syntax = "proto3";
package envoy.type.matcher.v3;
import "envoy/type/matcher/v3/value.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher.v3";
option java_outer_classname = "MetadataProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Metadata matcher]
// MetadataMatcher provides a general interface to check whether a given value is matched in
// :ref:`Metadata <envoy_api_msg_config.core.v3.Metadata>`. It uses `filter` and `path` to retrieve the value
// from the Metadata and then checks whether it matches the specified value.
//
// For example, for the following Metadata:
//
// .. code-block:: yaml
//
//    filter_metadata:
//      envoy.filters.http.rbac:
//        fields:
//          a:
//            struct_value:
//              fields:
//                b:
//                  struct_value:
//                    fields:
//                      c:
//                        string_value: pro
//                t:
//                  list_value:
//                    values:
//                      - string_value: m
//                      - string_value: n
//
// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro"
// from the Metadata which is matched to the specified prefix match.
//
// .. code-block:: yaml
//
//    filter: envoy.filters.http.rbac
//    path:
//      - key: a
//      - key: b
//      - key: c
//    value:
//      string_match:
//        prefix: pr
//
// The following MetadataMatcher is matched as the code will match one of the string values in the
// list at the path [a, t].
//
// .. code-block:: yaml
//
//    filter: envoy.filters.http.rbac
//    path:
//      - key: a
//      - key: t
//    value:
//      list_match:
//        one_of:
//          string_match:
//            exact: m
//
// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to
// enforce access control based on dynamic metadata in a request. See :ref:`Permission
// <envoy_api_msg_config.rbac.v3.Permission>` and :ref:`Principal
// <envoy_api_msg_config.rbac.v3.Principal>`.
// [#next-major-version: MetadataMatcher should use StructMatcher]
message MetadataMatcher {
  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.MetadataMatcher";

  // One step of the lookup path used to pull a value out of the Metadata.
  // Note: retrieving a value from inside a list is currently not supported, so a segment
  // key that refers to a list has to be the final segment of the path.
  message PathSegment {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.type.matcher.MetadataMatcher.PathSegment";

    // A segment must always be set; `key` is the only segment kind defined here.
    oneof segment {
      option (validate.required) = true;

      // When set, this key selects the value to retrieve from a Struct. Must be non-empty.
      string key = 1 [(validate.rules).string = {min_bytes: 1}];
    }
  }

  // Name of the filter whose Struct is looked up in the Metadata. Must be non-empty.
  // NOTE(review): a match is only as trustworthy as whatever populated this filter's
  // metadata; confirm the producer when the result feeds an access-control decision.
  string filter = 1 [(validate.rules).string = {min_bytes: 1}];

  // Path walked through that Struct to reach the Value. At least one segment is required.
  repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];

  // The MetadataMatcher is matched when the Value reached via `path` satisfies this matcher.
  // This field is required.
  // NOTE(review): the result when `filter` or `path` resolves to nothing is not stated in
  // this file; confirm it before relying on this matcher in a deny or negated policy.
  ValueMatcher value = 3 [(validate.rules).message = {required: true}];
}