extauth

package
v1.1.0-rc3 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Aug 18, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// GatewayExtauth_ApiVersion_name maps each GatewayExtauth_ApiVersion number to
// its enum name.
var GatewayExtauth_ApiVersion_name = map[int32]string{
	2: "V3",
	1: "ENVOY_AUTO",
	0: "GLOO_MESH_AUTO",
}

// GatewayExtauth_ApiVersion_value is the inverse lookup: enum name to number.
var GatewayExtauth_ApiVersion_value = map[string]int32{
	"V3":             2,
	"ENVOY_AUTO":     1,
	"GLOO_MESH_AUTO": 0,
}

Enum value maps for GatewayExtauth_ApiVersion.

// File_github_com_solo_io_gloo_mesh_api_networking_v1_extauth_extauth_proto is the package's
// exported protoreflect.FileDescriptor variable. Judging by its name it describes extauth.proto;
// confirm against the generated source.
var File_github_com_solo_io_gloo_mesh_api_networking_v1_extauth_extauth_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type BufferSettings

// BufferSettings is the configuration for buffering the request data that is sent to the
// external authorization service.
type BufferSettings struct {

	// Sets the maximum size of a message body that the filter will hold in memory. Envoy will return
	// *HTTP 413* and will *not* initiate the authorization process when the buffer reaches the number
	// set in this field. Note that this setting takes precedence over failure_mode_allow, so an
	// oversized body is rejected with 413 even when the filter is otherwise configured to fail open.
	// Defaults to 4KB.
	MaxRequestBytes uint32 `protobuf:"varint,1,opt,name=max_request_bytes,json=maxRequestBytes,proto3" json:"max_request_bytes,omitempty"`
	// When this field is true, Envoy will buffer the message until *max_request_bytes* is reached.
	// The authorization request will then be dispatched and no 413 HTTP error will be returned by the
	// filter.
	// NOTE(review): presumably the auth server then sees only the buffered prefix of the body, so a
	// decision that depends on body content may be made on partial data. Confirm against the auth
	// server before enabling.
	AllowPartialMessage bool `protobuf:"varint,2,opt,name=allow_partial_message,json=allowPartialMessage,proto3" json:"allow_partial_message,omitempty"`
	// When this field is true, Envoy will send the request body to the external authorization service as raw bytes.
	PackAsBytes bool `protobuf:"varint,3,opt,name=pack_as_bytes,json=packAsBytes,proto3" json:"pack_as_bytes,omitempty"`
	// contains filtered or unexported fields
}

Configuration for buffering the request data.

func (*BufferSettings) Descriptor deprecated

func (*BufferSettings) Descriptor() ([]byte, []int)

Deprecated: Use BufferSettings.ProtoReflect.Descriptor instead.

func (*BufferSettings) Equal

func (m *BufferSettings) Equal(that interface{}) bool

Equal function

func (*BufferSettings) GetAllowPartialMessage

func (x *BufferSettings) GetAllowPartialMessage() bool

func (*BufferSettings) GetMaxRequestBytes

func (x *BufferSettings) GetMaxRequestBytes() uint32

func (*BufferSettings) GetPackAsBytes

func (x *BufferSettings) GetPackAsBytes() bool

func (*BufferSettings) ProtoMessage

func (*BufferSettings) ProtoMessage()

func (*BufferSettings) ProtoReflect

func (x *BufferSettings) ProtoReflect() protoreflect.Message

func (*BufferSettings) Reset

func (x *BufferSettings) Reset()

func (*BufferSettings) String

func (x *BufferSettings) String() string

type CustomAuth

// CustomAuth is used with custom auth servers. Gloo Mesh is not expected to configure the
// ext auth server in this case.
type CustomAuth struct {

	// When a request matches the route or traffic policy on which this configuration is defined,
	// Gloo Mesh will add the given context_extensions to the request that is sent to the external authorization server.
	// This allows the server to base the auth decision on metadata that you define on the source of the request.
	// The values come from this configuration, not from the client request.
	//
	// This attribute is analogous to Envoy's config.filter.http.ext_authz.v2.CheckSettings. See the official
	// [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto.html?highlight=ext_authz#config-filter-http-ext-authz-v2-checksettings)
	// for more details.
	ContextExtensions map[string]string `` /* 200-byte string literal not displayed */
	// contains filtered or unexported fields
}

Gloo Mesh is not expected to configure the ext auth server in this case. This is used with custom auth servers.

func (*CustomAuth) Descriptor deprecated

func (*CustomAuth) Descriptor() ([]byte, []int)

Deprecated: Use CustomAuth.ProtoReflect.Descriptor instead.

func (*CustomAuth) Equal

func (m *CustomAuth) Equal(that interface{}) bool

Equal function

func (*CustomAuth) GetContextExtensions

func (x *CustomAuth) GetContextExtensions() map[string]string

func (*CustomAuth) ProtoMessage

func (*CustomAuth) ProtoMessage()

func (*CustomAuth) ProtoReflect

func (x *CustomAuth) ProtoReflect() protoreflect.Message

func (*CustomAuth) Reset

func (x *CustomAuth) Reset()

func (*CustomAuth) String

func (x *CustomAuth) String() string

type GatewayExtauth

// GatewayExtauth configures the Extauth filter on a Gateway (Enterprise-only).
type GatewayExtauth struct {

	// The destination ref for the envoy external authentication service to ask about auth decisions.
	//
	// The fqdn used by envoy for extauth requests is derived from the kube service or is the first hostname
	// in an external service destination.
	// IMPORTANT: Envoy's extauth requests go to the port chosen from the destination that has the name or protocol of
	// the extauth service protocol (i.e., grpc or http). In practice, this means the port handling extauth requests
	// should be named grpc and/or have protocol GRPC (both case-insensitive), unless `http_service` is configured.
	//
	// If omitted, defaults to the expected format for the discovered extauth service shipped with Gloo Mesh Enterprise:
	//   Name: ext-auth-service-$POD_NAMESPACE-$CLUSTER_NAME
	//   Namespace: $POD_NAMESPACE
	ExtauthzRef *v1.ObjectRef `protobuf:"bytes,1,opt,name=extauthz_ref,json=extauthzRef,proto3" json:"extauthz_ref,omitempty"`
	// If this is set, communication to the upstream will be via HTTP and not GRPC.
	HttpService *HttpService `protobuf:"bytes,2,opt,name=http_service,json=httpService,proto3" json:"http_service,omitempty"`
	// Timeout for the ext auth service to respond. Defaults to 2000ms. (OIDC requests to external IDPs can be slow)
	// For latency critical applications, this value should be tuned much lower, as extauth is on the request path.
	// A timeout is handled as an auth-server failure, so its outcome is governed by failure_mode_allow.
	RequestTimeout *duration.Duration `protobuf:"bytes,3,opt,name=request_timeout,json=requestTimeout,proto3" json:"request_timeout,omitempty"`
	// In case of a failure or timeout querying the auth server, normally a request is denied.
	// If this is set to true, the request will be allowed.
	// NOTE(review): true makes the filter fail open. Any auth-server outage or timeout lets requests
	// through without an auth decision. Leave it false (fail closed) unless availability has been
	// explicitly chosen over enforcement for this gateway.
	FailureModeAllow bool `protobuf:"varint,4,opt,name=failure_mode_allow,json=failureModeAllow,proto3" json:"failure_mode_allow,omitempty"`
	// Set this if you also want to send the body of the request, and not just the headers.
	RequestBody *BufferSettings `protobuf:"bytes,5,opt,name=request_body,json=requestBody,proto3" json:"request_body,omitempty"`
	// Clears route cache in order to allow the external authorization service to correctly affect
	// routing decisions. Filter clears all cached routes when:
	//
	// 1. The field is set to *true*.
	//
	// 2. The status returned from the authorization service is a HTTP 200 or gRPC 0.
	//
	// 3. At least one *authorization response header* is added to the client request, or is used for
	// altering another client request header.
	//
	ClearRouteCache bool `protobuf:"varint,6,opt,name=clear_route_cache,json=clearRouteCache,proto3" json:"clear_route_cache,omitempty"`
	// Sets the HTTP status that is returned to the client when there is a network error between the
	// filter and the authorization server. The default status is HTTP 403 Forbidden.
	// If set, this must be one of the following:
	// - 100
	// - 200 201 202 203 204 205 206 207 208 226
	// - 300 301 302 303 304 305 307 308
	// - 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 421 422 423 424 426 428 429 431
	// - 500 501 502 503 504 505 506 507 508 510 511
	// NOTE(review): the permitted list includes 1xx/2xx/3xx codes. Presumably choosing one of those would
	// make an auth-server outage look like something other than an error to clients and monitoring.
	// Confirm before using anything other than a 4xx/5xx value.
	StatusOnError uint32 `protobuf:"varint,7,opt,name=status_on_error,json=statusOnError,proto3" json:"status_on_error,omitempty"`
	// Determines the API version for the `ext_authz` transport protocol that will be used by Envoy
	// to communicate with the auth server. Defaults to `V3`. For more info, see the `transport_api_version` field
	// [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#extensions-filters-http-ext-authz-v3-extauthz).
	TransportApiVersion GatewayExtauth_ApiVersion `` /* 189-byte string literal not displayed */
	// Optional additional prefix to use when emitting statistics.
	// This makes it possible to distinguish the statistics emitted by different ext_authz filters
	// configured in the same HTTP filter chain.
	StatPrefix string `protobuf:"bytes,9,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"`
	// contains filtered or unexported fields
}

Enterprise-Only: Configure the Extauth Filter on a Gateway

func (*GatewayExtauth) Descriptor deprecated

func (*GatewayExtauth) Descriptor() ([]byte, []int)

Deprecated: Use GatewayExtauth.ProtoReflect.Descriptor instead.

func (*GatewayExtauth) Equal

func (m *GatewayExtauth) Equal(that interface{}) bool

Equal function

func (*GatewayExtauth) GetClearRouteCache

func (x *GatewayExtauth) GetClearRouteCache() bool

func (*GatewayExtauth) GetExtauthzRef

func (x *GatewayExtauth) GetExtauthzRef() *v1.ObjectRef

func (*GatewayExtauth) GetFailureModeAllow

func (x *GatewayExtauth) GetFailureModeAllow() bool

func (*GatewayExtauth) GetHttpService

func (x *GatewayExtauth) GetHttpService() *HttpService

func (*GatewayExtauth) GetRequestBody

func (x *GatewayExtauth) GetRequestBody() *BufferSettings

func (*GatewayExtauth) GetRequestTimeout

func (x *GatewayExtauth) GetRequestTimeout() *duration.Duration

func (*GatewayExtauth) GetStatPrefix

func (x *GatewayExtauth) GetStatPrefix() string

func (*GatewayExtauth) GetStatusOnError

func (x *GatewayExtauth) GetStatusOnError() uint32

func (*GatewayExtauth) GetTransportApiVersion

func (x *GatewayExtauth) GetTransportApiVersion() GatewayExtauth_ApiVersion

func (*GatewayExtauth) ProtoMessage

func (*GatewayExtauth) ProtoMessage()

func (*GatewayExtauth) ProtoReflect

func (x *GatewayExtauth) ProtoReflect() protoreflect.Message

func (*GatewayExtauth) Reset

func (x *GatewayExtauth) Reset()

func (*GatewayExtauth) String

func (x *GatewayExtauth) String() string

type GatewayExtauth_ApiVersion

// GatewayExtauth_ApiVersion describes the transport protocol version to use when envoy
// connects to the ext auth server.
type GatewayExtauth_ApiVersion int32

Describes the transport protocol version to use when envoy connects to the ext auth server.

// Values of GatewayExtauth_ApiVersion.
const (
	// Use the transport version that matches the version the default enterprise ext-auth-service uses.
	GatewayExtauth_GLOO_MESH_AUTO GatewayExtauth_ApiVersion = 0
	// Use envoy's auto transport version. This will change as envoy cycles through transport api versions.
	// NOTE(review): because the effective version can change with the Envoy release, a custom auth
	// server is presumably better served by an explicit version such as V3. Confirm for your deployment.
	GatewayExtauth_ENVOY_AUTO GatewayExtauth_ApiVersion = 1
	// Use v3 API.
	GatewayExtauth_V3 GatewayExtauth_ApiVersion = 2
)

func (GatewayExtauth_ApiVersion) Descriptor

func (GatewayExtauth_ApiVersion) Enum

func (GatewayExtauth_ApiVersion) EnumDescriptor deprecated

func (GatewayExtauth_ApiVersion) EnumDescriptor() ([]byte, []int)

Deprecated: Use GatewayExtauth_ApiVersion.Descriptor instead.

func (GatewayExtauth_ApiVersion) Number

func (GatewayExtauth_ApiVersion) String

func (x GatewayExtauth_ApiVersion) String() string

func (GatewayExtauth_ApiVersion) Type

type HttpService

// HttpService holds the settings used when the auth server is reached over HTTP: a path prefix
// plus request-side and response-side header settings.
type HttpService struct {

	// Sets a prefix to the value of authorization request header *Path*.
	PathPrefix string                `protobuf:"bytes,1,opt,name=path_prefix,json=pathPrefix,proto3" json:"path_prefix,omitempty"`
	// Request: header settings for the request sent to the auth server (see HttpService_Request).
	Request    *HttpService_Request  `protobuf:"bytes,2,opt,name=request,proto3" json:"request,omitempty"`
	// Response: header settings applied to the auth server's response (see HttpService_Response).
	Response   *HttpService_Response `protobuf:"bytes,3,opt,name=response,proto3" json:"response,omitempty"`
	// contains filtered or unexported fields
}

func (*HttpService) Descriptor deprecated

func (*HttpService) Descriptor() ([]byte, []int)

Deprecated: Use HttpService.ProtoReflect.Descriptor instead.

func (*HttpService) Equal

func (m *HttpService) Equal(that interface{}) bool

Equal function

func (*HttpService) GetPathPrefix

func (x *HttpService) GetPathPrefix() string

func (*HttpService) GetRequest

func (x *HttpService) GetRequest() *HttpService_Request

func (*HttpService) GetResponse

func (x *HttpService) GetResponse() *HttpService_Response

func (*HttpService) ProtoMessage

func (*HttpService) ProtoMessage()

func (*HttpService) ProtoReflect

func (x *HttpService) ProtoReflect() protoreflect.Message

func (*HttpService) Reset

func (x *HttpService) Reset()

func (*HttpService) String

func (x *HttpService) String() string

type HttpService_Request

// HttpService_Request controls which headers are placed on the request that goes to the
// auth server.
type HttpService_Request struct {

	// These headers will be copied from the incoming request to the request going
	// to the auth server. Note that in addition to the user's supplied matchers:
	//
	// 1. *Host*, *Method*, *Path* and *Content-Length* are automatically included in the list.
	//
	// 2. *Content-Length* will be set to 0 and the request to the authorization service will not have
	// a message body.
	//
	// NOTE(review): presumably a client header that the auth server needs for its decision but that
	// is not listed here is not forwarded. Confirm that the list covers the credentials the server checks.
	AllowedHeaders []string `protobuf:"bytes,1,rep,name=allowed_headers,json=allowedHeaders,proto3" json:"allowed_headers,omitempty"`
	// These headers will be included in the request to the authorization service. Note that
	// a client request header with the same key will be overridden.
	HeadersToAdd map[string]string `` /* 187-byte string literal not displayed */
	// contains filtered or unexported fields
}

func (*HttpService_Request) Descriptor deprecated

func (*HttpService_Request) Descriptor() ([]byte, []int)

Deprecated: Use HttpService_Request.ProtoReflect.Descriptor instead.

func (*HttpService_Request) Equal

func (m *HttpService_Request) Equal(that interface{}) bool

Equal function

func (*HttpService_Request) GetAllowedHeaders

func (x *HttpService_Request) GetAllowedHeaders() []string

func (*HttpService_Request) GetHeadersToAdd

func (x *HttpService_Request) GetHeadersToAdd() map[string]string

func (*HttpService_Request) ProtoMessage

func (*HttpService_Request) ProtoMessage()

func (*HttpService_Request) ProtoReflect

func (x *HttpService_Request) ProtoReflect() protoreflect.Message

func (*HttpService_Request) Reset

func (x *HttpService_Request) Reset()

func (*HttpService_Request) String

func (x *HttpService_Request) String() string

type HttpService_Response

// HttpService_Response controls which headers from the auth server's response are propagated,
// either to the upstream request or to the client's response.
type HttpService_Response struct {

	// When this is set, authorization response headers that have a matching entry in this list will be
	// added to the original client request and sent to the upstream.
	// Note that coexistent headers will be overridden.
	// NOTE(review): the source comment is truncated ("headers that have a will be added"); "a matching
	// entry in this list" is the presumed meaning. Confirm against the Envoy ext_authz documentation.
	// Because listed headers replace client-supplied ones of the same name, keep the list limited to
	// headers the upstream is meant to receive from the auth server.
	AllowedUpstreamHeaders []string `` /* 129-byte string literal not displayed */
	// When this is set, the listed authorization response headers will be added to the client's
	// response when the auth request is denied.
	// Note that when this list is *not* set, all the authorization response headers, except *Authority
	// (Host)*, will be in the response to the client. When a header is included in this list, *Path*,
	// *Status*, *Content-Length*, *WWW-Authenticate* and *Location* are automatically added.
	// NOTE(review): with the list unset, every header the auth server returns on a denial reaches the
	// client; set an explicit list if the auth server emits headers that should stay internal.
	AllowedClientHeaders []string `protobuf:"bytes,2,rep,name=allowed_client_headers,json=allowedClientHeaders,proto3" json:"allowed_client_headers,omitempty"`
	// contains filtered or unexported fields
}

func (*HttpService_Response) Descriptor deprecated

func (*HttpService_Response) Descriptor() ([]byte, []int)

Deprecated: Use HttpService_Response.ProtoReflect.Descriptor instead.

func (*HttpService_Response) Equal

func (m *HttpService_Response) Equal(that interface{}) bool

Equal function

func (*HttpService_Response) GetAllowedClientHeaders

func (x *HttpService_Response) GetAllowedClientHeaders() []string

func (*HttpService_Response) GetAllowedUpstreamHeaders

func (x *HttpService_Response) GetAllowedUpstreamHeaders() []string

func (*HttpService_Response) ProtoMessage

func (*HttpService_Response) ProtoMessage()

func (*HttpService_Response) ProtoReflect

func (x *HttpService_Response) ProtoReflect() protoreflect.Message

func (*HttpService_Response) Reset

func (x *HttpService_Response) Reset()

func (*HttpService_Response) String

func (x *HttpService_Response) String() string

type RouteExtauth

// RouteExtauth is the extauth configuration for a Route or TrafficPolicy. It configures extauth
// for individual HTTP routes.
type RouteExtauth struct {

	// Spec is a oneof: exactly one of the wrapper types below is expected to be assigned.
	// Types that are assignable to Spec:
	//	*RouteExtauth_Disable
	//	*RouteExtauth_ConfigRef
	//	*RouteExtauth_CustomAuth
	Spec isRouteExtauth_Spec `protobuf_oneof:"spec"`
	// contains filtered or unexported fields
}

Extauth configuration for a Route or TrafficPolicy. Configures extauth for individual HTTP routes

func (*RouteExtauth) Descriptor deprecated

func (*RouteExtauth) Descriptor() ([]byte, []int)

Deprecated: Use RouteExtauth.ProtoReflect.Descriptor instead.

func (*RouteExtauth) Equal

func (m *RouteExtauth) Equal(that interface{}) bool

Equal function

func (*RouteExtauth) GetConfigRef

func (x *RouteExtauth) GetConfigRef() *v1.ObjectRef

func (*RouteExtauth) GetCustomAuth

func (x *RouteExtauth) GetCustomAuth() *CustomAuth

func (*RouteExtauth) GetDisable

func (x *RouteExtauth) GetDisable() bool

func (*RouteExtauth) GetSpec

func (m *RouteExtauth) GetSpec() isRouteExtauth_Spec

func (*RouteExtauth) ProtoMessage

func (*RouteExtauth) ProtoMessage()

func (*RouteExtauth) ProtoReflect

func (x *RouteExtauth) ProtoReflect() protoreflect.Message

func (*RouteExtauth) Reset

func (x *RouteExtauth) Reset()

func (*RouteExtauth) String

func (x *RouteExtauth) String() string

type RouteExtauth_ConfigRef

// RouteExtauth_ConfigRef is the RouteExtauth.Spec oneof wrapper that selects an AuthConfig by reference.
type RouteExtauth_ConfigRef struct {
	// A reference to an AuthConfig. This is used to configure the mesh clients to identify themselves by
	// matching their client identifier to the extauth server config for the same AuthConfig.
	ConfigRef *v1.ObjectRef `protobuf:"bytes,2,opt,name=config_ref,json=configRef,proto3,oneof"`
}

type RouteExtauth_CustomAuth

// RouteExtauth_CustomAuth is the RouteExtauth.Spec oneof wrapper for routes served by a custom
// extauth server.
type RouteExtauth_CustomAuth struct {
	// Use this field if you are running your own custom extauth server.
	CustomAuth *CustomAuth `protobuf:"bytes,3,opt,name=custom_auth,json=customAuth,proto3,oneof"`
}

type RouteExtauth_Disable

// RouteExtauth_Disable is the RouteExtauth.Spec oneof wrapper that turns auth off for a route.
type RouteExtauth_Disable struct {
	// Set to true to disable auth on the route.
	// NOTE(review): presumably requests matching such a route are not sent to the external auth
	// server at all. Audit which routes carry this flag and confirm that each is meant to be unauthenticated.
	Disable bool `protobuf:"varint,1,opt,name=disable,proto3,oneof"`
}
