Add OAuth filter (#11268)

This was written by Derek Argueta originally. Some more
work might be needed to make it more generic.

Risk Level: low, new filter
Testing: unit tests included
Docs Changes: filter docs added

Signed-off-by: Snow Pettersen <snowp@lyft.com>
Co-authored-by: Derek Argueta <darguetap@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ c6bfd7f9f52468d576781a9b1fe9ea5d3f9086c9

BUILD

@@ -190,6 +190,7 @@ proto_library(
         "//envoy/extensions/filters/http/ip_tagging/v3:pkg",
         "//envoy/extensions/filters/http/jwt_authn/v3:pkg",
         "//envoy/extensions/filters/http/lua/v3:pkg",
+        "//envoy/extensions/filters/http/oauth2/v3alpha:pkg",
         "//envoy/extensions/filters/http/on_demand/v3:pkg",
         "//envoy/extensions/filters/http/original_src/v3:pkg",
         "//envoy/extensions/filters/http/ratelimit/v3:pkg",

envoy/extensions/filters/http/oauth2/v3alpha/BUILD

@@ -0,0 +1,15 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "//envoy/config/route/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/v3:pkg",
+        "//envoy/type/matcher/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/filters/http/oauth2/v3alpha/oauth.proto

@@ -0,0 +1,83 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.oauth2.v3alpha;
+
+import "envoy/config/core/v3/http_uri.proto";
+import "envoy/config/route/v3/route_components.proto";
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+import "envoy/type/matcher/v3/path.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v3alpha";
+option java_outer_classname = "OauthProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: OAuth]
+// OAuth :ref:`configuration overview <config_http_filters_oauth>`.
+// [#extension: envoy.filters.http.oauth2]
+//
+
+message OAuth2Credentials {
+  // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
+  string client_id = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
+  transport_sockets.tls.v3.SdsSecretConfig token_secret = 2
+      [(validate.rules).message = {required: true}];
+
+  // Configures how the secret token should be created.
+  oneof token_formation {
+    option (validate.required) = true;
+
+    // If present, the secret token will be a HMAC using the provided secret.
+    transport_sockets.tls.v3.SdsSecretConfig hmac_secret = 3
+        [(validate.rules).message = {required: true}];
+  }
+}
+
+// OAuth config
+//
+// [#next-free-field: 9]
+message OAuth2Config {
+  // Endpoint on the authorization server to retrieve the access token from.
+  config.core.v3.HttpUri token_endpoint = 1;
+
+  // The endpoint redirect to for authorization in response to unauthorized requests.
+  string authorization_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+
+  // Credentials used for OAuth.
+  OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
+
+  // The redirect URI passed to the authorization endpoint. Supports header formatting
+  // tokens. For more information, including details on header value syntax, see the
+  // documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
+  //
+  // This URI should not contain any query parameters.
+  string redirect_uri = 4 [(validate.rules).string = {min_bytes: 1}];
+
+  // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
+  type.matcher.v3.PathMatcher redirect_path_matcher = 5
+      [(validate.rules).message = {required: true}];
+
+  // The path to sign a user out, clearing their credential cookies.
+  type.matcher.v3.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}];
+
+  // Forward the OAuth token as a Bearer to upstream web service.
+  bool forward_bearer_token = 7;
+
+  // Any request that matches any of the provided matchers will be passed through without OAuth validation.
+  repeated config.route.v3.HeaderMatcher pass_through_matcher = 8;
+}
+
+// Filter config.
+message OAuth2 {
+  // Leave this empty to disable OAuth2 for a specific route, using per filter config.
+  OAuth2Config config = 1;
+}

envoy/extensions/filters/http/oauth2/v4alpha/BUILD

@@ -0,0 +1,16 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v4alpha:pkg",
+        "//envoy/config/route/v4alpha:pkg",
+        "//envoy/extensions/filters/http/oauth2/v3alpha:pkg",
+        "//envoy/extensions/transport_sockets/tls/v4alpha:pkg",
+        "//envoy/type/matcher/v4alpha:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/filters/http/oauth2/v4alpha/oauth.proto

@@ -0,0 +1,92 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.oauth2.v4alpha;
+
+import "envoy/config/core/v4alpha/http_uri.proto";
+import "envoy/config/route/v4alpha/route_components.proto";
+import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto";
+import "envoy/type/matcher/v4alpha/path.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v4alpha";
+option java_outer_classname = "OauthProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).work_in_progress = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: OAuth]
+// OAuth :ref:`configuration overview <config_http_filters_oauth>`.
+// [#extension: envoy.filters.http.oauth2]
+//
+
+message OAuth2Credentials {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Credentials";
+
+  // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
+  string client_id = 1 [(validate.rules).string = {min_bytes: 1}];
+
+  // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
+  transport_sockets.tls.v4alpha.SdsSecretConfig token_secret = 2
+      [(validate.rules).message = {required: true}];
+
+  // Configures how the secret token should be created.
+  oneof token_formation {
+    option (validate.required) = true;
+
+    // If present, the secret token will be a HMAC using the provided secret.
+    transport_sockets.tls.v4alpha.SdsSecretConfig hmac_secret = 3
+        [(validate.rules).message = {required: true}];
+  }
+}
+
+// OAuth config
+//
+// [#next-free-field: 9]
+message OAuth2Config {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2Config";
+
+  // Endpoint on the authorization server to retrieve the access token from.
+  config.core.v4alpha.HttpUri token_endpoint = 1;
+
+  // The endpoint redirect to for authorization in response to unauthorized requests.
+  string authorization_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+
+  // Credentials used for OAuth.
+  OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
+
+  // The redirect URI passed to the authorization endpoint. Supports header formatting
+  // tokens. For more information, including details on header value syntax, see the
+  // documentation on :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
+  //
+  // This URI should not contain any query parameters.
+  string redirect_uri = 4 [(validate.rules).string = {min_bytes: 1}];
+
+  // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
+  type.matcher.v4alpha.PathMatcher redirect_path_matcher = 5
+      [(validate.rules).message = {required: true}];
+
+  // The path to sign a user out, clearing their credential cookies.
+  type.matcher.v4alpha.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}];
+
+  // Forward the OAuth token as a Bearer to upstream web service.
+  bool forward_bearer_token = 7;
+
+  // Any request that matches any of the provided matchers will be passed through without OAuth validation.
+  repeated config.route.v4alpha.HeaderMatcher pass_through_matcher = 8;
+}
+
+// Filter config.
+message OAuth2 {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.filters.http.oauth2.v3alpha.OAuth2";
+
+  // Leave this empty to disable OAuth2 for a specific route, using per filter config.
+  OAuth2Config config = 1;
+}

versioning/BUILD

@@ -73,6 +73,7 @@ proto_library(
         "//envoy/extensions/filters/http/ip_tagging/v3:pkg",
         "//envoy/extensions/filters/http/jwt_authn/v3:pkg",
         "//envoy/extensions/filters/http/lua/v3:pkg",
+        "//envoy/extensions/filters/http/oauth2/v3alpha:pkg",
         "//envoy/extensions/filters/http/on_demand/v3:pkg",
         "//envoy/extensions/filters/http/original_src/v3:pkg",
         "//envoy/extensions/filters/http/ratelimit/v3:pkg",