External auth filter2 (#296)

Signed-off-by: Mandar U Jog <mjog@google.com>

api/BUILD

@@ -7,12 +7,6 @@ api_proto_library(
     srcs = ["address.proto"],
 )
 
-api_proto_library(
-    name = "auth",
-    srcs = ["auth.proto"],
-    deps = [":sds"],
-)
-
 api_proto_library(
     name = "base",
     srcs = ["base.proto"],
@@ -121,9 +115,9 @@ api_proto_library(
     srcs = ["rds.proto"],
     has_services = 1,
     deps = [
-        ":auth",
         ":base",
         ":discovery",
+        "//api/auth",
     ],
 )
 

api/auth/BUILD

@@ -0,0 +1,15 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "auth",
+    srcs = [
+        "auth.proto",
+        "external_auth.proto",
+    ],
+    deps = [
+        "//api:address",
+        "//api:sds",
+    ],
+)

api/auth/auth.proto

@@ -2,7 +2,7 @@ syntax = "proto3";
 
 // [#proto-status: draft]
 
-package envoy.api.v2;
+package envoy.api.v2.auth;
 
 import "api/sds.proto";
 

api/auth/external_auth.proto

@@ -0,0 +1,147 @@
+syntax = "proto3";
+
+// [#proto-status: draft]
+
+package envoy.api.v2.auth;
+
+import "api/address.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/timestamp.proto";
+import "google/rpc/status.proto";
+
+// Authorization service.
+// Primarily responds with `OK` or `NOT OK`.
+service Authorization {
+  rpc Check(CheckRequest) returns (CheckResponse);
+}
+
+message CheckRequest {
+  // The request attributes.
+  AttributeContext attributes = 1;
+}
+
+message CheckResponse {
+  // Status `OK` allows the request. Any other status indicates the request should be denied.
+  google.rpc.Status status = 1;
+}
+
+// An attribute is a piece of metadata that describes an activity on a network.
+// For example, the size of an HTTP request, or the status code of an HTTP response.
+//
+// Each attribute has a type and a name, which is logically defined as a proto message field.
+// AttributeContext is a collection of individual attributes.
+message AttributeContext {
+  // This message defines attributes for a node that handles a network request.
+  // The node can be either a service or an application that sends, forwards,
+  // or receives the request. Service peers should fill in the `service`,
+  // `principal`, and `labels` as appropriate.
+  message Peer {
+    // The address of the peer, this is typically the IP address.
+    // It can also be UDS, or others.
+    Address address = 1;
+
+    // The canonical service name of the peer.
+    // It should be set to :ref:`x-envoy-downstream-service-cluster
+    // <https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers#x-envoy-downstream-service-cluster>`
+    // If a more trusted source of the service name is available through mTLS/secure naming, it
+    // should be used.
+    string service = 2;
+
+    // The labels associated with the peer.
+    // These could be pod labels for Kubernetes or tags for VMs.
+    // The source of the labels could be an X.509 certificate or other configuration.
+    map<string, string> labels = 3;
+
+    // The authenticated identity of this peer.
+    // For example, the identity associated with the workload such as a service account.
+    // If an X.509 certificate is used to assert the identity this field should be sourced from
+    // `Subject` or `Subject Alternative Names`. The primary identity should be the principal.
+    // The principal format is issuer specific.
+    // For example
+    // SPIFFE format is `spiffe://trust-domain/path`
+    // Google account format is `https://accounts.google.com/{userid}`
+    string principal = 4;
+  }
+
+  // Represents a network request, such as an HTTP request.
+  message Request {
+    oneof request {
+      HTTPRequest http_request = 1;
+    }
+    // The timestamp when the proxy receives the first byte of the request.
+    google.protobuf.Timestamp time = 2;
+  }
+
+  // This message defines attributes for an HTTP request.
+  // HTTP, H2, grpc are all considered http requests.
+  message HTTPRequest {
+    // The unique ID for a request, which can be propagated to downstream
+    // systems. The ID should have low probability of collision
+    // within a single day for a specific service.
+    // For http it should be X-Request-ID or equivalent.
+    // For tcp is should be a connection id.
+    string id = 1;
+
+    // The HTTP request method, such as `GET`, `POST`.
+    string method = 2;
+
+    // The HTTP request headers. If multiple headers share the same key, they
+    // must be merged according to the HTTP spec. All header keys must be
+    // lowercased, because HTTP header keys are case-insensitive.
+    map<string, string> headers = 3;
+
+    // The HTTP URL path.
+    string path = 4;
+
+    // The HTTP request `Host` or 'Authority` header value.
+    string host = 5;
+
+    // The HTTP URL scheme, such as `http` and `https`.
+    string scheme = 6;
+
+    // The HTTP URL query in the format of `name1=value`&name2=value2`, as it
+    // appears in the first line of the HTTP request. No decoding is performed.
+    string query = 7;
+
+    // The HTTP URL fragment. No URL decoding is performed.
+    string fragment = 8;
+
+    // The HTTP request size in bytes. If unknown, it must be -1.
+    int64 size = 9;
+
+    // The network protocol used with the request, such as
+    // "http/1.1", "spdy/3", "h2", "h2c"
+    string protocol = 10;
+  }
+
+  // The source of a network activity, such as starting a TCP connection.
+  // In a multi hop network activity, the source represents the sender of the
+  // last hop.
+  Peer source = 1;
+
+  // The destination of a network activity, such as accepting a TCP connection.
+  // In a multi hop network activity, the destination represents the receiver of
+  // the last hop.
+  Peer destination = 2;
+
+  // Represents a network request, such as an HTTP request.
+  Request request = 4;
+
+  // This is analogous to http_request.headers, however these contents will not be sent to the
+  // upstream server. Context_extensions provide an extension mechanism for sending additional
+  // information to the auth server without modifying the proto definition. It maps to the internal
+  // opaque context in the filter chain.
+  map<string, string> context_extensions = 10;
+}
+
+// The following items are left out of this proto
+// Request.Auth field for jwt tokens
+// Request.Api for api management
+// Origin peer that originated the request
+// Caching Protocol
+// request_context return values to inject back into the filter chain
+// peer.claims -- from X.509 extensions
+// Configuration
+// - field mask to send
+// - which return values from request_context are copied back
+// - which return values are copied into request_headers

api/rds.proto

@@ -2,7 +2,7 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-import "api/auth.proto";
+import "api/auth/auth.proto";
 import "api/base.proto";
 import "api/discovery.proto";
 
@@ -156,7 +156,7 @@ message VirtualHost {
 
   // [#not-implemented-hide:]
   // Return a 401/403 when auth checks fail.
-  AuthAction auth = 9;
+  auth.AuthAction auth = 9;
 }
 
 // A route is both a specification of how to match a request as well as an indication of what to do
@@ -192,7 +192,7 @@ message Route {
 
   // [#not-implemented-hide:]
   // Return a 401/403 when auth checks fail.
-  AuthAction auth = 6;
+  auth.AuthAction auth = 6;
 }
 
 // Compared to the :ref:`cluster <envoy_api_field_RouteAction.cluster>` field that specifies a

bazel/api_build_system.bzl

@@ -28,6 +28,7 @@ def api_py_proto_library(name, srcs = [], deps = [], has_services = 0):
         deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + [
             "@com_lyft_protoc_gen_validate//validate:validate_py",
             "@googleapis//:http_api_protos_py",
+            "@googleapis//:rpc_status_protos_py",
             "@com_github_gogo_protobuf//:gogo_proto_py",
         ],
         visibility = ["//visibility:public"],
@@ -53,6 +54,7 @@ def api_proto_library(name, srcs = [], deps = [], has_services = 0, require_py =
             "@com_google_protobuf//:timestamp_proto",
             "@com_google_protobuf//:wrappers_proto",
             "@googleapis//:http_api_protos_proto",
+            "@googleapis//:rpc_status_protos_lib",
             "@com_github_gogo_protobuf//:gogo_proto",
             "@com_lyft_protoc_gen_validate//validate:validate_proto",
         ],
@@ -69,6 +71,7 @@ def api_proto_library(name, srcs = [], deps = [], has_services = 0, require_py =
         external_deps = [
             "@com_google_protobuf//:cc_wkt_protos",
             "@googleapis//:http_api_protos",
+            "@googleapis//:rpc_status_protos",
             "@com_github_gogo_protobuf//:gogo_proto_cc",
         ],
         visibility = ["//visibility:public"],

bazel/repositories.bzl

@@ -57,7 +57,42 @@ py_proto_library(
     visibility = ["//visibility:public"],
     deps = ["@com_google_protobuf//:protobuf_python"],
 )
-        """,
+filegroup(
+     name = "rpc_status_protos_src",
+     srcs = [
+         "google/rpc/status.proto",
+     ],
+     visibility = ["//visibility:public"],
+)
+
+proto_library(
+     name = "rpc_status_protos_lib",
+     srcs = [":rpc_status_protos_src"],
+     deps = ["@com_google_protobuf//:any_proto"],
+     visibility = ["//visibility:public"],
+)
+cc_proto_library(
+     name = "rpc_status_protos",
+     srcs = ["google/rpc/status.proto"],
+     default_runtime = "@com_google_protobuf//:protobuf",
+     protoc = "@com_google_protobuf//:protoc",
+     deps = [
+         "@com_google_protobuf//:cc_wkt_protos"
+     ],
+     visibility = ["//visibility:public"],
+)
+py_proto_library(
+     name = "rpc_status_protos_py",
+     srcs = [
+         "google/rpc/status.proto",
+     ],
+     include = ".",
+     default_runtime = "@com_google_protobuf//:protobuf_python",
+     protoc = "@com_google_protobuf//:protoc",
+     visibility = ["//visibility:public"],
+     deps = ["@com_google_protobuf//:protobuf_python"],
+)
+""",
     )
 
     native.new_http_archive(