Complete migration from protoc-gen-validate to protovalidate v1.0.0

Signed-off-by: Matthieu MOREL <[email protected]>

Author: mmorel-35

api/bazel/api_build_system.bzl

@@ -149,14 +149,14 @@ def api_proto_package(
         has_services = has_services,
     )
 
-    compilers = ["@io_bazel_rules_go//proto:go_proto", "@com_envoyproxy_protoc_gen_validate//bazel/go:pgv_plugin_go", "@envoy_api//bazel:vtprotobuf_plugin_go"]
+    compilers = ["@io_bazel_rules_go//proto:go_proto", "@envoy_api//bazel:vtprotobuf_plugin_go"]
     if has_services:
-        compilers = ["@io_bazel_rules_go//proto:go_proto", "@io_bazel_rules_go//proto:go_grpc_v2", "@com_envoyproxy_protoc_gen_validate//bazel/go:pgv_plugin_go", "@envoy_api//bazel:vtprotobuf_plugin_go"]
+        compilers = ["@io_bazel_rules_go//proto:go_proto", "@io_bazel_rules_go//proto:go_grpc_v2", "@envoy_api//bazel:vtprotobuf_plugin_go"]
 
     deps = (
         [_go_proto_mapping(dep) for dep in deps] +
         [
-            "@com_envoyproxy_protoc_gen_validate//validate:go_default_library",
+            "@build_buf_gen_go_bufbuild_protovalidate_protocolbuffers_go//buf/validate",
             "@org_golang_google_genproto_googleapis_api//annotations:annotations",
             "@org_golang_google_genproto_googleapis_rpc//status:status",
             "@org_golang_google_protobuf//types/known/anypb:go_default_library",

api/bazel/repositories.bzl

@@ -22,6 +22,9 @@ def api_dependencies():
     external_http_archive(
         name = "com_github_bufbuild_protovalidate",
     )
+    external_http_archive(
+        name = "com_github_bufbuild_protovalidate_cc",
+    )
     external_http_archive(
         name = "com_google_googleapis",
     )

api/bazel/repository_locations.bzl

@@ -25,6 +25,19 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "Apache-2.0",
         license_url = "https://github.com/bufbuild/protovalidate/blob/v{version}/LICENSE",
     ),
+    com_github_bufbuild_protovalidate_cc = dict(
+        project_name = "protovalidate-cc",
+        project_desc = "C++ Protocol Buffer Validation Library",
+        project_url = "https://github.com/bufbuild/protovalidate-cc",
+        use_category = ["api"],
+        sha256 = "4270d3babf1d883fd89139d80d002ad0b2dd1f16656c905514ee2d41cf9a2cb8",
+        version = "1.0.0",
+        urls = ["https://github.com/bufbuild/protovalidate-cc/archive/refs/tags/v{version}.tar.gz"],
+        strip_prefix = "protovalidate-cc-{version}",
+        release_date = "2025-09-18",
+        license = "Apache-2.0",
+        license_url = "https://github.com/bufbuild/protovalidate-cc/blob/v{version}/LICENSE",
+    ),
     rules_jvm_external = dict(
         project_name = "Java Rules for Bazel",
         project_desc = "Bazel rules for Java",

mobile/.bazelrc

@@ -51,8 +51,8 @@ build:rules_xcodeproj --define=apple.experimental.tree_artifact_outputs=0
 # Disable global index store to work around https://github.com/buildbuddy-io/rules_xcodeproj/issues/1878
 build:rules_xcodeproj --features=-swift.use_global_index_store
 
-# Override PGV validation with NOP functions for binary size savings.
-build --@com_envoyproxy_protoc_gen_validate//bazel:template-flavor=nop
+# Note: protovalidate (the successor to protoc-gen-validate) performs runtime validation
+# and does not require compile-time code generation or build flags.
 
 build:mobile-dbg-common --compilation_mode=dbg
 # Enable source map for debugging in IDEs

source/common/protobuf/BUILD

@@ -223,6 +223,7 @@ envoy_cc_library(
         "//source/common/common:utility_lib",
         "//source/common/protobuf:visitor_lib",
         "//source/common/runtime:runtime_features_lib",
+        "@com_github_bufbuild_protovalidate_cc//buf/validate:validator",
         "@com_github_cncf_xds//udpa/annotations:pkg_cc_proto",
         "@com_google_protobuf//:protobuf",
         "@envoy_api//envoy/annotations:pkg_cc_proto",

source/common/protobuf/utility.cc

@@ -17,9 +17,9 @@
 #include "source/common/runtime/runtime_features.h"
 
 #include "absl/strings/match.h"
+#include "buf/validate/validator.h"
 #include "udpa/annotations/sensitive.pb.h"
 #include "udpa/annotations/status.pb.h"
-#include "validate/validate.h"
 #include "xds/annotations/v3/status.pb.h"
 
 using namespace std::chrono_literals;
@@ -364,32 +364,55 @@ void MessageUtil::validateDurationFields(const Protobuf::Message& message, bool
 
 namespace {
 
-class PgvCheckVisitor : public ProtobufMessage::ConstProtoVisitor {
+class ProtovalidateCheckVisitor : public ProtobufMessage::ConstProtoVisitor {
 public:
+  ProtovalidateCheckVisitor() {
+    // Initialize the validator factory once
+    auto factory_result = buf::validate::ValidatorFactory::New();
+    if (!factory_result.ok()) {
+      PANIC(fmt::format("Failed to create protovalidate ValidatorFactory: {}",
+                        factory_result.status().ToString()));
+    }
+    factory_ = std::move(factory_result.value());
+  }
+
   absl::Status onMessage(const Protobuf::Message& message,
                          absl::Span<const Protobuf::Message* const>,
                          bool was_any_or_top_level) override {
-    Protobuf::ReflectableMessage reflectable_message = createReflectableMessage(message);
-    std::string err;
-    // PGV verification is itself recursive up to the point at which it hits an Any message. As
-    // such, to avoid N^2 checking of the tree, we only perform an additional check at the point
-    // at which PGV would have stopped because it does not itself check within Any messages.
-    if (was_any_or_top_level &&
-        !pgv::BaseValidator::AbstractCheckMessage(*reflectable_message, &err)) {
-      std::string error = fmt::format("{}: Proto constraint validation failed ({})",
-                                      reflectable_message->DebugString(), err);
-      return absl::InvalidArgumentError(error);
+    // Protovalidate validation is recursive, similar to PGV. We only perform an additional
+    // check at the top level or when encountering Any messages to avoid N^2 checking.
+    if (was_any_or_top_level) {
+      google::protobuf::Arena arena;
+      auto validator = factory_->NewValidator(&arena, false);
+      auto result = validator.Validate(message);
+      if (!result.ok()) {
+        return absl::InvalidArgumentError(
+            fmt::format("Proto constraint validation failed: {}", result.status().ToString()));
+      }
+      const auto& violations = result.value();
+      if (violations.violations_size() > 0) {
+        std::string error_msg = "Proto constraint validation failed:";
+        for (int i = 0; i < violations.violations_size(); ++i) {
+          const auto& violation = violations.violations(i);
+          error_msg += fmt::format("\n  - Field '{}': {}", violation.field_path(),
+                                   violation.message());
+        }
+        return absl::InvalidArgumentError(error_msg);
+      }
     }
     return absl::OkStatus();
   }
 
   void onField(const Protobuf::Message&, const Protobuf::FieldDescriptor&) override {}
+
+private:
+  std::unique_ptr<buf::validate::ValidatorFactory> factory_;
 };
 
 } // namespace
 
 void MessageUtil::recursivePgvCheck(const Protobuf::Message& message) {
-  PgvCheckVisitor visitor;
+  ProtovalidateCheckVisitor visitor;
   THROW_IF_NOT_OK(ProtobufMessage::traverseMessage(visitor, message, true));
 }
 

source/common/protobuf/yaml_utility.cc

@@ -18,7 +18,6 @@
 #include "udpa/annotations/sensitive.pb.h"
 #include "udpa/annotations/status.pb.h"
 #include "utf8_validity.h"
-#include "validate/validate.h"
 #include "xds/annotations/v3/status.pb.h"
 #include "yaml-cpp/yaml.h"
 

test/extensions/filters/network/common/fuzz/BUILD

@@ -40,26 +40,9 @@ envoy_proto_library(
     ],
 )
 
-envoy_cc_test_library(
-    name = "vig_anymap_ext_lib",
-    srcs = ["validated_input_generator_any_map_extensions.cc"],
-    hdrs = ["validated_input_generator_any_map_extensions.h"],
-    deps = [
-        "//source/extensions/access_loggers/file:config",
-        "//source/extensions/http/early_header_mutation/header_mutation:config",
-        "//source/extensions/http/header_validators/envoy_default:config",
-        "//source/extensions/http/original_ip_detection/custom_header:config",
-        "//source/extensions/http/original_ip_detection/xff:config",
-        "//source/extensions/matching/actions/format_string:config",
-        "//source/extensions/matching/common_inputs/environment_variable:config",
-        "//source/extensions/matching/input_matchers/consistent_hashing:config",
-        "//source/extensions/matching/input_matchers/ip:config",
-        "//source/extensions/request_id/uuid:config",
-        "//test/fuzz:validated_input_generator_lib",
-        "@envoy_api//envoy/config/route/v3:pkg_cc_proto",
-        "@envoy_api//envoy/config/trace/v3:pkg_cc_proto",
-    ],
-)
+# Note: vig_anymap_ext_lib has been removed as part of the protoc-gen-validate
+# to protovalidate migration. The library was an extension of validated_input_generator_lib
+# which has been removed due to incompatibility with protovalidate's runtime validation.
 
 envoy_cc_test_library(
     name = "uber_readfilter_lib",
@@ -93,7 +76,6 @@ envoy_cc_fuzz_test(
     rbe_pool = "6gig",
     deps = [
         ":uber_readfilter_lib",
-        ":vig_anymap_ext_lib",
         "//source/common/config:utility_lib",
         "//source/common/http:rds_lib",
         "//test/config:utility_lib",
@@ -140,7 +122,6 @@ envoy_cc_fuzz_test(
     # these up via the NamedNetworkFilterConfigFactory.
     deps = [
         ":uber_writefilter_lib",
-        ":vig_anymap_ext_lib",
         "//source/common/config:utility_lib",
         "//test/config:utility_lib",
     ] + envoy_filters_from_selected(WRITEFILTER_FUZZ_FILTERS),

test/extensions/filters/network/common/fuzz/network_readfilter_fuzz_test.cc

@@ -5,7 +5,6 @@
 #include "test/config/utility.h"
 #include "test/extensions/filters/network/common/fuzz/network_readfilter_fuzz.pb.validate.h"
 #include "test/extensions/filters/network/common/fuzz/uber_readfilter.h"
-#include "test/extensions/filters/network/common/fuzz/validated_input_generator_any_map_extensions.h"
 #include "test/fuzz/fuzz_runner.h"
 #include "test/test_common/test_runtime.h"
 
@@ -100,10 +99,8 @@ static void TestOneProtoInput(const test::extensions::filters::network::FilterFu
         // Replaying a corpus through the fuzzer will not be affected by the
         // post-processor mutation.
         ensuredValidFilter(seed, input->mutable_config());
-
-        ProtobufMessage::ValidatedInputGenerator generator(
-            seed, ProtobufMessage::composeFiltersAnyMap(), 20);
-        ProtobufMessage::traverseMessage(generator, *input, true);
+        // Note: ValidatedInputGenerator removed as part of protovalidate migration.
+        // Fuzzer now relies solely on libprotobuf-mutator for input generation.
       }};
 
   try {

test/extensions/filters/network/common/fuzz/network_writefilter_fuzz_test.cc

@@ -5,7 +5,6 @@
 #include "test/config/utility.h"
 #include "test/extensions/filters/network/common/fuzz/network_writefilter_fuzz.pb.validate.h"
 #include "test/extensions/filters/network/common/fuzz/uber_writefilter.h"
-#include "test/extensions/filters/network/common/fuzz/validated_input_generator_any_map_extensions.h"
 #include "test/fuzz/fuzz_runner.h"
 
 namespace Envoy {
@@ -39,9 +38,8 @@ DEFINE_PROTO_FUZZER(const test::extensions::filters::network::FilterFuzzTestCase
         input->mutable_config()->mutable_typed_config()->set_type_url(
             absl::StrCat("type.googleapis.com/",
                          factory->createEmptyConfigProto()->GetDescriptor()->full_name()));
-        ProtobufMessage::ValidatedInputGenerator generator(
-            seed, ProtobufMessage::composeFiltersAnyMap(), 20);
-        ProtobufMessage::traverseMessage(generator, *input, true);
+        // Note: ValidatedInputGenerator removed as part of protovalidate migration.
+        // Fuzzer now relies solely on libprotobuf-mutator for input generation.
       }};
   try {
     TestUtility::validate(input);