syntax = "proto3";

package envoy.service.auth.v4alpha;

import "envoy/config/core/v4alpha/address.proto";
import "envoy/config/core/v4alpha/base.proto";

import "google/protobuf/timestamp.proto";

import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";

// Java code generation settings.
option java_package = "io.envoyproxy.envoy.service.auth.v4alpha";
option java_outer_classname = "AttributeContextProto";
option java_multiple_files = true;
// Package-version status annotation consumed by Envoy's API tooling; marks this v4alpha package
// as a candidate for the next major API version.
option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
17
18// [#protodoc-title: Attribute Context ]
19
20// See :ref:`network filter configuration overview <config_network_filters_ext_authz>`
21// and :ref:`HTTP filter configuration overview <config_http_filters_ext_authz>`.
22
23// An attribute is a piece of metadata that describes an activity on a network.
24// For example, the size of an HTTP request, or the status code of an HTTP response.
25//
26// Each attribute has a type and a name, which is logically defined as a proto message field
27// of the `AttributeContext`. The `AttributeContext` is a collection of individual attributes
28// supported by the Envoy authorization system.
29// [#comment: The following items are left out of this proto
30// Request.Auth field for jwt tokens
31// Request.Api for api management
32// Origin peer that originated the request
33// Caching Protocol
34// request_context return values to inject back into the filter chain
35// peer.claims -- from X.509 extensions
36// Configuration
37// - field mask to send
38// - which return values from request_context are copied back
39// - which return values are copied into request_headers]
40// [#next-free-field: 12]
message AttributeContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.service.auth.v3.AttributeContext";

  // This message defines attributes for a node that handles a network request.
  // The node can be either a service or an application that sends, forwards,
  // or receives the request. Service peers should fill in the `service`,
  // `principal`, and `labels` as appropriate.
  // [#next-free-field: 6]
  message Peer {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.service.auth.v3.AttributeContext.Peer";

    // The address of the peer, this is typically the IP address.
    // It can also be UDS path, or others.
    config.core.v4alpha.Address address = 1;

    // The canonical service name of the peer.
    // It should be set to :ref:`the HTTP x-envoy-downstream-service-cluster
    // <config_http_conn_man_headers_downstream-service-cluster>`
    // If a more trusted source of the service name is available through mTLS/secure naming, it
    // should be used.
    // NOTE(review): when taken from that header the value is supplied by the downstream hop and
    // is not authenticated by itself; authorization policy should prefer the mTLS-derived
    // `principal` where one is present.
    string service = 2;

    // The labels associated with the peer.
    // These could be pod labels for Kubernetes or tags for VMs.
    // The source of the labels could be an X.509 certificate or other configuration.
    map<string, string> labels = 3;

    // The authenticated identity of this peer.
    // For example, the identity associated with the workload such as a service account.
    // If an X.509 certificate is used to assert the identity this field should be sourced from
    // `URI Subject Alternative Names`, `DNS Subject Alternative Names` or `Subject` in that order.
    // The primary identity should be the principal. The principal format is issuer specific.
    //
    // Example:
    // * SPIFFE format is `spiffe://trust-domain/path`
    // * Google account format is `https://accounts.google.com/{userid}`
    string principal = 4;

    // The X.509 certificate used to authenticate the identity of this peer.
    // When present, the certificate contents are encoded in URL and PEM format, i.e. the PEM text
    // is URL-encoded; a consumer that wants to parse or re-validate the certificate must URL-decode
    // it first.
    string certificate = 5;
  }

  // Represents a network request, such as an HTTP request.
  message Request {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.service.auth.v3.AttributeContext.Request";

    // The timestamp when the proxy receives the first byte of the request.
    google.protobuf.Timestamp time = 1;

    // Represents an HTTP request or an HTTP-like request.
    HttpRequest http = 2;
  }

  // This message defines attributes for an HTTP request.
  // HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests.
  // [#next-free-field: 13]
  message HttpRequest {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.service.auth.v3.AttributeContext.HttpRequest";

    // The unique ID for a request, which can be propagated to downstream
    // systems. The ID should have low probability of collision
    // within a single day for a specific service.
    // For HTTP requests, it should be X-Request-ID or equivalent.
    string id = 1;

    // The HTTP request method, such as `GET`, `POST`.
    string method = 2;

    // The HTTP request headers. If multiple headers share the same key, they
    // must be merged according to the HTTP spec. All header keys must be
    // lower-cased, because HTTP header keys are case-insensitive.
    //
    // Because the map holds exactly one value per key, the authorization server only sees the
    // merged value and cannot tell a header that was sent once from one sent several times.
    map<string, string> headers = 3;

    // The request target, as it appears in the first line of the HTTP request. This includes
    // the URL path and query-string. No decoding is performed.
    //
    // NOTE(review): since the value is undecoded and still carries the query string, path-based
    // authorization rules should normalize it (decode, strip the query, resolve dot-segments)
    // before matching rather than comparing the raw string.
    string path = 4;

    // The HTTP request `Host` or `Authority` header value.
    string host = 5;

    // The HTTP URL scheme, such as `http` and `https`.
    string scheme = 6;

    // This field is always empty, and exists for compatibility reasons. The HTTP URL query is
    // included in `path` field.
    string query = 7;

    // This field is always empty, and exists for compatibility reasons. The URL fragment is
    // not submitted as part of HTTP requests; it is unknowable.
    string fragment = 8;

    // The HTTP request size in bytes. If unknown, it must be -1.
    int64 size = 9;

    // The network protocol used with the request, such as "HTTP/1.0", "HTTP/1.1", or "HTTP/2".
    //
    // See :repo:`headers.h:ProtocolStrings <source/common/http/headers.h>` for a list of all
    // possible values.
    string protocol = 10;

    // The HTTP request body.
    //
    // As a proto3 `string` this field must hold valid UTF-8; see `raw_body`, which carries the
    // body as `bytes` when `pack_as_bytes` is set.
    string body = 11;

    // The HTTP request body in bytes. This is used instead of
    // :ref:`body <envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.body>` when
    // :ref:`pack_as_bytes <envoy_api_field_extensions.filters.http.ext_authz.v4alpha.BufferSettings.pack_as_bytes>`
    // is set to true.
    bytes raw_body = 12;
  }

  // The source of a network activity, such as starting a TCP connection.
  // In a multi hop network activity, the source represents the sender of the
  // last hop.
  //
  // Note that this is the peer of the last hop (for example an intermediate proxy), not
  // necessarily the client that originated the request; the origin peer is deliberately left out
  // of this message (see the comment at the top of this file).
  Peer source = 1;

  // The destination of a network activity, such as accepting a TCP connection.
  // In a multi hop network activity, the destination represents the receiver of
  // the last hop.
  Peer destination = 2;

  // Represents a network request, such as an HTTP request.
  Request request = 4;

  // This is analogous to http_request.headers, however these contents will not be sent to the
  // upstream server. Context_extensions provide an extension mechanism for sending additional
  // information to the auth server without modifying the proto definition. It maps to the
  // internal opaque context in the filter chain.
  map<string, string> context_extensions = 10;

  // Dynamic metadata associated with the request.
  config.core.v4alpha.Metadata metadata_context = 11;
}