ext_authz: Add support for headers_to_remove (#12984)

Add support for the letting the authorization service tell Envoy which auth related headers to remove once the authorization server is done with them, so that the upstream does not see them.

Signed-off-by: Martin Matusiak <numerodix@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ 228c8ad78433c19b61eeaf9aad1c38ec1f2c75cc

envoy/extensions/filters/http/cdn_loop/v3alpha/cdn_loop.proto

@@ -25,7 +25,7 @@ message CdnLoopConfig {
   // pseudonym or hostname the CDN is in control of.
   //
   // cdn_id must not be empty.
-  string cdn_id = 1 [(validate.rules).string = {min_bytes: 1}];
+  string cdn_id = 1 [(validate.rules).string = {min_len: 1}];
 
   // The maximum allowed count of cdn_id in the downstream CDN-Loop
   // request header.

envoy/service/auth/v3/external_auth.proto

@@ -59,6 +59,7 @@ message DeniedHttpResponse {
 }
 
 // HTTP attributes for an OK response.
+// [#next-free-field: 6]
 message OkHttpResponse {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.service.auth.v2.OkHttpResponse";
@@ -71,6 +72,23 @@ message OkHttpResponse {
   // one if there is a match.
   repeated config.core.v3.HeaderValueOption headers = 2;
 
+  // HTTP entity headers to remove from the original request before dispatching
+  // it to the upstream. This allows the authorization service to act on auth
+  // related headers (like `Authorization`), process them, and consume them.
+  // Under this model, the upstream will either receive the request (if it's
+  // authorized) or not receive it (if it's not), but will not see headers
+  // containing authorization credentials.
+  //
+  // Pseudo headers (such as `:authority`, `:method`, `:path` etc), as well as
+  // the header `Host`, may not be removed as that would make the request
+  // malformed. If mentioned in `headers_to_remove` these special headers will
+  // be ignored.
+  //
+  // When using the HTTP service this must instead be set by the HTTP
+  // authorization service as a comma separated list like so:
+  // ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``.
+  repeated string headers_to_remove = 5;
+
   // This field has been deprecated in favor of :ref:`CheckResponse.dynamic_metadata
   // <envoy_v3_api_field_service.auth.v3.CheckResponse.dynamic_metadata>`. Until it is removed,
   // setting this field overrides :ref:`CheckResponse.dynamic_metadata

envoy/service/auth/v4alpha/external_auth.proto

@@ -59,6 +59,7 @@ message DeniedHttpResponse {
 }
 
 // HTTP attributes for an OK response.
+// [#next-free-field: 6]
 message OkHttpResponse {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.service.auth.v3.OkHttpResponse";
@@ -74,6 +75,23 @@ message OkHttpResponse {
   // by Leaving `append` as false, the filter will either add a new header, or override an existing
   // one if there is a match.
   repeated config.core.v4alpha.HeaderValueOption headers = 2;
+
+  // HTTP entity headers to remove from the original request before dispatching
+  // it to the upstream. This allows the authorization service to act on auth
+  // related headers (like `Authorization`), process them, and consume them.
+  // Under this model, the upstream will either receive the request (if it's
+  // authorized) or not receive it (if it's not), but will not see headers
+  // containing authorization credentials.
+  //
+  // Pseudo headers (such as `:authority`, `:method`, `:path` etc), as well as
+  // the header `Host`, may not be removed as that would make the request
+  // malformed. If mentioned in `headers_to_remove` these special headers will
+  // be ignored.
+  //
+  // When using the HTTP service this must instead be set by the HTTP
+  // authorization service as a comma separated list like so:
+  // ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``.
+  repeated string headers_to_remove = 5;
 }
 
 // Intended for gRPC and Network Authorization servers `only`.