...
1syntax = "proto3";
2
3package envoy.service.auth.v2;
4
5import "envoy/api/v2/core/address.proto";
6import "envoy/api/v2/core/base.proto";
7
8import "google/protobuf/timestamp.proto";
9
10import "udpa/annotations/status.proto";
11
12option java_package = "io.envoyproxy.envoy.service.auth.v2";
13option java_outer_classname = "AttributeContextProto";
14option java_multiple_files = true;
15option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2;authv2";
16option (udpa.annotations.file_status).package_version_status = FROZEN;
17
18// [#protodoc-title: Attribute Context ]
19
20// See :ref:`network filter configuration overview <config_network_filters_ext_authz>`
21// and :ref:`HTTP filter configuration overview <config_http_filters_ext_authz>`.
22
23// An attribute is a piece of metadata that describes an activity on a network.
24// For example, the size of an HTTP request, or the status code of an HTTP response.
25//
26// Each attribute has a type and a name, which is logically defined as a proto message field
27// of the `AttributeContext`. The `AttributeContext` is a collection of individual attributes
28// supported by the Envoy authorization system.
29// [#comment: The following items are left out of this proto
30// Request.Auth field for jwt tokens
31// Request.Api for api management
32// Origin peer that originated the request
33// Caching Protocol
34// request_context return values to inject back into the filter chain
35// peer.claims -- from X.509 extensions
36// Configuration
37// - field mask to send
38// - which return values from request_context are copied back
39// - which return values are copied into request_headers]
40// [#next-free-field: 12]
message AttributeContext {
  // This message defines attributes for a node that handles a network request.
  // The node can be either a service or an application that sends, forwards,
  // or receives the request. Service peers should fill in the `service`,
  // `principal`, and `labels` as appropriate.
  //
  // Trust note: `principal` and `certificate` carry the authenticated identity of the
  // peer. `service` and `labels` may be derived from headers or from configuration (see
  // their comments) and are only as trustworthy as whatever set them.
  // [#next-free-field: 6]
  message Peer {
    // The address of the peer; this is typically the IP address.
    // It can also be a UDS path, or another address type.
    // For `source`, this is the sender of the *last* hop (see `source` below), so behind
    // another proxy or load balancer it is that intermediary's address, not the original
    // client's.
    api.v2.core.Address address = 1;

    // The canonical service name of the peer.
    // It should be set to :ref:`the HTTP x-envoy-downstream-service-cluster
    // <config_http_conn_man_headers_downstream-service-cluster>`
    // If a more trusted source of the service name is available through mTLS/secure naming, it
    // should be used. A header-sourced value is only as trustworthy as the hop that set it;
    // an authorization server should not treat it as an authenticated identity (that is what
    // `principal` is for).
    string service = 2;

    // The labels associated with the peer.
    // These could be pod labels for Kubernetes or tags for VMs.
    // The source of the labels could be an X.509 certificate or other configuration.
    // Map wire order is undefined; do not depend on iteration order.
    map<string, string> labels = 3;

    // The authenticated identity of this peer.
    // For example, the identity associated with the workload such as a service account.
    // If an X.509 certificate is used to assert the identity this field should be sourced from
    // `URI Subject Alternative Names`, `DNS Subject Alternative Names` or `Subject` in that order.
    // The primary identity should be the principal. The principal format is issuer specific.
    //
    // proto3 strings have implicit presence: an unset principal is indistinguishable from "".
    // Consumers should treat an empty value as "no authenticated identity", never as a valid
    // (empty) principal.
    //
    // Example:
    // * SPIFFE format is `spiffe://trust-domain/path`
    // * Google account format is `https://accounts.google.com/{userid}`
    string principal = 4;

    // The X.509 certificate used to authenticate the identity of this peer.
    // When present, the certificate contents are encoded in URL and PEM format
    // (presumably the PEM text, URL-encoded — verify against the proxy's output).
    // NOTE(review): this field carries the certificate only; whether and how the chain was
    // validated is not conveyed by this message — confirm against the proxy's TLS
    // configuration before relying on it.
    string certificate = 5;
  }

  // Represents a network request, such as an HTTP request.
  message Request {
    // The timestamp when the proxy receives the first byte of the request.
    // An absolute instant (google.protobuf.Timestamp, UTC); set by the proxy, not the client.
    google.protobuf.Timestamp time = 1;

    // Represents an HTTP request or an HTTP-like request.
    // Message-typed, so it has explicit presence. When unset, the activity is presumably
    // not HTTP (e.g. a plain TCP connection checked by the network filter) — confirm.
    HttpRequest http = 2;
  }

  // This message defines attributes for an HTTP request.
  // HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests.
  //
  // Trust note: the values below reflect the request as received by the proxy. Unless a
  // trusted intermediary rewrote them, they are client-controlled input and must be
  // validated/normalized before being used in an authorization decision.
  // [#next-free-field: 12]
  message HttpRequest {
    // The unique ID for a request, which can be propagated to downstream
    // systems. The ID should have low probability of collision
    // within a single day for a specific service.
    // For HTTP requests, it should be X-Request-ID or equivalent.
    // Intended for correlation and logging. When it is forwarded from a client-supplied
    // header it is attacker-choosable, so do not use it as a nonce, idempotency key or
    // authorization input.
    string id = 1;

    // The HTTP request method, such as `GET`, `POST`.
    // Nothing here states that the value is upper-cased or restricted to known methods;
    // compare against an explicit allowlist rather than assuming canonical form.
    string method = 2;

    // The HTTP request headers. If multiple headers share the same key, they
    // must be merged according to the HTTP spec. All header keys must be
    // lower-cased, because HTTP header keys are case-insensitive.
    // Look headers up by lower-case key. Values are client-supplied unless a trusted hop
    // set them; in particular `x-forwarded-*` style headers are only as reliable as the
    // proxy chain in front of Envoy.
    map<string, string> headers = 3;

    // The request target, as it appears in the first line of the HTTP request. This includes
    // the URL path and query-string. No decoding is performed.
    // Because this is the raw, undecoded target, any path-based authorization rule must
    // normalize it (percent-decoding, `.`/`..` segments, repeated slashes) the same way the
    // upstream does, or the rule can be bypassed with an equivalent but differently
    // encoded path.
    string path = 4;

    // The HTTP request `Host` or `:authority` header value.
    string host = 5;

    // The HTTP URL scheme, such as `http` and `https`. This is set for HTTP/2
    // requests only. For HTTP/1.1, use the "x-forwarded-proto" header value to look up
    // the scheme of the request (`x-forwarded-for` carries client addresses, not the
    // scheme). Either source is only trustworthy if a trusted hop set or validated it.
    string scheme = 6;

    // This field is always empty, and exists for compatibility reasons. The HTTP URL query is
    // included in `path` field.
    string query = 7;

    // This field is always empty, and exists for compatibility reasons. The URL fragment is
    // not submitted as part of HTTP requests; it is unknowable.
    string fragment = 8;

    // The HTTP request size in bytes. If unknown, it must be -1.
    // 0 is a legitimate size (empty body) and -1 is the only "unknown" sentinel; note that
    // proto3 scalars have no presence, so an unset field also reads as 0.
    int64 size = 9;

    // The network protocol used with the request, such as "HTTP/1.0", "HTTP/1.1", or "HTTP/2".
    //
    // See :repo:`headers.h:ProtocolStrings <source/common/http/headers.h>` for a list of all
    // possible values.
    string protocol = 10;

    // The HTTP request body.
    // Declared as `string`, so it is expected to carry valid UTF-8; a binary body may not be
    // representable here losslessly.
    // NOTE(review): whether the body is populated at all, and whether it is truncated, is
    // governed by the ext_authz filter configuration rather than by this message — confirm
    // before relying on it for a decision.
    string body = 11;
  }

  // The source of a network activity, such as starting a TCP connection.
  // In a multi hop network activity, the source represents the sender of the
  // last hop.
  // That is, behind another proxy this is the intermediary, not the originating client;
  // the client's address, if needed, has to come from a header that the intermediary is
  // trusted to set.
  Peer source = 1;

  // The destination of a network activity, such as accepting a TCP connection.
  // In a multi hop network activity, the destination represents the receiver of
  // the last hop.
  Peer destination = 2;

  // Represents a network request, such as an HTTP request.
  // NOTE(review): field numbers 3 and 5-9 are unused in this message. The package is
  // FROZEN (see the file option above), so do not assign them.
  Request request = 4;

  // This is analogous to http_request.headers, however these contents will not be sent to the
  // upstream server. Context_extensions provide an extension mechanism for sending additional
  // information to the auth server without modifying the proto definition. It maps to the
  // internal opaque context in the filter chain.
  // Unlike `request.http.headers`, these presumably originate from the proxy's filter
  // configuration rather than from the client — verify against the ext_authz filter config
  // before treating them as trusted input.
  map<string, string> context_extensions = 10;

  // Dynamic metadata associated with the request.
  // Presumably produced by other filters in the chain ahead of ext_authz; its
  // trustworthiness follows from those filters, not from the client — confirm.
  api.v2.core.Metadata metadata_context = 11;
}