From cd96bf6960841db8740b9de2b18ce988929bd4ba Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Mon, 11 Nov 2019 17:54:51 +0000
Subject: [PATCH] ext_authz: Set the peer's certificate in the source attributes (#8327)

Set the downstream client X.509 certificate in the source Peer AttributeContext

Risk Level: low
Testing: Tests updated and extended.
Docs Changes: New API additions are documented.
Release Notes: Added.

Fixes #8326

Signed-off-by: Steve Larkin

Mirrored from https://github.com/envoyproxy/envoy @ 766f3fb8dbdafce402631c43c16fda46ed003462
---
 envoy/config/filter/http/ext_authz/v2/ext_authz.proto | 8 +++++++-
 .../config/filter/http/ext_authz/v3alpha/ext_authz.proto | 8 +++++++-
 envoy/config/filter/network/ext_authz/v2/ext_authz.proto | 6 ++++++
 .../filter/network/ext_authz/v3alpha/ext_authz.proto | 6 ++++++
 envoy/service/auth/v2/attribute_context.proto | 5 +++++
 envoy/service/auth/v3alpha/attribute_context.proto | 5 +++++
 6 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
index 475b354f..0f70acfc 100644
--- a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
@@ -17,7 +17,7 @@ import "validate/validate.proto";
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview `.
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message ExtAuthz {
   // External authorization service configuration.
   oneof services {
@@ -90,6 +90,12 @@ message ExtAuthz {
   //
   // If this field is not specified, the filter will be enabled for all requests.
   api.v2.core.RuntimeFractionalPercent filter_enabled = 9;
+
+  // Specifies if the peer certificate is sent to the external service.
+  //
+  // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+  // :ref:`certificate`.
+  bool include_peer_certificate = 10;
 }
 
 // Configuration for buffering the request data.
diff --git a/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto b/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
index 615887e3..c884f6eb 100644
--- a/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
@@ -17,7 +17,7 @@ import "validate/validate.proto";
 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview `.
-// [#next-free-field: 10]
+// [#next-free-field: 11]
 message ExtAuthz {
   reserved 4;
 
@@ -88,6 +88,12 @@ message ExtAuthz {
   //
   // If this field is not specified, the filter will be enabled for all requests.
   api.v3alpha.core.RuntimeFractionalPercent filter_enabled = 9;
+
+  // Specifies if the peer certificate is sent to the external service.
+  //
+  // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+  // :ref:`certificate`.
+  bool include_peer_certificate = 10;
 }
 
 // Configuration for buffering the request data.
diff --git a/envoy/config/filter/network/ext_authz/v2/ext_authz.proto b/envoy/config/filter/network/ext_authz/v2/ext_authz.proto
index bc9ed5d5..9b8e2b7a 100644
--- a/envoy/config/filter/network/ext_authz/v2/ext_authz.proto
+++ b/envoy/config/filter/network/ext_authz/v2/ext_authz.proto
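Review bot: The comment on the new `include_peer_certificate` field does not state its default, while the adjacent network-filter field `failure_mode_allow` ends with `// Defaults to false.`; the same comment block recurs in the v3alpha HTTP filter hunk and in both network-filter hunks, so the wording should be fixed in all four places. "if available" also leaves open what makes the certificate available — presumably a TLS downstream connection on which the client presented one — and the comment should say so, so that operators know when to expect the attribute to be absent. Since enabling this adds the full PEM certificate to every authorization request, a line such as `// Defaults to false. Enabling it adds the peer's full PEM certificate to every check request.` would cover both points. The enclosing ExtAuthz message starts outside the hunk.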
@@ -31,4 +31,10 @@ message ExtAuthz {
   // communication failure between authorization service and the proxy.
   // Defaults to false.
   bool failure_mode_allow = 3;
+
+  // Specifies if the peer certificate is sent to the external service.
+  //
+  // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+  // :ref:`certificate`.
+  bool include_peer_certificate = 4;
 }
diff --git a/envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto b/envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto
index 574fd170..97c6e4d4 100644
--- a/envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto
+++ b/envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto
@@ -31,4 +31,10 @@ message ExtAuthz {
   // communication failure between authorization service and the proxy.
   // Defaults to false.
   bool failure_mode_allow = 3;
+
+  // Specifies if the peer certificate is sent to the external service.
+  //
+  // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+  // :ref:`certificate`.
+  bool include_peer_certificate = 4;
 }
diff --git a/envoy/service/auth/v2/attribute_context.proto b/envoy/service/auth/v2/attribute_context.proto
index 6fd24ea1..a694b137 100644
--- a/envoy/service/auth/v2/attribute_context.proto
+++ b/envoy/service/auth/v2/attribute_context.proto
@@ -39,6 +39,7 @@ message AttributeContext {
   // The node can be either a service or an application that sends, forwards,
   // or receives the request. Service peers should fill in the `service`,
   // `principal`, and `labels` as appropriate.
+  // [#next-free-field: 6]
   message Peer {
     // The address of the peer, this is typically the IP address.
     // It can also be UDS path, or others.
@@ -66,6 +67,10 @@ message AttributeContext {
     // * SPIFFE format is `spiffe://trust-domain/path`
     // * Google account format is `https://accounts.google.com/{userid}`
     string principal = 4;
+
+    // The X.509 certificate used to authenticate the identify of this peer.
+    // When present, the certificate contents are encoded in URL and PEM format.
+    string certificate = 5;
   }
 
   // Represents a network request, such as an HTTP request.
diff --git a/envoy/service/auth/v3alpha/attribute_context.proto b/envoy/service/auth/v3alpha/attribute_context.proto
index 24214aa2..22e05959 100644
--- a/envoy/service/auth/v3alpha/attribute_context.proto
+++ b/envoy/service/auth/v3alpha/attribute_context.proto
@@ -39,6 +39,7 @@ message AttributeContext {
   // The node can be either a service or an application that sends, forwards,
   // or receives the request. Service peers should fill in the `service`,
   // `principal`, and `labels` as appropriate.
+  // [#next-free-field: 6]
   message Peer {
     // The address of the peer, this is typically the IP address.
     // It can also be UDS path, or others.
@@ -66,6 +67,10 @@ message AttributeContext {
     // * SPIFFE format is `spiffe://trust-domain/path`
     // * Google account format is `https://accounts.google.com/{userid}`
     string principal = 4;
+
+    // The X.509 certificate used to authenticate the identify of this peer.
+    // When present, the certificate contents are encoded in URL and PEM format.
+    string certificate = 5;
   }
 
   // Represents a network request, such as an HTTP request.
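Review bot: The comment on the new `certificate` field has a typo ("identify" for "identity"), and "encoded in URL and PEM format" is ambiguous: a consuming authorization service needs to know whether the value is the raw PEM text or a URL-encoded PEM string before it can parse it, so the comment should name one encoding explicitly (if URL-encoded PEM is what is meant, say `// When present, the contents are the PEM certificate, URL-encoded.`). The same wording appears in the v3alpha attribute_context hunk. The comment also calls this the certificate "used to authenticate" the peer without saying whether the field is populated only after successful verification or whenever a client presented a certificate; an authorization service that treats presence as proof of identity needs that distinction stated, so I would rephrase the first line to `// The X.509 certificate presented by this peer, if any.` and add one sentence on whether verification is implied. The enclosing Peer message starts outside the hunk.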