...

Text file src/github.com/emissary-ingress/emissary/v3/api/envoy/service/auth/v2/attribute_context.proto

Documentation: github.com/emissary-ingress/emissary/v3/api/envoy/service/auth/v2

     1syntax = "proto3";
     2
     3package envoy.service.auth.v2;
     4
     5import "envoy/api/v2/core/address.proto";
     6import "envoy/api/v2/core/base.proto";
     7
     8import "google/protobuf/timestamp.proto";
     9
    10import "udpa/annotations/status.proto";
    11
    12option java_package = "io.envoyproxy.envoy.service.auth.v2";
    13option java_outer_classname = "AttributeContextProto";
    14option java_multiple_files = true;
    15option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2;authv2";
    16option (udpa.annotations.file_status).package_version_status = FROZEN;
    17
    18// [#protodoc-title: Attribute Context ]
    19
    20// See :ref:`network filter configuration overview <config_network_filters_ext_authz>`
    21// and :ref:`HTTP filter configuration overview <config_http_filters_ext_authz>`.
    22
    23// An attribute is a piece of metadata that describes an activity on a network.
    24// For example, the size of an HTTP request, or the status code of an HTTP response.
    25//
    26// Each attribute has a type and a name, which is logically defined as a proto message field
    27// of the `AttributeContext`. The `AttributeContext` is a collection of individual attributes
    28// supported by Envoy authorization system.
    29// [#comment: The following items are left out of this proto
    30// Request.Auth field for jwt tokens
    31// Request.Api for api management
    32// Origin peer that originated the request
    33// Caching Protocol
    34// request_context return values to inject back into the filter chain
    35// peer.claims -- from X.509 extensions
    36// Configuration
    37// - field mask to send
    38// - which return values from request_context are copied back
    39// - which return values are copied into request_headers]
    40// [#next-free-field: 12]
    41message AttributeContext {
    42  // This message defines attributes for a node that handles a network request.
    43  // The node can be either a service or an application that sends, forwards,
    44  // or receives the request. Service peers should fill in the `service`,
    45  // `principal`, and `labels` as appropriate.
    46  // [#next-free-field: 6]
    47  message Peer {
    48    // The address of the peer, this is typically the IP address.
    49    // It can also be UDS path, or others.
    50    api.v2.core.Address address = 1;
    51
    52    // The canonical service name of the peer.
    53    // It should be set to :ref:`the HTTP x-envoy-downstream-service-cluster
    54    // <config_http_conn_man_headers_downstream-service-cluster>`
    55    // If a more trusted source of the service name is available through mTLS/secure naming, it
    56    // should be used.
    57    string service = 2;
    58
    59    // The labels associated with the peer.
    60    // These could be pod labels for Kubernetes or tags for VMs.
    61    // The source of the labels could be an X.509 certificate or other configuration.
    62    map<string, string> labels = 3;
    63
    64    // The authenticated identity of this peer.
    65    // For example, the identity associated with the workload such as a service account.
    66    // If an X.509 certificate is used to assert the identity this field should be sourced from
    67    // `URI Subject Alternative Names`, `DNS Subject Alternate Names` or `Subject` in that order.
    68    // The primary identity should be the principal. The principal format is issuer specific.
    69    //
    70    // Example:
    71    // *    SPIFFE format is `spiffe://trust-domain/path`
    72    // *    Google account format is `https://accounts.google.com/{userid}`
    73    string principal = 4;
    74
    75    // The X.509 certificate used to authenticate the identify of this peer.
    76    // When present, the certificate contents are encoded in URL and PEM format.
    77    string certificate = 5;
    78  }
    79
    80  // Represents a network request, such as an HTTP request.
    81  message Request {
    82    // The timestamp when the proxy receives the first byte of the request.
    83    google.protobuf.Timestamp time = 1;
    84
    85    // Represents an HTTP request or an HTTP-like request.
    86    HttpRequest http = 2;
    87  }
    88
    89  // This message defines attributes for an HTTP request.
    90  // HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests.
    91  // [#next-free-field: 12]
    92  message HttpRequest {
    93    // The unique ID for a request, which can be propagated to downstream
    94    // systems. The ID should have low probability of collision
    95    // within a single day for a specific service.
    96    // For HTTP requests, it should be X-Request-ID or equivalent.
    97    string id = 1;
    98
    99    // The HTTP request method, such as `GET`, `POST`.
   100    string method = 2;
   101
   102    // The HTTP request headers. If multiple headers share the same key, they
   103    // must be merged according to the HTTP spec. All header keys must be
   104    // lower-cased, because HTTP header keys are case-insensitive.
   105    map<string, string> headers = 3;
   106
   107    // The request target, as it appears in the first line of the HTTP request. This includes
   108    // the URL path and query-string. No decoding is performed.
   109    string path = 4;
   110
   111    // The HTTP request `Host` or 'Authority` header value.
   112    string host = 5;
   113
   114    // The HTTP URL scheme, such as `http` and `https`. This is set for HTTP/2
   115    // requests only. For HTTP/1.1, use "x-forwarded-for" header value to lookup
   116    // the scheme of the request.
   117    string scheme = 6;
   118
   119    // This field is always empty, and exists for compatibility reasons. The HTTP URL query is
   120    // included in `path` field.
   121    string query = 7;
   122
   123    // This field is always empty, and exists for compatibility reasons. The URL fragment is
   124    // not submitted as part of HTTP requests; it is unknowable.
   125    string fragment = 8;
   126
   127    // The HTTP request size in bytes. If unknown, it must be -1.
   128    int64 size = 9;
   129
   130    // The network protocol used with the request, such as "HTTP/1.0", "HTTP/1.1", or "HTTP/2".
   131    //
   132    // See :repo:`headers.h:ProtocolStrings <source/common/http/headers.h>` for a list of all
   133    // possible values.
   134    string protocol = 10;
   135
   136    // The HTTP request body.
   137    string body = 11;
   138  }
   139
   140  // The source of a network activity, such as starting a TCP connection.
   141  // In a multi hop network activity, the source represents the sender of the
   142  // last hop.
   143  Peer source = 1;
   144
   145  // The destination of a network activity, such as accepting a TCP connection.
   146  // In a multi hop network activity, the destination represents the receiver of
   147  // the last hop.
   148  Peer destination = 2;
   149
   150  // Represents a network request, such as an HTTP request.
   151  Request request = 4;
   152
   153  // This is analogous to http_request.headers, however these contents will not be sent to the
   154  // upstream server. Context_extensions provide an extension mechanism for sending additional
   155  // information to the auth server without modifying the proto definition. It maps to the
   156  // internal opaque context in the filter chain.
   157  map<string, string> context_extensions = 10;
   158
   159  // Dynamic metadata associated with the request.
   160  api.v2.core.Metadata metadata_context = 11;
   161}

View as plain text