From b19ca0ca01ead68b68acfcac81a689434be2c914 Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Tue, 6 Oct 2020 22:40:35 +0000
Subject: [PATCH] ext_authz: add metadata matcher (#13404)

Signed-off-by: Yangmin Zhu

Mirrored from https://github.com/envoyproxy/envoy @ 06604048eb8dd40294370cb35d650c2869626eaa
---
 .../filters/http/ext_authz/v3/ext_authz.proto | 7 ++-
 .../http/ext_authz/v4alpha/ext_authz.proto | 7 ++-
 .../filters/network/ext_authz/v3/BUILD | 1 +
 .../network/ext_authz/v3/ext_authz.proto | 7 ++-
 .../filters/network/ext_authz/v4alpha/BUILD | 14 +++++
 .../network/ext_authz/v4alpha/ext_authz.proto | 59 +++++++++++++++++++
 6 files changed, 92 insertions(+), 3 deletions(-)
 create mode 100644 envoy/extensions/filters/network/ext_authz/v4alpha/BUILD
 create mode 100644 envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto

diff --git a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
index 07f88331..39525880 100644
--- a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+++ b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@@ -6,6 +6,7 @@ import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 import "envoy/config/core/v3/http_uri.proto";
+import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "envoy/type/v3/http_status.proto";
 
@@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview `.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message ExtAuthz {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@@ -103,6 +104,10 @@ message ExtAuthz {
 // If this field is not specified, the filter will be enabled for all requests.
 config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
 
+ // Specifies if the filter is enabled with metadata matcher.
+ // If this field is not specified, the filter will be enabled for all requests.
+ type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
+
 // Specifies whether to deny the requests, when the filter is disabled.
 // If :ref:`runtime_key ` is specified,
 // Envoy will lookup the runtime key to determine whether to deny request for
diff --git a/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto b/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto
index 72b50023..ec8854f5 100644
--- a/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto
+++ b/envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto
@@ -6,6 +6,7 @@ import "envoy/config/core/v4alpha/base.proto";
 import "envoy/config/core/v4alpha/config_source.proto";
 import "envoy/config/core/v4alpha/grpc_service.proto";
 import "envoy/config/core/v4alpha/http_uri.proto";
+import "envoy/type/matcher/v4alpha/metadata.proto";
 import "envoy/type/matcher/v4alpha/string.proto";
 import "envoy/type/v3/http_status.proto";
 
@@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // External Authorization :ref:`configuration overview `.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message ExtAuthz {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.extensions.filters.http.ext_authz.v3.ExtAuthz";
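Review bot: The comment on the new `type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;` does not say how this matcher composes with the neighbouring `filter_enabled` fraction when both are set, nor whether the deny-when-disabled behaviour described in the context lines that follow also applies to a request the matcher does not match; for an authorization filter a disable condition is a bypass path, so its exact semantics belong in the field doc. The comment also leaves open which metadata the matcher is evaluated against (presumably the request's dynamic metadata, but nothing in the hunk confirms that). I would extend the two comment lines to state the metadata source, that a request must pass both `filter_enabled` and this matcher for the filter to run if that is what the implementation does, and that a non-matching request is treated exactly like a runtime-disabled one. The v4alpha hunk on the next line carries the identical comment and should be updated the same way.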
@@ -103,6 +104,10 @@ message ExtAuthz {
 // If this field is not specified, the filter will be enabled for all requests.
 config.core.v4alpha.RuntimeFractionalPercent filter_enabled = 9;
 
+ // Specifies if the filter is enabled with metadata matcher.
+ // If this field is not specified, the filter will be enabled for all requests.
+ type.matcher.v4alpha.MetadataMatcher filter_enabled_metadata = 14;
+
 // Specifies whether to deny the requests, when the filter is disabled.
 // If :ref:`runtime_key ` is specified,
 // Envoy will lookup the runtime key to determine whether to deny request for
diff --git a/envoy/extensions/filters/network/ext_authz/v3/BUILD b/envoy/extensions/filters/network/ext_authz/v3/BUILD
index a4e298b4..a5c5b57b 100644
--- a/envoy/extensions/filters/network/ext_authz/v3/BUILD
+++ b/envoy/extensions/filters/network/ext_authz/v3/BUILD
@@ -8,6 +8,7 @@ api_proto_package(
 deps = [
 "//envoy/config/core/v3:pkg",
 "//envoy/config/filter/network/ext_authz/v2:pkg",
+ "//envoy/type/matcher/v3:pkg",
 "@com_github_cncf_udpa//udpa/annotations:pkg",
 ],
 )
diff --git a/envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto b/envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto
index 4499b80c..78f4167c 100644
--- a/envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto
+++ b/envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto
@@ -4,6 +4,7 @@ package envoy.extensions.filters.network.ext_authz.v3;
 
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
+import "envoy/type/matcher/v3/metadata.proto";
 
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
@@ -23,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // gRPC Authorization API defined by
 // :ref:`CheckRequest `.
 // A failed check will cause this filter to close the TCP connection.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message ExtAuthz {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.config.filter.network.ext_authz.v2.ExtAuthz";
@@ -51,4 +52,8 @@ message ExtAuthz {
 // version of Check{Request,Response} used on the wire.
 config.core.v3.ApiVersion transport_api_version = 5
 [(validate.rules).enum = {defined_only: true}];
+
+ // Specifies if the filter is enabled with metadata matcher.
+ // If this field is not specified, the filter will be enabled for all requests.
+ type.matcher.v3.MetadataMatcher filter_enabled_metadata = 6;
 }
diff --git a/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD b/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD
new file mode 100644
index 00000000..6d146b1c
--- /dev/null
+++ b/envoy/extensions/filters/network/ext_authz/v4alpha/BUILD
@@ -0,0 +1,14 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/config/core/v4alpha:pkg",
+ "//envoy/extensions/filters/network/ext_authz/v3:pkg",
+ "//envoy/type/matcher/v4alpha:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto b/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto
new file mode 100644
index 00000000..f877a3ed
--- /dev/null
+++ b/envoy/extensions/filters/network/ext_authz/v4alpha/ext_authz.proto
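Review bot: The comment on `type.matcher.v3.MetadataMatcher filter_enabled_metadata = 6;` in the network filter says the filter is "enabled for all requests", but this filter operates on TCP connections (the message comment above states that a failed check closes the TCP connection), so the wording should talk about connections and say what happens to a connection the matcher does not match — presumably it is never sent to the authorization service and is allowed through, which is a bypass path worth spelling out, and unlike the HTTP filter there is no fractional enable or deny-when-disabled field here to fall back on. The comment also does not name which metadata the matcher is evaluated against. Suggested wording, with the last clause confirmed against the implementation: `// If this field is not specified, the filter is enabled for all connections; a connection whose metadata does not match is not checked and is allowed through.` The v4alpha file added in the following hunk looks like a generated mirror of this one and carries the same comment.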
@@ -0,0 +1,59 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.ext_authz.v4alpha;
+
+import "envoy/config/core/v4alpha/config_source.proto";
+import "envoy/config/core/v4alpha/grpc_service.proto";
+import "envoy/type/matcher/v4alpha/metadata.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.ext_authz.v4alpha";
+option java_outer_classname = "ExtAuthzProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: Network External Authorization ]
+// The network layer external authorization service configuration
+// :ref:`configuration overview `.
+// [#extension: envoy.filters.network.ext_authz]
+
+// External Authorization filter calls out to an external service over the
+// gRPC Authorization API defined by
+// :ref:`CheckRequest `.
+// A failed check will cause this filter to close the TCP connection.
+// [#next-free-field: 7]
+message ExtAuthz {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.extensions.filters.network.ext_authz.v3.ExtAuthz";
+
+ // The prefix to use when emitting statistics.
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The external authorization gRPC service configuration.
+ // The default timeout is set to 200ms by this filter.
+ config.core.v4alpha.GrpcService grpc_service = 2;
+
+ // The filter's behaviour in case the external authorization service does
+ // not respond back. When it is set to true, Envoy will also allow traffic in case of
+ // communication failure between authorization service and the proxy.
+ // Defaults to false.
+ bool failure_mode_allow = 3;
+
+ // Specifies if the peer certificate is sent to the external service.
+ //
+ // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+ // :ref:`certificate`.
+ bool include_peer_certificate = 4;
+
+ // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
+ // version of Check{Request,Response} used on the wire.
+ config.core.v4alpha.ApiVersion transport_api_version = 5
+ [(validate.rules).enum = {defined_only: true}];
+
+ // Specifies if the filter is enabled with metadata matcher.
+ // If this field is not specified, the filter will be enabled for all requests.
+ type.matcher.v4alpha.MetadataMatcher filter_enabled_metadata = 6;
+}