[fuzz] Create ext authz http fuzzer with dynamic metadata

.bazelrc

@@ -78,6 +78,7 @@ build:asan --copt -O1
 build:asan --copt -fno-optimize-sibling-calls
 
 # Clang ASAN/UBSAN
+build:clang-asan --config=clang
 build:clang-asan --config=asan
 build:clang-asan --linkopt -fuse-ld=lld
 build:clang-asan --linkopt --rtlib=compiler-rt
@@ -322,7 +323,7 @@ build:plain-fuzzer --copt=-fsanitize=fuzzer-no-link
 build:plain-fuzzer --linkopt=-fsanitize=fuzzer-no-link
 
 build:asan-fuzzer --config=plain-fuzzer
-build:asan-fuzzer --config=asan
+build:asan-fuzzer --config=clang-asan
 build:asan-fuzzer --copt=-fno-omit-frame-pointer
 # Remove UBSAN halt_on_error to avoid crashing on protobuf errors.
 build:asan-fuzzer --test_env=UBSAN_OPTIONS=print_stacktrace=1

test/extensions/filters/http/ext_authz/BUILD

@@ -1,6 +1,8 @@
 load(
     "//bazel:envoy_build_system.bzl",
+    "envoy_cc_fuzz_test",
     "envoy_package",
+    "envoy_proto_library",
 )
 load(
     "//test/extensions:extensions_build_system.bzl",
@@ -77,3 +79,31 @@ envoy_extension_cc_test(
         "@envoy_api//envoy/service/auth/v3:pkg_cc_proto",
     ],
 )
+
+envoy_proto_library(
+    name = "ext_authz_fuzz_proto",
+    srcs = ["ext_authz_fuzz.proto"],
+    deps = [
+        "//test/fuzz:common_proto",
+        "@envoy_api//envoy/config/core/v3:pkg",
+        "@envoy_api//envoy/extensions/filters/http/ext_authz/v3:pkg",
+    ],
+)
+
+envoy_cc_fuzz_test(
+    name = "ext_authz_fuzz_test",
+    srcs = ["ext_authz_fuzz_test.cc"],
+    corpus = "ext_authz_corpus",
+    deps = [
+        ":ext_authz_fuzz_proto_cc_proto",
+        "//source/common/http:context_lib",
+        "//source/common/network:address_lib",
+        "//source/extensions/filters/http/ext_authz",
+        "//test/extensions/filters/common/ext_authz:ext_authz_mocks",
+        "//test/extensions/filters/http/common/fuzz:http_filter_fuzzer_lib",
+        "//test/mocks/http:http_mocks",
+        "//test/mocks/network:network_mocks",
+        "//test/mocks/runtime:runtime_mocks",
+        "@envoy_api//envoy/extensions/filters/http/ext_authz/v3:pkg_cc_proto",
+    ],
+)

test/extensions/filters/http/ext_authz/ext_authz_fuzz.proto

@@ -0,0 +1,30 @@
+syntax = "proto3";
+package envoy.extensions.filters.http.ext_authz;
+
+import "envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto";
+import "test/fuzz/common.proto";
+import "envoy/config/core/v3/base.proto";
+import "google/protobuf/empty.proto";
+import "validate/validate.proto";
+
+// We only fuzz a single request per iteration.
+message ExtAuthzTestCase {
+  enum AuthResult {
+    // Possible results for a check call. Taken from
+    // https://github.com/envoyproxy/envoy/blob/945b5833f094dee31d2971cee8d40553bb0fe714/source/extensions/filters/common/ext_authz/ext_authz.h#L65
+    OK = 0;
+    DENIED = 1;
+    ERROR = 2;
+  }
+
+  envoy.extensions.filters.http.ext_authz.v3.ExtAuthz config = 1
+      [(validate.rules).message = {required: true}];
+  // HTTP request data.
+  test.fuzz.HttpData request_data = 2 [(validate.rules).message = {required: true}];
+  // Set default auth check result.
+  AuthResult result = 3;
+  // Filter metadata.
+  envoy.config.core.v3.Metadata filter_metadata = 4;
+  // TODO: Add headers and data to ExtAuthz::Response and check that the request headers and data
+  // were updated.
+}