You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
5.4 KiB
125 lines
5.4 KiB
syntax = "proto3"; |
|
|
|
package envoy.service.auth.v3; |
|
|
|
import "envoy/config/core/v3/base.proto"; |
|
import "envoy/service/auth/v3/attribute_context.proto"; |
|
import "envoy/type/v3/http_status.proto"; |
|
|
|
import "google/protobuf/struct.proto"; |
|
import "google/rpc/status.proto"; |
|
|
|
import "udpa/annotations/status.proto"; |
|
import "udpa/annotations/versioning.proto"; |
|
import "validate/validate.proto"; |
|
|
|
option java_package = "io.envoyproxy.envoy.service.auth.v3"; |
|
option java_outer_classname = "ExternalAuthProto"; |
|
option java_multiple_files = true; |
|
option java_generic_services = true; |
|
option (udpa.annotations.file_status).package_version_status = ACTIVE; |
|
|
|
// [#protodoc-title: Authorization Service ] |
|
|
|
// The authorization service request messages used by external authorization :ref:`network filter |
|
// <config_network_filters_ext_authz>` and :ref:`HTTP filter <config_http_filters_ext_authz>`. |
|
|
|
// A generic interface for performing authorization check on incoming |
|
// requests to a networked service. |
|
service Authorization { |
|
// Performs authorization check based on the attributes associated with the |
|
// incoming request, and returns status `OK` or not `OK`. |
|
rpc Check(CheckRequest) returns (CheckResponse) { |
|
} |
|
} |
|
|
|
message CheckRequest { |
|
option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest"; |
|
|
|
// The request attributes. |
|
AttributeContext attributes = 1; |
|
} |
|
|
|
// HTTP attributes for a denied response. |
|
message DeniedHttpResponse { |
|
option (udpa.annotations.versioning).previous_message_type = |
|
"envoy.service.auth.v2.DeniedHttpResponse"; |
|
|
|
// This field allows the authorization service to send a HTTP response status |
|
// code to the downstream client other than 403 (Forbidden). |
|
type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}]; |
|
|
|
// This field allows the authorization service to send HTTP response headers |
|
// to the downstream client. |
|
repeated config.core.v3.HeaderValueOption headers = 2; |
|
|
|
// This field allows the authorization service to send a response body data |
|
// to the downstream client. |
|
string body = 3; |
|
} |
|
|
|
// HTTP attributes for an OK response. |
|
// [#next-free-field: 6] |
|
message OkHttpResponse { |
|
option (udpa.annotations.versioning).previous_message_type = |
|
"envoy.service.auth.v2.OkHttpResponse"; |
|
|
|
// HTTP entity headers in addition to the original request headers. This allows the authorization |
|
// service to append, to add or to override headers from the original request before |
|
// dispatching it to the upstream. By setting `append` field to `true` in the `HeaderValueOption`, |
|
// the filter will append the correspondent header value to the matched request header. Note that |
|
// by Leaving `append` as false, the filter will either add a new header, or override an existing |
|
// one if there is a match. |
|
repeated config.core.v3.HeaderValueOption headers = 2; |
|
|
|
// HTTP entity headers to remove from the original request before dispatching |
|
// it to the upstream. This allows the authorization service to act on auth |
|
// related headers (like `Authorization`), process them, and consume them. |
|
// Under this model, the upstream will either receive the request (if it's |
|
// authorized) or not receive it (if it's not), but will not see headers |
|
// containing authorization credentials. |
|
// |
|
// Pseudo headers (such as `:authority`, `:method`, `:path` etc), as well as |
|
// the header `Host`, may not be removed as that would make the request |
|
// malformed. If mentioned in `headers_to_remove` these special headers will |
|
// be ignored. |
|
// |
|
// When using the HTTP service this must instead be set by the HTTP |
|
// authorization service as a comma separated list like so: |
|
// ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``. |
|
repeated string headers_to_remove = 5; |
|
|
|
// This field has been deprecated in favor of :ref:`CheckResponse.dynamic_metadata |
|
// <envoy_v3_api_field_service.auth.v3.CheckResponse.dynamic_metadata>`. Until it is removed, |
|
// setting this field overrides :ref:`CheckResponse.dynamic_metadata |
|
// <envoy_v3_api_field_service.auth.v3.CheckResponse.dynamic_metadata>`. |
|
google.protobuf.Struct dynamic_metadata = 3 [deprecated = true]; |
|
} |
|
|
|
// Intended for gRPC and Network Authorization servers `only`. |
|
message CheckResponse { |
|
option (udpa.annotations.versioning).previous_message_type = |
|
"envoy.service.auth.v2.CheckResponse"; |
|
|
|
// Status `OK` allows the request. Any other status indicates the request should be denied. |
|
google.rpc.Status status = 1; |
|
|
|
// An message that contains HTTP response attributes. This message is |
|
// used when the authorization service needs to send custom responses to the |
|
// downstream client or, to modify/add request headers being dispatched to the upstream. |
|
oneof http_response { |
|
// Supplies http attributes for a denied response. |
|
DeniedHttpResponse denied_response = 2; |
|
|
|
// Supplies http attributes for an ok response. |
|
OkHttpResponse ok_response = 3; |
|
} |
|
|
|
// Optional response metadata that will be emitted as dynamic metadata to be consumed by the next |
|
// filter. This metadata lives in a namespace specified by the canonical name of extension filter |
|
// that requires it: |
|
// |
|
// - :ref:`envoy.filters.http.ext_authz <config_http_filters_ext_authz_dynamic_metadata>` for HTTP filter. |
|
// - :ref:`envoy.filters.network.ext_authz <config_network_filters_ext_authz_dynamic_metadata>` for network filter. |
|
google.protobuf.Struct dynamic_metadata = 4; |
|
}
|
|
|