rbac: add delay_deny implementation in RBAC network filter

[yangminzhu]

Commit Message: If specified, the RBAC network filter will delay the specified duration before actually closing the connection.
Additional Description: This implements #33771.
Risk Level: Low
Testing: Added Unit Test and Integration Test
Manual Local Test Log:

[2024-04-30 11:03:14.080][22663692][debug][rbac] [source/extensions/filters/network/rbac/rbac_filter.cc:95] checking connection: requestedServerName: , sourceIP: 127.0.0.1:54006, directRemoteIP: 127.0.0.1:54006,remoteIP: 127.0.0.1:54006, localAddress: 127.0.0.1:10000, ssl: none, dynamicMetadata:
[2024-04-30 11:03:14.080][22663692][debug][rbac] [source/extensions/filters/network/rbac/rbac_filter.cc:201] enforced denied, matched policy none
[2024-04-30 11:03:14.080][22663692][debug][rbac] [source/extensions/filters/network/rbac/rbac_filter.cc:129] connection will be delay denied in 1000ms

Docs Changes: N/A
Release Notes: Updated version history
Platform Specific Features: N/A
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @wbpcode
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #33875 was opened by yangminzhu.

see: more, trace.

[yangminzhu]

cc @kyessenov , @lambdai

[yangminzhu]

@wbpcode , @lambdai could you take another look if the api looks good? also wondering who should be reviewing the actual code changes? thanks.

[wbpcode]

/lgtm api

(PS: sorry for the delay, I was on vacation last days.

[wbpcode]

should we drain the data to avoid buffering the data when we wait the timer?

[yangminzhu]

Would it be good enough if we just disable the read after line 123 with callbacks_->connection().readDisable(true);? That way we stop reading any data if we determined the authz result is deny regardless if it is immediate or delay deny? cc @lambdai

[wbpcode]

@yangminzhu could you merge the main and resolve the conflict? Thanks.

[wbpcode]

assign this to @yanavlasov for final review and because @yanavlasov is the code owner (and senior maintainer)

[yanavlasov]

/wait

[yanavlasov]

An optional suggestion for a better name. Feel free to ignore.

Suggested change

	google.protobuf.Duration delay_deny = 8;
	google.protobuf.Duration close_delay = 8;

[yanavlasov]

This does not really test that disconnect occurred after configured delay. You can use simulated time for that. Check out MultiplexedIntegrationTestWithSimulatedTime

[yangminzhu]

@yanavlasov I checked MultiplexedIntegrationTestWithSimulatedTime and found it uses the Event::TestUsingSimulatedTime but not quite understand how it works.

The MultiplexedIntegrationTestWithSimulatedTime uses timeSystem().advanceTimeWait in its test case but the same statement doesn't seem working in the RBAC integration:

I subclassed TestUsingSimulatedTime and tried the same but it just never triggers the timer in the RBAC filter as the tcp_client->waitForDisconnect() is blocked forever, also tried simTime().advanceTimeWait but it is still not working.

would you mind expand a little bit how to use the simulated time in the integration test? thanks.