From a29483497d9342d4e6419dd99723cb40fae96670 Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Wed, 5 Sep 2018 02:01:42 +0000
Subject: [PATCH] rbac: update the authenticated.user to a StringMatcher. (#4250)

This PR added a new principal_name of type StringMatcher to rbac Authenticated and mark the existing user field as deprecated. This gives us more flexibility to express more matching rules against peer certificate.
Risk Level: Low
Testing: Added unit tests
Signed-off-by: Yangmin Zhu
Mirrored from https://github.com/envoyproxy/envoy @ 5d731878fd0134ca15d5904450a64dab0ff577a9
---
 envoy/config/rbac/v2alpha/BUILD | 2 ++
 envoy/config/rbac/v2alpha/rbac.proto | 16 ++++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/envoy/config/rbac/v2alpha/BUILD b/envoy/config/rbac/v2alpha/BUILD
index f24c8594..c97a2f82 100644
--- a/envoy/config/rbac/v2alpha/BUILD
+++ b/envoy/config/rbac/v2alpha/BUILD
@@ -10,6 +10,7 @@ api_proto_library_internal(
"//envoy/api/v2/core:address",
"//envoy/api/v2/route",
"//envoy/type/matcher:metadata",
+ "//envoy/type/matcher:string",
],
)
@@ -20,5 +21,6 @@ api_go_proto_library(
"//envoy/api/v2/core:address_go_proto",
"//envoy/api/v2/route:route_go_proto",
"//envoy/type/matcher:metadata_go_proto",
+ "//envoy/type/matcher:string_go_proto",
],
)
diff --git a/envoy/config/rbac/v2alpha/rbac.proto b/envoy/config/rbac/v2alpha/rbac.proto
index 3f1f3ead..c5d8f1d8 100644
--- a/envoy/config/rbac/v2alpha/rbac.proto
+++ b/envoy/config/rbac/v2alpha/rbac.proto
@@ -4,6 +4,7 @@ import "validate/validate.proto";
import "envoy/api/v2/core/address.proto";
import "envoy/api/v2/route/route.proto";
import "envoy/type/matcher/metadata.proto";
+import "envoy/type/matcher/string.proto";
package envoy.config.rbac.v2alpha;
option go_package = "v2alpha";
@@ -30,8 +31,12 @@ option go_package = "v2alpha";
// permissions:
// - any: true
// principals:
-// - authenticated: { name: "cluster.local/ns/default/sa/admin" }
-// - authenticated: { name: "cluster.local/ns/default/sa/superuser" }
+// - authenticated:
+// principal_name:
+// exact: "cluster.local/ns/default/sa/admin"
+// - authenticated:
+// principal_name:
+// exact: "cluster.local/ns/default/sa/superuser"
// "product-viewer":
// permissions:
// - and_rules:
@@ -135,9 +140,12 @@ message Principal {
// Authentication attributes for a downstream.
message Authenticated {
- // The name of the principal. If set, the URI SAN is used from the certificate, otherwise the
+ reserved 1;
+ reserved "name";
+
+ // The name of the principal. If set, The URI SAN is used from the certificate, otherwise the
// subject field is used. If unset, it applies to any user that is authenticated.
- string name = 1;
+ envoy.type.matcher.StringMatcher principal_name = 2;
}
oneof identifier {
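Review bot: The comment on `principal_name` in the Authenticated hunk still reads as if the field held a literal name and does not say that the StringMatcher is evaluated against the whole URI SAN (or subject) string, so a reader cannot tell that a `prefix`, `suffix` or `regex` rule widens which peer identities an authorization policy accepts; it also capitalizes `The URI SAN`. Suggest `// Matcher for the principal name. If set, the URI SAN from the certificate (otherwise the subject field) is matched against this StringMatcher; if unset, it applies to any user that is authenticated.` The `reserved 1; reserved "name";` lines remove the old field outright rather than deprecating it as the description says, so configs that still set `name` will presumably be rejected by strict loaders; a `// The former 'name' field (exact string match) was removed in favour of principal_name.` line above the reservation would make that explicit. The enclosing `message Principal` starts before this hunk.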