ext_authz: add metadata matcher (#13404)

Signed-off-by: Yangmin Zhu <ymzhu@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 06604048eb8dd40294370cb35d650c2869626eaa

envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -6,6 +6,7 @@ import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 import "envoy/config/core/v3/http_uri.proto";
+import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "envoy/type/v3/http_status.proto";
 
@@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@@ -103,6 +104,10 @@ message ExtAuthz {
   // If this field is not specified, the filter will be enabled for all requests.
   config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
 
+  // Specifies if the filter is enabled with metadata matcher.
+  // If this field is not specified, the filter will be enabled for all requests.
+  type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
+
   // Specifies whether to deny the requests, when the filter is disabled.
   // If :ref:`runtime_key <envoy_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
   // Envoy will lookup the runtime key to determine whether to deny request for

envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto

@@ -6,6 +6,7 @@ import "envoy/config/core/v4alpha/base.proto";
 import "envoy/config/core/v4alpha/config_source.proto";
 import "envoy/config/core/v4alpha/grpc_service.proto";
 import "envoy/config/core/v4alpha/http_uri.proto";
+import "envoy/type/matcher/v4alpha/metadata.proto";
 import "envoy/type/matcher/v4alpha/string.proto";
 import "envoy/type/v3/http_status.proto";
 
@@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.extensions.filters.http.ext_authz.v3.ExtAuthz";
@@ -103,6 +104,10 @@ message ExtAuthz {
   // If this field is not specified, the filter will be enabled for all requests.
   config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 9;
 
+  // Specifies if the filter is enabled with metadata matcher.
+  // If this field is not specified, the filter will be enabled for all requests.
+  type.matcher.v4alpha.MetadataMatcher filter_enabled_metadata = 14;
+
   // Specifies whether to deny the requests, when the filter is disabled.
   // If :ref:`runtime_key <envoy_api_field_config.core.v4alpha.RuntimeFeatureFlag.runtime_key>` is specified,
   // Envoy will lookup the runtime key to determine whether to deny request for

envoy/extensions/filters/network/ext_authz/v3/BUILD

@@ -8,6 +8,7 @@ api_proto_package(
     deps = [
         "//envoy/config/core/v3:pkg",
         "//envoy/config/filter/network/ext_authz/v2:pkg",
+        "//envoy/type/matcher/v3:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
     ],
 )

envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto

@@ -4,6 +4,7 @@ package envoy.extensions.filters.network.ext_authz.v3;
 
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
+import "envoy/type/matcher/v3/metadata.proto";
 
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
@@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // gRPC Authorization API defined by
 // :ref:`CheckRequest <envoy_api_msg_service.auth.v3.CheckRequest>`.
 // A failed check will cause this filter to close the TCP connection.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.ext_authz.v2.ExtAuthz";
@@ -51,4 +52,8 @@ message ExtAuthz {
   // version of Check{Request,Response} used on the wire.
   config.core.v3.ApiVersion transport_api_version = 5
       [(validate.rules).enum = {defined_only: true}];
+
+  // Specifies if the filter is enabled with metadata matcher.
+  // If this field is not specified, the filter will be enabled for all requests.
+  type.matcher.v3.MetadataMatcher filter_enabled_metadata = 6;
 }

envoy/extensions/filters/network/ext_authz/v4alpha/BUILD

@@ -0,0 +1,14 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v4alpha:pkg",
+        "//envoy/extensions/filters/network/ext_authz/v3:pkg",
+        "//envoy/type/matcher/v4alpha:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto

@@ -0,0 +1,59 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.ext_authz.v4alpha;
+
+import "envoy/config/core/v4alpha/config_source.proto";
+import "envoy/config/core/v4alpha/grpc_service.proto";
+import "envoy/type/matcher/v4alpha/metadata.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.ext_authz.v4alpha";
+option java_outer_classname = "ExtAuthzProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: Network External Authorization ]
+// The network layer external authorization service configuration
+// :ref:`configuration overview <config_network_filters_ext_authz>`.
+// [#extension: envoy.filters.network.ext_authz]
+
+// External Authorization filter calls out to an external service over the
+// gRPC Authorization API defined by
+// :ref:`CheckRequest <envoy_api_msg_service.auth.v4alpha.CheckRequest>`.
+// A failed check will cause this filter to close the TCP connection.
+// [#next-free-field: 7]
+message ExtAuthz {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.filters.network.ext_authz.v3.ExtAuthz";
+
+  // The prefix to use when emitting statistics.
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The external authorization gRPC service configuration.
+  // The default timeout is set to 200ms by this filter.
+  config.core.v4alpha.GrpcService grpc_service = 2;
+
+  // The filter's behaviour in case the external authorization service does
+  // not respond back. When it is set to true, Envoy will also allow traffic in case of
+  // communication failure between authorization service and the proxy.
+  // Defaults to false.
+  bool failure_mode_allow = 3;
+
+  // Specifies if the peer certificate is sent to the external service.
+  //
+  // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+  // :ref:`certificate<envoy_api_field_service.auth.v4alpha.AttributeContext.Peer.certificate>`.
+  bool include_peer_certificate = 4;
+
+  // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
+  // version of Check{Request,Response} used on the wire.
+  config.core.v4alpha.ApiVersion transport_api_version = 5
+      [(validate.rules).enum = {defined_only: true}];
+
+  // Specifies if the filter is enabled with metadata matcher.
+  // If this field is not specified, the filter will be enabled for all requests.
+  type.matcher.v4alpha.MetadataMatcher filter_enabled_metadata = 6;
+}