From 76b7f0785cd07f4f7473ee3a446b3f7de674f56f Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Mon, 27 Mar 2023 15:21:14 +0000
Subject: [PATCH] ext-authz: send SNI in CheckRequest to the authorization server (#25775)

Signed-off-by: Harry Bagdi

Mirrored from https://github.com/envoyproxy/envoy @ 89eabf6847cbe0cdb786ae776c73e165483e82a6
---
 .../filters/http/ext_authz/v3/ext_authz.proto | 8 +++++++-
 envoy/service/auth/v3/attribute_context.proto | 13 ++++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
index de3192bd..4823ace7 100644
--- a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+++ b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@@ -26,7 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview `.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 18]
+// [#next-free-field: 19]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@@ -179,6 +179,12 @@ message ExtAuthz {
   // consequently the value of *Content-Length* of the authorization request reflects the size of
   // its payload size.
   type.matcher.v3.ListStringMatcher allowed_headers = 17;
+
+  // Specifies if the TLS session level details like SNI are sent to the external service.
+  //
+  // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
+  // :ref:`tls_session`.
+  bool include_tls_session = 18;
 }
 
 // Configuration for buffering the request data.
diff --git a/envoy/service/auth/v3/attribute_context.proto b/envoy/service/auth/v3/attribute_context.proto
index 4afa86ae..77af8443 100644
--- a/envoy/service/auth/v3/attribute_context.proto
+++ b/envoy/service/auth/v3/attribute_context.proto
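Review bot: The doc comment on `include_tls_session` promises "TLS session level details like SNI", but the only attribute the companion `TLSSession` message carries is `sni`, so the comment overstates what the authorization server receives and says nothing about the trust level of that value. I would rewrite the second paragraph as `// When this field is true, Envoy will include the SNI name from the client's TLS ClientHello, if one was presented, in the :ref:`tls_session` attribute of the CheckRequest. The SNI is supplied by the client, so the authorization server should treat it as client-controlled input rather than an established identity.` Whether `tls_session` is omitted or sent with an empty `sni` when the downstream connection is plaintext is not visible from this hunk and should be stated as well. Minor style: `TLSClientHello` reads better as `TLS ClientHello`, and the third comment line overruns the width the neighbouring comment lines keep to.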
@@ -38,7 +38,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // - field mask to send
 // - which return values from request_context are copied back
 // - which return values are copied into request_headers]
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message AttributeContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.service.auth.v2.AttributeContext";
@@ -155,6 +155,12 @@ message AttributeContext {
     bytes raw_body = 12;
   }
 
+  // This message defines attributes for the underlying TLS session.
+  message TLSSession {
+    // SNI used for TLS session.
+    string sni = 1;
+  }
+
   // The source of a network activity, such as starting a TCP connection.
   // In a multi hop network activity, the source represents the sender of the
   // last hop.
@@ -176,4 +182,9 @@ message AttributeContext {
 
   // Dynamic metadata associated with the request.
   config.core.v3.Metadata metadata_context = 11;
+
+  // TLS session details of the underlying connection.
+  // This is not populated by default and will be populated if ext_authz filter's
+  // :ref:`include_tls_session ` is set to true.
+  TLSSession tls_session = 12;
 }
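Review bot: The `sni` field comment `// SNI used for TLS session.` does not say where the value comes from or what an empty string means, which matters for an authorization server that may build policy on it. I would write `// Server Name Indication (SNI) as presented by the client in its TLS ClientHello; this is client-controlled input, not a verified identity. Empty when the client presented no SNI.` so a consumer knows how much weight to give it. As a point of style, Envoy's other TLS message types spell the acronym as a word (`TlsParameters`, `TlsCertificate`), so `TlsSession` would be the consistent name; since renaming a message after it ships is a generated-code break, that is worth settling before merge. `AttributeContext` begins before this hunk.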
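Review bot: The comment on `tls_session` ties its presence only to `include_tls_session`, leaving open what happens when the flag is on but the downstream connection is plaintext or carried no SNI — the matching ext_authz comment says just "if available". Because `tls_session` is a message field with explicit presence, a consumer will reasonably read "unset" as "no TLS session", so the contract should state whether the field is then left unset or sent with an empty `sni`; I cannot tell which from this hunk. I would extend the comment with one sentence of the form `// When the flag is set but the connection carries no TLS session details, this field is <left unset | set with an empty sni> — TODO confirm against the filter.` with the alternative resolved by the author. `AttributeContext` begins before this hunk.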