From 4406edd4e29f5b7e254bdee75ef6354fdf756eb3 Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Fri, 12 Oct 2018 18:40:59 +0000
Subject: [PATCH] rbac: add support for SNI based permissions (#4662)
This commit adds support for SNI based permissions by matching over a connection's requested server name.
Signed-off-by: Venil Noronha
Mirrored from https://github.com/envoyproxy/envoy @ 811ee0dc52951acf2f66190587f92394473c245c
---
 envoy/config/rbac/v2alpha/rbac.proto | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/envoy/config/rbac/v2alpha/rbac.proto b/envoy/config/rbac/v2alpha/rbac.proto
index d7431eb0..9c1b04c2 100644
--- a/envoy/config/rbac/v2alpha/rbac.proto
+++ b/envoy/config/rbac/v2alpha/rbac.proto
@@ -126,6 +126,27 @@ message Permission {
 // match, this permission would not match. Conversely, if the value of `not_rule` would not
 // match, this permission would match.
 Permission not_rule = 8;
+
+ // The request server from the client's connection request. This is
+ // typically TLS SNI.
+ //
+ // .. attention::
+ //
+ // The behavior of this field may be affected by how Envoy is configured
+ // as explained below.
+ //
+ // * If the :ref:`TLS Inspector `
+ // filter is not added, and if a `FilterChainMatch` is not defined for
+ // the :ref:`server name `,
+ // a TLS connection's requested SNI server name will be treated as if it
+ // wasn't present.
+ //
+ // * A :ref:`listener filter ` may
+ // overwrite a connection's requested server name within Envoy.
+ //
+ // Please refer to :ref:`this FAQ entry ` to learn to
+ // setup SNI.
+ envoy.type.matcher.StringMatcher requested_server_name = 9;
 }
 }
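Review bot: The documentation for the new `requested_server_name` field (line `envoy.type.matcher.StringMatcher requested_server_name = 9;`) never says what happens to the match when the server name is absent, which is exactly the situation the attention block describes: without the TLS Inspector filter or a `FilterChainMatch` for the server name, the SNI is treated as not present, so a permission built only on this field cannot match. For an allow rule that fails closed, but for a deny rule it means the rule silently never applies to those connections, so I would add a sentence such as `// If no server name is available on the connection, this permission does not match, so do not rely on it alone for deny-style rules unless SNI is known to be populated.` The first comment line also reads oddly; `// The requested server name from the client's connection request. This is` would be clearer, and `// set up SNI.` is the correct spelling. The `:ref:` targets appear empty in this rendering, though that may be an artifact of how the patch was extracted rather than the commit itself.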