From b7fe36b20cfa205e30df83bb227086411b38076a Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Sun, 20 Oct 2024 13:52:01 +0900 Subject: [PATCH 01/15] feat(api): HTTP APIKey Auth Filter Signed-off-by: Kensei Nakada --- api/BUILD | 1 + .../filters/http/api_key_auth/v3/BUILD | 12 ++++ .../http/api_key_auth/v3/api_key_auth.proto | 69 +++++++++++++++++++ api/versioning/BUILD | 1 + 4 files changed, 83 insertions(+) create mode 100644 api/envoy/extensions/filters/http/api_key_auth/v3/BUILD create mode 100644 api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto diff --git a/api/BUILD b/api/BUILD index 096373e79fc7..1feb1ac3c4ae 100644 --- a/api/BUILD +++ b/api/BUILD @@ -159,6 +159,7 @@ proto_library( "//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg", "//envoy/extensions/filters/http/admission_control/v3:pkg", "//envoy/extensions/filters/http/alternate_protocols_cache/v3:pkg", + "//envoy/extensions/filters/http/api_key_auth/v3:pkg", "//envoy/extensions/filters/http/aws_lambda/v3:pkg", "//envoy/extensions/filters/http/aws_request_signing/v3:pkg", "//envoy/extensions/filters/http/bandwidth_limit/v3:pkg", diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/BUILD b/api/envoy/extensions/filters/http/api_key_auth/v3/BUILD new file mode 100644 index 000000000000..09a37ad16b83 --- /dev/null +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/BUILD @@ -0,0 +1,12 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v3:pkg", + "@com_github_cncf_xds//udpa/annotations:pkg", + ], +) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto new file mode 100644 index 000000000000..14796d87ffbd --- /dev/null +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -0,0 +1,69 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.api_key_auth.v3; + +import "envoy/config/core/v3/base.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.api_key_auth.v3"; +option java_outer_classname = "ApiKeyAuthProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/api_key_auth/v3;api_key_authv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: APIKey Auth] +// APIKey Auth :ref:`configuration overview `. +// [#extension: envoy.filters.http.api_key_auth] + +// Basic HTTP authentication. +// +// Example: +// +// .. code-block:: yaml +// +// location: HEADER +// name: X-API-KEY +// keys: +// inline_string: |- +// apikey1:user1 +// apikey2:user2 +// +message APIKeyAuth { + enum APIKeyLocation { + // The API key is expected to be in a header. + HEADER = 0; + + // The API key is expected to be in a query parameter. + QUERY = 1; + + // The API key is expected to be in a cookie. + COOKIE = 2; + } + + // The location of the API key. + APIKeyLocation location = 1; + + // The name of the header, query parameter, or cookie that contains the API key. + string name = 2; + + // keys used to authenticate the user. + // It should be a map of apikey to user. + config.core.v3.DataSource keys = 3 [(udpa.annotations.sensitive) = true]; + + // The header name to forward an authenticated user. + // + // If it is not specified, the username will not be forwarded. + string forward_username_header = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; +} + +// Extra settings that may be added to per-route configuration for +// a virtual host or a cluster. +message APIKeyAuthPerRoute { + // keys used to authenticate the user for this route. + config.core.v3.DataSource keys = 1 + [(validate.rules).message = {required: true}, (udpa.annotations.sensitive) = true]; +} diff --git a/api/versioning/BUILD b/api/versioning/BUILD index bfc572f7f3bd..146a4f2bd7b2 100644 --- a/api/versioning/BUILD +++ b/api/versioning/BUILD @@ -97,6 +97,7 @@ proto_library( "//envoy/extensions/filters/http/adaptive_concurrency/v3:pkg", "//envoy/extensions/filters/http/admission_control/v3:pkg", "//envoy/extensions/filters/http/alternate_protocols_cache/v3:pkg", + "//envoy/extensions/filters/http/api_key_auth/v3:pkg", "//envoy/extensions/filters/http/aws_lambda/v3:pkg", "//envoy/extensions/filters/http/aws_request_signing/v3:pkg", "//envoy/extensions/filters/http/bandwidth_limit/v3:pkg", From 38d893bf9378a8fc2aa4bbad389ab89dd053525a Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Mon, 21 Oct 2024 21:16:16 +0900 Subject: [PATCH 02/15] fix: define location via oneof Signed-off-by: Kensei Nakada --- .../http/api_key_auth/v3/api_key_auth.proto | 36 ++++++++----------- 1 file changed, 14 insertions(+), 22 deletions(-) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 14796d87ffbd..f229c2cdcd58 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -18,46 +18,38 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // APIKey Auth :ref:`configuration overview `. // [#extension: envoy.filters.http.api_key_auth] -// Basic HTTP authentication. +// API Key HTTP authentication. // // Example: // // .. code-block:: yaml // -// location: HEADER -// name: X-API-KEY +// authentication_header: "X-API-KEY" // keys: // inline_string: |- // apikey1:user1 // apikey2:user2 // message APIKeyAuth { - enum APIKeyLocation { - // The API key is expected to be in a header. - HEADER = 0; - - // The API key is expected to be in a query parameter. - QUERY = 1; - - // The API key is expected to be in a cookie. - COOKIE = 2; - } - - // The location of the API key. - APIKeyLocation location = 1; - - // The name of the header, query parameter, or cookie that contains the API key. - string name = 2; - // keys used to authenticate the user. // It should be a map of apikey to user. - config.core.v3.DataSource keys = 3 [(udpa.annotations.sensitive) = true]; + config.core.v3.DataSource keys = 1 [(udpa.annotations.sensitive) = true]; // The header name to forward an authenticated user. // // If it is not specified, the username will not be forwarded. - string forward_username_header = 4 + string forward_username_header = 2 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The location of the API key. + oneof location { + // The header name to fetch the key. + string authentication_header = 3; + // The query parameter name to fetch the key. + string authentication_query = 4; + // The cookie name to fetch the key. + string authentication_cookie = 5; + } } // Extra settings that may be added to per-route configuration for From 851c6614895d8b235c1d074cd73523671a9ba35b Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Tue, 22 Oct 2024 11:10:24 +0900 Subject: [PATCH 03/15] fix: eliminate oneof to follow the style guide Signed-off-by: Kensei Nakada --- .../http/api_key_auth/v3/api_key_auth.proto | 34 ++++++++----------- 1 file changed, 14 insertions(+), 20 deletions(-) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index f229c2cdcd58..4d3c48ab4201 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -27,35 +27,29 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // authentication_header: "X-API-KEY" // keys: // inline_string: |- -// apikey1:user1 -// apikey2:user2 +// clientID1:apiKey1 +// clientID2:apiKey2 // message APIKeyAuth { - // keys used to authenticate the user. - // It should be a map of apikey to user. + // keys used to authenticate the client. + // It should be a map of apikey to client. config.core.v3.DataSource keys = 1 [(udpa.annotations.sensitive) = true]; - // The header name to forward an authenticated user. - // - // If it is not specified, the username will not be forwarded. - string forward_username_header = 2 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; - - // The location of the API key. - oneof location { - // The header name to fetch the key. - string authentication_header = 3; - // The query parameter name to fetch the key. - string authentication_query = 4; - // The cookie name to fetch the key. - string authentication_cookie = 5; - } + // The header name to fetch the key. + // Only one of authentication_header, authentication_query, or authentication_cookie should be set. + string authentication_header = 2; + // The query parameter name to fetch the key. + // Only one of authentication_header, authentication_query, or authentication_cookie should be set. + string authentication_query = 3; + // The cookie name to fetch the key. + // Only one of authentication_header, authentication_query, or authentication_cookie should be set. + string authentication_cookie = 4; } // Extra settings that may be added to per-route configuration for // a virtual host or a cluster. message APIKeyAuthPerRoute { - // keys used to authenticate the user for this route. + // keys used to authenticate the client for this route. config.core.v3.DataSource keys = 1 [(validate.rules).message = {required: true}, (udpa.annotations.sensitive) = true]; } From 7626b80bac53e66fa7b3f8d66c9408aa5b27dd10 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Tue, 22 Oct 2024 12:03:03 +0900 Subject: [PATCH 04/15] chore: fix wording on the spec Signed-off-by: Kensei Nakada --- .../extensions/filters/http/api_key_auth/v3/api_key_auth.proto | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 4d3c48ab4201..3c8d7bf41eff 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -32,7 +32,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // message APIKeyAuth { // keys used to authenticate the client. - // It should be a map of apikey to client. + // It should be a map of clientID to apiKey. + // The clientID serves solely for identification purposes and isn't used for authentication. config.core.v3.DataSource keys = 1 [(udpa.annotations.sensitive) = true]; // The header name to fetch the key. From 98841dcff3b18c46440629459dca82b640ecbc84 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Thu, 24 Oct 2024 09:22:57 +0900 Subject: [PATCH 05/15] fix: clarify in case of multiple values in the header Signed-off-by: Kensei Nakada --- .../extensions/filters/http/api_key_auth/v3/api_key_auth.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 3c8d7bf41eff..4969aa6651d9 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -37,6 +37,7 @@ message APIKeyAuth { config.core.v3.DataSource keys = 1 [(udpa.annotations.sensitive) = true]; // The header name to fetch the key. + // If multiple values are present in the given header, the filter rejects the request. // Only one of authentication_header, authentication_query, or authentication_cookie should be set. string authentication_header = 2; // The query parameter name to fetch the key. From 1f5cfadf9e3e7d369bae76b94181a02709b69fe7 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Thu, 31 Oct 2024 22:23:47 +0900 Subject: [PATCH 06/15] fix: use APIKeyAuth in per-route config Signed-off-by: Kensei Nakada --- .../filters/http/api_key_auth/v3/api_key_auth.proto | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 4969aa6651d9..7af3c884a476 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -51,7 +51,7 @@ message APIKeyAuth { // Extra settings that may be added to per-route configuration for // a virtual host or a cluster. message APIKeyAuthPerRoute { - // keys used to authenticate the client for this route. - config.core.v3.DataSource keys = 1 - [(validate.rules).message = {required: true}, (udpa.annotations.sensitive) = true]; + // The API key auth configuration to use for this route. + // Leave this empty to disable API key auth for this route. + APIKeyAuth api_key_auth = 1 } From cf0959259401ff72970164cd5893e3a9025f9830 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Fri, 1 Nov 2024 01:43:57 +0900 Subject: [PATCH 07/15] chore: format proto file Signed-off-by: Kensei Nakada --- .../filters/http/api_key_auth/v3/api_key_auth.proto | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 7af3c884a476..1675e42353b8 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -32,7 +32,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // message APIKeyAuth { // keys used to authenticate the client. - // It should be a map of clientID to apiKey. + // It should be a map of clientID to apiKey. // The clientID serves solely for identification purposes and isn't used for authentication. config.core.v3.DataSource keys = 1 [(udpa.annotations.sensitive) = true]; @@ -40,9 +40,11 @@ message APIKeyAuth { // If multiple values are present in the given header, the filter rejects the request. // Only one of authentication_header, authentication_query, or authentication_cookie should be set. string authentication_header = 2; + // The query parameter name to fetch the key. // Only one of authentication_header, authentication_query, or authentication_cookie should be set. string authentication_query = 3; + // The cookie name to fetch the key. // Only one of authentication_header, authentication_query, or authentication_cookie should be set. string authentication_cookie = 4; @@ -53,5 +55,5 @@ message APIKeyAuth { message APIKeyAuthPerRoute { // The API key auth configuration to use for this route. // Leave this empty to disable API key auth for this route. - APIKeyAuth api_key_auth = 1 + APIKeyAuth api_key_auth = 1; } From 39d32d5ead26d59677786b8ef7921962ef35c697 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Fri, 1 Nov 2024 11:16:22 +0900 Subject: [PATCH 08/15] fix: register in extensions_metadata.yaml Signed-off-by: Kensei Nakada --- .../filters/http/api_key_auth/v3/api_key_auth.proto | 9 +-------- source/extensions/extensions_metadata.yaml | 7 +++++++ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 1675e42353b8..0066bceff017 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -15,6 +15,7 @@ option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/fil option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: APIKey Auth] +// [#not-implemented-hide:] // APIKey Auth :ref:`configuration overview `. // [#extension: envoy.filters.http.api_key_auth] @@ -49,11 +50,3 @@ message APIKeyAuth { // Only one of authentication_header, authentication_query, or authentication_cookie should be set. string authentication_cookie = 4; } - -// Extra settings that may be added to per-route configuration for -// a virtual host or a cluster. -message APIKeyAuthPerRoute { - // The API key auth configuration to use for this route. - // Leave this empty to disable API key auth for this route. - APIKeyAuth api_key_auth = 1; -} diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 14bc8765b4b9..035c9bb38020 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -1688,6 +1688,13 @@ envoy.http.early_header_mutation.header_mutation: status: alpha type_urls: - envoy.extensions.http.early_header_mutation.header_mutation.v3.HeaderMutation +envoy.filters.http.basic_auth: + categories: + - envoy.filters.http + security_posture: robust_to_untrusted_downstream + status: alpha + type_urls: + - envoy.extensions.filters.http.api_key_auth.v3.APIKeyAuth envoy.filters.http.custom_response: categories: - envoy.filters.http From 59f119d9333476bcad210189aff14d77b15dbffc Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Fri, 1 Nov 2024 11:39:07 +0900 Subject: [PATCH 09/15] chore: typo fix Signed-off-by: Kensei Nakada --- source/extensions/extensions_metadata.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 035c9bb38020..8569c0ac2827 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -1688,7 +1688,7 @@ envoy.http.early_header_mutation.header_mutation: status: alpha type_urls: - envoy.extensions.http.early_header_mutation.header_mutation.v3.HeaderMutation -envoy.filters.http.basic_auth: +envoy.filters.http.api_key_auth: categories: - envoy.filters.http security_posture: robust_to_untrusted_downstream From 43fa0981497580a793a86d071659f527b6625e89 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Fri, 1 Nov 2024 12:07:11 +0900 Subject: [PATCH 10/15] fix: tag wip on option Signed-off-by: Kensei Nakada --- .../extensions/filters/http/api_key_auth/v3/api_key_auth.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 0066bceff017..18ade71fddb7 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -13,6 +13,7 @@ option java_outer_classname = "ApiKeyAuthProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/api_key_auth/v3;api_key_authv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; // [#protodoc-title: APIKey Auth] // [#not-implemented-hide:] From 5c16d2b9fc0b4f454faf337f5d64df6cf5ef05c6 Mon Sep 17 00:00:00 2001 From: Kensei Nakada Date: Fri, 1 Nov 2024 12:36:48 +0900 Subject: [PATCH 11/15] fix: import things correctly Signed-off-by: Kensei Nakada --- api/envoy/extensions/filters/http/api_key_auth/v3/BUILD | 1 + .../extensions/filters/http/api_key_auth/v3/api_key_auth.proto | 1 + 2 files changed, 2 insertions(+) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/BUILD b/api/envoy/extensions/filters/http/api_key_auth/v3/BUILD index 09a37ad16b83..628f71321fba 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/BUILD +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/BUILD @@ -8,5 +8,6 @@ api_proto_package( deps = [ "//envoy/config/core/v3:pkg", "@com_github_cncf_xds//udpa/annotations:pkg", + "@com_github_cncf_xds//xds/annotations/v3:pkg", ], ) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 18ade71fddb7..e5d60dedcb7f 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -7,6 +7,7 @@ import "envoy/config/core/v3/base.proto"; import "udpa/annotations/sensitive.proto"; import "udpa/annotations/status.proto"; import "validate/validate.proto"; +import "xds/annotations/v3/status.proto"; option java_package = "io.envoyproxy.envoy.extensions.filters.http.api_key_auth.v3"; option java_outer_classname = "ApiKeyAuthProto"; From 187911e6428cd8795052bbec80ddc0b1cd5a8889 Mon Sep 17 00:00:00 2001 From: "wangbaiping(wbpcode)" Date: Fri, 1 Nov 2024 03:43:45 +0000 Subject: [PATCH 12/15] fix format Signed-off-by: wangbaiping(wbpcode) --- .../filters/http/api_key_auth/v3/api_key_auth.proto | 2 -- bazel/repositories_extra.bzl | 2 +- source/extensions/extensions_metadata.yaml | 7 ------- 3 files changed, 1 insertion(+), 10 deletions(-) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index e5d60dedcb7f..46b7192681c0 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -6,7 +6,6 @@ import "envoy/config/core/v3/base.proto"; import "udpa/annotations/sensitive.proto"; import "udpa/annotations/status.proto"; -import "validate/validate.proto"; import "xds/annotations/v3/status.proto"; option java_package = "io.envoyproxy.envoy.extensions.filters.http.api_key_auth.v3"; @@ -14,7 +13,6 @@ option java_outer_classname = "ApiKeyAuthProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/api_key_auth/v3;api_key_authv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; -option (xds.annotations.v3.file_status).work_in_progress = true; // [#protodoc-title: APIKey Auth] // [#not-implemented-hide:] diff --git a/bazel/repositories_extra.bzl b/bazel/repositories_extra.bzl index b92dd461ba70..57e38937f27a 100644 --- a/bazel/repositories_extra.bzl +++ b/bazel/repositories_extra.bzl @@ -15,7 +15,7 @@ PYTHON_MINOR_VERSION = _python_minor_version(PYTHON_VERSION) # Envoy deps that rely on a first stage of dependency loading in envoy_dependencies(). def envoy_dependencies_extra( python_version = PYTHON_VERSION, - ignore_root_user_error = False): + ignore_root_user_error = True): bazel_features_deps() emsdk_deps() raze_fetch_remote_crates() diff --git a/source/extensions/extensions_metadata.yaml b/source/extensions/extensions_metadata.yaml index 8569c0ac2827..14bc8765b4b9 100644 --- a/source/extensions/extensions_metadata.yaml +++ b/source/extensions/extensions_metadata.yaml @@ -1688,13 +1688,6 @@ envoy.http.early_header_mutation.header_mutation: status: alpha type_urls: - envoy.extensions.http.early_header_mutation.header_mutation.v3.HeaderMutation -envoy.filters.http.api_key_auth: - categories: - - envoy.filters.http - security_posture: robust_to_untrusted_downstream - status: alpha - type_urls: - - envoy.extensions.filters.http.api_key_auth.v3.APIKeyAuth envoy.filters.http.custom_response: categories: - envoy.filters.http From c189f50cafe4856bb1b36208a9afd56e4565c63b Mon Sep 17 00:00:00 2001 From: "wangbaiping(wbpcode)" Date: Fri, 1 Nov 2024 03:44:19 +0000 Subject: [PATCH 13/15] fix format Signed-off-by: wangbaiping(wbpcode) --- .../extensions/filters/http/api_key_auth/v3/api_key_auth.proto | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 46b7192681c0..3b4210c9e320 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -4,9 +4,10 @@ package envoy.extensions.filters.http.api_key_auth.v3; import "envoy/config/core/v3/base.proto"; +import "xds/annotations/v3/status.proto"; + import "udpa/annotations/sensitive.proto"; import "udpa/annotations/status.proto"; -import "xds/annotations/v3/status.proto"; option java_package = "io.envoyproxy.envoy.extensions.filters.http.api_key_auth.v3"; option java_outer_classname = "ApiKeyAuthProto"; From 3f4687e23f922b18fe5940f2b7003046ee658275 Mon Sep 17 00:00:00 2001 From: "wangbaiping(wbpcode)" Date: Fri, 1 Nov 2024 03:45:32 +0000 Subject: [PATCH 14/15] fix format Signed-off-by: wangbaiping(wbpcode) --- .../extensions/filters/http/api_key_auth/v3/api_key_auth.proto | 1 + 1 file changed, 1 insertion(+) diff --git a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto index 3b4210c9e320..0ea66523bdf6 100644 --- a/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +++ b/api/envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto @@ -14,6 +14,7 @@ option java_outer_classname = "ApiKeyAuthProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/api_key_auth/v3;api_key_authv3"; option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; // [#protodoc-title: APIKey Auth] // [#not-implemented-hide:] From 2ba008ba9ec4849ae41dbd8295a3c3994b5549a8 Mon Sep 17 00:00:00 2001 From: "wangbaiping(wbpcode)" Date: Fri, 1 Nov 2024 03:48:40 +0000 Subject: [PATCH 15/15] revert unnecessary change Signed-off-by: wangbaiping(wbpcode) --- bazel/repositories_extra.bzl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bazel/repositories_extra.bzl b/bazel/repositories_extra.bzl index 57e38937f27a..b92dd461ba70 100644 --- a/bazel/repositories_extra.bzl +++ b/bazel/repositories_extra.bzl @@ -15,7 +15,7 @@ PYTHON_MINOR_VERSION = _python_minor_version(PYTHON_VERSION) # Envoy deps that rely on a first stage of dependency loading in envoy_dependencies(). def envoy_dependencies_extra( python_version = PYTHON_VERSION, - ignore_root_user_error = True): + ignore_root_user_error = False): bazel_features_deps() emsdk_deps() raze_fetch_remote_crates()