Add decoder header mutation rules (#34182)

* add header mutation rules

Signed-off-by: antoniovleonti <leonti@google.com>

* fix spelling errors

Signed-off-by: antoniovleonti <leonti@google.com>

* use proto field link in proto doc string

Signed-off-by: antoniovleonti <leonti@google.com>

* Fix proto link

Signed-off-by: antoniovleonti <leonti@google.com>

* fix changelog proto link too

Signed-off-by: antoniovleonti <leonti@google.com>

* use correct link in changelog

Signed-off-by: antoniovleonti <leonti@google.com>

* fix integration test

Signed-off-by: antoniovleonti <leonti@google.com>

* remove redundant LowerCaseString conversion

Signed-off-by: antoniovleonti <leonti@google.com>

* use decoder_header_mutation_rules as optional field

Signed-off-by: antoniovleonti <leonti@google.com>

* remove lambda from check header func

Signed-off-by: antoniovleonti <leonti@google.com>

* fix doc reference/link

Signed-off-by: antoniovleonti <leonti@google.com>

* formatting fixes

Signed-off-by: antoniovleonti <leonti@google.com>

---------

Signed-off-by: antoniovleonti <leonti@google.com>
Signed-off-by: Antonio V. Leonti <53806445+antoniovleonti@users.noreply.github.com>

Mirrored from https://github.com/envoyproxy/envoy @ 74f327dc8b5a0f8ab67d7a47535c88cc89fed681
main
update-envoy[bot] 6 months ago
parent c5c5f8fc19
commit 6a94ec8793
  1. 1
      envoy/extensions/filters/http/ext_authz/v3/BUILD
  2. 22
      envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@ -7,6 +7,7 @@ licenses(["notice"]) # Apache 2
api_proto_package(
deps = [
"//envoy/annotations:pkg",
"//envoy/config/common/mutation_rules/v3:pkg",
"//envoy/config/core/v3:pkg",
"//envoy/type/matcher/v3:pkg",
"//envoy/type/v3:pkg",

@ -2,6 +2,7 @@ syntax = "proto3";
package envoy.extensions.filters.http.ext_authz.v3;
import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/config_source.proto";
import "envoy/config/core/v3/grpc_service.proto";
@ -28,10 +29,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
// [#extension: envoy.filters.http.ext_authz]
// [#next-free-field: 26]
// [#next-free-field: 27]
message ExtAuthz {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.ext_authz.v2.ExtAuthz";
"envoy.config.filter.http.ext_authz.v3.ExtAuthz";
reserved 4;
@ -261,6 +262,23 @@ message ExtAuthz {
// It's recommended you set this to true unless you already rely on the old behavior. False is the
// default only for backwards compatibility.
bool encode_raw_headers = 23;
// Rules for what modifications an ext_authz server may make to the request headers before
// continuing decoding / forwarding upstream.
//
// If set to anything, enables header mutation checking against configured rules. Note that
// :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
// has defaults that change ext_authz behavior. Also note that if this field is set to anything,
// ext_authz can no longer append to :-prefixed headers.
//
// If empty, header mutation rule checking is completely disabled.
//
// Regardless of what is configured here, ext_authz cannot remove :-prefixed headers.
//
// This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
// correctness checks for all header / query parameter mutations (e.g. for invalid characters).
// This field allows the filter to reject mutations to specific headers.
config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
}
// Configuration for buffering the request data.
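Review bot: The comment on `decoder_header_mutation_rules` says the filter can "reject mutations" but does not say what happens to the request when a mutation from the authorization server is disallowed; the ExtAuthz message body lies mostly outside the shown hunks, so this may be covered elsewhere. HeaderMutationRules has a `disallow_is_error` setting, so the outcome presumably depends on it, and the comment should state the default, for example `// A disallowed mutation is dropped unless disallow_is_error is set, in which case the request fails.` (wording to be confirmed against the filter implementation). The phrase "defaults that change ext_authz behavior" would be more useful if it named those defaults, since an operator who enables the field with an empty message needs to know which headers the authorization server can no longer modify. Separately, the `previous_message_type` value appears in this section with both a v2 and a v3 package path; if the new side is the v3 string, that edit looks unrelated to this change and should be confirmed.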
