rbac: add filter state object option (#23828)

Signed-off-by: Kuat Yessenov kuat@google.com Commit Message: Add another option to read principal from the filter state instead of metadata. The use case is passing the value from a network filter to an HTTP filter (RBAC), and the dynamic metadata does not support inheritance. For tunneled requests, the principal needs to be set at the tunnel connection, not the internal connection used for HTTP processing. Risk Level: low Testing: unit Docs Changes: none Release Notes: none Mirrored from https://github.com/envoyproxy/envoy @ 91eccaf7d75161676e90adae58722c4bfa7d0c2e
2 years ago · af5349f5f5
parent 9847b7deee
commit af5349f5f5
2 changed files with 34 additions and 1 deletions
--- a/envoy/config/rbac/v3/rbac.proto
+++ b/envoy/config/rbac/v3/rbac.proto
@ -5,6 +5,7 @@ package envoy.config.rbac.v3;
 import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/extension.proto";
 import "envoy/config/route/v3/route_components.proto";
+import "envoy/type/matcher/v3/filter_state.proto";
 import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/path.proto";
 import "envoy/type/matcher/v3/string.proto";
@ -229,7 +230,7 @@ message Permission {

 // Principal defines an identity or a group of identities for a downstream
 // subject.
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message Principal {
  option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Principal";

@ -304,6 +305,9 @@ message Principal {
    // Metadata that describes additional information about the principal.
    type.matcher.v3.MetadataMatcher metadata = 7;

+    // Identifies the principal using a filter state object.
+    type.matcher.v3.FilterStateMatcher filter_state = 12;
+
    // Negates matching the provided principal. For instance, if the value of
    // ``not_id`` would match, this principal would not match. Conversely, if the
    // value of ``not_id`` would not match, this principal would match.
--- a/envoy/type/matcher/v3/filter_state.proto
+++ b/envoy/type/matcher/v3/filter_state.proto
@ -0,0 +1,29 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "envoy/type/matcher/v3/string.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "FilterStateProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Filter state matcher]
+
+// FilterStateMatcher provides a general interface for matching the filter state objects.
+message FilterStateMatcher {
+  // The filter state key to retrieve the object.
+  string key = 1 [(validate.rules).string = {min_len: 1}];
+
+  oneof matcher {
+    option (validate.required) = true;
+
+    // Matches the filter state object as a string value.
+    StringMatcher string_match = 2;
+  }
+}