|
| 1 | +/* |
| 2 | + * Copyright 2025 The gRPC Authors |
| 3 | + * |
| 4 | + * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | + * you may not use this file except in compliance with the License. |
| 6 | + * You may obtain a copy of the License at |
| 7 | + * |
| 8 | + * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | + * |
| 10 | + * Unless required by applicable law or agreed to in writing, software |
| 11 | + * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | + * See the License for the specific language governing permissions and |
| 14 | + * limitations under the License. |
| 15 | + */ |
| 16 | + |
| 17 | +package io.grpc.xds.internal.extauthz; |
| 18 | + |
| 19 | +import com.google.auto.value.AutoValue; |
| 20 | +import com.google.common.collect.ImmutableList; |
| 21 | +import io.grpc.Status; |
| 22 | +import io.grpc.xds.internal.Matchers; |
| 23 | +import io.grpc.xds.internal.grpcservice.GrpcServiceConfig; |
| 24 | +import io.grpc.xds.internal.headermutations.HeaderMutationRulesConfig; |
| 25 | +import java.util.Optional; |
| 26 | + |
| 27 | +/** |
| 28 | + * Represents the configuration for the external authorization (ext_authz) filter. This class |
| 29 | + * encapsulates the settings defined in the |
| 30 | + * {@link io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3.ExtAuthz} proto, providing a |
| 31 | + * structured, immutable representation for use within gRPC. It includes configurations for the gRPC |
| 32 | + * service used for authorization, header mutation rules, and other filter behaviors. |
| 33 | + */ |
| 34 | +@AutoValue |
| 35 | +public abstract class ExtAuthzConfig { |
| 36 | + |
| 37 | + /** Creates a new builder for creating {@link ExtAuthzConfig} instances. */ |
| 38 | + public static Builder builder() { |
| 39 | + return new AutoValue_ExtAuthzConfig.Builder().allowedHeaders(ImmutableList.of()) |
| 40 | + .disallowedHeaders(ImmutableList.of()).statusOnError(Status.PERMISSION_DENIED) |
| 41 | + .filterEnabled(Matchers.FractionMatcher.create(100, 100)); |
| 42 | + } |
| 43 | + |
| 44 | + /** |
| 45 | + * The gRPC service configuration for the external authorization service. This is a required |
| 46 | + * field. |
| 47 | + * |
| 48 | + * @see ExtAuthz#getGrpcService() |
| 49 | + */ |
| 50 | + public abstract GrpcServiceConfig grpcService(); |
| 51 | + |
| 52 | + /** |
| 53 | + * Changes the filter's behavior on errors from the authorization service. If {@code true}, the |
| 54 | + * filter will accept the request even if the authorization service fails or returns an error. |
| 55 | + * |
| 56 | + * @see ExtAuthz#getFailureModeAllow() |
| 57 | + */ |
| 58 | + public abstract boolean failureModeAllow(); |
| 59 | + |
| 60 | + /** |
| 61 | + * Determines if the {@code x-envoy-auth-failure-mode-allowed} header is added to the request when |
| 62 | + * {@link #failureModeAllow()} is true. |
| 63 | + * |
| 64 | + * @see ExtAuthz#getFailureModeAllowHeaderAdd() |
| 65 | + */ |
| 66 | + public abstract boolean failureModeAllowHeaderAdd(); |
| 67 | + |
| 68 | + /** |
| 69 | + * Specifies if the peer certificate is sent to the external authorization service. |
| 70 | + * |
| 71 | + * @see ExtAuthz#getIncludePeerCertificate() |
| 72 | + */ |
| 73 | + public abstract boolean includePeerCertificate(); |
| 74 | + |
| 75 | + /** |
| 76 | + * The gRPC status returned to the client when the authorization server returns an error or is |
| 77 | + * unreachable. Defaults to {@code PERMISSION_DENIED}. |
| 78 | + * |
| 79 | + * @see io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3.ExtAuthz#getStatusOnError() |
| 80 | + */ |
| 81 | + public abstract Status statusOnError(); |
| 82 | + |
| 83 | + /** |
| 84 | + * Specifies whether to deny requests when the filter is disabled. Defaults to {@code false}. |
| 85 | + * |
| 86 | + * @see ExtAuthz#getDenyAtDisable() |
| 87 | + */ |
| 88 | + public abstract boolean denyAtDisable(); |
| 89 | + |
| 90 | + /** |
| 91 | + * The fraction of requests that will be checked by the authorization service. Defaults to all |
| 92 | + * requests. |
| 93 | + * |
| 94 | + * @see ExtAuthz#getFilterEnabled() |
| 95 | + */ |
| 96 | + public abstract Matchers.FractionMatcher filterEnabled(); |
| 97 | + |
| 98 | + /** |
| 99 | + * Specifies which request headers are sent to the authorization service. If empty, all headers |
| 100 | + * are sent. |
| 101 | + * |
| 102 | + * @see ExtAuthz#getAllowedHeaders() |
| 103 | + */ |
| 104 | + public abstract ImmutableList<Matchers.StringMatcher> allowedHeaders(); |
| 105 | + |
| 106 | + /** |
| 107 | + * Specifies which request headers are not sent to the authorization service. This overrides |
| 108 | + * {@link #allowedHeaders()}. |
| 109 | + * |
| 110 | + * @see ExtAuthz#getDisallowedHeaders() |
| 111 | + */ |
| 112 | + public abstract ImmutableList<Matchers.StringMatcher> disallowedHeaders(); |
| 113 | + |
| 114 | + /** |
| 115 | + * Rules for what modifications an ext_authz server may make to request headers. |
| 116 | + * |
| 117 | + * @see ExtAuthz#getDecoderHeaderMutationRules() |
| 118 | + */ |
| 119 | + public abstract Optional<HeaderMutationRulesConfig> decoderHeaderMutationRules(); |
| 120 | + |
| 121 | + @AutoValue.Builder |
| 122 | + public abstract static class Builder { |
| 123 | + public abstract Builder grpcService(GrpcServiceConfig grpcService); |
| 124 | + |
| 125 | + public abstract Builder failureModeAllow(boolean failureModeAllow); |
| 126 | + |
| 127 | + public abstract Builder failureModeAllowHeaderAdd(boolean failureModeAllowHeaderAdd); |
| 128 | + |
| 129 | + public abstract Builder includePeerCertificate(boolean includePeerCertificate); |
| 130 | + |
| 131 | + public abstract Builder statusOnError(Status statusOnError); |
| 132 | + |
| 133 | + public abstract Builder denyAtDisable(boolean denyAtDisable); |
| 134 | + |
| 135 | + public abstract Builder filterEnabled(Matchers.FractionMatcher filterEnabled); |
| 136 | + |
| 137 | + public abstract Builder allowedHeaders(Iterable<Matchers.StringMatcher> allowedHeaders); |
| 138 | + |
| 139 | + public abstract Builder disallowedHeaders(Iterable<Matchers.StringMatcher> disallowedHeaders); |
| 140 | + |
| 141 | + public abstract Builder decoderHeaderMutationRules(HeaderMutationRulesConfig rules); |
| 142 | + |
| 143 | + public abstract ExtAuthzConfig build(); |
| 144 | + } |
| 145 | +} |
0 commit comments