Protos for RBAC support. (envoyproxy#3133)

Added protos to support Role Based Access Control in Envoy.

Also removed existing auth.proto because the new RBAC proto is a replacement of it.

Ealier discussions at
envoyproxy/data-plane-api#586.

Signed-off-by: Limin Wang <liminwang@google.com>

Signed-off-by: Rama <rama.rao@salesforce.com>

api/envoy/api/v2/auth/BUILD

@@ -15,23 +15,6 @@ package_group(
     ],
 )
 
-api_proto_library(
-    name = "auth",
-    srcs = ["auth.proto"],
-    visibility = [":friends"],
-    deps = [
-        ":cert",
-    ],
-)
-
-api_go_proto_library(
-    name = "auth",
-    proto = ":auth",
-    deps = [
-        ":cert_go_proto",
-    ],
-)
-
 api_proto_library(
     name = "cert",
     srcs = ["cert.proto"],

api/envoy/api/v2/route/BUILD

@@ -7,7 +7,6 @@ api_proto_library(
     srcs = ["route.proto"],
     visibility = ["//envoy/api/v2:friends"],
     deps = [
-        "//envoy/api/v2/auth",
         "//envoy/api/v2/core:base",
         "//envoy/type:range",
     ],
@@ -17,7 +16,6 @@ api_go_proto_library(
     name = "route",
     proto = ":route",
     deps = [
-        "//envoy/api/v2/auth:auth_go_proto",
         "//envoy/api/v2/core:base_go_proto",
         "//envoy/type:range_go_proto",
     ],

api/envoy/api/v2/route/route.proto

@@ -5,7 +5,6 @@ option go_package = "route";
 option java_generic_services = true;
 
 import "envoy/api/v2/core/base.proto";
-import "envoy/api/v2/auth/auth.proto";
 import "envoy/type/range.proto";
 
 import "google/protobuf/duration.proto";
@@ -97,9 +96,7 @@ message VirtualHost {
   // Indicates that the virtual host has a CORS policy.
   CorsPolicy cors = 8;
 
-  // [#not-implemented-hide:]
-  // Return a 401/403 when auth checks fail.
-  auth.AuthAction auth = 9;
+  reserved 9;
 
   // The per_filter_config field can be used to provide virtual host-specific
   // configurations for filters. The key should match the filter name, such as
@@ -143,9 +140,7 @@ message Route {
   // Decorator for the matched route.
   Decorator decorator = 5;
 
-  // [#not-implemented-hide:]
-  // Return a 401/403 when auth checks fail.
-  auth.AuthAction auth = 6;
+  reserved 6;
 
   // The per_filter_config field can be used to provide route-specific
   // configurations for filters. The key should match the filter name, such as

api/envoy/config/rbac/v2alpha/BUILD

@@ -0,0 +1,21 @@
+licenses(["notice"])  # Apache 2
+
+load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library")
+
+api_proto_library(
+    name = "rbac",
+    srcs = ["rbac.proto"],
+    deps = [
+        "//envoy/api/v2/core:address",
+        "//envoy/type:string_match",
+    ],
+)
+
+api_go_proto_library(
+    name = "rbac",
+    proto = ":rbac",
+    deps = [
+        "//envoy/api/v2/core:address_go_proto",
+        "//envoy/type:string_match_go_proto",
+    ],
+)

api/envoy/config/rbac/v2alpha/rbac.proto

@@ -0,0 +1,154 @@
+syntax = "proto3";
+
+import "validate/validate.proto";
+import "envoy/api/v2/core/address.proto";
+import "envoy/type/string_match.proto";
+
+package envoy.config.rbac.v2alpha;
+
+// Role Based Access Control (RBAC) provides service-level and method-level access control for a service.
+// The RBAC engine authorizes a request by evaluating the request context (expressed in the form of
+// :ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`) against the RBAC policies.
+//
+// RBAC policies are additive. The policies are examined in order. A request is allowed once a matching policy
+// is found (suppose the `action` is ALLOW).
+//
+// Here is an example of RBAC configuration. It has two policies:
+// * Service account "cluster.local/ns/default/sa/admin" has full access (empty permission entry means full access)
+//   to the service.
+// * Any user (empty principal entry means any user) can read ("GET") the service at paths with prefix "/products" or
+//   suffix "/reviews" when request header "version" set to either "v1" or "v2".
+//
+//   action: ALLOW
+//   policies:
+//     "service-admin":
+//       permissions:
+//       -
+//       principals:
+//         authenticated:
+//           name: "cluster.local/ns/default/sa/admin"
+//     "product-viewer":
+//       permissions:
+//       - paths: [prefix: "/products", suffix: "/reviews"]
+//         methods: ["GET"]
+//         conditions:
+//         - header:
+//             key: "version"
+//             values: [simple: "v1", simple: "v2"]
+//       principals:
+//       -
+//
+message RBAC {
+  // Should we do white-list or black-list style access control.
+  enum Action {
+    // The policies grant access to principals. The rest is denied. This is white-list style
+    // access control. This is the default type.
+    ALLOW = 0;
+
+    // The policies deny access to principals. The rest is allowed. This is black-list style
+    // access control.
+    DENY = 1;
+  }
+
+  Action action = 1;
+
+  // Maps from policy name to policy.
+  map<string, Policy> policies = 2;
+}
+
+// Policy specifies a role and the principals that are assigned/denied the role.
+message Policy {
+ // Required. The set of permissions that define a role.
+ repeated Permission permissions = 1 [(validate.rules).repeated .min_items = 1];
+
+ // Required. List of principals that are assigned/denied the role based on “action”.
+ repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1];
+}
+
+// Specifies how to match an entry in a map.
+message MapEntryMatch {
+  // The key to select an entry from the map.
+  string key = 1;
+
+  // A list of matched values.
+  repeated envoy.type.StringMatch values = 2;
+}
+
+// Specifies how to match IP addresses.
+message IpMatch {
+  // IP addresses in CIDR notation.
+  repeated envoy.api.v2.core.CidrRange cidrs = 1;
+}
+
+// Specifies how to match ports.
+message PortMatch {
+  // Port numbers.
+  repeated uint32 ports = 1;
+}
+
+// Permission defines a permission to access the service.
+message Permission {
+  // Optional. A list of HTTP paths or gRPC methods.
+  // gRPC methods must be presented as fully-qualified name in the form of
+  // packageName.serviceName/methodName.
+  // If this field is unset, it applies to any path.
+  repeated envoy.type.StringMatch paths = 1;
+
+  // Required. A list of HTTP methods (e.g., "GET", "POST").
+  // If this field is unset, it applies to any method.
+  repeated string methods = 2;
+
+  // Definition of a custom condition.
+  message Condition {
+    oneof condition_spec {
+      // Header match. This matches to the "request.http.headers" field in
+      // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`.
+      // The map key is the header name. The header specifies how the service is accessed.
+      MapEntryMatch header = 1;
+
+      // Destination IP addresses.
+      IpMatch destination_ips = 2;
+
+      // Destination ports.
+      PortMatch destination_ports = 3;
+    }
+  }
+
+  // Optional. Custom conditions.
+  repeated Condition conditions = 3;
+}
+
+// Principal defines an identity or a group of identities.
+message Principal {
+  // Authentication attributes for principal. These could be filled out inside RBAC filter.
+  // Or if an authentication filter is used, they can be provided by the authentication filter.
+  message Authenticated {
+    // Optional. The name of the principal. This matches to the "source.principal" field in
+    // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`.
+    // If unset, it applies to any user.
+    string name = 1;
+  }
+
+  // Optional. Authenticated attributes that identify the principal.
+  Authenticated authenticated = 1;
+
+  // Definition of a custom attribute to identify the principal.
+  message Attribute {
+    oneof attribute_spec {
+      // Source service name. This matches to the "source.service" field in
+      // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`.
+      string service = 1;
+
+      // Source IP addresses.
+      IpMatch source_ips = 2;
+
+      // Header match. This matches to the "request.http.headers" field in
+      // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`.
+      // The map "key" is the header name. The header identifies the client.
+      MapEntryMatch header = 3;
+    }
+  }
+
+  // Optional. Custom attributes that identify the principal.
+  repeated Attribute attributes = 2;
+}

api/envoy/type/BUILD

@@ -23,3 +23,14 @@ api_go_proto_library(
     name = "range",
     proto = ":range",
 )
+
+api_proto_library(
+    name = "string_match",
+    srcs = ["string_match.proto"],
+    visibility = ["//visibility:public"],
+)
+
+api_go_proto_library(
+    name = "string_match",
+    proto = ":string_match",
+)

api/envoy/type/string_match.proto

@@ -0,0 +1,31 @@
+syntax = "proto3";
+
+package envoy.type;
+option go_package = "envoy_type";
+
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
+
+// [#protodoc-title: StringMatch]
+
+// Specifies the way to match a string.
+message StringMatch {
+  oneof match_pattern {
+    // The input string must match exactly the string specified here.
+    // Or it is a "*", which means that it matches any string.
+    string simple = 1;
+
+    // The input string must have the prefix specified here.
+    string prefix = 2;
+
+    // The input string must have the suffix specified here.
+    string suffix = 3;
+
+    // The input string must match the regular expression specified here.
+    // The regex grammar is defined `here
+    // <http://en.cppreference.com/w/cpp/regex/ecmascript>`_.
+    string regex = 4;
+ }
+}
+

api/test/build/BUILD

@@ -28,7 +28,6 @@ api_go_test(
         "//envoy/api/v2:eds_go_grpc",
         "//envoy/api/v2:lds_go_grpc",
         "//envoy/api/v2:rds_go_grpc",
-        "//envoy/api/v2/auth:auth_go_proto",
         "//envoy/api/v2/auth:cert_go_proto",
         "//envoy/config/bootstrap/v2:bootstrap_go_proto",
         "//envoy/service/discovery/v2:ads_go_grpc",

api/test/build/go_build_test.go

@@ -4,7 +4,6 @@ import (
 	"testing"
 
 	_ "github.com/envoyproxy/data-plane-api/api/ads"
-	_ "github.com/envoyproxy/data-plane-api/api/auth"
 	_ "github.com/envoyproxy/data-plane-api/api/bootstrap"
 	_ "github.com/envoyproxy/data-plane-api/api/cds"
 	_ "github.com/envoyproxy/data-plane-api/api/cert"