syntax = "proto3";

// [#proto-status: draft]

package envoy.api.v2.auth;
option go_package = "auth";

import "envoy/api/v2/auth/cert.proto";

message AuthAction {
  // Should we do white-list or black-list style access control.
  enum ActionType {
    // Request matches all rules are allowed, otherwise denied.
    ALLOW = 0;
    // Request matches all rules or missing required auth fields are denied,
    // otherwise allowed.
    DENY = 1;
  }

  ActionType action_type = 1;

  // Logic AND that requires all rules match.
  message AndRule {
    repeated Rule rules = 1;
  }

  // Logic OR that requires at least one rule matches.
  message OrRule {
    repeated Rule rules = 1;
  }

  // Check peer identity using X.509 certificate.
  message X509Rule {
    // How to validate peer certificates.
    CertificateValidationContext validation_context = 3;
  }

  // Element type of AndRule/OrRule, it chooses among different type of rule.
  message Rule {
    oneof rule_specifier {
      AndRule and_rule = 1;
      OrRule or_rule = 2;
      X509Rule x509_rule = 3;
    }
  }

  // List of rules
  repeated Rule rules = 2;
}