From e724bf6b9a894dfff3f82f385f4edaa4c3e8ecbf Mon Sep 17 00:00:00 2001
From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com>
Date: Tue, 12 Mar 2024 05:21:14 +0000
Subject: [PATCH] jwt_authn: Add subject constraints for JwtProviders (#32374)

Adds new `subjects` config field to restrict subjects accepted from a `JwtProvider` partially implementing #31455
Risk Level: Low
Testing: Unit testing
Docs Changes: Added `subjects` description inline in proto.
Release Notes: Attached
Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md): Feature is opt in, without specifying the config, there's no behavior change.
Signed-off-by: Matthew Jones
Mirrored from https://github.com/envoyproxy/envoy @ 08231e383fc3fb1c3bb207774d8295995759552a
---
 .../extensions/filters/http/jwt_authn/v3/BUILD | 1 +
 .../filters/http/jwt_authn/v3/config.proto | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/envoy/extensions/filters/http/jwt_authn/v3/BUILD b/envoy/extensions/filters/http/jwt_authn/v3/BUILD
index cea648f6..fd0f6d5f 100644
--- a/envoy/extensions/filters/http/jwt_authn/v3/BUILD
+++ b/envoy/extensions/filters/http/jwt_authn/v3/BUILD
@@ -8,6 +8,7 @@ api_proto_package(
 deps = [
 "//envoy/config/core/v3:pkg",
 "//envoy/config/route/v3:pkg",
+ "//envoy/type/matcher/v3:pkg",
 "@com_github_cncf_xds//udpa/annotations:pkg",
 ],
 )
diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index d8bfd7d1..1256a40b 100644
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -5,6 +5,7 @@ package envoy.extensions.filters.http.jwt_authn.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/http_uri.proto";
 import "envoy/config/route/v3/route_components.proto";
+import "envoy/type/matcher/v3/string.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
@@ -53,7 +54,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // cache_duration:
 // seconds: 300
 //
-// [#next-free-field: 19]
+// [#next-free-field: 20]
 message JwtProvider {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
@@ -104,6 +105,20 @@ message JwtProvider {
 //
 repeated string audiences = 2;
 
+ // Restrict the `subjects `_
+ // that the JwtProvider can assert. For instance, this could implement JWT-SVID
+ // `subject restrictions `_.
+ // If not specified, will not check subjects in the token.
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // subjects:
+ // prefix: spiffe://spiffe.example.com/
+ //
+ type.matcher.v3.StringMatcher subjects = 19;
+
 // `JSON Web Key Set (JWKS) `_ is needed to
 // validate signature of a JWT. This field specifies where to fetch JWKS.
 oneof jwks_source_specifier {
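Review bot: The comment on the new `subjects` field in the third hunk states only that the check is skipped when the field is unset; it does not say what happens when `subjects` is configured and the token carries no `sub` claim at all, which is the case a deployer using this as a trust-domain restriction most needs to know. If the implementation rejects such tokens, say so next to the existing sentence: `// When set, a token with no sub claim fails this check.`; if it lets them through, that is a gap to close before the field is documented as a restriction. The name is plural for a single `StringMatcher`, unlike the `repeated string audiences` directly above it; the number 19 is the permanent wire contract, but the name still shapes the JSON key and generated accessors, so `subject` (or `subject_matcher`) would be cheaper to settle now than after release. The yaml example rightly keeps the trailing slash on `spiffe://spiffe.example.com/`; a one-line caveat that a prefix without it also matches any other trust domain beginning with the same characters would prevent the most likely misconfiguration. The `JwtProvider` message continues outside the hunk.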