authz_filter: configuration to support Ambassador authorization flow (#563)

This PR includes the necessary modifications in support of envoyproxy/envoy#2828.

Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service.

In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter.

Signed-off-by: Gabriel <gsagula@gmail.com>

docs/BUILD

@@ -26,7 +26,7 @@ proto_library(
         "//envoy/config/bootstrap/v2:bootstrap",
         "//envoy/config/filter/accesslog/v2:accesslog",
         "//envoy/config/filter/http/buffer/v2:buffer",
-        "//envoy/config/filter/http/ext_authz/v2:ext_authz",
+        "//envoy/config/filter/http/ext_authz/v2alpha:ext_authz",
         "//envoy/config/filter/http/fault/v2:fault",
         "//envoy/config/filter/http/gzip/v2:gzip",
         "//envoy/config/filter/http/health_check/v2:health_check",

envoy/api/v2/core/http_uri.proto

@@ -2,6 +2,9 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
+import "google/protobuf/duration.proto";
+import "gogoproto/gogo.proto";
+
 import "validate/validate.proto";
 
 // Envoy external URI descriptor
@@ -34,4 +37,11 @@ message HttpUri {
     //
     string cluster = 2 [(validate.rules).string.min_bytes = 1];
   }
+
+  // Sets the maximum duration in milliseconds that a response can take to arrive upon request.
+  google.protobuf.Duration timeout = 3 [
+    (validate.rules).duration.gte = {},
+    (validate.rules).duration.required = true,
+    (gogoproto.stdduration) = true
+  ];
 }

envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -1,26 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.filter.http.ext_authz.v2;
-option go_package = "v2";
-
-import "envoy/api/v2/core/grpc_service.proto";
-
-import "validate/validate.proto";
-
-// [#not-implemented-hide:]
-// External Authorization filter calls out to an external service over the
-// gRPC Authorization API defined by
-// :ref:`external_auth <envoy_api_msg_auth.CheckRequest>`.
-// A failed check will cause this filter to return 403 Forbidden.
-message ExtAuthz {
-
-  // The external authorization gRPC service configuration.
-  envoy.api.v2.core.GrpcService grpc_service = 1;
-
-  // The filter's behaviour in case the external authorization service does
-  // not respond back. If set to true then in case of failure to get a
-  // response back from the authorization service or getting a response that
-  // is NOT denied then traffic will be permitted.
-  // Defaults to false.
-  bool failure_mode_allow = 2;
-}

envoy/config/filter/http/ext_authz/v2alpha/BUILD

@@ -5,5 +5,8 @@ licenses(["notice"])  # Apache 2
 api_proto_library(
     name = "ext_authz",
     srcs = ["ext_authz.proto"],
-    deps = ["//envoy/api/v2/core:grpc_service"],
+    deps = [
+        "//envoy/api/v2/core:grpc_service",
+        "//envoy/api/v2/core:http_uri",
+    ],
 )

envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto

@@ -0,0 +1,34 @@
+syntax = "proto3";
+
+package envoy.config.filter.http.ext_authz.v2alpha;
+option go_package = "v2alpha";
+
+import "envoy/api/v2/core/grpc_service.proto";
+import "envoy/api/v2/core/http_uri.proto";
+
+// The external authorization HTTP service configuration.
+message HttpService {
+  // Sets the HTTP server URI which the authorization requests must be sent to.
+  envoy.api.v2.core.HttpUri server_uri = 1;
+
+  // Sets an optional prefix to the value of authorization request header `path`.
+  string path_prefix = 2;
+}
+
+message ExtAuthz {
+
+  oneof services {
+    // The external authorization gRPC service configuration.
+    envoy.api.v2.core.GrpcService grpc_service = 1;
+
+    // The external authorization HTTP service configuration.
+    HttpService http_service = 3;
+  }
+
+  // The filter's behaviour in case the external authorization service does
+  // not respond back. If set to true then in case of failure to get a
+  // response back from the authorization service or getting a response that
+  // is NOT denied then traffic will be permitted.
+  // Defaults to false.
+  bool failure_mode_allow = 2;
+}

envoy/service/auth/v2alpha/attribute_context.proto

@@ -2,7 +2,7 @@ syntax = "proto3";
 
 // [#proto-status: draft]
 
-package envoy.service.auth.v2;
+package envoy.service.auth.v2alpha;
 
 import "envoy/api/v2/core/address.proto";
 

envoy/service/auth/v2alpha/external_auth.proto

@@ -2,13 +2,14 @@ syntax = "proto3";
 
 // [#proto-status: draft]
 
-package envoy.service.auth.v2;
-option go_package = "v2";
+package envoy.service.auth.v2alpha;
+option go_package = "v2alpha";
 option java_generic_services = true;
 
-import "envoy/service/auth/v2/attribute_context.proto";
+import "envoy/service/auth/v2alpha/attribute_context.proto";
 
 import "google/rpc/status.proto";
+import "validate/validate.proto";
 
 // A generic interface for performing authorization check on incoming
 // requests to a networked service.
@@ -26,4 +27,18 @@ message CheckRequest {
 message CheckResponse {
   // Status `OK` allows the request. Any other status indicates the request should be denied.
   google.rpc.Status status = 1;
+
+  // An optional message that contains HTTP response attributes. This message is
+  // used when the authorization service needs to send custom responses to the
+  // downstream client or, to modify/add request headers being dispatched to the upstream.
+  message HttpResponse {
+    // Http status code.
+    uint32 status_code = 1 [(validate.rules).uint32 = {gte: 100, lt: 600}];
+
+    // Http entity headers.
+    map<string, string> headers = 2;
+
+    // Http entity body.
+    string body = 3;
+  }
 }