Subset dev.cel environment in CelCommon and add regression test

Author: shivaspeaks

xds/src/main/java/io/grpc/xds/internal/matcher/CelCommon.java

@@ -30,16 +30,47 @@
 final class CelCommon {
   private static final CelOptions CEL_OPTIONS = CelOptions.newBuilder()
       .enableComprehension(false)
-      .enableStringConversion(false)
-      .enableStringConcatenation(false)
-      .enableListConcatenation(false)
       .maxRegexProgramSize(100)
       .build();
+
+  private static final dev.cel.checker.CelStandardDeclarations DECLARATIONS = 
+      dev.cel.checker.CelStandardDeclarations.newBuilder()
+          .filterFunctions((func, over) -> {
+            if (func == dev.cel.checker.CelStandardDeclarations.StandardFunction.STRING) {
+              return false;
+            }
+            if (func == dev.cel.checker.CelStandardDeclarations.StandardFunction.ADD) {
+              String id = over.celOverloadDecl().overloadId();
+              return !id.equals("add_string") && !id.equals("add_list");
+            }
+            return true;
+          })
+          .build();
+
+  private static final dev.cel.runtime.CelStandardFunctions FUNCTIONS = 
+      dev.cel.runtime.CelStandardFunctions.newBuilder()
+          .filterFunctions((func, over) -> {
+            if (func == dev.cel.runtime.CelStandardFunctions.StandardFunction.STRING) {
+              return false;
+            }
+            if (func == dev.cel.runtime.CelStandardFunctions.StandardFunction.ADD) {
+              String id = over.toString();
+              return !id.equals("ADD_STRING") && !id.equals("ADD_LIST");
+            }
+            return true;
+          })
+          .build();
+
   static final CelCompiler COMPILER = CelCompilerFactory.standardCelCompilerBuilder()
+      .setStandardEnvironmentEnabled(false)
+      .setStandardDeclarations(DECLARATIONS)
       .addVar("request", SimpleType.DYN)
       .setOptions(CEL_OPTIONS)
       .build();
+
   static final CelRuntime RUNTIME = CelRuntimeFactory.standardCelRuntimeBuilder()
+      .setStandardEnvironmentEnabled(false)
+      .setStandardFunctions(FUNCTIONS)
       .setOptions(CEL_OPTIONS)
       .build();
 

xds/src/test/java/io/grpc/xds/internal/matcher/CelEnvironmentTest.java

@@ -149,6 +149,41 @@ public void headers_binaryHeader() {
     assertThat(headers.containsKey("test-bin")).isTrue();
   }
 
+  @Test
+  public void celEnvironment_disabledFeatures_throwsValidationException() {
+    // String concatenation
+    try {
+      io.grpc.xds.internal.matcher.CelCommon.COMPILER.compile("'a' + 'b'").getAst();
+      org.junit.Assert.fail("String concatenation should be disabled");
+    } catch (dev.cel.common.CelValidationException e) {
+      assertThat(e).hasMessageThat().contains("found no matching overload for '_+_'");
+    }
+
+    // List concatenation
+    try {
+      io.grpc.xds.internal.matcher.CelCommon.COMPILER.compile("[1] + [2]").getAst();
+      org.junit.Assert.fail("List concatenation should be disabled");
+    } catch (dev.cel.common.CelValidationException e) {
+      assertThat(e).hasMessageThat().contains("found no matching overload for '_+_'");
+    }
+
+    // String conversion
+    try {
+      io.grpc.xds.internal.matcher.CelCommon.COMPILER.compile("string(1)").getAst();
+      org.junit.Assert.fail("String conversion should be disabled");
+    } catch (dev.cel.common.CelValidationException e) {
+      assertThat(e).hasMessageThat().contains("undeclared reference to 'string'");
+    }
+
+    // Comprehensions
+    try {
+      io.grpc.xds.internal.matcher.CelCommon.COMPILER.compile("[1, 2, 3].all(x, x > 0)").getAst();
+      org.junit.Assert.fail("Comprehensions should be disabled");
+    } catch (dev.cel.common.CelValidationException e) {
+      assertThat(e).hasMessageThat().contains("undeclared reference to 'all'");
+    }
+  }
+
   @Test
   public void celEnvironment_method_fallback() {
     MatchContext context = mock(MatchContext.class);