From 47be8115f582641a227ccbe6e8f7f74c852cbfcc Mon Sep 17 00:00:00 2001
From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com>
Date: Wed, 10 Apr 2024 12:10:57 +0000
Subject: [PATCH] feat: credential injector impl (#30850)
* credential injector impl
Signed-off-by: huabing zhao
---------
Signed-off-by: huabing zhao
Signed-off-by: Huabing Zhao
Co-authored-by: phlax
Co-authored-by: Adi (Suissa) Peleg
Mirrored from https://github.com/envoyproxy/envoy @ 5f6842890c67bdadab129a78bf2e521068d69f61
---
 BUILD | 4 +-
 .../v3/credential_injector.proto | 29 +++++++-----
 .../injected_credentials/generic/v3/BUILD | 0
 .../generic/v3/generic.proto | 47 ++-----------------
 .../injected_credentials/oauth2/v3/BUILD | 0
 .../oauth2/v3/oauth2.proto | 8 ++--
 versioning/BUILD | 4 +-
 7 files changed, 29 insertions(+), 63 deletions(-)
 rename envoy/extensions/{ => http}/injected_credentials/generic/v3/BUILD (100%)
 rename envoy/extensions/{ => http}/injected_credentials/generic/v3/generic.proto (51%)
 rename envoy/extensions/{ => http}/injected_credentials/oauth2/v3/BUILD (100%)
 rename envoy/extensions/{ => http}/injected_credentials/oauth2/v3/oauth2.proto (91%)
diff --git a/BUILD b/BUILD
index 613bcf06..57bb807f 100644
--- a/BUILD
+++ b/BUILD
@@ -265,12 +265,12 @@ proto_library(
 "//envoy/extensions/http/early_header_mutation/header_mutation/v3:pkg",
 "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
 "//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
+ "//envoy/extensions/http/injected_credentials/generic/v3:pkg",
+ "//envoy/extensions/http/injected_credentials/oauth2/v3:pkg",
 "//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
 "//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
 "//envoy/extensions/http/stateful_session/cookie/v3:pkg",
 "//envoy/extensions/http/stateful_session/header/v3:pkg",
- "//envoy/extensions/injected_credentials/generic/v3:pkg",
- "//envoy/extensions/injected_credentials/oauth2/v3:pkg",
 "//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
 "//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
 "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",
diff --git a/envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto b/envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto
index efa16d3a..5dc8e82b 100644
--- a/envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto
+++ b/envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto
@@ -17,7 +17,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 // [#protodoc-title: Credential Injector]
-// [#not-implemented-hide:]
 // Credential Injector :ref:`configuration overview `.
 // [#extension: envoy.filters.http.credential_injector]
@@ -25,7 +24,8 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 // they can be requested through the OAuth2 client credential grant. The credentials obtained are then injected into the Authorization header
 // of the proxied HTTP requests, utilizing either the Basic or Bearer scheme.
 //
-// If the credential is not present, the request will fail with 401 Unauthorized if fail_if_not_present is set to true.
+// If the credential is not present or there was a failure injecting the credential, the request will fail with ``401 Unauthorized`` unless
+// ``allow_request_without_credential`` is set to ``true``.
 //
 // Notice: This filter is intended to be used for workload authentication, which means that the identity associated with the inserted credential
 // is considered as the identity of the workload behind the envoy proxy(in this case, envoy is typically deployed as a sidecar alongside that
@@ -33,14 +33,13 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 //
 // Here is an example of CredentialInjector configuration with Generic credential, which injects an HTTP Basic Auth credential into the proxied requests.
 //
-// .. code-block:: yaml
+// .. code-block:: yaml
 //
 // overwrite: true
-// fail_if_not_present: true
 // credential:
 // name: generic_credential
 // typed_config:
-// "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
+// "@type": type.googleapis.com/envoy.extensions.http.injected_credentials.generic.v3.Generic
 // credential:
 // name: credential
 // sds_config:
@@ -49,7 +48,8 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 // header: Authorization
 //
 // credential.yaml for Basic Auth:
-// .. code-block:: yaml
+//
+// .. code-block:: yaml
 //
 // resources:
 // - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
@@ -59,8 +59,10 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 // inline_string: "Basic base64EncodedUsernamePassword"
 //
 // It can also be configured to inject a Bearer token into the proxied requests.
+//
 // credential.yaml for Bearer Token:
-// .. code-block:: yaml
+//
+// .. code-block:: yaml
 //
 // resources:
 // - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
@@ -74,12 +76,15 @@ message CredentialInjector {
 // Value defaults to false.
 bool overwrite = 1;
- // Whether to fail the request if the credential is not present.
- // Value defaults to false.
- // If set to true, the request will fail with 401 Unauthorized if the credential is not present.
- bool fail_if_not_present = 2;
+ // Whether to send the request to upstream if the credential is not present or if the credential injection
+ // to the request fails.
+ //
+ // By default, a request will fail with ``401 Unauthorized`` if the
+ // credential is not present or the injection of the credential to the request fails.
+ // If set to true, the request will be sent to upstream without the credential.
+ bool allow_request_without_credential = 2;
 // The credential to inject into the proxied requests
- // TODO add extension-category
+ // [#extension-category: envoy.http.injected_credentials]
 config.core.v3.TypedExtensionConfig credential = 3 [(validate.rules).message = {required: true}];
 }
diff --git a/envoy/extensions/injected_credentials/generic/v3/BUILD b/envoy/extensions/http/injected_credentials/generic/v3/BUILD
similarity index 100%
rename from envoy/extensions/injected_credentials/generic/v3/BUILD
rename to envoy/extensions/http/injected_credentials/generic/v3/BUILD
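Review bot: Field number 2 is reused with inverted meaning in the `@@ -74,12 +76,15 @@` hunk: `bool fail_if_not_present = 2;` becomes `bool allow_request_without_credential = 2;`, so any already-serialized config that set field 2 to true in order to fail closed will now decode as "forward without the credential", silently turning a fail-closed deployment into a fail-open one. The file is still `work_in_progress` and the old field was hidden, so the in-place rename may be within the project's API policy, but the safer choice is a fresh field number together with `reserved 2; reserved "fail_if_not_present";` so stale configs are rejected instead of reinterpreted. The new default itself (reject with 401 when the credential is missing or injection fails) is the fail-closed behaviour one wants here, and the matching removal of `fail_if_not_present: true` from the example in the `@@ -33,14 +33,13 @@` hunk is consistent with it. The rest of `message CredentialInjector` lies outside the hunk.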
diff --git a/envoy/extensions/injected_credentials/generic/v3/generic.proto b/envoy/extensions/http/injected_credentials/generic/v3/generic.proto
similarity index 51%
rename from envoy/extensions/injected_credentials/generic/v3/generic.proto
rename to envoy/extensions/http/injected_credentials/generic/v3/generic.proto
index 5519ec10..f81a146f 100644
--- a/envoy/extensions/injected_credentials/generic/v3/generic.proto
+++ b/envoy/extensions/http/injected_credentials/generic/v3/generic.proto
@@ -1,6 +1,6 @@
 syntax = "proto3";
-package envoy.extensions.injected_credentials.generic.v3;
+package envoy.extensions.http.injected_credentials.generic.v3;
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
@@ -9,58 +9,19 @@ import "xds/annotations/v3/status.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
-option java_package = "io.envoyproxy.envoy.extensions.injected_credentials.generic.v3";
+option java_package = "io.envoyproxy.envoy.extensions.http.injected_credentials.generic.v3";
 option java_outer_classname = "GenericProto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/generic/v3;genericv3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/generic/v3;genericv3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 // [#protodoc-title: Generic Credential]
-// [#not-implemented-hide:]
-// [#extension: envoy.injected_credentials.generic]
+// [#extension: envoy.http.injected_credentials.generic]
 // Generic extension can be used to inject HTTP Basic Auth, Bearer Token, or any arbitrary credential
 // into the proxied requests.
 // The credential will be injected into the specified HTTP request header.
-// Example:
-//
-// .. code-block:: yaml
-//
-// credential:
-// name: generic_credential
-// typed_config:
-// "@type": type.googleapis.com/envoy.extensions.injected_credentials.generic.v3.Generic
-// credential:
-// name: credential
-// sds_config:
-// path_config_source:
-// path: credential.yaml
-// header: Authorization
-//
-// credential.yaml for Basic Auth:
-//
-// .. code-block:: yaml
-//
-// resources:
-// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
-// name: credential
-// generic_secret:
-// secret:
-// inline_string: "Basic base64EncodedUsernamePassword"
-//
-// Refer to [RFC 7617: The 'Basic' HTTP Authentication Scheme](https://www.rfc-editor.org/rfc/rfc7617) for details.
-//
-// credential.yaml for Bearer Token:
-//
-// .. 
code-block:: yaml
-// resources:
-// - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
-// name: credential
-// generic_secret:
-// secret:
-// inline_string: "Bearer myToken"
-//
 // Refer to [RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750) for details.
 //
 message Generic {
diff --git a/envoy/extensions/injected_credentials/oauth2/v3/BUILD b/envoy/extensions/http/injected_credentials/oauth2/v3/BUILD
similarity index 100%
rename from envoy/extensions/injected_credentials/oauth2/v3/BUILD
rename to envoy/extensions/http/injected_credentials/oauth2/v3/BUILD
diff --git a/envoy/extensions/injected_credentials/oauth2/v3/oauth2.proto b/envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto
similarity index 91%
rename from envoy/extensions/injected_credentials/oauth2/v3/oauth2.proto
rename to envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto
index bf898933..becf4410 100644
--- a/envoy/extensions/injected_credentials/oauth2/v3/oauth2.proto
+++ b/envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto
@@ -1,6 +1,6 @@
 syntax = "proto3";
-package envoy.extensions.injected_credentials.oauth2.v3;
+package envoy.extensions.http.injected_credentials.oauth2.v3;
 import "envoy/config/core/v3/http_uri.proto";
 import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
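Review bot: The surviving context line `// Refer to [RFC 6750: ...] for details.` at the end of the `@@ -9,58 +9,19 @@` hunk is left orphaned: the Bearer example it explained and the parallel RFC 7617 reference for Basic are both deleted, so the new header text jumps from "injected into the specified HTTP request header" straight to a bare RFC 6750 pointer. Either remove that line as well, since the worked examples now live in credential_injector.proto, or keep both references with a lead-in such as `// For the expected header value formats see RFC 7617 (Basic) and RFC 6750 (Bearer).` The body of `message Generic` starts at the last line of the hunk and continues outside it.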
@@ -10,16 +10,16 @@ import "xds/annotations/v3/status.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
-option java_package = "io.envoyproxy.envoy.extensions.injected_credentials.oauth2.v3";
+option java_package = "io.envoyproxy.envoy.extensions.http.injected_credentials.oauth2.v3";
 option java_outer_classname = "Oauth2Proto";
 option java_multiple_files = true;
-option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/injected_credentials/oauth2/v3;oauth2v3";
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/oauth2/v3;oauth2v3";
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 option (xds.annotations.v3.file_status).work_in_progress = true;
 // [#protodoc-title: OAuth2 Credential]
 // [#not-implemented-hide:]
-// [#extension: envoy.injected_credentials.oauth2]
+// [#extension: envoy.http.injected_credentials.oauth2]
 // OAuth2 extension can be used to retrieve an OAuth2 access token from an authorization server and inject it into the
 // proxied requests.
diff --git a/versioning/BUILD b/versioning/BUILD
index 56952b6f..dc5442bb 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -203,12 +203,12 @@ proto_library(
 "//envoy/extensions/http/early_header_mutation/header_mutation/v3:pkg",
 "//envoy/extensions/http/header_formatters/preserve_case/v3:pkg",
 "//envoy/extensions/http/header_validators/envoy_default/v3:pkg",
+ "//envoy/extensions/http/injected_credentials/generic/v3:pkg",
+ "//envoy/extensions/http/injected_credentials/oauth2/v3:pkg",
 "//envoy/extensions/http/original_ip_detection/custom_header/v3:pkg",
 "//envoy/extensions/http/original_ip_detection/xff/v3:pkg",
 "//envoy/extensions/http/stateful_session/cookie/v3:pkg",
 "//envoy/extensions/http/stateful_session/header/v3:pkg",
- "//envoy/extensions/injected_credentials/generic/v3:pkg",
- "//envoy/extensions/injected_credentials/oauth2/v3:pkg",
 "//envoy/extensions/internal_redirect/allow_listed_routes/v3:pkg",
 "//envoy/extensions/internal_redirect/previous_routes/v3:pkg",
 "//envoy/extensions/internal_redirect/safe_cross_scheme/v3:pkg",