A2a: Add support for request body.

[tyxia]

Commit Message:
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

[repokitteh-read-only]

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #43766 was opened by tyxia.

see: more, trace.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the A2a HTTP filter by introducing robust support for processing and validating request bodies, specifically for POST requests. The filter now buffers the request body to perform JSON-RPC 2.0 validation, ensuring that only well-formed and compliant messages proceed. A configurable maximum request body size prevents resource exhaustion from excessively large payloads. This change improves the filter's ability to enforce protocol adherence and provides clearer error responses for invalid requests.

Highlights

• Request Body Processing: The A2a HTTP filter now supports processing request bodies for POST requests, enabling it to buffer and parse incoming data.
• Configurable Body Size Limit: A new max_request_body_size configuration option has been introduced, allowing administrators to set a limit on the size of the request body that the filter will buffer. Requests exceeding this limit are rejected with a 400 Bad Request.
• JSON-RPC 2.0 Validation: The filter now performs validation of the request body to ensure it conforms to the JSON-RPC 2.0 specification. Malformed JSON or requests missing required JSON-RPC fields are rejected.
• Improved Error Handling: Enhanced error handling provides specific local replies for invalid JSON, incomplete JSON, and oversized request bodies, improving diagnostic capabilities.
• Integration Tests: Comprehensive integration tests have been added to verify the new request body processing logic, including scenarios for valid requests, size limits, invalid JSON, and chunked data.

Changelog

• api/envoy/extensions/filters/http/a2a/v3/a2a.proto
  • Added max_request_body_size field to the A2a filter configuration, allowing a maximum size for the request body to be specified.
• source/extensions/filters/http/a2a/BUILD
  • Removed unused abseil-cpp dependencies (absl/strings, absl/strings:string_view).
• source/extensions/filters/http/a2a/a2a_filter.cc
  • Updated decodeHeaders to stop iteration for POST requests to buffer the body for parsing.
  • Added logic to set the decoder buffer limit based on max_request_body_size.
  • Implemented decodeData to incrementally parse the request body, validate JSON-RPC 2.0, and enforce the body size limit.
  • Introduced handleParseError to send local replies for parsing failures.
  • Added completeParsing to finalize parsing state and handle post-parsing validation and metadata setting.
• source/extensions/filters/http/a2a/a2a_filter.h
  • Included new headers for Logger, Protobuf, and Server filter configuration.
  • Defined MetadataKeys namespace for A2a filter metadata.
  • Added parser_, bytes_parsed_, and parsing_complete_ members to A2aFilter to manage body parsing state.
  • Declared handleParseError and completeParsing methods.
• test/extensions/filters/http/a2a/BUILD
  • Added a new envoy_cc_test target for a2a_filter_integration_test.
• test/extensions/filters/http/a2a/a2a_filter_integration_test.cc
  • Added a new integration test file to cover various scenarios for the A2a filter's request body processing.
  • Included tests for valid A2a POST requests, large request bodies, default size limits, invalid JSON, missing JSON-RPC fields, wrong content types, and chunked requests.
• test/extensions/filters/http/a2a/a2a_filter_test.cc
  • Included source/common/buffer/buffer_impl.h.
  • Updated test fixture constructor to correctly initialize A2aFilterStats.
  • Removed several redundant ValidPostRequest tests.
  • Added tests for ValidDeleteRequest.
  • Introduced new unit tests for decodeData covering invalid JSON, partial JSON, body too large, fragmented buffers, resumed parsing, incomplete streams, non-JSON passthrough, and parsing completion.

Activity

• The pull request introduces new functionality for the A2a HTTP filter to handle request bodies.
• The author, tyxia, has implemented the core logic for buffering, parsing, and validating JSON-RPC 2.0 requests.
• New integration tests have been added to ensure the robustness and correctness of the new features.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for parsing the request body in the A2A filter, including JSON-RPC validation and handling of body size limits, by implementing the decodeData method and adding new member variables for parsing state, along with comprehensive unit and integration tests. A security audit confirms no high-severity vulnerabilities were introduced, as the implementation correctly handles untrusted input through strict size limits, safe JSON parsing, proper state management, and secure error handling. However, the review identified minor issues such as an inconsistency between a log message and DELETE request logic, a leftover debug log statement, and commented-out code that should be removed.

[tyxia]

/assign @botengyao @yanavlasov @agrawroh

PTAL, Thanks

[botengyao]

lgtm, thanks!

[botengyao]

I think the follow-up will be store some attributes to the dynamic metadata so it can be consumed.

[tyxia]

dynamic metadata is just one option, it is weakly typed and has slow performance. But it works well with RBAC and ext_authz to enable access control in A2A

In Envoy, filter state is generally preferred as it is strongly typed and has better performance, which also could enable broader use case with native c++ filter

[botengyao]

Yes, the RBAC and ext_authz are the major things for dynamic_metadata for the easy-use.