[filters] Add RBAC condition fuzzer (CEL expressions)

[asraa]

This adds a fuzzer for CEL expression matching. These conditions are used in the RBAC filter for complementing the existing principal/permission model.

About a quarter of the execution time is coming from google::api::expr::runtime::RegisterBuiltinFunctions. The test runs locally at about 250 exec/sec.

See: #7716

Risk Level: Low
Testing: Converted unit tests into corpus entries

Re-open of #8752 -- all history the same, merged to up to date master, and pushed all changes.
/review @htuch

[htuch]

This is really cool. A few point comments, looks like the right way to model this problem.
/wait

[htuch]

Does this only happen during proto validation? If so, maybe move Expr::evaluate outside the try/catch, to allow the fuzzer to discover any surprise evaluation exceptions.

[asraa]

Ahh... it's an awkward case. The CEL expressions that are fuzzed have some required proto constraints that aren't enforced in proto validations, so they'll get caught in the code by an exception (for example, an expr_kind must be set).

[htuch]

Can we add a dedicated EnvoyException subclass for this and do a narrower catch around that?

[asraa]

Done! We throw CelException's for errors thrown in the CEL library

[htuch]

LGTM modulo the one question around making the exception catch more precise.

[kyessenov]

Thanks! @TristonianJones FYI.

[htuch]

LGTM once CI passes.

[htuch]

Thanks!