From 2f0951e6979abc02e572e55359f0d0a8da8b5cdf Mon Sep 17 00:00:00 2001
From: Michael Puncel <mpuncel@squareup.com>
Date: Fri, 7 Aug 2020 17:01:31 -0400
Subject: [PATCH 1/3] lua API: add base64Escape function to stream handle

This makes it easy for Lua filters to base64 escape strings without
needing to provide their own base64 helper.

Signed-off-by: Michael Puncel <mpuncel@squareup.com>
---
 .../http/http_filters/lua_filter.rst          |  8 ++++++
 docs/root/version_history/current.rst         |  1 +
 .../extensions/filters/http/lua/lua_filter.cc | 11 ++++++++
 .../extensions/filters/http/lua/lua_filter.h  | 10 ++++++-
 .../filters/http/lua/lua_filter_test.cc       | 27 +++++++++++++++++++
 5 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/docs/root/configuration/http/http_filters/lua_filter.rst b/docs/root/configuration/http/http_filters/lua_filter.rst
index 8e6f8eeffef8..320bb278076b 100644
--- a/docs/root/configuration/http/http_filters/lua_filter.rst
+++ b/docs/root/configuration/http/http_filters/lua_filter.rst
@@ -424,6 +424,14 @@ the length of the signature. *data* is the content which will be hashed. *dataLe
 The function returns a pair. If the first element is *true*, the second element will be empty
 which means signature is verified; otherwise, the second element will store the error message.
 
+base64Escape()
+^^^^^^^^^^^^^^
+.. code-block:: lua
+
+  local base64_encoded = handle:base64Escape("input string")
+
+Encodes the input string as base64. This can be useful for escaping binary data.
+
 .. _config_http_filters_lua_header_wrapper:
 
 Header object API
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index 01a2b7235bee..c982a74ac153 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -58,6 +58,7 @@ New Features
 * http: introduced new HTTP/1 and HTTP/2 codec implementations that will remove the use of exceptions for control flow due to high risk factors and instead use error statuses. The old behavior is used by default, but the new codecs can be enabled for testing by setting the runtime feature `envoy.reloadable_features.new_codec_behavior` to true. The new codecs will be in development for one month, and then enabled by default while the old codecs are deprecated.
 * load balancer: added a :ref:`configuration<envoy_v3_api_msg_config.cluster.v3.Cluster.LeastRequestLbConfig>` option to specify the active request bias used by the least request load balancer.
 * lua: added Lua APIs to access :ref:`SSL connection info <config_http_filters_lua_ssl_socket_info>` object.
+* lua: added Lua API for base64 escaping a string.
 * postgres network filter: :ref:`metadata <config_network_filters_postgres_proxy_dynamic_metadata>` is produced based on SQL query.
 * ratelimit: added :ref:`enable_x_ratelimit_headers <envoy_v3_api_msg_extensions.filters.http.ratelimit.v3.RateLimit>` option to enable `X-RateLimit-*` headers as defined in `draft RFC <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>`_.
 * router: added new
diff --git a/source/extensions/filters/http/lua/lua_filter.cc b/source/extensions/filters/http/lua/lua_filter.cc
index 0053443cd549..dea1e8ada016 100644
--- a/source/extensions/filters/http/lua/lua_filter.cc
+++ b/source/extensions/filters/http/lua/lua_filter.cc
@@ -12,6 +12,8 @@
 #include "common/crypto/utility.h"
 #include "common/http/message_impl.h"
 
+#include "absl/strings/escaping.h"
+
 namespace Envoy {
 namespace Extensions {
 namespace HttpFilters {
@@ -599,6 +601,15 @@ int StreamHandleWrapper::luaImportPublicKey(lua_State* state) {
   return 1;
 }
 
+int StreamHandleWrapper::luaBase64Escape(lua_State* state) {
+  // Get input string
+  absl::string_view input = luaL_checkstring(state, 2);
+  auto output = absl::Base64Escape(input);
+  lua_pushlstring(state, output.data(), output.length());
+
+  return 1;
+}
+
 FilterConfig::FilterConfig(const envoy::extensions::filters::http::lua::v3::Lua& proto_config,
                            ThreadLocal::SlotAllocator& tls,
                            Upstream::ClusterManager& cluster_manager, Api::Api& api)
diff --git a/source/extensions/filters/http/lua/lua_filter.h b/source/extensions/filters/http/lua/lua_filter.h
index 24909a95d649..fe4afc50257a 100644
--- a/source/extensions/filters/http/lua/lua_filter.h
+++ b/source/extensions/filters/http/lua/lua_filter.h
@@ -165,7 +165,8 @@ class StreamHandleWrapper : public Filters::Common::Lua::BaseLuaObject<StreamHan
             {"streamInfo", static_luaStreamInfo},
             {"connection", static_luaConnection},
             {"importPublicKey", static_luaImportPublicKey},
-            {"verifySignature", static_luaVerifySignature}};
+            {"verifySignature", static_luaVerifySignature},
+            {"base64Escape", static_luaBase64Escape}};
   }
 
 private:
@@ -268,6 +269,13 @@ class StreamHandleWrapper : public Filters::Common::Lua::BaseLuaObject<StreamHan
    */
   DECLARE_LUA_CLOSURE(StreamHandleWrapper, luaBodyIterator);
 
+  /**
+   * Base64 escape a string.
+   * @param1 (string) string to be base64 escaped.
+   * @return (string) base64 escaped string.
+   */
+  DECLARE_LUA_FUNCTION(StreamHandleWrapper, luaBase64Escape);
+
   int doSynchronousHttpCall(lua_State* state, Tracing::Span& span);
   int doAsynchronousHttpCall(lua_State* state, Tracing::Span& span);
 
diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc
index f0893c1e8c0a..35a44c0c697d 100644
--- a/test/extensions/filters/http/lua/lua_filter_test.cc
+++ b/test/extensions/filters/http/lua/lua_filter_test.cc
@@ -2191,6 +2191,33 @@ TEST_F(LuaHttpFilterTest, LuaFilterRefSourceCodeNotExist) {
   EXPECT_EQ(nullptr, request_headers.get(Http::LowerCaseString("hello")));
 }
 
+TEST_F(LuaHttpFilterTest, LuaFilterBase64Escape) {
+  const std::string SCRIPT{R"EOF(
+    function envoy_on_request(request_handle)
+      local base64Encoded = request_handle:base64Escape("foobar")
+      request_handle:logTrace(base64Encoded)
+    end
+
+    function envoy_on_response(request_handle)
+      local base64Encoded = request_handle:base64Escape("barfoo")
+      request_handle:logTrace(base64Encoded)
+    end
+  )EOF"};
+
+  InSequence s;
+  setup(SCRIPT);
+
+  Http::TestRequestHeaderMapImpl request_headers{{":path", "/"}};
+
+  EXPECT_CALL(*filter_, scriptLog(spdlog::level::trace, StrEq("Zm9vYmFy")));
+  EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(request_headers, true));
+
+  Http::TestResponseHeaderMapImpl response_headers{{":status", "200"}};
+
+  EXPECT_CALL(*filter_, scriptLog(spdlog::level::trace, StrEq("YmFyZm9v")));
+  EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->encodeHeaders(response_headers, true));
+}
+
 } // namespace
 } // namespace Lua
 } // namespace HttpFilters

From 061fc34fccd875ba26099021891a93a5b129bb3e Mon Sep 17 00:00:00 2001
From: Michael Puncel <mpuncel@squareup.com>
Date: Fri, 7 Aug 2020 19:37:38 -0400
Subject: [PATCH 2/3] address PR comments

Signed-off-by: Michael Puncel <mpuncel@squareup.com>
---
 source/extensions/filters/http/lua/lua_filter.cc    | 2 +-
 test/extensions/filters/http/lua/lua_filter_test.cc | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/source/extensions/filters/http/lua/lua_filter.cc b/source/extensions/filters/http/lua/lua_filter.cc
index dea1e8ada016..4a3431df1d7e 100644
--- a/source/extensions/filters/http/lua/lua_filter.cc
+++ b/source/extensions/filters/http/lua/lua_filter.cc
@@ -602,7 +602,7 @@ int StreamHandleWrapper::luaImportPublicKey(lua_State* state) {
 }
 
 int StreamHandleWrapper::luaBase64Escape(lua_State* state) {
-  // Get input string
+  // Get input string.
   absl::string_view input = luaL_checkstring(state, 2);
   auto output = absl::Base64Escape(input);
   lua_pushlstring(state, output.data(), output.length());
diff --git a/test/extensions/filters/http/lua/lua_filter_test.cc b/test/extensions/filters/http/lua/lua_filter_test.cc
index 35a44c0c697d..801eaae5ea22 100644
--- a/test/extensions/filters/http/lua/lua_filter_test.cc
+++ b/test/extensions/filters/http/lua/lua_filter_test.cc
@@ -2198,9 +2198,9 @@ TEST_F(LuaHttpFilterTest, LuaFilterBase64Escape) {
       request_handle:logTrace(base64Encoded)
     end
 
-    function envoy_on_response(request_handle)
-      local base64Encoded = request_handle:base64Escape("barfoo")
-      request_handle:logTrace(base64Encoded)
+    function envoy_on_response(response_handle)
+      local base64Encoded = response_handle:base64Escape("barfoo")
+      response_handle:logTrace(base64Encoded)
     end
   )EOF"};
 

From 8ca191d09f629e7d3af1104c6230ce1476b143b4 Mon Sep 17 00:00:00 2001
From: Michael Puncel <mpuncel@squareup.com>
Date: Tue, 11 Aug 2020 12:50:35 -0400
Subject: [PATCH 3/3] add cross link to new lua function from version history

Signed-off-by: Michael Puncel <mpuncel@squareup.com>
---
 docs/root/configuration/http/http_filters/lua_filter.rst | 2 ++
 docs/root/version_history/current.rst                    | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/root/configuration/http/http_filters/lua_filter.rst b/docs/root/configuration/http/http_filters/lua_filter.rst
index 320bb278076b..5d335e69591f 100644
--- a/docs/root/configuration/http/http_filters/lua_filter.rst
+++ b/docs/root/configuration/http/http_filters/lua_filter.rst
@@ -424,6 +424,8 @@ the length of the signature. *data* is the content which will be hashed. *dataLe
 The function returns a pair. If the first element is *true*, the second element will be empty
 which means signature is verified; otherwise, the second element will store the error message.
 
+.. _config_http_filters_lua_stream_handle_api_base64_escape:
+
 base64Escape()
 ^^^^^^^^^^^^^^
 .. code-block:: lua
diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
index c982a74ac153..afc276cdd706 100644
--- a/docs/root/version_history/current.rst
+++ b/docs/root/version_history/current.rst
@@ -58,7 +58,7 @@ New Features
 * http: introduced new HTTP/1 and HTTP/2 codec implementations that will remove the use of exceptions for control flow due to high risk factors and instead use error statuses. The old behavior is used by default, but the new codecs can be enabled for testing by setting the runtime feature `envoy.reloadable_features.new_codec_behavior` to true. The new codecs will be in development for one month, and then enabled by default while the old codecs are deprecated.
 * load balancer: added a :ref:`configuration<envoy_v3_api_msg_config.cluster.v3.Cluster.LeastRequestLbConfig>` option to specify the active request bias used by the least request load balancer.
 * lua: added Lua APIs to access :ref:`SSL connection info <config_http_filters_lua_ssl_socket_info>` object.
-* lua: added Lua API for base64 escaping a string.
+* lua: added Lua API for :ref:`base64 escaping a string <config_http_filters_lua_stream_handle_api_base64_escape>`.
 * postgres network filter: :ref:`metadata <config_network_filters_postgres_proxy_dynamic_metadata>` is produced based on SQL query.
 * ratelimit: added :ref:`enable_x_ratelimit_headers <envoy_v3_api_msg_extensions.filters.http.ratelimit.v3.RateLimit>` option to enable `X-RateLimit-*` headers as defined in `draft RFC <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>`_.
 * router: added new