    } else if (defaultValue == null) {
+      throw new CelEvaluationException(
+          "Unsupported input type for CEL evaluation: "
+              + (input == null ? "null" : input.getClass().getName()));
     }
     return defaultValue;
   }

xds/src/main/java/io/grpc/xds/internal/matcher/GrpcCelEnvironment.java

@@ -16,12 +16,10 @@
 
 package io.grpc.xds.internal.matcher;
 
-import com.google.common.base.Splitter;
 import com.google.common.collect.ImmutableSet;
 import dev.cel.runtime.CelVariableResolver;
 import io.grpc.Metadata;
 import java.util.AbstractMap;
-import java.util.List;
 import java.util.Optional;
 import java.util.Set;
 import javax.annotation.Nullable;
@@ -30,7 +28,6 @@
  * CEL Environment for gRPC xDS matching.
  */
 final class GrpcCelEnvironment implements CelVariableResolver {
-  private static final Splitter SPLITTER = Splitter.on('.').limit(2);
   private final MatchContext context;
 
   GrpcCelEnvironment(MatchContext context) {
@@ -42,10 +39,6 @@ public Optional<Object> find(String name) {
     if (name.equals("request")) {
       return Optional.of(new LazyRequestMap(this));
     }
-    List<String> components = SPLITTER.splitToList(name);
-    if (components.size() == 2 && components.get(0).equals("request")) {
-      return Optional.ofNullable(getRequestField(components.get(1)));
-    }
     return Optional.empty();
   }
 

xds/src/test/java/io/grpc/xds/internal/matcher/CelCommonTest.java

@@ -122,4 +122,10 @@ public void checkAllowedReferences_unknownVariable_throws() throws Exception {
           .contains("CEL expression references unknown variable: unknown_var");
     }
   }
+
+  @Test
+  public void checkAllowedReferences_negation() throws Exception {
+    assertAllowed("-(1) == -1");
+    assertAllowed("-(1.0) == -1.0");
+  }
 }

xds/src/test/java/io/grpc/xds/internal/matcher/CelEnvironmentTest.java

@@ -91,9 +91,13 @@ public void celEnvironment_resolvesRequestField() {
 
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
 
-    Optional<Object> result = env.find("request.path");
+    Optional<Object> result = env.find("request");
     assertThat(result.isPresent()).isTrue();
-    assertThat(result.get()).isEqualTo("/foo");
+    assertThat(result.get()).isInstanceOf(Map.class);
+    
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
+    assertThat(requestMap.get("path")).isEqualTo("/foo");
   }
 
   @Test
@@ -201,9 +205,11 @@ public void celEnvironment_method_fallback() {
 
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
 
-    Optional<Object> result = env.find("request.method");
+    Optional<Object> result = env.find("request");
     assertThat(result.isPresent()).isTrue();
-    assertThat(result.get()).isEqualTo("POST");
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
+    assertThat(requestMap.get("method")).isEqualTo("POST");
   }
 
   @Test
@@ -233,15 +239,15 @@ public void celEnvironment_timeField_supportedButNull() {
     MatchContext context = MatchContext.newBuilder().build();
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
 
-    Optional<Object> result = env.find("request.time");
-    assertThat(result.isPresent()).isFalse();
-    
-    // But it should be present in the map key set
-    Map<?, ?> requestMap = (Map<?, ?>) env.find("request").get();
+    Optional<Object> result = env.find("request");
+    assertThat(result.isPresent()).isTrue();
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
     assertThat(requestMap.containsKey("time")).isTrue();
     assertThat(requestMap.get("time")).isNull();
   }
 
+
   @Test
   public void headersWrapper_size() {
     Metadata metadata = new Metadata();
@@ -265,24 +271,32 @@ public void celEnvironment_accessAllFields() {
         .setMethod("GET")
         .build();
 
-
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
-
-    assertThat(env.find("request.host").get()).isEqualTo("host");
-    assertThat(env.find("request.id").get()).isEqualTo("id");
-    assertThat(env.find("request.method").get()).isEqualTo("GET");
-    assertThat(env.find("request.scheme").get()).isEqualTo("");
-    assertThat(env.find("request.protocol").get()).isEqualTo("");
-    assertThat(env.find("request.query").get())
-        .isEqualTo("");
-    assertThat(env.find("request.headers").get()).isInstanceOf(HeadersWrapper.class);
+    Optional<Object> result = env.find("request");
+    assertThat(result.isPresent()).isTrue();
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
+
+    assertThat(requestMap.get("host")).isEqualTo("host");
+    assertThat(requestMap.get("id")).isEqualTo("id");
+    assertThat(requestMap.get("method")).isEqualTo("GET");
+    assertThat(requestMap.get("scheme")).isEqualTo("");
+    assertThat(requestMap.get("protocol")).isEqualTo("");
+    assertThat(requestMap.get("query")).isEqualTo("");
+    assertThat(requestMap.get("headers")).isInstanceOf(HeadersWrapper.class);
   }
 
   @Test
   public void celEnvironment_find_unknownField() {
     MatchContext context = MatchContext.newBuilder().build();
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
-    assertThat(env.find("request.unknown").isPresent()).isFalse();
+    
+    Optional<Object> result = env.find("request");
+    assertThat(result.isPresent()).isTrue();
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
+    assertThat(requestMap.get("unknown")).isNull();
+    
     assertThat(env.find("other").isPresent()).isFalse();
   }
 
@@ -426,8 +440,12 @@ public void celEnvironment_resolvesRefererAndUserAgent() {
         .build();
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
 
-    assertThat(env.find("request.referer").get()).isEqualTo("http://example.com");
-    assertThat(env.find("request.useragent").get()).isEqualTo("grpc-test");
+    Optional<Object> result = env.find("request");
+    assertThat(result.isPresent()).isTrue();
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
+    assertThat(requestMap.get("referer")).isEqualTo("http://example.com");
+    assertThat(requestMap.get("useragent")).isEqualTo("grpc-test");
   }
 
   @Test
@@ -441,8 +459,11 @@ public void celEnvironment_joinsMultipleHeaderValues() {
         .build();
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
 
-    // Tests the String.join logic in getHeader
-    assertThat(env.find("request.referer").get()).isEqualTo("v1,v2");
+    Optional<Object> result = env.find("request");
+    assertThat(result.isPresent()).isTrue();
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
+    assertThat(requestMap.get("referer")).isEqualTo("v1,v2");
   }
 
   @Test
@@ -451,7 +472,12 @@ public void celEnvironment_find_invalidFormat() {
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
 
     assertThat(env.find("other.path").isPresent()).isFalse();
-    assertThat(env.find("request.a.b").isPresent()).isFalse();
+    
+    Optional<Object> result = env.find("request");
+    assertThat(result.isPresent()).isTrue();
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
+    assertThat(requestMap.get("a")).isNull();
   }
 
   @Test
@@ -469,7 +495,11 @@ public void celEnvironment_missingHeader_returnsEmptyString() {
     MatchContext context = MatchContext.newBuilder().build();
     GrpcCelEnvironment env = new GrpcCelEnvironment(context);
 
-    assertThat(env.find("request.referer").get()).isEqualTo("");
+    Optional<Object> result = env.find("request");
+    assertThat(result.isPresent()).isTrue();
+    @SuppressWarnings("unchecked")
+    Map<String, Object> requestMap = (Map<String, Object>) result.get();
+    assertThat(requestMap.get("referer")).isEqualTo("");
   }