xds: CEL implementation

[shivaspeaks]

This PR contains the core CEL evaluation logic and gRPC environment setup as defined in gRFC A106.

This is being carved out from #12640

[shivaspeaks]

Pasting @AgraVator's comment here from #12640 (comment):

To support future attributes beyond just headers (like the aforementioned transport info or cluster metadata), we might want to consider a more pluggable way to populate MatchContext.

Currently, it has a fixed set of fields. A map-based approach or a registry of attribute providers might make it easier to add new attributes without changing the core MatchContext class every time.

[kannanjgithub]

Currently, it has a fixed set of fields. A map-based approach or a registry of attribute providers might make it easier to add new attributes without changing the core MatchContext class every time.

I don't see what benefit is there in having a different class for each attribute like referer or user-agent. The list of Envoy request attributes is fixed and there is never a need to have some of them provided and other not.

Rather than think in terms of organizing our code in terms of plugin, we should think in terms of providing the evaluation context for the Cel runtime. With A106 supporting only request attributes for now we have this in GrpcCelEnvironment:

  @Override
  public Optional<Object> find(String name) {
    if (name.equals("request")) {
      return Optional.of(new LazyRequestMap(this));
    }
    return Optional.empty();
  }

that provides a map to Cel runtime for evaluating request.* variables. That map is backed by MatchContext (earlier implementation) that only knows about returning values for request.* keys. There is no need to further granularize how MatchContext implements that. One switch-case block will do.
Then for future unified matcher requirements you would check if name.equals("connection") and return a different map backed by something other than MatchContext. At that point we could may be rename MatchContext to RequestMatchContext and have a different one say ConnectionMatchContext the LazyRequestMap for connection variable evaluation uses.

[kannanjgithub]

Negative tests need to be added by creating AST and creating runtime with these disallowed expression types.

[kannanjgithub]

Add some comment why.

[kannanjgithub]

Add a .omitPadding()

BaseEncoding.base64().omitPadding().encode(value);

to keep it consistent with ext_proc filter that omits padding.

[kannanjgithub]

The gRFC says this should be metadata["x-request-id"]`.

[kannanjgithub]

I don't think path, host and method can be null. We should remove nullable and add checkNotNull assertions so it fails if the caller passes null values for any of them.

[Copilot]

Pull request overview

Introduces the foundational CEL (Common Expression Language) runtime integration for gRPC xDS matching (per gRFC A106), including a gRPC request/headers CEL environment, a string-extractor utility, and the build/shading wiring needed to ship CEL with the xDS artifact.

Changes:

• Added CEL runtime utilities for allowed-reference validation, program execution, and request attribute resolution (CelCommon, CelStringExtractor, GrpcCelEnvironment, HeadersWrapper, MatchContext).
• Added unit tests covering CEL environment behavior, disabled features, and string extraction behavior.
• Integrated CEL dependencies into Gradle/Bazel builds and updated shading/relocation rules for the xDS artifact.

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
xds/src/main/java/io/grpc/xds/internal/matcher/CelCommon.java	Defines CEL runtime options/functions and validates allowed references.
xds/src/main/java/io/grpc/xds/internal/matcher/CelStringExtractor.java	Compiles and evaluates CEL expressions intended to produce strings (with optional default).
xds/src/main/java/io/grpc/xds/internal/matcher/GrpcCelEnvironment.java	Provides request variable resolution for CEL evaluation based on gRPC request context.
xds/src/main/java/io/grpc/xds/internal/matcher/HeadersWrapper.java	Exposes request metadata/pseudo-headers as a Map for CEL header lookup.
xds/src/main/java/io/grpc/xds/internal/matcher/MatchContext.java	Simple container/builder for request attributes used by the CEL environment.
xds/src/test/java/io/grpc/xds/internal/matcher/CelCommonTest.java	Tests CelCommon.checkAllowedReferences() allow/deny behavior.
xds/src/test/java/io/grpc/xds/internal/matcher/CelEnvironmentTest.java	Tests the CEL environment and header map behavior, including disabled features.
xds/src/test/java/io/grpc/xds/internal/matcher/CelMatcherTestHelper.java	Test helper for compiling CEL ASTs with restricted declarations.
xds/src/test/java/io/grpc/xds/internal/matcher/CelStringExtractorTest.java	Tests string extraction behavior (success, non-string, eval error, defaults).
xds/build.gradle	Adds CEL dependencies and shading/relocation for the xDS artifact.
xds/BUILD.bazel	Adds CEL dependencies and jarjar relocation rules for Bazel builds.
repositories.bzl	Adds CEL artifacts to the shared Bazel third-party artifact list.
MODULE.bazel	Adds CEL artifacts to Bazel module artifact list.
gradle/libs.versions.toml	Declares CEL versions for Gradle dependency management.
build.gradle	Adds a Maven snapshots repository to all subprojects’ repositories.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.