ext_authz: support modifying and removing query string parameters when using a gRPC authorization server (#18009)

This PR currently only implements query string modifications when using a gRPC authorization server. Signed-off-by: John Esmet <john.esmet@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ c42a018d332920f3e523f1a0409b6056bd805853
3 years ago · e536fa46d9
parent b1213c8f49
commit e536fa46d9
2 changed files with 19 additions and 1 deletions
--- a/envoy/config/core/v3/base.proto
+++ b/envoy/config/core/v3/base.proto
@ -296,6 +296,15 @@ message RuntimeFeatureFlag {
  string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
 }

+// Query parameter name/value pair.
+message QueryParameter {
+  // The key of the query parameter. Case sensitive.
+  string key = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The value of the query parameter.
+  string value = 2;
+}
+
 // Header name/value pair.
 message HeaderValue {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderValue";
--- a/envoy/service/auth/v3/external_auth.proto
+++ b/envoy/service/auth/v3/external_auth.proto
@ -60,7 +60,7 @@ message DeniedHttpResponse {
 }

 // HTTP attributes for an OK response.
-// [#next-free-field: 7]
+// [#next-free-field: 9]
 message OkHttpResponse {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.service.auth.v2.OkHttpResponse";
@ -102,6 +102,15 @@ message OkHttpResponse {
  // to the downstream client on success. Note that the :ref:`append field in HeaderValueOption <envoy_v3_api_field_config.core.v3.HeaderValueOption.append>`
  // defaults to false when used in this message.
  repeated config.core.v3.HeaderValueOption response_headers_to_add = 6;
+
+  // This field allows the authorization service to set (and overwrite) query
+  // string parameters on the original request before it is sent upstream.
+  repeated config.core.v3.QueryParameter query_parameters_to_set = 7;
+
+  // This field allows the authorization service to specify which query parameters
+  // should be removed from the original request before it is sent upstream. Each
+  // element in this list is a case-sensitive query parameter name to be removed.
+  repeated string query_parameters_to_remove = 8;
 }

 // Intended for gRPC and Network Authorization servers `only`.