From f88047c0d470352ad1bf6a97dd64155bc65047a0 Mon Sep 17 00:00:00 2001
From: Gabriel Sagula
Date: Mon, 2 Apr 2018 08:33:21 -0700
Subject: [PATCH] authz_filter: configuration to support Ambassador authorization flow (#563)
This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter.
Signed-off-by: Gabriel
---
 docs/BUILD | 2 +-
 envoy/api/v2/core/http_uri.proto | 10 ++++++
 .../filter/http/ext_authz/v2/ext_authz.proto | 26 --------------
 .../http/ext_authz/{v2 => v2alpha}/BUILD | 5 ++-
 .../http/ext_authz/v2alpha/ext_authz.proto | 34 +++++++++++++++++++
 envoy/service/auth/{v2 => v2alpha}/BUILD | 0
 .../{v2 => v2alpha}/attribute_context.proto | 2 +-
 .../auth/{v2 => v2alpha}/external_auth.proto | 21 ++++++++++-
 8 files changed, 68 insertions(+), 32 deletions(-)
 delete mode 100644 envoy/config/filter/http/ext_authz/v2/ext_authz.proto
 rename envoy/config/filter/http/ext_authz/{v2 => v2alpha}/BUILD (62%)
 create mode 100644 envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
 rename envoy/service/auth/{v2 => v2alpha}/BUILD (100%)
 rename envoy/service/auth/{v2 => v2alpha}/attribute_context.proto (99%)
 rename envoy/service/auth/{v2 => v2alpha}/external_auth.proto (51%)
diff --git a/docs/BUILD b/docs/BUILD
index 5bb0beb57..f9a1c04d4 100644
--- a/docs/BUILD
+++ b/docs/BUILD
@@ -26,7 +26,7 @@ proto_library(
 "//envoy/config/bootstrap/v2:bootstrap",
 "//envoy/config/filter/accesslog/v2:accesslog",
 "//envoy/config/filter/http/buffer/v2:buffer",
- "//envoy/config/filter/http/ext_authz/v2:ext_authz",
+ "//envoy/config/filter/http/ext_authz/v2alpha:ext_authz",
 "//envoy/config/filter/http/fault/v2:fault",
 "//envoy/config/filter/http/gzip/v2:gzip",
 "//envoy/config/filter/http/health_check/v2:health_check",
diff --git a/envoy/api/v2/core/http_uri.proto b/envoy/api/v2/core/http_uri.proto
index 5587e4391..92097778b 100644
--- a/envoy/api/v2/core/http_uri.proto
+++ b/envoy/api/v2/core/http_uri.proto
@@ -2,6 +2,9 @@ syntax = "proto3";
 
 package envoy.api.v2.core;
 
+import "google/protobuf/duration.proto";
+import "gogoproto/gogo.proto";
+
 import "validate/validate.proto";
 
 // Envoy external URI descriptor
@@ -34,4 +37,11 @@ message HttpUri {
 //
 string cluster = 2 [(validate.rules).string.min_bytes = 1];
 }
+
+ // Sets the maximum duration in milliseconds that a response can take to arrive upon request.
+ google.protobuf.Duration timeout = 3 [
+ (validate.rules).duration.gte = {},
+ (validate.rules).duration.required = true,
+ (gogoproto.stdduration) = true
+ ];
 }
diff --git a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
deleted file mode 100644
index 8365c054e..000000000
--- a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
+++ /dev/null
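Review bot: The new `timeout` field is added to the existing, shared `HttpUri` message with `(validate.rules).duration.required = true`, which turns every already-deployed config that omits it into a validation failure for all consumers of `HttpUri`, not only the new ext_authz HTTP path; if that is intended it should be called out in the field comment, otherwise drop `required` and document the default the consumer applies. The comment `Sets the maximum duration in milliseconds` does not match the type, since `google.protobuf.Duration` carries seconds plus nanos; I would write `// Maximum time to wait for the response to a request sent to this URI. Required.` instead. `duration.gte = {}` also accepts a zero timeout, and unless zero has a defined meaning in the consuming filter (presumably it does not), `(validate.rules).duration.gt = {}` rejects it at config-load time rather than leaving the behaviour to each caller. The enclosing `HttpUri` message starts outside the hunk.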
@@ -1,26 +0,0 @@
-syntax = "proto3";
-
-package envoy.config.filter.http.ext_authz.v2;
-option go_package = "v2";
-
-import "envoy/api/v2/core/grpc_service.proto";
-
-import "validate/validate.proto";
-
-// [#not-implemented-hide:]
-// External Authorization filter calls out to an external service over the
-// gRPC Authorization API defined by
-// :ref:`external_auth `.
-// A failed check will cause this filter to return 403 Forbidden.
-message ExtAuthz {
-
- // The external authorization gRPC service configuration.
- envoy.api.v2.core.GrpcService grpc_service = 1;
-
- // The filter's behaviour in case the external authorization service does
- // not respond back. If set to true then in case of failure to get a
- // response back from the authorization service or getting a response that
- // is NOT denied then traffic will be permitted.
- // Defaults to false.
- bool failure_mode_allow = 2;
-}
diff --git a/envoy/config/filter/http/ext_authz/v2/BUILD b/envoy/config/filter/http/ext_authz/v2alpha/BUILD
similarity index 62%
rename from envoy/config/filter/http/ext_authz/v2/BUILD
rename to envoy/config/filter/http/ext_authz/v2alpha/BUILD
index 22dc89152..62e7fc3d6 100644
--- a/envoy/config/filter/http/ext_authz/v2/BUILD
+++ b/envoy/config/filter/http/ext_authz/v2alpha/BUILD
@@ -5,5 +5,8 @@ licenses(["notice"]) # Apache 2
 api_proto_library(
 name = "ext_authz",
 srcs = ["ext_authz.proto"],
- deps = ["//envoy/api/v2/core:grpc_service"],
+ deps = [
+ "//envoy/api/v2/core:grpc_service",
+ "//envoy/api/v2/core:http_uri",
+ ],
 )
diff --git a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
new file mode 100644
index 000000000..a9392b855
--- /dev/null
+++ b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
@@ -0,0 +1,34 @@
+syntax = "proto3";
+
+package envoy.config.filter.http.ext_authz.v2alpha;
+option go_package = "v2alpha";
+
+import "envoy/api/v2/core/grpc_service.proto";
+import "envoy/api/v2/core/http_uri.proto";
+
+// The external authorization HTTP service configuration.
+message HttpService {
+ // Sets the HTTP server URI which the authorization requests must be sent to.
+ envoy.api.v2.core.HttpUri server_uri = 1;
+
+ // Sets an optional prefix to the value of authorization request header `path`.
+ string path_prefix = 2;
+}
+
+message ExtAuthz {
+
+ oneof services {
+ // The external authorization gRPC service configuration.
+ envoy.api.v2.core.GrpcService grpc_service = 1;
+
+ // The external authorization HTTP service configuration.
+ HttpService http_service = 3;
+ }
+
+ // The filter's behaviour in case the external authorization service does
+ // not respond back. If set to true then in case of failure to get a
+ // response back from the authorization service or getting a response that
+ // is NOT denied then traffic will be permitted.
+ // Defaults to false.
+ bool failure_mode_allow = 2;
+}
diff --git a/envoy/service/auth/v2/BUILD b/envoy/service/auth/v2alpha/BUILD
similarity index 100%
rename from envoy/service/auth/v2/BUILD
rename to envoy/service/auth/v2alpha/BUILD
diff --git a/envoy/service/auth/v2/attribute_context.proto b/envoy/service/auth/v2alpha/attribute_context.proto
similarity index 99%
rename from envoy/service/auth/v2/attribute_context.proto
rename to envoy/service/auth/v2alpha/attribute_context.proto
index e27c798ff..a8c4bd0b4 100644
--- a/envoy/service/auth/v2/attribute_context.proto
+++ b/envoy/service/auth/v2alpha/attribute_context.proto
@@ -2,7 +2,7 @@ syntax = "proto3";
 
 // [#proto-status: draft]
-package envoy.service.auth.v2;
+package envoy.service.auth.v2alpha;
 
 import "envoy/api/v2/core/address.proto";
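Review bot: `oneof services` in the new `ExtAuthz` message carries no `option (validate.required) = true;`, so a config that sets neither `grpc_service` nor `http_service` passes validation and whether the filter then fails closed or lets everything through is left to the implementation; adding that option as the first line inside the oneof rejects such a config at load time. Likewise `HttpService.server_uri` has no presence rule, so `http_service: {}` is accepted; `envoy.api.v2.core.HttpUri server_uri = 1 [(validate.rules).message.required = true];` closes that. The comment on `path_prefix` should also say how the prefix is joined to the request path (whether a separator is inserted and whether the prefix is normalized), since the authorization service will route on the result. The `failure_mode_allow` comment, carried over unchanged from v2, folds the ordinary allow case into the failure case; `// If true, requests are permitted when no response can be obtained from the authorization service. Defaults to false.` says what the field controls, and the behaviour for false should be stated explicitly if the filter denies in that case.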
diff --git a/envoy/service/auth/v2/external_auth.proto b/envoy/service/auth/v2alpha/external_auth.proto
similarity index 51%
rename from envoy/service/auth/v2/external_auth.proto
rename to envoy/service/auth/v2alpha/external_auth.proto
index c5f571a65..29acfa29c 100644
--- a/envoy/service/auth/v2/external_auth.proto
+++ b/envoy/service/auth/v2alpha/external_auth.proto
@@ -2,13 +2,14 @@ syntax = "proto3";
 
 // [#proto-status: draft]
-package envoy.service.auth.v2;
-option go_package = "v2";
+package envoy.service.auth.v2alpha;
+option go_package = "v2alpha";
 option java_generic_services = true;
 
-import "envoy/service/auth/v2/attribute_context.proto";
+import "envoy/service/auth/v2alpha/attribute_context.proto";
 import "google/rpc/status.proto";
+import "validate/validate.proto";
 
 // A generic interface for performing authorization check on incoming
 // requests to a networked service.
@@ -26,4 +27,18 @@ message CheckRequest {
 message CheckResponse {
 // Status `OK` allows the request. Any other status indicates the request should be denied.
 google.rpc.Status status = 1;
+
+ // An optional message that contains HTTP response attributes. This message is
+ // used when the authorization service needs to send custom responses to the
+ // downstream client or, to modify/add request headers being dispatched to the upstream.
+ message HttpResponse {
+ // Http status code.
+ uint32 status_code = 1 [(validate.rules).uint32 = {gte: 100, lt: 600}];
+
+ // Http entity headers.
+ map headers = 2;
+
+ // Http entity body.
+ string body = 3;
+ }
 }
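Review bot: The nested `HttpResponse` message is declared inside `CheckResponse`, but no field of `CheckResponse` has that type (the message still holds only `status = 1` when the hunk closes it), so the attributes the commit message says the authorization service can pass back have no wire slot; add `HttpResponse http_response = 2;` after the nested definition, with the number then fixed for good. The `headers` comment says the map is used to "modify/add request headers being dispatched to the upstream", which hands an external service write access to headers the upstream may trust (`host`, authentication headers); the comment should state which headers the filter will accept from it, or that the set is unrestricted if that is the intent. In this rendering the map's key and value types are missing (`map headers = 2;`), presumably `map<string, string>` in the actual file, which is worth confirming against the source. `string body` must be valid UTF-8 on the wire, so if the authorization service may return a binary body, `bytes body = 3;` is the safer choice. `CheckResponse` begins and ends inside the hunk, but the file continues beyond it.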