From 26ae6e39fa43cf0d786486c3323584f3ad9c50ff Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Wed, 7 Nov 2018 00:29:08 +0000
Subject: [PATCH] extauth: Add route config for http ExtAuth filter (ability to disable; modify context extensions) (#4878)

Added an ability to add context extensions on a per virtualhost oute\weighted-cluster to the ext auth filter. This will allow adding custom extra data to the check request on a per-route basis. This can be used to create a more sophisticated authorization policy.

Risk Level: Low-Medium (opt-in, no impact for existing users)
Testing: Added unit tests to new code; manual testing.
Docs Changes: added usage example in docs/root/configuration/http_filters/ext_authz_filter.rst
Release Notes: added notes to version_history.rst

Signed-off-by: Yuval Kohavi

Mirrored from https://github.com/envoyproxy/envoy @ 15c5befd43fb9ee9b145cc87e507beb801726316
---
 .../http/ext_authz/v2alpha/ext_authz.proto | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
index ffb983bb..5947f0b5 100644
--- a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
@@ -7,6 +7,8 @@ import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/grpc_service.proto";
 import "envoy/api/v2/core/http_uri.proto";
 
+import "validate/validate.proto";
+
 // [#protodoc-title: External Authorization ]
 // The external authorization service configuration
 // :ref:`configuration overview `.
@@ -88,3 +90,36 @@ message HttpService {
   // authorization server. Note that these will override the headers coming from the downstream.
   repeated envoy.api.v2.core.HeaderValue authorization_headers_to_add = 6;
 }
+
+// Extra settings on a per virtualhost/route/weighter-cluster level.
+message ExtAuthzPerRoute {
+  oneof override {
+    option (validate.required) = true;
+
+    // Disable the ext auth filter for this particular vhost or route.
+    // If disabled is specified in multiple per-filter-configs, the most specific one will be used.
+    bool disabled = 1 [(validate.rules).bool.const = true];
+
+    // Check request settings for this route.
+    CheckSettings check_settings = 2 [(validate.rules).message.required = true];
+  }
+}
+
+// Extra settings for the check request. You can use this to provide extra context for the
+// ext-authz server on specific virtual hosts \ routes. For example, adding a context extension on
+// the virtual host level can give the ext-authz server information on what virtual host is used
+// without needing to parse the host header.
+// If CheckSettings is specified in multiple per-filter-configs, they will be merged in order,
+// and the result will be be used.
+message CheckSettings {
+  // Context extensions to set on the CheckRequest's
+  // :ref:`AttributeContext.context_extensions`
+  //
+  // Merge semantics for this field are such that keys from more specific configs override.
+  //
+  // .. note::
+  //
+  //   These settings are only applied to a filter configured with a
+  //   :ref:`grpc_service`.
+  map context_extensions = 1;
+}
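Review bot: The comments on `disabled` and `CheckSettings` each say how several per-filter configs of the same kind combine, but not how the two kinds interact across levels — because `override` is a `oneof`, each level's `ExtAuthzPerRoute` is either `disabled` or `check_settings`, so a virtual host with `disabled: true` and a route under it that supplies only `check_settings` (or the reverse) has no documented outcome, and since `disabled` is an authorization-bypass knob that precedence needs to be explicit. I would add one sentence to the `disabled` comment, e.g. `// A check_settings entry at a more specific level re-enables the filter for that level.` if that is what the filter does, or the opposite wording if a less specific `disabled` wins; the proto alone does not show which, so please state whatever the filter implementation actually does. The merge rule on `context_extensions` ("keys from more specific configs override") also means a route-level config can silently replace a key the ext-authz server relies on for a vhost-level decision, which is worth a note telling server authors to treat those keys as operator-controlled configuration rather than as a trust anchor. Typos in the added comments: `weighter-cluster` should be `weighted-cluster`, `virtual hosts \ routes` should be `virtual hosts / routes`, and `will be be used` should be `will be used`.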