add auth_config to vhost/route (#199)

Signed-off-by: James Fang <54740235@qq.com>
7 years ago · 7d9e737e85
parent 971fb1b70f
commit 7d9e737e85
3 changed files with 63 additions and 0 deletions
--- a/api/BUILD
+++ b/api/BUILD
@ -8,6 +8,7 @@ proto_library(
    name = "go_protos",
    srcs = [
        "address.proto",
+        "auth.proto",
        "base.proto",
        "bootstrap.proto",
        "cds.proto",
@ -53,6 +54,12 @@ api_proto_library(
    srcs = ["address.proto"],
 )

+api_proto_library(
+    name = "auth",
+    srcs = ["auth.proto"],
+    deps = [":sds"],
+)
+
 api_proto_library(
    name = "base",
    srcs = ["base.proto"],
@ -159,6 +166,7 @@ api_proto_library(
    srcs = ["rds.proto"],
    has_services = 1,
    deps = [
+        ":auth",
        ":base",
        ":discovery",
    ],
--- a/api/auth.proto
+++ b/api/auth.proto
@ -0,0 +1,46 @@
+syntax = "proto3";
+
+package envoy.api.v2;
+
+import "api/sds.proto";
+
+message AuthAction {
+  // Should we do white-list or black-list style access control.
+  enum ActionType {
+    // Request matches all rules are allowed, otherwise denied.
+    ALLOW = 0;
+    // Request matches all rules or missing required auth fields are denied,
+    // otherwise allowed.
+    DENY = 1;
+  }
+
+  ActionType action_type = 1;
+
+  // Logic AND that requires all rules match.
+  message AndRule {
+    repeated Rule rules = 1;
+  }
+
+  // Logic OR that requires at least one rule matches.
+  message OrRule {
+    repeated Rule rules = 1;
+  }
+
+  // Check peer identity using X.509 certificate.
+  message X509Rule {
+    // How to validate peer certificates.
+    CertificateValidationContext validation_context = 3;
+  }
+
+  // Element type of AndRule/OrRule, it chooses among different type of rule.
+  message Rule {
+    oneof rule_specifier {
+      AndRule and_rule = 1;
+      OrRule or_rule = 2;
+      X509Rule x509_rule = 3;
+    }
+  }
+
+  // List of rules
+  repeated Rule rule = 2;
+}
--- a/api/rds.proto
+++ b/api/rds.proto
@ -6,6 +6,7 @@ syntax = "proto3";

 package envoy.api.v2;

+import "api/auth.proto";
 import "api/base.proto";
 import "api/discovery.proto";

@ -334,6 +335,10 @@ message Route {

  // Decorator for matched route.
  Decorator decorator = 5;
+
+  // Return a 401/403 when auth checks fail.
+  // [V2-API-DIFF] new in v2.
+  AuthAction auth = 6;
 }

 // A virtual cluster is a way of specifying a regex matching rule against
@ -499,6 +504,10 @@ message VirtualHost {

  // Indicates that the virtual host has a CORS policy.
  CorsPolicy cors = 8;
+
+  // Return a 401/403 when auth checks fail.
+  // [V2-API-DIFF] new in v2.
+  AuthAction auth = 9;
 }

 message RouteConfiguration {