Merge pull request #181 from solo-io/sync-apis/gloo-master/v1.9.0-beta9

Sync APIs. @tag-name=v1.9.0-beta9

api/gloo/enterprise.gloo/v1/auth_config.proto

@@ -156,11 +156,11 @@ message HttpService {
     Request request = 2;
 
     message Response {
-        // When this is set, authorization response headers that have a will be added to the original client request and sent to the upstream.
+        // When this is set, authorization response headers that have a header in this list will be added to the original client request and sent to the upstream.
         // Note that coexistent headers will be overridden.
         repeated string allowed_upstream_headers = 1;
 
-        // When this. is set, authorization response headers that will be added to the client's response when auth request is denied.
+        // When this is set, authorization response headers in this list will be added to the client's response when the auth request is denied.
         // Note that when this list is *not* set, all the authorization response headers, except *Authority
         // (Host)* will be in the response to the client. When a header is included in this list, *Path*,
         // *Status*, *Content-Length*, *WWW-Authenticate* and *Location* are automatically added.
@@ -727,6 +727,7 @@ message PassThroughAuth {
 
     oneof protocol {
         PassThroughGrpc grpc = 1;
+        PassThroughHttp http = 2;
     }
 
     // Custom config to be passed per request to the passthrough auth service.
@@ -746,6 +747,96 @@ message PassThroughGrpc {
     google.protobuf.Duration connection_timeout = 2;
 }
 
+// Authorizes requests by making a POST HTTP/1 request to a custom HTTP auth server
+// Assumes the request is authorized if the server returns a OK (200) status code,
+// else the request is unauthorized.
+message PassThroughHttp {
+    // Required: URL of the passthrough http service, is a fully qualified domain name.
+    // Example: http://ext-auth-service.svc.local:9001. Path provided in the URL will be respected.
+    // To use https, provide the cert in the HTTPS_PASSTHROUGH_CA_CERT environment variable to the ext-auth-service
+    // pod as a base64-encoded string
+    string url = 1;
+
+    /* The passthrough http request can be configured to pass through the incoming request body,
+     the ext-auth state (which is shared between different auth methods within one ext-auth instance), and
+     the [filterMetadata](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/data_sharing_between_filters#metadata)
+     The body of the passthrough auth request will be a JSON as follows:
+     {
+       "body" : string,
+       "state": object (map[string]interface{}),
+       "filterMetadata": object (map[string]protobuf.Struct),
+       "config": object (protobuf.Struct),
+     }
+     `config` is the struct block specified under the passthrough auth configuration.
+     If `passthrough_body`, `passthrough_state`, `passthrough_filter_metadata`, and `config` are all false/nil,
+     the body of the auth request will remain empty. Setting any of these will increase latency slightly due to
+     JSON marshalling.
+
+    */
+    message Request {
+        // These headers will be copied from the incoming request to the request going
+        // to the auth server. By default, no headers are copied from the incoming request.
+        // Pseudo-headers such as `:Path`, and `:Method` can not be specified here.
+        repeated string allowed_headers = 1;
+
+        // These headers that will be included to the request to authorization service. Note that
+        // client request of the same key will be overridden.
+        // Pseudo-headers such as `:Path`, and `:Method` can not be specified here.
+        map<string, string> headers_to_add = 2;
+
+        // Whether or not to include the ext-auth state object in the passthrough request body.
+        // If this is set to true, it is expected that the state is returned in the HTTP response from the
+        // passthrough service. The state received from the response will be the state that is shared with
+        // other ext-auth service methods.
+        // If pass_through_body, pass_through_filter_metadata and pass_through_state are false,
+        // the authorization request body will be empty. A non-empty body will increase latency times
+        // slightly, so this is set to false by default, and should only be set to to true if the
+        // extauth state is needed in the auth request.
+        bool pass_through_state = 3;
+
+        // Whether or not to include the filter metadata in the passthrough request body.
+        // If pass_through_body, pass_through_filter_metadata and pass_through_state are false,
+        // the authorization request body will be empty. A non-empty body will increase latency times
+        // slightly, so this is set to false by default, and should only be set to to true if the
+        // filter metadata is needed in the auth request.
+        bool pass_through_filter_metadata = 4;
+
+        // Whether or not to include the body in the passthrough request body.
+        // If pass_through_body, pass_through_filter_metadata and pass_through_state are false,
+        // the authorization request body will be empty. A non-empty body will increase latency times
+        // slightly, so this is set to false by default, and should only be set to to true if the
+        // request body is needed in the auth request.
+        bool pass_through_body = 5;
+    }
+    Request request = 3;
+
+    message Response {
+        // When this is set, authorization response headers that have a header in this list will be added to the original client request and sent to the upstream
+        // when the auth request is successful. These will be appended to any request headers that already exist.
+        // If this is empty, by default, no authorization response headers will be added to the upstream request.
+        repeated string allowed_upstream_headers = 1;
+
+        // When this is set, authorization response headers in this list will be added to the client's response when the auth request is denied.
+        // If the response header already exists, it will replace the response header.
+        // If this is empty, by default, no authorization response headers will be added to the client response.
+        repeated string allowed_client_headers_on_denied = 2;
+
+        // If this is set to true, the body of the response from the http passthrough auth server is expected to have shape
+        // {
+        //   "state": object (map[string]interface{})
+        // }
+        // The state will be marshalled from the response body and this is the state that will be passed on to other auth configs.
+        // Because of the marshalling from JSON to Go map, this will add some latency to the request.
+        // If the marshalling fails, the authorization check will fail and the request will be unauthorized after the ext-auth-service pod
+        // logs the marshal error.
+        bool read_state_from_response = 3;
+    }
+    Response response = 4;
+
+    // Timeout for the auth server to respond. Defaults to 5s
+    google.protobuf.Duration connection_timeout = 8;
+}
+
 /*
 @solo-kit:xds-service=ExtAuthDiscoveryService
 @solo-kit:resource.no_references

api/gloo/gateway/v1/external_options.proto

@@ -230,4 +230,4 @@ message RouteOption {
 
   // Route options. See Route for delegation behavior.
   gloo.solo.io.RouteOptions options = 3;
-}
+}

api/gloo/gloo/external/envoy/api/v2/cluster/outlier_detection.proto

@@ -113,4 +113,4 @@ message OutlierDetection {
     // is set to true.
     google.protobuf.UInt32Value enforcing_local_origin_success_rate = 15
     [(validate.rules).uint32.lte = 100];
-}
+}

api/gloo/gloo/external/envoy/api/v2/core/health_check.proto

@@ -274,4 +274,4 @@ enum HealthStatus {
 
     // Degraded.
     DEGRADED = 5;
-}
+}

api/gloo/gloo/external/envoy/api/v2/route/route.proto

@@ -1300,4 +1300,4 @@ message QueryParameterMatcher {
     // the right of the equals sign in "key=value") must match the regex.
     // E.g., the regex "\d+$" will match "123" but not "a123" or "123a".
     google.protobuf.BoolValue regex = 4;
-}
+}

api/gloo/gloo/external/envoy/config/filter/http/gzip/v2/gzip.proto

@@ -79,4 +79,4 @@ message Gzip {
     // which will produce a 4096 bytes window. For more details about this parameter, please refer to
     // zlib manual > deflateInit2.
     google.protobuf.UInt32Value window_bits = 9 [(validate.rules).uint32 = {lte: 15 gte: 9}];
-}
+}

api/gloo/gloo/external/envoy/extensions/advanced_http/advanced_http.proto

@@ -106,4 +106,4 @@ message JsonKey {
 
     // The path to retrieve the Value.
     repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];
-}
+}

api/gloo/gloo/external/envoy/extensions/filters/http/csrf/v3/csrf.proto

@@ -56,4 +56,4 @@ message CsrfPolicy {
   // More information on how this can be configured via runtime can be found
   // :ref:`here <csrf-configuration>`.
   repeated type.matcher.v3.StringMatcher additional_origins = 3;
-}
+}

api/gloo/gloo/external/envoy/extensions/filters/http/wasm/v3/wasm.proto

@@ -24,4 +24,4 @@ option java_multiple_files = true;
 message Wasm {
   // General Plugin configuration.
   .solo.io.envoy.extensions.wasm.v3.PluginConfig config = 1;
-}
+}

api/gloo/gloo/external/envoy/extensions/transformation/transformation.proto

@@ -283,4 +283,4 @@ message Passthrough {}
 
 message MergeExtractorsToBody {}
 
-message HeaderBodyTransform {}
+message HeaderBodyTransform {}

api/gloo/gloo/external/envoy/extensions/xff_offset/solo_xff_offset_filter.proto

@@ -12,4 +12,4 @@ message SoloXffOffset {
   // The amount of addresses from the left of x-forwarded-for (xff) header
   // which should be skipped to get the client address.
   uint32 offset = 1;
-}
+}

api/gloo/gloo/external/envoy/type/range.proto

@@ -31,4 +31,4 @@ message DoubleRange {
 
     // end of the range (exclusive)
     double end = 2;
-}
+}

api/gloo/gloo/external/envoy/type/v3/http.proto

@@ -25,4 +25,4 @@ option go_package = "github.com/solo-io/solo-apis/pkg/api/gloo.solo.io/external/
 
 import "extproto/ext.proto";
 option (extproto.hash_all) = true;
-option (extproto.equal_all) = true;
+option (extproto.equal_all) = true;

api/gloo/gloo/external/udpa/annotations/sensitive.proto

@@ -12,4 +12,4 @@ extend google.protobuf.FieldOptions {
   // Protobuf functions such as `TextFormat::PrintToString`.
   bool sensitive = 168928285;
 }
-option go_package = "github.com/solo-io/solo-apis/pkg/api/gloo.solo.io/external/udpa/annotations";
+option go_package = "github.com/solo-io/solo-apis/pkg/api/gloo.solo.io/external/udpa/annotations";

api/gloo/gloo/v1/endpoint.proto

@@ -39,4 +39,4 @@ message Endpoint {
 message HealthCheckConfig {
     // hostname to use for the endpoint health checks if provided.
     string hostname = 1;
-}
+}

api/gloo/gloo/v1/enterprise/options/ratelimit/ratelimit.proto

@@ -84,4 +84,4 @@ message RateLimitRouteExtension {
     // Define individual rate limits here. Each rate limit will be evaluated, if any rate limit
     // would be throttled, the entire request returns a 429 (gets throttled)
     repeated ratelimit.api.solo.io.RateLimitActions rate_limits = 2;
-}
+}

api/gloo/gloo/v1/enterprise/options/rbac/rbac.proto

@@ -52,4 +52,4 @@ message Permissions {
     string path_prefix = 1;
     // What http methods (GET, POST, ...) are allowed.
     repeated string methods = 2;
-}
+}

api/gloo/gloo/v1/enterprise/options/waf/waf.proto

@@ -41,4 +41,4 @@ message CoreRuleSet {
         // String representing the core rule set custom config options
         string custom_settings_file = 3;
     }
-}
+}

api/gloo/gloo/v1/extensions.proto

@@ -14,4 +14,4 @@ message Extensions {
 
 message Extension {
     google.protobuf.Struct config = 1;
-}
+}

api/gloo/gloo/v1/failover.proto

@@ -122,4 +122,4 @@ message Locality {
     // into smaller chunks of sub-zones so they can be load balanced
     // independently.
     string sub_zone = 3;
-}
+}

api/gloo/gloo/v1/options/advanced_http/advanced_http.proto

@@ -81,4 +81,4 @@ message JsonKey {
 
     // The path to retrieve the Value.
     repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];
-}
+}

api/gloo/gloo/v1/options/cors/cors.proto

@@ -38,4 +38,4 @@ message CorsPolicy {
     // Optional, only applies to route-specific CORS Policies, defaults to false.
     // If set, the CORS Policy (specified on the virtual host) will be disabled for this route.
     bool disable_for_route = 8;
-}
+}

api/gloo/gloo/v1/options/grpc/grpc.proto

@@ -47,4 +47,4 @@ message DestinationSpec {
   // Parameters describe how to extract the function parameters from the
   // request.
   transformation.options.gloo.solo.io.Parameters parameters = 4;
-}
+}

api/gloo/gloo/v1/options/grpc_json/grpc_json.proto

@@ -157,4 +157,4 @@ message GrpcJsonTranscoder {
     //  the ``google/rpc/error_details.proto`` should be included in the configured
     //  :ref:`proto descriptor set <config_grpc_json_generate_proto_descriptor_set>`.
     bool convert_grpc_status = 9;
-}
+}

api/gloo/gloo/v1/options/grpc_web/grpc_web.proto

@@ -13,4 +13,4 @@ import "github.com/solo-io/solo-apis/api/gloo/gloo/v1/options/transformation/par
 message GrpcWeb {
   // Disable grpc web support.
   bool disable = 1;
-}
+}

api/gloo/gloo/v1/options/rest/rest.proto

@@ -28,4 +28,4 @@ message DestinationSpec {
     transformation.options.gloo.solo.io.Parameters parameters = 2;
 
     envoy.api.v2.filter.http.TransformationTemplate response_transformation = 3;
-}
+}

api/gloo/gloo/v1/options/service_spec.proto

@@ -22,4 +22,4 @@ message ServiceSpec {
         rest.options.gloo.solo.io.ServiceSpec rest = 1;
         grpc.options.gloo.solo.io.ServiceSpec grpc = 2;
     }
-}
+}

api/gloo/gloo/v1/options/static/static.proto

@@ -63,4 +63,4 @@ message Host {
 
     // (Enterprise Only): Host specific health checking configuration.
     HealthCheckConfig health_check_config = 3;
-}
+}

api/gloo/gloo/v1/options/stats/stats.proto

@@ -42,4 +42,4 @@ message VirtualCluster {
 
     // If specified, statistics will be exposed only for requests matching the given HTTP method.
     string method = 3;
-}
+}

api/gloo/gloo/v1/options/tcp/tcp.proto

@@ -29,4 +29,4 @@ message TcpProxySettings {
     // payloads over a shared HTTP tunnel. If this message is absent, the payload
     // will be proxied upstream as per usual.
     TunnelingConfig tunneling_config = 12;
-}
+}

api/gloo/gloo/v1/options/tracing/tracing.proto

@@ -91,4 +91,4 @@ message TracingTagLiteral {
     string tag = 1;
     // Static literal value to populate the tag value.
     string value = 2;
-}
+}

api/gloo/gloo/v1/options/transformation/transformation.proto

@@ -82,4 +82,4 @@ message Transformation {
         envoy.config.transformer.xslt.v2.XsltTransformation xslt_transformation = 3;
 
     }
-}
+}

api/gloo/gloo/v1/options/wasm/wasm.proto

@@ -84,4 +84,4 @@ message FilterStage {
     Stage stage = 1;
     // How this filter should be placed relative to the stage
     Predicate predicate = 2;
-}
+}

api/gloo/gloo/v1/proxy.proto

@@ -387,7 +387,6 @@ message DirectResponseAction {
     string body = 2;
 }
 
-
 message UpstreamGroupStatus {
 	enum State {
 			// Pending status indicates the resource has not yet been validated

api/gloo/gloo/v1/ssl.proto

@@ -125,4 +125,4 @@ message SslParameters {
     ProtocolVersion maximum_protocol_version = 2;
     repeated string cipher_suites = 3;
     repeated string ecdh_curves = 4;
-}
+}

api/gloo/gloo/v1/subset.proto

@@ -8,4 +8,4 @@ option (extproto.hash_all) = true;
 
 message Subset {
    map<string, string> values = 1;
-}
+}