api: audit_log api specific to RBAC http filters (#26001)

Signed-off-by: Luwei Ge <lwge@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 4d57ba2805458b9141e01a7e293857ed2fc7fd5a

envoy/config/rbac/v3/rbac.proto

@@ -95,6 +95,36 @@ message RBAC {
     LOG = 2;
   }
 
+  message AuditLoggingOptions {
+    // Deny and allow here refer to RBAC decisions, not actions.
+    enum AuditCondition {
+      // Never audit.
+      NONE = 0;
+
+      // Audit when RBAC denies the request.
+      ON_DENY = 1;
+
+      // Audit when RBAC allows the request.
+      ON_ALLOW = 2;
+
+      // Audit whether RBAC allows or denies the request.
+      ON_DENY_AND_ALLOW = 3;
+    }
+
+    // Condition for the audit logging to happen.
+    // If this condition is met, all the audit loggers configured here will be invoked.
+    //
+    // [#not-implemented-hide:]
+    AuditCondition audit_condition = 1 [(validate.rules).enum = {defined_only: true}];
+
+    // Configurations for RBAC-based authorization audit loggers.
+    //
+    // [#not-implemented-hide:]
+    // [#extension-category: envoy.rbac.audit_loggers]
+    repeated core.v3.TypedExtensionConfig audit_loggers = 2
+        [(validate.rules).repeated = {min_items: 1}];
+  }
+
   // The action to take if a policy matches. Every action either allows or denies a request,
   // and can also carry out action-specific operations.
   //
@@ -114,6 +144,12 @@ message RBAC {
   // Maps from policy name to policy. A match occurs when at least one policy matches the request.
   // The policies are evaluated in lexicographic order of the policy name.
   map<string, Policy> policies = 2;
+
+  // Audit logging options that include the condition for audit logging to happen
+  // and audit logger configurations.
+  //
+  // [#not-implemented-hide:]
+  AuditLoggingOptions audit_logging_options = 3;
 }
 
 // Policy specifies a role and the principals that are assigned/denied the role.