deps: bump up cel-cpp to v0.11.0 (#39334)

## Description

This PR bumps up the version of `cel-cpp` to v0.11.0.

There are some major changes where we now have `cel::expr::ParsedExpr`
instead of `google::api::expr::v1alpha1::ParsedExpr`. We are doing the
conversion in the code to keep it backward compatible. We should remove
it in a follow-up PR by migrating everything to use
`cel::expr::ParsedExpr` instead.

---

**Commit Message:** deps: bump up `cel-cpp` to v0.11.0
**Additional Description:** Bump up the version of `cel-cpp` to v0.11.0
**Risk Level:** Low
**Testing:** CI
**Docs Changes:** N/A
**Release Notes:** N/A

---------

Signed-off-by: Rohit Agrawal <[email protected]>

Author: agrawroh

bazel/foreign_cc/cel-cpp.patch

@@ -0,0 +1,88 @@
+From d88b2a2d81e62335708057b3a044abada46de2a3 Mon Sep 17 00:00:00 2001
+From: Rohit Agrawal <[email protected]>
+Date: Tue, 6 May 2025 17:30:08 +0900
+Subject: [PATCH] Patches for cel-cpp v0.11.0
+
+Signed-off-by: Rohit Agrawal <[email protected]>
+---
+ common/internal/byte_string.cc |  8 ++++++++
+ common/value.h                 |  2 +-
+ common/values/value_variant.h  | 10 ++++++++++
+ runtime/type_registry.h        |  4 ++--
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/common/internal/byte_string.cc b/common/internal/byte_string.cc
+index e01c797f8..12345678a 100644
+--- a/common/internal/byte_string.cc
++++ b/common/internal/byte_string.cc
+@@ -104,6 +104,14 @@
+ 
+ ByteString::ByteString(Allocator<> allocator, absl::string_view string) {
+   ABSL_DCHECK_LE(string.size(), max_size());
++
++  // Check for null data pointer in the string_view
++  if (string.data() == nullptr) {
++    // Handle null data by creating an empty ByteString
++    SetSmallEmpty(allocator.arena());
++    return;
++  }
++
+   auto* arena = allocator.arena();
+   if (string.size() <= kSmallByteStringCapacity) {
+     SetSmall(arena, string);
+diff --git a/common/value.h b/common/value.h
+index 06a03c13d..9f5d77980 100644
+--- a/common/value.h
++++ b/common/value.h
+@@ -2733,7 +2733,7 @@
+     absl::Nonnull<const google::protobuf::DescriptorPool*> descriptor_pool,
+     absl::Nonnull<google::protobuf::MessageFactory*> message_factory,
+     absl::Nonnull<google::protobuf::Arena*> arena) const {
+-  ABSL_DCHECK_GT(qualifiers.size(), 0);
++  ABSL_DCHECK_GT(static_cast<int>(qualifiers.size()), 0);
+   ABSL_DCHECK(descriptor_pool != nullptr);
+   ABSL_DCHECK(message_factory != nullptr);
+   ABSL_DCHECK(arena != nullptr);
+diff --git a/common/values/value_variant.h b/common/values/value_variant.h
+index 61c19ce5f..fc7969bc8 100644
+--- a/common/values/value_variant.h
++++ b/common/values/value_variant.h
+@@ -732,6 +732,13 @@
+       const bool rhs_trivial =
+           (rhs.flags_ & ValueFlags::kNonTrivial) == ValueFlags::kNone;
+       if (lhs_trivial && rhs_trivial) {
++        // We need to suppress the compiler warnings about memory manipulation.
++        // The memcpy usage here is intentional for performance optimization
++        // Only suppress this warning on GCC, as Clang doesn't have this warning
++#if defined(__GNUC__) && !defined(__clang__)
++#pragma GCC diagnostic push
++#pragma GCC diagnostic ignored "-Wclass-memaccess"
++#endif
+         alignas(ValueVariant) std::byte tmp[sizeof(ValueVariant)];
+         // NOLINTNEXTLINE(bugprone-undefined-memory-manipulation)
+         std::memcpy(tmp, std::addressof(lhs), sizeof(ValueVariant));
+@@ -740,6 +747,9 @@
+                     sizeof(ValueVariant));
+         // NOLINTNEXTLINE(bugprone-undefined-memory-manipulation)
+         std::memcpy(std::addressof(rhs), tmp, sizeof(ValueVariant));
++#if defined(__GNUC__) && !defined(__clang__)
++#pragma GCC diagnostic pop
++#endif
+       } else {
+         SlowSwap(lhs, rhs, lhs_trivial, rhs_trivial);
+       }
+diff --git a/runtime/type_registry.h b/runtime/type_registry.h
+index 2b247946c..3e5ad423b 100644
+--- a/runtime/type_registry.h
++++ b/runtime/type_registry.h
+@@ -77,8 +77,8 @@
+   // Move-only
+   TypeRegistry(const TypeRegistry& other) = delete;
+   TypeRegistry& operator=(TypeRegistry& other) = delete;
+-  TypeRegistry(TypeRegistry&& other) = default;
+-  TypeRegistry& operator=(TypeRegistry&& other) = default;
++  TypeRegistry(TypeRegistry&& other) = delete;
++  TypeRegistry& operator=(TypeRegistry&& other) = delete;
+ 
+   // Registers a type such that it can be accessed by name, i.e. `type(foo) ==
+   // my_type`. Where `my_type` is the type being registered.

bazel/repositories.bzl

@@ -506,7 +506,29 @@ def _com_github_facebook_zstd():
 
 def _com_google_cel_cpp():
     external_http_archive(
-        "com_google_cel_cpp",
+        name = "com_google_cel_cpp",
+        patch_args = ["-p1"],
+        patches = ["@envoy//bazel/foreign_cc:cel-cpp.patch"],
+    )
+
+    # Load required dependencies that cel-cpp expects.
+    external_http_archive("com_google_cel_spec")
+
+    # cel-cpp references ``@antlr4-cpp-runtime//:antlr4-cpp-runtime`` but it internally
+    # defines ``antlr4_runtimes`` with a cpp target.
+    # We are creating a repository alias to avoid duplicating the ANTLR4 dependency.
+    native.new_local_repository(
+        name = "antlr4-cpp-runtime",
+        path = ".",
+        build_file_content = """
+package(default_visibility = ["//visibility:public"])
+
+# Alias to cel-cpp's embedded ANTLR4 runtime.
+alias(
+    name = "antlr4-cpp-runtime",
+    actual = "@antlr4_runtimes//:cpp",
+)
+""",
     )
 
 def _com_github_google_perfetto():

bazel/repository_locations.bzl

@@ -1301,12 +1301,44 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         license = "googleurl",
         license_url = "https://quiche.googlesource.com/googleurl/+/{version}/LICENSE",
     ),
+    com_google_cel_spec = dict(
+        project_name = "Common Expression Language (CEL) spec",
+        project_desc = "Common Expression Language (CEL) spec and conformance tests",
+        project_url = "https://opensource.google/projects/cel",
+        version = "0.24.0",
+        sha256 = "5cba6b0029e727d1f4d8fd134de4e747cecc0bc293d026017d7edc48058d09f7",
+        strip_prefix = "cel-spec-{version}",
+        urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
+        use_category = ["dataplane_ext"],
+        extensions = [
+            "envoy.access_loggers.extension_filters.cel",
+            "envoy.access_loggers.wasm",
+            "envoy.bootstrap.wasm",
+            "envoy.rate_limit_descriptors.expr",
+            "envoy.filters.http.ext_proc",
+            "envoy.filters.http.rate_limit_quota",
+            "envoy.filters.http.rbac",
+            "envoy.filters.http.wasm",
+            "envoy.filters.network.rbac",
+            "envoy.filters.network.wasm",
+            "envoy.stat_sinks.wasm",
+            "envoy.formatter.cel",
+            "envoy.matching.inputs.cel_data_input",
+            "envoy.matching.matchers.cel_matcher",
+            "envoy.tracers.opentelemetry",
+            "envoy.tracers.opentelemetry.samplers.cel",
+        ],
+        release_date = "2025-05-09",
+        cpe = "N/A",
+        license = "Apache-2.0",
+        license_url = "https://github.com/google/cel-spec/blob/v{version}/LICENSE",
+    ),
     com_google_cel_cpp = dict(
         project_name = "Common Expression Language (CEL) C++ library",
         project_desc = "Common Expression Language (CEL) C++ library",
         project_url = "https://opensource.google/projects/cel",
-        version = "0.10.0",
-        sha256 = "dd06b708a9f4c3728e76037ec9fb14fc9f6d9c9980e5d5f3a1d047f3855a8b98",
+        version = "0.11.0",
+        sha256 = "777f6780a3cc72264c3cc3279cc92affbaefb2bdc01aaff88463cca5b6167e1d",
         strip_prefix = "cel-cpp-{version}",
         urls = ["https://github.com/google/cel-cpp/archive/v{version}.tar.gz"],
         use_category = ["dataplane_ext"],
@@ -1328,7 +1360,7 @@ REPOSITORY_LOCATIONS_SPEC = dict(
             "envoy.tracers.opentelemetry",
             "envoy.tracers.opentelemetry.samplers.cel",
         ],
-        release_date = "2024-10-25",
+        release_date = "2025-04-03",
         cpe = "N/A",
         license = "Apache-2.0",
         license_url = "https://github.com/google/cel-cpp/blob/v{version}/LICENSE",

source/extensions/access_loggers/filters/cel/cel.cc

@@ -9,23 +9,25 @@ namespace CEL {
 namespace Expr = Envoy::Extensions::Filters::Common::Expr;
 
 CELAccessLogExtensionFilter::CELAccessLogExtensionFilter(
-    const ::Envoy::LocalInfo::LocalInfo& local_info, Expr::BuilderInstanceSharedPtr builder,
-    const google::api::expr::v1alpha1::Expr& input_expr)
+    const ::Envoy::LocalInfo::LocalInfo& local_info,
+    Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder,
+    const cel::expr::Expr& input_expr)
     : local_info_(local_info), builder_(builder), parsed_expr_(input_expr) {
-  compiled_expr_ = Expr::createExpression(builder_->builder(), parsed_expr_);
+  compiled_expr_ =
+      Extensions::Filters::Common::Expr::createExpression(builder_->builder(), parsed_expr_);
 }
 
 bool CELAccessLogExtensionFilter::evaluate(const Formatter::HttpFormatterContext& log_context,
                                            const StreamInfo::StreamInfo& stream_info) const {
-  Protobuf::Arena arena;
-  auto eval_status = Expr::evaluate(*compiled_expr_, arena, &local_info_, stream_info,
-                                    &log_context.requestHeaders(), &log_context.responseHeaders(),
-                                    &log_context.responseTrailers());
-  if (!eval_status.has_value() || eval_status.value().IsError()) {
+  ProtobufWkt::Arena arena;
+  const auto result = Extensions::Filters::Common::Expr::evaluate(
+      *compiled_expr_.get(), arena, &local_info_, stream_info, &log_context.requestHeaders(),
+      &log_context.responseHeaders(), &log_context.responseTrailers());
+  if (!result.has_value() || result.value().IsError()) {
     return false;
   }
-  auto result = eval_status.value();
-  return result.IsBool() ? result.BoolOrDie() : false;
+  auto eval_result = result.value();
+  return eval_result.IsBool() ? eval_result.BoolOrDie() : false;
 }
 
 } // namespace CEL

source/extensions/access_loggers/filters/cel/cel.h

@@ -21,15 +21,15 @@ class CELAccessLogExtensionFilter : public AccessLog::Filter {
 public:
   CELAccessLogExtensionFilter(const ::Envoy::LocalInfo::LocalInfo& local_info,
                               Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr,
-                              const google::api::expr::v1alpha1::Expr&);
+                              const cel::expr::Expr&);
 
   bool evaluate(const Formatter::HttpFormatterContext& log_context,
                 const StreamInfo::StreamInfo& stream_info) const override;
 
 private:
   const ::Envoy::LocalInfo::LocalInfo& local_info_;
   Extensions::Filters::Common::Expr::BuilderInstanceSharedPtr builder_;
-  const google::api::expr::v1alpha1::Expr parsed_expr_;
+  const cel::expr::Expr parsed_expr_;
   Extensions::Filters::Common::Expr::ExpressionPtr compiled_expr_;
 };
 

source/extensions/common/wasm/foreign.cc

@@ -138,7 +138,7 @@ RegisterForeignFunction registerClearRouteCacheForeignFunction(
 class ExpressionFactory : public Logger::Loggable<Logger::Id::wasm> {
 protected:
   struct ExpressionData {
-    google::api::expr::v1alpha1::ParsedExpr parsed_expr_;
+    cel::expr::ParsedExpr parsed_expr_;
     Filters::Common::Expr::ExpressionPtr compiled_expr_;
   };
 
@@ -203,16 +203,21 @@ class CreateExpressionFactory : public ExpressionFactory {
       auto token = expr_context.createToken();
       auto& handler = expr_context.getExpression(token);
 
-      handler.parsed_expr_ = parse_status.value();
+      const auto& parsed_expr = parse_status.value();
+      handler.parsed_expr_ = parsed_expr;
+
+      std::vector<absl::Status> warnings;
       auto cel_expression_status = expr_context.builder()->CreateExpression(
-          &handler.parsed_expr_.expr(), &handler.parsed_expr_.source_info());
+          &handler.parsed_expr_.expr(), &handler.parsed_expr_.source_info(), &warnings);
+
       if (!cel_expression_status.ok()) {
         ENVOY_LOG(info, "expr_create compile error: {}", cel_expression_status.status().message());
         expr_context.deleteExpression(token);
         return WasmResult::BadArgument;
       }
 
       handler.compiled_expr_ = std::move(cel_expression_status.value());
+
       auto result = reinterpret_cast<uint32_t*>(alloc_result(sizeof(uint32_t)));
       *result = token;
       return WasmResult::Ok;

source/extensions/filters/common/expr/evaluator.cc

@@ -149,35 +149,21 @@ BuilderInstanceSharedPtr getBuilder(Server::Configuration::CommonFactoryContext&
       [] { return std::make_shared<BuilderInstance>(createBuilder(nullptr)); });
 }
 
-// Converts from CEL canonical to CEL v1alpha1
-absl::optional<google::api::expr::v1alpha1::Expr>
-getExpr(const ::xds::type::v3::CelExpression& expression) {
-  ::cel::expr::Expr expr;
+absl::optional<cel::expr::Expr> getExpr(const ::xds::type::v3::CelExpression& expression) {
   if (expression.has_cel_expr_checked()) {
-    expr = expression.cel_expr_checked().expr();
+    return expression.cel_expr_checked().expr();
   } else if (expression.has_cel_expr_parsed()) {
-    expr = expression.cel_expr_parsed().expr();
+    return expression.cel_expr_parsed().expr();
   } else {
     return {};
   }
-
-  std::string data;
-  if (!expr.SerializeToString(&data)) {
-    return {};
-  }
-
-  // Parse the string into the target namespace message
-  google::api::expr::v1alpha1::Expr v1alpha1Expr;
-  if (!v1alpha1Expr.ParseFromString(data)) {
-    return {};
-  }
-
-  return v1alpha1Expr;
 }
 
-ExpressionPtr createExpression(Builder& builder, const google::api::expr::v1alpha1::Expr& expr) {
-  google::api::expr::v1alpha1::SourceInfo source_info;
-  auto cel_expression_status = builder.CreateExpression(&expr, &source_info);
+ExpressionPtr createExpression(Builder& builder, const cel::expr::Expr& expr) {
+  cel::expr::SourceInfo source_info;
+  std::vector<absl::Status> warnings;
+
+  auto cel_expression_status = builder.CreateExpression(&expr, &source_info, &warnings);
   if (!cel_expression_status.ok()) {
     throw CelException(
         absl::StrCat("failed to create an expression: ", cel_expression_status.status().message()));
@@ -186,11 +172,11 @@ ExpressionPtr createExpression(Builder& builder, const google::api::expr::v1alph
 }
 
 absl::optional<CelValue> evaluate(const Expression& expr, Protobuf::Arena& arena,
-                                  const LocalInfo::LocalInfo* local_info,
+                                  const ::Envoy::LocalInfo::LocalInfo* local_info,
                                   const StreamInfo::StreamInfo& info,
-                                  const Http::RequestHeaderMap* request_headers,
-                                  const Http::ResponseHeaderMap* response_headers,
-                                  const Http::ResponseTrailerMap* response_trailers) {
+                                  const ::Envoy::Http::RequestHeaderMap* request_headers,
+                                  const ::Envoy::Http::ResponseHeaderMap* response_headers,
+                                  const ::Envoy::Http::ResponseTrailerMap* response_trailers) {
   auto activation =
       createActivation(local_info, info, request_headers, response_headers, response_trailers);
   auto eval_status = expr.Evaluate(*activation, &arena);

source/extensions/filters/common/expr/evaluator.h

@@ -18,6 +18,7 @@
 #include "eval/public/cel_value.h"
 
 #include "xds/type/v3/cel.pb.h"
+#include "cel/expr/syntax.pb.h"
 
 #if defined(__GNUC__)
 #pragma GCC diagnostic pop
@@ -94,13 +95,11 @@ BuilderPtr createBuilder(Protobuf::Arena* arena);
 // Gets the singleton expression builder. Must be called on the main thread.
 BuilderInstanceSharedPtr getBuilder(Server::Configuration::CommonFactoryContext& context);
 
-// Converts from CEL canonical to CEL v1alpha1
-absl::optional<google::api::expr::v1alpha1::Expr>
-getExpr(const ::xds::type::v3::CelExpression& expression);
+absl::optional<cel::expr::Expr> getExpr(const ::xds::type::v3::CelExpression& expression);
 
-// Creates an interpretable expression from a protobuf representation.
+// Creates an interpretable expression from the new CEL expr format.
 // Throws an exception if fails to construct a runtime expression.
-ExpressionPtr createExpression(Builder& builder, const google::api::expr::v1alpha1::Expr& expr);
+ExpressionPtr createExpression(Builder& builder, const cel::expr::Expr& expr);
 
 // Evaluates an expression for a request. The arena is used to hold intermediate computational
 // results and potentially the final value.

source/extensions/filters/common/rbac/matchers.h

@@ -14,6 +14,8 @@
 #include "source/extensions/filters/common/rbac/matcher_interface.h"
 #include "source/extensions/path/match/uri_template/uri_template_match.h"
 
+#include "cel/expr/syntax.pb.h"
+
 namespace Envoy {
 namespace Extensions {
 namespace Filters {
@@ -187,7 +189,20 @@ class PolicyMatcher : public Matcher, NonCopyable {
                 ProtobufMessage::ValidationVisitor& validation_visitor,
                 Server::Configuration::CommonFactoryContext& context)
       : permissions_(policy.permissions(), validation_visitor, context),
-        principals_(policy.principals(), context), condition_(policy.condition()) {
+        principals_(policy.principals(), context), condition_([&policy]() {
+          if (policy.has_condition()) {
+            std::string serialized;
+            if (!policy.condition().SerializeToString(&serialized)) {
+              throw EnvoyException("Failed to serialize RBAC policy condition");
+            }
+            cel::expr::Expr new_expr;
+            if (!new_expr.ParseFromString(serialized)) {
+              throw EnvoyException("Failed to convert RBAC policy condition to new format");
+            }
+            return new_expr;
+          }
+          return cel::expr::Expr{};
+        }()) {
     if (policy.has_condition()) {
       expr_ = Expr::createExpression(*builder, condition_);
     }
@@ -199,7 +214,7 @@ class PolicyMatcher : public Matcher, NonCopyable {
 private:
   const OrMatcher permissions_;
   const OrMatcher principals_;
-  const google::api::expr::v1alpha1::Expr condition_;
+  const cel::expr::Expr condition_;
   Expr::ExpressionPtr expr_;
 };