authz_filter: configuration to support Ambassador authorization flow (e…

…nvoyproxy#563) This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter. Signed-off-by: Gabriel <[email protected]>
jmarantz · Apr 2, 2018 · f88047c · f88047c
1 parent c4590ec
commit f88047c
Show file tree

Hide file tree

Showing 8 changed files with 68 additions and 32 deletions.
diff --git a/docs/BUILD b/docs/BUILD
@@ -26,7 +26,7 @@ proto_library(
         "//envoy/config/bootstrap/v2:bootstrap",
         "//envoy/config/filter/accesslog/v2:accesslog",
         "//envoy/config/filter/http/buffer/v2:buffer",
-        "//envoy/config/filter/http/ext_authz/v2:ext_authz",
+        "//envoy/config/filter/http/ext_authz/v2alpha:ext_authz",
         "//envoy/config/filter/http/fault/v2:fault",
         "//envoy/config/filter/http/gzip/v2:gzip",
         "//envoy/config/filter/http/health_check/v2:health_check",

diff --git a/envoy/api/v2/core/http_uri.proto b/envoy/api/v2/core/http_uri.proto
@@ -2,6 +2,9 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
+import "google/protobuf/duration.proto";
+import "gogoproto/gogo.proto";
+
 import "validate/validate.proto";
 
 // Envoy external URI descriptor
@@ -34,4 +37,11 @@ message HttpUri {
     //
     string cluster = 2 [(validate.rules).string.min_bytes = 1];
   }
+
+  // Sets the maximum duration in milliseconds that a response can take to arrive upon request.
+  google.protobuf.Duration timeout = 3 [
+    (validate.rules).duration.gte = {},
+    (validate.rules).duration.required = true,
+    (gogoproto.stdduration) = true
+  ];
 }
diff --git a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
diff --git a/envoy/config/filter/http/ext_authz/v2/BUILD → ...onfig/filter/http/ext_authz/v2alpha/BUILD b/envoy/config/filter/http/ext_authz/v2/BUILD → ...onfig/filter/http/ext_authz/v2alpha/BUILD
@@ -5,5 +5,8 @@ licenses(["notice"])  # Apache 2
 api_proto_library(
     name = "ext_authz",
     srcs = ["ext_authz.proto"],
-    deps = ["//envoy/api/v2/core:grpc_service"],
+    deps = [
+        "//envoy/api/v2/core:grpc_service",
+        "//envoy/api/v2/core:http_uri",
+    ],
 )
diff --git a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
@@ -0,0 +1,34 @@
+syntax = "proto3";
+
+package envoy.config.filter.http.ext_authz.v2alpha;
+option go_package = "v2alpha";
+
+import "envoy/api/v2/core/grpc_service.proto";
+import "envoy/api/v2/core/http_uri.proto";
+
+// The external authorization HTTP service configuration.
+message HttpService {
+  // Sets the HTTP server URI which the authorization requests must be sent to.
+  envoy.api.v2.core.HttpUri server_uri = 1;
+
+  // Sets an optional prefix to the value of authorization request header `path`.
+  string path_prefix = 2;
+}
+
+message ExtAuthz {
+
+  oneof services {
+    // The external authorization gRPC service configuration.
+    envoy.api.v2.core.GrpcService grpc_service = 1;
+
+    // The external authorization HTTP service configuration.
+    HttpService http_service = 3;
+  }
+
+  // The filter's behaviour in case the external authorization service does
+  // not respond back. If set to true then in case of failure to get a
+  // response back from the authorization service or getting a response that
+  // is NOT denied then traffic will be permitted.
+  // Defaults to false.
+  bool failure_mode_allow = 2;
+}
diff --git a/envoy/service/auth/v2/BUILD → envoy/service/auth/v2alpha/BUILD b/envoy/service/auth/v2/BUILD → envoy/service/auth/v2alpha/BUILD
diff --git a/...y/service/auth/v2/attribute_context.proto → ...vice/auth/v2alpha/attribute_context.proto b/...y/service/auth/v2/attribute_context.proto → ...vice/auth/v2alpha/attribute_context.proto
@@ -2,7 +2,7 @@ syntax = "proto3";
 
 // [#proto-status: draft]
 
-package envoy.service.auth.v2;
+package envoy.service.auth.v2alpha;
 
 import "envoy/api/v2/core/address.proto";
 

diff --git a/envoy/service/auth/v2/external_auth.proto → .../service/auth/v2alpha/external_auth.proto b/envoy/service/auth/v2/external_auth.proto → .../service/auth/v2alpha/external_auth.proto
@@ -2,13 +2,14 @@ syntax = "proto3";
 
 // [#proto-status: draft]
 
-package envoy.service.auth.v2;
-option go_package = "v2";
+package envoy.service.auth.v2alpha;
+option go_package = "v2alpha";
 option java_generic_services = true;
 
-import "envoy/service/auth/v2/attribute_context.proto";
+import "envoy/service/auth/v2alpha/attribute_context.proto";
 
 import "google/rpc/status.proto";
+import "validate/validate.proto";
 
 // A generic interface for performing authorization check on incoming
 // requests to a networked service.
@@ -26,4 +27,18 @@ message CheckRequest {
 message CheckResponse {
   // Status `OK` allows the request. Any other status indicates the request should be denied.
   google.rpc.Status status = 1;
+
+  // An optional message that contains HTTP response attributes. This message is
+  // used when the authorization service needs to send custom responses to the
+  // downstream client or, to modify/add request headers being dispatched to the upstream.
+  message HttpResponse {
+    // Http status code.
+    uint32 status_code = 1 [(validate.rules).uint32 = {gte: 100, lt: 600}];
+
+    // Http entity headers.
+    map<string, string> headers = 2;
+
+    // Http entity body.
+    string body = 3;
+  }
 }