Add validation rules and security annotations for identifiers, CIDR ranges, and matcher inputs

xds/core/v3/authority.proto

@@ -15,8 +15,8 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 
 // xDS authority information.
 message Authority {
-  string name = 1 [(validate.rules).string = {min_len: 1}];
-
+string name = 1 [(validate.rules).string = {min_len: 1, pattern: "^[0-9a-zA-Z_\\-\\.~:]+$"}];
+  
   // .. space reserved for additional authority addressing information, e.g. for
   // resource signing, items such as CA trust chain, cert pinning may be added.
 }

xds/core/v3/cidr.proto

@@ -16,8 +16,8 @@ option go_package = "github.com/cncf/xds/go/xds/core/v3";
 // the subnet mask for a `CIDR <https://tools.ietf.org/html/rfc4632>`_ range.
 message CidrRange {
   // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
-  string address_prefix = 1 [(validate.rules).string = {min_len: 1}];
-
+  string address_prefix = 1 [(validate.rules).string = {address: true}];
+  
   // Length of prefix, e.g. 0, 32. Defaults to 0 when unset.
   google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];
 }

xds/core/v3/resource_locator.proto

@@ -44,13 +44,13 @@ message ResourceLocator {
   // Opaque identifier for the resource. Any '/' will not be escaped during URI
   // encoding and will form part of the URI path. This may end
   // with ‘*’ for glob collection references.
-  string id = 2;
+  string id = 2 [(validate.rules).string = {pattern: "^[0-9a-zA-Z_\\-\\./~:]*$"}];
 
   // Logical authority for resource (not necessarily transport network address).
   // Authorities are opaque in the xDS API, data-plane load balancers will map
   // them to concrete network transports such as an xDS management server, e.g.
   // via envoy.config.core.v3.ConfigSource.
-  string authority = 3;
+  string authority = 3 [(validate.rules).string = {pattern: "^[0-9a-zA-Z_\\-\\.~:]*$"}];
 
   // Fully qualified resource type (as in type URL without types.googleapis.com/
   // prefix).

xds/core/v3/resource_name.proto

@@ -26,12 +26,12 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 message ResourceName {
   // Opaque identifier for the resource. Any '/' will not be escaped during URI
   // encoding and will form part of the URI path.
-  string id = 1;
+  string id = 1 [(validate.rules).string = {pattern: "^[0-9a-zA-Z_\\-\\./~:]*$"}];
 
   // Logical authority for resource (not necessarily transport network address).
   // Authorities are opaque in the xDS API, data-plane load balancers will map
   // them to concrete network transports such as an xDS management server.
-  string authority = 2;
+  string authority = 2 [(validate.rules).string = {pattern: "^[0-9a-zA-Z_\\-\\.~:]*$"}];
 
   // Fully qualified resource type (as in type URL without types.googleapis.com/
   // prefix).

xds/type/matcher/v3/matcher.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package xds.type.matcher.v3;
 
+import "xds/annotations/v3/security.proto";
 import "xds/core/v3/extension.proto";
 import "xds/type/matcher/v3/string.proto";
 
@@ -107,7 +108,10 @@ message Matcher {
   message MatcherTree {
     // A map of configured matchers. Used to allow using a map within a oneof.
     message MatchMap {
-      map<string, OnMatch> map = 1 [(validate.rules).map = {min_pairs: 1}];
+      map<string, OnMatch> map = 1 [
+        (validate.rules).map = {min_pairs: 1},
+        (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+      ];
     }
 
     // Protocol-specific specification of input field to match on.

xds/type/matcher/v3/regex.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package xds.type.matcher.v3;
 
+import "xds/annotations/v3/security.proto";
 import "validate/validate.proto";
 
 option java_package = "com.github.xds.type.matcher.v3";
@@ -42,5 +43,8 @@ message RegexMatcher {
 
   // The regex match string. The string must be supported by the configured
   // engine.
-  string regex = 2 [ (validate.rules).string = {min_len : 1} ];
+  string regex = 2 [
+    (validate.rules).string = {min_len : 1},
+    (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+  ];
 }

xds/type/matcher/v3/string.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package xds.type.matcher.v3;
 
+import "xds/annotations/v3/security.proto";
 import "xds/core/v3/extension.proto";
 import "xds/type/matcher/v3/regex.proto";
 
@@ -25,34 +26,46 @@ message StringMatcher {
     // Examples:
     //
     // * *abc* only matches the value *abc*.
-    string exact = 1;
+    string exact = 1 [(xds.annotations.v3.security).configure_for_untrusted_downstream = true];
 
     // The input string must have the prefix specified here.
     // Note: empty prefix is not allowed, please use regex instead.
     //
     // Examples:
     //
     // * *abc* matches the value *abc.xyz*
-    string prefix = 2 [(validate.rules).string = {min_len: 1}];
+    string prefix = 2 [
+      (validate.rules).string = {min_len: 1},
+      (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+    ];
 
     // The input string must have the suffix specified here.
     // Note: empty prefix is not allowed, please use regex instead.
     //
     // Examples:
     //
     // * *abc* matches the value *xyz.abc*
-    string suffix = 3 [(validate.rules).string = {min_len: 1}];
+    string suffix = 3 [
+      (validate.rules).string = {min_len: 1},
+      (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+    ];
 
     // The input string must match the regular expression specified here.
-    RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}];
+    RegexMatcher safe_regex = 5 [
+      (validate.rules).message = {required: true},
+      (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+    ];
 
     // The input string must have the substring specified here.
     // Note: empty contains match is not allowed, please use regex instead.
     //
     // Examples:
     //
     // * *abc* matches the value *xyz.abc.def*
-    string contains = 7 [(validate.rules).string = {min_len: 1}];
+    string contains = 7 [
+      (validate.rules).string = {min_len: 1},
+      (xds.annotations.v3.security).configure_for_untrusted_downstream = true
+    ];
 
     // Use an extension as the matcher type.
     // [#extension-category: envoy.string_matcher]

xds/type/v3/range.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package xds.type.v3;
 
+import "validate/validate.proto";
+
 option java_package = "com.github.xds.type.v3";
 option java_outer_classname = "RangeProto";
 option java_multiple_files = true;
@@ -16,7 +18,7 @@ message Int64Range {
   int64 start = 1;
 
   // end of the range (exclusive)
-  int64 end = 2;
+  int64 end = 2 [(validate.rules).int64 = {gt_field: "start"}];
 }
 
 // Specifies the int32 start and end of the range using half-open interval
@@ -26,7 +28,7 @@ message Int32Range {
   int32 start = 1;
 
   // end of the range (exclusive)
-  int32 end = 2;
+  int32 end = 2 [(validate.rules).int32 = {gt_field: "start"}];
 }
 
 // Specifies the double start and end of the range using half-open interval
@@ -36,5 +38,5 @@ message DoubleRange {
   double start = 1;
 
   // end of the range (exclusive)
-  double end = 2;
+  double end = 2 [(validate.rules).double = {gt_field: "start"}];
 }