From e536fa46d9eed521ca450b54b339ad6d87e6e8f1 Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Mon, 11 Oct 2021 06:31:53 +0000
Subject: [PATCH] ext_authz: support modifying and removing query string parameters when using a gRPC authorization server (#18009)

This PR currently only implements query string modifications when using a gRPC authorization server.
Signed-off-by: John Esmet
Mirrored from https://github.com/envoyproxy/envoy @ c42a018d332920f3e523f1a0409b6056bd805853
---
 envoy/config/core/v3/base.proto | 9 +++++++++
 envoy/service/auth/v3/external_auth.proto | 11 ++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/envoy/config/core/v3/base.proto b/envoy/config/core/v3/base.proto
index dcfc660d..efa8ec51 100644
--- a/envoy/config/core/v3/base.proto
+++ b/envoy/config/core/v3/base.proto
@@ -296,6 +296,15 @@ message RuntimeFeatureFlag {
 string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
 }

+// Query parameter name/value pair.
+message QueryParameter {
+ // The key of the query parameter. Case sensitive.
+ string key = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The value of the query parameter.
+ string value = 2;
+}
+
 // Header name/value pair.
 message HeaderValue {
 option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderValue";
diff --git a/envoy/service/auth/v3/external_auth.proto b/envoy/service/auth/v3/external_auth.proto
index 6e97216a..11fc057d 100644
--- a/envoy/service/auth/v3/external_auth.proto
+++ b/envoy/service/auth/v3/external_auth.proto
@@ -60,7 +60,7 @@ message DeniedHttpResponse {
 }

 // HTTP attributes for an OK response.
-// [#next-free-field: 7]
+// [#next-free-field: 9]
 message OkHttpResponse {
 option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.OkHttpResponse";
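Review bot: In the `QueryParameter` message added to base.proto, neither field comment says whether `key` and `value` are raw text or already percent-encoded, and `value` has no validation rule. Whatever code writes these strings into the upstream URL depends on that contract, because an unencoded `&`, `=` or `#` inside a value would change how the rest of the query string is parsed. I would extend the comment on `value` to something like `// The value of the query parameter, given unencoded; the consumer percent-encodes it before adding it to the URL.` if that matches the implementation, which this patch does not show.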
@@ -102,6 +102,15 @@ message OkHttpResponse {
 // to the downstream client on success. Note that the :ref:`append field in HeaderValueOption `
 // defaults to false when used in this message.
 repeated config.core.v3.HeaderValueOption response_headers_to_add = 6;
+
+ // This field allows the authorization service to set (and overwrite) query
+ // string parameters on the original request before it is sent upstream.
+ repeated config.core.v3.QueryParameter query_parameters_to_set = 7;
+
+ // This field allows the authorization service to specify which query parameters
+ // should be removed from the original request before it is sent upstream. Each
+ // element in this list is a case-sensitive query parameter name to be removed.
+ repeated string query_parameters_to_remove = 8;
 }

 // Intended for gRPC and Network Authorization servers `only`.
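Review bot: The comments on `query_parameters_to_set` and `query_parameters_to_remove` do not say what happens when the same name appears in both lists, or when the original request carries the name more than once. These fields let the authorization server change the query string the upstream receives, so the order of application should be stated in the comment rather than left to the implementation. `query_parameters_to_remove` also accepts empty strings while `QueryParameter.key` requires `min_len: 1`; a matching rule such as `[(validate.rules).repeated = {items {string {min_len: 1}}}]` would keep the two consistent. `OkHttpResponse` begins outside this hunk.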