From 74d5df7c7aca710c37a6b63b2bc05f74be82b70c Mon Sep 17 00:00:00 2001 
From: "R.B. Boyer" Date: Thu, 27 Aug 2020 12:20:58 -0500 Subject: [PATCH] xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569) --- .changelog/8569.txt | 3 + agent/agent.go | 14 +- agent/consul/discoverychain/compile.go | 7 +- agent/proxycfg/manager.go | 6 + agent/proxycfg/manager_test.go | 8 +- agent/proxycfg/snapshot.go | 97 +- agent/proxycfg/state.go | 122 +- agent/proxycfg/state_test.go | 180 ++- agent/proxycfg/testing.go | 41 +- agent/structs/config_entry_discoverychain.go | 9 + .../config_entry_discoverychain_test.go | 10 + agent/structs/intention.go | 8 + agent/structs/intention_oss.go | 8 + agent/xds/golden_test.go | 7 +- agent/xds/listeners.go | 424 ++++-- agent/xds/listeners_test.go | 187 ++- agent/xds/rbac.go | 374 +++++ agent/xds/rbac_test.go | 259 ++++ agent/xds/response.go | 10 + agent/xds/routes.go | 9 - agent/xds/server.go | 113 +- agent/xds/server_test.go | 170 +-- ...th-chain-and-overrides.envoy-1-12-x.golden | 13 +- ...th-chain-and-overrides.envoy-1-13-x.golden | 13 +- ...th-chain-and-overrides.envoy-1-14-x.golden | 13 +- ...th-chain-and-overrides.envoy-1-15-x.golden | 13 +- ...ith-chain-external-sni.envoy-1-12-x.golden | 13 +- ...ith-chain-external-sni.envoy-1-13-x.golden | 13 +- ...ith-chain-external-sni.envoy-1-14-x.golden | 13 +- ...ith-chain-external-sni.envoy-1-15-x.golden | 13 +- ...-proxy-with-grpc-chain.envoy-1-12-x.golden | 13 +- ...-proxy-with-grpc-chain.envoy-1-13-x.golden | 13 +- ...-proxy-with-grpc-chain.envoy-1-14-x.golden | 13 +- ...-proxy-with-grpc-chain.envoy-1-15-x.golden | 13 +- ...-proxy-with-http-chain.envoy-1-12-x.golden | 13 +- ...-proxy-with-http-chain.envoy-1-13-x.golden | 13 +- ...-proxy-with-http-chain.envoy-1-14-x.golden | 13 +- ...-proxy-with-http-chain.envoy-1-15-x.golden | 13 +- ...proxy-with-http2-chain.envoy-1-12-x.golden | 13 +- ...proxy-with-http2-chain.envoy-1-13-x.golden | 13 +- ...proxy-with-http2-chain.envoy-1-14-x.golden | 13 +- ...proxy-with-http2-chain.envoy-1-15-x.golden | 13 
+- ...-through-local-gateway.envoy-1-12-x.golden | 13 +- ...-through-local-gateway.envoy-1-13-x.golden | 13 +- ...-through-local-gateway.envoy-1-14-x.golden | 13 +- ...-through-local-gateway.envoy-1-15-x.golden | 13 +- ...through-remote-gateway.envoy-1-12-x.golden | 13 +- ...through-remote-gateway.envoy-1-13-x.golden | 13 +- ...through-remote-gateway.envoy-1-14-x.golden | 13 +- ...through-remote-gateway.envoy-1-15-x.golden | 13 +- ...t-proxy-with-tcp-chain.envoy-1-12-x.golden | 13 +- ...t-proxy-with-tcp-chain.envoy-1-13-x.golden | 13 +- ...t-proxy-with-tcp-chain.envoy-1-14-x.golden | 13 +- ...t-proxy-with-tcp-chain.envoy-1-15-x.golden | 13 +- ...-listener-http-2-typed.envoy-1-12-x.golden | 131 ++ ...-listener-http-2-typed.envoy-1-13-x.golden | 131 ++ ...-listener-http-2-typed.envoy-1-14-x.golden | 131 ++ ...-listener-http-2-typed.envoy-1-15-x.golden | 131 ++ ...public-listener-http-2.envoy-1-12-x.golden | 130 ++ ...public-listener-http-2.envoy-1-13-x.golden | 130 ++ ...public-listener-http-2.envoy-1-14-x.golden | 130 ++ ...public-listener-http-2.envoy-1-15-x.golden | 130 ++ ...-listener-http-missing.envoy-1-12-x.golden | 107 ++ ...-listener-http-missing.envoy-1-13-x.golden | 107 ++ ...-listener-http-missing.envoy-1-14-x.golden | 107 ++ ...-listener-http-missing.envoy-1-15-x.golden | 107 ++ ...ic-listener-http-typed.envoy-1-12-x.golden | 131 ++ ...ic-listener-http-typed.envoy-1-13-x.golden | 131 ++ ...ic-listener-http-typed.envoy-1-14-x.golden | 131 ++ ...ic-listener-http-typed.envoy-1-15-x.golden | 131 ++ ...m-public-listener-http.envoy-1-12-x.golden | 130 ++ ...m-public-listener-http.envoy-1-13-x.golden | 130 ++ ...m-public-listener-http.envoy-1-14-x.golden | 130 ++ ...m-public-listener-http.envoy-1-15-x.golden | 130 ++ ...custom-public-listener.envoy-1-12-x.golden | 13 +- ...custom-public-listener.envoy-1-13-x.golden | 13 +- ...custom-public-listener.envoy-1-14-x.golden | 13 +- ...custom-public-listener.envoy-1-15-x.golden | 13 +- 
...nored-with-disco-chain.envoy-1-12-x.golden | 13 +- ...nored-with-disco-chain.envoy-1-13-x.golden | 13 +- ...nored-with-disco-chain.envoy-1-14-x.golden | 13 +- ...nored-with-disco-chain.envoy-1-15-x.golden | 13 +- .../custom-upstream.envoy-1-12-x.golden | 13 +- .../custom-upstream.envoy-1-13-x.golden | 13 +- .../custom-upstream.envoy-1-14-x.golden | 13 +- .../custom-upstream.envoy-1-15-x.golden | 13 +- .../listeners/defaults.envoy-1-12-x.golden | 13 +- .../listeners/defaults.envoy-1-13-x.golden | 13 +- .../listeners/defaults.envoy-1-14-x.golden | 13 +- .../listeners/defaults.envoy-1-15-x.golden | 13 +- ...-paths-local-app-paths.envoy-1-12-x.golden | 13 +- ...-paths-local-app-paths.envoy-1-13-x.golden | 13 +- ...-paths-local-app-paths.envoy-1-14-x.golden | 13 +- ...-paths-local-app-paths.envoy-1-15-x.golden | 13 +- ...aths-new-cluster-http2.envoy-1-12-x.golden | 13 +- ...aths-new-cluster-http2.envoy-1-13-x.golden | 13 +- ...aths-new-cluster-http2.envoy-1-14-x.golden | 13 +- ...aths-new-cluster-http2.envoy-1-15-x.golden | 13 +- .../http-public-listener.envoy-1-12-x.golden | 24 +- .../http-public-listener.envoy-1-13-x.golden | 24 +- .../http-public-listener.envoy-1-14-x.golden | 24 +- .../http-public-listener.envoy-1-15-x.golden | 24 +- .../http-upstream.envoy-1-12-x.golden | 13 +- .../http-upstream.envoy-1-13-x.golden | 13 +- .../http-upstream.envoy-1-14-x.golden | 13 +- .../http-upstream.envoy-1-15-x.golden | 13 +- ...ener-bind-address-port.envoy-1-12-x.golden | 13 +- ...ener-bind-address-port.envoy-1-13-x.golden | 13 +- ...ener-bind-address-port.envoy-1-14-x.golden | 13 +- ...ener-bind-address-port.envoy-1-15-x.golden | 13 +- .../listener-bind-address.envoy-1-12-x.golden | 13 +- .../listener-bind-address.envoy-1-13-x.golden | 13 +- .../listener-bind-address.envoy-1-14-x.golden | 13 +- .../listener-bind-address.envoy-1-15-x.golden | 13 +- .../listener-bind-port.envoy-1-12-x.golden | 13 +- .../listener-bind-port.envoy-1-13-x.golden | 13 +- 
.../listener-bind-port.envoy-1-14-x.golden | 13 +- .../listener-bind-port.envoy-1-15-x.golden | 13 +- ...with-resolver-redirect.envoy-1-12-x.golden | 13 +- ...with-resolver-redirect.envoy-1-13-x.golden | 13 +- ...with-resolver-redirect.envoy-1-14-x.golden | 13 +- ...with-resolver-redirect.envoy-1-15-x.golden | 13 +- ...m-and-tagged-addresses.envoy-1-12-x.golden | 144 +- ...m-and-tagged-addresses.envoy-1-13-x.golden | 144 +- ...m-and-tagged-addresses.envoy-1-14-x.golden | 144 +- ...m-and-tagged-addresses.envoy-1-15-x.golden | 144 +- ...ng-gateway-no-api-cert.envoy-1-12-x.golden | 54 +- ...ng-gateway-no-api-cert.envoy-1-13-x.golden | 54 +- ...ng-gateway-no-api-cert.envoy-1-14-x.golden | 54 +- ...ng-gateway-no-api-cert.envoy-1-15-x.golden | 54 +- ...ateway-service-subsets.envoy-1-12-x.golden | 108 +- ...ateway-service-subsets.envoy-1-13-x.golden | 108 +- ...ateway-service-subsets.envoy-1-14-x.golden | 108 +- ...ateway-service-subsets.envoy-1-15-x.golden | 108 +- .../terminating-gateway.envoy-1-12-x.golden | 72 +- .../terminating-gateway.envoy-1-13-x.golden | 72 +- .../terminating-gateway.envoy-1-14-x.golden | 72 +- .../terminating-gateway.envoy-1-15-x.golden | 72 +- .../rbac/default-allow-kitchen-sink.golden | 72 + .../rbac/default-allow-one-deny.golden | 31 + ...default-allow-service-wildcard-deny.golden | 31 + .../rbac/default-deny-allow-deny.golden | 49 + .../rbac/default-deny-kitchen-sink.golden | 71 + .../rbac/default-deny-mixed-precedence.golden | 30 + .../rbac/default-deny-one-allow.golden | 30 + ...default-deny-service-wildcard-allow.golden | 30 + agent/xds/testing.go | 45 +- go.mod | 1 - .../connect/envoy/case-basic/verify.bats | 13 + .../connect/envoy/case-http/verify.bats | 35 +- test/integration/connect/envoy/helpers.bash | 21 +- .../connect/envoy/test-envoy-versions.sh | 24 +- .../config/filter/http/rbac/v2/rbac.pb.go | 142 ++ .../filter/http/rbac/v2/rbac.pb.validate.go | 196 +++ .../network/ext_authz/v2/ext_authz.pb.go | 123 -- 
.../ext_authz/v2/ext_authz.pb.validate.go | 122 -- .../config/filter/network/rbac/v2/rbac.pb.go | 150 ++ .../network/rbac/v2/rbac.pb.validate.go | 130 ++ .../envoy/config/rbac/v2/rbac.pb.go | 734 ++++++++++ .../envoy/config/rbac/v2/rbac.pb.validate.go | 856 ++++++++++++ .../service/auth/v2alpha/external_auth.pb.go | 125 -- .../auth/v2alpha/external_auth.pb.validate.go | 37 - .../api/expr/v1alpha1/cel_service.pb.go | 195 +++ .../api/expr/v1alpha1/checked.pb.go | 1144 ++++++++++++++++ .../expr/v1alpha1/conformance_service.pb.go | 742 ++++++++++ .../googleapis/api/expr/v1alpha1/eval.pb.go | 351 +++++ .../api/expr/v1alpha1/explain.pb.go | 162 +++ .../googleapis/api/expr/v1alpha1/syntax.pb.go | 1208 +++++++++++++++++ .../googleapis/api/expr/v1alpha1/value.pb.go | 503 +++++++ vendor/modules.txt | 6 +- 170 files changed, 11467 insertions(+), 3120 deletions(-) create mode 100644 .changelog/8569.txt create mode 100644 agent/xds/rbac.go create mode 100644 agent/xds/rbac_test.go create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-12-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-13-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-14-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-15-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-12-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-13-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-14-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-15-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-12-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-13-x.golden 
create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-14-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-15-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-12-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-13-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-14-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-15-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-12-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-13-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-14-x.golden create mode 100644 agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-15-x.golden create mode 100644 agent/xds/testdata/rbac/default-allow-kitchen-sink.golden create mode 100644 agent/xds/testdata/rbac/default-allow-one-deny.golden create mode 100644 agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden create mode 100644 agent/xds/testdata/rbac/default-deny-allow-deny.golden create mode 100644 agent/xds/testdata/rbac/default-deny-kitchen-sink.golden create mode 100644 agent/xds/testdata/rbac/default-deny-mixed-precedence.golden create mode 100644 agent/xds/testdata/rbac/default-deny-one-allow.golden create mode 100644 agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden create mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2/rbac.pb.go create mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2/rbac.pb.validate.go delete mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2/ext_authz.pb.go delete mode 100644 
vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.go create mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2/rbac.pb.go create mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2/rbac.pb.validate.go create mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2/rbac.pb.go create mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2/rbac.pb.validate.go delete mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha/external_auth.pb.go delete mode 100644 vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha/external_auth.pb.validate.go create mode 100644 vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/cel_service.pb.go create mode 100644 vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go create mode 100644 vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/conformance_service.pb.go create mode 100644 vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go create mode 100644 vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go create mode 100644 vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go create mode 100644 vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go diff --git a/.changelog/8569.txt b/.changelog/8569.txt new file mode 100644 index 0000000000..a9986a7ba7 --- /dev/null +++ b/.changelog/8569.txt @@ -0,0 +1,3 @@ +```release-note:feature +xds: use envoy's rbac filter to handle intentions entirely within envoy +``` diff --git a/agent/agent.go b/agent/agent.go index 0f83e070a1..71f011a51b 100644 --- a/agent/agent.go +++ b/agent/agent.go 
@@ -548,6 +548,16 @@ func (a *Agent) Start(ctx context.Context) error { return err } + var intentionDefaultAllow bool + switch a.config.ACLDefaultPolicy { + case "allow": + intentionDefaultAllow = true + case "deny": + intentionDefaultAllow = false + default: + return fmt.Errorf("unexpected ACL default policy value of %q", a.config.ACLDefaultPolicy) + } + // Start the proxy config manager. a.proxyConfig, err = proxycfg.NewManager(proxycfg.ManagerConfig{ Cache: a.cache, @@ -562,7 +572,8 @@ func (a *Agent) Start(ctx context.Context) error { Domain: a.config.DNSDomain, AltDomain: a.config.DNSAltDomain, }, - TLSConfigurator: a.tlsConfigurator, + TLSConfigurator: a.tlsConfigurator, + IntentionDefaultAllow: intentionDefaultAllow, }) if err != nil { return err @@ -655,7 +666,6 @@ func (a *Agent) listenAndServeGRPC() error { xdsServer := &xds.Server{ Logger: a.logger, CfgMgr: a.proxyConfig, - Authz: a, ResolveToken: a.resolveToken, CheckFetcher: a, CfgFetcher: a, diff --git a/agent/consul/discoverychain/compile.go b/agent/consul/discoverychain/compile.go index f5bbd1ba4d..ca43b4da71 100644 --- a/agent/consul/discoverychain/compile.go +++ b/agent/consul/discoverychain/compile.go @@ -1009,10 +1009,5 @@ func defaultIfEmpty(val, defaultVal string) string { } func enableAdvancedRoutingForProtocol(protocol string) bool { - switch protocol { - case "http", "http2", "grpc": - return true - default: - return false - } + return structs.IsProtocolHTTPLike(protocol) } diff --git a/agent/proxycfg/manager.go b/agent/proxycfg/manager.go index 7d8163f924..c703da4f06 100644 --- a/agent/proxycfg/manager.go +++ b/agent/proxycfg/manager.go 
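Review bot: The `switch a.config.ACLDefaultPolicy` block added to `Agent.Start` decides the default verdict that proxies will enforce for intentions, but nothing in the hunk says so or says when the value is refreshed. It is computed once here and copied into `ManagerConfig`, so as far as this hunk shows a later change to the policy would not reach `proxycfg` without a restart. An agent whose default policy differs from the servers' would presumably also hand its proxies a different default than the servers would apply. A comment above the switch would make that visible: `// Intention default follows this agent's ACL default policy; read once at startup and passed to proxies that enforce intentions themselves.` The body of `Start` continues outside the hunk.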
@@ -70,6 +70,11 @@ type ManagerConfig struct { // logger is the agent's logger to be used for logging logs. Logger hclog.Logger TLSConfigurator *tlsutil.Configurator + + // IntentionDefaultAllow is set by the agent so that we can pass this + // information to proxies that need to make intention decisions on their + // own. + IntentionDefaultAllow bool } // NewManager constructs a manager from the provided agent cache. @@ -192,6 +197,7 @@ func (m *Manager) ensureProxyServiceLocked(ns *structs.NodeService, token string state.cache = m.Cache state.source = m.Source state.dnsConfig = m.DNSConfig + state.intentionDefaultAllow = m.IntentionDefaultAllow if m.TLSConfigurator != nil { state.serverSNIFn = m.TLSConfigurator.ServerSNI } diff --git a/agent/proxycfg/manager_test.go b/agent/proxycfg/manager_test.go index bcd1a476ba..e59d0df955 100644 --- a/agent/proxycfg/manager_test.go +++ b/agent/proxycfg/manager_test.go @@ -221,6 +221,8 @@ func TestManager_BasicLifecycle(t *testing.T) { }, PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{}, WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{}, + Intentions: TestIntentions().Matches[0], + IntentionsSet: true, }, Datacenter: "dc1", }, @@ -269,6 +271,8 @@ func TestManager_BasicLifecycle(t *testing.T) { }, PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{}, WatchedServiceChecks: map[structs.ServiceID][]structs.CheckType{}, + Intentions: TestIntentions().Matches[0], + IntentionsSet: true, }, Datacenter: "dc1", }, @@ -286,7 +290,7 @@ func TestManager_BasicLifecycle(t *testing.T) { // Setup initial values types.roots.Set(rootsCacheKey, roots) types.leaf.Set(leafCacheKey, leaf) - types.intentions.Set(intentionCacheKey, TestIntentions(t)) + types.intentions.Set(intentionCacheKey, TestIntentions()) tt.setup(t, types) expectSnapCopy, err := copystructure.Copy(tt.expectSnap) 
@@ -334,7 +338,7 @@ func testManager_BasicLifecycle( state.TriggerSyncChanges = func() {} // Create manager - m, err := NewManager(ManagerConfig{c, state, source, DNSConfig{}, logger, nil}) + m, err := NewManager(ManagerConfig{c, state, source, DNSConfig{}, logger, nil, false}) require.NoError(err) // And run it diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go index b5f6e6f696..03d548fc91 100644 --- a/agent/proxycfg/snapshot.go +++ b/agent/proxycfg/snapshot.go @@ -42,6 +42,12 @@ type configSnapshotConnectProxy struct { WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection PreparedQueryEndpoints map[string]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints + + // NOTE: Intentions stores a list of lists as returned by the Intentions + // Match RPC. So far we only use the first list as the list of matching + // intentions. + Intentions structs.Intentions + IntentionsSet bool } func (c *configSnapshotConnectProxy) IsEmpty() bool { @@ -49,6 +55,7 @@ func (c *configSnapshotConnectProxy) IsEmpty() bool { return true } return c.Leaf == nil && + !c.IntentionsSet && len(c.DiscoveryChain) == 0 && len(c.WatchedUpstreams) == 0 && len(c.WatchedUpstreamEndpoints) == 0 && 
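Review bot: The positional literal `ManagerConfig{c, state, source, DNSConfig{}, logger, nil, false}` in `testManager_BasicLifecycle` had to be touched only because a field was appended. The trailing `false` also gives no hint that it selects default-deny for intentions. Keyed fields would survive the next addition and state the choice, e.g. `ManagerConfig{Cache: c, /* … other fields keyed … */ IntentionDefaultAllow: false}`. The function body continues outside the hunk.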
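Review bot: The NOTE added above `Intentions` in `configSnapshotConnectProxy` says the field stores a list of lists, but the field is declared as `structs.Intentions`. The `intentionsWatchID` handler in agent/proxycfg/state.go assigns it `resp.Matches[0]`, which is a single list. Since authorization rules are now built from this field, the comment should describe what is actually stored: `// Intentions is the first match list returned by the Intentions Match RPC; IntentionsSet reports that a reply has arrived, even an empty one.` The same wording ("map of list of lists") is on `configSnapshotTerminatingGateway.Intentions` in the next hunk and needs the same correction.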
@@ -71,6 +78,14 @@ type configSnapshotTerminatingGateway struct { // are no longer linked to the gateway. WatchedIntentions map[structs.ServiceName]context.CancelFunc + // NOTE: Intentions stores a map of list of lists as returned by the Intentions + // Match RPC. So far we only use the first list as the list of matching + // intentions. + // + // A key being present implies that we have gotten at least one watch reply for the + // service. This is logically the same as ConnectProxy.IntentionsSet==true + Intentions map[structs.ServiceName]structs.Intentions + // WatchedLeaves is a map of ServiceName to a cancel function. // This cancel function is tied to the watch of leaf certs for linked services. // As with WatchedServices, leaf watches will be cancelled when services @@ -82,6 +97,16 @@ type configSnapshotTerminatingGateway struct { // on the service that the caller is trying to reach. ServiceLeaves map[structs.ServiceName]*structs.IssuedCert + // WatchedConfigs is a map of ServiceName to a cancel function. This cancel + // function is tied to the watch of service configs for linked services. As + // with WatchedServices, service config watches will be cancelled when + // services are no longer linked to the gateway. + WatchedConfigs map[structs.ServiceName]context.CancelFunc + + // ServiceConfigs is a map of service name to the resolved service config + // for that service. + ServiceConfigs map[structs.ServiceName]*structs.ServiceConfigResponse + // WatchedResolvers is a map of ServiceName to a cancel function. // This cancel function is tied to the watch of resolvers for linked services. // As with WatchedServices, resolver watches will be cancelled when services 
@@ -90,7 +115,8 @@ type configSnapshotTerminatingGateway struct { // ServiceResolvers is a map of service name to an associated // service-resolver config entry for that service. - ServiceResolvers map[structs.ServiceName]*structs.ServiceResolverConfigEntry + ServiceResolvers map[structs.ServiceName]*structs.ServiceResolverConfigEntry + ServiceResolversSet map[structs.ServiceName]bool // ServiceGroups is a map of service name to the service instances of that // service in the local datacenter. @@ -106,6 +132,38 @@ type configSnapshotTerminatingGateway struct { HostnameServices map[structs.ServiceName]structs.CheckServiceNodes } +// ValidServices returns the list of service keys that have enough data to be emitted. +func (c *configSnapshotTerminatingGateway) ValidServices() []structs.ServiceName { + out := make([]structs.ServiceName, 0, len(c.ServiceGroups)) + for svc := range c.ServiceGroups { + // It only counts if ALL of our watches have come back (with data or not). + + // Skip the service if we don't know if there is a resolver or not. + if _, ok := c.ServiceResolversSet[svc]; !ok { + continue + } + + // Skip the service if we don't have a cert to present for mTLS. + if cert, ok := c.ServiceLeaves[svc]; !ok || cert == nil { + continue + } + + // Skip the service if we haven't gotten our intentions yet. + if _, intentionsSet := c.Intentions[svc]; !intentionsSet { + continue + } + + // Skip the service if we haven't gotten our service config yet to know + // the protocol. + if _, ok := c.ServiceConfigs[svc]; !ok { + continue + } + + out = append(out, svc) + } + return out +} + func (c *configSnapshotTerminatingGateway) IsEmpty() bool { if c == nil { return true 
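Review bot: `ValidServices` builds its result by ranging over the `c.ServiceGroups` map, so the order of the returned slice is not stable from call to call. The callers are outside this hunk; if they emit listeners or RBAC filter chains in slice order, two identical snapshots could produce differently ordered config, which makes pushed policy harder to diff and audit. Either sort `out` before returning or document the contract in the doc comment, e.g. `// The order of the returned slice is unspecified.`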
@@ -113,10 +171,14 @@ func (c *configSnapshotTerminatingGateway) IsEmpty() bool { return len(c.ServiceLeaves) == 0 && len(c.WatchedLeaves) == 0 && len(c.WatchedIntentions) == 0 && + len(c.Intentions) == 0 && len(c.ServiceGroups) == 0 && len(c.WatchedServices) == 0 && len(c.ServiceResolvers) == 0 && + len(c.ServiceResolversSet) == 0 && len(c.WatchedResolvers) == 0 && + len(c.ServiceConfigs) == 0 && + len(c.WatchedConfigs) == 0 && len(c.GatewayServices) == 0 && len(c.HostnameServices) == 0 } @@ -252,15 +314,16 @@ func (k *IngressListenerKey) RouteName() string { // It is meant to be point-in-time coherent and is used to deliver the current // config state to observers who need it to be pushed in (e.g. XDS server). type ConfigSnapshot struct { - Kind structs.ServiceKind - Service string - ProxyID structs.ServiceID - Address string - Port int - ServiceMeta map[string]string - TaggedAddresses map[string]structs.ServiceAddress - Proxy structs.ConnectProxyConfig - Datacenter string + Kind structs.ServiceKind + Service string + ProxyID structs.ServiceID + Address string + Port int + ServiceMeta map[string]string + TaggedAddresses map[string]structs.ServiceAddress + Proxy structs.ConnectProxyConfig + Datacenter string + IntentionDefaultAllow bool ServerSNIFn ServerSNIFunc Roots *structs.IndexedCARoots 
@@ -276,24 +339,28 @@ type ConfigSnapshot struct { // ingress-gateway specific IngressGateway configSnapshotIngressGateway - - // Skip intentions for now as we don't push those down yet, just pre-warm them. } // Valid returns whether or not the snapshot has all required fields filled yet. func (s *ConfigSnapshot) Valid() bool { switch s.Kind { case structs.ServiceKindConnectProxy: - return s.Roots != nil && s.ConnectProxy.Leaf != nil + return s.Roots != nil && + s.ConnectProxy.Leaf != nil && + s.ConnectProxy.IntentionsSet + case structs.ServiceKindTerminatingGateway: return s.Roots != nil + case structs.ServiceKindMeshGateway: if s.ServiceMeta[structs.MetaWANFederationKey] == "1" { if len(s.MeshGateway.ConsulServers) == 0 { return false } } - return s.Roots != nil && (s.MeshGateway.WatchedServicesSet || len(s.MeshGateway.ServiceGroups) > 0) + return s.Roots != nil && + (s.MeshGateway.WatchedServicesSet || len(s.MeshGateway.ServiceGroups) > 0) + case structs.ServiceKindIngressGateway: return s.Roots != nil && s.IngressGateway.Leaf != nil && @@ -323,6 +390,8 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) { snap.TerminatingGateway.WatchedServices = nil snap.TerminatingGateway.WatchedIntentions = nil snap.TerminatingGateway.WatchedLeaves = nil + snap.TerminatingGateway.WatchedConfigs = nil + snap.TerminatingGateway.WatchedResolvers = nil case structs.ServiceKindMeshGateway: snap.MeshGateway.WatchedDatacenters = nil snap.MeshGateway.WatchedServices = nil diff --git a/agent/proxycfg/state.go b/agent/proxycfg/state.go index 83e6a02d4c..d9a826a1b6 100644 --- a/agent/proxycfg/state.go +++ b/agent/proxycfg/state.go @@ -37,6 +37,7 @@ const ( gatewayConfigWatchID = "gateway-config" externalServiceIDPrefix = "external-service:" serviceLeafIDPrefix = "service-leaf:" + serviceConfigIDPrefix = "service-config:" serviceResolverIDPrefix = "service-resolver:" serviceIntentionsIDPrefix = "service-intentions:" svcChecksWatchIDPrefix = cachetype.ServiceHTTPChecksName + ":" 
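Review bot: In `Valid`, the `ServiceKindConnectProxy` case now waits for `s.ConnectProxy.IntentionsSet`, while the `ServiceKindTerminatingGateway` case still returns `s.Roots != nil` with no mention of intentions. Going by the snapshot.go hunk that adds `ValidServices`, gateway readiness is decided per linked service there, but a reader of this switch cannot tell and may take the gateway case for an oversight. A comment on that case would record the intent: `// Per-service readiness (leaf, intentions, service config, resolver) is checked in TerminatingGateway.ValidServices.` Whether every consumer of a gateway snapshot goes through `ValidServices` is not visible from here.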
@@ -50,11 +51,12 @@ const ( // is discarded and a new one created. type state struct { // logger, source and cache are required to be set before calling Watch. - logger hclog.Logger - source *structs.QuerySource - cache CacheNotifier - dnsConfig DNSConfig - serverSNIFn ServerSNIFunc + logger hclog.Logger + source *structs.QuerySource + cache CacheNotifier + dnsConfig DNSConfig + serverSNIFn ServerSNIFunc + intentionDefaultAllow bool // ctx and cancel store the context created during initWatches call ctx context.Context @@ -523,16 +525,17 @@ func (s *state) initWatchesIngressGateway() error { func (s *state) initialConfigSnapshot() ConfigSnapshot { snap := ConfigSnapshot{ - Kind: s.kind, - Service: s.service, - ProxyID: s.proxyID, - Address: s.address, - Port: s.port, - ServiceMeta: s.meta, - TaggedAddresses: s.taggedAddresses, - Proxy: s.proxyCfg, - Datacenter: s.source.Datacenter, - ServerSNIFn: s.serverSNIFn, + Kind: s.kind, + Service: s.service, + ProxyID: s.proxyID, + Address: s.address, + Port: s.port, + ServiceMeta: s.meta, + TaggedAddresses: s.taggedAddresses, + Proxy: s.proxyCfg, + Datacenter: s.source.Datacenter, + ServerSNIFn: s.serverSNIFn, + IntentionDefaultAllow: s.intentionDefaultAllow, } switch s.kind { 
@@ -546,12 +549,16 @@ func (s *state) initialConfigSnapshot() ConfigSnapshot { snap.ConnectProxy.PreparedQueryEndpoints = make(map[string]structs.CheckServiceNodes) case structs.ServiceKindTerminatingGateway: snap.TerminatingGateway.WatchedServices = make(map[structs.ServiceName]context.CancelFunc) - snap.TerminatingGateway.WatchedLeaves = make(map[structs.ServiceName]context.CancelFunc) snap.TerminatingGateway.WatchedIntentions = make(map[structs.ServiceName]context.CancelFunc) - snap.TerminatingGateway.WatchedResolvers = make(map[structs.ServiceName]context.CancelFunc) + snap.TerminatingGateway.Intentions = make(map[structs.ServiceName]structs.Intentions) + snap.TerminatingGateway.WatchedLeaves = make(map[structs.ServiceName]context.CancelFunc) snap.TerminatingGateway.ServiceLeaves = make(map[structs.ServiceName]*structs.IssuedCert) - snap.TerminatingGateway.ServiceGroups = make(map[structs.ServiceName]structs.CheckServiceNodes) + snap.TerminatingGateway.WatchedConfigs = make(map[structs.ServiceName]context.CancelFunc) + snap.TerminatingGateway.ServiceConfigs = make(map[structs.ServiceName]*structs.ServiceConfigResponse) + snap.TerminatingGateway.WatchedResolvers = make(map[structs.ServiceName]context.CancelFunc) snap.TerminatingGateway.ServiceResolvers = make(map[structs.ServiceName]*structs.ServiceResolverConfigEntry) + snap.TerminatingGateway.ServiceResolversSet = make(map[structs.ServiceName]bool) + snap.TerminatingGateway.ServiceGroups = make(map[structs.ServiceName]structs.CheckServiceNodes) snap.TerminatingGateway.GatewayServices = make(map[structs.ServiceName]structs.GatewayService) snap.TerminatingGateway.HostnameServices = make(map[structs.ServiceName]structs.CheckServiceNodes) case structs.ServiceKindMeshGateway: 
@@ -691,7 +698,17 @@ func (s *state) handleUpdateConnectProxy(u cache.UpdateEvent, snap *ConfigSnapsh } snap.Roots = roots case u.CorrelationID == intentionsWatchID: - // no-op: Intentions don't get stored in the snapshot, calls to ConnectAuthorize will fetch them from the cache + resp, ok := u.Result.(*structs.IndexedIntentionMatches) + if !ok { + return fmt.Errorf("invalid type for response: %T", u.Result) + } + if len(resp.Matches) > 0 { + // RPC supports matching multiple services at once but we only ever + // query with the one service we represent currently so just pick + // the one result set up. + snap.ConnectProxy.Intentions = resp.Matches[0] + } + snap.ConnectProxy.IntentionsSet = true case strings.HasPrefix(u.CorrelationID, "upstream:"+preparedQueryIDPrefix): resp, ok := u.Result.(*structs.PreparedQueryExecuteResponse) @@ -1000,6 +1017,28 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config snap.TerminatingGateway.WatchedLeaves[svc.Service] = cancel } + // Watch service configs for the service. + // These are used to determine the protocol for the target service. + if _, ok := snap.TerminatingGateway.WatchedConfigs[svc.Service]; !ok { + ctx, cancel := context.WithCancel(s.ctx) + err := s.cache.Notify(ctx, cachetype.ResolvedServiceConfigName, &structs.ServiceConfigRequest{ + Datacenter: s.source.Datacenter, + QueryOptions: structs.QueryOptions{Token: s.token}, + Name: svc.Service.Name, + EnterpriseMeta: svc.Service.EnterpriseMeta, + }, serviceConfigIDPrefix+svc.Service.String(), s.ch) + + if err != nil { + logger.Error("failed to register watch for a resolved service config", + "service", svc.Service.String(), + "error", err, + ) + cancel() + return err + } + snap.TerminatingGateway.WatchedConfigs[svc.Service] = cancel + } + // Watch service resolvers for the service // These are used to create clusters and endpoints for the service subsets if _, ok := snap.TerminatingGateway.WatchedResolvers[svc.Service]; !ok { 
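Review bot: In the `intentionsWatchID` case of `handleUpdateConnectProxy`, a reply with no entries in `resp.Matches` sets `IntentionsSet = true` but leaves `snap.ConnectProxy.Intentions` at whatever an earlier update stored. If `snap` carries the previous state between updates, intentions that no longer match would stay in the snapshot and keep being enforced. Resetting the field closes that gap: add `} else { snap.ConnectProxy.Intentions = nil }` to the `if len(resp.Matches) > 0` block. Whether the Match RPC can return zero match lists for a single-service query is not visible in this hunk, and the function body continues outside it.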
@@ -1058,12 +1097,23 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config } } + // Cancel service config watches for services that were not in the update + for sn, cancelFn := range snap.TerminatingGateway.WatchedConfigs { + if _, ok := svcMap[sn]; !ok { + logger.Debug("canceling watch for resolved service config", "service", sn.String()) + delete(snap.TerminatingGateway.WatchedConfigs, sn) + delete(snap.TerminatingGateway.ServiceConfigs, sn) + cancelFn() + } + } + // Cancel service-resolver watches for services that were not in the update for sn, cancelFn := range snap.TerminatingGateway.WatchedResolvers { if _, ok := svcMap[sn]; !ok { logger.Debug("canceling watch for service-resolver", "service", sn.String()) delete(snap.TerminatingGateway.WatchedResolvers, sn) delete(snap.TerminatingGateway.ServiceResolvers, sn) + delete(snap.TerminatingGateway.ServiceResolversSet, sn) cancelFn() } } @@ -1073,9 +1123,7 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config if _, ok := svcMap[sn]; !ok { logger.Debug("canceling watch for intention", "service", sn.String()) delete(snap.TerminatingGateway.WatchedIntentions, sn) - - // No additional deletions needed, since intentions aren't stored in snapshot - + delete(snap.TerminatingGateway.Intentions, sn) cancelFn() } } 
@@ -1105,21 +1153,43 @@ func (s *state) handleUpdateTerminatingGateway(u cache.UpdateEvent, snap *Config sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceLeafIDPrefix)) snap.TerminatingGateway.ServiceLeaves[sn] = leaf - case strings.HasPrefix(u.CorrelationID, "service-resolver:"): + case strings.HasPrefix(u.CorrelationID, serviceConfigIDPrefix): + serviceConfig, ok := u.Result.(*structs.ServiceConfigResponse) + if !ok { + return fmt.Errorf("invalid type for response: %T", u.Result) + } + + sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceConfigIDPrefix)) + snap.TerminatingGateway.ServiceConfigs[sn] = serviceConfig + + case strings.HasPrefix(u.CorrelationID, serviceResolverIDPrefix): configEntries, ok := u.Result.(*structs.IndexedConfigEntries) if !ok { return fmt.Errorf("invalid type for response: %T", u.Result) } + sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceResolverIDPrefix)) // There should only ever be one entry for a service resolver within a namespace if len(configEntries.Entries) == 1 { if resolver, ok := configEntries.Entries[0].(*structs.ServiceResolverConfigEntry); ok { - snap.TerminatingGateway.ServiceResolvers[structs.NewServiceName(resolver.Name, &resolver.EnterpriseMeta)] = resolver + snap.TerminatingGateway.ServiceResolvers[sn] = resolver } } + snap.TerminatingGateway.ServiceResolversSet[sn] = true - // nolint: staticcheck // github.com/dominikh/go-tools/issues/580 case strings.HasPrefix(u.CorrelationID, serviceIntentionsIDPrefix): - // no-op: Intentions don't get stored in the snapshot, calls to ConnectAuthorize will fetch them from the cache + resp, ok := u.Result.(*structs.IndexedIntentionMatches) + if !ok { + return fmt.Errorf("invalid type for response: %T", u.Result) + } + + sn := structs.ServiceNameFromString(strings.TrimPrefix(u.CorrelationID, serviceIntentionsIDPrefix)) + + if len(resp.Matches) > 0 { + // RPC supports matching multiple services at 
once but we only ever + // query with the one service we represent currently so just pick + // the one result set up. + snap.TerminatingGateway.Intentions[sn] = resp.Matches[0] + } default: // do nothing diff --git a/agent/proxycfg/state_test.go b/agent/proxycfg/state_test.go index 6f2f686901..a907144f84 100644 --- a/agent/proxycfg/state_test.go +++ b/agent/proxycfg/state_test.go @@ -223,6 +223,17 @@ func genVerifyResolverWatch(expectedService, expectedDatacenter, expectedKind st } } +func genVerifyResolvedConfigWatch(expectedService string, expectedDatacenter string) verifyWatchRequest { + return func(t testing.TB, cacheType string, request cache.Request) { + require.Equal(t, cachetype.ResolvedServiceConfigName, cacheType) + + reqReal, ok := request.(*structs.ServiceConfigRequest) + require.True(t, ok) + require.Equal(t, expectedDatacenter, reqReal.Datacenter) + require.Equal(t, expectedService, reqReal.Name) + } +} + func genVerifyIntentionWatch(expectedService string, expectedDatacenter string) verifyWatchRequest { return func(t testing.TB, cacheType string, request cache.Request) { require.Equal(t, cachetype.IntentionMatchName, cacheType) @@ -422,6 +433,8 @@ func TestState_WatchesAndUpdates(t *testing.T) { ns.Proxy.MeshGateway.Mode = meshGatewayProxyConfigValue } + ixnMatch := TestIntentions() + stage0 := verificationStage{ requiredWatches: map[string]verifyWatchRequest{ rootsWatchID: genVerifyRootsWatch("dc1"), @@ -481,6 +494,11 @@ func TestState_WatchesAndUpdates(t *testing.T) { Result: issuedCert, Err: nil, }, + { + CorrelationID: intentionsWatchID, + Result: ixnMatch, + Err: nil, + }, { CorrelationID: "discovery-chain:api", Result: &structs.DiscoveryChainResponse{ 
@@ -555,6 +573,9 @@ func TestState_WatchesAndUpdates(t *testing.T) { require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks) require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints) + + require.True(t, snap.ConnectProxy.IntentionsSet) + require.Equal(t, ixnMatch.Matches[0], snap.ConnectProxy.Intentions) }, } @@ -581,6 +602,9 @@ func TestState_WatchesAndUpdates(t *testing.T) { require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks) require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints) + + require.True(t, snap.ConnectProxy.IntentionsSet) + require.Equal(t, ixnMatch.Matches[0], snap.ConnectProxy.Intentions) }, } @@ -599,9 +623,46 @@ func TestState_WatchesAndUpdates(t *testing.T) { db := structs.NewServiceName("db", nil) dbStr := db.String() + billing := structs.NewServiceName("billing", nil) + api := structs.NewServiceName("api", nil) apiStr := api.String() + dbIxnMatch := &structs.IndexedIntentionMatches{ + Matches: []structs.Intentions{ + []*structs.Intention{ + { + ID: "abc-123", + SourceNS: "default", + SourceName: "api", + DestinationNS: "default", + DestinationName: "db", + Action: structs.IntentionActionAllow, + }, + }, + }, + } + + dbConfig := &structs.ServiceConfigResponse{ + ProxyConfig: map[string]interface{}{ + "protocol": "grpc", + }, + } + + dbResolver := &structs.IndexedConfigEntries{ + Kind: structs.ServiceResolver, + Entries: []structs.ConfigEntry{ + &structs.ServiceResolverConfigEntry{ + Name: "db", + Kind: structs.ServiceResolver, + Redirect: &structs.ServiceResolverRedirect{ + Service: "db", + Datacenter: "dc2", + }, + }, + }, + } + cases := map[string]testCase{ "initial-gateway": { ns: structs.NodeService{ 
@@ -1105,7 +1166,7 @@ func TestState_WatchesAndUpdates(t *testing.T) { Result: &structs.IndexedGatewayServices{ Services: structs.GatewayServices{ { - Service: structs.NewServiceName("db", nil), + Service: db, Gateway: structs.NewServiceName("terminating-gateway", nil), }, }, @@ -1115,7 +1176,10 @@ func TestState_WatchesAndUpdates(t *testing.T) { }, verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { require.True(t, snap.Valid(), "gateway with service list is valid") + require.Len(t, snap.TerminatingGateway.ValidServices(), 0) + require.Len(t, snap.TerminatingGateway.WatchedServices, 1) + require.Contains(t, snap.TerminatingGateway.WatchedServices, db) }, }, { @@ -1125,15 +1189,15 @@ func TestState_WatchesAndUpdates(t *testing.T) { Result: &structs.IndexedGatewayServices{ Services: structs.GatewayServices{ { - Service: structs.NewServiceName("db", nil), + Service: db, Gateway: structs.NewServiceName("terminating-gateway", nil), }, { - Service: structs.NewServiceName("billing", nil), + Service: billing, Gateway: structs.NewServiceName("terminating-gateway", nil), }, { - Service: structs.NewServiceName("api", nil), + Service: api, Gateway: structs.NewServiceName("terminating-gateway", nil), }, }, @@ -1142,11 +1206,9 @@ func TestState_WatchesAndUpdates(t *testing.T) { }, }, verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { - db := structs.NewServiceName("db", nil) - billing := structs.NewServiceName("billing", nil) - api := structs.NewServiceName("api", nil) - require.True(t, snap.Valid(), "gateway with service list is valid") + require.Len(t, snap.TerminatingGateway.ValidServices(), 0) + require.Len(t, snap.TerminatingGateway.WatchedServices, 3) require.Contains(t, snap.TerminatingGateway.WatchedServices, db) require.Contains(t, snap.TerminatingGateway.WatchedServices, billing) 
@@ -1162,6 +1224,11 @@ func TestState_WatchesAndUpdates(t *testing.T) { require.Contains(t, snap.TerminatingGateway.WatchedLeaves, billing) require.Contains(t, snap.TerminatingGateway.WatchedLeaves, api) + require.Len(t, snap.TerminatingGateway.WatchedConfigs, 3) + require.Contains(t, snap.TerminatingGateway.WatchedConfigs, db) + require.Contains(t, snap.TerminatingGateway.WatchedConfigs, billing) + require.Contains(t, snap.TerminatingGateway.WatchedConfigs, api) + require.Len(t, snap.TerminatingGateway.WatchedResolvers, 3) require.Contains(t, snap.TerminatingGateway.WatchedResolvers, db) require.Contains(t, snap.TerminatingGateway.WatchedResolvers, billing) @@ -1198,8 +1265,11 @@ func TestState_WatchesAndUpdates(t *testing.T) { }, }, verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { + require.True(t, snap.Valid(), "gateway with service list is valid") + require.Len(t, snap.TerminatingGateway.ValidServices(), 0) + require.Len(t, snap.TerminatingGateway.ServiceGroups, 1) - require.Equal(t, snap.TerminatingGateway.ServiceGroups[structs.NewServiceName("db", nil)], + require.Equal(t, snap.TerminatingGateway.ServiceGroups[db], structs.CheckServiceNodes{ { Node: &structs.Node{ @@ -1263,6 +1333,9 @@ func TestState_WatchesAndUpdates(t *testing.T) { }, }, verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { + require.True(t, snap.Valid(), "gateway with service list is valid") + require.Len(t, snap.TerminatingGateway.ValidServices(), 0) + require.Len(t, snap.TerminatingGateway.ServiceGroups, 2) expect := structs.CheckServiceNodes{ { 
@@ -1299,11 +1372,10 @@ func TestState_WatchesAndUpdates(t *testing.T) { }, }, } - sn := structs.NewServiceName("api", nil) - require.Equal(t, snap.TerminatingGateway.ServiceGroups[sn], expect) + require.Equal(t, snap.TerminatingGateway.ServiceGroups[api], expect) // The instance in node3 should not be present in HostnameDatacenters because it has a valid IP - require.ElementsMatch(t, snap.TerminatingGateway.HostnameServices[sn], expect[:2]) + require.ElementsMatch(t, snap.TerminatingGateway.HostnameServices[api], expect[:2]) }, }, { 
@@ -1318,7 +1390,50 @@ func TestState_WatchesAndUpdates(t *testing.T) { }, }, verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { - require.Equal(t, snap.TerminatingGateway.ServiceLeaves[structs.NewServiceName("db", nil)], issuedCert) + require.True(t, snap.Valid(), "gateway with service list is valid") + require.Len(t, snap.TerminatingGateway.ValidServices(), 0) + + require.Equal(t, snap.TerminatingGateway.ServiceLeaves[db], issuedCert) + }, + }, + { + requiredWatches: map[string]verifyWatchRequest{ + serviceIntentionsIDPrefix + dbStr: genVerifyIntentionWatch("db", "dc1"), + }, + events: []cache.UpdateEvent{ + { + CorrelationID: serviceIntentionsIDPrefix + dbStr, + Result: dbIxnMatch, + Err: nil, + }, + }, + verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { + require.True(t, snap.Valid(), "gateway with service list is valid") + require.Len(t, snap.TerminatingGateway.ValidServices(), 0) + + require.Len(t, snap.TerminatingGateway.Intentions, 1) + dbIxn, ok := snap.TerminatingGateway.Intentions[db] + require.True(t, ok) + require.Equal(t, dbIxnMatch.Matches[0], dbIxn) + }, + }, + { + requiredWatches: map[string]verifyWatchRequest{ + serviceConfigIDPrefix + dbStr: genVerifyResolvedConfigWatch("db", "dc1"), + }, + events: []cache.UpdateEvent{ + { + CorrelationID: serviceConfigIDPrefix + dbStr, + Result: dbConfig, + Err: nil, + }, + }, + verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { + require.True(t, snap.Valid(), "gateway with service list is valid") + require.Len(t, snap.TerminatingGateway.ValidServices(), 0) + + require.Len(t, snap.TerminatingGateway.ServiceConfigs, 1) + require.Equal(t, snap.TerminatingGateway.ServiceConfigs[db], dbConfig) }, }, { 
@@ -1328,32 +1443,20 @@ func TestState_WatchesAndUpdates(t *testing.T) { events: []cache.UpdateEvent{ { CorrelationID: "service-resolver:" + dbStr, - Result: &structs.IndexedConfigEntries{ - Kind: structs.ServiceResolver, - Entries: []structs.ConfigEntry{ - &structs.ServiceResolverConfigEntry{ - Name: "db", - Kind: structs.ServiceResolver, - Redirect: &structs.ServiceResolverRedirect{ - Service: "db", - Datacenter: "dc2", - }, - }, - }, - }, - Err: nil, + Result: dbResolver, + Err: nil, }, }, verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { - want := &structs.ServiceResolverConfigEntry{ - Kind: structs.ServiceResolver, - Name: "db", - Redirect: &structs.ServiceResolverRedirect{ - Service: "db", - Datacenter: "dc2", - }, - } - require.Equal(t, want, snap.TerminatingGateway.ServiceResolvers[structs.NewServiceName("db", nil)]) + require.True(t, snap.Valid(), "gateway with service list is valid") + // Finally we have everything we need + require.Equal(t, []structs.ServiceName{db}, snap.TerminatingGateway.ValidServices()) + + require.Len(t, snap.TerminatingGateway.ServiceResolversSet, 1) + require.True(t, snap.TerminatingGateway.ServiceResolversSet[db]) + + require.Len(t, snap.TerminatingGateway.ServiceResolvers, 1) + require.Equal(t, dbResolver.Entries[0], snap.TerminatingGateway.ServiceResolvers[db]) }, }, { @@ -1363,7 +1466,7 @@ func TestState_WatchesAndUpdates(t *testing.T) { Result: &structs.IndexedGatewayServices{ Services: structs.GatewayServices{ { - Service: structs.NewServiceName("billing", nil), + Service: billing, Gateway: structs.NewServiceName("terminating-gateway", nil), }, }, 
@@ -1372,9 +1475,8 @@ func TestState_WatchesAndUpdates(t *testing.T) { }, }, verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) { - billing := structs.NewServiceName("billing", nil) - require.True(t, snap.Valid(), "gateway with service list is valid") + require.Len(t, snap.TerminatingGateway.ValidServices(), 0) // All the watches should have been cancelled for db require.Len(t, snap.TerminatingGateway.WatchedServices, 1) diff --git a/agent/proxycfg/testing.go b/agent/proxycfg/testing.go index 291c06762d..a534b3a7c1 100644 --- a/agent/proxycfg/testing.go +++ b/agent/proxycfg/testing.go @@ -99,7 +99,7 @@ func TestLeafForCA(t testing.T, ca *structs.CARoot) *structs.IssuedCert { // TestIntentions returns a sample intentions match result useful to // mocking service discovery cache results. -func TestIntentions(t testing.T) *structs.IndexedIntentionMatches { +func TestIntentions() *structs.IndexedIntentionMatches { return &structs.IndexedIntentionMatches{ Matches: []structs.Intentions{ []*structs.Intention{ @@ -685,6 +685,8 @@ func TestConfigSnapshot(t testing.T) *ConfigSnapshot { PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{ "prepared_query:geo-cache": TestUpstreamNodes(t), }, + Intentions: nil, // no intentions defined + IntentionsSet: true, }, Datacenter: "dc1", } @@ -1793,6 +1795,12 @@ func testConfigSnapshotTerminatingGateway(t testing.T, populateServices bool) *C db: dbNodes, cache: cacheNodes, }, + ServiceResolversSet: map[structs.ServiceName]bool{ + web: true, + api: true, + db: true, + cache: true, + }, GatewayServices: map[structs.ServiceName]structs.GatewayService{ web: { Service: web, 
@@ -1817,20 +1825,43 @@ func testConfigSnapshotTerminatingGateway(t testing.T, populateServices bool) *C cache: {cacheNodes[0], cacheNodes[1]}, }, } + + snap.TerminatingGateway.ServiceConfigs = map[structs.ServiceName]*structs.ServiceConfigResponse{ + web: { + ProxyConfig: map[string]interface{}{"protocol": "tcp"}, + }, + api: { + ProxyConfig: map[string]interface{}{"protocol": "tcp"}, + }, + db: { + ProxyConfig: map[string]interface{}{"protocol": "tcp"}, + }, + cache: { + ProxyConfig: map[string]interface{}{"protocol": "tcp"}, + }, + } + snap.TerminatingGateway.Intentions = map[structs.ServiceName]structs.Intentions{ + // no intentions defined for thse services + web: nil, + api: nil, + db: nil, + cache: nil, + } + snap.TerminatingGateway.ServiceLeaves = map[structs.ServiceName]*structs.IssuedCert{ - structs.NewServiceName("web", nil): { + web: { CertPEM: golden(t, "test-leaf-cert"), PrivateKeyPEM: golden(t, "test-leaf-key"), }, - structs.NewServiceName("api", nil): { + api: { CertPEM: golden(t, "alt-test-leaf-cert"), PrivateKeyPEM: golden(t, "alt-test-leaf-key"), }, - structs.NewServiceName("db", nil): { + db: { CertPEM: golden(t, "db-test-leaf-cert"), PrivateKeyPEM: golden(t, "db-test-leaf-key"), }, - structs.NewServiceName("cache", nil): { + cache: { CertPEM: golden(t, "cache-test-leaf-cert"), PrivateKeyPEM: golden(t, "cache-test-leaf-key"), }, diff --git a/agent/structs/config_entry_discoverychain.go b/agent/structs/config_entry_discoverychain.go index 81a6e421a5..04cf32353a 100644 --- a/agent/structs/config_entry_discoverychain.go +++ b/agent/structs/config_entry_discoverychain.go @@ -1212,3 +1212,12 @@ func defaultIfEmpty(val, defaultVal string) string { } return defaultVal } + +func IsProtocolHTTPLike(protocol string) bool { + switch protocol { + case "http", "http2", "grpc": + return true + default: + return false + } +} 
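Review bot: `IsProtocolHTTPLike`, added at the end of config_entry_discoverychain.go, is exported without a doc comment and matches the protocol string exactly, so a value such as "HTTP" would be treated as non-HTTP. Elsewhere in this commit its result selects between the network RBAC filter and the HTTP RBAC filter, so the contract should be written down. I would add `// IsProtocolHTTPLike reports whether protocol is exactly "http", "http2" or "grpc"; any other value, including "", is treated as L4. Callers must pass a lower-cased protocol.` Whether callers already normalise the case is not visible from this hunk.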
diff --git a/agent/structs/config_entry_discoverychain_test.go b/agent/structs/config_entry_discoverychain_test.go index 7b7a2feef3..5f332e9bbe 100644 --- a/agent/structs/config_entry_discoverychain_test.go +++ b/agent/structs/config_entry_discoverychain_test.go @@ -8,6 +8,7 @@ import ( "time" "github.com/hashicorp/consul/acl" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) @@ -1162,3 +1163,12 @@ func TestValidateServiceSubset(t *testing.T) { }) } } + +func TestIsProtocolHTTPLike(t *testing.T) { + assert.False(t, IsProtocolHTTPLike("")) + assert.False(t, IsProtocolHTTPLike("tcp")) + + assert.True(t, IsProtocolHTTPLike("http")) + assert.True(t, IsProtocolHTTPLike("http2")) + assert.True(t, IsProtocolHTTPLike("grpc")) +} diff --git a/agent/structs/intention.go b/agent/structs/intention.go index b6bb1d71f0..aa57587cf8 100644 --- a/agent/structs/intention.go +++ b/agent/structs/intention.go @@ -359,6 +359,14 @@ func (x *Intention) EstimateSize() int { return size } +func (x *Intention) SourceServiceName() ServiceName { + return NewServiceName(x.SourceName, x.SourceEnterpriseMeta()) +} + +func (x *Intention) DestinationServiceName() ServiceName { + return NewServiceName(x.DestinationName, x.DestinationEnterpriseMeta()) +} + // IntentionAction is the action that the intention represents. This // can be "allow" or "deny". type IntentionAction string diff --git a/agent/structs/intention_oss.go b/agent/structs/intention_oss.go index e2ae21bbf8..75e14996ae 100644 --- a/agent/structs/intention_oss.go +++ b/agent/structs/intention_oss.go 
@@ -6,6 +6,14 @@ import ( "github.com/hashicorp/consul/acl" ) +func (ixn *Intention) SourceEnterpriseMeta() *EnterpriseMeta { + return DefaultEnterpriseMeta() +} + +func (ixn *Intention) DestinationEnterpriseMeta() *EnterpriseMeta { + return DefaultEnterpriseMeta() +} + // FillAuthzContext can fill in an acl.AuthorizerContext object to setup // extra parameters for ACL enforcement. In OSS there is currently nothing // extra to be done. diff --git a/agent/xds/golden_test.go b/agent/xds/golden_test.go index 7b264b7afc..dd285d24f6 100644 --- a/agent/xds/golden_test.go +++ b/agent/xds/golden_test.go @@ -9,6 +9,7 @@ import ( envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2" "github.com/golang/protobuf/jsonpb" + "github.com/golang/protobuf/proto" "github.com/hashicorp/go-version" "github.com/stretchr/testify/require" ) @@ -55,11 +56,15 @@ func golden(t *testing.T, name, subname, got string) string { } func responseToJSON(t *testing.T, r *envoy.DiscoveryResponse) string { + return protoToJSON(t, r) +} + +func protoToJSON(t *testing.T, pb proto.Message) string { t.Helper() m := jsonpb.Marshaler{ Indent: " ", } - gotJSON, err := m.MarshalToString(r) + gotJSON, err := m.MarshalToString(pb) require.NoError(t, err) return gotJSON } diff --git a/agent/xds/listeners.go b/agent/xds/listeners.go index 1a834db775..ae78ffa9dc 100644 --- a/agent/xds/listeners.go +++ b/agent/xds/listeners.go 
@@ -15,7 +15,6 @@ import ( envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" envoylistener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" envoyroute "github.com/envoyproxy/go-control-plane/envoy/api/v2/route" - extauthz "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2" envoyhttp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2" envoytcp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/tcp_proxy/v2" envoytype "github.com/envoyproxy/go-control-plane/envoy/type" @@ -23,6 +22,7 @@ import ( "github.com/envoyproxy/go-control-plane/pkg/wellknown" "github.com/golang/protobuf/jsonpb" "github.com/golang/protobuf/proto" + pbtypes "github.com/golang/protobuf/ptypes" "github.com/golang/protobuf/ptypes/any" pbstruct "github.com/golang/protobuf/ptypes/struct" "github.com/golang/protobuf/ptypes/wrappers" @@ -313,8 +313,17 @@ func (s *Server) makeIngressGatewayListeners(address string, cfgSnap *proxycfg.C } else { // If multiple upstreams share this port, make a special listener for the protocol. listener := makeListener(listenerKey.Protocol, address, listenerKey.Port) - filter, err := makeListenerFilter( - true, listenerKey.Protocol, listenerKey.RouteName(), "", "ingress_upstream_", "", false) + opts := listenerFilterOpts{ + useRDS: true, + protocol: listenerKey.Protocol, + filterName: listenerKey.RouteName(), + cluster: "", + statPrefix: "ingress_upstream_", + routePath: "", + ingress: false, + httpAuthzFilter: nil, + } + filter, err := makeListenerFilter(opts) if err != nil { return nil, err } 
@@ -395,23 +404,104 @@ func makeListenerFromUserConfig(configJSON string) (*envoy.Listener, error) { return &l, err } -// Ensure that the first filter in each filter chain of a public listener is the -// authz filter to prevent unauthorized access and that every filter chain uses -// our TLS certs. We might allow users to work around this later if there is a -// good use case but this is actually a feature for now as it allows them to -// specify custom listener params in config but still get our certs delivered -// dynamically and intentions enforced without coming up with some complicated -// templating/merging solution. -func injectConnectFilters(cInfo connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error { - authFilter, err := makeExtAuthFilter(cInfo.Token) +// Ensure that the first filter in each filter chain of a public listener is +// the authz filter to prevent unauthorized access. +func (s *Server) injectConnectFilters(_ connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error { + authzFilter, err := makeRBACNetworkFilter( + cfgSnap.ConnectProxy.Intentions, + cfgSnap.IntentionDefaultAllow, + ) if err != nil { return err } + for idx := range listener.FilterChains { // Insert our authz filter before any others listener.FilterChains[idx].Filters = - append([]*envoylistener.Filter{authFilter}, listener.FilterChains[idx].Filters...) + append([]*envoylistener.Filter{ + authzFilter, + }, listener.FilterChains[idx].Filters...) + } + return nil +} +const httpConnectionManagerNewName = "envoy.filters.network.http_connection_manager" + +// Locate the existing http connect manager L4 filter and inject our RBAC filter at the top. 
+func (s *Server) injectHTTPFilterOnFilterChains( + listener *envoy.Listener, + authzFilter *envoyhttp.HttpFilter, +) error { + for chainIdx, chain := range listener.FilterChains { + var ( + hcmFilter *envoylistener.Filter + hcmFilterIdx int + ) + + for filterIdx, filter := range chain.Filters { + if filter.Name == wellknown.HTTPConnectionManager || + filter.Name == httpConnectionManagerNewName { + hcmFilter = filter + hcmFilterIdx = filterIdx + break + } + } + if hcmFilter == nil { + return fmt.Errorf( + "filter chain %d lacks either a %q or %q filter", + chainIdx, + wellknown.HTTPConnectionManager, + httpConnectionManagerNewName, + ) + } + + var ( + hcm envoyhttp.HttpConnectionManager + isTyped bool + ) + switch x := hcmFilter.ConfigType.(type) { + case *envoylistener.Filter_Config: + if err := conversion.StructToMessage(x.Config, &hcm); err != nil { + return err + } + isTyped = false + case *envoylistener.Filter_TypedConfig: + if err := pbtypes.UnmarshalAny(x.TypedConfig, &hcm); err != nil { + return err + } + isTyped = true + default: + return fmt.Errorf( + "filter chain %d has a %q filter with an unsupported config type: %T", + chainIdx, + hcmFilter.Name, + x, + ) + } + + // Insert our authz filter before any others + hcm.HttpFilters = append([]*envoyhttp.HttpFilter{ + authzFilter, + }, hcm.HttpFilters...) + + // And persist the modified filter. + newFilter, err := makeFilter(hcmFilter.Name, &hcm, isTyped) + if err != nil { + return err + } + chain.Filters[hcmFilterIdx] = newFilter + } + + return nil +} + +// Ensure every filter chain uses our TLS certs. We might allow users to work +// around this later if there is a good use case but this is actually a feature +// for now as it allows them to specify custom listener params in config but +// still get our certs delivered dynamically and intentions enforced without +// coming up with some complicated templating/merging solution. 
+func (s *Server) injectConnectTLSOnFilterChains(_ connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener *envoy.Listener) error { + for idx := range listener.FilterChains { listener.FilterChains[idx].TlsContext = &envoyauth.DownstreamTlsContext{ CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf()), RequireClientCertificate: &wrappers.BoolValue{Value: true}, @@ -436,9 +526,12 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf if err != nil { return l, err } - // In the happy path don't return yet as we need to inject TLS config still. + // In the happy path don't return yet as we need to inject TLS and authz config still. } + // This controls if we do L4 or L7 intention checks. + useHTTPFilter := structs.IsProtocolHTTPLike(cfg.Protocol) + if l == nil { // No user config, use default listener addr := cfgSnap.Address @@ -460,8 +553,27 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf l = makeListener(PublicListenerName, addr, port) - filter, err := makeListenerFilter( - false, cfg.Protocol, "public_listener", LocalAppClusterName, "", "", true) + opts := listenerFilterOpts{ + useRDS: false, + protocol: cfg.Protocol, + filterName: "public_listener", + cluster: LocalAppClusterName, + statPrefix: "", + routePath: "", + ingress: true, + } + + if useHTTPFilter { + opts.httpAuthzFilter, err = makeRBACHTTPFilter( + cfgSnap.ConnectProxy.Intentions, + cfgSnap.IntentionDefaultAllow, + ) + if err != nil { + return nil, err + } + } + + filter, err := makeListenerFilter(opts) if err != nil { return nil, err } 
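Review bot: `injectHTTPFilterOnFilterChains` modifies the filter chains one at a time and returns on the first chain that lacks an HTTP connection manager or has an unsupported config type, so earlier chains already carry the HTTP RBAC filter when it fails. The caller in `makePublicListener` then falls back to `injectConnectFilters`, which leaves those earlier chains with both filters. That looks harmless for enforcement, but the doc comment should say so, for example `// On error the listener may be partially modified: chains before the failing one already have the HTTP RBAC filter.` Alternatively, validate and decode every chain first and only then write the new filters back, so that a failure leaves the listener untouched.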
@@ -472,9 +584,39 @@ func (s *Server) makePublicListener(cInfo connectionInfo, cfgSnap *proxycfg.Conf }, }, } + + } else if useHTTPFilter { + httpAuthzFilter, err := makeRBACHTTPFilter( + cfgSnap.ConnectProxy.Intentions, + cfgSnap.IntentionDefaultAllow, + ) + if err != nil { + return nil, err + } + + // We're using the listener escape hatch, so try our best to inject the + // HTTP RBAC filter, but if we can't then just inject the RBAC Network + // filter instead. + if err := s.injectHTTPFilterOnFilterChains(l, httpAuthzFilter); err != nil { + s.Logger.Warn( + "could not inject the HTTP RBAC filter to enforce intentions on user-provided 'envoy_public_listener_json' config; falling back on the RBAC network filter instead", + "proxy", cfgSnap.ProxyID, + "error", err, + ) + useHTTPFilter = false + } + } + + if !useHTTPFilter { + if err := s.injectConnectFilters(cInfo, cfgSnap, l); err != nil { + return nil, err + } + } + + if err := s.injectConnectTLSOnFilterChains(cInfo, cfgSnap, l); err != nil { + return nil, err } - err = injectConnectFilters(cInfo, cfgSnap, l) return l, err } @@ -505,7 +647,17 @@ func (s *Server) makeExposedCheckListener(cfgSnap *proxycfg.ConfigSnapshot, clus filterName := fmt.Sprintf("exposed_path_filter_%s_%d", strippedPath, path.ListenerPort) - f, err := makeListenerFilter(false, path.Protocol, filterName, cluster, "", path.Path, true) + opts := listenerFilterOpts{ + useRDS: false, + protocol: path.Protocol, + filterName: filterName, + cluster: cluster, + statPrefix: "", + routePath: path.Path, + ingress: true, + httpAuthzFilter: nil, + } + f, err := makeListenerFilter(opts) if err != nil { return nil, err } 
@@ -557,20 +709,35 @@ func (s *Server) makeTerminatingGatewayListener( // Make a FilterChain for each linked service // Match on the cluster name, - for svc := range cfgSnap.TerminatingGateway.ServiceGroups { + for _, svc := range cfgSnap.TerminatingGateway.ValidServices() { clusterName := connect.ServiceSNI(svc.Name, "", svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain) + + // Resolvers are optional. resolver, hasResolver := cfgSnap.TerminatingGateway.ServiceResolvers[svc] - // Skip the service if we don't have a cert to present for mTLS - if cert, ok := cfgSnap.TerminatingGateway.ServiceLeaves[svc]; !ok || cert == nil { - // TODO (gateways) (freddy) Should the error suggest that the issue may be ACLs? (need service:write on service) - s.Logger.Named(logging.TerminatingGateway). - Error("no client certificate available for linked service, skipping filter chain creation", - "service", svc.String(), "error", err) - continue + intentions := cfgSnap.TerminatingGateway.Intentions[svc] + svcConfig := cfgSnap.TerminatingGateway.ServiceConfigs[svc] + + cfg, err := ParseProxyConfig(svcConfig.ProxyConfig) + if err != nil { + // Don't hard fail on a config typo, just warn. The parse func returns + // default config if there is an error so it's safe to continue. + s.Logger.Named(logging.TerminatingGateway).Warn( + "failed to parse Connect.Proxy.Config for linked service", + "service", svc.String(), + "error", err, + ) } - clusterChain, err := s.sniFilterChainTerminatingGateway(cInfo, cfgSnap, name, clusterName, svc) + clusterChain, err := s.makeFilterChainTerminatingGateway( + cInfo, + cfgSnap, + name, + clusterName, + svc, + intentions, + cfg.Protocol, + ) if err != nil { return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err) } 
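Review bot: In the loop over `ValidServices()` in `makeTerminatingGatewayListener`, `svcConfig` is read from the `ServiceConfigs` map and `svcConfig.ProxyConfig` is dereferenced without a nil check, so a service with no entry (or a nil entry) would panic instead of being skipped. The hunk also removes the explicit guard for a missing leaf certificate. Both now depend entirely on `ValidServices()` returning only services with a config and a leaf, and that function is outside this hunk. I would keep a cheap local guard such as `if svcConfig == nil { continue }`, with a log line like the removed one, so that a future change to `ValidServices()` cannot turn into a crash while building the listener.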
@@ -580,13 +747,21 @@ func (s *Server) makeTerminatingGatewayListener( if hasResolver { // generate 1 filter chain for each service subset for subsetName := range resolver.Subsets { - clusterName := connect.ServiceSNI(svc.Name, subsetName, svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain) + subsetClusterName := connect.ServiceSNI(svc.Name, subsetName, svc.NamespaceOrDefault(), cfgSnap.Datacenter, cfgSnap.Roots.TrustDomain) - clusterChain, err := s.sniFilterChainTerminatingGateway(cInfo, cfgSnap, name, clusterName, svc) + subsetClusterChain, err := s.makeFilterChainTerminatingGateway( + cInfo, + cfgSnap, + name, + subsetClusterName, + svc, + intentions, + cfg.Protocol, + ) if err != nil { - return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", clusterName, err) + return nil, fmt.Errorf("failed to make filter chain for cluster %q: %v", subsetClusterName, err) } - l.FilterChains = append(l.FilterChains, clusterChain) + l.FilterChains = append(l.FilterChains, subsetClusterChain) } } } 
@@ -608,41 +783,70 @@ func (s *Server) makeTerminatingGatewayListener( return l, nil } -func (s *Server) sniFilterChainTerminatingGateway( - cInfo connectionInfo, +func (s *Server) makeFilterChainTerminatingGateway( + _ connectionInfo, cfgSnap *proxycfg.ConfigSnapshot, listener, cluster string, service structs.ServiceName, + intentions structs.Intentions, + protocol string, ) (*envoylistener.FilterChain, error) { - - authFilter, err := makeExtAuthFilter(cInfo.Token) - if err != nil { - return nil, err - } - sniCluster, err := makeSNIClusterFilter() - if err != nil { - return nil, err - } - - // The cluster name here doesn't matter as the sni_cluster filter will fill it in for us. - statPrefix := fmt.Sprintf("terminating_gateway_%s_%s_", service.NamespaceOrDefault(), service.Name) - tcpProxy, err := makeTCPProxyFilter(listener, "", statPrefix) - if err != nil { - return nil, err - } - - return &envoylistener.FilterChain{ + filterChain := &envoylistener.FilterChain{ FilterChainMatch: makeSNIFilterChainMatch(cluster), - Filters: []*envoylistener.Filter{ - authFilter, - sniCluster, - tcpProxy, - }, + Filters: make([]*envoylistener.Filter, 0, 3), TlsContext: &envoyauth.DownstreamTlsContext{ CommonTlsContext: makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.TerminatingGateway.ServiceLeaves[service]), RequireClientCertificate: &wrappers.BoolValue{Value: true}, }, - }, err + } + + // This controls if we do L4 or L7 intention checks. + useHTTPFilter := structs.IsProtocolHTTPLike(protocol) + + // If this is L4, the first filter we setup is to do intention checks. + if !useHTTPFilter { + authFilter, err := makeRBACNetworkFilter( + intentions, + cfgSnap.IntentionDefaultAllow, + ) + if err != nil { + return nil, err + } + filterChain.Filters = append(filterChain.Filters, authFilter) + } + + // Lastly we setup the actual proxying component. For L4 this is a straight + // tcp proxy. 
For L7 this is a very hands-off HTTP proxy just to inject an + // HTTP filter to do intention checks here instead. + statPrefix := fmt.Sprintf("terminating_gateway_%s_%s_", service.NamespaceOrDefault(), service.Name) + opts := listenerFilterOpts{ + useRDS: false, + protocol: protocol, + filterName: listener, + cluster: cluster, + statPrefix: statPrefix, + routePath: "", + ingress: false, + } + + if useHTTPFilter { + var err error + opts.httpAuthzFilter, err = makeRBACHTTPFilter( + intentions, + cfgSnap.IntentionDefaultAllow, + ) + if err != nil { + return nil, err + } + } + + filter, err := makeListenerFilter(opts) + if err != nil { + return nil, err + } + filterChain.Filters = append(filterChain.Filters, filter) + + return filterChain, nil } func (s *Server) makeMeshGatewayListener(name, addr string, port int, cfgSnap *proxycfg.ConfigSnapshot) (*envoy.Listener, error) { @@ -791,8 +995,17 @@ func (s *Server) makeUpstreamListenerForDiscoveryChain( clusterName = CustomizeClusterName(target.Name, chain) } - filter, err := makeListenerFilter( - useRDS, cfg.Protocol, upstreamID, clusterName, "upstream_", "", false) + opts := listenerFilterOpts{ + useRDS: useRDS, + protocol: cfg.Protocol, + filterName: upstreamID, + cluster: clusterName, + statPrefix: "upstream_", + routePath: "", + ingress: false, + httpAuthzFilter: nil, + } + filter, err := makeListenerFilter(opts) if err != nil { return nil, err } 
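Review bot: `makeFilterChainTerminatingGateway` keeps a blank `_ connectionInfo` parameter that nothing reads now that the ext_authz filter and its token are gone, and the function has no doc comment describing the L4/L7 split. Dropping the parameter, together with the `cInfo` argument at both call sites in `makeTerminatingGatewayListener`, would make it obvious that the ACL token no longer reaches this path. A doc comment would help, for example `// makeFilterChainTerminatingGateway builds the SNI-matched filter chain for one linked service; intentions are enforced by a network RBAC filter for L4 protocols and by an HTTP RBAC filter inside the connection manager for HTTP-like ones.` The `Filters` slice is also pre-sized with capacity 3 although at most two filters are appended.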
@@ -855,26 +1068,34 @@ func getAndModifyUpstreamConfigForListener(logger hclog.Logger, u *structs.Upstr return cfg } -func makeListenerFilter( - useRDS bool, - protocol, filterName, cluster, statPrefix, routePath string, ingress bool) (*envoylistener.Filter, error) { +type listenerFilterOpts struct { + useRDS bool + protocol string + filterName string + cluster string + statPrefix string + routePath string + ingress bool + httpAuthzFilter *envoyhttp.HttpFilter +} - switch protocol { +func makeListenerFilter(opts listenerFilterOpts) (*envoylistener.Filter, error) { + switch opts.protocol { case "grpc": - return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, true, true) + return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, true, true, opts.httpAuthzFilter) case "http2": - return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, false, true) + return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, false, true, opts.httpAuthzFilter) case "http": - return makeHTTPFilter(useRDS, filterName, cluster, statPrefix, routePath, ingress, false, false) + return makeHTTPFilter(opts.useRDS, opts.filterName, opts.cluster, opts.statPrefix, opts.routePath, opts.ingress, false, false, opts.httpAuthzFilter) case "tcp": fallthrough default: - if useRDS { + if opts.useRDS { return nil, fmt.Errorf("RDS is not compatible with the tcp proxy filter") - } else if cluster == "" { + } else if opts.cluster == "" { return nil, fmt.Errorf("cluster name is required for a tcp proxy filter") } - return makeTCPProxyFilter(filterName, cluster, statPrefix) + return makeTCPProxyFilter(opts.filterName, opts.cluster, opts.statPrefix) } } 
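Review bot: The `tcp`/`default` branch of `makeListenerFilter` ignores `opts.httpAuthzFilter`, so a caller that passes an HTTP authz filter with a protocol this switch does not list gets a plain tcp proxy with no intention check and no error. `makeFilterChainTerminatingGateway` chooses between the L4 and L7 RBAC filter with `structs.IsProtocolHTTPLike(protocol)`, which is not visible here; if that helper ever accepts a value other than `http`, `http2` or `grpc`, the L4 filter is skipped and the HTTP one is dropped in this branch. Failing closed is cheap: `if opts.httpAuthzFilter != nil { return nil, fmt.Errorf("an http authz filter cannot be used with the tcp proxy filter") }` at the top of the default case. A short comment on `listenerFilterOpts.httpAuthzFilter` saying it is only honoured for HTTP-like protocols would also help.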
@@ -898,7 +1119,7 @@ func makeTCPProxyFilter(filterName, cluster, statPrefix string) (*envoylistener. StatPrefix: makeStatPrefix("tcp", statPrefix, filterName), ClusterSpecifier: &envoytcp.TcpProxy_Cluster{Cluster: cluster}, } - return makeFilter("envoy.tcp_proxy", cfg) + return makeFilter("envoy.tcp_proxy", cfg, false) } func makeStatPrefix(protocol, prefix, filterName string) string { @@ -912,6 +1133,7 @@ func makeHTTPFilter( useRDS bool, filterName, cluster, statPrefix, routePath string, ingress, grpc, http2 bool, + authzFilter *envoyhttp.HttpFilter, ) (*envoylistener.Filter, error) { op := envoyhttp.HttpConnectionManager_Tracing_INGRESS if !ingress { 
@@ -1001,43 +1223,51 @@ func makeHTTPFilter( cfg.Http2ProtocolOptions = &envoycore.Http2ProtocolOptions{} } + // Like injectConnectFilters for L4, here we ensure that the first filter + // (other than the "envoy.grpc_http1_bridge" filter) in the http filter + // chain of a public listener is the authz filter to prevent unauthorized + // access and that every filter chain uses our TLS certs. + if authzFilter != nil { + cfg.HttpFilters = append([]*envoyhttp.HttpFilter{authzFilter}, cfg.HttpFilters...) + } + if grpc { - // Add grpc bridge before router + // Add grpc bridge before router and authz cfg.HttpFilters = append([]*envoyhttp.HttpFilter{{ Name: "envoy.grpc_http1_bridge", ConfigType: &envoyhttp.HttpFilter_Config{Config: &pbstruct.Struct{}}, }}, cfg.HttpFilters...) } - return makeFilter("envoy.http_connection_manager", cfg) + return makeFilter("envoy.http_connection_manager", cfg, false) } -func makeExtAuthFilter(token string) (*envoylistener.Filter, error) { - cfg := &extauthz.ExtAuthz{ - StatPrefix: "connect_authz", - GrpcService: &envoycore.GrpcService{ - // Attach token header so we can authorize the callbacks. Technically - // authorize is not really protected data but we locked down the HTTP - // implementation to need service:write and since we have the token that - // has that it's pretty reasonable to set it up here. 
- InitialMetadata: []*envoycore.HeaderValue{ - { - Key: "x-consul-token", - Value: token, - }, - }, - TargetSpecifier: &envoycore.GrpcService_EnvoyGrpc_{ - EnvoyGrpc: &envoycore.GrpcService_EnvoyGrpc{ - ClusterName: LocalAgentClusterName, - }, - }, - }, - FailureModeAllow: false, +func makeFilter(name string, cfg proto.Message, typed bool) (*envoylistener.Filter, error) { + filter := &envoylistener.Filter{ + Name: name, } - return makeFilter("envoy.ext_authz", cfg) + if typed { + any, err := pbtypes.MarshalAny(cfg) + if err != nil { + return nil, err + } + + filter.ConfigType = &envoylistener.Filter_TypedConfig{TypedConfig: any} + } else { + // Ridiculous dance to make that struct into pbstruct.Struct by... encoding it + // as JSON and decoding again!! + cfgStruct, err := conversion.MessageToStruct(cfg) + if err != nil { + return nil, err + } + + filter.ConfigType = &envoylistener.Filter_Config{Config: cfgStruct} + } + + return filter, nil } -func makeFilter(name string, cfg proto.Message) (*envoylistener.Filter, error) { +func makeEnvoyHTTPFilter(name string, cfg proto.Message) (*envoyhttp.HttpFilter, error) { // Ridiculous dance to make that struct into pbstruct.Struct by... encoding it // as JSON and decoding again!! cfgStruct, err := conversion.MessageToStruct(cfg) @@ -1045,9 +1275,9 @@ func makeFilter(name string, cfg proto.Message) (*envoylistener.Filter, error) { return nil, err } - return &envoylistener.Filter{ + return &envoyhttp.HttpFilter{ Name: name, - ConfigType: &envoylistener.Filter_Config{Config: cfgStruct}, + ConfigType: &envoyhttp.HttpFilter_Config{Config: cfgStruct}, }, nil } diff --git a/agent/xds/listeners_test.go b/agent/xds/listeners_test.go index 77fed27ebd..b972eaf5d7 100644 --- a/agent/xds/listeners_test.go +++ b/agent/xds/listeners_test.go 
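Review bot: The comment added above the `authzFilter` prepend in `makeHTTPFilter` says the block ensures "that every filter chain uses our TLS certs" and speaks of a public listener, but the code there only prepends one HTTP filter, and this commit also reaches the function for terminating-gateway chains. I would reword it to `// Put the authz filter ahead of every other HTTP filter so requests are checked against intentions before routing; only the gRPC bridge added below may precede it.` In `makeFilter`, the local named `any` would read better as `typedCfg`. The new `typed` flag is `false` at every call visible in this diff, so a one-line comment on when `true` is expected would be useful. `makeHTTPFilter` begins outside the hunk.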
@@ -2,13 +2,13 @@ package xds import ( "bytes" - "fmt" "path/filepath" "sort" "testing" "text/template" envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2" + "github.com/envoyproxy/go-control-plane/pkg/wellknown" "github.com/hashicorp/consul/agent/proxycfg" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/xds/proxysupport" 
@@ -80,6 +80,66 @@ func TestListenersFromSnapshot(t *testing.T) { }) }, }, + { + name: "custom-public-listener-http", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Config["protocol"] = "http" + snap.Proxy.Config["envoy_public_listener_json"] = + customHTTPListenerJSON(t, customHTTPListenerJSONOptions{ + Name: "custom-public-listen", + }) + }, + }, + { + name: "custom-public-listener-http-typed", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Config["protocol"] = "http" + snap.Proxy.Config["envoy_public_listener_json"] = + customHTTPListenerJSON(t, customHTTPListenerJSONOptions{ + Name: "custom-public-listen", + TypedConfig: true, + }) + }, + }, + { + name: "custom-public-listener-http-2", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Config["protocol"] = "http" + snap.Proxy.Config["envoy_public_listener_json"] = + customHTTPListenerJSON(t, customHTTPListenerJSONOptions{ + Name: "custom-public-listen", + HTTPConnectionManagerName: httpConnectionManagerNewName, + }) + }, + }, + { + name: "custom-public-listener-http-2-typed", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Config["protocol"] = "http" + snap.Proxy.Config["envoy_public_listener_json"] = + customHTTPListenerJSON(t, customHTTPListenerJSONOptions{ + Name: "custom-public-listen", + HTTPConnectionManagerName: httpConnectionManagerNewName, + TypedConfig: true, + }) + }, + }, + { + name: "custom-public-listener-http-missing", + create: proxycfg.TestConfigSnapshot, + setup: func(snap *proxycfg.ConfigSnapshot) { + snap.Proxy.Config["protocol"] = "http" + snap.Proxy.Config["envoy_public_listener_json"] = + customListenerJSON(t, customListenerJSONOptions{ + Name: "custom-public-listen", + IncludeType: false, + }) + }, + }, { name: "custom-public-listener-typed", create: proxycfg.TestConfigSnapshot, 
@@ -500,11 +560,7 @@ func TestListenersFromSnapshot(t *testing.T) { } } -func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot, token string) map[string]string { - tokenVal := "" - if token != "" { - tokenVal = fmt.Sprintf(",\n"+`"value": "%s"`, token) - } +func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot) map[string]string { return map[string]string{ "public_listener": `{ "@type": "type.googleapis.com/envoy.api.v2.Listener", @@ -520,18 +576,9 @@ func expectListenerJSONResources(t *testing.T, snap *proxycfg.ConfigSnapshot, to "tlsContext": ` + expectedPublicTLSContextJSON(t, snap) + `, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token" - ` + tokenVal + ` - } - ] + "rules": { }, "stat_prefix": "connect_authz" } @@ -622,15 +669,14 @@ func expectListenerJSONFromResources(snap *proxycfg.ConfigSnapshot, v, n uint64, }` } -func expectListenerJSON(t *testing.T, snap *proxycfg.ConfigSnapshot, token string, v, n uint64) string { - return expectListenerJSONFromResources(snap, v, n, expectListenerJSONResources(t, snap, token)) +func expectListenerJSON(t *testing.T, snap *proxycfg.ConfigSnapshot, v, n uint64) string { + return expectListenerJSONFromResources(snap, v, n, expectListenerJSONResources(t, snap)) } type customListenerJSONOptions struct { - Name string - IncludeType bool - OverrideAuthz bool - TLSContext string + Name string + IncludeType bool + TLSContext string } const customListenerJSONTpl = `{ 
@@ -650,25 +696,6 @@ const customListenerJSONTpl = `{ "tlsContext": {{ .TLSContext }}, {{- end }} "filters": [ - {{ if .OverrideAuthz -}} - { - "name": "envoy.ext_authz", - "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] - }, - "stat_prefix": "connect_authz" - } - }, - {{- end }} { "name": "envoy.tcp_proxy", "config": { 
@@ -681,12 +708,82 @@ const customListenerJSONTpl = `{ ] }` -var customListenerJSONTemplate = template.Must(template.New("").Parse(customListenerJSONTpl)) +type customHTTPListenerJSONOptions struct { + Name string + HTTPConnectionManagerName string + TypedConfig bool +} + +const customHTTPListenerJSONTpl = `{ + "name": "{{ .Name }}", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "{{ .HTTPConnectionManagerName }}", + {{ if .TypedConfig -}} + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + {{ else -}} + "config": { + {{- end }} + "http_filters": [ + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] +}` + +var ( + customListenerJSONTemplate = template.Must(template.New("").Parse(customListenerJSONTpl)) + customHTTPListenerJSONTemplate = template.Must(template.New("").Parse(customHTTPListenerJSONTpl)) +) func customListenerJSON(t *testing.T, opts customListenerJSONOptions) string { t.Helper() var buf bytes.Buffer - err := customListenerJSONTemplate.Execute(&buf, opts) - require.NoError(t, err) + require.NoError(t, customListenerJSONTemplate.Execute(&buf, opts)) + return buf.String() +} + +func customHTTPListenerJSON(t *testing.T, opts customHTTPListenerJSONOptions) string { + t.Helper() + if opts.HTTPConnectionManagerName == "" { + opts.HTTPConnectionManagerName = wellknown.HTTPConnectionManager + } + var buf bytes.Buffer + require.NoError(t, customHTTPListenerJSONTemplate.Execute(&buf, opts)) return buf.String() } diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go new file mode 100644 index 0000000000..da9f03b953 --- /dev/null 
+++ b/agent/xds/rbac.go 
@@ -0,0 +1,374 @@ +package xds + +import ( + "fmt" + "sort" + + envoylistener "github.com/envoyproxy/go-control-plane/envoy/api/v2/listener" + envoyhttprbac "github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2" + envoyhttp "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2" + envoynetrbac "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2" + envoyrbac "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2" + envoymatcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" + "github.com/hashicorp/consul/agent/structs" +) + +func makeRBACNetworkFilter(intentions structs.Intentions, intentionDefaultAllow bool) (*envoylistener.Filter, error) { + rules, err := makeRBACRules(intentions, intentionDefaultAllow) + if err != nil { + return nil, err + } + + cfg := &envoynetrbac.RBAC{ + StatPrefix: "connect_authz", + Rules: rules, + } + return makeFilter("envoy.filters.network.rbac", cfg, false) +} + +func makeRBACHTTPFilter(intentions structs.Intentions, intentionDefaultAllow bool) (*envoyhttp.HttpFilter, error) { + rules, err := makeRBACRules(intentions, intentionDefaultAllow) + if err != nil { + return nil, err + } + + cfg := &envoyhttprbac.RBAC{ + Rules: rules, + } + return makeEnvoyHTTPFilter("envoy.filters.http.rbac", cfg) +} + +type rbacIntention struct { + Source structs.ServiceName + NotSources []structs.ServiceName + Allow bool + Precedence int + Skip bool +} + +func (r *rbacIntention) Simplify() { + r.NotSources = simplifyNotSourceSlice(r.NotSources) +} + +func simplifyNotSourceSlice(notSources []structs.ServiceName) []structs.ServiceName { + if len(notSources) <= 1 { + return notSources + } + + // Collapse NotSources elements together if any element is a subset of + // another. + + // Sort, keeping the least wildcarded elements first. 
+ sort.SliceStable(notSources, func(i, j int) bool { + return countWild(notSources[i]) < countWild(notSources[j]) + }) + + keep := make([]structs.ServiceName, 0, len(notSources)) + for i := 0; i < len(notSources); i++ { + si := notSources[i] + remove := false + for j := i + 1; j < len(notSources); j++ { + sj := notSources[j] + + if ixnSourceMatches(si, sj) { + remove = true + break + } + } + if !remove { + keep = append(keep, si) + } + } + + return keep +} + +// makeRBACRules translates Consul intentions into RBAC Policies for Envoy. +// +// Consul lets you define up to 9 different kinds of intentions that apply at +// different levels of precedence (this is limited to 4 if not using Consul +// Enterprise). Each intention in this flat list (sorted by precedence) can either +// be an allow rule or a deny rule. Here’s a concrete example of this at work: +// +// intern/trusted-app => billing/payment-svc : ALLOW (prec=9) +// intern/* => billing/payment-svc : DENY (prec=8) +// */* => billing/payment-svc : ALLOW (prec=7) +// ::: ACL default policy ::: : DENY (prec=N/A) +// +// In contrast, Envoy lets you either configure a filter to be based on an +// allow-list or a deny-list based on the action attribute of the RBAC rules +// struct. +// +// On the surface it would seem that the configuration model of Consul +// intentions is incompatible with that of Envoy’s RBAC engine. For any given +// destination service Consul’s model requires evaluating a list of rules and +// short circuiting later rules once an earlier rule matches. After a rule is +// found to match then we decide if it is allow/deny. Envoy on the other hand +// requires the rules to express all conditions to allow access or all conditions +// to deny access. +// +// Despite the surface incompatibility it is possible to marry these two +// models. For clarity I’ll rewrite the earlier example intentions in an +// abbreviated form: +// +// A : ALLOW +// B : DENY +// C : ALLOW +// : DENY +// +// 1. 
Given that the overall intention default is set to deny, we start by +// choosing to build an allow-list in Envoy (this is also the variant that I find +// easier to think about). +// 2. Next we traverse the list in precedence order (top down) and any DENY +// intentions are combined with later intentions using logical operations. +// 3. Now that all of the intentions result in the same action (allow) we have +// successfully removed precedence and we can express this in as a set of Envoy +// RBAC policies. +// +// After this the earlier A/B/C/default list becomes: +// +// A : ALLOW +// C AND NOT(B) : ALLOW +// : DENY +// +// Which really is just an allow-list of [A, C AND NOT(B)] +func makeRBACRules(intentions structs.Intentions, intentionDefaultAllow bool) (*envoyrbac.RBAC, error) { + // Note that we DON'T explicitly validate the trust-domain matches ours. + // + // For now we don't validate the trust domain of the _destination_ at all. + // The RBAC policies below ignore the trust domain and it's implicit that + // the request is for the correct cluster. We might want to reconsider this + // later but plumbing in additional machinery to check the clusterID here + // is not really necessary for now unless the Envoys are badly configured. + // Our threat model _requires_ correctly configured and well behaved + // proxies given that they have ACLs to fetch certs and so can do whatever + // they want including not authorizing traffic at all or routing it do a + // different service than they auth'd against. + + // TODO(banks,rb): Implement revocation list checking? + + // Omit any lower-precedence intentions that share the same source. + intentions = removeSameSourceIntentions(intentions) + + // First build up just the basic principal matches. 
+ rbacIxns := make([]*rbacIntention, 0, len(intentions)) + for _, ixn := range intentions { + rbacIxns = append(rbacIxns, &rbacIntention{ + Source: ixn.SourceServiceName(), + Allow: (ixn.Action == structs.IntentionActionAllow), + Precedence: ixn.Precedence, + }) + } + + // Normalize: if we are in default-deny then all intentions must be allows and vice versa + + var rbacAction envoyrbac.RBAC_Action + if intentionDefaultAllow { + // The RBAC policies deny access to principals. The rest is allowed. + // This is block-list style access control. + rbacAction = envoyrbac.RBAC_DENY + } else { + // The RBAC policies grant access to principals. The rest is denied. + // This is safe-list style access control. This is the default type. + rbacAction = envoyrbac.RBAC_ALLOW + } + + // First walk backwards and if we encounter an intention with an action + // that is the same as the default intention action, add it to all + // subsequent statements (via AND NOT $x) and mark the rule itself for + // erasure. + // + // i.e. for a default-deny setup we look for denies. + if len(rbacIxns) > 0 { + for i := len(rbacIxns) - 1; i >= 0; i-- { + if rbacIxns[i].Allow == intentionDefaultAllow { + for j := i + 1; j < len(rbacIxns); j++ { + if rbacIxns[j].Skip { + continue + } + // [i] is the intention candidate that we are distributing + // [j] is the thing to maybe NOT [i] from + if ixnSourceMatches(rbacIxns[i].Source, rbacIxns[j].Source) { + rbacIxns[j].NotSources = append(rbacIxns[j].NotSources, rbacIxns[i].Source) + } + } + // since this is default-FOO, any trailing FOO intentions will just evaporate + rbacIxns[i].Skip = true // mark for deletion + } + } + } + // At this point precedence doesn't matter since all roads lead to the same action. 
+ + var principals []*envoyrbac.Principal + for _, rbacIxn := range rbacIxns { + if rbacIxn.Skip { + continue + } + + // NOTE: at this point "rbacIxn.Allow != intentionDefaultAllow" + + rbacIxn.Simplify() + + if len(rbacIxn.NotSources) > 0 { + andIDs := make([]*envoyrbac.Principal, 0, len(rbacIxn.NotSources)+1) + andIDs = append(andIDs, idPrincipal(rbacIxn.Source)) + for _, src := range rbacIxn.NotSources { + andIDs = append(andIDs, notPrincipal( + idPrincipal(src), + )) + } + principals = append(principals, andPrincipals(andIDs)) + } else { + principals = append(principals, idPrincipal(rbacIxn.Source)) + } + } + + rbac := &envoyrbac.RBAC{ + Action: rbacAction, + } + if len(principals) > 0 { + policy := &envoyrbac.Policy{ + Principals: principals, + Permissions: []*envoyrbac.Permission{anyPermission()}, + } + rbac.Policies = map[string]*envoyrbac.Policy{ + "consul-intentions": policy, + } + } + + return rbac, nil +} + +func removeSameSourceIntentions(intentions structs.Intentions) structs.Intentions { + if len(intentions) < 2 { + return intentions + } + + var ( + out = make(structs.Intentions, 0, len(intentions)) + changed = false + seenSource = make(map[structs.ServiceName]struct{}) + ) + for _, ixn := range intentions { + sn := ixn.SourceServiceName() + if _, ok := seenSource[sn]; ok { + // A higher precedence intention already used this exact source + // definition with a different destination. + changed = true + continue + } + seenSource[sn] = struct{}{} + out = append(out, ixn) + } + + if !changed { + return intentions + } + return out +} + +type sourceMatch int + +const ( + sourceMatchIgnore sourceMatch = 0 + sourceMatchSuperset sourceMatch = 1 + matchSameSubset sourceMatch = 2 +) + +// ixnSourceMatches deterines if the 'tester' service name is matched by the +// 'against' service name via wildcard rules. 
+// +// For instance: +// - (web, api) => false, because these have no wildcards +// - (web, *) => true, because "all services" includes "web" +// - (default/web, default/*) => true, because "all services in the default NS" includes "default/web" +// - (default/*, */*) => true, "any service in any NS" includes "all services in the default NS" +func ixnSourceMatches(tester, against structs.ServiceName) bool { + // We assume that we can't have the same intention twice before arriving + // here. + numWildTester := countWild(tester) + numWildAgainst := countWild(against) + + if numWildTester == numWildAgainst { + return false + } else if numWildTester > numWildAgainst { + return false + } + + matchesNS := tester.NamespaceOrDefault() == against.NamespaceOrDefault() || against.NamespaceOrDefault() == structs.WildcardSpecifier + matchesName := tester.Name == against.Name || against.Name == structs.WildcardSpecifier + return matchesNS && matchesName +} + +// countWild counts the number of wildcard values in the given namespace and name. +func countWild(src structs.ServiceName) int { + // If NS is wildcard, it must be 2 since wildcards only follow exact + if src.NamespaceOrDefault() == structs.WildcardSpecifier { + return 2 + } + + // Same reasoning as above, a wildcard can only follow an exact value + // and an exact value cannot follow a wildcard, so if name is a wildcard + // we must have exactly one. 
+ if src.Name == structs.WildcardSpecifier { + return 1 + } + + return 0 +} + +func andPrincipals(ids []*envoyrbac.Principal) *envoyrbac.Principal { + return &envoyrbac.Principal{ + Identifier: &envoyrbac.Principal_AndIds{ + AndIds: &envoyrbac.Principal_Set{ + Ids: ids, + }, + }, + } +} + +func notPrincipal(id *envoyrbac.Principal) *envoyrbac.Principal { + return &envoyrbac.Principal{ + Identifier: &envoyrbac.Principal_NotId{ + NotId: id, + }, + } +} + +func idPrincipal(src structs.ServiceName) *envoyrbac.Principal { + pattern := makeSpiffePattern(src.NamespaceOrDefault(), src.Name) + + return &envoyrbac.Principal{ + Identifier: &envoyrbac.Principal_Authenticated_{ + Authenticated: &envoyrbac.Principal_Authenticated{ + PrincipalName: &envoymatcher.StringMatcher{ + MatchPattern: &envoymatcher.StringMatcher_SafeRegex{ + SafeRegex: makeEnvoyRegexMatch(pattern), + }, + }, + }, + }, + } +} +func makeSpiffePattern(sourceNS, sourceName string) string { + const ( + anyPath = `[^/]+` + spiffeTemplate = `^spiffe://%s/ns/%s/dc/%s/svc/%s$` + ) + switch { + case sourceNS != structs.WildcardSpecifier && sourceName != structs.WildcardSpecifier: + return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, sourceName) + case sourceNS != structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier: + return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, anyPath) + case sourceNS == structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier: + return fmt.Sprintf(spiffeTemplate, anyPath, anyPath, anyPath, anyPath) + default: + panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact service %q", sourceNS, sourceName)) + } +} + +func anyPermission() *envoyrbac.Permission { + return &envoyrbac.Permission{ + Rule: &envoyrbac.Permission_Any{Any: true}, + } +} diff --git a/agent/xds/rbac_test.go b/agent/xds/rbac_test.go new file mode 100644 index 0000000000..0e5d11e5a4 --- /dev/null +++ b/agent/xds/rbac_test.go 
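Review bot: `makeSpiffePattern` formats `sourceNS` and `sourceName` straight into the regular expression that `idPrincipal` hands to Envoy as a `SafeRegex`, without escaping them. If a service or namespace name can contain a regex metacharacter such as `.` (name validation is not visible in this diff), the principal matches more SPIFFE IDs than the intention names, so an allow rule can admit an identity it was not written for. Escaping the exact-match values closes that: `fmt.Sprintf(spiffeTemplate, anyPath, regexp.QuoteMeta(sourceNS), anyPath, regexp.QuoteMeta(sourceName))` in the first case and `regexp.QuoteMeta(sourceNS)` in the namespace-only case, with `regexp` added to the imports. The `default` branch panics on a wildcard namespace with an exact name; surfacing that as an error through `makeRBACRules`, which already returns one, would keep a malformed intention from taking the agent down. The `sourceMatch` type and its three constants are not referenced anywhere in this file.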
@@ -0,0 +1,259 @@
+package xds
+
+import (
+ "fmt"
+ "path/filepath"
+ "sort"
+ "testing"
+
+ "github.com/hashicorp/consul/agent/structs"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestMakeRBACNetworkFilter(t *testing.T) {
+ testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention {
+ t.Helper()
+ ixn := structs.TestIntention(t)
+ ixn.SourceName = src
+ ixn.DestinationName = dst
+ ixn.Action = action
+ ixn.UpdatePrecedence()
+ return ixn
+ }
+ testSourceIntention := func(src string, action structs.IntentionAction) *structs.Intention {
+ return testIntention(t, src, "api", action)
+ }
+ sorted := func(ixns ...*structs.Intention) structs.Intentions {
+ sort.SliceStable(ixns, func(i, j int) bool {
+ return ixns[j].Precedence < ixns[i].Precedence
+ })
+ return structs.Intentions(ixns)
+ }
+
+ tests := map[string]struct {
+ intentionDefaultAllow bool
+ intentions structs.Intentions
+ }{
+ "default-deny-mixed-precedence": {
+ intentionDefaultAllow: false,
+ intentions: sorted(
+ testIntention(t, "web", "api", structs.IntentionActionAllow),
+ testIntention(t, "*", "api", structs.IntentionActionDeny),
+ testIntention(t, "web", "*", structs.IntentionActionDeny),
+ ),
+ },
+ "default-deny-service-wildcard-allow": {
+ intentionDefaultAllow: false,
+ intentions: sorted(
+ testSourceIntention("*", structs.IntentionActionAllow),
+ ),
+ },
+ "default-allow-service-wildcard-deny": {
+ intentionDefaultAllow: true,
+ intentions: sorted(
+ testSourceIntention("*", structs.IntentionActionDeny),
+ ),
+ },
+ "default-deny-one-allow": {
+ intentionDefaultAllow: false,
+ intentions: sorted(
+ testSourceIntention("web", structs.IntentionActionAllow),
+ ),
+ },
+ "default-allow-one-deny": {
+ intentionDefaultAllow: true,
+ intentions: sorted(
+ testSourceIntention("web", structs.IntentionActionDeny),
+ ),
+ },
+ "default-deny-allow-deny": {
+ intentionDefaultAllow: false,
+ intentions: sorted(
+ testSourceIntention("web", structs.IntentionActionDeny),
+ testSourceIntention("*", structs.IntentionActionAllow),
+ ),
+ },
+ "default-deny-kitchen-sink": {
+ intentionDefaultAllow: false,
+ intentions: sorted(
+ // (double exact)
+ testSourceIntention("web", structs.IntentionActionAllow),
+ testSourceIntention("unsafe", structs.IntentionActionDeny),
+ testSourceIntention("cron", structs.IntentionActionAllow),
+ // and we invert the default-ness of the whole thing
+ testSourceIntention("*", structs.IntentionActionAllow),
+ ),
+ },
+ "default-allow-kitchen-sink": {
+ intentionDefaultAllow: true,
+ intentions: sorted(
+ // (double exact)
+ testSourceIntention("web", structs.IntentionActionDeny),
+ testSourceIntention("unsafe", structs.IntentionActionAllow),
+ testSourceIntention("cron", structs.IntentionActionDeny),
+ // and we invert the default-ness of the whole thing
+ testSourceIntention("*", structs.IntentionActionDeny),
+ ),
+ },
+ }
+
+ for name, tt := range tests {
+ tt := tt
+ t.Run(name, func(t *testing.T) {
+ filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow)
+ require.NoError(t, err)
+
+ gotJSON := protoToJSON(t, filter)
+
+ require.JSONEq(t, golden(t, filepath.Join("rbac", name), "", gotJSON), gotJSON)
+ })
+ }
+}
+
+func TestRemoveSameSourceIntentions(t *testing.T) {
+ testIntention := func(t *testing.T, src, dst string) *structs.Intention {
+ t.Helper()
+ ixn := structs.TestIntention(t)
+ ixn.SourceName = src
+ ixn.DestinationName = dst
+ ixn.UpdatePrecedence()
+ return ixn
+ }
+ sorted := func(ixns ...*structs.Intention) structs.Intentions {
+ sort.SliceStable(ixns, func(i, j int) bool {
+ return ixns[j].Precedence < ixns[i].Precedence
+ })
+ return structs.Intentions(ixns)
+ }
+ tests := map[string]struct {
+ in structs.Intentions
+ expect structs.Intentions
+ }{
+ "empty": {},
+ "one": {
+ in: sorted(
+ testIntention(t, "*", "*"),
+ ),
+ expect: sorted(
+ testIntention(t, "*", "*"),
+ ),
+ },
+ "two with no match": {
+ in: sorted(
+ testIntention(t, "*", "foo"),
+ testIntention(t, "bar", "*"),
+ ),
+ expect: sorted(
+ testIntention(t, "*", "foo"),
+ testIntention(t, "bar", "*"),
+ ),
+ },
+ "two with match, exact": {
+ in: sorted(
+ testIntention(t, "bar", "foo"),
+ testIntention(t, "bar", "*"),
+ ),
+ expect: sorted(
+ testIntention(t, "bar", "foo"),
+ ),
+ },
+ "two with match, wildcard": {
+ in: sorted(
+ testIntention(t, "*", "foo"),
+ testIntention(t, "*", "*"),
+ ),
+ expect: sorted(
+ testIntention(t, "*", "foo"),
+ ),
+ },
+ }
+
+ for name, tc := range tests {
+ tc := tc
+ t.Run(name, func(t *testing.T) {
+ got := removeSameSourceIntentions(tc.in)
+ require.Equal(t, tc.expect, got)
+ })
+ }
+}
+
+func TestSimplifyNotSourceSlice(t *testing.T) {
+ tests := map[string]struct {
+ in []string
+ expect []string
+ }{
+ "empty": {},
+ "one": {
+ []string{"bar"},
+ []string{"bar"},
+ },
+ "two with no match": {
+ []string{"foo", "bar"},
+ []string{"foo", "bar"},
+ },
+ "two with match": {
+ []string{"*", "bar"},
+ []string{"*"},
+ },
+ "three with two matches down to one": {
+ []string{"*", "foo", "bar"},
+ []string{"*"},
+ },
+ }
+
+ for name, tc := range tests {
+ tc := tc
+ t.Run(name, func(t *testing.T) {
+ got := simplifyNotSourceSlice(makeServiceNameSlice(tc.in))
+ require.Equal(t, makeServiceNameSlice(tc.expect), got)
+ })
+ }
+}
+
+func TestIxnSourceMatches(t *testing.T) {
+ tests := []struct {
+ tester, against string
+ matches bool
+ }{
+ // identical precedence
+ {"web", "api", false},
+ {"*", "*", false},
+ // backwards precedence
+ {"*", "web", false},
+ // name wildcards
+ {"web", "*", true},
+ }
+
+ for _, tc := range tests {
+ t.Run(fmt.Sprintf("%s cmp %s", tc.tester, tc.against), func(t *testing.T) {
+ matches := ixnSourceMatches(
+ structs.ServiceNameFromString(tc.tester),
+ structs.ServiceNameFromString(tc.against),
+ )
+ assert.Equal(t, tc.matches, matches)
+ })
+ }
+}
+
+func makeServiceNameSlice(slice []string) []structs.ServiceName {
+ if len(slice) == 0 {
+
return nil + } + var out []structs.ServiceName + for _, src := range slice { + out = append(out, structs.ServiceNameFromString(src)) + } + return out +} + +func unmakeServiceNameSlice(slice []structs.ServiceName) []string { + if len(slice) == 0 { + return nil + } + var out []string + for _, src := range slice { + out = append(out, src.String()) + } + return out +} diff --git a/agent/xds/response.go b/agent/xds/response.go index c9a482e20a..6b8173688e 100644 --- a/agent/xds/response.go +++ b/agent/xds/response.go @@ -3,6 +3,7 @@ package xds import ( envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2" envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + envoymatcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" "github.com/golang/protobuf/proto" "github.com/golang/protobuf/ptypes/any" "github.com/golang/protobuf/ptypes/wrappers" @@ -56,3 +57,12 @@ func makeUint32Value(n int) *wrappers.UInt32Value { func makeBoolValue(n bool) *wrappers.BoolValue { return &wrappers.BoolValue{Value: n} } + +func makeEnvoyRegexMatch(patt string) *envoymatcher.RegexMatcher { + return &envoymatcher.RegexMatcher{ + EngineType: &envoymatcher.RegexMatcher_GoogleRe2{ + GoogleRe2: &envoymatcher.RegexMatcher_GoogleRE2{}, + }, + Regex: patt, + } +} diff --git a/agent/xds/routes.go b/agent/xds/routes.go index 9d8dbc2b00..a7660d1684 100644 --- a/agent/xds/routes.go +++ b/agent/xds/routes.go @@ -458,12 +458,3 @@ func makeRouteActionForSplitter(splits []*structs.DiscoverySplit, chain *structs }, }, nil } - -func makeEnvoyRegexMatch(patt string) *envoymatcher.RegexMatcher { - return &envoymatcher.RegexMatcher{ - EngineType: &envoymatcher.RegexMatcher_GoogleRe2{ - GoogleRe2: &envoymatcher.RegexMatcher_GoogleRE2{}, - }, - Regex: patt, - } -} diff --git a/agent/xds/server.go b/agent/xds/server.go index 5dc5f967e9..09f3c1d3fd 100644 --- a/agent/xds/server.go +++ b/agent/xds/server.go 
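Review bot: None of the new tests in rbac_test.go exercises `makeSpiffePattern` or `idPrincipal` with a source name that contains regex metacharacters; the cases in `TestMakeRBACNetworkFilter` use only `web`, `unsafe`, `cron` and `*`. `makeSpiffePattern` in rbac.go formats `sourceNS` and `sourceName` into the pattern with `%s` and the result reaches `makeEnvoyRegexMatch` unchanged, so if a service or namespace name can contain a character such as `.`, the generated principal matcher would match more SPIFFE IDs than the intention names. I would add a table case with such a name (constructed example: `testSourceIntention("web.v1", structs.IntentionActionAllow)`) and quote the literals in the pattern, e.g. `fmt.Sprintf(spiffeTemplate, anyPath, regexp.QuoteMeta(sourceNS), anyPath, regexp.QuoteMeta(sourceName))`. `TestIxnSourceMatches` also has no namespaced inputs although the doc comment on `ixnSourceMatches` lists `default/web` against `default/*`; whether `ServiceNameFromString` parses a namespace is not visible here. `unmakeServiceNameSlice` is defined at the end of the file but not called anywhere in this hunk, so it may be dead code unless another test file in the package uses it.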
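Review bot: `makeEnvoyRegexMatch` is added to response.go without a doc comment, and on this page it is called from `idPrincipal` to build an authorization matcher, presumably in addition to its existing use for routes. The function stores `patt` verbatim as the RE2 `Regex`, so the contract that callers own anchoring and escaping should be written down where the helper lives: `// makeEnvoyRegexMatch wraps patt unmodified in an Envoy RE2 matcher; callers must anchor it and regexp.QuoteMeta any literal text they interpolate.`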
@@ -9,19 +9,14 @@ import ( envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2" envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - envoyauthz "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" - envoyauthzalpha "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha" envoydisco "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2" "github.com/golang/protobuf/proto" "github.com/hashicorp/consul/acl" - "github.com/hashicorp/consul/agent/cache" - "github.com/hashicorp/consul/agent/connect" "github.com/hashicorp/consul/agent/proxycfg" "github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/logging" "github.com/hashicorp/consul/tlsutil" "github.com/hashicorp/go-hclog" - rpcstatus "google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials" @@ -92,13 +87,6 @@ const ( // coupling this to the agent. type ACLResolverFunc func(id string) (acl.Authorizer, error) -// ConnectAuthz is the interface the agent needs to expose to be able to re-use -// the authorization logic between both APIs. -type ConnectAuthz interface { - // ConnectAuthorize is implemented by Agent.ConnectAuthorize - ConnectAuthorize(token string, req *structs.ConnectAuthorizeRequest) (authz bool, reason string, m *cache.ResultMeta, err error) -} - // ServiceChecks is the interface the agent needs to expose // for the xDS server to fetch a service's HTTP check definitions type HTTPCheckFetcher interface { 
@@ -119,16 +107,14 @@ type ConfigManager interface { Watch(proxyID structs.ServiceID) (<-chan *proxycfg.ConfigSnapshot, proxycfg.CancelFunc) } -// Server represents a gRPC server that can handle both XDS and ext_authz -// requests from Envoy. All of it's public members must be set before the gRPC -// server is started. +// Server represents a gRPC server that can handle xDS requests from Envoy. All +// of it's public members must be set before the gRPC server is started. // // A full description of the XDS protocol can be found at // https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol type Server struct { Logger hclog.Logger CfgMgr ConfigManager - Authz ConnectAuthz ResolveToken ACLResolverFunc // AuthCheckFrequency is how often we should re-check the credentials used // during a long-lived gRPC Stream after it has been initially established. 
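Review bot: The rewritten doc comment on `Server` carries over the typo `it's`; since the line is being re-wrapped anyway it should read `// of its public members must be set before the gRPC server is started.` With `Authz` removed from the struct, the comment no longer says where Connect authorization happens. Judging from the commit title and the golden-file changes it is now delivered to Envoy as an `envoy.filters.network.rbac` filter in the listener config, and one sentence to that effect here would help the next reader who looks for the old `Check` path.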
@@ -490,90 +476,7 @@ func (s *Server) DeltaAggregatedResources(_ envoydisco.AggregatedDiscoveryServic return errors.New("not implemented") } -func deniedResponse(reason string) (*envoyauthz.CheckResponse, error) { - return &envoyauthz.CheckResponse{ - Status: &rpcstatus.Status{ - Code: int32(codes.PermissionDenied), - Message: "Denied: " + reason, - }, - }, nil -} - -// Check implements envoyauthz.AuthorizationServer. -func (s *Server) Check(ctx context.Context, r *envoyauthz.CheckRequest) (*envoyauthz.CheckResponse, error) { - // Sanity checks - if r.Attributes == nil || r.Attributes.Source == nil || r.Attributes.Destination == nil { - return nil, status.Error(codes.InvalidArgument, "source and destination attributes are required") - } - if r.Attributes.Source.Principal == "" || r.Attributes.Destination.Principal == "" { - return nil, status.Error(codes.InvalidArgument, "source and destination Principal are required") - } - - // Parse destination to know the target service - dest, err := connect.ParseCertURIFromString(r.Attributes.Destination.Principal) - if err != nil { - s.Logger.Debug("Connect AuthZ DENIED: bad destination URI", "source", r.Attributes.Source.Principal, "destination", - r.Attributes.Destination.Principal) - // Treat this as an auth error since Envoy has sent something it considers - // valid, it's just not an identity we trust. - return deniedResponse("Destination Principal is not a valid Connect identity") - } - - destID, ok := dest.(*connect.SpiffeIDService) - if !ok { - s.Logger.Debug("Connect AuthZ DENIED: bad destination service ID", "source", r.Attributes.Source.Principal, "destination", - r.Attributes.Destination.Principal) - return deniedResponse("Destination Principal is not a valid Service identity") - } - - // For now we don't validate the trust domain of the _destination_ at all - - // the HTTP Authorize endpoint just accepts a target _service_ and it's - // implicit that the request is for the correct cluster. 
We might want to - // reconsider this later but plumbing in additional machinery to check the - // clusterID here is not really necessary for now unless Envoys are badly - // configured. Our threat model _requires_ correctly configured and well - // behaved proxies given that they have ACLs to fetch certs and so can do - // whatever they want including not authorizing traffic at all or routing it - // do a different service than they auth'd against. - - // Create an authz request - req := &structs.ConnectAuthorizeRequest{ - Target: destID.Service, - EnterpriseMeta: *destID.GetEnterpriseMeta(), - ClientCertURI: r.Attributes.Source.Principal, - // TODO(banks): need Envoy to support sending cert serial/hash to enforce - // revocation later. - } - token := tokenFromContext(ctx) - authed, reason, _, err := s.Authz.ConnectAuthorize(token, req) - if err != nil { - if err == acl.ErrPermissionDenied { - s.Logger.Debug("Connect AuthZ failed ACL check", "error", err, "source", r.Attributes.Source.Principal, - "dest", r.Attributes.Destination.Principal) - return nil, status.Error(codes.PermissionDenied, err.Error()) - } - s.Logger.Debug("Connect AuthZ failed", "error", err, "source", r.Attributes.Source.Principal, - "destination", r.Attributes.Destination.Principal) - return nil, status.Error(codes.Internal, err.Error()) - } - if !authed { - s.Logger.Debug("Connect AuthZ DENIED", "source", r.Attributes.Source.Principal, - "destination", r.Attributes.Destination.Principal, "reason", reason) - return deniedResponse(reason) - } - - s.Logger.Debug("Connect AuthZ ALLOWED", "source", r.Attributes.Source.Principal, - "destination", r.Attributes.Destination.Principal, "reason", reason) - return &envoyauthz.CheckResponse{ - Status: &rpcstatus.Status{ - Code: int32(codes.OK), - Message: "ALLOWED: " + reason, - }, - }, nil -} - -// GRPCServer returns a server instance that can handle XDS and ext_authz -// requests. +// GRPCServer returns a server instance that can handle xDS requests. 
func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server, error) { opts := []grpc.ServerOption{ grpc.MaxConcurrentStreams(2048), @@ -587,15 +490,5 @@ func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server srv := grpc.NewServer(opts...) envoydisco.RegisterAggregatedDiscoveryServiceServer(srv, s) - // Envoy 1.10 changed the package for ext_authz from v2alpha to v2. We still - // need to be compatible with 1.9.1 and earlier which only uses v2alpha. While - // there is a deprecated compatibility shim option in 1.10, we want to support - // first class. Fortunately they are wire-compatible so we can just register a - // single service implementation (using the new v2 package definitions) but - // using the old v2alpha regiatration function which just exports it on the - // old path as well. - envoyauthz.RegisterAuthorizationServer(srv, s) - envoyauthzalpha.RegisterAuthorizationServer(srv, s) - return srv, nil } diff --git a/agent/xds/server_test.go b/agent/xds/server_test.go index 08736ed44d..5310df8fbf 100644 --- a/agent/xds/server_test.go +++ b/agent/xds/server_test.go @@ -1,8 +1,6 @@ package xds import ( - "context" - "errors" "strings" "sync" "sync/atomic" @@ -12,7 +10,6 @@ import ( envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2" "github.com/stretchr/testify/require" "google.golang.org/grpc/codes" - "google.golang.org/grpc/metadata" "google.golang.org/grpc/status" "github.com/hashicorp/consul/acl" 
@@ -91,22 +88,6 @@ func (m *testManager) AssertWatchCancelled(t *testing.T, proxyID structs.Service } } -// ConnectAuthorize implements ConnectAuthz -func (m *testManager) ConnectAuthorize(token string, req *structs.ConnectAuthorizeRequest) (authz bool, reason string, meta *cache.ResultMeta, err error) { - m.Lock() - defer m.Unlock() - if res, ok := m.authz[token]; ok { - if res.validate != nil { - if err := res.validate(req); err != nil { - return false, "", nil, err - } - } - return res.authz, res.reason, res.m, res.err - } - // Default allow but with reason that won't match by accident in a test case - return true, "OK: allowed by default test implementation", nil, nil -} - func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) { logger := testutil.Logger(t) mgr := newTestManager(t) @@ -120,7 +101,6 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) { s := Server{ Logger: logger, CfgMgr: mgr, - Authz: mgr, ResolveToken: aclResolve, } s.Initialize() @@ -170,7 +150,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) { envoy.SendReq(t, EndpointType, 1, 2) // And should get a response immediately. - assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 1, 3)) + assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 1, 3)) // Now send Route request along with next listener one envoy.SendReq(t, RouteType, 0, 0) 
@@ -197,7 +177,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) { // which is reasonable anyway to ensure consistency of the config Envoy sees. assertResponseSent(t, envoy.stream.sendCh, expectClustersJSON(snap, 2, 4)) assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(2, 5)) - assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 2, 6)) + assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 2, 6)) // Let's pretend that Envoy doesn't like that new listener config. It will ACK // all the others (same version) but NACK the listener. This is the most @@ -234,7 +214,7 @@ func TestServer_StreamAggregatedResources_BasicProtocol(t *testing.T) { assertResponseSent(t, envoy.stream.sendCh, expectClustersJSON(snap, 3, 7)) assertResponseSent(t, envoy.stream.sendCh, expectEndpointsJSON(3, 8)) - assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, "", 3, 9)) + assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 3, 9)) } func expectEndpointsJSON(v, n uint64) string { @@ -474,7 +454,6 @@ func TestServer_StreamAggregatedResources_ACLEnforcement(t *testing.T) { s := Server{ Logger: logger, CfgMgr: mgr, - Authz: mgr, ResolveToken: aclResolve, } s.Initialize() @@ -501,7 +480,7 @@ func TestServer_StreamAggregatedResources_ACLEnforcement(t *testing.T) { envoy.SendReq(t, ListenerType, 0, 0) if !tt.wantDenied { - assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, tt.token, 1, 1)) + assertResponseSent(t, envoy.stream.sendCh, expectListenerJSON(t, snap, 1, 1)) // Close the client stream since all is well. We _don't_ do this in the // expected error case because we want to verify the error closes the // stream from server side. 
@@ -549,7 +528,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedDuring s := Server{ Logger: logger, CfgMgr: mgr, - Authz: mgr, ResolveToken: aclResolve, AuthCheckFrequency: 1 * time.Hour, // make sure this doesn't kick in } @@ -641,7 +619,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedInBack s := Server{ Logger: logger, CfgMgr: mgr, - Authz: mgr, ResolveToken: aclResolve, AuthCheckFrequency: 100 * time.Millisecond, // Make this short. } 
@@ -716,144 +693,6 @@ func TestServer_StreamAggregatedResources_ACLTokenDeleted_StreamTerminatedInBack } } -// This tests the ext_authz service method that implements connect authz. -func TestServer_Check(t *testing.T) { - - tests := []struct { - name string - source string - dest string - sourcePrincipal string - destPrincipal string - authzResult connectAuthzResult - wantErr bool - wantErrCode codes.Code - wantDenied bool - wantReason string - }{ - { - name: "auth allowed", - source: "web", - dest: "db", - authzResult: connectAuthzResult{true, "default allow", nil, nil, nil}, - wantDenied: false, - wantReason: "default allow", - }, - { - name: "auth denied", - source: "web", - dest: "db", - authzResult: connectAuthzResult{false, "default deny", nil, nil, nil}, - wantDenied: true, - wantReason: "default deny", - }, - { - name: "no source", - sourcePrincipal: "", - dest: "db", - // Should never make it to authz call. - wantErr: true, - wantErrCode: codes.InvalidArgument, - }, - { - name: "no dest", - source: "web", - dest: "", - // Should never make it to authz call. - wantErr: true, - wantErrCode: codes.InvalidArgument, - }, - { - name: "dest invalid format", - source: "web", - destPrincipal: "not-a-spiffe-id", - // Should never make it to authz call. - wantDenied: true, - wantReason: "Destination Principal is not a valid Connect identity", - }, - { - name: "dest not a service URI", - source: "web", - destPrincipal: "spiffe://trust-domain.consul", - // Should never make it to authz call. 
- wantDenied: true, - wantReason: "Destination Principal is not a valid Service identity", - }, - { - name: "ACL not got permission for authz call", - source: "web", - dest: "db", - authzResult: connectAuthzResult{false, "", nil, acl.ErrPermissionDenied, nil}, - wantErr: true, - wantErrCode: codes.PermissionDenied, - }, - { - name: "Random error running authz", - source: "web", - dest: "db", - authzResult: connectAuthzResult{false, "", nil, errors.New("gremlin attack"), nil}, - wantErr: true, - wantErrCode: codes.Internal, - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - token := "my-real-acl-token" - logger := testutil.Logger(t) - mgr := newTestManager(t) - - // Setup expected auth result against that token no lock as no other - // goroutine is touching this yet. - mgr.authz[token] = tt.authzResult - - aclResolve := func(id string) (acl.Authorizer, error) { - return nil, nil - } - envoy := NewTestEnvoy(t, "web-sidecar-proxy", token) - defer envoy.Close() - - s := Server{ - Logger: logger, - CfgMgr: mgr, - Authz: mgr, - ResolveToken: aclResolve, - } - s.Initialize() - - // Create a context with the correct token - ctx := metadata.NewIncomingContext(context.Background(), - metadata.Pairs("x-consul-token", token)) - - r := TestCheckRequest(t, tt.source, tt.dest) - // If sourcePrincipal is set override, or if source is also not set - // explicitly override to empty. 
- if tt.sourcePrincipal != "" || tt.source == "" { - r.Attributes.Source.Principal = tt.sourcePrincipal - } - if tt.destPrincipal != "" || tt.dest == "" { - r.Attributes.Destination.Principal = tt.destPrincipal - } - resp, err := s.Check(ctx, r) - // Denied is not an error - if tt.wantErr { - require.Error(t, err) - grpcStatus := status.Convert(err) - require.Equal(t, tt.wantErrCode, grpcStatus.Code()) - require.Nil(t, resp) - return - } - require.NoError(t, err) - if tt.wantDenied { - require.Equal(t, int32(codes.PermissionDenied), resp.Status.Code) - } else { - require.Equal(t, int32(codes.OK), resp.Status.Code) - } - require.Contains(t, resp.Status.Message, tt.wantReason) - }) - } -} - func TestServer_StreamAggregatedResources_IngressEmptyResponse(t *testing.T) { logger := testutil.Logger(t) mgr := newTestManager(t) @@ -867,7 +706,6 @@ func TestServer_StreamAggregatedResources_IngressEmptyResponse(t *testing.T) { s := Server{ Logger: logger, CfgMgr: mgr, - Authz: mgr, ResolveToken: aclResolve, } s.Initialize() diff --git a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-12-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-12-x.golden index a911cd1890..e835edf4d1 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-12-x.golden @@ -106,18 +106,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-13-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-13-x.golden index a911cd1890..e835edf4d1 100644 
--- a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-13-x.golden @@ -106,18 +106,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-14-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-14-x.golden index a911cd1890..e835edf4d1 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-14-x.golden @@ -106,18 +106,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-15-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-15-x.golden index a911cd1890..e835edf4d1 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-and-overrides.envoy-1-15-x.golden 
@@ -106,18 +106,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-12-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-12-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-13-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-13-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-13-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } 
diff --git a/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-14-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-14-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-14-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-15-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-15-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-chain-external-sni.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-12-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-12-x.golden index a911cd1890..e835edf4d1 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-12-x.golden 
@@ -106,18 +106,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-13-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-13-x.golden index a911cd1890..e835edf4d1 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-13-x.golden @@ -106,18 +106,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-14-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-14-x.golden index a911cd1890..e835edf4d1 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-14-x.golden @@ -106,18 +106,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-15-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-15-x.golden index a911cd1890..e835edf4d1 100644 
--- a/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-grpc-chain.envoy-1-15-x.golden @@ -106,18 +106,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-12-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-12-x.golden index ddbdd99142..a2ecc48cd9 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-12-x.golden @@ -99,18 +99,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-13-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-13-x.golden index ddbdd99142..a2ecc48cd9 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-13-x.golden @@ -99,18 +99,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } 
diff --git a/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-14-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-14-x.golden index ddbdd99142..a2ecc48cd9 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-14-x.golden @@ -99,18 +99,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-15-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-15-x.golden index ddbdd99142..a2ecc48cd9 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-http-chain.envoy-1-15-x.golden @@ -99,18 +99,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-12-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-12-x.golden index 6994537d4f..11d1ddf64f 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-12-x.golden 
@@ -101,18 +101,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-13-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-13-x.golden index 6994537d4f..11d1ddf64f 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-13-x.golden @@ -101,18 +101,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-14-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-14-x.golden index 6994537d4f..11d1ddf64f 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-14-x.golden @@ -101,18 +101,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-15-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-15-x.golden index 6994537d4f..11d1ddf64f 100644 
--- a/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-http2-chain.envoy-1-15-x.golden @@ -101,18 +101,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-12-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-12-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-13-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-13-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-13-x.golden 
@@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-14-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-14-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-14-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-15-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-15-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } 
diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-12-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-12-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-13-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-13-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-13-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-14-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-14-x.golden index 8908c8c0ef..d43380ee1a 100644 
--- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-14-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-15-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-15-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-12-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-12-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-12-x.golden 
@@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-13-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-13-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-13-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-14-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-14-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-14-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-15-x.golden b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-15-x.golden index 8908c8c0ef..d43380ee1a 100644 
--- a/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/connect-proxy-with-tcp-chain.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-12-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-12-x.golden new file mode 100644 index 0000000000..21137f9ebb --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-12-x.golden 
@@ -0,0 +1,131 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "routeConfig": { + "name": "public_listener", + "virtualHosts": [ + { + "name": "public_listener", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } + }, + { + "name": "envoy.router" + } + ] + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": 
"type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-13-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-13-x.golden new file mode 100644 index 0000000000..21137f9ebb --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-13-x.golden 
@@ -0,0 +1,131 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "routeConfig": { + "name": "public_listener", + "virtualHosts": [ + { + "name": "public_listener", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } + }, + { + "name": "envoy.router" + } + ] + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": 
"type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-14-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-14-x.golden new file mode 100644 index 0000000000..21137f9ebb --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-14-x.golden 
@@ -0,0 +1,131 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "routeConfig": { + "name": "public_listener", + "virtualHosts": [ + { + "name": "public_listener", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } + }, + { + "name": "envoy.router" + } + ] + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": 
"type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-15-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-15-x.golden new file mode 100644 index 0000000000..21137f9ebb --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-2-typed.envoy-1-15-x.golden 
@@ -0,0 +1,131 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "routeConfig": { + "name": "public_listener", + "virtualHosts": [ + { + "name": "public_listener", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } + }, + { + "name": "envoy.router" + } + ] + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": 
"type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-12-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-12-x.golden new file mode 100644 index 0000000000..301330c589 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-12-x.golden 
@@ -0,0 +1,130 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "config": { + "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + 
"socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-13-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-13-x.golden new file mode 100644 index 0000000000..301330c589 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-13-x.golden 
@@ -0,0 +1,130 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "config": { + "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + 
"socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-14-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-14-x.golden new file mode 100644 index 0000000000..301330c589 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-14-x.golden 
@@ -0,0 +1,130 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "config": { + "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + 
"socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-15-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-15-x.golden new file mode 100644 index 0000000000..301330c589 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-2.envoy-1-15-x.golden 
@@ -0,0 +1,130 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.http_connection_manager", + "config": { + "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + 
"socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-12-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-12-x.golden new file mode 100644 index 0000000000..23cf9572e0 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-12-x.golden 
@@ -0,0 +1,107 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + }, + "stat_prefix": "connect_authz" + } + }, + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "random-cluster", + "stat_prefix": "foo-stats" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", 
+ "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-13-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-13-x.golden new file mode 100644 index 0000000000..23cf9572e0 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-13-x.golden 
@@ -0,0 +1,107 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + }, + "stat_prefix": "connect_authz" + } + }, + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "random-cluster", + "stat_prefix": "foo-stats" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", 
+ "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-14-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-14-x.golden new file mode 100644 index 0000000000..23cf9572e0 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-14-x.golden 
@@ -0,0 +1,107 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + }, + "stat_prefix": "connect_authz" + } + }, + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "random-cluster", + "stat_prefix": "foo-stats" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", 
+ "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-15-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-15-x.golden new file mode 100644 index 0000000000..23cf9572e0 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-missing.envoy-1-15-x.golden 
@@ -0,0 +1,107 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + }, + "stat_prefix": "connect_authz" + } + }, + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "random-cluster", + "stat_prefix": "foo-stats" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", 
+ "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-12-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-12-x.golden new file mode 100644 index 0000000000..0743cf8c84 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-12-x.golden 
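Review bot: The empty `"rules": { }` object in the injected `envoy.filters.network.rbac` filter of this fixture is easy to misread as "no restrictions", and nothing near it says otherwise. In Envoy's RBAC model the default action is ALLOW and proto3 JSON omits default enum values, so a present-but-empty rule set means ALLOW with zero policies, which rejects every connection. An allow-all default would presumably render as `"action": "DENY"` with no policies instead. Golden JSON cannot carry a comment, so I would document this on the test case that produces the file, for example `// empty rules = ALLOW action with no policies = deny all`. The same applies to the `envoy.filters.http.rbac` entries in the custom-public-listener-http-typed and custom-public-listener-http fixtures that follow.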
@@ -0,0 +1,131 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "routeConfig": { + "name": "public_listener", + "virtualHosts": [ + { + "name": "public_listener", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } + }, + { + "name": "envoy.router" + } + ] + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": 
"type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-13-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-13-x.golden new file mode 100644 index 0000000000..0743cf8c84 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-13-x.golden 
@@ -0,0 +1,131 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "routeConfig": { + "name": "public_listener", + "virtualHosts": [ + { + "name": "public_listener", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } + }, + { + "name": "envoy.router" + } + ] + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": 
"type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-14-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-14-x.golden new file mode 100644 index 0000000000..0743cf8c84 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-14-x.golden 
@@ -0,0 +1,131 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "routeConfig": { + "name": "public_listener", + "virtualHosts": [ + { + "name": "public_listener", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } + }, + { + "name": "envoy.router" + } + ] + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": 
"type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-15-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-15-x.golden new file mode 100644 index 0000000000..0743cf8c84 --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http-typed.envoy-1-15-x.golden 
@@ -0,0 +1,131 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.http_connection_manager", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager", + "routeConfig": { + "name": "public_listener", + "virtualHosts": [ + { + "name": "public_listener", + "domains": [ + "*" + ], + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + }, + "httpFilters": [ + { + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } + }, + { + "name": "envoy.router" + } + ] + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": 
"type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + "address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-12-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-12-x.golden new file mode 100644 index 0000000000..e94c7711fc --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-12-x.golden 
@@ -0,0 +1,130 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.http_connection_manager", + "config": { + "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + 
"address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-13-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-13-x.golden new file mode 100644 index 0000000000..e94c7711fc --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-13-x.golden 
@@ -0,0 +1,130 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.http_connection_manager", + "config": { + "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + 
"address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-14-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-14-x.golden new file mode 100644 index 0000000000..e94c7711fc --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-14-x.golden 
@@ -0,0 +1,130 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.http_connection_manager", + "config": { + "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + 
"address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-15-x.golden b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-15-x.golden new file mode 100644 index 0000000000..e94c7711fc --- /dev/null +++ b/agent/xds/testdata/listeners/custom-public-listener-http.envoy-1-15-x.golden 
@@ -0,0 +1,130 @@ +{ + "versionInfo": "00000001", + "resources": [ + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "custom-public-listen", + "address": { + "socketAddress": { + "address": "11.11.11.11", + "portValue": 11111 + } + }, + "filterChains": [ + { + "tlsContext": { + "commonTlsContext": { + "tlsParams": { + + }, + "tlsCertificates": [ + { + "certificateChain": { + "inlineString": "-----BEGIN CERTIFICATE-----\nMIICjDCCAjKgAwIBAgIIC5llxGV1gB8wCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowDjEMMAoG\nA1UEAxMDd2ViMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEADPv1RHVNRfa2VKR\nAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Favq5E0ivpNtv1QnFhxtPd7d5k4e+T7\nSkW1TaOCAXIwggFuMA4GA1UdDwEB/wQEAwIDuDAdBgNVHSUEFjAUBggrBgEFBQcD\nAgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADBoBgNVHQ4EYQRfN2Q6MDc6ODc6M2E6\nNDA6MTk6NDc6YzM6NWE6YzA6YmE6NjI6ZGY6YWY6NGI6ZDQ6MDU6MjU6NzY6M2Q6\nNWE6OGQ6MTY6OGQ6Njc6NWU6MmU6YTA6MzQ6N2Q6ZGM6ZmYwagYDVR0jBGMwYYBf\nZDE6MTE6MTE6YWM6MmE6YmE6OTc6YjI6M2Y6YWM6N2I6YmQ6ZGE6YmU6YjE6OGE6\nZmM6OWE6YmE6YjU6YmM6ODM6ZTc6NWU6NDE6NmY6ZjI6NzM6OTU6NTg6MGM6ZGIw\nWQYDVR0RBFIwUIZOc3BpZmZlOi8vMTExMTExMTEtMjIyMi0zMzMzLTQ0NDQtNTU1\nNTU1NTU1NTU1LmNvbnN1bC9ucy9kZWZhdWx0L2RjL2RjMS9zdmMvd2ViMAoGCCqG\nSM49BAMCA0gAMEUCIGC3TTvvjj76KMrguVyFf4tjOqaSCRie3nmHMRNNRav7AiEA\npY0heYeK9A6iOLrzqxSerkXXQyj5e9bE4VgUnxgPU6g=\n-----END CERTIFICATE-----\n" + }, + "privateKey": { + "inlineString": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMoTkpRggp3fqZzFKh82yS4LjtJI+XY+qX/7DefHFrtdoAoGCCqGSM49\nAwEHoUQDQgAEADPv1RHVNRfa2VKRAB16b6rZnEt7tuhaxCFpQXPj7M2omb0B9Fav\nq5E0ivpNtv1QnFhxtPd7d5k4e+T7SkW1TQ==\n-----END EC PRIVATE KEY-----\n" + } + } + ], + "validationContext": { + "trustedCa": { + "inlineString": "-----BEGIN 
CERTIFICATE-----\nMIICXDCCAgKgAwIBAgIICpZq70Z9LyUwCgYIKoZIzj0EAwIwFDESMBAGA1UEAxMJ\nVGVzdCBDQSAyMB4XDTE5MDMyMjEzNTgyNloXDTI5MDMyMjEzNTgyNlowFDESMBAG\nA1UEAxMJVGVzdCBDQSAyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIhywH1gx\nAsMwuF3ukAI5YL2jFxH6Usnma1HFSfVyxbXX1/uoZEYrj8yCAtdU2yoHETyd+Zx2\nThhRLP79pYegCaOCATwwggE4MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MGgGA1UdDgRhBF9kMToxMToxMTphYzoyYTpiYTo5NzpiMjozZjphYzo3Yjpi\nZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1ZTo0MTo2ZjpmMjo3\nMzo5NTo1ODowYzpkYjBqBgNVHSMEYzBhgF9kMToxMToxMTphYzoyYTpiYTo5Nzpi\nMjozZjphYzo3YjpiZDpkYTpiZTpiMTo4YTpmYzo5YTpiYTpiNTpiYzo4MzplNzo1\nZTo0MTo2ZjpmMjo3Mzo5NTo1ODowYzpkYjA/BgNVHREEODA2hjRzcGlmZmU6Ly8x\nMTExMTExMS0yMjIyLTMzMzMtNDQ0NC01NTU1NTU1NTU1NTUuY29uc3VsMAoGCCqG\nSM49BAMCA0gAMEUCICOY0i246rQHJt8o8Oya0D5PLL1FnmsQmQqIGCi31RwnAiEA\noR5f6Ku+cig2Il8T8LJujOp2/2A72QcHZA57B13y+8o=\n-----END CERTIFICATE-----\n" + } + } + }, + "requireClientCertificate": true + }, + "filters": [ + { + "name": "envoy.http_connection_manager", + "config": { + "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, + { + "name": "envoy.router" + } + ], + "route_config": { + "name": "public_listener", + "virtual_hosts": [ + { + "domains": [ + "*" + ], + "name": "public_listener", + "routes": [ + { + "match": { + "prefix": "/" + }, + "route": { + "cluster": "random-cluster" + } + } + ] + } + ] + } + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "db:127.0.0.1:9191", + "address": { + "socketAddress": { + "address": "127.0.0.1", + "portValue": 9191 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_db_tcp" + } + } + ] + } + ] + }, + { + "@type": "type.googleapis.com/envoy.api.v2.Listener", + "name": "prepared_query:geo-cache:127.10.10.10:8181", + "address": { + "socketAddress": { + 
"address": "127.10.10.10", + "portValue": 8181 + } + }, + "filterChains": [ + { + "filters": [ + { + "name": "envoy.tcp_proxy", + "config": { + "cluster": "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul", + "stat_prefix": "upstream_prepared_query_geo-cache_tcp" + } + } + ] + } + ] + } + ], + "typeUrl": "type.googleapis.com/envoy.api.v2.Listener", + "nonce": "00000001" +} \ No newline at end of file diff --git a/agent/xds/testdata/listeners/custom-public-listener.envoy-1-12-x.golden b/agent/xds/testdata/listeners/custom-public-listener.envoy-1-12-x.golden index 4013593d99..23cf9572e0 100644 --- a/agent/xds/testdata/listeners/custom-public-listener.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/custom-public-listener.envoy-1-12-x.golden @@ -37,18 +37,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-public-listener.envoy-1-13-x.golden b/agent/xds/testdata/listeners/custom-public-listener.envoy-1-13-x.golden index 4013593d99..23cf9572e0 100644 --- a/agent/xds/testdata/listeners/custom-public-listener.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/custom-public-listener.envoy-1-13-x.golden @@ -37,18 +37,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-public-listener.envoy-1-14-x.golden b/agent/xds/testdata/listeners/custom-public-listener.envoy-1-14-x.golden index 4013593d99..23cf9572e0 100644 
--- a/agent/xds/testdata/listeners/custom-public-listener.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/custom-public-listener.envoy-1-14-x.golden @@ -37,18 +37,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-public-listener.envoy-1-15-x.golden b/agent/xds/testdata/listeners/custom-public-listener.envoy-1-15-x.golden index 4013593d99..23cf9572e0 100644 --- a/agent/xds/testdata/listeners/custom-public-listener.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/custom-public-listener.envoy-1-15-x.golden @@ -37,18 +37,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-12-x.golden b/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-12-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } 
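Review bot: The added `"rules": { }` under `envoy.filters.network.rbac` is the only thing separating deny-all from no enforcement, and nothing in the fixture or visible in this hunk records that the empty-but-present form is deliberate. Envoy's RBAC filter rejects everything when `rules` is present with no policies and enforces nothing when `rules` is absent, so a later change that emits the filter without a rules message would fail open and differ from this golden by a single line. I would document that where the filter is built (outside this hunk; presumably agent/xds/rbac.go), for example `// rules must stay non-nil: an RBAC filter without rules enforces nothing`. Unless agent/xds/rbac_test.go already pins one, a listener fixture with at least one allow intention would also help, since every golden hunk on this page carries the same empty rule set, including the `envoy.filters.http.rbac` entries in the http-public-listener and custom-public-listener-http files.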
diff --git a/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-13-x.golden b/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-13-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-13-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-14-x.golden b/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-14-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-14-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-15-x.golden b/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-15-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/custom-upstream-typed-ignored-with-disco-chain.envoy-1-15-x.golden 
@@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-upstream.envoy-1-12-x.golden b/agent/xds/testdata/listeners/custom-upstream.envoy-1-12-x.golden index ad3951fce4..2a10b9b05d 100644 --- a/agent/xds/testdata/listeners/custom-upstream.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/custom-upstream.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-upstream.envoy-1-13-x.golden b/agent/xds/testdata/listeners/custom-upstream.envoy-1-13-x.golden index ad3951fce4..2a10b9b05d 100644 --- a/agent/xds/testdata/listeners/custom-upstream.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/custom-upstream.envoy-1-13-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-upstream.envoy-1-14-x.golden b/agent/xds/testdata/listeners/custom-upstream.envoy-1-14-x.golden index ad3951fce4..2a10b9b05d 100644 --- a/agent/xds/testdata/listeners/custom-upstream.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/custom-upstream.envoy-1-14-x.golden 
@@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/custom-upstream.envoy-1-15-x.golden b/agent/xds/testdata/listeners/custom-upstream.envoy-1-15-x.golden index ad3951fce4..2a10b9b05d 100644 --- a/agent/xds/testdata/listeners/custom-upstream.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/custom-upstream.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/defaults.envoy-1-12-x.golden b/agent/xds/testdata/listeners/defaults.envoy-1-12-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/defaults.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/defaults.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/defaults.envoy-1-13-x.golden b/agent/xds/testdata/listeners/defaults.envoy-1-13-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/defaults.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/defaults.envoy-1-13-x.golden 
@@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/defaults.envoy-1-14-x.golden b/agent/xds/testdata/listeners/defaults.envoy-1-14-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/defaults.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/defaults.envoy-1-14-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/defaults.envoy-1-15-x.golden b/agent/xds/testdata/listeners/defaults.envoy-1-15-x.golden index 8908c8c0ef..d43380ee1a 100644 --- a/agent/xds/testdata/listeners/defaults.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/defaults.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-12-x.golden b/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-12-x.golden index 60a30df1f3..485f366fe1 100644 --- a/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-12-x.golden 
@@ -121,18 +121,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-13-x.golden b/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-13-x.golden index 60a30df1f3..485f366fe1 100644 --- a/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-13-x.golden @@ -121,18 +121,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-14-x.golden b/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-14-x.golden index 60a30df1f3..485f366fe1 100644 --- a/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-14-x.golden @@ -121,18 +121,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-15-x.golden b/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-15-x.golden index 60a30df1f3..485f366fe1 100644 
--- a/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/expose-paths-local-app-paths.envoy-1-15-x.golden @@ -121,18 +121,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-12-x.golden b/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-12-x.golden index 1d9afe4356..d16f93c993 100644 --- a/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-12-x.golden @@ -123,18 +123,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-13-x.golden b/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-13-x.golden index 1d9afe4356..d16f93c993 100644 --- a/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-13-x.golden @@ -123,18 +123,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } 
diff --git a/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-14-x.golden b/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-14-x.golden index 1d9afe4356..d16f93c993 100644 --- a/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-14-x.golden @@ -123,18 +123,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-15-x.golden b/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-15-x.golden index 1d9afe4356..d16f93c993 100644 --- a/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/expose-paths-new-cluster-http2.envoy-1-15-x.golden @@ -123,18 +123,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/http-public-listener.envoy-1-12-x.golden b/agent/xds/testdata/listeners/http-public-listener.envoy-1-12-x.golden index 9641c6f353..f8eb24c538 100644 --- a/agent/xds/testdata/listeners/http-public-listener.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/http-public-listener.envoy-1-12-x.golden 
@@ -82,27 +82,17 @@ "requireClientCertificate": true }, "filters": [ - { - "name": "envoy.ext_authz", - "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] - }, - "stat_prefix": "connect_authz" - } - }, { "name": "envoy.http_connection_manager", "config": { "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, { "name": "envoy.router" } diff --git a/agent/xds/testdata/listeners/http-public-listener.envoy-1-13-x.golden b/agent/xds/testdata/listeners/http-public-listener.envoy-1-13-x.golden index 9641c6f353..f8eb24c538 100644 --- a/agent/xds/testdata/listeners/http-public-listener.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/http-public-listener.envoy-1-13-x.golden @@ -82,27 +82,17 @@ "requireClientCertificate": true }, "filters": [ - { - "name": "envoy.ext_authz", - "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] - }, - "stat_prefix": "connect_authz" - } - }, { "name": "envoy.http_connection_manager", "config": { "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, { "name": "envoy.router" } diff --git a/agent/xds/testdata/listeners/http-public-listener.envoy-1-14-x.golden b/agent/xds/testdata/listeners/http-public-listener.envoy-1-14-x.golden index 9641c6f353..f8eb24c538 100644 --- a/agent/xds/testdata/listeners/http-public-listener.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/http-public-listener.envoy-1-14-x.golden 
@@ -82,27 +82,17 @@ "requireClientCertificate": true }, "filters": [ - { - "name": "envoy.ext_authz", - "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] - }, - "stat_prefix": "connect_authz" - } - }, { "name": "envoy.http_connection_manager", "config": { "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, { "name": "envoy.router" } diff --git a/agent/xds/testdata/listeners/http-public-listener.envoy-1-15-x.golden b/agent/xds/testdata/listeners/http-public-listener.envoy-1-15-x.golden index 9641c6f353..f8eb24c538 100644 --- a/agent/xds/testdata/listeners/http-public-listener.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/http-public-listener.envoy-1-15-x.golden @@ -82,27 +82,17 @@ "requireClientCertificate": true }, "filters": [ - { - "name": "envoy.ext_authz", - "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] - }, - "stat_prefix": "connect_authz" - } - }, { "name": "envoy.http_connection_manager", "config": { "http_filters": [ + { + "config": { + "rules": { + } + }, + "name": "envoy.filters.http.rbac" + }, { "name": "envoy.router" } diff --git a/agent/xds/testdata/listeners/http-upstream.envoy-1-12-x.golden b/agent/xds/testdata/listeners/http-upstream.envoy-1-12-x.golden index d645db4e74..2acb211dc5 100644 --- a/agent/xds/testdata/listeners/http-upstream.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/http-upstream.envoy-1-12-x.golden @@ -113,18 +113,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } 
diff --git a/agent/xds/testdata/listeners/http-upstream.envoy-1-13-x.golden b/agent/xds/testdata/listeners/http-upstream.envoy-1-13-x.golden index d645db4e74..2acb211dc5 100644 --- a/agent/xds/testdata/listeners/http-upstream.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/http-upstream.envoy-1-13-x.golden @@ -113,18 +113,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/http-upstream.envoy-1-14-x.golden b/agent/xds/testdata/listeners/http-upstream.envoy-1-14-x.golden index d645db4e74..2acb211dc5 100644 --- a/agent/xds/testdata/listeners/http-upstream.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/http-upstream.envoy-1-14-x.golden @@ -113,18 +113,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/http-upstream.envoy-1-15-x.golden b/agent/xds/testdata/listeners/http-upstream.envoy-1-15-x.golden index d645db4e74..2acb211dc5 100644 --- a/agent/xds/testdata/listeners/http-upstream.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/http-upstream.envoy-1-15-x.golden @@ -113,18 +113,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } 
diff --git a/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-12-x.golden b/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-12-x.golden index fe52dbd0ff..2dbd28ccd2 100644 --- a/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-13-x.golden b/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-13-x.golden index fe52dbd0ff..2dbd28ccd2 100644 --- a/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-13-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-14-x.golden b/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-14-x.golden index fe52dbd0ff..2dbd28ccd2 100644 --- a/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-14-x.golden 
@@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-15-x.golden b/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-15-x.golden index fe52dbd0ff..2dbd28ccd2 100644 --- a/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-address-port.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-address.envoy-1-12-x.golden b/agent/xds/testdata/listeners/listener-bind-address.envoy-1-12-x.golden index 1166269315..3340f9ca1c 100644 --- a/agent/xds/testdata/listeners/listener-bind-address.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-address.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-address.envoy-1-13-x.golden b/agent/xds/testdata/listeners/listener-bind-address.envoy-1-13-x.golden index 1166269315..3340f9ca1c 100644 --- a/agent/xds/testdata/listeners/listener-bind-address.envoy-1-13-x.golden 
+++ b/agent/xds/testdata/listeners/listener-bind-address.envoy-1-13-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-address.envoy-1-14-x.golden b/agent/xds/testdata/listeners/listener-bind-address.envoy-1-14-x.golden index 1166269315..3340f9ca1c 100644 --- a/agent/xds/testdata/listeners/listener-bind-address.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-address.envoy-1-14-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-address.envoy-1-15-x.golden b/agent/xds/testdata/listeners/listener-bind-address.envoy-1-15-x.golden index 1166269315..3340f9ca1c 100644 --- a/agent/xds/testdata/listeners/listener-bind-address.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-address.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-port.envoy-1-12-x.golden b/agent/xds/testdata/listeners/listener-bind-port.envoy-1-12-x.golden index f82c174425..ead52f0a5c 100644 
--- a/agent/xds/testdata/listeners/listener-bind-port.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-port.envoy-1-12-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-port.envoy-1-13-x.golden b/agent/xds/testdata/listeners/listener-bind-port.envoy-1-13-x.golden index f82c174425..ead52f0a5c 100644 --- a/agent/xds/testdata/listeners/listener-bind-port.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-port.envoy-1-13-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-port.envoy-1-14-x.golden b/agent/xds/testdata/listeners/listener-bind-port.envoy-1-14-x.golden index f82c174425..ead52f0a5c 100644 --- a/agent/xds/testdata/listeners/listener-bind-port.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-port.envoy-1-14-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/listener-bind-port.envoy-1-15-x.golden b/agent/xds/testdata/listeners/listener-bind-port.envoy-1-15-x.golden index f82c174425..ead52f0a5c 100644 
--- a/agent/xds/testdata/listeners/listener-bind-port.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/listener-bind-port.envoy-1-15-x.golden @@ -83,18 +83,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-12-x.golden b/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-12-x.golden index ddbdd99142..a2ecc48cd9 100644 --- a/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-12-x.golden @@ -99,18 +99,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-13-x.golden b/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-13-x.golden index ddbdd99142..a2ecc48cd9 100644 --- a/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-13-x.golden @@ -99,18 +99,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } 
diff --git a/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-14-x.golden b/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-14-x.golden index ddbdd99142..a2ecc48cd9 100644 --- a/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-14-x.golden @@ -99,18 +99,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-15-x.golden b/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-15-x.golden index ddbdd99142..a2ecc48cd9 100644 --- a/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/splitter-with-resolver-redirect.envoy-1-15-x.golden @@ -99,18 +99,9 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } diff --git a/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-12-x.golden b/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-12-x.golden index ddbac0b0db..0164fc6359 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-12-x.golden 
@@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_foo_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_foo_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_foo_tcp" } } 
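Review bot: Every filter chain of the terminating gateway keeps `"stat_prefix": "connect_authz"` on the new RBAC filter, while the `envoy.tcp_proxy` next to it gets a per-service prefix such as `terminating_gateway_default_api_foo_tcp`. With enforcement now done inside Envoy, the filter's allowed/denied counters are presumably the main signal for rejected connections, and a shared prefix would fold all destination services behind the gateway into one counter. Consider deriving the RBAC prefix per chain in the generator (likely `agent/xds/listeners.go`, not visible here), e.g. `"stat_prefix": "connect_authz_default_api_foo"` (a constructed name), so that denials can be attributed to a service. The same applies to the remaining terminating-gateway hunks below.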
@@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_foo_tcp" } } @@ -309,29 +261,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_wan_tcp" } } @@ -368,29 +308,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_wan_tcp" } } 
@@ -427,29 +355,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_wan_tcp" } } @@ -486,29 +402,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_wan_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-13-x.golden b/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-13-x.golden index ddbac0b0db..0164fc6359 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-13-x.golden 
@@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_foo_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_foo_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_foo_tcp" } } 
@@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_foo_tcp" } } @@ -309,29 +261,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_wan_tcp" } } @@ -368,29 +308,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_wan_tcp" } } 
@@ -427,29 +355,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_wan_tcp" } } @@ -486,29 +402,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_wan_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-14-x.golden b/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-14-x.golden index ddbac0b0db..0164fc6359 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-14-x.golden 
@@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_foo_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_foo_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_foo_tcp" } } 
@@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_foo_tcp" } } @@ -309,29 +261,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_wan_tcp" } } @@ -368,29 +308,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_wan_tcp" } } 
@@ -427,29 +355,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_wan_tcp" } } @@ -486,29 +402,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_wan_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-15-x.golden b/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-15-x.golden index ddbac0b0db..0164fc6359 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-custom-and-tagged-addresses.envoy-1-15-x.golden 
@@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_foo_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_foo_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_foo_tcp" } } 
@@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_foo_tcp" } } @@ -309,29 +261,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_wan_tcp" } } @@ -368,29 +308,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_wan_tcp" } } 
@@ -427,29 +355,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_wan_tcp" } } @@ -486,29 +402,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_wan_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-12-x.golden b/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-12-x.golden index 6b7f19cbc4..bfb7ab050a 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-12-x.golden 
@@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-13-x.golden b/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-13-x.golden index 6b7f19cbc4..bfb7ab050a 100644 
--- a/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-13-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } 
diff --git a/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-14-x.golden b/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-14-x.golden index 6b7f19cbc4..bfb7ab050a 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-14-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } 
@@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-15-x.golden b/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-15-x.golden index 6b7f19cbc4..bfb7ab050a 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-no-api-cert.envoy-1-15-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } 
@@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-12-x.golden b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-12-x.golden index 46ae83eb0a..c77782da28 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-12-x.golden 
@@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_default_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } 
@@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "v1.web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } @@ -278,29 +230,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "v2.web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } @@ -337,29 +277,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } 
diff --git a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-13-x.golden b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-13-x.golden index 46ae83eb0a..c77782da28 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-13-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_default_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } 
@@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } @@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "v1.web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } @@ -278,29 +230,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "v2.web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } 
@@ -337,29 +277,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-14-x.golden b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-14-x.golden index 46ae83eb0a..c77782da28 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-14-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_default_tcp" } } 
@@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } @@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "v1.web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } 
@@ -278,29 +230,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "v2.web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } @@ -337,29 +277,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-15-x.golden b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-15-x.golden index 46ae83eb0a..c77782da28 100644 --- a/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway-service-subsets.envoy-1-15-x.golden 
@@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_default_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } 
@@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "v1.web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } @@ -278,29 +230,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "v2.web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } @@ -337,29 +277,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway.envoy-1-12-x.golden b/agent/xds/testdata/listeners/terminating-gateway.envoy-1-12-x.golden index 3b17879c80..eba577e6ce 100644 
--- a/agent/xds/testdata/listeners/terminating-gateway.envoy-1-12-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway.envoy-1-12-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_default_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } 
@@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway.envoy-1-13-x.golden b/agent/xds/testdata/listeners/terminating-gateway.envoy-1-13-x.golden index 3b17879c80..eba577e6ce 100644 --- a/agent/xds/testdata/listeners/terminating-gateway.envoy-1-13-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway.envoy-1-13-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_default_tcp" } } 
@@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } @@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway.envoy-1-14-x.golden b/agent/xds/testdata/listeners/terminating-gateway.envoy-1-14-x.golden index 3b17879c80..eba577e6ce 100644 
--- a/agent/xds/testdata/listeners/terminating-gateway.envoy-1-14-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway.envoy-1-14-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_default_tcp" } } @@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } 
@@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/listeners/terminating-gateway.envoy-1-15-x.golden b/agent/xds/testdata/listeners/terminating-gateway.envoy-1-15-x.golden index 3b17879c80..eba577e6ce 100644 --- a/agent/xds/testdata/listeners/terminating-gateway.envoy-1-15-x.golden +++ b/agent/xds/testdata/listeners/terminating-gateway.envoy-1-15-x.golden @@ -42,29 +42,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "api.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_api_default_tcp" } } 
@@ -101,29 +89,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "cache.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_cache_default_tcp" } } @@ -160,29 +136,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "db.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_db_default_tcp" } } @@ -219,29 +183,17 @@ }, "filters": [ { - "name": "envoy.ext_authz", + "name": "envoy.filters.network.rbac", "config": { - "grpc_service": { - "envoy_grpc": { - "cluster_name": "local_agent" - }, - "initial_metadata": [ - { - "key": "x-consul-token", - "value": "my-token" - } - ] + "rules": { }, "stat_prefix": "connect_authz" } }, - { - "name": "envoy.filters.network.sni_cluster" - }, { "name": "envoy.tcp_proxy", "config": { - "cluster": "", + "cluster": "web.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul", "stat_prefix": "terminating_gateway_default_web_default_tcp" } } diff --git a/agent/xds/testdata/rbac/default-allow-kitchen-sink.golden b/agent/xds/testdata/rbac/default-allow-kitchen-sink.golden new file mode 100644 index 0000000000..7d2fd8ef6b --- /dev/null 
+++ b/agent/xds/testdata/rbac/default-allow-kitchen-sink.golden @@ -0,0 +1,72 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + }, + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + } + } + } + }, + { + "and_ids": { + "ids": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "not_id": { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-one-deny.golden b/agent/xds/testdata/rbac/default-allow-one-deny.golden new file mode 100644 index 0000000000..7c04026c9c --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-one-deny.golden @@ -0,0 +1,31 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden b/agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden new file mode 100644 index 0000000000..7780f6c205 --- /dev/null 
+++ b/agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden @@ -0,0 +1,31 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-allow-deny.golden b/agent/xds/testdata/rbac/default-deny-allow-deny.golden new file mode 100644 index 0000000000..1126b28ee1 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-allow-deny.golden @@ -0,0 +1,49 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "policies": { + "consul-intentions": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "and_ids": { + "ids": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "not_id": { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-kitchen-sink.golden b/agent/xds/testdata/rbac/default-deny-kitchen-sink.golden new file mode 100644 index 0000000000..1f5e1f1346 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-kitchen-sink.golden 
@@ -0,0 +1,71 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "policies": { + "consul-intentions": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + }, + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" + } + } + } + }, + { + "and_ids": { + "ids": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "not_id": { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-mixed-precedence.golden b/agent/xds/testdata/rbac/default-deny-mixed-precedence.golden new file mode 100644 index 0000000000..8b879b8656 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-mixed-precedence.golden @@ -0,0 +1,30 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "policies": { + "consul-intentions": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-one-allow.golden b/agent/xds/testdata/rbac/default-deny-one-allow.golden new file mode 100644 index 0000000000..8b879b8656 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-one-allow.golden 
@@ -0,0 +1,30 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "policies": { + "consul-intentions": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden b/agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden new file mode 100644 index 0000000000..e2c36db993 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden @@ -0,0 +1,30 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "policies": { + "consul-intentions": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testing.go b/agent/xds/testing.go index 1363b90846..8a635114a2 100644 --- a/agent/xds/testing.go +++ b/agent/xds/testing.go @@ -4,16 +4,20 @@ import ( "context" "fmt" "io" + "strconv" + "strings" "sync" "time" envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2" envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" envoyauth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" + envoytype "github.com/envoyproxy/go-control-plane/envoy/type" "github.com/mitchellh/go-testing-interface" "google.golang.org/grpc/metadata" "github.com/hashicorp/consul/agent/connect" + "github.com/hashicorp/consul/agent/xds/proxysupport" ) // TestADSStream mocks 
@@ -119,16 +123,53 @@ func hexString(v uint64) string {
 return fmt.Sprintf("%08x", v)
 }
+func stringToEnvoyVersion(vs string) (*envoytype.SemanticVersion, bool) {
+ parts := strings.Split(vs, ".")
+ if len(parts) != 3 {
+ return nil, false
+ }
+
+ major, err := strconv.Atoi(parts[0])
+ if err != nil {
+ return nil, false
+ }
+ minor, err := strconv.Atoi(parts[1])
+ if err != nil {
+ return nil, false
+ }
+ patch, err := strconv.Atoi(parts[2])
+ if err != nil {
+ return nil, false
+ }
+
+ return &envoytype.SemanticVersion{
+ MajorNumber: uint32(major),
+ MinorNumber: uint32(minor),
+ Patch: uint32(patch),
+ }, true
+}
+
 // SendReq sends a request from the test server.
 func (e *TestEnvoy) SendReq(t testing.T, typeURL string, version, nonce uint64) {
 e.Lock()
 defer e.Unlock()
+ev, valid := stringToEnvoyVersion(proxysupport.EnvoyVersions[0])
+ if !valid {
+ t.Fatal("envoy version is not valid: %s", proxysupport.EnvoyVersions[0])
+ }
+
 req := &envoy.DiscoveryRequest{
 VersionInfo: hexString(version),
 Node: &envoycore.Node{
- Id: e.proxyID,
- Cluster: e.proxyID,
+ Id: e.proxyID,
+ Cluster: e.proxyID,
+ UserAgentName: "envoy",
+ UserAgentVersionType: &envoycore.Node_UserAgentBuildVersion{
+ UserAgentBuildVersion: &envoycore.BuildVersion{
+ Version: ev,
+ },
+ },
 },
 ResponseNonce: hexString(nonce),
 TypeUrl: typeURL,
diff --git a/go.mod b/go.mod
index 12f46bd676..ba7e7c0e76 100644
--- a/go.mod
+++ b/go.mod
@@ -87,7 +87,6 @@ require (
 golang.org/x/tools v0.0.0-20200513154647-78b527d18275 // indirect
 google.golang.org/api v0.9.0 // indirect
 google.golang.org/appengine v1.6.0 // indirect
- google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55
 google.golang.org/grpc v1.25.1
 gopkg.in/square/go-jose.v2 v2.4.1
 k8s.io/api v0.16.9
diff --git a/test/integration/connect/envoy/case-basic/verify.bats b/test/integration/connect/envoy/case-basic/verify.bats
index 14ab5d2858..d5c7bf2459 100644
--- a/test/integration/connect/envoy/case-basic/verify.bats
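Review bot: The `t.Fatal` call added to SendReq is given a `%s` format string, but Fatal does not interpret format verbs, so the failure message would print the verb literally followed by the version; it should be `t.Fatalf("envoy version is not valid: %s", proxysupport.EnvoyVersions[0])`. In stringToEnvoyVersion, the `uint32(major)`, `uint32(minor)` and `uint32(patch)` conversions accept a negative result from `strconv.Atoi` and wrap it into a large version number; parsing with `strconv.ParseUint(parts[0], 10, 32)` (and likewise for the other two parts) would reject such input instead. SendReq's body continues outside the hunk.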
+++ b/test/integration/connect/envoy/case-basic/verify.bats
@@ -35,3 +35,16 @@ load helpers
 [ "$status" -eq 0 ]
 [ "$output" = "hello" ]
 }
+
+@test "s1 proxy should have been configured with one rbac listener filter at L4" {
+ LISTEN_FILTERS=$(get_envoy_listener_filters localhost:19000)
+ PUB=$(echo "$LISTEN_FILTERS" | grep -E "^public_listener:" | cut -f 2 -d ' ' )
+ UPS=$(echo "$LISTEN_FILTERS" | grep -E "^s2:" | cut -f 2 -d ' ' )
+
+ echo "LISTEN_FILTERS = $LISTEN_FILTERS"
+ echo "PUB = $PUB"
+ echo "UPS = $UPS"
+
+ [ "$PUB" = "envoy.filters.network.rbac,envoy.tcp_proxy" ]
+ [ "$UPS" = "envoy.tcp_proxy" ]
+}
diff --git a/test/integration/connect/envoy/case-http/verify.bats b/test/integration/connect/envoy/case-http/verify.bats
index dfcdecb4f3..33ba342aff 100644
--- a/test/integration/connect/envoy/case-http/verify.bats
+++ b/test/integration/connect/envoy/case-http/verify.bats
@@ -42,6 +42,39 @@ load helpers
 echo "PUB = $PUB"
 echo "UPS = $UPS"
- [ "$PUB" = "envoy.ext_authz,envoy.http_connection_manager" ]
+ [ "$PUB" = "envoy.http_connection_manager" ]
 [ "$UPS" = "envoy.http_connection_manager" ]
 }
+
+@test "s2 proxy should have been configured with an http connection manager" {
+ LISTEN_FILTERS=$(get_envoy_listener_filters localhost:19001)
+ PUB=$(echo "$LISTEN_FILTERS" | grep -E "^public_listener:" | cut -f 2 -d ' ' )
+
+ echo "LISTEN_FILTERS = $LISTEN_FILTERS"
+ echo "PUB = $PUB"
+
+ [ "$PUB" = "envoy.http_connection_manager" ]
+}
+
+@test "s1 proxy should have been configured with http rbac filters" {
+ HTTP_FILTERS=$(get_envoy_http_filters localhost:19000)
+ PUB=$(echo "$HTTP_FILTERS" | grep -E "^public_listener:" | cut -f 2 -d ' ' )
+ UPS=$(echo "$HTTP_FILTERS" | grep -E "^s2:" | cut -f 2 -d ' ' )
+
+ echo "HTTP_FILTERS = $HTTP_FILTERS"
+ echo "PUB = $PUB"
+ echo "UPS = $UPS"
+
+ [ "$PUB" = "envoy.filters.http.rbac,envoy.router" ]
+ [ "$UPS" = "envoy.router" ]
+}
+
+@test "s2 proxy should have been configured with http rbac filters" {
+ HTTP_FILTERS=$(get_envoy_http_filters localhost:19001)
+ PUB=$(echo "$HTTP_FILTERS" | grep -E "^public_listener:" | cut -f 2 -d ' ' )
+
+ echo "HTTP_FILTERS = $HTTP_FILTERS"
+ echo "PUB = $PUB"
+
+ [ "$PUB" = "envoy.filters.http.rbac,envoy.router" ]
+}
diff --git a/test/integration/connect/envoy/helpers.bash b/test/integration/connect/envoy/helpers.bash
index 5b103678d2..0ba7e2bccb 100755
--- a/test/integration/connect/envoy/helpers.bash
+++ b/test/integration/connect/envoy/helpers.bash
@@ -169,6 +169,22 @@ function get_envoy_listener_filters {
 echo "$output" | jq --raw-output "$QUERY"
 }
+function get_envoy_http_filters {
+ local HOSTPORT=$1
+ run retry_default curl -s -f $HOSTPORT/config_dump
+ [ "$status" -eq 0 ]
+ local ENVOY_VERSION=$(echo $output | jq --raw-output '.configs[0].bootstrap.node.metadata.envoy_version')
+ local QUERY=''
+ # from 1.13.0 on the config json looks slightly different
+ # 1.10.x, 1.11.x, 1.12.x are not affected
+ if [[ "$ENVOY_VERSION" =~ ^1\.1[012]\. ]]; then
+ QUERY='.configs[2].dynamic_active_listeners[].listener | "\(.name) \( .filter_chains[0].filters[] | select(.name == "envoy.http_connection_manager") | .config.http_filters | map(.name) | join(","))"'
+ else
+ QUERY='.configs[2].dynamic_listeners[].active_state.listener | "\(.name) \( .filter_chains[0].filters[] | select(.name == "envoy.http_connection_manager") | .config.http_filters | map(.name) | join(","))"'
+ fi
+ echo "$output" | jq --raw-output "$QUERY"
+}
+
 function get_envoy_cluster_config {
 local HOSTPORT=$1
 local CLUSTER_NAME=$2
@@ -529,12 +545,13 @@ function must_fail_tcp_connection {
 # to generate a 503 response since the upstreams have refused connection.
 function must_fail_http_connection {
 # Attempt to curl through upstream
- run curl -s -i -d hello $1
+ run curl -s -i -d hello "$1"
 echo "OUTPUT $output"
+ local expect_response="${2:-403 Forbidden}"
 # Should fail request with 503
- echo "$output" | grep '503 Service Unavailable'
+ echo "$output" | grep "${expect_response}"
 }
 function gen_envoy_bootstrap {
diff --git a/test/integration/connect/envoy/test-envoy-versions.sh b/test/integration/connect/envoy/test-envoy-versions.sh
index e16243ba75..961e1219aa 100755
--- a/test/integration/connect/envoy/test-envoy-versions.sh
+++ b/test/integration/connect/envoy/test-envoy-versions.sh
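Review bot: Both queries in `get_envoy_http_filters` read only `.filter_chains[0]` and only the filter named `envoy.http_connection_manager`, so the rbac assertions built on this helper cover the first filter chain of each listener and say nothing about any further chain. A comment above the queries, such as `# only the first filter chain of each listener is inspected`, would make that limit explicit for anyone relying on these checks as evidence that authorization is wired in. `$HOSTPORT` and `$output` are also expanded unquoted in the `curl` and `echo` lines; `"$HOSTPORT/config_dump"` and `echo "$output"` avoid word splitting and globbing.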
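Review bot: The comments in and above `must_fail_http_connection` still describe a 503, while the new default for `expect_response` is `403 Forbidden`; the inline one could read `# Should fail request with the expected status (default: 403 Forbidden)`. `grep "${expect_response}"` treats the argument as a regular expression and matches anywhere in the captured output, body included, so `grep -F -- "${expect_response}"` would keep the deny check a literal match. The function's leading comment begins outside the hunk.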
@@ -6,29 +6,15 @@ unset CDPATH
 cd "$(dirname "$0")"
-# MISSING: 1.14.0
-# MISSING: 1.12.5
 versions=(
- 1.14.3
- 1.14.2
- 1.14.1
- 1.13.3
- 1.13.2
- 1.13.1
- 1.13.0
- 1.12.4
- 1.12.3
- 1.12.2
- 1.12.1
- 1.12.0
- 1.11.2
- 1.11.1
- 1.11.0
- 1.10.0
+ 1.15.0
+ 1.14.4
+ 1.13.4
+ 1.12.6
 )
 for v in "${versions[@]}"; do
 echo "ENVOY_VERSION=${v}"
 export ENVOY_VERSION="${v}"
- go test -tags integration
+ go test -tags integration "$@"
 done
diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2/rbac.pb.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2/rbac.pb.go
new file mode 100644
index 0000000000..c7b08437fb
--- /dev/null
+++ b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2/rbac.pb.go
@@ -0,0 +1,142 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: envoy/config/filter/http/rbac/v2/rbac.proto + +package envoy_config_filter_http_rbac_v2 + +import ( + fmt "fmt" + _ "github.com/cncf/udpa/go/udpa/annotations" + v2 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2" + _ "github.com/envoyproxy/protoc-gen-validate/validate" + proto "github.com/golang/protobuf/proto" + math "math" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +type RBAC struct { + Rules *v2.RBAC `protobuf:"bytes,1,opt,name=rules,proto3" json:"rules,omitempty"` + ShadowRules *v2.RBAC `protobuf:"bytes,2,opt,name=shadow_rules,json=shadowRules,proto3" json:"shadow_rules,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *RBAC) Reset() { *m = RBAC{} } +func (m *RBAC) String() string { return proto.CompactTextString(m) } +func (*RBAC) ProtoMessage() {} +func (*RBAC) Descriptor() ([]byte, []int) { + return fileDescriptor_15d628c6558085a7, []int{0} +} + +func (m *RBAC) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_RBAC.Unmarshal(m, b) +} +func (m *RBAC) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_RBAC.Marshal(b, m, deterministic) +} +func (m *RBAC) XXX_Merge(src proto.Message) { + xxx_messageInfo_RBAC.Merge(m, src) +} +func (m *RBAC) XXX_Size() int { + return xxx_messageInfo_RBAC.Size(m) +} +func (m *RBAC) XXX_DiscardUnknown() { + xxx_messageInfo_RBAC.DiscardUnknown(m) +} + +var xxx_messageInfo_RBAC 
proto.InternalMessageInfo + +func (m *RBAC) GetRules() *v2.RBAC { + if m != nil { + return m.Rules + } + return nil +} + +func (m *RBAC) GetShadowRules() *v2.RBAC { + if m != nil { + return m.ShadowRules + } + return nil +} + +type RBACPerRoute struct { + Rbac *RBAC `protobuf:"bytes,2,opt,name=rbac,proto3" json:"rbac,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *RBACPerRoute) Reset() { *m = RBACPerRoute{} } +func (m *RBACPerRoute) String() string { return proto.CompactTextString(m) } +func (*RBACPerRoute) ProtoMessage() {} +func (*RBACPerRoute) Descriptor() ([]byte, []int) { + return fileDescriptor_15d628c6558085a7, []int{1} +} + +func (m *RBACPerRoute) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_RBACPerRoute.Unmarshal(m, b) +} +func (m *RBACPerRoute) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_RBACPerRoute.Marshal(b, m, deterministic) +} +func (m *RBACPerRoute) XXX_Merge(src proto.Message) { + xxx_messageInfo_RBACPerRoute.Merge(m, src) +} +func (m *RBACPerRoute) XXX_Size() int { + return xxx_messageInfo_RBACPerRoute.Size(m) +} +func (m *RBACPerRoute) XXX_DiscardUnknown() { + xxx_messageInfo_RBACPerRoute.DiscardUnknown(m) +} + +var xxx_messageInfo_RBACPerRoute proto.InternalMessageInfo + +func (m *RBACPerRoute) GetRbac() *RBAC { + if m != nil { + return m.Rbac + } + return nil +} + +func init() { + proto.RegisterType((*RBAC)(nil), "envoy.config.filter.http.rbac.v2.RBAC") + proto.RegisterType((*RBACPerRoute)(nil), "envoy.config.filter.http.rbac.v2.RBACPerRoute") +} + +func init() { + proto.RegisterFile("envoy/config/filter/http/rbac/v2/rbac.proto", fileDescriptor_15d628c6558085a7) +} + +var fileDescriptor_15d628c6558085a7 = []byte{ + // 302 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x90, 0x4f, 0x4a, 0xc3, 0x40, + 0x14, 0xc6, 0x49, 0x48, 0x8b, 0x4e, 0xbb, 
0x28, 0xd9, 0x28, 0x01, 0xb5, 0x14, 0xfc, 0x03, 0xc2, + 0x8c, 0xa4, 0x3b, 0xc1, 0x85, 0x71, 0xe7, 0x2a, 0xe4, 0x02, 0x32, 0x49, 0xa6, 0xed, 0x40, 0x9c, + 0x09, 0x33, 0x2f, 0x69, 0xbb, 0xf3, 0x06, 0x6e, 0x3d, 0x8b, 0x27, 0x70, 0xeb, 0x55, 0x3c, 0x80, + 0xc8, 0x64, 0x46, 0x68, 0xe9, 0x22, 0xab, 0x19, 0xde, 0xf7, 0xfb, 0xbe, 0xf7, 0xf8, 0xd0, 0x2d, + 0x13, 0xad, 0xdc, 0x92, 0x42, 0x8a, 0x05, 0x5f, 0x92, 0x05, 0xaf, 0x80, 0x29, 0xb2, 0x02, 0xa8, + 0x89, 0xca, 0x69, 0x41, 0xda, 0xb8, 0x7b, 0x71, 0xad, 0x24, 0xc8, 0x70, 0xda, 0xc1, 0xd8, 0xc2, + 0xd8, 0xc2, 0xd8, 0xc0, 0xb8, 0x83, 0xda, 0x38, 0xba, 0xd8, 0x8b, 0x3b, 0x8c, 0x88, 0xce, 0x9b, + 0xb2, 0xa6, 0x84, 0x0a, 0x21, 0x81, 0x02, 0x97, 0x42, 0x93, 0x57, 0xbe, 0x54, 0x14, 0x98, 0xd3, + 0xcf, 0x0e, 0x74, 0x0d, 0x14, 0x1a, 0xed, 0xe4, 0x93, 0x96, 0x56, 0xbc, 0xa4, 0xc0, 0xc8, 0xff, + 0xc7, 0x0a, 0xb3, 0x35, 0x0a, 0xb2, 0xe4, 0xf1, 0x29, 0xbc, 0x43, 0x03, 0xd5, 0x54, 0x4c, 0x9f, + 0x7a, 0x53, 0xef, 0x66, 0x14, 0x47, 0x78, 0xef, 0x64, 0x77, 0x26, 0x36, 0x68, 0x66, 0xc1, 0xf0, + 0x01, 0x8d, 0xf5, 0x8a, 0x96, 0x72, 0xfd, 0x62, 0x8d, 0x7e, 0xaf, 0x71, 0x64, 0xf9, 0xcc, 0xe0, + 0xb3, 0x14, 0x8d, 0xcd, 0x30, 0x65, 0x2a, 0x93, 0x0d, 0xb0, 0xf0, 0x1e, 0x05, 0x06, 0x76, 0x31, + 0x57, 0xb8, 0xaf, 0x32, 0x1b, 0xd9, 0x79, 0x9e, 0x83, 0x23, 0x6f, 0xe2, 0x27, 0xea, 0xe7, 0xe3, + 0xf7, 0x7d, 0x70, 0x1d, 0x5e, 0x5a, 0x2b, 0xdb, 0x00, 0x13, 0xda, 0x54, 0xe1, 0xec, 0x7a, 0xd7, + 0x3f, 0xff, 0x7c, 0xfb, 0xfa, 0x1e, 0xfa, 0x13, 0x0f, 0x61, 0x2e, 0xed, 0xb2, 0x5a, 0xc9, 0xcd, + 0xb6, 0x77, 0x6f, 0x72, 0x9c, 0xe5, 0xb4, 0x48, 0x4d, 0x79, 0xa9, 0x97, 0x0f, 0xbb, 0x16, 0xe7, + 0x7f, 0x01, 0x00, 0x00, 0xff, 0xff, 0xf3, 0xc5, 0xbe, 0x85, 0x0f, 0x02, 0x00, 0x00, +} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2/rbac.pb.validate.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2/rbac.pb.validate.go new file mode 100644 index 0000000000..c4df6246c4 --- /dev/null 
+++ b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2/rbac.pb.validate.go 
@@ -0,0 +1,196 @@ +// Code generated by protoc-gen-validate. DO NOT EDIT. +// source: envoy/config/filter/http/rbac/v2/rbac.proto + +package envoy_config_filter_http_rbac_v2 + +import ( + "bytes" + "errors" + "fmt" + "net" + "net/mail" + "net/url" + "regexp" + "strings" + "time" + "unicode/utf8" + + "github.com/golang/protobuf/ptypes" +) + +// ensure the imports are used +var ( + _ = bytes.MinRead + _ = errors.New("") + _ = fmt.Print + _ = utf8.UTFMax + _ = (*regexp.Regexp)(nil) + _ = (*strings.Reader)(nil) + _ = net.IPv4len + _ = time.Duration(0) + _ = (*url.URL)(nil) + _ = (*mail.Address)(nil) + _ = ptypes.DynamicAny{} +) + +// define the regex for a UUID once up-front +var _rbac_uuidPattern = regexp.MustCompile("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") + +// Validate checks the field values on RBAC with the rules defined in the proto +// definition for this message. If any rules are violated, an error is returned. +func (m *RBAC) Validate() error { + if m == nil { + return nil + } + + if v, ok := interface{}(m.GetRules()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return RBACValidationError{ + field: "Rules", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if v, ok := interface{}(m.GetShadowRules()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return RBACValidationError{ + field: "ShadowRules", + reason: "embedded message failed validation", + cause: err, + } + } + } + + return nil +} + +// RBACValidationError is the validation error returned by RBAC.Validate if the +// designated constraints aren't met. +type RBACValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e RBACValidationError) Field() string { return e.field } + +// Reason function returns reason value. 
+func (e RBACValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e RBACValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e RBACValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e RBACValidationError) ErrorName() string { return "RBACValidationError" } + +// Error satisfies the builtin error interface +func (e RBACValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sRBAC.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = RBACValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = RBACValidationError{} + +// Validate checks the field values on RBACPerRoute with the rules defined in +// the proto definition for this message. If any rules are violated, an error +// is returned. +func (m *RBACPerRoute) Validate() error { + if m == nil { + return nil + } + + if v, ok := interface{}(m.GetRbac()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return RBACPerRouteValidationError{ + field: "Rbac", + reason: "embedded message failed validation", + cause: err, + } + } + } + + return nil +} + +// RBACPerRouteValidationError is the validation error returned by +// RBACPerRoute.Validate if the designated constraints aren't met. +type RBACPerRouteValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e RBACPerRouteValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e RBACPerRouteValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. 
+func (e RBACPerRouteValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e RBACPerRouteValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e RBACPerRouteValidationError) ErrorName() string { return "RBACPerRouteValidationError" } + +// Error satisfies the builtin error interface +func (e RBACPerRouteValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sRBACPerRoute.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = RBACPerRouteValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = RBACPerRouteValidationError{} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2/ext_authz.pb.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2/ext_authz.pb.go deleted file mode 100644 index 484489b808..0000000000 --- a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2/ext_authz.pb.go +++ /dev/null 
@@ -1,123 +0,0 @@ -// Code generated by protoc-gen-go. DO NOT EDIT. -// source: envoy/config/filter/network/ext_authz/v2/ext_authz.proto - -package envoy_config_filter_network_ext_authz_v2 - -import ( - fmt "fmt" - _ "github.com/cncf/udpa/go/udpa/annotations" - core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" - _ "github.com/envoyproxy/protoc-gen-validate/validate" - proto "github.com/golang/protobuf/proto" - math "math" -) - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the proto package it is being compiled against. -// A compilation error at this line likely means your copy of the -// proto package needs to be updated. -const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package - -type ExtAuthz struct { - StatPrefix string `protobuf:"bytes,1,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"` - GrpcService *core.GrpcService `protobuf:"bytes,2,opt,name=grpc_service,json=grpcService,proto3" json:"grpc_service,omitempty"` - FailureModeAllow bool `protobuf:"varint,3,opt,name=failure_mode_allow,json=failureModeAllow,proto3" json:"failure_mode_allow,omitempty"` - IncludePeerCertificate bool `protobuf:"varint,4,opt,name=include_peer_certificate,json=includePeerCertificate,proto3" json:"include_peer_certificate,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *ExtAuthz) Reset() { *m = ExtAuthz{} } -func (m *ExtAuthz) String() string { return proto.CompactTextString(m) } -func (*ExtAuthz) ProtoMessage() {} -func (*ExtAuthz) Descriptor() ([]byte, []int) { - return fileDescriptor_3ec2615c2696024a, []int{0} -} - -func (m *ExtAuthz) XXX_Unmarshal(b []byte) error { - return xxx_messageInfo_ExtAuthz.Unmarshal(m, b) -} -func (m *ExtAuthz) XXX_Marshal(b 
[]byte, deterministic bool) ([]byte, error) { - return xxx_messageInfo_ExtAuthz.Marshal(b, m, deterministic) -} -func (m *ExtAuthz) XXX_Merge(src proto.Message) { - xxx_messageInfo_ExtAuthz.Merge(m, src) -} -func (m *ExtAuthz) XXX_Size() int { - return xxx_messageInfo_ExtAuthz.Size(m) -} -func (m *ExtAuthz) XXX_DiscardUnknown() { - xxx_messageInfo_ExtAuthz.DiscardUnknown(m) -} - -var xxx_messageInfo_ExtAuthz proto.InternalMessageInfo - -func (m *ExtAuthz) GetStatPrefix() string { - if m != nil { - return m.StatPrefix - } - return "" -} - -func (m *ExtAuthz) GetGrpcService() *core.GrpcService { - if m != nil { - return m.GrpcService - } - return nil -} - -func (m *ExtAuthz) GetFailureModeAllow() bool { - if m != nil { - return m.FailureModeAllow - } - return false -} - -func (m *ExtAuthz) GetIncludePeerCertificate() bool { - if m != nil { - return m.IncludePeerCertificate - } - return false -} - -func init() { - proto.RegisterType((*ExtAuthz)(nil), "envoy.config.filter.network.ext_authz.v2.ExtAuthz") -} - -func init() { - proto.RegisterFile("envoy/config/filter/network/ext_authz/v2/ext_authz.proto", fileDescriptor_3ec2615c2696024a) -} - -var fileDescriptor_3ec2615c2696024a = []byte{ - // 384 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x91, 0xb1, 0xee, 0xd3, 0x30, - 0x10, 0xc6, 0xe5, 0x52, 0x4a, 0x71, 0x41, 0xaa, 0x32, 0x40, 0x54, 0x89, 0x2a, 0x42, 0x0c, 0x19, - 0xc0, 0x96, 0x52, 0x09, 0x75, 0x6d, 0x10, 0x62, 0x42, 0x8a, 0xca, 0x03, 0x44, 0xc6, 0xb9, 0x04, - 0x8b, 0xd4, 0xb6, 0x1c, 0x27, 0x4d, 0x99, 0x98, 0x58, 0x59, 0x79, 0x16, 0x9e, 0x80, 0x95, 0x27, - 0xe0, 0x1d, 0x18, 0x19, 0x10, 0x72, 0x9c, 0x2a, 0x48, 0x30, 0xfc, 0xb7, 0x5c, 0x7e, 0xf7, 0x9d, - 0xef, 0xbe, 0x0f, 0xef, 0x41, 0x76, 0xea, 0x42, 0xb9, 0x92, 0xa5, 0xa8, 0x68, 0x29, 0x6a, 0x0b, - 0x86, 0x4a, 0xb0, 0x67, 0x65, 0xde, 0x53, 0xe8, 0x6d, 0xce, 0x5a, 0xfb, 0xee, 0x03, 0xed, 0x92, - 0xa9, 0x20, 0xda, 0x28, 0xab, 0x82, 0x78, 0x50, 0x12, 0xaf, 
0x24, 0x5e, 0x49, 0x46, 0x25, 0x99, - 0x9a, 0xbb, 0x64, 0xf3, 0xc4, 0xbf, 0xc1, 0xb4, 0x70, 0x73, 0xb8, 0x32, 0x40, 0x2b, 0xa3, 0x79, - 0xde, 0x80, 0xe9, 0x04, 0x07, 0x3f, 0x6f, 0xb3, 0x6d, 0x0b, 0xcd, 0x28, 0x93, 0x52, 0x59, 0x66, - 0x85, 0x92, 0x0d, 0x3d, 0x89, 0xca, 0x30, 0x7b, 0xe5, 0x8f, 0xfe, 0xe1, 0x8d, 0x65, 0xb6, 0x6d, - 0x46, 0xfc, 0xb0, 0x63, 0xb5, 0x28, 0x98, 0x05, 0x7a, 0xfd, 0xf0, 0xe0, 0xf1, 0x0f, 0x84, 0x97, - 0x2f, 0x7b, 0x7b, 0x70, 0xdb, 0x04, 0x31, 0x5e, 0x39, 0x55, 0xae, 0x0d, 0x94, 0xa2, 0x0f, 0x51, - 0x84, 0xe2, 0xbb, 0xe9, 0x9d, 0x5f, 0xe9, 0xdc, 0xcc, 0x22, 0x74, 0xc4, 0x8e, 0x65, 0x03, 0x0a, - 0x0e, 0xf8, 0xde, 0xdf, 0x4b, 0x86, 0xb3, 0x08, 0xc5, 0xab, 0x64, 0x4b, 0xfc, 0xd5, 0x4c, 0x0b, - 0xd2, 0x25, 0xc4, 0xdd, 0x42, 0x5e, 0x19, 0xcd, 0xdf, 0xf8, 0xae, 0xe3, 0xaa, 0x9a, 0x8a, 0xe0, - 0x29, 0x0e, 0x4a, 0x26, 0xea, 0xd6, 0x40, 0x7e, 0x52, 0x05, 0xe4, 0xac, 0xae, 0xd5, 0x39, 0xbc, - 0x15, 0xa1, 0x78, 0x79, 0x5c, 0x8f, 0xe4, 0xb5, 0x2a, 0xe0, 0xe0, 0xfe, 0x07, 0x7b, 0x1c, 0x0a, - 0xc9, 0xeb, 0xb6, 0x80, 0x5c, 0x03, 0x98, 0x9c, 0x83, 0xb1, 0xa2, 0x14, 0x9c, 0x59, 0x08, 0xe7, - 0x83, 0xe6, 0xc1, 0xc8, 0x33, 0x00, 0xf3, 0x62, 0xa2, 0xe9, 0x27, 0xf4, 0xf3, 0xcb, 0xef, 0xcf, - 0xb7, 0x69, 0xf0, 0xcc, 0x2f, 0x07, 0xbd, 0x05, 0xd9, 0x38, 0x8b, 0xc6, 0x58, 0x9a, 0xff, 0xe5, - 0xb2, 0xfb, 0xfa, 0xf1, 0xdb, 0xf7, 0xc5, 0x6c, 0x8d, 0xf0, 0x73, 0xa1, 0xfc, 0x59, 0xda, 0xa8, - 0xfe, 0x42, 0x6e, 0x9a, 0x6b, 0x7a, 0xff, 0x6a, 0x6b, 0xe6, 0x8c, 0xce, 0xd0, 0xdb, 0xc5, 0xe0, - 0xf8, 0xee, 0x4f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xeb, 0x56, 0xa0, 0x9b, 0x55, 0x02, 0x00, 0x00, -} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.go deleted file mode 100644 index 5a05f5464f..0000000000 
--- a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2/ext_authz.pb.validate.go +++ /dev/null 
@@ -1,122 +0,0 @@ -// Code generated by protoc-gen-validate. DO NOT EDIT. -// source: envoy/config/filter/network/ext_authz/v2/ext_authz.proto - -package envoy_config_filter_network_ext_authz_v2 - -import ( - "bytes" - "errors" - "fmt" - "net" - "net/mail" - "net/url" - "regexp" - "strings" - "time" - "unicode/utf8" - - "github.com/golang/protobuf/ptypes" -) - -// ensure the imports are used -var ( - _ = bytes.MinRead - _ = errors.New("") - _ = fmt.Print - _ = utf8.UTFMax - _ = (*regexp.Regexp)(nil) - _ = (*strings.Reader)(nil) - _ = net.IPv4len - _ = time.Duration(0) - _ = (*url.URL)(nil) - _ = (*mail.Address)(nil) - _ = ptypes.DynamicAny{} -) - -// define the regex for a UUID once up-front -var _ext_authz_uuidPattern = regexp.MustCompile("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") - -// Validate checks the field values on ExtAuthz with the rules defined in the -// proto definition for this message. If any rules are violated, an error is returned. -func (m *ExtAuthz) Validate() error { - if m == nil { - return nil - } - - if len(m.GetStatPrefix()) < 1 { - return ExtAuthzValidationError{ - field: "StatPrefix", - reason: "value length must be at least 1 bytes", - } - } - - if v, ok := interface{}(m.GetGrpcService()).(interface{ Validate() error }); ok { - if err := v.Validate(); err != nil { - return ExtAuthzValidationError{ - field: "GrpcService", - reason: "embedded message failed validation", - cause: err, - } - } - } - - // no validation rules for FailureModeAllow - - // no validation rules for IncludePeerCertificate - - return nil -} - -// ExtAuthzValidationError is the validation error returned by -// ExtAuthz.Validate if the designated constraints aren't met. -type ExtAuthzValidationError struct { - field string - reason string - cause error - key bool -} - -// Field function returns field value. -func (e ExtAuthzValidationError) Field() string { return e.field } - -// Reason function returns reason value. 
-func (e ExtAuthzValidationError) Reason() string { return e.reason } - -// Cause function returns cause value. -func (e ExtAuthzValidationError) Cause() error { return e.cause } - -// Key function returns key value. -func (e ExtAuthzValidationError) Key() bool { return e.key } - -// ErrorName returns error name. -func (e ExtAuthzValidationError) ErrorName() string { return "ExtAuthzValidationError" } - -// Error satisfies the builtin error interface -func (e ExtAuthzValidationError) Error() string { - cause := "" - if e.cause != nil { - cause = fmt.Sprintf(" | caused by: %v", e.cause) - } - - key := "" - if e.key { - key = "key for " - } - - return fmt.Sprintf( - "invalid %sExtAuthz.%s: %s%s", - key, - e.field, - e.reason, - cause) -} - -var _ error = ExtAuthzValidationError{} - -var _ interface { - Field() string - Reason() string - Key() bool - Cause() error - ErrorName() string -} = ExtAuthzValidationError{} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2/rbac.pb.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2/rbac.pb.go new file mode 100644 index 0000000000..a9a35c3453 --- /dev/null +++ b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2/rbac.pb.go 
@@ -0,0 +1,150 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: envoy/config/filter/network/rbac/v2/rbac.proto + +package envoy_config_filter_network_rbac_v2 + +import ( + fmt "fmt" + _ "github.com/cncf/udpa/go/udpa/annotations" + v2 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2" + _ "github.com/envoyproxy/protoc-gen-validate/validate" + proto "github.com/golang/protobuf/proto" + math "math" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +type RBAC_EnforcementType int32 + +const ( + RBAC_ONE_TIME_ON_FIRST_BYTE RBAC_EnforcementType = 0 + RBAC_CONTINUOUS RBAC_EnforcementType = 1 +) + +var RBAC_EnforcementType_name = map[int32]string{ + 0: "ONE_TIME_ON_FIRST_BYTE", + 1: "CONTINUOUS", +} + +var RBAC_EnforcementType_value = map[string]int32{ + "ONE_TIME_ON_FIRST_BYTE": 0, + "CONTINUOUS": 1, +} + +func (x RBAC_EnforcementType) String() string { + return proto.EnumName(RBAC_EnforcementType_name, int32(x)) +} + +func (RBAC_EnforcementType) EnumDescriptor() ([]byte, []int) { + return fileDescriptor_8ec60cc393c44598, []int{0, 0} +} + +type RBAC struct { + Rules *v2.RBAC `protobuf:"bytes,1,opt,name=rules,proto3" json:"rules,omitempty"` + ShadowRules *v2.RBAC `protobuf:"bytes,2,opt,name=shadow_rules,json=shadowRules,proto3" json:"shadow_rules,omitempty"` + StatPrefix string `protobuf:"bytes,3,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"` + EnforcementType RBAC_EnforcementType 
`protobuf:"varint,4,opt,name=enforcement_type,json=enforcementType,proto3,enum=envoy.config.filter.network.rbac.v2.RBAC_EnforcementType" json:"enforcement_type,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *RBAC) Reset() { *m = RBAC{} } +func (m *RBAC) String() string { return proto.CompactTextString(m) } +func (*RBAC) ProtoMessage() {} +func (*RBAC) Descriptor() ([]byte, []int) { + return fileDescriptor_8ec60cc393c44598, []int{0} +} + +func (m *RBAC) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_RBAC.Unmarshal(m, b) +} +func (m *RBAC) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_RBAC.Marshal(b, m, deterministic) +} +func (m *RBAC) XXX_Merge(src proto.Message) { + xxx_messageInfo_RBAC.Merge(m, src) +} +func (m *RBAC) XXX_Size() int { + return xxx_messageInfo_RBAC.Size(m) +} +func (m *RBAC) XXX_DiscardUnknown() { + xxx_messageInfo_RBAC.DiscardUnknown(m) +} + +var xxx_messageInfo_RBAC proto.InternalMessageInfo + +func (m *RBAC) GetRules() *v2.RBAC { + if m != nil { + return m.Rules + } + return nil +} + +func (m *RBAC) GetShadowRules() *v2.RBAC { + if m != nil { + return m.ShadowRules + } + return nil +} + +func (m *RBAC) GetStatPrefix() string { + if m != nil { + return m.StatPrefix + } + return "" +} + +func (m *RBAC) GetEnforcementType() RBAC_EnforcementType { + if m != nil { + return m.EnforcementType + } + return RBAC_ONE_TIME_ON_FIRST_BYTE +} + +func init() { + proto.RegisterEnum("envoy.config.filter.network.rbac.v2.RBAC_EnforcementType", RBAC_EnforcementType_name, RBAC_EnforcementType_value) + proto.RegisterType((*RBAC)(nil), "envoy.config.filter.network.rbac.v2.RBAC") +} + +func init() { + proto.RegisterFile("envoy/config/filter/network/rbac/v2/rbac.proto", fileDescriptor_8ec60cc393c44598) +} + +var fileDescriptor_8ec60cc393c44598 = []byte{ + // 396 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0x91, 0xb1, 0xae, 0xd3, 0x30, + 0x14, 0x86, 0x71, 0xe8, 0xbd, 0xe8, 0xba, 0xe8, 0xde, 0x28, 0x03, 0x54, 0x91, 0x80, 0xa8, 0x2c, + 0x11, 0x83, 0x0d, 0xe9, 0xc4, 0xd0, 0x81, 0x54, 0x41, 0xea, 0x40, 0x52, 0xa5, 0xe9, 0xc0, 0x14, + 0xb9, 0x89, 0x53, 0x22, 0x5a, 0x3b, 0x72, 0xdc, 0x34, 0xd9, 0x78, 0x03, 0x56, 0x9e, 0x85, 0x07, + 0x40, 0xac, 0xbc, 0x0a, 0x23, 0x03, 0x42, 0x89, 0x83, 0x50, 0xdb, 0x81, 0x4e, 0x89, 0xfc, 0x7f, + 0xe7, 0xf8, 0x3b, 0x3e, 0x10, 0x51, 0x56, 0xf1, 0x06, 0x27, 0x9c, 0x65, 0xf9, 0x06, 0x67, 0xf9, + 0x56, 0x52, 0x81, 0x19, 0x95, 0x07, 0x2e, 0x3e, 0x62, 0xb1, 0x26, 0x09, 0xae, 0x9c, 0xee, 0x8b, + 0x0a, 0xc1, 0x25, 0x37, 0x9e, 0x77, 0x3c, 0x52, 0x3c, 0x52, 0x3c, 0xea, 0x79, 0xd4, 0x71, 0x95, + 0x63, 0x3e, 0x3b, 0x6a, 0x7a, 0xde, 0xc5, 0x7c, 0xba, 0x4f, 0x0b, 0x82, 0x09, 0x63, 0x5c, 0x12, + 0x99, 0x73, 0x56, 0xe2, 0x5d, 0xbe, 0x11, 0x44, 0xd2, 0x3e, 0x7f, 0x72, 0x96, 0x97, 0x92, 0xc8, + 0x7d, 0xd9, 0xc7, 0x8f, 0x2b, 0xb2, 0xcd, 0x53, 0x22, 0x29, 0xfe, 0xfb, 0xa3, 0x82, 0xf1, 0x37, + 0x0d, 0x0e, 0x42, 0xf7, 0xcd, 0xcc, 0x78, 0x09, 0xaf, 0xc4, 0x7e, 0x4b, 0xcb, 0x11, 0xb0, 0x80, + 0x3d, 0x74, 0x4c, 0x74, 0xa4, 0xdd, 0x7b, 0xa2, 0x16, 0x0d, 0x15, 0x68, 0x4c, 0xe1, 0xc3, 0xf2, + 0x03, 0x49, 0xf9, 0x21, 0x56, 0x85, 0xda, 0x7f, 0x0b, 0x87, 0x8a, 0x0f, 0xbb, 0x72, 0x1b, 0x0e, + 0x5b, 0xc5, 0xb8, 0x10, 0x34, 0xcb, 0xeb, 0xd1, 0x7d, 0x0b, 0xd8, 0x37, 0xee, 0x83, 0x5f, 0xee, + 0x40, 0x68, 0x16, 0x08, 0x61, 0x9b, 0x2d, 0xba, 0xc8, 0x48, 0xa1, 0x4e, 0x59, 0xc6, 0x45, 0x42, + 0x77, 0x94, 0xc9, 0x58, 0x36, 0x05, 0x1d, 0x0d, 0x2c, 0x60, 0xdf, 0x3a, 0xaf, 0xd1, 0x05, 0x8f, + 0xdb, 0xdd, 0x8d, 0xbc, 0x7f, 0x1d, 0xa2, 0xa6, 0xa0, 0xe1, 0x1d, 0x3d, 0x3e, 0x18, 0x4f, 0xe1, + 0xdd, 0x09, 0x63, 0x98, 0xf0, 0x51, 0xe0, 0x7b, 0x71, 0x34, 0x7f, 0xe7, 0xc5, 0x81, 0x1f, 0xbf, + 0x9d, 0x87, 0xcb, 0x28, 0x76, 0xdf, 0x47, 0x9e, 0x7e, 0xcf, 0xb8, 0x85, 0x70, 0x16, 0xf8, 0xd1, + 0xdc, 0x5f, 0x05, 0xab, 0xa5, 0x0e, 0xdc, 0xfa, 0xe7, 0x97, 
0xdf, 0x9f, 0xaf, 0x5e, 0x18, 0xb6, + 0x32, 0xa2, 0xb5, 0xa4, 0xac, 0x6c, 0x17, 0xd1, 0x5b, 0x95, 0x27, 0x5a, 0x93, 0xaf, 0x9f, 0xbe, + 0xff, 0xb8, 0xd6, 0x74, 0x00, 0x5f, 0xe5, 0x5c, 0x8d, 0x51, 0x08, 0x5e, 0x37, 0x97, 0x4c, 0xe4, + 0xde, 0x84, 0x6b, 0x92, 0x2c, 0xda, 0x05, 0x2e, 0xc0, 0xfa, 0xba, 0xdb, 0xe4, 0xe4, 0x4f, 0x00, + 0x00, 0x00, 0xff, 0xff, 0x25, 0xdd, 0x2f, 0xcb, 0x99, 0x02, 0x00, 0x00, +} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2/rbac.pb.validate.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2/rbac.pb.validate.go new file mode 100644 index 0000000000..908c654480 --- /dev/null +++ b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2/rbac.pb.validate.go 
@@ -0,0 +1,130 @@ +// Code generated by protoc-gen-validate. DO NOT EDIT. +// source: envoy/config/filter/network/rbac/v2/rbac.proto + +package envoy_config_filter_network_rbac_v2 + +import ( + "bytes" + "errors" + "fmt" + "net" + "net/mail" + "net/url" + "regexp" + "strings" + "time" + "unicode/utf8" + + "github.com/golang/protobuf/ptypes" +) + +// ensure the imports are used +var ( + _ = bytes.MinRead + _ = errors.New("") + _ = fmt.Print + _ = utf8.UTFMax + _ = (*regexp.Regexp)(nil) + _ = (*strings.Reader)(nil) + _ = net.IPv4len + _ = time.Duration(0) + _ = (*url.URL)(nil) + _ = (*mail.Address)(nil) + _ = ptypes.DynamicAny{} +) + +// define the regex for a UUID once up-front +var _rbac_uuidPattern = regexp.MustCompile("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") + +// Validate checks the field values on RBAC with the rules defined in the proto +// definition for this message. If any rules are violated, an error is returned. +func (m *RBAC) Validate() error { + if m == nil { + return nil + } + + if v, ok := interface{}(m.GetRules()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return RBACValidationError{ + field: "Rules", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if v, ok := interface{}(m.GetShadowRules()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return RBACValidationError{ + field: "ShadowRules", + reason: "embedded message failed validation", + cause: err, + } + } + } + + if len(m.GetStatPrefix()) < 1 { + return RBACValidationError{ + field: "StatPrefix", + reason: "value length must be at least 1 bytes", + } + } + + // no validation rules for EnforcementType + + return nil +} + +// RBACValidationError is the validation error returned by RBAC.Validate if the +// designated constraints aren't met. 
+type RBACValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e RBACValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e RBACValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e RBACValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e RBACValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e RBACValidationError) ErrorName() string { return "RBACValidationError" } + +// Error satisfies the builtin error interface +func (e RBACValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sRBAC.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = RBACValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = RBACValidationError{} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2/rbac.pb.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2/rbac.pb.go new file mode 100644 index 0000000000..15ed2d3553 --- /dev/null +++ b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2/rbac.pb.go 
@@ -0,0 +1,734 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: envoy/config/rbac/v2/rbac.proto + +package envoy_config_rbac_v2 + +import ( + fmt "fmt" + _ "github.com/cncf/udpa/go/udpa/annotations" + core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" + route "github.com/envoyproxy/go-control-plane/envoy/api/v2/route" + matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" + _ "github.com/envoyproxy/protoc-gen-validate/validate" + proto "github.com/golang/protobuf/proto" + v1alpha1 "google.golang.org/genproto/googleapis/api/expr/v1alpha1" + math "math" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +type RBAC_Action int32 + +const ( + RBAC_ALLOW RBAC_Action = 0 + RBAC_DENY RBAC_Action = 1 +) + +var RBAC_Action_name = map[int32]string{ + 0: "ALLOW", + 1: "DENY", +} + +var RBAC_Action_value = map[string]int32{ + "ALLOW": 0, + "DENY": 1, +} + +func (x RBAC_Action) String() string { + return proto.EnumName(RBAC_Action_name, int32(x)) +} + +func (RBAC_Action) EnumDescriptor() ([]byte, []int) { + return fileDescriptor_e8a2b527e1e731e1, []int{0, 0} +} + +type RBAC struct { + Action RBAC_Action `protobuf:"varint,1,opt,name=action,proto3,enum=envoy.config.rbac.v2.RBAC_Action" json:"action,omitempty"` + Policies map[string]*Policy `protobuf:"bytes,2,rep,name=policies,proto3" json:"policies,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *RBAC) 
Reset() { *m = RBAC{} } +func (m *RBAC) String() string { return proto.CompactTextString(m) } +func (*RBAC) ProtoMessage() {} +func (*RBAC) Descriptor() ([]byte, []int) { + return fileDescriptor_e8a2b527e1e731e1, []int{0} +} + +func (m *RBAC) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_RBAC.Unmarshal(m, b) +} +func (m *RBAC) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_RBAC.Marshal(b, m, deterministic) +} +func (m *RBAC) XXX_Merge(src proto.Message) { + xxx_messageInfo_RBAC.Merge(m, src) +} +func (m *RBAC) XXX_Size() int { + return xxx_messageInfo_RBAC.Size(m) +} +func (m *RBAC) XXX_DiscardUnknown() { + xxx_messageInfo_RBAC.DiscardUnknown(m) +} + +var xxx_messageInfo_RBAC proto.InternalMessageInfo + +func (m *RBAC) GetAction() RBAC_Action { + if m != nil { + return m.Action + } + return RBAC_ALLOW +} + +func (m *RBAC) GetPolicies() map[string]*Policy { + if m != nil { + return m.Policies + } + return nil +} + +type Policy struct { + Permissions []*Permission `protobuf:"bytes,1,rep,name=permissions,proto3" json:"permissions,omitempty"` + Principals []*Principal `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"` + Condition *v1alpha1.Expr `protobuf:"bytes,3,opt,name=condition,proto3" json:"condition,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Policy) Reset() { *m = Policy{} } +func (m *Policy) String() string { return proto.CompactTextString(m) } +func (*Policy) ProtoMessage() {} +func (*Policy) Descriptor() ([]byte, []int) { + return fileDescriptor_e8a2b527e1e731e1, []int{1} +} + +func (m *Policy) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Policy.Unmarshal(m, b) +} +func (m *Policy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Policy.Marshal(b, m, deterministic) +} +func (m *Policy) XXX_Merge(src proto.Message) { + 
xxx_messageInfo_Policy.Merge(m, src) +} +func (m *Policy) XXX_Size() int { + return xxx_messageInfo_Policy.Size(m) +} +func (m *Policy) XXX_DiscardUnknown() { + xxx_messageInfo_Policy.DiscardUnknown(m) +} + +var xxx_messageInfo_Policy proto.InternalMessageInfo + +func (m *Policy) GetPermissions() []*Permission { + if m != nil { + return m.Permissions + } + return nil +} + +func (m *Policy) GetPrincipals() []*Principal { + if m != nil { + return m.Principals + } + return nil +} + +func (m *Policy) GetCondition() *v1alpha1.Expr { + if m != nil { + return m.Condition + } + return nil +} + +type Permission struct { + // Types that are valid to be assigned to Rule: + // *Permission_AndRules + // *Permission_OrRules + // *Permission_Any + // *Permission_Header + // *Permission_UrlPath + // *Permission_DestinationIp + // *Permission_DestinationPort + // *Permission_Metadata + // *Permission_NotRule + // *Permission_RequestedServerName + Rule isPermission_Rule `protobuf_oneof:"rule"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Permission) Reset() { *m = Permission{} } +func (m *Permission) String() string { return proto.CompactTextString(m) } +func (*Permission) ProtoMessage() {} +func (*Permission) Descriptor() ([]byte, []int) { + return fileDescriptor_e8a2b527e1e731e1, []int{2} +} + +func (m *Permission) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Permission.Unmarshal(m, b) +} +func (m *Permission) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Permission.Marshal(b, m, deterministic) +} +func (m *Permission) XXX_Merge(src proto.Message) { + xxx_messageInfo_Permission.Merge(m, src) +} +func (m *Permission) XXX_Size() int { + return xxx_messageInfo_Permission.Size(m) +} +func (m *Permission) XXX_DiscardUnknown() { + xxx_messageInfo_Permission.DiscardUnknown(m) +} + +var xxx_messageInfo_Permission proto.InternalMessageInfo + +type 
isPermission_Rule interface { + isPermission_Rule() +} + +type Permission_AndRules struct { + AndRules *Permission_Set `protobuf:"bytes,1,opt,name=and_rules,json=andRules,proto3,oneof"` +} + +type Permission_OrRules struct { + OrRules *Permission_Set `protobuf:"bytes,2,opt,name=or_rules,json=orRules,proto3,oneof"` +} + +type Permission_Any struct { + Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"` +} + +type Permission_Header struct { + Header *route.HeaderMatcher `protobuf:"bytes,4,opt,name=header,proto3,oneof"` +} + +type Permission_UrlPath struct { + UrlPath *matcher.PathMatcher `protobuf:"bytes,10,opt,name=url_path,json=urlPath,proto3,oneof"` +} + +type Permission_DestinationIp struct { + DestinationIp *core.CidrRange `protobuf:"bytes,5,opt,name=destination_ip,json=destinationIp,proto3,oneof"` +} + +type Permission_DestinationPort struct { + DestinationPort uint32 `protobuf:"varint,6,opt,name=destination_port,json=destinationPort,proto3,oneof"` +} + +type Permission_Metadata struct { + Metadata *matcher.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"` +} + +type Permission_NotRule struct { + NotRule *Permission `protobuf:"bytes,8,opt,name=not_rule,json=notRule,proto3,oneof"` +} + +type Permission_RequestedServerName struct { + RequestedServerName *matcher.StringMatcher `protobuf:"bytes,9,opt,name=requested_server_name,json=requestedServerName,proto3,oneof"` +} + +func (*Permission_AndRules) isPermission_Rule() {} + +func (*Permission_OrRules) isPermission_Rule() {} + +func (*Permission_Any) isPermission_Rule() {} + +func (*Permission_Header) isPermission_Rule() {} + +func (*Permission_UrlPath) isPermission_Rule() {} + +func (*Permission_DestinationIp) isPermission_Rule() {} + +func (*Permission_DestinationPort) isPermission_Rule() {} + +func (*Permission_Metadata) isPermission_Rule() {} + +func (*Permission_NotRule) isPermission_Rule() {} + +func (*Permission_RequestedServerName) isPermission_Rule() {} + +func (m *Permission) 
GetRule() isPermission_Rule { + if m != nil { + return m.Rule + } + return nil +} + +func (m *Permission) GetAndRules() *Permission_Set { + if x, ok := m.GetRule().(*Permission_AndRules); ok { + return x.AndRules + } + return nil +} + +func (m *Permission) GetOrRules() *Permission_Set { + if x, ok := m.GetRule().(*Permission_OrRules); ok { + return x.OrRules + } + return nil +} + +func (m *Permission) GetAny() bool { + if x, ok := m.GetRule().(*Permission_Any); ok { + return x.Any + } + return false +} + +func (m *Permission) GetHeader() *route.HeaderMatcher { + if x, ok := m.GetRule().(*Permission_Header); ok { + return x.Header + } + return nil +} + +func (m *Permission) GetUrlPath() *matcher.PathMatcher { + if x, ok := m.GetRule().(*Permission_UrlPath); ok { + return x.UrlPath + } + return nil +} + +func (m *Permission) GetDestinationIp() *core.CidrRange { + if x, ok := m.GetRule().(*Permission_DestinationIp); ok { + return x.DestinationIp + } + return nil +} + +func (m *Permission) GetDestinationPort() uint32 { + if x, ok := m.GetRule().(*Permission_DestinationPort); ok { + return x.DestinationPort + } + return 0 +} + +func (m *Permission) GetMetadata() *matcher.MetadataMatcher { + if x, ok := m.GetRule().(*Permission_Metadata); ok { + return x.Metadata + } + return nil +} + +func (m *Permission) GetNotRule() *Permission { + if x, ok := m.GetRule().(*Permission_NotRule); ok { + return x.NotRule + } + return nil +} + +func (m *Permission) GetRequestedServerName() *matcher.StringMatcher { + if x, ok := m.GetRule().(*Permission_RequestedServerName); ok { + return x.RequestedServerName + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. 
+func (*Permission) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*Permission_AndRules)(nil), + (*Permission_OrRules)(nil), + (*Permission_Any)(nil), + (*Permission_Header)(nil), + (*Permission_UrlPath)(nil), + (*Permission_DestinationIp)(nil), + (*Permission_DestinationPort)(nil), + (*Permission_Metadata)(nil), + (*Permission_NotRule)(nil), + (*Permission_RequestedServerName)(nil), + } +} + +type Permission_Set struct { + Rules []*Permission `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Permission_Set) Reset() { *m = Permission_Set{} } +func (m *Permission_Set) String() string { return proto.CompactTextString(m) } +func (*Permission_Set) ProtoMessage() {} +func (*Permission_Set) Descriptor() ([]byte, []int) { + return fileDescriptor_e8a2b527e1e731e1, []int{2, 0} +} + +func (m *Permission_Set) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Permission_Set.Unmarshal(m, b) +} +func (m *Permission_Set) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Permission_Set.Marshal(b, m, deterministic) +} +func (m *Permission_Set) XXX_Merge(src proto.Message) { + xxx_messageInfo_Permission_Set.Merge(m, src) +} +func (m *Permission_Set) XXX_Size() int { + return xxx_messageInfo_Permission_Set.Size(m) +} +func (m *Permission_Set) XXX_DiscardUnknown() { + xxx_messageInfo_Permission_Set.DiscardUnknown(m) +} + +var xxx_messageInfo_Permission_Set proto.InternalMessageInfo + +func (m *Permission_Set) GetRules() []*Permission { + if m != nil { + return m.Rules + } + return nil +} + +type Principal struct { + // Types that are valid to be assigned to Identifier: + // *Principal_AndIds + // *Principal_OrIds + // *Principal_Any + // *Principal_Authenticated_ + // *Principal_SourceIp + // *Principal_Header + // *Principal_UrlPath + // *Principal_Metadata + // *Principal_NotId + 
Identifier isPrincipal_Identifier `protobuf_oneof:"identifier"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Principal) Reset() { *m = Principal{} } +func (m *Principal) String() string { return proto.CompactTextString(m) } +func (*Principal) ProtoMessage() {} +func (*Principal) Descriptor() ([]byte, []int) { + return fileDescriptor_e8a2b527e1e731e1, []int{3} +} + +func (m *Principal) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Principal.Unmarshal(m, b) +} +func (m *Principal) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Principal.Marshal(b, m, deterministic) +} +func (m *Principal) XXX_Merge(src proto.Message) { + xxx_messageInfo_Principal.Merge(m, src) +} +func (m *Principal) XXX_Size() int { + return xxx_messageInfo_Principal.Size(m) +} +func (m *Principal) XXX_DiscardUnknown() { + xxx_messageInfo_Principal.DiscardUnknown(m) +} + +var xxx_messageInfo_Principal proto.InternalMessageInfo + +type isPrincipal_Identifier interface { + isPrincipal_Identifier() +} + +type Principal_AndIds struct { + AndIds *Principal_Set `protobuf:"bytes,1,opt,name=and_ids,json=andIds,proto3,oneof"` +} + +type Principal_OrIds struct { + OrIds *Principal_Set `protobuf:"bytes,2,opt,name=or_ids,json=orIds,proto3,oneof"` +} + +type Principal_Any struct { + Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"` +} + +type Principal_Authenticated_ struct { + Authenticated *Principal_Authenticated `protobuf:"bytes,4,opt,name=authenticated,proto3,oneof"` +} + +type Principal_SourceIp struct { + SourceIp *core.CidrRange `protobuf:"bytes,5,opt,name=source_ip,json=sourceIp,proto3,oneof"` +} + +type Principal_Header struct { + Header *route.HeaderMatcher `protobuf:"bytes,6,opt,name=header,proto3,oneof"` +} + +type Principal_UrlPath struct { + UrlPath *matcher.PathMatcher `protobuf:"bytes,9,opt,name=url_path,json=urlPath,proto3,oneof"` +} + +type 
Principal_Metadata struct { + Metadata *matcher.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"` +} + +type Principal_NotId struct { + NotId *Principal `protobuf:"bytes,8,opt,name=not_id,json=notId,proto3,oneof"` +} + +func (*Principal_AndIds) isPrincipal_Identifier() {} + +func (*Principal_OrIds) isPrincipal_Identifier() {} + +func (*Principal_Any) isPrincipal_Identifier() {} + +func (*Principal_Authenticated_) isPrincipal_Identifier() {} + +func (*Principal_SourceIp) isPrincipal_Identifier() {} + +func (*Principal_Header) isPrincipal_Identifier() {} + +func (*Principal_UrlPath) isPrincipal_Identifier() {} + +func (*Principal_Metadata) isPrincipal_Identifier() {} + +func (*Principal_NotId) isPrincipal_Identifier() {} + +func (m *Principal) GetIdentifier() isPrincipal_Identifier { + if m != nil { + return m.Identifier + } + return nil +} + +func (m *Principal) GetAndIds() *Principal_Set { + if x, ok := m.GetIdentifier().(*Principal_AndIds); ok { + return x.AndIds + } + return nil +} + +func (m *Principal) GetOrIds() *Principal_Set { + if x, ok := m.GetIdentifier().(*Principal_OrIds); ok { + return x.OrIds + } + return nil +} + +func (m *Principal) GetAny() bool { + if x, ok := m.GetIdentifier().(*Principal_Any); ok { + return x.Any + } + return false +} + +func (m *Principal) GetAuthenticated() *Principal_Authenticated { + if x, ok := m.GetIdentifier().(*Principal_Authenticated_); ok { + return x.Authenticated + } + return nil +} + +func (m *Principal) GetSourceIp() *core.CidrRange { + if x, ok := m.GetIdentifier().(*Principal_SourceIp); ok { + return x.SourceIp + } + return nil +} + +func (m *Principal) GetHeader() *route.HeaderMatcher { + if x, ok := m.GetIdentifier().(*Principal_Header); ok { + return x.Header + } + return nil +} + +func (m *Principal) GetUrlPath() *matcher.PathMatcher { + if x, ok := m.GetIdentifier().(*Principal_UrlPath); ok { + return x.UrlPath + } + return nil +} + +func (m *Principal) GetMetadata() 
*matcher.MetadataMatcher { + if x, ok := m.GetIdentifier().(*Principal_Metadata); ok { + return x.Metadata + } + return nil +} + +func (m *Principal) GetNotId() *Principal { + if x, ok := m.GetIdentifier().(*Principal_NotId); ok { + return x.NotId + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*Principal) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*Principal_AndIds)(nil), + (*Principal_OrIds)(nil), + (*Principal_Any)(nil), + (*Principal_Authenticated_)(nil), + (*Principal_SourceIp)(nil), + (*Principal_Header)(nil), + (*Principal_UrlPath)(nil), + (*Principal_Metadata)(nil), + (*Principal_NotId)(nil), + } +} + +type Principal_Set struct { + Ids []*Principal `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Principal_Set) Reset() { *m = Principal_Set{} } +func (m *Principal_Set) String() string { return proto.CompactTextString(m) } +func (*Principal_Set) ProtoMessage() {} +func (*Principal_Set) Descriptor() ([]byte, []int) { + return fileDescriptor_e8a2b527e1e731e1, []int{3, 0} +} + +func (m *Principal_Set) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Principal_Set.Unmarshal(m, b) +} +func (m *Principal_Set) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Principal_Set.Marshal(b, m, deterministic) +} +func (m *Principal_Set) XXX_Merge(src proto.Message) { + xxx_messageInfo_Principal_Set.Merge(m, src) +} +func (m *Principal_Set) XXX_Size() int { + return xxx_messageInfo_Principal_Set.Size(m) +} +func (m *Principal_Set) XXX_DiscardUnknown() { + xxx_messageInfo_Principal_Set.DiscardUnknown(m) +} + +var xxx_messageInfo_Principal_Set proto.InternalMessageInfo + +func (m *Principal_Set) GetIds() []*Principal { + if m != nil { + return m.Ids + } + return nil +} + +type Principal_Authenticated struct { + PrincipalName 
*matcher.StringMatcher `protobuf:"bytes,2,opt,name=principal_name,json=principalName,proto3" json:"principal_name,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Principal_Authenticated) Reset() { *m = Principal_Authenticated{} } +func (m *Principal_Authenticated) String() string { return proto.CompactTextString(m) } +func (*Principal_Authenticated) ProtoMessage() {} +func (*Principal_Authenticated) Descriptor() ([]byte, []int) { + return fileDescriptor_e8a2b527e1e731e1, []int{3, 1} +} + +func (m *Principal_Authenticated) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Principal_Authenticated.Unmarshal(m, b) +} +func (m *Principal_Authenticated) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Principal_Authenticated.Marshal(b, m, deterministic) +} +func (m *Principal_Authenticated) XXX_Merge(src proto.Message) { + xxx_messageInfo_Principal_Authenticated.Merge(m, src) +} +func (m *Principal_Authenticated) XXX_Size() int { + return xxx_messageInfo_Principal_Authenticated.Size(m) +} +func (m *Principal_Authenticated) XXX_DiscardUnknown() { + xxx_messageInfo_Principal_Authenticated.DiscardUnknown(m) +} + +var xxx_messageInfo_Principal_Authenticated proto.InternalMessageInfo + +func (m *Principal_Authenticated) GetPrincipalName() *matcher.StringMatcher { + if m != nil { + return m.PrincipalName + } + return nil +} + +func init() { + proto.RegisterEnum("envoy.config.rbac.v2.RBAC_Action", RBAC_Action_name, RBAC_Action_value) + proto.RegisterType((*RBAC)(nil), "envoy.config.rbac.v2.RBAC") + proto.RegisterMapType((map[string]*Policy)(nil), "envoy.config.rbac.v2.RBAC.PoliciesEntry") + proto.RegisterType((*Policy)(nil), "envoy.config.rbac.v2.Policy") + proto.RegisterType((*Permission)(nil), "envoy.config.rbac.v2.Permission") + proto.RegisterType((*Permission_Set)(nil), "envoy.config.rbac.v2.Permission.Set") + 
proto.RegisterType((*Principal)(nil), "envoy.config.rbac.v2.Principal") + proto.RegisterType((*Principal_Set)(nil), "envoy.config.rbac.v2.Principal.Set") + proto.RegisterType((*Principal_Authenticated)(nil), "envoy.config.rbac.v2.Principal.Authenticated") +} + +func init() { proto.RegisterFile("envoy/config/rbac/v2/rbac.proto", fileDescriptor_e8a2b527e1e731e1) } + +var fileDescriptor_e8a2b527e1e731e1 = []byte{ + // 957 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x55, 0xdd, 0x8e, 0xdb, 0x44, + 0x18, 0x8d, 0x9d, 0xc4, 0x6b, 0x7f, 0xab, 0x94, 0x30, 0x80, 0xb0, 0x02, 0x65, 0xd3, 0x14, 0xa4, + 0x80, 0x84, 0xad, 0x06, 0x09, 0xb5, 0x6c, 0x41, 0xc4, 0xdb, 0x15, 0x09, 0xda, 0x96, 0xc8, 0x2b, + 0x54, 0xf5, 0x2a, 0x9a, 0xb5, 0xa7, 0xc9, 0x40, 0x32, 0x63, 0xc6, 0xe3, 0x68, 0x73, 0x07, 0xaf, + 0xc0, 0xe3, 0xf0, 0x04, 0xdc, 0x72, 0x8f, 0xc4, 0x3d, 0x4f, 0x80, 0xf6, 0xa6, 0x68, 0xc6, 0x76, + 0x7e, 0xa4, 0xb4, 0x69, 0x04, 0x37, 0x89, 0xe5, 0x39, 0xe7, 0xcc, 0x37, 0xdf, 0x9c, 0xf3, 0x19, + 0x4e, 0x08, 0x5b, 0xf0, 0xa5, 0x1f, 0x71, 0xf6, 0x9c, 0x4e, 0x7c, 0x71, 0x85, 0x23, 0x7f, 0xd1, + 0xd3, 0xff, 0x5e, 0x22, 0xb8, 0xe4, 0xe8, 0x6d, 0x0d, 0xf0, 0x72, 0x80, 0xa7, 0x17, 0x16, 0xbd, + 0x56, 0x41, 0xc3, 0x09, 0x55, 0xf0, 0x88, 0x0b, 0xe2, 0xe3, 0x38, 0x16, 0x24, 0x4d, 0x73, 0x5a, + 0xeb, 0xe3, 0x2d, 0x80, 0xe0, 0x99, 0x24, 0xf9, 0xef, 0x38, 0xe2, 0xf3, 0x84, 0x33, 0xc2, 0x64, + 0x09, 0xbd, 0x93, 0x43, 0xe5, 0x32, 0x21, 0xfe, 0x1c, 0xcb, 0x68, 0x4a, 0x84, 0x3f, 0x27, 0x12, + 0xc7, 0x58, 0xe2, 0x02, 0x72, 0x7b, 0x07, 0x24, 0xc1, 0x72, 0x5a, 0x2c, 0x9f, 0xec, 0x58, 0x4e, + 0xa5, 0xa0, 0x6c, 0x52, 0x00, 0x3e, 0x9a, 0x70, 0x3e, 0x99, 0x11, 0x5d, 0x0e, 0xb9, 0x4e, 0x84, + 0xbf, 0xb8, 0x87, 0x67, 0xc9, 0x14, 0xdf, 0xf3, 0xd3, 0x25, 0x93, 0xf8, 0xba, 0xdc, 0x26, 0x8b, + 0x13, 0xec, 0x63, 0xc6, 0xb8, 0xc4, 0x92, 0x72, 0x96, 0xfa, 0xa9, 0xc4, 0x32, 0x2b, 0x0b, 0x7d, + 0x77, 0x81, 0x67, 0x34, 0xc6, 0x92, 0xf8, 0xe5, 0x43, 0xbe, 0xd0, 
0xf9, 0xc5, 0x84, 0x5a, 0x18, + 0xf4, 0xcf, 0xd0, 0x03, 0xb0, 0x70, 0xa4, 0x98, 0xae, 0xd1, 0x36, 0xba, 0xb7, 0x7a, 0x77, 0xbc, + 0x5d, 0xdd, 0xf3, 0x14, 0xd6, 0xeb, 0x6b, 0x60, 0x58, 0x10, 0xd0, 0x23, 0xb0, 0x13, 0x3e, 0xa3, + 0x11, 0x25, 0xa9, 0x6b, 0xb6, 0xab, 0xdd, 0xe3, 0x5e, 0xf7, 0x15, 0xe4, 0x51, 0x01, 0x3d, 0x67, + 0x52, 0x2c, 0xc3, 0x15, 0xb3, 0xf5, 0x0c, 0x1a, 0x5b, 0x4b, 0xa8, 0x09, 0xd5, 0x1f, 0xc9, 0x52, + 0x97, 0xe3, 0x84, 0xea, 0x11, 0xf5, 0xa0, 0xbe, 0xc0, 0xb3, 0x8c, 0xb8, 0x66, 0xdb, 0xe8, 0x1e, + 0xf7, 0xde, 0xdf, 0xbd, 0x8b, 0x56, 0x59, 0x86, 0x39, 0xf4, 0x0b, 0xf3, 0xbe, 0xd1, 0xb9, 0x0d, + 0x56, 0x5e, 0x32, 0x72, 0xa0, 0xde, 0xbf, 0xb8, 0xf8, 0xee, 0x69, 0xb3, 0x82, 0x6c, 0xa8, 0x3d, + 0x3a, 0x7f, 0xf2, 0xac, 0x69, 0x74, 0xfe, 0x32, 0xc0, 0xca, 0x49, 0xe8, 0x02, 0x8e, 0x13, 0x22, + 0xe6, 0x34, 0x4d, 0x55, 0x0f, 0x5d, 0x43, 0x9f, 0xa6, 0xfd, 0x92, 0x7d, 0x56, 0xc0, 0xc0, 0xbe, + 0x09, 0xea, 0xbf, 0x1a, 0xa6, 0x6d, 0x84, 0x9b, 0x74, 0x34, 0x04, 0x48, 0x04, 0x65, 0x11, 0x4d, + 0xf0, 0xac, 0x6c, 0xcd, 0xc9, 0x4b, 0xc4, 0x4a, 0xdc, 0x86, 0xd6, 0x06, 0x19, 0x3d, 0x04, 0x27, + 0xe2, 0x2c, 0xa6, 0xfa, 0x86, 0xaa, 0xfa, 0xf8, 0x1f, 0x78, 0xb9, 0x35, 0x3c, 0x9c, 0x50, 0x4f, + 0x59, 0xc3, 0x2b, 0xad, 0xe1, 0x9d, 0x5f, 0x27, 0x22, 0x5c, 0x13, 0x3a, 0x7f, 0xd6, 0x01, 0xd6, + 0xe5, 0xa2, 0x33, 0x70, 0x30, 0x8b, 0xc7, 0x22, 0x9b, 0x91, 0x54, 0xf7, 0xf7, 0xb8, 0xf7, 0xe1, + 0xbe, 0x33, 0x7a, 0x97, 0x44, 0x0e, 0x2a, 0xa1, 0x8d, 0x59, 0x1c, 0x2a, 0x1e, 0xea, 0x83, 0xcd, + 0x45, 0xa1, 0x61, 0x1e, 0xa4, 0x71, 0xc4, 0x45, 0x2e, 0xf1, 0x1e, 0x54, 0x31, 0x5b, 0xea, 0xe3, + 0xd8, 0xc1, 0xd1, 0x4d, 0x50, 0xfb, 0xc1, 0xb4, 0x8d, 0x41, 0x25, 0x54, 0x6f, 0xd1, 0x29, 0x58, + 0x53, 0x82, 0x63, 0x22, 0xdc, 0x9a, 0x56, 0x2f, 0x0d, 0xa9, 0x4e, 0xbb, 0xe8, 0x79, 0x3a, 0x91, + 0xde, 0x40, 0x23, 0x1e, 0xe7, 0xc1, 0x19, 0x54, 0xc2, 0x82, 0x82, 0x1e, 0x82, 0x9d, 0x89, 0xd9, + 0x58, 0x05, 0xcd, 0x05, 0x4d, 0x2f, 0xfb, 0xae, 0x92, 0xe6, 0x15, 0x49, 0xf3, 0x46, 0x58, 0x4e, + 0xd7, 
0xe4, 0xa3, 0x4c, 0xcc, 0xd4, 0x1b, 0x74, 0x0e, 0xb7, 0x62, 0x92, 0x4a, 0xca, 0x74, 0x94, + 0xc6, 0x34, 0x71, 0xeb, 0x5b, 0x86, 0x2b, 0x4a, 0x50, 0xb3, 0xc3, 0x3b, 0xa3, 0xb1, 0x08, 0x31, + 0x9b, 0x90, 0x41, 0x25, 0x6c, 0x6c, 0xb0, 0x86, 0x09, 0xfa, 0x1c, 0x9a, 0x9b, 0x32, 0x09, 0x17, + 0xd2, 0xb5, 0xda, 0x46, 0xb7, 0x11, 0x38, 0x37, 0x81, 0xf5, 0x49, 0xcd, 0x7d, 0xf1, 0xa2, 0x3a, + 0xa8, 0x84, 0x6f, 0x6c, 0x80, 0x46, 0x5c, 0x48, 0xd5, 0xd9, 0x72, 0x88, 0xb8, 0x47, 0x7a, 0xe3, + 0xbb, 0xbb, 0x8a, 0x7f, 0x5c, 0x60, 0xd6, 0x07, 0x58, 0xd1, 0xd0, 0x97, 0x60, 0x33, 0x2e, 0xf5, + 0xed, 0xb8, 0xb6, 0x96, 0xd8, 0x6b, 0x62, 0xd5, 0x00, 0xc6, 0xa5, 0xba, 0x19, 0xf4, 0x14, 0xde, + 0x11, 0xe4, 0xa7, 0x8c, 0xa4, 0x92, 0xc4, 0xe3, 0x94, 0x88, 0x05, 0x11, 0x63, 0x86, 0xe7, 0xc4, + 0x75, 0xb6, 0xae, 0x62, 0xab, 0x9c, 0x4b, 0x3d, 0xb5, 0xd6, 0xc5, 0xbc, 0xb5, 0x52, 0xb8, 0xd4, + 0x02, 0x4f, 0xf0, 0x9c, 0xb4, 0xbe, 0x81, 0xea, 0x25, 0x91, 0xe8, 0x6b, 0xa8, 0x97, 0xe6, 0x3b, + 0x34, 0x60, 0x39, 0x31, 0x38, 0x86, 0x9a, 0x7a, 0x40, 0xd5, 0x7f, 0x02, 0xa3, 0xf3, 0x77, 0x1d, + 0x9c, 0x55, 0x80, 0xd0, 0x57, 0x70, 0xa4, 0xdc, 0x4d, 0xe3, 0xd2, 0xdb, 0x77, 0xf7, 0x44, 0xae, + 0xb0, 0xa5, 0x85, 0x59, 0x3c, 0x8c, 0x55, 0xd4, 0x2c, 0x2e, 0x34, 0xdd, 0x3c, 0x84, 0x5e, 0xe7, + 0x42, 0xb1, 0x5f, 0xe9, 0xe9, 0xef, 0xa1, 0x81, 0x33, 0x39, 0x25, 0x4c, 0xd2, 0x08, 0x4b, 0x12, + 0x17, 0xd6, 0xfe, 0x74, 0xdf, 0x0e, 0xfd, 0x4d, 0x92, 0x32, 0xda, 0x96, 0x0a, 0x3a, 0x05, 0x27, + 0xe5, 0x99, 0x88, 0xc8, 0xeb, 0x5b, 0xd5, 0xce, 0x09, 0xc3, 0x64, 0x23, 0x67, 0xd6, 0x7f, 0xcb, + 0x99, 0x73, 0x70, 0xce, 0xfe, 0x07, 0xa3, 0xdf, 0x07, 0x4b, 0x19, 0x9d, 0xc6, 0x85, 0xcd, 0xf7, + 0x8d, 0x57, 0x75, 0x51, 0x8c, 0xcb, 0x61, 0xdc, 0x0a, 0x72, 0x2b, 0x9e, 0x42, 0x35, 0x77, 0xca, + 0x81, 0xc3, 0x59, 0xb1, 0x5a, 0x63, 0x68, 0x6c, 0x5d, 0x0d, 0x1a, 0xc0, 0xad, 0xd5, 0xd0, 0xce, + 0x13, 0x63, 0xbe, 0x66, 0x62, 0xc2, 0xc6, 0x8a, 0xa8, 0x92, 0xf2, 0x6d, 0xcd, 0x36, 0x9a, 0x66, + 0xf0, 0x26, 0x00, 0x8d, 0x95, 0xfc, 0x73, 
0x4a, 0x84, 0x36, 0x7b, 0xf0, 0xe0, 0xb7, 0x9f, 0x7f, + 0xff, 0xc3, 0x32, 0x9b, 0x06, 0x74, 0x28, 0xcf, 0x65, 0x13, 0xc1, 0xaf, 0x97, 0x3b, 0x4b, 0x0f, + 0x9c, 0xf0, 0x0a, 0x47, 0x23, 0xf5, 0xa9, 0x1f, 0x19, 0x57, 0x96, 0xfe, 0xe6, 0x7f, 0xf6, 0x6f, + 0x00, 0x00, 0x00, 0xff, 0xff, 0x8e, 0x7d, 0x24, 0x7e, 0x3a, 0x09, 0x00, 0x00, +} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2/rbac.pb.validate.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2/rbac.pb.validate.go new file mode 100644 index 0000000000..c7a492e95d --- /dev/null +++ b/vendor/github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2/rbac.pb.validate.go 
@@ -0,0 +1,856 @@ +// Code generated by protoc-gen-validate. DO NOT EDIT. +// source: envoy/config/rbac/v2/rbac.proto + +package envoy_config_rbac_v2 + +import ( + "bytes" + "errors" + "fmt" + "net" + "net/mail" + "net/url" + "regexp" + "strings" + "time" + "unicode/utf8" + + "github.com/golang/protobuf/ptypes" +) + +// ensure the imports are used +var ( + _ = bytes.MinRead + _ = errors.New("") + _ = fmt.Print + _ = utf8.UTFMax + _ = (*regexp.Regexp)(nil) + _ = (*strings.Reader)(nil) + _ = net.IPv4len + _ = time.Duration(0) + _ = (*url.URL)(nil) + _ = (*mail.Address)(nil) + _ = ptypes.DynamicAny{} +) + +// define the regex for a UUID once up-front +var _rbac_uuidPattern = regexp.MustCompile("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") + +// Validate checks the field values on RBAC with the rules defined in the proto +// definition for this message. If any rules are violated, an error is returned. +func (m *RBAC) Validate() error { + if m == nil { + return nil + } + + // no validation rules for Action + + for key, val := range m.GetPolicies() { + _ = val + + // no validation rules for Policies[key] + + if v, ok := interface{}(val).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return RBACValidationError{ + field: fmt.Sprintf("Policies[%v]", key), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + return nil +} + +// RBACValidationError is the validation error returned by RBAC.Validate if the +// designated constraints aren't met. +type RBACValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e RBACValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e RBACValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. 
+func (e RBACValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e RBACValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e RBACValidationError) ErrorName() string { return "RBACValidationError" } + +// Error satisfies the builtin error interface +func (e RBACValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sRBAC.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = RBACValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = RBACValidationError{} + +// Validate checks the field values on Policy with the rules defined in the +// proto definition for this message. If any rules are violated, an error is returned. +func (m *Policy) Validate() error { + if m == nil { + return nil + } + + if len(m.GetPermissions()) < 1 { + return PolicyValidationError{ + field: "Permissions", + reason: "value must contain at least 1 item(s)", + } + } + + for idx, item := range m.GetPermissions() { + _, _ = idx, item + + if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PolicyValidationError{ + field: fmt.Sprintf("Permissions[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if len(m.GetPrincipals()) < 1 { + return PolicyValidationError{ + field: "Principals", + reason: "value must contain at least 1 item(s)", + } + } + + for idx, item := range m.GetPrincipals() { + _, _ = idx, item + + if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PolicyValidationError{ + field: fmt.Sprintf("Principals[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + if 
v, ok := interface{}(m.GetCondition()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PolicyValidationError{ + field: "Condition", + reason: "embedded message failed validation", + cause: err, + } + } + } + + return nil +} + +// PolicyValidationError is the validation error returned by Policy.Validate if +// the designated constraints aren't met. +type PolicyValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e PolicyValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e PolicyValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e PolicyValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e PolicyValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e PolicyValidationError) ErrorName() string { return "PolicyValidationError" } + +// Error satisfies the builtin error interface +func (e PolicyValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sPolicy.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = PolicyValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = PolicyValidationError{} + +// Validate checks the field values on Permission with the rules defined in the +// proto definition for this message. If any rules are violated, an error is returned. 
+func (m *Permission) Validate() error { + if m == nil { + return nil + } + + switch m.Rule.(type) { + + case *Permission_AndRules: + + if v, ok := interface{}(m.GetAndRules()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PermissionValidationError{ + field: "AndRules", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Permission_OrRules: + + if v, ok := interface{}(m.GetOrRules()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PermissionValidationError{ + field: "OrRules", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Permission_Any: + + if m.GetAny() != true { + return PermissionValidationError{ + field: "Any", + reason: "value must equal true", + } + } + + case *Permission_Header: + + if v, ok := interface{}(m.GetHeader()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PermissionValidationError{ + field: "Header", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Permission_UrlPath: + + if v, ok := interface{}(m.GetUrlPath()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PermissionValidationError{ + field: "UrlPath", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Permission_DestinationIp: + + if v, ok := interface{}(m.GetDestinationIp()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PermissionValidationError{ + field: "DestinationIp", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Permission_DestinationPort: + + if m.GetDestinationPort() > 65535 { + return PermissionValidationError{ + field: "DestinationPort", + reason: "value must be less than or equal to 65535", + } + } + + case *Permission_Metadata: + + if v, ok := interface{}(m.GetMetadata()).(interface{ Validate() error }); ok { + if 
err := v.Validate(); err != nil { + return PermissionValidationError{ + field: "Metadata", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Permission_NotRule: + + if v, ok := interface{}(m.GetNotRule()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PermissionValidationError{ + field: "NotRule", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Permission_RequestedServerName: + + if v, ok := interface{}(m.GetRequestedServerName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PermissionValidationError{ + field: "RequestedServerName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + default: + return PermissionValidationError{ + field: "Rule", + reason: "value is required", + } + + } + + return nil +} + +// PermissionValidationError is the validation error returned by +// Permission.Validate if the designated constraints aren't met. +type PermissionValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e PermissionValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e PermissionValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e PermissionValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e PermissionValidationError) Key() bool { return e.key } + +// ErrorName returns error name. 
+func (e PermissionValidationError) ErrorName() string { return "PermissionValidationError" } + +// Error satisfies the builtin error interface +func (e PermissionValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sPermission.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = PermissionValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = PermissionValidationError{} + +// Validate checks the field values on Principal with the rules defined in the +// proto definition for this message. If any rules are violated, an error is returned. +func (m *Principal) Validate() error { + if m == nil { + return nil + } + + switch m.Identifier.(type) { + + case *Principal_AndIds: + + if v, ok := interface{}(m.GetAndIds()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PrincipalValidationError{ + field: "AndIds", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Principal_OrIds: + + if v, ok := interface{}(m.GetOrIds()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PrincipalValidationError{ + field: "OrIds", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Principal_Any: + + if m.GetAny() != true { + return PrincipalValidationError{ + field: "Any", + reason: "value must equal true", + } + } + + case *Principal_Authenticated_: + + if v, ok := interface{}(m.GetAuthenticated()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PrincipalValidationError{ + field: "Authenticated", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Principal_SourceIp: + + if v, ok := interface{}(m.GetSourceIp()).(interface{ Validate() error 
}); ok { + if err := v.Validate(); err != nil { + return PrincipalValidationError{ + field: "SourceIp", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Principal_Header: + + if v, ok := interface{}(m.GetHeader()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PrincipalValidationError{ + field: "Header", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Principal_UrlPath: + + if v, ok := interface{}(m.GetUrlPath()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PrincipalValidationError{ + field: "UrlPath", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Principal_Metadata: + + if v, ok := interface{}(m.GetMetadata()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PrincipalValidationError{ + field: "Metadata", + reason: "embedded message failed validation", + cause: err, + } + } + } + + case *Principal_NotId: + + if v, ok := interface{}(m.GetNotId()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return PrincipalValidationError{ + field: "NotId", + reason: "embedded message failed validation", + cause: err, + } + } + } + + default: + return PrincipalValidationError{ + field: "Identifier", + reason: "value is required", + } + + } + + return nil +} + +// PrincipalValidationError is the validation error returned by +// Principal.Validate if the designated constraints aren't met. +type PrincipalValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e PrincipalValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e PrincipalValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. 
+func (e PrincipalValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e PrincipalValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e PrincipalValidationError) ErrorName() string { return "PrincipalValidationError" } + +// Error satisfies the builtin error interface +func (e PrincipalValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sPrincipal.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = PrincipalValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = PrincipalValidationError{} + +// Validate checks the field values on Permission_Set with the rules defined in +// the proto definition for this message. If any rules are violated, an error +// is returned. +func (m *Permission_Set) Validate() error { + if m == nil { + return nil + } + + if len(m.GetRules()) < 1 { + return Permission_SetValidationError{ + field: "Rules", + reason: "value must contain at least 1 item(s)", + } + } + + for idx, item := range m.GetRules() { + _, _ = idx, item + + if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return Permission_SetValidationError{ + field: fmt.Sprintf("Rules[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + return nil +} + +// Permission_SetValidationError is the validation error returned by +// Permission_Set.Validate if the designated constraints aren't met. +type Permission_SetValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e Permission_SetValidationError) Field() string { return e.field } + +// Reason function returns reason value. 
+func (e Permission_SetValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e Permission_SetValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e Permission_SetValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e Permission_SetValidationError) ErrorName() string { return "Permission_SetValidationError" } + +// Error satisfies the builtin error interface +func (e Permission_SetValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sPermission_Set.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = Permission_SetValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = Permission_SetValidationError{} + +// Validate checks the field values on Principal_Set with the rules defined in +// the proto definition for this message. If any rules are violated, an error +// is returned. +func (m *Principal_Set) Validate() error { + if m == nil { + return nil + } + + if len(m.GetIds()) < 1 { + return Principal_SetValidationError{ + field: "Ids", + reason: "value must contain at least 1 item(s)", + } + } + + for idx, item := range m.GetIds() { + _, _ = idx, item + + if v, ok := interface{}(item).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return Principal_SetValidationError{ + field: fmt.Sprintf("Ids[%v]", idx), + reason: "embedded message failed validation", + cause: err, + } + } + } + + } + + return nil +} + +// Principal_SetValidationError is the validation error returned by +// Principal_Set.Validate if the designated constraints aren't met. 
+type Principal_SetValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e Principal_SetValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e Principal_SetValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e Principal_SetValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e Principal_SetValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e Principal_SetValidationError) ErrorName() string { return "Principal_SetValidationError" } + +// Error satisfies the builtin error interface +func (e Principal_SetValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sPrincipal_Set.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = Principal_SetValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = Principal_SetValidationError{} + +// Validate checks the field values on Principal_Authenticated with the rules +// defined in the proto definition for this message. If any rules are +// violated, an error is returned. +func (m *Principal_Authenticated) Validate() error { + if m == nil { + return nil + } + + if v, ok := interface{}(m.GetPrincipalName()).(interface{ Validate() error }); ok { + if err := v.Validate(); err != nil { + return Principal_AuthenticatedValidationError{ + field: "PrincipalName", + reason: "embedded message failed validation", + cause: err, + } + } + } + + return nil +} + +// Principal_AuthenticatedValidationError is the validation error returned by +// Principal_Authenticated.Validate if the designated constraints aren't met. 
+type Principal_AuthenticatedValidationError struct { + field string + reason string + cause error + key bool +} + +// Field function returns field value. +func (e Principal_AuthenticatedValidationError) Field() string { return e.field } + +// Reason function returns reason value. +func (e Principal_AuthenticatedValidationError) Reason() string { return e.reason } + +// Cause function returns cause value. +func (e Principal_AuthenticatedValidationError) Cause() error { return e.cause } + +// Key function returns key value. +func (e Principal_AuthenticatedValidationError) Key() bool { return e.key } + +// ErrorName returns error name. +func (e Principal_AuthenticatedValidationError) ErrorName() string { + return "Principal_AuthenticatedValidationError" +} + +// Error satisfies the builtin error interface +func (e Principal_AuthenticatedValidationError) Error() string { + cause := "" + if e.cause != nil { + cause = fmt.Sprintf(" | caused by: %v", e.cause) + } + + key := "" + if e.key { + key = "key for " + } + + return fmt.Sprintf( + "invalid %sPrincipal_Authenticated.%s: %s%s", + key, + e.field, + e.reason, + cause) +} + +var _ error = Principal_AuthenticatedValidationError{} + +var _ interface { + Field() string + Reason() string + Key() bool + Cause() error + ErrorName() string +} = Principal_AuthenticatedValidationError{} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha/external_auth.pb.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha/external_auth.pb.go deleted file mode 100644 index 7e392f730c..0000000000 --- a/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha/external_auth.pb.go +++ /dev/null 
@@ -1,125 +0,0 @@ -// Code generated by protoc-gen-go. DO NOT EDIT. -// source: envoy/service/auth/v2alpha/external_auth.proto - -package envoy_service_auth_v2alpha - -import ( - context "context" - fmt "fmt" - v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" - proto "github.com/golang/protobuf/proto" - grpc "google.golang.org/grpc" - codes "google.golang.org/grpc/codes" - status "google.golang.org/grpc/status" - math "math" -) - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the proto package it is being compiled against. -// A compilation error at this line likely means your copy of the -// proto package needs to be updated. -const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package - -func init() { - proto.RegisterFile("envoy/service/auth/v2alpha/external_auth.proto", fileDescriptor_878c0ddb0c43de8d) -} - -var fileDescriptor_878c0ddb0c43de8d = []byte{ - // 176 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0xce, 0xb1, 0x0e, 0x82, 0x30, - 0x10, 0x06, 0xe0, 0x30, 0xe8, 0xd0, 0xc4, 0x85, 0x91, 0x55, 0x07, 0x5d, 0xae, 0x09, 0x8e, 0x4e, - 0xc2, 0x0b, 0x10, 0x5e, 0xc0, 0x54, 0x72, 0x49, 0x1b, 0x49, 0xaf, 0xb6, 0x07, 0x01, 0x9f, 0xc0, - 0xc7, 0x36, 0x54, 0xc6, 0xea, 0x7a, 0xff, 0x97, 0xff, 0x7e, 0x01, 0x68, 0x47, 0x9a, 0x65, 0x40, - 0x3f, 0x9a, 0x0e, 0xa5, 0x1a, 0x58, 0xcb, 0xb1, 0x54, 0xbd, 0xd3, 0x4a, 0xe2, 0xc4, 0xe8, 0xad, - 0xea, 0x6f, 0xcb, 0x15, 0x9c, 0x27, 0xa6, 0xbc, 0x88, 0x1e, 0x56, 0x0f, 0x31, 0x59, 0x7d, 0x71, - 0x4a, 0x76, 0xa5, 0x6a, 0xca, 0x4e, 0xec, 0xae, 0x03, 0x6b, 0xf2, 0xe6, 0xa5, 0xd8, 0x90, 0xcd, - 0x5b, 0xb1, 0xa9, 0x35, 0x76, 0x8f, 0x7c, 0x0f, 0xc9, 0x0f, 0x10, 0xd3, 0x16, 0x9f, 0x03, 0x06, - 0x2e, 0x0e, 0xff, 0x51, 0x70, 0x64, 0x03, 0x56, 0x17, 0x71, 0x34, 0xf4, 0x95, 
0xce, 0xd3, 0x34, - 0xc3, 0xef, 0xed, 0x95, 0xa8, 0xd1, 0x73, 0x68, 0x96, 0x71, 0x4d, 0xf6, 0xce, 0xb2, 0xfb, 0x36, - 0x0e, 0x3d, 0x7f, 0x02, 0x00, 0x00, 0xff, 0xff, 0xed, 0xe3, 0x41, 0xb2, 0x21, 0x01, 0x00, 0x00, -} - -// Reference imports to suppress errors if they are not otherwise used. -var _ context.Context -var _ grpc.ClientConn - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -const _ = grpc.SupportPackageIsVersion4 - -// AuthorizationClient is the client API for Authorization service. -// -// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. -type AuthorizationClient interface { - Check(ctx context.Context, in *v2.CheckRequest, opts ...grpc.CallOption) (*v2.CheckResponse, error) -} - -type authorizationClient struct { - cc *grpc.ClientConn -} - -func NewAuthorizationClient(cc *grpc.ClientConn) AuthorizationClient { - return &authorizationClient{cc} -} - -func (c *authorizationClient) Check(ctx context.Context, in *v2.CheckRequest, opts ...grpc.CallOption) (*v2.CheckResponse, error) { - out := new(v2.CheckResponse) - err := c.cc.Invoke(ctx, "/envoy.service.auth.v2alpha.Authorization/Check", in, out, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -// AuthorizationServer is the server API for Authorization service. -type AuthorizationServer interface { - Check(context.Context, *v2.CheckRequest) (*v2.CheckResponse, error) -} - -// UnimplementedAuthorizationServer can be embedded to have forward compatible implementations. 
-type UnimplementedAuthorizationServer struct { -} - -func (*UnimplementedAuthorizationServer) Check(ctx context.Context, req *v2.CheckRequest) (*v2.CheckResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method Check not implemented") -} - -func RegisterAuthorizationServer(s *grpc.Server, srv AuthorizationServer) { - s.RegisterService(&_Authorization_serviceDesc, srv) -} - -func _Authorization_Check_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(v2.CheckRequest) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(AuthorizationServer).Check(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/envoy.service.auth.v2alpha.Authorization/Check", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(AuthorizationServer).Check(ctx, req.(*v2.CheckRequest)) - } - return interceptor(ctx, in, info, handler) -} - -var _Authorization_serviceDesc = grpc.ServiceDesc{ - ServiceName: "envoy.service.auth.v2alpha.Authorization", - HandlerType: (*AuthorizationServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "Check", - Handler: _Authorization_Check_Handler, - }, - }, - Streams: []grpc.StreamDesc{}, - Metadata: "envoy/service/auth/v2alpha/external_auth.proto", -} diff --git a/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha/external_auth.pb.validate.go b/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha/external_auth.pb.validate.go deleted file mode 100644 index c52620a2dd..0000000000 --- a/vendor/github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha/external_auth.pb.validate.go +++ /dev/null 
@@ -1,37 +0,0 @@ -// Code generated by protoc-gen-validate. DO NOT EDIT. -// source: envoy/service/auth/v2alpha/external_auth.proto - -package envoy_service_auth_v2alpha - -import ( - "bytes" - "errors" - "fmt" - "net" - "net/mail" - "net/url" - "regexp" - "strings" - "time" - "unicode/utf8" - - "github.com/golang/protobuf/ptypes" -) - -// ensure the imports are used -var ( - _ = bytes.MinRead - _ = errors.New("") - _ = fmt.Print - _ = utf8.UTFMax - _ = (*regexp.Regexp)(nil) - _ = (*strings.Reader)(nil) - _ = net.IPv4len - _ = time.Duration(0) - _ = (*url.URL)(nil) - _ = (*mail.Address)(nil) - _ = ptypes.DynamicAny{} -) - -// define the regex for a UUID once up-front -var _external_auth_uuidPattern = regexp.MustCompile("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$") diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/cel_service.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/cel_service.pb.go new file mode 100644 index 0000000000..b516c4e81b --- /dev/null +++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/cel_service.pb.go 
@@ -0,0 +1,195 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: google/api/expr/v1alpha1/cel_service.proto + +package expr + +import ( + context "context" + fmt "fmt" + math "math" + + proto "github.com/golang/protobuf/proto" + grpc "google.golang.org/grpc" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +func init() { + proto.RegisterFile("google/api/expr/v1alpha1/cel_service.proto", fileDescriptor_f35b2125e64b6d66) +} + +var fileDescriptor_f35b2125e64b6d66 = []byte{ + // 240 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x8c, 0xd1, 0x31, 0x4b, 0xc4, 0x30, + 0x14, 0xc0, 0x71, 0x2b, 0xea, 0x90, 0x45, 0xc8, 0x24, 0x87, 0x93, 0xe0, 0x09, 0x0e, 0x09, 0x77, + 0x8e, 0x3a, 0xdd, 0xe1, 0x5e, 0x74, 0x10, 0x6e, 0x91, 0x67, 0x78, 0xe6, 0x82, 0x69, 0x5e, 0x4c, + 0x6a, 0xf1, 0xcb, 0xf8, 0x3d, 0x1d, 0x25, 0x69, 0xab, 0x88, 0xc4, 0xde, 0xd8, 0xbe, 0x5f, 0xfe, + 0x81, 0x17, 0x76, 0xa9, 0x89, 0xb4, 0x45, 0x09, 0xde, 0x48, 0x7c, 0xf7, 0x41, 0x76, 0x0b, 0xb0, + 0x7e, 0x0b, 0x0b, 0xa9, 0xd0, 0x3e, 0x46, 0x0c, 0x9d, 0x51, 0x28, 0x7c, 0xa0, 0x96, 0xf8, 0x49, + 0x6f, 0x05, 0x78, 0x23, 0x92, 0x15, 0xa3, 0x9d, 0x2d, 0xcb, 0x15, 0x72, 0xcf, 0x14, 0x1a, 0x70, + 0x0a, 0x7f, 0xd7, 0x96, 0x1f, 0xfb, 0x8c, 0xad, 0xd1, 0xde, 0xf7, 0x3f, 0xf9, 0x86, 0x1d, 0xd6, + 0x10, 0x22, 0xf2, 0xb9, 0x28, 0x5d, 0x23, 0x32, 0xb8, 0xc3, 0xd7, 0x37, 0x8c, 0xed, 0xec, 0x62, + 0xd2, 0x45, 0x4f, 0x2e, 0xe2, 0xd9, 0x5e, 0x6a, 0xaf, 0xb7, 0xa8, 0x5e, 0xfe, 0x6b, 0x67, 0xb0, + 0x43, 0x7b, 0x70, 0xdf, 0xed, 0x07, 0x76, 0x70, 0xdb, 0x81, 
0xe5, 0xe7, 0xe5, 0x23, 0x69, 0x3e, + 0x96, 0xe7, 0x53, 0x6c, 0x0c, 0xaf, 0x02, 0x3b, 0x55, 0xd4, 0x14, 0xf9, 0xea, 0xf8, 0x67, 0x79, + 0x75, 0x5a, 0x68, 0x5d, 0x6d, 0x6e, 0x06, 0xac, 0xc9, 0x82, 0xd3, 0x82, 0x82, 0x96, 0x1a, 0x5d, + 0x5e, 0xb7, 0xec, 0x47, 0xe0, 0x4d, 0xfc, 0xfb, 0x4a, 0xd7, 0xe9, 0xeb, 0xb3, 0xaa, 0x9e, 0x8e, + 0xb2, 0xbd, 0xfa, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x3e, 0x97, 0x50, 0xb8, 0x16, 0x02, 0x00, 0x00, +} + +// Reference imports to suppress errors if they are not otherwise used. +var _ context.Context +var _ grpc.ClientConn + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion4 + +// CelServiceClient is the client API for CelService service. +// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. +type CelServiceClient interface { + // Transforms CEL source text into a parsed representation. + Parse(ctx context.Context, in *ParseRequest, opts ...grpc.CallOption) (*ParseResponse, error) + // Runs static checks on a parsed CEL representation and return + // an annotated representation, or a set of issues. + Check(ctx context.Context, in *CheckRequest, opts ...grpc.CallOption) (*CheckResponse, error) + // Evaluates a parsed or annotation CEL representation given + // values of external bindings. + Eval(ctx context.Context, in *EvalRequest, opts ...grpc.CallOption) (*EvalResponse, error) +} + +type celServiceClient struct { + cc *grpc.ClientConn +} + +func NewCelServiceClient(cc *grpc.ClientConn) CelServiceClient { + return &celServiceClient{cc} +} + +func (c *celServiceClient) Parse(ctx context.Context, in *ParseRequest, opts ...grpc.CallOption) (*ParseResponse, error) { + out := new(ParseResponse) + err := c.cc.Invoke(ctx, "/google.api.expr.v1alpha1.CelService/Parse", in, out, opts...) 
+ if err != nil { + return nil, err + } + return out, nil +} + +func (c *celServiceClient) Check(ctx context.Context, in *CheckRequest, opts ...grpc.CallOption) (*CheckResponse, error) { + out := new(CheckResponse) + err := c.cc.Invoke(ctx, "/google.api.expr.v1alpha1.CelService/Check", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *celServiceClient) Eval(ctx context.Context, in *EvalRequest, opts ...grpc.CallOption) (*EvalResponse, error) { + out := new(EvalResponse) + err := c.cc.Invoke(ctx, "/google.api.expr.v1alpha1.CelService/Eval", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// CelServiceServer is the server API for CelService service. +type CelServiceServer interface { + // Transforms CEL source text into a parsed representation. + Parse(context.Context, *ParseRequest) (*ParseResponse, error) + // Runs static checks on a parsed CEL representation and return + // an annotated representation, or a set of issues. + Check(context.Context, *CheckRequest) (*CheckResponse, error) + // Evaluates a parsed or annotation CEL representation given + // values of external bindings. 
+ Eval(context.Context, *EvalRequest) (*EvalResponse, error) +} + +func RegisterCelServiceServer(s *grpc.Server, srv CelServiceServer) { + s.RegisterService(&_CelService_serviceDesc, srv) +} + +func _CelService_Parse_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ParseRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(CelServiceServer).Parse(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/google.api.expr.v1alpha1.CelService/Parse", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(CelServiceServer).Parse(ctx, req.(*ParseRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _CelService_Check_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(CheckRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(CelServiceServer).Check(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/google.api.expr.v1alpha1.CelService/Check", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(CelServiceServer).Check(ctx, req.(*CheckRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _CelService_Eval_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(EvalRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(CelServiceServer).Eval(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/google.api.expr.v1alpha1.CelService/Eval", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return 
srv.(CelServiceServer).Eval(ctx, req.(*EvalRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _CelService_serviceDesc = grpc.ServiceDesc{ + ServiceName: "google.api.expr.v1alpha1.CelService", + HandlerType: (*CelServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Parse", + Handler: _CelService_Parse_Handler, + }, + { + MethodName: "Check", + Handler: _CelService_Check_Handler, + }, + { + MethodName: "Eval", + Handler: _CelService_Eval_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "google/api/expr/v1alpha1/cel_service.proto", +} diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go new file mode 100644 index 0000000000..f6b2630110 --- /dev/null +++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/checked.pb.go 
@@ -0,0 +1,1144 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: google/api/expr/v1alpha1/checked.proto + +package expr + +import ( + fmt "fmt" + math "math" + + proto "github.com/golang/protobuf/proto" + empty "github.com/golang/protobuf/ptypes/empty" + _struct "github.com/golang/protobuf/ptypes/struct" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +// CEL primitive types. +type Type_PrimitiveType int32 + +const ( + // Unspecified type. + Type_PRIMITIVE_TYPE_UNSPECIFIED Type_PrimitiveType = 0 + // Boolean type. + Type_BOOL Type_PrimitiveType = 1 + // Int64 type. + // + // Proto-based integer values are widened to int64. + Type_INT64 Type_PrimitiveType = 2 + // Uint64 type. + // + // Proto-based unsigned integer values are widened to uint64. + Type_UINT64 Type_PrimitiveType = 3 + // Double type. + // + // Proto-based float values are widened to double values. + Type_DOUBLE Type_PrimitiveType = 4 + // String type. + Type_STRING Type_PrimitiveType = 5 + // Bytes type. 
+ Type_BYTES Type_PrimitiveType = 6 +) + +var Type_PrimitiveType_name = map[int32]string{ + 0: "PRIMITIVE_TYPE_UNSPECIFIED", + 1: "BOOL", + 2: "INT64", + 3: "UINT64", + 4: "DOUBLE", + 5: "STRING", + 6: "BYTES", +} + +var Type_PrimitiveType_value = map[string]int32{ + "PRIMITIVE_TYPE_UNSPECIFIED": 0, + "BOOL": 1, + "INT64": 2, + "UINT64": 3, + "DOUBLE": 4, + "STRING": 5, + "BYTES": 6, +} + +func (x Type_PrimitiveType) String() string { + return proto.EnumName(Type_PrimitiveType_name, int32(x)) +} + +func (Type_PrimitiveType) EnumDescriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{1, 0} +} + +// Well-known protobuf types treated with first-class support in CEL. +type Type_WellKnownType int32 + +const ( + // Unspecified type. + Type_WELL_KNOWN_TYPE_UNSPECIFIED Type_WellKnownType = 0 + // Well-known protobuf.Any type. + // + // Any types are a polymorphic message type. During type-checking they are + // treated like `DYN` types, but at runtime they are resolved to a specific + // message type specified at evaluation time. + Type_ANY Type_WellKnownType = 1 + // Well-known protobuf.Timestamp type, internally referenced as `timestamp`. + Type_TIMESTAMP Type_WellKnownType = 2 + // Well-known protobuf.Duration type, internally referenced as `duration`. + Type_DURATION Type_WellKnownType = 3 +) + +var Type_WellKnownType_name = map[int32]string{ + 0: "WELL_KNOWN_TYPE_UNSPECIFIED", + 1: "ANY", + 2: "TIMESTAMP", + 3: "DURATION", +} + +var Type_WellKnownType_value = map[string]int32{ + "WELL_KNOWN_TYPE_UNSPECIFIED": 0, + "ANY": 1, + "TIMESTAMP": 2, + "DURATION": 3, +} + +func (x Type_WellKnownType) String() string { + return proto.EnumName(Type_WellKnownType_name, int32(x)) +} + +func (Type_WellKnownType) EnumDescriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{1, 1} +} + +// A CEL expression which has been successfully type checked. +type CheckedExpr struct { + // A map from expression ids to resolved references. 
+ // + // The following entries are in this table: + // + // - An Ident or Select expression is represented here if it resolves to a + // declaration. For instance, if `a.b.c` is represented by + // `select(select(id(a), b), c)`, and `a.b` resolves to a declaration, + // while `c` is a field selection, then the reference is attached to the + // nested select expression (but not to the id or or the outer select). + // In turn, if `a` resolves to a declaration and `b.c` are field selections, + // the reference is attached to the ident expression. + // - Every Call expression has an entry here, identifying the function being + // called. + // - Every CreateStruct expression for a message has an entry, identifying + // the message. + ReferenceMap map[int64]*Reference `protobuf:"bytes,2,rep,name=reference_map,json=referenceMap,proto3" json:"reference_map,omitempty" protobuf_key:"varint,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + // A map from expression ids to types. + // + // Every expression node which has a type different than DYN has a mapping + // here. If an expression has type DYN, it is omitted from this map to save + // space. + TypeMap map[int64]*Type `protobuf:"bytes,3,rep,name=type_map,json=typeMap,proto3" json:"type_map,omitempty" protobuf_key:"varint,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + // The source info derived from input that generated the parsed `expr` and + // any optimizations made during the type-checking pass. + SourceInfo *SourceInfo `protobuf:"bytes,5,opt,name=source_info,json=sourceInfo,proto3" json:"source_info,omitempty"` + // The checked expression. Semantically equivalent to the parsed `expr`, but + // may have structural differences. 
+ Expr *Expr `protobuf:"bytes,4,opt,name=expr,proto3" json:"expr,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *CheckedExpr) Reset() { *m = CheckedExpr{} } +func (m *CheckedExpr) String() string { return proto.CompactTextString(m) } +func (*CheckedExpr) ProtoMessage() {} +func (*CheckedExpr) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{0} +} + +func (m *CheckedExpr) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_CheckedExpr.Unmarshal(m, b) +} +func (m *CheckedExpr) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_CheckedExpr.Marshal(b, m, deterministic) +} +func (m *CheckedExpr) XXX_Merge(src proto.Message) { + xxx_messageInfo_CheckedExpr.Merge(m, src) +} +func (m *CheckedExpr) XXX_Size() int { + return xxx_messageInfo_CheckedExpr.Size(m) +} +func (m *CheckedExpr) XXX_DiscardUnknown() { + xxx_messageInfo_CheckedExpr.DiscardUnknown(m) +} + +var xxx_messageInfo_CheckedExpr proto.InternalMessageInfo + +func (m *CheckedExpr) GetReferenceMap() map[int64]*Reference { + if m != nil { + return m.ReferenceMap + } + return nil +} + +func (m *CheckedExpr) GetTypeMap() map[int64]*Type { + if m != nil { + return m.TypeMap + } + return nil +} + +func (m *CheckedExpr) GetSourceInfo() *SourceInfo { + if m != nil { + return m.SourceInfo + } + return nil +} + +func (m *CheckedExpr) GetExpr() *Expr { + if m != nil { + return m.Expr + } + return nil +} + +// Represents a CEL type. +type Type struct { + // The kind of type. 
+ // + // Types that are valid to be assigned to TypeKind: + // *Type_Dyn + // *Type_Null + // *Type_Primitive + // *Type_Wrapper + // *Type_WellKnown + // *Type_ListType_ + // *Type_MapType_ + // *Type_Function + // *Type_MessageType + // *Type_TypeParam + // *Type_Type + // *Type_Error + // *Type_AbstractType_ + TypeKind isType_TypeKind `protobuf_oneof:"type_kind"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Type) Reset() { *m = Type{} } +func (m *Type) String() string { return proto.CompactTextString(m) } +func (*Type) ProtoMessage() {} +func (*Type) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{1} +} + +func (m *Type) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Type.Unmarshal(m, b) +} +func (m *Type) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Type.Marshal(b, m, deterministic) +} +func (m *Type) XXX_Merge(src proto.Message) { + xxx_messageInfo_Type.Merge(m, src) +} +func (m *Type) XXX_Size() int { + return xxx_messageInfo_Type.Size(m) +} +func (m *Type) XXX_DiscardUnknown() { + xxx_messageInfo_Type.DiscardUnknown(m) +} + +var xxx_messageInfo_Type proto.InternalMessageInfo + +type isType_TypeKind interface { + isType_TypeKind() +} + +type Type_Dyn struct { + Dyn *empty.Empty `protobuf:"bytes,1,opt,name=dyn,proto3,oneof"` +} + +type Type_Null struct { + Null _struct.NullValue `protobuf:"varint,2,opt,name=null,proto3,enum=google.protobuf.NullValue,oneof"` +} + +type Type_Primitive struct { + Primitive Type_PrimitiveType `protobuf:"varint,3,opt,name=primitive,proto3,enum=google.api.expr.v1alpha1.Type_PrimitiveType,oneof"` +} + +type Type_Wrapper struct { + Wrapper Type_PrimitiveType `protobuf:"varint,4,opt,name=wrapper,proto3,enum=google.api.expr.v1alpha1.Type_PrimitiveType,oneof"` +} + +type Type_WellKnown struct { + WellKnown Type_WellKnownType 
`protobuf:"varint,5,opt,name=well_known,json=wellKnown,proto3,enum=google.api.expr.v1alpha1.Type_WellKnownType,oneof"` +} + +type Type_ListType_ struct { + ListType *Type_ListType `protobuf:"bytes,6,opt,name=list_type,json=listType,proto3,oneof"` +} + +type Type_MapType_ struct { + MapType *Type_MapType `protobuf:"bytes,7,opt,name=map_type,json=mapType,proto3,oneof"` +} + +type Type_Function struct { + Function *Type_FunctionType `protobuf:"bytes,8,opt,name=function,proto3,oneof"` +} + +type Type_MessageType struct { + MessageType string `protobuf:"bytes,9,opt,name=message_type,json=messageType,proto3,oneof"` +} + +type Type_TypeParam struct { + TypeParam string `protobuf:"bytes,10,opt,name=type_param,json=typeParam,proto3,oneof"` +} + +type Type_Type struct { + Type *Type `protobuf:"bytes,11,opt,name=type,proto3,oneof"` +} + +type Type_Error struct { + Error *empty.Empty `protobuf:"bytes,12,opt,name=error,proto3,oneof"` +} + +type Type_AbstractType_ struct { + AbstractType *Type_AbstractType `protobuf:"bytes,14,opt,name=abstract_type,json=abstractType,proto3,oneof"` +} + +func (*Type_Dyn) isType_TypeKind() {} + +func (*Type_Null) isType_TypeKind() {} + +func (*Type_Primitive) isType_TypeKind() {} + +func (*Type_Wrapper) isType_TypeKind() {} + +func (*Type_WellKnown) isType_TypeKind() {} + +func (*Type_ListType_) isType_TypeKind() {} + +func (*Type_MapType_) isType_TypeKind() {} + +func (*Type_Function) isType_TypeKind() {} + +func (*Type_MessageType) isType_TypeKind() {} + +func (*Type_TypeParam) isType_TypeKind() {} + +func (*Type_Type) isType_TypeKind() {} + +func (*Type_Error) isType_TypeKind() {} + +func (*Type_AbstractType_) isType_TypeKind() {} + +func (m *Type) GetTypeKind() isType_TypeKind { + if m != nil { + return m.TypeKind + } + return nil +} + +func (m *Type) GetDyn() *empty.Empty { + if x, ok := m.GetTypeKind().(*Type_Dyn); ok { + return x.Dyn + } + return nil +} + +func (m *Type) GetNull() _struct.NullValue { + if x, ok := 
m.GetTypeKind().(*Type_Null); ok { + return x.Null + } + return _struct.NullValue_NULL_VALUE +} + +func (m *Type) GetPrimitive() Type_PrimitiveType { + if x, ok := m.GetTypeKind().(*Type_Primitive); ok { + return x.Primitive + } + return Type_PRIMITIVE_TYPE_UNSPECIFIED +} + +func (m *Type) GetWrapper() Type_PrimitiveType { + if x, ok := m.GetTypeKind().(*Type_Wrapper); ok { + return x.Wrapper + } + return Type_PRIMITIVE_TYPE_UNSPECIFIED +} + +func (m *Type) GetWellKnown() Type_WellKnownType { + if x, ok := m.GetTypeKind().(*Type_WellKnown); ok { + return x.WellKnown + } + return Type_WELL_KNOWN_TYPE_UNSPECIFIED +} + +func (m *Type) GetListType() *Type_ListType { + if x, ok := m.GetTypeKind().(*Type_ListType_); ok { + return x.ListType + } + return nil +} + +func (m *Type) GetMapType() *Type_MapType { + if x, ok := m.GetTypeKind().(*Type_MapType_); ok { + return x.MapType + } + return nil +} + +func (m *Type) GetFunction() *Type_FunctionType { + if x, ok := m.GetTypeKind().(*Type_Function); ok { + return x.Function + } + return nil +} + +func (m *Type) GetMessageType() string { + if x, ok := m.GetTypeKind().(*Type_MessageType); ok { + return x.MessageType + } + return "" +} + +func (m *Type) GetTypeParam() string { + if x, ok := m.GetTypeKind().(*Type_TypeParam); ok { + return x.TypeParam + } + return "" +} + +func (m *Type) GetType() *Type { + if x, ok := m.GetTypeKind().(*Type_Type); ok { + return x.Type + } + return nil +} + +func (m *Type) GetError() *empty.Empty { + if x, ok := m.GetTypeKind().(*Type_Error); ok { + return x.Error + } + return nil +} + +func (m *Type) GetAbstractType() *Type_AbstractType { + if x, ok := m.GetTypeKind().(*Type_AbstractType_); ok { + return x.AbstractType + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. 
+func (*Type) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*Type_Dyn)(nil), + (*Type_Null)(nil), + (*Type_Primitive)(nil), + (*Type_Wrapper)(nil), + (*Type_WellKnown)(nil), + (*Type_ListType_)(nil), + (*Type_MapType_)(nil), + (*Type_Function)(nil), + (*Type_MessageType)(nil), + (*Type_TypeParam)(nil), + (*Type_Type)(nil), + (*Type_Error)(nil), + (*Type_AbstractType_)(nil), + } +} + +// List type with typed elements, e.g. `list`. +type Type_ListType struct { + // The element type. + ElemType *Type `protobuf:"bytes,1,opt,name=elem_type,json=elemType,proto3" json:"elem_type,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Type_ListType) Reset() { *m = Type_ListType{} } +func (m *Type_ListType) String() string { return proto.CompactTextString(m) } +func (*Type_ListType) ProtoMessage() {} +func (*Type_ListType) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{1, 0} +} + +func (m *Type_ListType) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Type_ListType.Unmarshal(m, b) +} +func (m *Type_ListType) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Type_ListType.Marshal(b, m, deterministic) +} +func (m *Type_ListType) XXX_Merge(src proto.Message) { + xxx_messageInfo_Type_ListType.Merge(m, src) +} +func (m *Type_ListType) XXX_Size() int { + return xxx_messageInfo_Type_ListType.Size(m) +} +func (m *Type_ListType) XXX_DiscardUnknown() { + xxx_messageInfo_Type_ListType.DiscardUnknown(m) +} + +var xxx_messageInfo_Type_ListType proto.InternalMessageInfo + +func (m *Type_ListType) GetElemType() *Type { + if m != nil { + return m.ElemType + } + return nil +} + +// Map type with parameterized key and value types, e.g. `map`. +type Type_MapType struct { + // The type of the key. 
+ KeyType *Type `protobuf:"bytes,1,opt,name=key_type,json=keyType,proto3" json:"key_type,omitempty"` + // The type of the value. + ValueType *Type `protobuf:"bytes,2,opt,name=value_type,json=valueType,proto3" json:"value_type,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Type_MapType) Reset() { *m = Type_MapType{} } +func (m *Type_MapType) String() string { return proto.CompactTextString(m) } +func (*Type_MapType) ProtoMessage() {} +func (*Type_MapType) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{1, 1} +} + +func (m *Type_MapType) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Type_MapType.Unmarshal(m, b) +} +func (m *Type_MapType) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Type_MapType.Marshal(b, m, deterministic) +} +func (m *Type_MapType) XXX_Merge(src proto.Message) { + xxx_messageInfo_Type_MapType.Merge(m, src) +} +func (m *Type_MapType) XXX_Size() int { + return xxx_messageInfo_Type_MapType.Size(m) +} +func (m *Type_MapType) XXX_DiscardUnknown() { + xxx_messageInfo_Type_MapType.DiscardUnknown(m) +} + +var xxx_messageInfo_Type_MapType proto.InternalMessageInfo + +func (m *Type_MapType) GetKeyType() *Type { + if m != nil { + return m.KeyType + } + return nil +} + +func (m *Type_MapType) GetValueType() *Type { + if m != nil { + return m.ValueType + } + return nil +} + +// Function type with result and arg types. +type Type_FunctionType struct { + // Result type of the function. + ResultType *Type `protobuf:"bytes,1,opt,name=result_type,json=resultType,proto3" json:"result_type,omitempty"` + // Argument types of the function. 
+ ArgTypes []*Type `protobuf:"bytes,2,rep,name=arg_types,json=argTypes,proto3" json:"arg_types,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Type_FunctionType) Reset() { *m = Type_FunctionType{} } +func (m *Type_FunctionType) String() string { return proto.CompactTextString(m) } +func (*Type_FunctionType) ProtoMessage() {} +func (*Type_FunctionType) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{1, 2} +} + +func (m *Type_FunctionType) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Type_FunctionType.Unmarshal(m, b) +} +func (m *Type_FunctionType) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Type_FunctionType.Marshal(b, m, deterministic) +} +func (m *Type_FunctionType) XXX_Merge(src proto.Message) { + xxx_messageInfo_Type_FunctionType.Merge(m, src) +} +func (m *Type_FunctionType) XXX_Size() int { + return xxx_messageInfo_Type_FunctionType.Size(m) +} +func (m *Type_FunctionType) XXX_DiscardUnknown() { + xxx_messageInfo_Type_FunctionType.DiscardUnknown(m) +} + +var xxx_messageInfo_Type_FunctionType proto.InternalMessageInfo + +func (m *Type_FunctionType) GetResultType() *Type { + if m != nil { + return m.ResultType + } + return nil +} + +func (m *Type_FunctionType) GetArgTypes() []*Type { + if m != nil { + return m.ArgTypes + } + return nil +} + +// Application defined abstract type. +type Type_AbstractType struct { + // The fully qualified name of this abstract type. + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + // Parameter types for this abstract type. 
+ ParameterTypes []*Type `protobuf:"bytes,2,rep,name=parameter_types,json=parameterTypes,proto3" json:"parameter_types,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Type_AbstractType) Reset() { *m = Type_AbstractType{} } +func (m *Type_AbstractType) String() string { return proto.CompactTextString(m) } +func (*Type_AbstractType) ProtoMessage() {} +func (*Type_AbstractType) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{1, 3} +} + +func (m *Type_AbstractType) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Type_AbstractType.Unmarshal(m, b) +} +func (m *Type_AbstractType) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Type_AbstractType.Marshal(b, m, deterministic) +} +func (m *Type_AbstractType) XXX_Merge(src proto.Message) { + xxx_messageInfo_Type_AbstractType.Merge(m, src) +} +func (m *Type_AbstractType) XXX_Size() int { + return xxx_messageInfo_Type_AbstractType.Size(m) +} +func (m *Type_AbstractType) XXX_DiscardUnknown() { + xxx_messageInfo_Type_AbstractType.DiscardUnknown(m) +} + +var xxx_messageInfo_Type_AbstractType proto.InternalMessageInfo + +func (m *Type_AbstractType) GetName() string { + if m != nil { + return m.Name + } + return "" +} + +func (m *Type_AbstractType) GetParameterTypes() []*Type { + if m != nil { + return m.ParameterTypes + } + return nil +} + +// Represents a declaration of a named value or function. +// +// A declaration is part of the contract between the expression, the agent +// evaluating that expression, and the caller requesting evaluation. +type Decl struct { + // The fully qualified name of the declaration. + // + // Declarations are organized in containers and this represents the full path + // to the declaration in its container, as in `google.api.expr.Decl`. 
+ // + // Declarations used as + // [FunctionDecl.Overload][google.api.expr.v1alpha1.Decl.FunctionDecl.Overload] + // parameters may or may not have a name depending on whether the overload is + // function declaration or a function definition containing a result + // [Expr][google.api.expr.v1alpha1.Expr]. + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + // Required. The declaration kind. + // + // Types that are valid to be assigned to DeclKind: + // *Decl_Ident + // *Decl_Function + DeclKind isDecl_DeclKind `protobuf_oneof:"decl_kind"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Decl) Reset() { *m = Decl{} } +func (m *Decl) String() string { return proto.CompactTextString(m) } +func (*Decl) ProtoMessage() {} +func (*Decl) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{2} +} + +func (m *Decl) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Decl.Unmarshal(m, b) +} +func (m *Decl) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Decl.Marshal(b, m, deterministic) +} +func (m *Decl) XXX_Merge(src proto.Message) { + xxx_messageInfo_Decl.Merge(m, src) +} +func (m *Decl) XXX_Size() int { + return xxx_messageInfo_Decl.Size(m) +} +func (m *Decl) XXX_DiscardUnknown() { + xxx_messageInfo_Decl.DiscardUnknown(m) +} + +var xxx_messageInfo_Decl proto.InternalMessageInfo + +func (m *Decl) GetName() string { + if m != nil { + return m.Name + } + return "" +} + +type isDecl_DeclKind interface { + isDecl_DeclKind() +} + +type Decl_Ident struct { + Ident *Decl_IdentDecl `protobuf:"bytes,2,opt,name=ident,proto3,oneof"` +} + +type Decl_Function struct { + Function *Decl_FunctionDecl `protobuf:"bytes,3,opt,name=function,proto3,oneof"` +} + +func (*Decl_Ident) isDecl_DeclKind() {} + +func (*Decl_Function) isDecl_DeclKind() {} + +func (m *Decl) GetDeclKind() isDecl_DeclKind { + if m != nil { + return 
m.DeclKind + } + return nil +} + +func (m *Decl) GetIdent() *Decl_IdentDecl { + if x, ok := m.GetDeclKind().(*Decl_Ident); ok { + return x.Ident + } + return nil +} + +func (m *Decl) GetFunction() *Decl_FunctionDecl { + if x, ok := m.GetDeclKind().(*Decl_Function); ok { + return x.Function + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*Decl) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*Decl_Ident)(nil), + (*Decl_Function)(nil), + } +} + +// Identifier declaration which specifies its type and optional `Expr` value. +// +// An identifier without a value is a declaration that must be provided at +// evaluation time. An identifier with a value should resolve to a constant, +// but may be used in conjunction with other identifiers bound at evaluation +// time. +type Decl_IdentDecl struct { + // Required. The type of the identifier. + Type *Type `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"` + // The constant value of the identifier. If not specified, the identifier + // must be supplied at evaluation time. + Value *Constant `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` + // Documentation string for the identifier. 
+ Doc string `protobuf:"bytes,3,opt,name=doc,proto3" json:"doc,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Decl_IdentDecl) Reset() { *m = Decl_IdentDecl{} } +func (m *Decl_IdentDecl) String() string { return proto.CompactTextString(m) } +func (*Decl_IdentDecl) ProtoMessage() {} +func (*Decl_IdentDecl) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{2, 0} +} + +func (m *Decl_IdentDecl) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Decl_IdentDecl.Unmarshal(m, b) +} +func (m *Decl_IdentDecl) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Decl_IdentDecl.Marshal(b, m, deterministic) +} +func (m *Decl_IdentDecl) XXX_Merge(src proto.Message) { + xxx_messageInfo_Decl_IdentDecl.Merge(m, src) +} +func (m *Decl_IdentDecl) XXX_Size() int { + return xxx_messageInfo_Decl_IdentDecl.Size(m) +} +func (m *Decl_IdentDecl) XXX_DiscardUnknown() { + xxx_messageInfo_Decl_IdentDecl.DiscardUnknown(m) +} + +var xxx_messageInfo_Decl_IdentDecl proto.InternalMessageInfo + +func (m *Decl_IdentDecl) GetType() *Type { + if m != nil { + return m.Type + } + return nil +} + +func (m *Decl_IdentDecl) GetValue() *Constant { + if m != nil { + return m.Value + } + return nil +} + +func (m *Decl_IdentDecl) GetDoc() string { + if m != nil { + return m.Doc + } + return "" +} + +// Function declaration specifies one or more overloads which indicate the +// function's parameter types and return type, and may optionally specify a +// function definition in terms of CEL expressions. +// +// Functions have no observable side-effects (there may be side-effects like +// logging which are not observable from CEL). +type Decl_FunctionDecl struct { + // Required. List of function overloads, must contain at least one overload. 
+ Overloads []*Decl_FunctionDecl_Overload `protobuf:"bytes,1,rep,name=overloads,proto3" json:"overloads,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Decl_FunctionDecl) Reset() { *m = Decl_FunctionDecl{} } +func (m *Decl_FunctionDecl) String() string { return proto.CompactTextString(m) } +func (*Decl_FunctionDecl) ProtoMessage() {} +func (*Decl_FunctionDecl) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{2, 1} +} + +func (m *Decl_FunctionDecl) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Decl_FunctionDecl.Unmarshal(m, b) +} +func (m *Decl_FunctionDecl) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Decl_FunctionDecl.Marshal(b, m, deterministic) +} +func (m *Decl_FunctionDecl) XXX_Merge(src proto.Message) { + xxx_messageInfo_Decl_FunctionDecl.Merge(m, src) +} +func (m *Decl_FunctionDecl) XXX_Size() int { + return xxx_messageInfo_Decl_FunctionDecl.Size(m) +} +func (m *Decl_FunctionDecl) XXX_DiscardUnknown() { + xxx_messageInfo_Decl_FunctionDecl.DiscardUnknown(m) +} + +var xxx_messageInfo_Decl_FunctionDecl proto.InternalMessageInfo + +func (m *Decl_FunctionDecl) GetOverloads() []*Decl_FunctionDecl_Overload { + if m != nil { + return m.Overloads + } + return nil +} + +// An overload indicates a function's parameter types and return type, and +// may optionally include a function body described in terms of +// [Expr][google.api.expr.v1alpha1.Expr] values. +// +// Functions overloads are declared in either a function or method +// call-style. For methods, the `params[0]` is the expected type of the +// target receiver. +// +// Overloads must have non-overlapping argument types after erasure of all +// parameterized type variables (similar as type erasure in Java). +type Decl_FunctionDecl_Overload struct { + // Required. 
Globally unique overload name of the function which reflects + // the function name and argument types. + // + // This will be used by a [Reference][google.api.expr.v1alpha1.Reference] + // to indicate the `overload_id` that was resolved for the function + // `name`. + OverloadId string `protobuf:"bytes,1,opt,name=overload_id,json=overloadId,proto3" json:"overload_id,omitempty"` + // List of function parameter [Type][google.api.expr.v1alpha1.Type] + // values. + // + // Param types are disjoint after generic type parameters have been + // replaced with the type `DYN`. Since the `DYN` type is compatible with + // any other type, this means that if `A` is a type parameter, the + // function types `int` and `int` are not disjoint. Likewise, + // `map` is not disjoint from `map`. + // + // When the `result_type` of a function is a generic type param, the + // type param name also appears as the `type` of on at least one params. + Params []*Type `protobuf:"bytes,2,rep,name=params,proto3" json:"params,omitempty"` + // The type param names associated with the function declaration. + // + // For example, `function ex(K key, map map) : V` would yield + // the type params of `K, V`. + TypeParams []string `protobuf:"bytes,3,rep,name=type_params,json=typeParams,proto3" json:"type_params,omitempty"` + // Required. The result type of the function. For example, the operator + // `string.isEmpty()` would have `result_type` of `kind: BOOL`. + ResultType *Type `protobuf:"bytes,4,opt,name=result_type,json=resultType,proto3" json:"result_type,omitempty"` + // Whether the function is to be used in a method call-style `x.f(...)` + // of a function call-style `f(x, ...)`. + // + // For methods, the first parameter declaration, `params[0]` is the + // expected type of the target receiver. + IsInstanceFunction bool `protobuf:"varint,5,opt,name=is_instance_function,json=isInstanceFunction,proto3" json:"is_instance_function,omitempty"` + // Documentation string for the overload. 
+ Doc string `protobuf:"bytes,6,opt,name=doc,proto3" json:"doc,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Decl_FunctionDecl_Overload) Reset() { *m = Decl_FunctionDecl_Overload{} } +func (m *Decl_FunctionDecl_Overload) String() string { return proto.CompactTextString(m) } +func (*Decl_FunctionDecl_Overload) ProtoMessage() {} +func (*Decl_FunctionDecl_Overload) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{2, 1, 0} +} + +func (m *Decl_FunctionDecl_Overload) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Decl_FunctionDecl_Overload.Unmarshal(m, b) +} +func (m *Decl_FunctionDecl_Overload) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Decl_FunctionDecl_Overload.Marshal(b, m, deterministic) +} +func (m *Decl_FunctionDecl_Overload) XXX_Merge(src proto.Message) { + xxx_messageInfo_Decl_FunctionDecl_Overload.Merge(m, src) +} +func (m *Decl_FunctionDecl_Overload) XXX_Size() int { + return xxx_messageInfo_Decl_FunctionDecl_Overload.Size(m) +} +func (m *Decl_FunctionDecl_Overload) XXX_DiscardUnknown() { + xxx_messageInfo_Decl_FunctionDecl_Overload.DiscardUnknown(m) +} + +var xxx_messageInfo_Decl_FunctionDecl_Overload proto.InternalMessageInfo + +func (m *Decl_FunctionDecl_Overload) GetOverloadId() string { + if m != nil { + return m.OverloadId + } + return "" +} + +func (m *Decl_FunctionDecl_Overload) GetParams() []*Type { + if m != nil { + return m.Params + } + return nil +} + +func (m *Decl_FunctionDecl_Overload) GetTypeParams() []string { + if m != nil { + return m.TypeParams + } + return nil +} + +func (m *Decl_FunctionDecl_Overload) GetResultType() *Type { + if m != nil { + return m.ResultType + } + return nil +} + +func (m *Decl_FunctionDecl_Overload) GetIsInstanceFunction() bool { + if m != nil { + return m.IsInstanceFunction + } + return false +} + +func (m *Decl_FunctionDecl_Overload) GetDoc() 
string { + if m != nil { + return m.Doc + } + return "" +} + +// Describes a resolved reference to a declaration. +type Reference struct { + // The fully qualified name of the declaration. + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + // For references to functions, this is a list of `Overload.overload_id` + // values which match according to typing rules. + // + // If the list has more than one element, overload resolution among the + // presented candidates must happen at runtime because of dynamic types. The + // type checker attempts to narrow down this list as much as possible. + // + // Empty if this is not a reference to a + // [Decl.FunctionDecl][google.api.expr.v1alpha1.Decl.FunctionDecl]. + OverloadId []string `protobuf:"bytes,3,rep,name=overload_id,json=overloadId,proto3" json:"overload_id,omitempty"` + // For references to constants, this may contain the value of the + // constant if known at compile time. + Value *Constant `protobuf:"bytes,4,opt,name=value,proto3" json:"value,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Reference) Reset() { *m = Reference{} } +func (m *Reference) String() string { return proto.CompactTextString(m) } +func (*Reference) ProtoMessage() {} +func (*Reference) Descriptor() ([]byte, []int) { + return fileDescriptor_30a741de3e790389, []int{3} +} + +func (m *Reference) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Reference.Unmarshal(m, b) +} +func (m *Reference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Reference.Marshal(b, m, deterministic) +} +func (m *Reference) XXX_Merge(src proto.Message) { + xxx_messageInfo_Reference.Merge(m, src) +} +func (m *Reference) XXX_Size() int { + return xxx_messageInfo_Reference.Size(m) +} +func (m *Reference) XXX_DiscardUnknown() { + xxx_messageInfo_Reference.DiscardUnknown(m) +} + +var xxx_messageInfo_Reference 
proto.InternalMessageInfo + +func (m *Reference) GetName() string { + if m != nil { + return m.Name + } + return "" +} + +func (m *Reference) GetOverloadId() []string { + if m != nil { + return m.OverloadId + } + return nil +} + +func (m *Reference) GetValue() *Constant { + if m != nil { + return m.Value + } + return nil +} + +func init() { + proto.RegisterEnum("google.api.expr.v1alpha1.Type_PrimitiveType", Type_PrimitiveType_name, Type_PrimitiveType_value) + proto.RegisterEnum("google.api.expr.v1alpha1.Type_WellKnownType", Type_WellKnownType_name, Type_WellKnownType_value) + proto.RegisterType((*CheckedExpr)(nil), "google.api.expr.v1alpha1.CheckedExpr") + proto.RegisterMapType((map[int64]*Reference)(nil), "google.api.expr.v1alpha1.CheckedExpr.ReferenceMapEntry") + proto.RegisterMapType((map[int64]*Type)(nil), "google.api.expr.v1alpha1.CheckedExpr.TypeMapEntry") + proto.RegisterType((*Type)(nil), "google.api.expr.v1alpha1.Type") + proto.RegisterType((*Type_ListType)(nil), "google.api.expr.v1alpha1.Type.ListType") + proto.RegisterType((*Type_MapType)(nil), "google.api.expr.v1alpha1.Type.MapType") + proto.RegisterType((*Type_FunctionType)(nil), "google.api.expr.v1alpha1.Type.FunctionType") + proto.RegisterType((*Type_AbstractType)(nil), "google.api.expr.v1alpha1.Type.AbstractType") + proto.RegisterType((*Decl)(nil), "google.api.expr.v1alpha1.Decl") + proto.RegisterType((*Decl_IdentDecl)(nil), "google.api.expr.v1alpha1.Decl.IdentDecl") + proto.RegisterType((*Decl_FunctionDecl)(nil), "google.api.expr.v1alpha1.Decl.FunctionDecl") + proto.RegisterType((*Decl_FunctionDecl_Overload)(nil), "google.api.expr.v1alpha1.Decl.FunctionDecl.Overload") + proto.RegisterType((*Reference)(nil), "google.api.expr.v1alpha1.Reference") +} + +func init() { + proto.RegisterFile("google/api/expr/v1alpha1/checked.proto", fileDescriptor_30a741de3e790389) +} + +var fileDescriptor_30a741de3e790389 = []byte{ + // 1144 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x02, 0xff, 0x94, 0x56, 0x5f, 0x6f, 0xdb, 0xb6, + 0x17, 0x8d, 0x6c, 0xd9, 0x96, 0xae, 0x9c, 0xfe, 0xfc, 0x23, 0x86, 0x41, 0x50, 0x8b, 0x36, 0x70, + 0xb7, 0x2e, 0xd8, 0x06, 0xb9, 0xf5, 0x82, 0xae, 0x5d, 0x37, 0x6c, 0x71, 0xa2, 0x24, 0x42, 0xfd, + 0x0f, 0x8a, 0x93, 0x20, 0xc5, 0x00, 0x81, 0x91, 0x19, 0x57, 0xb0, 0x2c, 0x09, 0x94, 0x9c, 0xc4, + 0x7b, 0xdd, 0xd3, 0xb0, 0x7d, 0x9b, 0x7d, 0x89, 0x7d, 0x9a, 0xbd, 0x6e, 0x8f, 0x03, 0x29, 0xc9, + 0x71, 0xfe, 0x38, 0xb6, 0xdf, 0xae, 0xc8, 0x73, 0x0e, 0x2f, 0x2f, 0xcf, 0x25, 0x05, 0x2f, 0x06, + 0x41, 0x30, 0xf0, 0x48, 0x0d, 0x87, 0x6e, 0x8d, 0x5c, 0x85, 0xb4, 0x76, 0xf1, 0x0a, 0x7b, 0xe1, + 0x47, 0xfc, 0xaa, 0xe6, 0x7c, 0x24, 0xce, 0x90, 0xf4, 0xf5, 0x90, 0x06, 0x71, 0x80, 0xd4, 0x04, + 0xa7, 0xe3, 0xd0, 0xd5, 0x19, 0x4e, 0xcf, 0x70, 0xda, 0xe7, 0x73, 0x15, 0xa2, 0x89, 0x1f, 0xe3, + 0xab, 0x44, 0x40, 0x7b, 0x9c, 0xc2, 0xf8, 0xd7, 0xd9, 0xf8, 0xbc, 0x46, 0x46, 0x61, 0x3c, 0x49, + 0x27, 0x9f, 0xdc, 0x9e, 0x8c, 0x62, 0x3a, 0x76, 0xe2, 0x64, 0xb6, 0xfa, 0x4f, 0x1e, 0x94, 0x9d, + 0x24, 0x1b, 0xe3, 0x2a, 0xa4, 0xe8, 0x67, 0x58, 0xa7, 0xe4, 0x9c, 0x50, 0xe2, 0x3b, 0xc4, 0x1e, + 0xe1, 0x50, 0xcd, 0x6d, 0xe4, 0x37, 0x95, 0xfa, 0xb7, 0xfa, 0xbc, 0x1c, 0xf5, 0x19, 0xb6, 0x6e, + 0x65, 0xd4, 0x16, 0x0e, 0x0d, 0x3f, 0xa6, 0x13, 0xab, 0x4c, 0x67, 0x86, 0x50, 0x0b, 0xa4, 0x78, + 0x12, 0x26, 0xc2, 0x79, 0x2e, 0x5c, 0x5f, 0x4e, 0xb8, 0x37, 0x09, 0xaf, 0x35, 0x4b, 0x71, 0xf2, + 0x85, 0x0c, 0x50, 0xa2, 0x60, 0x4c, 0x1d, 0x62, 0xbb, 0xfe, 0x79, 0xa0, 0x16, 0x36, 0x84, 0x4d, + 0xa5, 0xfe, 0xd9, 0x7c, 0xc5, 0x43, 0x0e, 0x36, 0xfd, 0xf3, 0xc0, 0x82, 0x68, 0x1a, 0xa3, 0x3a, + 0x88, 0x0c, 0xa7, 0x8a, 0x9c, 0xff, 0x74, 0x3e, 0x9f, 0xa5, 0x62, 0x71, 0xac, 0xd6, 0x87, 0xff, + 0xdf, 0xd9, 0x2c, 0xaa, 0x40, 0x7e, 0x48, 0x26, 0xaa, 0xb0, 0x21, 0x6c, 0xe6, 0x2d, 0x16, 0xa2, + 0xb7, 0x50, 0xb8, 0xc0, 0xde, 0x98, 0xa8, 0x39, 0xae, 0xfd, 0x7c, 0xbe, 0xf6, 0x54, 0xcd, 0x4a, + 0x18, 0xdf, 0xe5, 0xde, 0x08, 0xda, 0x07, 0x28, 0xcf, 0xee, 0xfc, 0x9e, 
0x05, 0xb6, 0x6e, 0x2e, + 0xf0, 0x40, 0xf2, 0x4c, 0x68, 0x46, 0xbb, 0xfa, 0x97, 0x02, 0x22, 0x1b, 0x43, 0x5f, 0x42, 0xbe, + 0x3f, 0xf1, 0xb9, 0xa8, 0x52, 0xff, 0x34, 0x13, 0xc8, 0xec, 0xa2, 0x1b, 0xcc, 0x4b, 0x07, 0x6b, + 0x16, 0x03, 0xa1, 0x97, 0x20, 0xfa, 0x63, 0xcf, 0xe3, 0xab, 0x3d, 0xaa, 0x6b, 0x77, 0xc0, 0xed, + 0xb1, 0xe7, 0x1d, 0xb3, 0x25, 0x0e, 0xd6, 0x2c, 0x8e, 0x44, 0x4d, 0x90, 0x43, 0xea, 0x8e, 0xdc, + 0xd8, 0xbd, 0x20, 0x6a, 0x9e, 0xd3, 0xbe, 0x7e, 0x38, 0x49, 0xbd, 0x9b, 0xe1, 0xd9, 0xd7, 0xc1, + 0x9a, 0x75, 0x2d, 0x80, 0x0e, 0xa0, 0x74, 0x49, 0x71, 0x18, 0x92, 0xe4, 0xb4, 0x56, 0xd7, 0xca, + 0xe8, 0xa8, 0x05, 0x70, 0x49, 0x3c, 0xcf, 0x1e, 0xfa, 0xc1, 0xa5, 0xcf, 0xad, 0xb3, 0x58, 0xec, + 0x84, 0x78, 0xde, 0x7b, 0x86, 0xcf, 0x12, 0xbb, 0xcc, 0x06, 0xd0, 0x1e, 0xc8, 0x9e, 0x1b, 0xc5, + 0x36, 0xb3, 0xa6, 0x5a, 0xe4, 0xa5, 0xfc, 0x62, 0x81, 0x5a, 0xd3, 0x8d, 0xe2, 0x54, 0x48, 0xf2, + 0xd2, 0x18, 0xed, 0x80, 0x34, 0xc2, 0x61, 0x22, 0x53, 0xe2, 0x32, 0x2f, 0x16, 0xc8, 0xb4, 0x70, + 0x98, 0xed, 0x6d, 0x94, 0x84, 0xc8, 0x04, 0xe9, 0x7c, 0xec, 0x3b, 0xb1, 0x1b, 0xf8, 0xaa, 0xc4, + 0x45, 0xbe, 0x5a, 0x20, 0xb2, 0x97, 0xc2, 0xb3, 0x7c, 0x32, 0x3a, 0x7a, 0x0e, 0xe5, 0x11, 0x89, + 0x22, 0x3c, 0x20, 0x49, 0x4e, 0xf2, 0x86, 0xb0, 0x29, 0x1f, 0xac, 0x59, 0x4a, 0x3a, 0xca, 0xd7, + 0x7b, 0x06, 0xc0, 0xdb, 0x3a, 0xc4, 0x14, 0x8f, 0x54, 0x48, 0x21, 0x32, 0x1b, 0xeb, 0xb2, 0x21, + 0xb4, 0x05, 0x22, 0x67, 0x2b, 0xcb, 0x98, 0x94, 0x59, 0x87, 0xa1, 0x91, 0x0e, 0x05, 0x42, 0x69, + 0x40, 0xd5, 0xf2, 0x02, 0x6b, 0x26, 0x30, 0x64, 0xc1, 0x3a, 0x3e, 0x8b, 0x62, 0x8a, 0x9d, 0xf4, + 0x1c, 0x1e, 0x2d, 0xb5, 0xf7, 0xed, 0x94, 0x93, 0xae, 0x5d, 0xc6, 0x33, 0xdf, 0xda, 0x3e, 0x48, + 0xd9, 0x39, 0xa1, 0x77, 0x20, 0x13, 0x8f, 0x8c, 0x12, 0x6d, 0x61, 0xa9, 0x7e, 0x93, 0x18, 0x81, + 0x0b, 0xfd, 0x2a, 0x40, 0x29, 0x3d, 0x2a, 0xf4, 0x16, 0xa4, 0x21, 0x99, 0xac, 0xa2, 0x53, 0x1a, + 0x92, 0x09, 0xa7, 0xfe, 0x00, 0xc0, 0x5b, 0x38, 0x21, 0x2f, 0xd7, 0xf4, 0x32, 0x67, 0xf0, 0x2c, + 0xfe, 0x10, 
0xa0, 0x3c, 0x7b, 0xd6, 0xe8, 0x47, 0x50, 0x28, 0x89, 0xc6, 0x5e, 0xbc, 0x4a, 0x36, + 0x90, 0x50, 0xb2, 0xa2, 0x60, 0x3a, 0xe0, 0xec, 0x28, 0x7d, 0x2c, 0x16, 0x16, 0x05, 0xd3, 0x01, + 0x0b, 0x22, 0x6d, 0x08, 0xe5, 0xd9, 0xea, 0x23, 0x04, 0xa2, 0x8f, 0x47, 0x49, 0x1a, 0xb2, 0xc5, + 0x63, 0xb4, 0x0f, 0xff, 0xe3, 0xbe, 0x22, 0x31, 0xa1, 0x2b, 0x2d, 0xf3, 0x68, 0x4a, 0xe3, 0x8b, + 0x55, 0x23, 0x58, 0xbf, 0x71, 0x1b, 0xa0, 0xa7, 0xa0, 0x75, 0x2d, 0xb3, 0x65, 0xf6, 0xcc, 0x63, + 0xc3, 0xee, 0x9d, 0x76, 0x0d, 0xfb, 0xa8, 0x7d, 0xd8, 0x35, 0x76, 0xcc, 0x3d, 0xd3, 0xd8, 0xad, + 0xac, 0x21, 0x09, 0xc4, 0x46, 0xa7, 0xd3, 0xac, 0x08, 0x48, 0x86, 0x82, 0xd9, 0xee, 0xbd, 0xde, + 0xaa, 0xe4, 0x10, 0x40, 0xf1, 0x28, 0x89, 0xf3, 0x2c, 0xde, 0xed, 0x1c, 0x35, 0x9a, 0x46, 0x45, + 0x64, 0xf1, 0x61, 0xcf, 0x32, 0xdb, 0xfb, 0x95, 0x02, 0x83, 0x37, 0x4e, 0x7b, 0xc6, 0x61, 0xa5, + 0x58, 0x3d, 0x86, 0xf5, 0x1b, 0xb7, 0x06, 0x7a, 0x06, 0x8f, 0x4f, 0x8c, 0x66, 0xd3, 0x7e, 0xdf, + 0xee, 0x9c, 0xb4, 0xef, 0x5b, 0xb5, 0x04, 0xf9, 0xed, 0xf6, 0x69, 0x45, 0x40, 0xeb, 0x20, 0xf7, + 0xcc, 0x96, 0x71, 0xd8, 0xdb, 0x6e, 0x75, 0x2b, 0x39, 0x54, 0x06, 0x69, 0xf7, 0xc8, 0xda, 0xee, + 0x99, 0x9d, 0x76, 0x25, 0xdf, 0x50, 0x80, 0xb7, 0x97, 0x3d, 0x74, 0xfd, 0x7e, 0xf5, 0xcf, 0x02, + 0x88, 0xbb, 0xc4, 0xf1, 0xee, 0xad, 0xdf, 0x4f, 0x50, 0x70, 0xfb, 0xc4, 0x8f, 0x53, 0xb3, 0x6c, + 0xce, 0xaf, 0x1a, 0x93, 0xd0, 0x4d, 0x86, 0x65, 0x11, 0xeb, 0x2b, 0x4e, 0xbc, 0x71, 0x9d, 0xe4, + 0x17, 0xb5, 0x14, 0x17, 0xc9, 0x2c, 0x96, 0xea, 0x4c, 0xe9, 0xda, 0xef, 0x02, 0xc8, 0xd3, 0x15, + 0xd8, 0xc3, 0xbb, 0x82, 0xeb, 0x92, 0x4b, 0xe1, 0xcd, 0xcd, 0x07, 0xaf, 0xfa, 0xc0, 0xff, 0x43, + 0xe0, 0x47, 0x31, 0xf6, 0xe3, 0xf4, 0xd1, 0x63, 0x8f, 0x67, 0x3f, 0x70, 0xf8, 0x0e, 0x64, 0x8b, + 0x85, 0xda, 0xdf, 0xb9, 0xeb, 0x6e, 0xe0, 0x09, 0x59, 0x20, 0x07, 0x17, 0x84, 0x7a, 0x01, 0xee, + 0x47, 0xaa, 0xc0, 0x5d, 0xb6, 0xb5, 0xc2, 0x56, 0xf5, 0x4e, 0x4a, 0xb6, 0xae, 0x65, 0xb4, 0xdf, + 0x72, 0x20, 0x65, 0xe3, 0xe8, 0x19, 0x28, 0xd9, 
0x8c, 0xed, 0xf6, 0xd3, 0x73, 0x82, 0x6c, 0xc8, + 0xec, 0xa3, 0xd7, 0x50, 0xe4, 0xb6, 0x5d, 0xd6, 0xe4, 0x29, 0x9a, 0x09, 0x5f, 0x5f, 0xc1, 0x11, + 0xff, 0xb9, 0x92, 0x2d, 0x98, 0xde, 0xc0, 0xd1, 0xed, 0x46, 0x17, 0x57, 0x6e, 0xf4, 0x97, 0xf0, + 0x89, 0x1b, 0xd9, 0x2e, 0xaf, 0xa9, 0x43, 0xec, 0xa9, 0x23, 0xd8, 0xd3, 0x29, 0x59, 0xc8, 0x8d, + 0xcc, 0x74, 0x2a, 0xab, 0x48, 0x56, 0xf0, 0xe2, 0xb4, 0xe0, 0xcc, 0xb5, 0x7d, 0xe2, 0x78, 0x89, + 0x6b, 0x7f, 0x01, 0x79, 0xfa, 0xd3, 0x73, 0xaf, 0x73, 0x6f, 0x15, 0x2b, 0xdd, 0xd3, 0x4c, 0xb1, + 0xa6, 0x5e, 0x10, 0x57, 0xf4, 0x42, 0xc3, 0x83, 0x27, 0x4e, 0x30, 0x9a, 0x8b, 0x6f, 0xc8, 0xec, + 0x38, 0xbb, 0xec, 0x9d, 0xe9, 0x0a, 0x1f, 0xbe, 0x4f, 0x61, 0x83, 0xc0, 0xc3, 0xfe, 0x40, 0x0f, + 0xe8, 0xa0, 0x36, 0x20, 0x3e, 0x7f, 0x85, 0x6a, 0xc9, 0x14, 0x0e, 0xdd, 0xe8, 0xee, 0x4f, 0xfa, + 0x3b, 0xf6, 0xf5, 0xaf, 0x20, 0x9c, 0x15, 0x39, 0xf6, 0x9b, 0xff, 0x02, 0x00, 0x00, 0xff, 0xff, + 0xee, 0x02, 0xe6, 0x8f, 0x11, 0x0c, 0x00, 0x00, +} diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/conformance_service.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/conformance_service.pb.go new file mode 100644 index 0000000000..1eef1122c2 --- /dev/null +++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/conformance_service.pb.go 
@@ -0,0 +1,742 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: google/api/expr/v1alpha1/conformance_service.proto + +package expr + +import ( + context "context" + fmt "fmt" + math "math" + + proto "github.com/golang/protobuf/proto" + status "google.golang.org/genproto/googleapis/rpc/status" + grpc "google.golang.org/grpc" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +// Severities of issues. +type IssueDetails_Severity int32 + +const ( + // An unspecified severity. + IssueDetails_SEVERITY_UNSPECIFIED IssueDetails_Severity = 0 + // Deprecation issue for statements and method that may no longer be + // supported or maintained. + IssueDetails_DEPRECATION IssueDetails_Severity = 1 + // Warnings such as: unused variables. + IssueDetails_WARNING IssueDetails_Severity = 2 + // Errors such as: unmatched curly braces or variable redefinition. + IssueDetails_ERROR IssueDetails_Severity = 3 +) + +var IssueDetails_Severity_name = map[int32]string{ + 0: "SEVERITY_UNSPECIFIED", + 1: "DEPRECATION", + 2: "WARNING", + 3: "ERROR", +} + +var IssueDetails_Severity_value = map[string]int32{ + "SEVERITY_UNSPECIFIED": 0, + "DEPRECATION": 1, + "WARNING": 2, + "ERROR": 3, +} + +func (x IssueDetails_Severity) String() string { + return proto.EnumName(IssueDetails_Severity_name, int32(x)) +} + +func (IssueDetails_Severity) EnumDescriptor() ([]byte, []int) { + return fileDescriptor_b3ca1183e6ceae83, []int{6, 0} +} + +// Request message for the Parse method. +type ParseRequest struct { + // Required. Source text in CEL syntax. 
+ CelSource string `protobuf:"bytes,1,opt,name=cel_source,json=celSource,proto3" json:"cel_source,omitempty"` + // Tag for version of CEL syntax, for future use. + SyntaxVersion string `protobuf:"bytes,2,opt,name=syntax_version,json=syntaxVersion,proto3" json:"syntax_version,omitempty"` + // File or resource for source text, used in + // [SourceInfo][google.api.expr.v1alpha1.SourceInfo]. + SourceLocation string `protobuf:"bytes,3,opt,name=source_location,json=sourceLocation,proto3" json:"source_location,omitempty"` + // Prevent macro expansion. See "Macros" in Language Defiinition. + DisableMacros bool `protobuf:"varint,4,opt,name=disable_macros,json=disableMacros,proto3" json:"disable_macros,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *ParseRequest) Reset() { *m = ParseRequest{} } +func (m *ParseRequest) String() string { return proto.CompactTextString(m) } +func (*ParseRequest) ProtoMessage() {} +func (*ParseRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_b3ca1183e6ceae83, []int{0} +} + +func (m *ParseRequest) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_ParseRequest.Unmarshal(m, b) +} +func (m *ParseRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_ParseRequest.Marshal(b, m, deterministic) +} +func (m *ParseRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_ParseRequest.Merge(m, src) +} +func (m *ParseRequest) XXX_Size() int { + return xxx_messageInfo_ParseRequest.Size(m) +} +func (m *ParseRequest) XXX_DiscardUnknown() { + xxx_messageInfo_ParseRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_ParseRequest proto.InternalMessageInfo + +func (m *ParseRequest) GetCelSource() string { + if m != nil { + return m.CelSource + } + return "" +} + +func (m *ParseRequest) GetSyntaxVersion() string { + if m != nil { + return m.SyntaxVersion + } + return "" +} + +func (m *ParseRequest) 
GetSourceLocation() string { + if m != nil { + return m.SourceLocation + } + return "" +} + +func (m *ParseRequest) GetDisableMacros() bool { + if m != nil { + return m.DisableMacros + } + return false +} + +// Response message for the Parse method. +type ParseResponse struct { + // The parsed representation, or unset if parsing failed. + ParsedExpr *ParsedExpr `protobuf:"bytes,1,opt,name=parsed_expr,json=parsedExpr,proto3" json:"parsed_expr,omitempty"` + // Any number of issues with [StatusDetails][] as the details. + Issues []*status.Status `protobuf:"bytes,2,rep,name=issues,proto3" json:"issues,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *ParseResponse) Reset() { *m = ParseResponse{} } +func (m *ParseResponse) String() string { return proto.CompactTextString(m) } +func (*ParseResponse) ProtoMessage() {} +func (*ParseResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_b3ca1183e6ceae83, []int{1} +} + +func (m *ParseResponse) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_ParseResponse.Unmarshal(m, b) +} +func (m *ParseResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_ParseResponse.Marshal(b, m, deterministic) +} +func (m *ParseResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_ParseResponse.Merge(m, src) +} +func (m *ParseResponse) XXX_Size() int { + return xxx_messageInfo_ParseResponse.Size(m) +} +func (m *ParseResponse) XXX_DiscardUnknown() { + xxx_messageInfo_ParseResponse.DiscardUnknown(m) +} + +var xxx_messageInfo_ParseResponse proto.InternalMessageInfo + +func (m *ParseResponse) GetParsedExpr() *ParsedExpr { + if m != nil { + return m.ParsedExpr + } + return nil +} + +func (m *ParseResponse) GetIssues() []*status.Status { + if m != nil { + return m.Issues + } + return nil +} + +// Request message for the Check method. +type CheckRequest struct { + // Required. 
The parsed representation of the CEL program. + ParsedExpr *ParsedExpr `protobuf:"bytes,1,opt,name=parsed_expr,json=parsedExpr,proto3" json:"parsed_expr,omitempty"` + // Declarations of types for external variables and functions. + // Required if program uses external variables or functions + // not in the default environment. + TypeEnv []*Decl `protobuf:"bytes,2,rep,name=type_env,json=typeEnv,proto3" json:"type_env,omitempty"` + // The protocol buffer context. See "Name Resolution" in the + // Language Definition. + Container string `protobuf:"bytes,3,opt,name=container,proto3" json:"container,omitempty"` + // If true, use only the declarations in + // [type_env][google.api.expr.v1alpha1.CheckRequest.type_env]. If false + // (default), add declarations for the standard definitions to the type + // environment. See "Standard Definitions" in the Language Definition. + NoStdEnv bool `protobuf:"varint,4,opt,name=no_std_env,json=noStdEnv,proto3" json:"no_std_env,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *CheckRequest) Reset() { *m = CheckRequest{} } +func (m *CheckRequest) String() string { return proto.CompactTextString(m) } +func (*CheckRequest) ProtoMessage() {} +func (*CheckRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_b3ca1183e6ceae83, []int{2} +} + +func (m *CheckRequest) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_CheckRequest.Unmarshal(m, b) +} +func (m *CheckRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_CheckRequest.Marshal(b, m, deterministic) +} +func (m *CheckRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_CheckRequest.Merge(m, src) +} +func (m *CheckRequest) XXX_Size() int { + return xxx_messageInfo_CheckRequest.Size(m) +} +func (m *CheckRequest) XXX_DiscardUnknown() { + xxx_messageInfo_CheckRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_CheckRequest 
proto.InternalMessageInfo + +func (m *CheckRequest) GetParsedExpr() *ParsedExpr { + if m != nil { + return m.ParsedExpr + } + return nil +} + +func (m *CheckRequest) GetTypeEnv() []*Decl { + if m != nil { + return m.TypeEnv + } + return nil +} + +func (m *CheckRequest) GetContainer() string { + if m != nil { + return m.Container + } + return "" +} + +func (m *CheckRequest) GetNoStdEnv() bool { + if m != nil { + return m.NoStdEnv + } + return false +} + +// Response message for the Check method. +type CheckResponse struct { + // The annotated representation, or unset if checking failed. + CheckedExpr *CheckedExpr `protobuf:"bytes,1,opt,name=checked_expr,json=checkedExpr,proto3" json:"checked_expr,omitempty"` + // Any number of issues with [StatusDetails][] as the details. + Issues []*status.Status `protobuf:"bytes,2,rep,name=issues,proto3" json:"issues,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *CheckResponse) Reset() { *m = CheckResponse{} } +func (m *CheckResponse) String() string { return proto.CompactTextString(m) } +func (*CheckResponse) ProtoMessage() {} +func (*CheckResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_b3ca1183e6ceae83, []int{3} +} + +func (m *CheckResponse) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_CheckResponse.Unmarshal(m, b) +} +func (m *CheckResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_CheckResponse.Marshal(b, m, deterministic) +} +func (m *CheckResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_CheckResponse.Merge(m, src) +} +func (m *CheckResponse) XXX_Size() int { + return xxx_messageInfo_CheckResponse.Size(m) +} +func (m *CheckResponse) XXX_DiscardUnknown() { + xxx_messageInfo_CheckResponse.DiscardUnknown(m) +} + +var xxx_messageInfo_CheckResponse proto.InternalMessageInfo + +func (m *CheckResponse) GetCheckedExpr() *CheckedExpr { + if m != nil { + return 
m.CheckedExpr + } + return nil +} + +func (m *CheckResponse) GetIssues() []*status.Status { + if m != nil { + return m.Issues + } + return nil +} + +// Request message for the Eval method. +type EvalRequest struct { + // Required. Either the parsed or annotated representation of the CEL program. + // + // Types that are valid to be assigned to ExprKind: + // *EvalRequest_ParsedExpr + // *EvalRequest_CheckedExpr + ExprKind isEvalRequest_ExprKind `protobuf_oneof:"expr_kind"` + // Bindings for the external variables. The types SHOULD be compatible + // with the type environment in + // [CheckRequest][google.api.expr.v1alpha1.CheckRequest], if checked. + Bindings map[string]*ExprValue `protobuf:"bytes,3,rep,name=bindings,proto3" json:"bindings,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` + // SHOULD be the same container as used in + // [CheckRequest][google.api.expr.v1alpha1.CheckRequest], if checked. + Container string `protobuf:"bytes,4,opt,name=container,proto3" json:"container,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *EvalRequest) Reset() { *m = EvalRequest{} } +func (m *EvalRequest) String() string { return proto.CompactTextString(m) } +func (*EvalRequest) ProtoMessage() {} +func (*EvalRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_b3ca1183e6ceae83, []int{4} +} + +func (m *EvalRequest) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_EvalRequest.Unmarshal(m, b) +} +func (m *EvalRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_EvalRequest.Marshal(b, m, deterministic) +} +func (m *EvalRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_EvalRequest.Merge(m, src) +} +func (m *EvalRequest) XXX_Size() int { + return xxx_messageInfo_EvalRequest.Size(m) +} +func (m *EvalRequest) XXX_DiscardUnknown() { + 
xxx_messageInfo_EvalRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_EvalRequest proto.InternalMessageInfo + +type isEvalRequest_ExprKind interface { + isEvalRequest_ExprKind() +} + +type EvalRequest_ParsedExpr struct { + ParsedExpr *ParsedExpr `protobuf:"bytes,1,opt,name=parsed_expr,json=parsedExpr,proto3,oneof"` +} + +type EvalRequest_CheckedExpr struct { + CheckedExpr *CheckedExpr `protobuf:"bytes,2,opt,name=checked_expr,json=checkedExpr,proto3,oneof"` +} + +func (*EvalRequest_ParsedExpr) isEvalRequest_ExprKind() {} + +func (*EvalRequest_CheckedExpr) isEvalRequest_ExprKind() {} + +func (m *EvalRequest) GetExprKind() isEvalRequest_ExprKind { + if m != nil { + return m.ExprKind + } + return nil +} + +func (m *EvalRequest) GetParsedExpr() *ParsedExpr { + if x, ok := m.GetExprKind().(*EvalRequest_ParsedExpr); ok { + return x.ParsedExpr + } + return nil +} + +func (m *EvalRequest) GetCheckedExpr() *CheckedExpr { + if x, ok := m.GetExprKind().(*EvalRequest_CheckedExpr); ok { + return x.CheckedExpr + } + return nil +} + +func (m *EvalRequest) GetBindings() map[string]*ExprValue { + if m != nil { + return m.Bindings + } + return nil +} + +func (m *EvalRequest) GetContainer() string { + if m != nil { + return m.Container + } + return "" +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*EvalRequest) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*EvalRequest_ParsedExpr)(nil), + (*EvalRequest_CheckedExpr)(nil), + } +} + +// Response message for the Eval method. +type EvalResponse struct { + // The execution result, or unset if execution couldn't start. + Result *ExprValue `protobuf:"bytes,1,opt,name=result,proto3" json:"result,omitempty"` + // Any number of issues with [StatusDetails][] as the details. + // Note that CEL execution errors are reified into + // [ExprValue][google.api.expr.v1alpha1.ExprValue]. Nevertheless, we'll allow + // out-of-band issues to be raised, which also makes the replies more regular. 
+ Issues []*status.Status `protobuf:"bytes,2,rep,name=issues,proto3" json:"issues,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *EvalResponse) Reset() { *m = EvalResponse{} } +func (m *EvalResponse) String() string { return proto.CompactTextString(m) } +func (*EvalResponse) ProtoMessage() {} +func (*EvalResponse) Descriptor() ([]byte, []int) { + return fileDescriptor_b3ca1183e6ceae83, []int{5} +} + +func (m *EvalResponse) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_EvalResponse.Unmarshal(m, b) +} +func (m *EvalResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_EvalResponse.Marshal(b, m, deterministic) +} +func (m *EvalResponse) XXX_Merge(src proto.Message) { + xxx_messageInfo_EvalResponse.Merge(m, src) +} +func (m *EvalResponse) XXX_Size() int { + return xxx_messageInfo_EvalResponse.Size(m) +} +func (m *EvalResponse) XXX_DiscardUnknown() { + xxx_messageInfo_EvalResponse.DiscardUnknown(m) +} + +var xxx_messageInfo_EvalResponse proto.InternalMessageInfo + +func (m *EvalResponse) GetResult() *ExprValue { + if m != nil { + return m.Result + } + return nil +} + +func (m *EvalResponse) GetIssues() []*status.Status { + if m != nil { + return m.Issues + } + return nil +} + +// Warnings or errors in service execution are represented by +// [google.rpc.Status][google.rpc.Status] messages, with the following message +// in the details field. +type IssueDetails struct { + // The severity of the issue. + Severity IssueDetails_Severity `protobuf:"varint,1,opt,name=severity,proto3,enum=google.api.expr.v1alpha1.IssueDetails_Severity" json:"severity,omitempty"` + // Position in the source, if known. + Position *SourcePosition `protobuf:"bytes,2,opt,name=position,proto3" json:"position,omitempty"` + // Expression ID from [Expr][google.api.expr.v1alpha1.Expr], 0 if unknown. 
+ Id int64 `protobuf:"varint,3,opt,name=id,proto3" json:"id,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *IssueDetails) Reset() { *m = IssueDetails{} } +func (m *IssueDetails) String() string { return proto.CompactTextString(m) } +func (*IssueDetails) ProtoMessage() {} +func (*IssueDetails) Descriptor() ([]byte, []int) { + return fileDescriptor_b3ca1183e6ceae83, []int{6} +} + +func (m *IssueDetails) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_IssueDetails.Unmarshal(m, b) +} +func (m *IssueDetails) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_IssueDetails.Marshal(b, m, deterministic) +} +func (m *IssueDetails) XXX_Merge(src proto.Message) { + xxx_messageInfo_IssueDetails.Merge(m, src) +} +func (m *IssueDetails) XXX_Size() int { + return xxx_messageInfo_IssueDetails.Size(m) +} +func (m *IssueDetails) XXX_DiscardUnknown() { + xxx_messageInfo_IssueDetails.DiscardUnknown(m) +} + +var xxx_messageInfo_IssueDetails proto.InternalMessageInfo + +func (m *IssueDetails) GetSeverity() IssueDetails_Severity { + if m != nil { + return m.Severity + } + return IssueDetails_SEVERITY_UNSPECIFIED +} + +func (m *IssueDetails) GetPosition() *SourcePosition { + if m != nil { + return m.Position + } + return nil +} + +func (m *IssueDetails) GetId() int64 { + if m != nil { + return m.Id + } + return 0 +} + +func init() { + proto.RegisterEnum("google.api.expr.v1alpha1.IssueDetails_Severity", IssueDetails_Severity_name, IssueDetails_Severity_value) + proto.RegisterType((*ParseRequest)(nil), "google.api.expr.v1alpha1.ParseRequest") + proto.RegisterType((*ParseResponse)(nil), "google.api.expr.v1alpha1.ParseResponse") + proto.RegisterType((*CheckRequest)(nil), "google.api.expr.v1alpha1.CheckRequest") + proto.RegisterType((*CheckResponse)(nil), "google.api.expr.v1alpha1.CheckResponse") + proto.RegisterType((*EvalRequest)(nil), 
"google.api.expr.v1alpha1.EvalRequest") + proto.RegisterMapType((map[string]*ExprValue)(nil), "google.api.expr.v1alpha1.EvalRequest.BindingsEntry") + proto.RegisterType((*EvalResponse)(nil), "google.api.expr.v1alpha1.EvalResponse") + proto.RegisterType((*IssueDetails)(nil), "google.api.expr.v1alpha1.IssueDetails") +} + +func init() { + proto.RegisterFile("google/api/expr/v1alpha1/conformance_service.proto", fileDescriptor_b3ca1183e6ceae83) +} + +var fileDescriptor_b3ca1183e6ceae83 = []byte{ + // 807 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x55, 0x41, 0x6f, 0xdb, 0x36, + 0x18, 0xb5, 0xe4, 0x24, 0xb5, 0x3f, 0xd9, 0xa9, 0x41, 0x0c, 0xa8, 0x61, 0x64, 0x43, 0xa0, 0x2e, + 0x69, 0xb0, 0x83, 0x84, 0xba, 0x97, 0x75, 0xdd, 0xa5, 0xb1, 0xb5, 0xc6, 0xdb, 0x9a, 0x18, 0x74, + 0x97, 0x62, 0xbd, 0x68, 0x8c, 0xc4, 0xb9, 0x44, 0x14, 0x52, 0x23, 0x65, 0xcd, 0xde, 0x69, 0x18, + 0xb0, 0x7f, 0xb2, 0xfd, 0x9b, 0xfd, 0xa0, 0x1d, 0x07, 0x89, 0xb4, 0x63, 0xb7, 0x50, 0xd2, 0x0c, + 0xbd, 0x49, 0x9f, 0xde, 0x7b, 0xfa, 0xde, 0xe3, 0x47, 0x12, 0xfa, 0x53, 0x21, 0xa6, 0x09, 0xf5, + 0x49, 0xca, 0x7c, 0x3a, 0x4f, 0xa5, 0x9f, 0x3f, 0x26, 0x49, 0xfa, 0x96, 0x3c, 0xf6, 0x23, 0xc1, + 0x7f, 0x16, 0xf2, 0x8a, 0xf0, 0x88, 0x86, 0x8a, 0xca, 0x9c, 0x45, 0xd4, 0x4b, 0xa5, 0xc8, 0x04, + 0xea, 0x6a, 0x8e, 0x47, 0x52, 0xe6, 0x15, 0x1c, 0x6f, 0xc9, 0xe9, 0x1d, 0x56, 0xab, 0xbd, 0xa5, + 0xd1, 0x25, 0x8d, 0xb5, 0x42, 0xef, 0x61, 0x25, 0x8e, 0xe6, 0x24, 0x31, 0xa0, 0x83, 0x4a, 0x90, + 0x5a, 0xf0, 0x8c, 0xcc, 0x0d, 0xec, 0x81, 0x81, 0xc9, 0x34, 0xf2, 0x55, 0x46, 0xb2, 0x99, 0xd2, + 0x1f, 0xdc, 0xbf, 0x2c, 0x68, 0x8d, 0x89, 0x54, 0x14, 0xd3, 0x5f, 0x66, 0x54, 0x65, 0xe8, 0x53, + 0x80, 0x88, 0x26, 0xa1, 0x12, 0x33, 0x19, 0xd1, 0xae, 0xb5, 0x6f, 0x1d, 0x35, 0x71, 0x33, 0xa2, + 0xc9, 0xa4, 0x2c, 0xa0, 0x03, 0xd8, 0xd5, 0xc2, 0x61, 0x4e, 0xa5, 0x62, 0x82, 0x77, 0xed, 0x12, + 0xd2, 0xd6, 0xd5, 0x73, 0x5d, 0x44, 0x8f, 0xe0, 0xbe, 0x56, 0x08, 0x13, 0x11, 
0x91, 0xac, 0xc0, + 0xd5, 0x4b, 0xdc, 0xae, 0x2e, 0x7f, 0x6f, 0xaa, 0x85, 0x5e, 0xcc, 0x14, 0xb9, 0x48, 0x68, 0x78, + 0x45, 0x22, 0x29, 0x54, 0x77, 0x6b, 0xdf, 0x3a, 0x6a, 0xe0, 0xb6, 0xa9, 0xbe, 0x2c, 0x8b, 0xee, + 0x1f, 0x16, 0xb4, 0x4d, 0x9b, 0x2a, 0x15, 0x5c, 0x51, 0x14, 0x80, 0x93, 0x16, 0x85, 0x38, 0x2c, + 0x6c, 0x97, 0x8d, 0x3a, 0xfd, 0xcf, 0xbd, 0xaa, 0xd4, 0xbd, 0x92, 0x1d, 0x07, 0xf3, 0x54, 0x62, + 0x48, 0x57, 0xcf, 0xe8, 0x0b, 0xd8, 0x61, 0x4a, 0xcd, 0xa8, 0xea, 0xda, 0xfb, 0xf5, 0x23, 0xa7, + 0x8f, 0x96, 0x0a, 0x32, 0x8d, 0xbc, 0x49, 0x99, 0x14, 0x36, 0x08, 0xf7, 0x1f, 0x0b, 0x5a, 0x83, + 0x62, 0x89, 0x96, 0x59, 0x7d, 0xa4, 0x1e, 0x9e, 0x42, 0x23, 0x5b, 0xa4, 0x34, 0xa4, 0x3c, 0x37, + 0x5d, 0x7c, 0x56, 0xad, 0x31, 0xa4, 0x51, 0x82, 0xef, 0x15, 0xf8, 0x80, 0xe7, 0x68, 0x0f, 0x9a, + 0x91, 0xe0, 0x19, 0x61, 0x9c, 0x4a, 0x93, 0xf0, 0x75, 0x01, 0xed, 0x01, 0x70, 0x11, 0xaa, 0x2c, + 0x2e, 0xa5, 0x75, 0xb0, 0x0d, 0x2e, 0x26, 0x59, 0x1c, 0xf0, 0xdc, 0xfd, 0xd3, 0x82, 0xb6, 0xb1, + 0x63, 0x32, 0x3d, 0x81, 0x96, 0x19, 0xc1, 0x75, 0x43, 0x07, 0xd5, 0xcd, 0x0c, 0x34, 0xba, 0x74, + 0xe4, 0x44, 0xd7, 0x2f, 0x77, 0x8a, 0xf5, 0xf7, 0x3a, 0x38, 0x41, 0x4e, 0x92, 0x65, 0xaa, 0x2f, + 0xfe, 0x77, 0xaa, 0x27, 0xb5, 0x8d, 0x5c, 0xbf, 0x7d, 0xc7, 0x8e, 0x7d, 0x07, 0x3b, 0x27, 0xb5, + 0x4d, 0x43, 0x67, 0xd0, 0xb8, 0x60, 0x3c, 0x66, 0x7c, 0xaa, 0xba, 0xf5, 0xd2, 0xd2, 0x93, 0x6a, + 0x9d, 0x35, 0x37, 0xde, 0xb1, 0x61, 0x05, 0x3c, 0x93, 0x0b, 0xbc, 0x12, 0xd9, 0x5c, 0xb9, 0xad, + 0x77, 0x56, 0xae, 0xf7, 0x13, 0xb4, 0x37, 0x88, 0xa8, 0x03, 0xf5, 0x4b, 0xba, 0x30, 0xfb, 0xb1, + 0x78, 0x44, 0x4f, 0x61, 0x3b, 0x27, 0xc9, 0x8c, 0x1a, 0x5b, 0x0f, 0x6f, 0x68, 0x67, 0x9e, 0xca, + 0xf3, 0x02, 0x8a, 0x35, 0xe3, 0x2b, 0xfb, 0x4b, 0xeb, 0xd8, 0x81, 0x66, 0x81, 0x0a, 0x2f, 0x19, + 0x8f, 0xdd, 0x5f, 0xa1, 0xa5, 0x7b, 0x36, 0x83, 0xf0, 0x0c, 0x76, 0x24, 0x55, 0xb3, 0x24, 0x33, + 0xe9, 0x7f, 0x90, 0xb8, 0xa1, 0xdc, 0x6d, 0xed, 0x6d, 0x68, 0x8d, 0x8a, 0xc7, 0x21, 0xcd, 0x08, + 0x4b, 0x14, 0xfa, 
0x0e, 0x1a, 0x8a, 0xe6, 0x54, 0xb2, 0x4c, 0x9b, 0xdd, 0xed, 0xfb, 0xd5, 0xff, + 0x5e, 0x67, 0x7a, 0x13, 0x43, 0xc3, 0x2b, 0x01, 0x34, 0x84, 0x46, 0x2a, 0x14, 0xcb, 0x96, 0xc7, + 0x94, 0xd3, 0x3f, 0xaa, 0x16, 0xd3, 0x07, 0xdc, 0xd8, 0xe0, 0xf1, 0x8a, 0x89, 0x76, 0xc1, 0x66, + 0x71, 0xb9, 0xb9, 0xea, 0xd8, 0x66, 0xb1, 0xfb, 0x12, 0x1a, 0xcb, 0x7f, 0xa1, 0x2e, 0x7c, 0x32, + 0x09, 0xce, 0x03, 0x3c, 0x7a, 0xf5, 0x63, 0xf8, 0xc3, 0xe9, 0x64, 0x1c, 0x0c, 0x46, 0xdf, 0x8c, + 0x82, 0x61, 0xa7, 0x86, 0xee, 0x83, 0x33, 0x0c, 0xc6, 0x38, 0x18, 0x3c, 0x7f, 0x35, 0x3a, 0x3b, + 0xed, 0x58, 0xc8, 0x81, 0x7b, 0xaf, 0x9f, 0xe3, 0xd3, 0xd1, 0xe9, 0x8b, 0x8e, 0x8d, 0x9a, 0xb0, + 0x1d, 0x60, 0x7c, 0x86, 0x3b, 0xf5, 0xfe, 0xdf, 0x36, 0xa0, 0xc1, 0xf5, 0x35, 0x32, 0xd1, 0xb7, + 0x08, 0x7a, 0x03, 0xdb, 0xe5, 0x60, 0xa3, 0xc3, 0x5b, 0x26, 0xdf, 0x0c, 0x5a, 0xef, 0xd1, 0xad, + 0x38, 0xbd, 0xb8, 0x6e, 0xad, 0xd0, 0x2e, 0x47, 0xfd, 0x26, 0xed, 0xf5, 0x83, 0xee, 0x26, 0xed, + 0x8d, 0x13, 0xc4, 0xad, 0xa1, 0xd7, 0xb0, 0x55, 0x8c, 0x12, 0x3a, 0xf8, 0xa0, 0xed, 0xd1, 0x3b, + 0xbc, 0x0d, 0xb6, 0x14, 0x3e, 0xfe, 0x0d, 0xf6, 0x22, 0x71, 0x55, 0x09, 0x3f, 0x7e, 0xf0, 0x7e, + 0x88, 0xe3, 0xe2, 0x8a, 0x1b, 0x5b, 0x6f, 0xbe, 0x36, 0xa4, 0xa9, 0x48, 0x08, 0x9f, 0x7a, 0x42, + 0x4e, 0xfd, 0x29, 0xe5, 0xe5, 0x05, 0xe8, 0xeb, 0x4f, 0x24, 0x65, 0xea, 0xfd, 0x3b, 0xf4, 0x59, + 0xf1, 0xf6, 0xaf, 0x65, 0x5d, 0xec, 0x94, 0xd8, 0x27, 0xff, 0x05, 0x00, 0x00, 0xff, 0xff, 0xf9, + 0x66, 0xbb, 0xae, 0x09, 0x08, 0x00, 0x00, +} + +// Reference imports to suppress errors if they are not otherwise used. +var _ context.Context +var _ grpc.ClientConn + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the grpc package it is being compiled against. +const _ = grpc.SupportPackageIsVersion4 + +// ConformanceServiceClient is the client API for ConformanceService service. 
+// +// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream. +type ConformanceServiceClient interface { + // Transforms CEL source text into a parsed representation. + Parse(ctx context.Context, in *ParseRequest, opts ...grpc.CallOption) (*ParseResponse, error) + // Runs static checks on a parsed CEL representation and return + // an annotated representation, or a set of issues. + Check(ctx context.Context, in *CheckRequest, opts ...grpc.CallOption) (*CheckResponse, error) + // Evaluates a parsed or annotation CEL representation given + // values of external bindings. + Eval(ctx context.Context, in *EvalRequest, opts ...grpc.CallOption) (*EvalResponse, error) +} + +type conformanceServiceClient struct { + cc *grpc.ClientConn +} + +func NewConformanceServiceClient(cc *grpc.ClientConn) ConformanceServiceClient { + return &conformanceServiceClient{cc} +} + +func (c *conformanceServiceClient) Parse(ctx context.Context, in *ParseRequest, opts ...grpc.CallOption) (*ParseResponse, error) { + out := new(ParseResponse) + err := c.cc.Invoke(ctx, "/google.api.expr.v1alpha1.ConformanceService/Parse", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *conformanceServiceClient) Check(ctx context.Context, in *CheckRequest, opts ...grpc.CallOption) (*CheckResponse, error) { + out := new(CheckResponse) + err := c.cc.Invoke(ctx, "/google.api.expr.v1alpha1.ConformanceService/Check", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *conformanceServiceClient) Eval(ctx context.Context, in *EvalRequest, opts ...grpc.CallOption) (*EvalResponse, error) { + out := new(EvalResponse) + err := c.cc.Invoke(ctx, "/google.api.expr.v1alpha1.ConformanceService/Eval", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + +// ConformanceServiceServer is the server API for ConformanceService service. 
+type ConformanceServiceServer interface { + // Transforms CEL source text into a parsed representation. + Parse(context.Context, *ParseRequest) (*ParseResponse, error) + // Runs static checks on a parsed CEL representation and return + // an annotated representation, or a set of issues. + Check(context.Context, *CheckRequest) (*CheckResponse, error) + // Evaluates a parsed or annotation CEL representation given + // values of external bindings. + Eval(context.Context, *EvalRequest) (*EvalResponse, error) +} + +func RegisterConformanceServiceServer(s *grpc.Server, srv ConformanceServiceServer) { + s.RegisterService(&_ConformanceService_serviceDesc, srv) +} + +func _ConformanceService_Parse_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ParseRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ConformanceServiceServer).Parse(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/google.api.expr.v1alpha1.ConformanceService/Parse", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ConformanceServiceServer).Parse(ctx, req.(*ParseRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func _ConformanceService_Check_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(CheckRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ConformanceServiceServer).Check(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/google.api.expr.v1alpha1.ConformanceService/Check", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ConformanceServiceServer).Check(ctx, req.(*CheckRequest)) + } + return interceptor(ctx, in, info, handler) +} + +func 
_ConformanceService_Eval_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(EvalRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(ConformanceServiceServer).Eval(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/google.api.expr.v1alpha1.ConformanceService/Eval", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(ConformanceServiceServer).Eval(ctx, req.(*EvalRequest)) + } + return interceptor(ctx, in, info, handler) +} + +var _ConformanceService_serviceDesc = grpc.ServiceDesc{ + ServiceName: "google.api.expr.v1alpha1.ConformanceService", + HandlerType: (*ConformanceServiceServer)(nil), + Methods: []grpc.MethodDesc{ + { + MethodName: "Parse", + Handler: _ConformanceService_Parse_Handler, + }, + { + MethodName: "Check", + Handler: _ConformanceService_Check_Handler, + }, + { + MethodName: "Eval", + Handler: _ConformanceService_Eval_Handler, + }, + }, + Streams: []grpc.StreamDesc{}, + Metadata: "google/api/expr/v1alpha1/conformance_service.proto", +} diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go new file mode 100644 index 0000000000..79d945c7e8 --- /dev/null +++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/eval.pb.go 
@@ -0,0 +1,351 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: google/api/expr/v1alpha1/eval.proto + +package expr + +import ( + fmt "fmt" + math "math" + + proto "github.com/golang/protobuf/proto" + status "google.golang.org/genproto/googleapis/rpc/status" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +// The state of an evaluation. +// +// Can represent an inital, partial, or completed state of evaluation. +type EvalState struct { + // The unique values referenced in this message. + Values []*ExprValue `protobuf:"bytes,1,rep,name=values,proto3" json:"values,omitempty"` + // An ordered list of results. + // + // Tracks the flow of evaluation through the expression. + // May be sparse. 
+ Results []*EvalState_Result `protobuf:"bytes,3,rep,name=results,proto3" json:"results,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *EvalState) Reset() { *m = EvalState{} } +func (m *EvalState) String() string { return proto.CompactTextString(m) } +func (*EvalState) ProtoMessage() {} +func (*EvalState) Descriptor() ([]byte, []int) { + return fileDescriptor_1e95f32326d4b8b7, []int{0} +} + +func (m *EvalState) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_EvalState.Unmarshal(m, b) +} +func (m *EvalState) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_EvalState.Marshal(b, m, deterministic) +} +func (m *EvalState) XXX_Merge(src proto.Message) { + xxx_messageInfo_EvalState.Merge(m, src) +} +func (m *EvalState) XXX_Size() int { + return xxx_messageInfo_EvalState.Size(m) +} +func (m *EvalState) XXX_DiscardUnknown() { + xxx_messageInfo_EvalState.DiscardUnknown(m) +} + +var xxx_messageInfo_EvalState proto.InternalMessageInfo + +func (m *EvalState) GetValues() []*ExprValue { + if m != nil { + return m.Values + } + return nil +} + +func (m *EvalState) GetResults() []*EvalState_Result { + if m != nil { + return m.Results + } + return nil +} + +// A single evalution result. +type EvalState_Result struct { + // The id of the expression this result if for. + Expr int64 `protobuf:"varint,1,opt,name=expr,proto3" json:"expr,omitempty"` + // The index in `values` of the resulting value. 
+ Value int64 `protobuf:"varint,2,opt,name=value,proto3" json:"value,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *EvalState_Result) Reset() { *m = EvalState_Result{} } +func (m *EvalState_Result) String() string { return proto.CompactTextString(m) } +func (*EvalState_Result) ProtoMessage() {} +func (*EvalState_Result) Descriptor() ([]byte, []int) { + return fileDescriptor_1e95f32326d4b8b7, []int{0, 0} +} + +func (m *EvalState_Result) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_EvalState_Result.Unmarshal(m, b) +} +func (m *EvalState_Result) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_EvalState_Result.Marshal(b, m, deterministic) +} +func (m *EvalState_Result) XXX_Merge(src proto.Message) { + xxx_messageInfo_EvalState_Result.Merge(m, src) +} +func (m *EvalState_Result) XXX_Size() int { + return xxx_messageInfo_EvalState_Result.Size(m) +} +func (m *EvalState_Result) XXX_DiscardUnknown() { + xxx_messageInfo_EvalState_Result.DiscardUnknown(m) +} + +var xxx_messageInfo_EvalState_Result proto.InternalMessageInfo + +func (m *EvalState_Result) GetExpr() int64 { + if m != nil { + return m.Expr + } + return 0 +} + +func (m *EvalState_Result) GetValue() int64 { + if m != nil { + return m.Value + } + return 0 +} + +// The value of an evaluated expression. +type ExprValue struct { + // An expression can resolve to a value, error or unknown. 
+ // + // Types that are valid to be assigned to Kind: + // *ExprValue_Value + // *ExprValue_Error + // *ExprValue_Unknown + Kind isExprValue_Kind `protobuf_oneof:"kind"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *ExprValue) Reset() { *m = ExprValue{} } +func (m *ExprValue) String() string { return proto.CompactTextString(m) } +func (*ExprValue) ProtoMessage() {} +func (*ExprValue) Descriptor() ([]byte, []int) { + return fileDescriptor_1e95f32326d4b8b7, []int{1} +} + +func (m *ExprValue) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_ExprValue.Unmarshal(m, b) +} +func (m *ExprValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_ExprValue.Marshal(b, m, deterministic) +} +func (m *ExprValue) XXX_Merge(src proto.Message) { + xxx_messageInfo_ExprValue.Merge(m, src) +} +func (m *ExprValue) XXX_Size() int { + return xxx_messageInfo_ExprValue.Size(m) +} +func (m *ExprValue) XXX_DiscardUnknown() { + xxx_messageInfo_ExprValue.DiscardUnknown(m) +} + +var xxx_messageInfo_ExprValue proto.InternalMessageInfo + +type isExprValue_Kind interface { + isExprValue_Kind() +} + +type ExprValue_Value struct { + Value *Value `protobuf:"bytes,1,opt,name=value,proto3,oneof"` +} + +type ExprValue_Error struct { + Error *ErrorSet `protobuf:"bytes,2,opt,name=error,proto3,oneof"` +} + +type ExprValue_Unknown struct { + Unknown *UnknownSet `protobuf:"bytes,3,opt,name=unknown,proto3,oneof"` +} + +func (*ExprValue_Value) isExprValue_Kind() {} + +func (*ExprValue_Error) isExprValue_Kind() {} + +func (*ExprValue_Unknown) isExprValue_Kind() {} + +func (m *ExprValue) GetKind() isExprValue_Kind { + if m != nil { + return m.Kind + } + return nil +} + +func (m *ExprValue) GetValue() *Value { + if x, ok := m.GetKind().(*ExprValue_Value); ok { + return x.Value + } + return nil +} + +func (m *ExprValue) GetError() *ErrorSet { + if x, ok := m.GetKind().(*ExprValue_Error); ok 
{ + return x.Error + } + return nil +} + +func (m *ExprValue) GetUnknown() *UnknownSet { + if x, ok := m.GetKind().(*ExprValue_Unknown); ok { + return x.Unknown + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*ExprValue) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*ExprValue_Value)(nil), + (*ExprValue_Error)(nil), + (*ExprValue_Unknown)(nil), + } +} + +// A set of errors. +// +// The errors included depend on the context. See `ExprValue.error`. +type ErrorSet struct { + // The errors in the set. + Errors []*status.Status `protobuf:"bytes,1,rep,name=errors,proto3" json:"errors,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *ErrorSet) Reset() { *m = ErrorSet{} } +func (m *ErrorSet) String() string { return proto.CompactTextString(m) } +func (*ErrorSet) ProtoMessage() {} +func (*ErrorSet) Descriptor() ([]byte, []int) { + return fileDescriptor_1e95f32326d4b8b7, []int{2} +} + +func (m *ErrorSet) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_ErrorSet.Unmarshal(m, b) +} +func (m *ErrorSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_ErrorSet.Marshal(b, m, deterministic) +} +func (m *ErrorSet) XXX_Merge(src proto.Message) { + xxx_messageInfo_ErrorSet.Merge(m, src) +} +func (m *ErrorSet) XXX_Size() int { + return xxx_messageInfo_ErrorSet.Size(m) +} +func (m *ErrorSet) XXX_DiscardUnknown() { + xxx_messageInfo_ErrorSet.DiscardUnknown(m) +} + +var xxx_messageInfo_ErrorSet proto.InternalMessageInfo + +func (m *ErrorSet) GetErrors() []*status.Status { + if m != nil { + return m.Errors + } + return nil +} + +// A set of expressions for which the value is unknown. +// +// The unknowns included depend on the context. See `ExprValue.unknown`. +type UnknownSet struct { + // The ids of the expressions with unknown values. 
+ Exprs []int64 `protobuf:"varint,1,rep,packed,name=exprs,proto3" json:"exprs,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *UnknownSet) Reset() { *m = UnknownSet{} } +func (m *UnknownSet) String() string { return proto.CompactTextString(m) } +func (*UnknownSet) ProtoMessage() {} +func (*UnknownSet) Descriptor() ([]byte, []int) { + return fileDescriptor_1e95f32326d4b8b7, []int{3} +} + +func (m *UnknownSet) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_UnknownSet.Unmarshal(m, b) +} +func (m *UnknownSet) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_UnknownSet.Marshal(b, m, deterministic) +} +func (m *UnknownSet) XXX_Merge(src proto.Message) { + xxx_messageInfo_UnknownSet.Merge(m, src) +} +func (m *UnknownSet) XXX_Size() int { + return xxx_messageInfo_UnknownSet.Size(m) +} +func (m *UnknownSet) XXX_DiscardUnknown() { + xxx_messageInfo_UnknownSet.DiscardUnknown(m) +} + +var xxx_messageInfo_UnknownSet proto.InternalMessageInfo + +func (m *UnknownSet) GetExprs() []int64 { + if m != nil { + return m.Exprs + } + return nil +} + +func init() { + proto.RegisterType((*EvalState)(nil), "google.api.expr.v1alpha1.EvalState") + proto.RegisterType((*EvalState_Result)(nil), "google.api.expr.v1alpha1.EvalState.Result") + proto.RegisterType((*ExprValue)(nil), "google.api.expr.v1alpha1.ExprValue") + proto.RegisterType((*ErrorSet)(nil), "google.api.expr.v1alpha1.ErrorSet") + proto.RegisterType((*UnknownSet)(nil), "google.api.expr.v1alpha1.UnknownSet") +} + +func init() { + proto.RegisterFile("google/api/expr/v1alpha1/eval.proto", fileDescriptor_1e95f32326d4b8b7) +} + +var fileDescriptor_1e95f32326d4b8b7 = []byte{ + // 367 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x92, 0xcf, 0x4b, 0xeb, 0x40, + 0x10, 0xc7, 0x5f, 0x5e, 0xda, 0xf4, 0xbd, 0xe9, 0x6d, 0x11, 0x0c, 0x45, 0xb0, 0xa4, 
0x3d, 0x94, + 0x1e, 0x36, 0x34, 0x82, 0x82, 0xf5, 0x20, 0xc5, 0x82, 0xc7, 0x92, 0xa2, 0x07, 0x6f, 0x6b, 0x5d, + 0x62, 0xe8, 0x9a, 0x5d, 0x36, 0x3f, 0xec, 0xdf, 0xe7, 0xd1, 0xbf, 0xc8, 0xa3, 0xec, 0x6c, 0x16, + 0x0f, 0x92, 0xde, 0x3a, 0xbb, 0x9f, 0xcf, 0x77, 0xa6, 0xd9, 0x81, 0x49, 0x26, 0x65, 0x26, 0x78, + 0xcc, 0x54, 0x1e, 0xf3, 0x83, 0xd2, 0x71, 0xb3, 0x60, 0x42, 0xbd, 0xb2, 0x45, 0xcc, 0x1b, 0x26, + 0xa8, 0xd2, 0xb2, 0x92, 0x24, 0xb4, 0x10, 0x65, 0x2a, 0xa7, 0x06, 0xa2, 0x0e, 0x1a, 0x4d, 0x3b, + 0xf5, 0x86, 0x89, 0x9a, 0x5b, 0x7f, 0x74, 0xda, 0x52, 0x5a, 0xed, 0xe2, 0xb2, 0x62, 0x55, 0x5d, + 0xda, 0x8b, 0xe8, 0xc3, 0x83, 0xff, 0xeb, 0x86, 0x89, 0x6d, 0xc5, 0x2a, 0x4e, 0x96, 0x10, 0xa0, + 0x55, 0x86, 0xde, 0xd8, 0x9f, 0x0d, 0x93, 0x09, 0xed, 0xea, 0x4b, 0xd7, 0x07, 0xa5, 0x1f, 0x0d, + 0x9b, 0xb6, 0x0a, 0xb9, 0x83, 0x81, 0xe6, 0x65, 0x2d, 0xaa, 0x32, 0xf4, 0xd1, 0x9e, 0x1f, 0xb1, + 0x5d, 0x4b, 0x9a, 0xa2, 0x92, 0x3a, 0x75, 0x94, 0x40, 0x60, 0x8f, 0x08, 0x81, 0x9e, 0x91, 0x42, + 0x6f, 0xec, 0xcd, 0xfc, 0x14, 0x7f, 0x93, 0x13, 0xe8, 0x63, 0xb7, 0xf0, 0x2f, 0x1e, 0xda, 0x22, + 0xfa, 0x34, 0x7f, 0xc2, 0xcd, 0x43, 0xae, 0x1c, 0x63, 0xc4, 0x61, 0x72, 0xde, 0x3d, 0x05, 0xf2, + 0xf7, 0x7f, 0xda, 0x18, 0x72, 0x0d, 0x7d, 0xae, 0xb5, 0xd4, 0x18, 0x3e, 0x4c, 0xa2, 0x23, 0xe3, + 0x1b, 0x6c, 0xcb, 0x2b, 0xe3, 0xa2, 0x42, 0x6e, 0x61, 0x50, 0x17, 0xfb, 0x42, 0xbe, 0x17, 0xa1, + 0x8f, 0xf6, 0xb4, 0xdb, 0x7e, 0xb0, 0xa0, 0xf5, 0x9d, 0xb6, 0x0a, 0xa0, 0xb7, 0xcf, 0x8b, 0x97, + 0xe8, 0x12, 0xfe, 0xb9, 0x78, 0x32, 0x87, 0x00, 0xe3, 0xdd, 0x7b, 0x10, 0x17, 0xaa, 0xd5, 0x8e, + 0x6e, 0xf1, 0x1d, 0xd3, 0x96, 0x88, 0x22, 0x80, 0x9f, 0x60, 0xf3, 0xa1, 0x4c, 0x53, 0x2b, 0xfa, + 0xa9, 0x2d, 0x56, 0x02, 0xce, 0x76, 0xf2, 0xad, 0x73, 0xb2, 0x15, 0xae, 0xc2, 0xc6, 0x2c, 0xc6, + 0xc6, 0x7b, 0xba, 0x69, 0xb1, 0x4c, 0x0a, 0x56, 0x64, 0x54, 0xea, 0x2c, 0xce, 0x78, 0x81, 0x6b, + 0x13, 0xdb, 0x2b, 0xa6, 0xf2, 0xf2, 0xf7, 0xe2, 0x2d, 0x4d, 0xf5, 0xe5, 0x79, 0xcf, 0x01, 0xb2, + 0x17, 0xdf, 0x01, 0x00, 
0x00, 0xff, 0xff, 0x9d, 0x62, 0xde, 0x1d, 0xe2, 0x02, 0x00, 0x00, +} diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go new file mode 100644 index 0000000000..93f628f0da --- /dev/null +++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/explain.pb.go 
@@ -0,0 +1,162 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: google/api/expr/v1alpha1/explain.proto + +package expr + +import ( + fmt "fmt" + math "math" + + proto "github.com/golang/protobuf/proto" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +// Values of intermediate expressions produced when evaluating expression. +// Deprecated, use `EvalState` instead. +// +// Deprecated: Do not use. +type Explain struct { + // All of the observed values. + // + // The field value_index is an index in the values list. + // Separating values from steps is needed to remove redundant values. + Values []*Value `protobuf:"bytes,1,rep,name=values,proto3" json:"values,omitempty"` + // List of steps. + // + // Repeated evaluations of the same expression generate new ExprStep + // instances. The order of such ExprStep instances matches the order of + // elements returned by Comprehension.iter_range. 
+ ExprSteps []*Explain_ExprStep `protobuf:"bytes,2,rep,name=expr_steps,json=exprSteps,proto3" json:"expr_steps,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Explain) Reset() { *m = Explain{} } +func (m *Explain) String() string { return proto.CompactTextString(m) } +func (*Explain) ProtoMessage() {} +func (*Explain) Descriptor() ([]byte, []int) { + return fileDescriptor_2df9793dd8748e27, []int{0} +} + +func (m *Explain) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Explain.Unmarshal(m, b) +} +func (m *Explain) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Explain.Marshal(b, m, deterministic) +} +func (m *Explain) XXX_Merge(src proto.Message) { + xxx_messageInfo_Explain.Merge(m, src) +} +func (m *Explain) XXX_Size() int { + return xxx_messageInfo_Explain.Size(m) +} +func (m *Explain) XXX_DiscardUnknown() { + xxx_messageInfo_Explain.DiscardUnknown(m) +} + +var xxx_messageInfo_Explain proto.InternalMessageInfo + +func (m *Explain) GetValues() []*Value { + if m != nil { + return m.Values + } + return nil +} + +func (m *Explain) GetExprSteps() []*Explain_ExprStep { + if m != nil { + return m.ExprSteps + } + return nil +} + +// ID and value index of one step. +type Explain_ExprStep struct { + // ID of corresponding Expr node. + Id int64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"` + // Index of the value in the values list. 
+ ValueIndex int32 `protobuf:"varint,2,opt,name=value_index,json=valueIndex,proto3" json:"value_index,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Explain_ExprStep) Reset() { *m = Explain_ExprStep{} } +func (m *Explain_ExprStep) String() string { return proto.CompactTextString(m) } +func (*Explain_ExprStep) ProtoMessage() {} +func (*Explain_ExprStep) Descriptor() ([]byte, []int) { + return fileDescriptor_2df9793dd8748e27, []int{0, 0} +} + +func (m *Explain_ExprStep) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Explain_ExprStep.Unmarshal(m, b) +} +func (m *Explain_ExprStep) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Explain_ExprStep.Marshal(b, m, deterministic) +} +func (m *Explain_ExprStep) XXX_Merge(src proto.Message) { + xxx_messageInfo_Explain_ExprStep.Merge(m, src) +} +func (m *Explain_ExprStep) XXX_Size() int { + return xxx_messageInfo_Explain_ExprStep.Size(m) +} +func (m *Explain_ExprStep) XXX_DiscardUnknown() { + xxx_messageInfo_Explain_ExprStep.DiscardUnknown(m) +} + +var xxx_messageInfo_Explain_ExprStep proto.InternalMessageInfo + +func (m *Explain_ExprStep) GetId() int64 { + if m != nil { + return m.Id + } + return 0 +} + +func (m *Explain_ExprStep) GetValueIndex() int32 { + if m != nil { + return m.ValueIndex + } + return 0 +} + +func init() { + proto.RegisterType((*Explain)(nil), "google.api.expr.v1alpha1.Explain") + proto.RegisterType((*Explain_ExprStep)(nil), "google.api.expr.v1alpha1.Explain.ExprStep") +} + +func init() { + proto.RegisterFile("google/api/expr/v1alpha1/explain.proto", fileDescriptor_2df9793dd8748e27) +} + +var fileDescriptor_2df9793dd8748e27 = []byte{ + // 261 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x74, 0x90, 0xb1, 0x4b, 0x03, 0x31, + 0x14, 0xc6, 0x79, 0x29, 0x56, 0x7d, 0x15, 0x87, 0x4c, 0xa1, 0x08, 0x3d, 0x44, 0xe4, 0x70, 
0x48, + 0xa8, 0x0e, 0x82, 0x75, 0x2a, 0x38, 0x74, 0x2b, 0x27, 0x38, 0xb8, 0x94, 0xe8, 0x85, 0x18, 0x88, + 0x97, 0x70, 0x39, 0x4b, 0xff, 0x4a, 0xff, 0x1e, 0x47, 0x49, 0x2e, 0x37, 0x95, 0x9b, 0xee, 0xde, + 0xfb, 0x7e, 0xdf, 0xf7, 0x91, 0x87, 0xb7, 0xda, 0x39, 0x6d, 0x95, 0x90, 0xde, 0x08, 0x75, 0xf0, + 0xad, 0xd8, 0x2f, 0xa5, 0xf5, 0x5f, 0x72, 0x19, 0x27, 0x2b, 0x4d, 0xc3, 0x7d, 0xeb, 0x3a, 0x47, + 0x59, 0xcf, 0x71, 0xe9, 0x0d, 0x8f, 0x1c, 0x1f, 0xb8, 0xf9, 0xcd, 0x68, 0xc2, 0x5e, 0xda, 0x1f, + 0xd5, 0xfb, 0xaf, 0x7f, 0x01, 0x4f, 0x5f, 0xfa, 0x44, 0xfa, 0x88, 0xd3, 0x24, 0x05, 0x06, 0xc5, + 0xa4, 0x9c, 0xdd, 0x2f, 0xf8, 0x58, 0x38, 0x7f, 0x8b, 0x5c, 0x95, 0x71, 0xba, 0x41, 0x8c, 0xf2, + 0x2e, 0x74, 0xca, 0x07, 0x46, 0x92, 0xf9, 0x6e, 0xdc, 0x9c, 0xfb, 0xe2, 0xb7, 0x7d, 0xed, 0x94, + 0xaf, 0xce, 0x55, 0xfe, 0x0b, 0xf3, 0x15, 0x9e, 0x0d, 0x6b, 0x7a, 0x89, 0xc4, 0xd4, 0x0c, 0x0a, + 0x28, 0x27, 0x15, 0x31, 0x35, 0x5d, 0xe0, 0x2c, 0x15, 0xee, 0x4c, 0x53, 0xab, 0x03, 0x23, 0x05, + 0x94, 0x27, 0x15, 0xa6, 0xd5, 0x26, 0x6e, 0x9e, 0x08, 0x83, 0xb5, 0xc3, 0xab, 0x4f, 0xf7, 0x3d, + 0x5a, 0xbe, 0xbe, 0xc8, 0xed, 0xdb, 0xf8, 0xfc, 0x2d, 0xbc, 0x3f, 0x67, 0x52, 0x3b, 0x2b, 0x1b, + 0xcd, 0x5d, 0xab, 0x85, 0x56, 0x4d, 0x3a, 0x8e, 0xe8, 0x25, 0xe9, 0x4d, 0x38, 0xbe, 0xe2, 0x2a, + 0x4e, 0x7f, 0x00, 0x1f, 0xd3, 0xc4, 0x3e, 0xfc, 0x07, 0x00, 0x00, 0xff, 0xff, 0x34, 0xf2, 0xb9, + 0x9e, 0xb2, 0x01, 0x00, 0x00, +} diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go new file mode 100644 index 0000000000..7f13ff0927 --- /dev/null +++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/syntax.pb.go 
@@ -0,0 +1,1208 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: google/api/expr/v1alpha1/syntax.proto + +package expr + +import ( + fmt "fmt" + math "math" + + proto "github.com/golang/protobuf/proto" + duration "github.com/golang/protobuf/ptypes/duration" + _struct "github.com/golang/protobuf/ptypes/struct" + timestamp "github.com/golang/protobuf/ptypes/timestamp" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +// An expression together with source information as returned by the parser. +type ParsedExpr struct { + // The parsed expression. + Expr *Expr `protobuf:"bytes,2,opt,name=expr,proto3" json:"expr,omitempty"` + // The source info derived from input that generated the parsed `expr`. 
+ SourceInfo *SourceInfo `protobuf:"bytes,3,opt,name=source_info,json=sourceInfo,proto3" json:"source_info,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *ParsedExpr) Reset() { *m = ParsedExpr{} } +func (m *ParsedExpr) String() string { return proto.CompactTextString(m) } +func (*ParsedExpr) ProtoMessage() {} +func (*ParsedExpr) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{0} +} + +func (m *ParsedExpr) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_ParsedExpr.Unmarshal(m, b) +} +func (m *ParsedExpr) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_ParsedExpr.Marshal(b, m, deterministic) +} +func (m *ParsedExpr) XXX_Merge(src proto.Message) { + xxx_messageInfo_ParsedExpr.Merge(m, src) +} +func (m *ParsedExpr) XXX_Size() int { + return xxx_messageInfo_ParsedExpr.Size(m) +} +func (m *ParsedExpr) XXX_DiscardUnknown() { + xxx_messageInfo_ParsedExpr.DiscardUnknown(m) +} + +var xxx_messageInfo_ParsedExpr proto.InternalMessageInfo + +func (m *ParsedExpr) GetExpr() *Expr { + if m != nil { + return m.Expr + } + return nil +} + +func (m *ParsedExpr) GetSourceInfo() *SourceInfo { + if m != nil { + return m.SourceInfo + } + return nil +} + +// An abstract representation of a common expression. +// +// Expressions are abstractly represented as a collection of identifiers, +// select statements, function calls, literals, and comprehensions. All +// operators with the exception of the '.' operator are modelled as function +// calls. This makes it easy to represent new operators into the existing AST. +// +// All references within expressions must resolve to a +// [Decl][google.api.expr.v1alpha1.Decl] provided at type-check for an +// expression to be valid. A reference may either be a bare identifier `name` or +// a qualified identifier `google.api.name`. 
References may either refer to a +// value or a function declaration. +// +// For example, the expression `google.api.name.startsWith('expr')` references +// the declaration `google.api.name` within a +// [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression, and the +// function declaration `startsWith`. +type Expr struct { + // Required. An id assigned to this node by the parser which is unique in a + // given expression tree. This is used to associate type information and other + // attributes to a node in the parse tree. + Id int64 `protobuf:"varint,2,opt,name=id,proto3" json:"id,omitempty"` + // Required. Variants of expressions. + // + // Types that are valid to be assigned to ExprKind: + // *Expr_ConstExpr + // *Expr_IdentExpr + // *Expr_SelectExpr + // *Expr_CallExpr + // *Expr_ListExpr + // *Expr_StructExpr + // *Expr_ComprehensionExpr + ExprKind isExpr_ExprKind `protobuf_oneof:"expr_kind"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Expr) Reset() { *m = Expr{} } +func (m *Expr) String() string { return proto.CompactTextString(m) } +func (*Expr) ProtoMessage() {} +func (*Expr) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{1} +} + +func (m *Expr) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Expr.Unmarshal(m, b) +} +func (m *Expr) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Expr.Marshal(b, m, deterministic) +} +func (m *Expr) XXX_Merge(src proto.Message) { + xxx_messageInfo_Expr.Merge(m, src) +} +func (m *Expr) XXX_Size() int { + return xxx_messageInfo_Expr.Size(m) +} +func (m *Expr) XXX_DiscardUnknown() { + xxx_messageInfo_Expr.DiscardUnknown(m) +} + +var xxx_messageInfo_Expr proto.InternalMessageInfo + +func (m *Expr) GetId() int64 { + if m != nil { + return m.Id + } + return 0 +} + +type isExpr_ExprKind interface { + isExpr_ExprKind() +} + +type Expr_ConstExpr struct { + 
ConstExpr *Constant `protobuf:"bytes,3,opt,name=const_expr,json=constExpr,proto3,oneof"` +} + +type Expr_IdentExpr struct { + IdentExpr *Expr_Ident `protobuf:"bytes,4,opt,name=ident_expr,json=identExpr,proto3,oneof"` +} + +type Expr_SelectExpr struct { + SelectExpr *Expr_Select `protobuf:"bytes,5,opt,name=select_expr,json=selectExpr,proto3,oneof"` +} + +type Expr_CallExpr struct { + CallExpr *Expr_Call `protobuf:"bytes,6,opt,name=call_expr,json=callExpr,proto3,oneof"` +} + +type Expr_ListExpr struct { + ListExpr *Expr_CreateList `protobuf:"bytes,7,opt,name=list_expr,json=listExpr,proto3,oneof"` +} + +type Expr_StructExpr struct { + StructExpr *Expr_CreateStruct `protobuf:"bytes,8,opt,name=struct_expr,json=structExpr,proto3,oneof"` +} + +type Expr_ComprehensionExpr struct { + ComprehensionExpr *Expr_Comprehension `protobuf:"bytes,9,opt,name=comprehension_expr,json=comprehensionExpr,proto3,oneof"` +} + +func (*Expr_ConstExpr) isExpr_ExprKind() {} + +func (*Expr_IdentExpr) isExpr_ExprKind() {} + +func (*Expr_SelectExpr) isExpr_ExprKind() {} + +func (*Expr_CallExpr) isExpr_ExprKind() {} + +func (*Expr_ListExpr) isExpr_ExprKind() {} + +func (*Expr_StructExpr) isExpr_ExprKind() {} + +func (*Expr_ComprehensionExpr) isExpr_ExprKind() {} + +func (m *Expr) GetExprKind() isExpr_ExprKind { + if m != nil { + return m.ExprKind + } + return nil +} + +func (m *Expr) GetConstExpr() *Constant { + if x, ok := m.GetExprKind().(*Expr_ConstExpr); ok { + return x.ConstExpr + } + return nil +} + +func (m *Expr) GetIdentExpr() *Expr_Ident { + if x, ok := m.GetExprKind().(*Expr_IdentExpr); ok { + return x.IdentExpr + } + return nil +} + +func (m *Expr) GetSelectExpr() *Expr_Select { + if x, ok := m.GetExprKind().(*Expr_SelectExpr); ok { + return x.SelectExpr + } + return nil +} + +func (m *Expr) GetCallExpr() *Expr_Call { + if x, ok := m.GetExprKind().(*Expr_CallExpr); ok { + return x.CallExpr + } + return nil +} + +func (m *Expr) GetListExpr() *Expr_CreateList { + if x, ok := 
m.GetExprKind().(*Expr_ListExpr); ok { + return x.ListExpr + } + return nil +} + +func (m *Expr) GetStructExpr() *Expr_CreateStruct { + if x, ok := m.GetExprKind().(*Expr_StructExpr); ok { + return x.StructExpr + } + return nil +} + +func (m *Expr) GetComprehensionExpr() *Expr_Comprehension { + if x, ok := m.GetExprKind().(*Expr_ComprehensionExpr); ok { + return x.ComprehensionExpr + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*Expr) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*Expr_ConstExpr)(nil), + (*Expr_IdentExpr)(nil), + (*Expr_SelectExpr)(nil), + (*Expr_CallExpr)(nil), + (*Expr_ListExpr)(nil), + (*Expr_StructExpr)(nil), + (*Expr_ComprehensionExpr)(nil), + } +} + +// An identifier expression. e.g. `request`. +type Expr_Ident struct { + // Required. Holds a single, unqualified identifier, possibly preceded by a + // '.'. + // + // Qualified names are represented by the + // [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression. 
+ Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Expr_Ident) Reset() { *m = Expr_Ident{} } +func (m *Expr_Ident) String() string { return proto.CompactTextString(m) } +func (*Expr_Ident) ProtoMessage() {} +func (*Expr_Ident) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{1, 0} +} + +func (m *Expr_Ident) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Expr_Ident.Unmarshal(m, b) +} +func (m *Expr_Ident) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Expr_Ident.Marshal(b, m, deterministic) +} +func (m *Expr_Ident) XXX_Merge(src proto.Message) { + xxx_messageInfo_Expr_Ident.Merge(m, src) +} +func (m *Expr_Ident) XXX_Size() int { + return xxx_messageInfo_Expr_Ident.Size(m) +} +func (m *Expr_Ident) XXX_DiscardUnknown() { + xxx_messageInfo_Expr_Ident.DiscardUnknown(m) +} + +var xxx_messageInfo_Expr_Ident proto.InternalMessageInfo + +func (m *Expr_Ident) GetName() string { + if m != nil { + return m.Name + } + return "" +} + +// A field selection expression. e.g. `request.auth`. +type Expr_Select struct { + // Required. The target of the selection expression. + // + // For example, in the select expression `request.auth`, the `request` + // portion of the expression is the `operand`. + Operand *Expr `protobuf:"bytes,1,opt,name=operand,proto3" json:"operand,omitempty"` + // Required. The name of the field to select. + // + // For example, in the select expression `request.auth`, the `auth` portion + // of the expression would be the `field`. + Field string `protobuf:"bytes,2,opt,name=field,proto3" json:"field,omitempty"` + // Whether the select is to be interpreted as a field presence test. + // + // This results from the macro `has(request.auth)`. 
+ TestOnly bool `protobuf:"varint,3,opt,name=test_only,json=testOnly,proto3" json:"test_only,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Expr_Select) Reset() { *m = Expr_Select{} } +func (m *Expr_Select) String() string { return proto.CompactTextString(m) } +func (*Expr_Select) ProtoMessage() {} +func (*Expr_Select) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{1, 1} +} + +func (m *Expr_Select) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Expr_Select.Unmarshal(m, b) +} +func (m *Expr_Select) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Expr_Select.Marshal(b, m, deterministic) +} +func (m *Expr_Select) XXX_Merge(src proto.Message) { + xxx_messageInfo_Expr_Select.Merge(m, src) +} +func (m *Expr_Select) XXX_Size() int { + return xxx_messageInfo_Expr_Select.Size(m) +} +func (m *Expr_Select) XXX_DiscardUnknown() { + xxx_messageInfo_Expr_Select.DiscardUnknown(m) +} + +var xxx_messageInfo_Expr_Select proto.InternalMessageInfo + +func (m *Expr_Select) GetOperand() *Expr { + if m != nil { + return m.Operand + } + return nil +} + +func (m *Expr_Select) GetField() string { + if m != nil { + return m.Field + } + return "" +} + +func (m *Expr_Select) GetTestOnly() bool { + if m != nil { + return m.TestOnly + } + return false +} + +// A call expression, including calls to predefined functions and operators. +// +// For example, `value == 10`, `size(map_value)`. +type Expr_Call struct { + // The target of an method call-style expression. For example, `x` in + // `x.f()`. + Target *Expr `protobuf:"bytes,1,opt,name=target,proto3" json:"target,omitempty"` + // Required. The name of the function or method being called. + Function string `protobuf:"bytes,2,opt,name=function,proto3" json:"function,omitempty"` + // The arguments. 
+ Args []*Expr `protobuf:"bytes,3,rep,name=args,proto3" json:"args,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Expr_Call) Reset() { *m = Expr_Call{} } +func (m *Expr_Call) String() string { return proto.CompactTextString(m) } +func (*Expr_Call) ProtoMessage() {} +func (*Expr_Call) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{1, 2} +} + +func (m *Expr_Call) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Expr_Call.Unmarshal(m, b) +} +func (m *Expr_Call) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Expr_Call.Marshal(b, m, deterministic) +} +func (m *Expr_Call) XXX_Merge(src proto.Message) { + xxx_messageInfo_Expr_Call.Merge(m, src) +} +func (m *Expr_Call) XXX_Size() int { + return xxx_messageInfo_Expr_Call.Size(m) +} +func (m *Expr_Call) XXX_DiscardUnknown() { + xxx_messageInfo_Expr_Call.DiscardUnknown(m) +} + +var xxx_messageInfo_Expr_Call proto.InternalMessageInfo + +func (m *Expr_Call) GetTarget() *Expr { + if m != nil { + return m.Target + } + return nil +} + +func (m *Expr_Call) GetFunction() string { + if m != nil { + return m.Function + } + return "" +} + +func (m *Expr_Call) GetArgs() []*Expr { + if m != nil { + return m.Args + } + return nil +} + +// A list creation expression. +// +// Lists may either be homogenous, e.g. `[1, 2, 3]`, or heterogenous, e.g. +// `dyn([1, 'hello', 2.0])` +type Expr_CreateList struct { + // The elements part of the list. 
+ Elements []*Expr `protobuf:"bytes,1,rep,name=elements,proto3" json:"elements,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Expr_CreateList) Reset() { *m = Expr_CreateList{} } +func (m *Expr_CreateList) String() string { return proto.CompactTextString(m) } +func (*Expr_CreateList) ProtoMessage() {} +func (*Expr_CreateList) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{1, 3} +} + +func (m *Expr_CreateList) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Expr_CreateList.Unmarshal(m, b) +} +func (m *Expr_CreateList) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Expr_CreateList.Marshal(b, m, deterministic) +} +func (m *Expr_CreateList) XXX_Merge(src proto.Message) { + xxx_messageInfo_Expr_CreateList.Merge(m, src) +} +func (m *Expr_CreateList) XXX_Size() int { + return xxx_messageInfo_Expr_CreateList.Size(m) +} +func (m *Expr_CreateList) XXX_DiscardUnknown() { + xxx_messageInfo_Expr_CreateList.DiscardUnknown(m) +} + +var xxx_messageInfo_Expr_CreateList proto.InternalMessageInfo + +func (m *Expr_CreateList) GetElements() []*Expr { + if m != nil { + return m.Elements + } + return nil +} + +// A map or message creation expression. +// +// Maps are constructed as `{'key_name': 'value'}`. Message construction is +// similar, but prefixed with a type name and composed of field ids: +// `types.MyType{field_id: 'value'}`. +type Expr_CreateStruct struct { + // The type name of the message to be created, empty when creating map + // literals. + MessageName string `protobuf:"bytes,1,opt,name=message_name,json=messageName,proto3" json:"message_name,omitempty"` + // The entries in the creation expression. 
+ Entries []*Expr_CreateStruct_Entry `protobuf:"bytes,2,rep,name=entries,proto3" json:"entries,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Expr_CreateStruct) Reset() { *m = Expr_CreateStruct{} } +func (m *Expr_CreateStruct) String() string { return proto.CompactTextString(m) } +func (*Expr_CreateStruct) ProtoMessage() {} +func (*Expr_CreateStruct) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{1, 4} +} + +func (m *Expr_CreateStruct) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Expr_CreateStruct.Unmarshal(m, b) +} +func (m *Expr_CreateStruct) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Expr_CreateStruct.Marshal(b, m, deterministic) +} +func (m *Expr_CreateStruct) XXX_Merge(src proto.Message) { + xxx_messageInfo_Expr_CreateStruct.Merge(m, src) +} +func (m *Expr_CreateStruct) XXX_Size() int { + return xxx_messageInfo_Expr_CreateStruct.Size(m) +} +func (m *Expr_CreateStruct) XXX_DiscardUnknown() { + xxx_messageInfo_Expr_CreateStruct.DiscardUnknown(m) +} + +var xxx_messageInfo_Expr_CreateStruct proto.InternalMessageInfo + +func (m *Expr_CreateStruct) GetMessageName() string { + if m != nil { + return m.MessageName + } + return "" +} + +func (m *Expr_CreateStruct) GetEntries() []*Expr_CreateStruct_Entry { + if m != nil { + return m.Entries + } + return nil +} + +// Represents an entry. +type Expr_CreateStruct_Entry struct { + // Required. An id assigned to this node by the parser which is unique + // in a given expression tree. This is used to associate type + // information and other attributes to the node. + Id int64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"` + // The `Entry` key kinds. 
+ // + // Types that are valid to be assigned to KeyKind: + // *Expr_CreateStruct_Entry_FieldKey + // *Expr_CreateStruct_Entry_MapKey + KeyKind isExpr_CreateStruct_Entry_KeyKind `protobuf_oneof:"key_kind"` + // Required. The value assigned to the key. + Value *Expr `protobuf:"bytes,4,opt,name=value,proto3" json:"value,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Expr_CreateStruct_Entry) Reset() { *m = Expr_CreateStruct_Entry{} } +func (m *Expr_CreateStruct_Entry) String() string { return proto.CompactTextString(m) } +func (*Expr_CreateStruct_Entry) ProtoMessage() {} +func (*Expr_CreateStruct_Entry) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{1, 4, 0} +} + +func (m *Expr_CreateStruct_Entry) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Expr_CreateStruct_Entry.Unmarshal(m, b) +} +func (m *Expr_CreateStruct_Entry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Expr_CreateStruct_Entry.Marshal(b, m, deterministic) +} +func (m *Expr_CreateStruct_Entry) XXX_Merge(src proto.Message) { + xxx_messageInfo_Expr_CreateStruct_Entry.Merge(m, src) +} +func (m *Expr_CreateStruct_Entry) XXX_Size() int { + return xxx_messageInfo_Expr_CreateStruct_Entry.Size(m) +} +func (m *Expr_CreateStruct_Entry) XXX_DiscardUnknown() { + xxx_messageInfo_Expr_CreateStruct_Entry.DiscardUnknown(m) +} + +var xxx_messageInfo_Expr_CreateStruct_Entry proto.InternalMessageInfo + +func (m *Expr_CreateStruct_Entry) GetId() int64 { + if m != nil { + return m.Id + } + return 0 +} + +type isExpr_CreateStruct_Entry_KeyKind interface { + isExpr_CreateStruct_Entry_KeyKind() +} + +type Expr_CreateStruct_Entry_FieldKey struct { + FieldKey string `protobuf:"bytes,2,opt,name=field_key,json=fieldKey,proto3,oneof"` +} + +type Expr_CreateStruct_Entry_MapKey struct { + MapKey *Expr `protobuf:"bytes,3,opt,name=map_key,json=mapKey,proto3,oneof"` +} 
+ +func (*Expr_CreateStruct_Entry_FieldKey) isExpr_CreateStruct_Entry_KeyKind() {} + +func (*Expr_CreateStruct_Entry_MapKey) isExpr_CreateStruct_Entry_KeyKind() {} + +func (m *Expr_CreateStruct_Entry) GetKeyKind() isExpr_CreateStruct_Entry_KeyKind { + if m != nil { + return m.KeyKind + } + return nil +} + +func (m *Expr_CreateStruct_Entry) GetFieldKey() string { + if x, ok := m.GetKeyKind().(*Expr_CreateStruct_Entry_FieldKey); ok { + return x.FieldKey + } + return "" +} + +func (m *Expr_CreateStruct_Entry) GetMapKey() *Expr { + if x, ok := m.GetKeyKind().(*Expr_CreateStruct_Entry_MapKey); ok { + return x.MapKey + } + return nil +} + +func (m *Expr_CreateStruct_Entry) GetValue() *Expr { + if m != nil { + return m.Value + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*Expr_CreateStruct_Entry) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*Expr_CreateStruct_Entry_FieldKey)(nil), + (*Expr_CreateStruct_Entry_MapKey)(nil), + } +} + +// A comprehension expression applied to a list or map. +// +// Comprehensions are not part of the core syntax, but enabled with macros. +// A macro matches a specific call signature within a parsed AST and replaces +// the call with an alternate AST block. Macro expansion happens at parse +// time. +// +// The following macros are supported within CEL: +// +// Aggregate type macros may be applied to all elements in a list or all keys +// in a map: +// +// * `all`, `exists`, `exists_one` - test a predicate expression against +// the inputs and return `true` if the predicate is satisfied for all, +// any, or only one value `list.all(x, x < 10)`. +// * `filter` - test a predicate expression against the inputs and return +// the subset of elements which satisfy the predicate: +// `payments.filter(p, p > 1000)`. +// * `map` - apply an expression to all elements in the input and return the +// output aggregate type: `[1, 2, 3].map(i, i * i)`. 
+// +// The `has(m.x)` macro tests whether the property `x` is present in struct +// `m`. The semantics of this macro depend on the type of `m`. For proto2 +// messages `has(m.x)` is defined as 'defined, but not set`. For proto3, the +// macro tests whether the property is set to its default. For map and struct +// types, the macro tests whether the property `x` is defined on `m`. +type Expr_Comprehension struct { + // The name of the iteration variable. + IterVar string `protobuf:"bytes,1,opt,name=iter_var,json=iterVar,proto3" json:"iter_var,omitempty"` + // The range over which var iterates. + IterRange *Expr `protobuf:"bytes,2,opt,name=iter_range,json=iterRange,proto3" json:"iter_range,omitempty"` + // The name of the variable used for accumulation of the result. + AccuVar string `protobuf:"bytes,3,opt,name=accu_var,json=accuVar,proto3" json:"accu_var,omitempty"` + // The initial value of the accumulator. + AccuInit *Expr `protobuf:"bytes,4,opt,name=accu_init,json=accuInit,proto3" json:"accu_init,omitempty"` + // An expression which can contain iter_var and accu_var. + // + // Returns false when the result has been computed and may be used as + // a hint to short-circuit the remainder of the comprehension. + LoopCondition *Expr `protobuf:"bytes,5,opt,name=loop_condition,json=loopCondition,proto3" json:"loop_condition,omitempty"` + // An expression which can contain iter_var and accu_var. + // + // Computes the next value of accu_var. + LoopStep *Expr `protobuf:"bytes,6,opt,name=loop_step,json=loopStep,proto3" json:"loop_step,omitempty"` + // An expression which can contain accu_var. + // + // Computes the result. 
+ Result *Expr `protobuf:"bytes,7,opt,name=result,proto3" json:"result,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Expr_Comprehension) Reset() { *m = Expr_Comprehension{} } +func (m *Expr_Comprehension) String() string { return proto.CompactTextString(m) } +func (*Expr_Comprehension) ProtoMessage() {} +func (*Expr_Comprehension) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{1, 5} +} + +func (m *Expr_Comprehension) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Expr_Comprehension.Unmarshal(m, b) +} +func (m *Expr_Comprehension) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Expr_Comprehension.Marshal(b, m, deterministic) +} +func (m *Expr_Comprehension) XXX_Merge(src proto.Message) { + xxx_messageInfo_Expr_Comprehension.Merge(m, src) +} +func (m *Expr_Comprehension) XXX_Size() int { + return xxx_messageInfo_Expr_Comprehension.Size(m) +} +func (m *Expr_Comprehension) XXX_DiscardUnknown() { + xxx_messageInfo_Expr_Comprehension.DiscardUnknown(m) +} + +var xxx_messageInfo_Expr_Comprehension proto.InternalMessageInfo + +func (m *Expr_Comprehension) GetIterVar() string { + if m != nil { + return m.IterVar + } + return "" +} + +func (m *Expr_Comprehension) GetIterRange() *Expr { + if m != nil { + return m.IterRange + } + return nil +} + +func (m *Expr_Comprehension) GetAccuVar() string { + if m != nil { + return m.AccuVar + } + return "" +} + +func (m *Expr_Comprehension) GetAccuInit() *Expr { + if m != nil { + return m.AccuInit + } + return nil +} + +func (m *Expr_Comprehension) GetLoopCondition() *Expr { + if m != nil { + return m.LoopCondition + } + return nil +} + +func (m *Expr_Comprehension) GetLoopStep() *Expr { + if m != nil { + return m.LoopStep + } + return nil +} + +func (m *Expr_Comprehension) GetResult() *Expr { + if m != nil { + return m.Result + } + return nil +} + +// Represents a 
primitive literal. +// +// Named 'Constant' here for backwards compatibility. +// +// This is similar as the primitives supported in the well-known type +// `google.protobuf.Value`, but richer so it can represent CEL's full range of +// primitives. +// +// Lists and structs are not included as constants as these aggregate types may +// contain [Expr][google.api.expr.v1alpha1.Expr] elements which require +// evaluation and are thus not constant. +// +// Examples of literals include: `"hello"`, `b'bytes'`, `1u`, `4.2`, `-2`, +// `true`, `null`. +type Constant struct { + // Required. The valid constant kinds. + // + // Types that are valid to be assigned to ConstantKind: + // *Constant_NullValue + // *Constant_BoolValue + // *Constant_Int64Value + // *Constant_Uint64Value + // *Constant_DoubleValue + // *Constant_StringValue + // *Constant_BytesValue + // *Constant_DurationValue + // *Constant_TimestampValue + ConstantKind isConstant_ConstantKind `protobuf_oneof:"constant_kind"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Constant) Reset() { *m = Constant{} } +func (m *Constant) String() string { return proto.CompactTextString(m) } +func (*Constant) ProtoMessage() {} +func (*Constant) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{2} +} + +func (m *Constant) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Constant.Unmarshal(m, b) +} +func (m *Constant) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Constant.Marshal(b, m, deterministic) +} +func (m *Constant) XXX_Merge(src proto.Message) { + xxx_messageInfo_Constant.Merge(m, src) +} +func (m *Constant) XXX_Size() int { + return xxx_messageInfo_Constant.Size(m) +} +func (m *Constant) XXX_DiscardUnknown() { + xxx_messageInfo_Constant.DiscardUnknown(m) +} + +var xxx_messageInfo_Constant proto.InternalMessageInfo + +type isConstant_ConstantKind interface { + 
isConstant_ConstantKind() +} + +type Constant_NullValue struct { + NullValue _struct.NullValue `protobuf:"varint,1,opt,name=null_value,json=nullValue,proto3,enum=google.protobuf.NullValue,oneof"` +} + +type Constant_BoolValue struct { + BoolValue bool `protobuf:"varint,2,opt,name=bool_value,json=boolValue,proto3,oneof"` +} + +type Constant_Int64Value struct { + Int64Value int64 `protobuf:"varint,3,opt,name=int64_value,json=int64Value,proto3,oneof"` +} + +type Constant_Uint64Value struct { + Uint64Value uint64 `protobuf:"varint,4,opt,name=uint64_value,json=uint64Value,proto3,oneof"` +} + +type Constant_DoubleValue struct { + DoubleValue float64 `protobuf:"fixed64,5,opt,name=double_value,json=doubleValue,proto3,oneof"` +} + +type Constant_StringValue struct { + StringValue string `protobuf:"bytes,6,opt,name=string_value,json=stringValue,proto3,oneof"` +} + +type Constant_BytesValue struct { + BytesValue []byte `protobuf:"bytes,7,opt,name=bytes_value,json=bytesValue,proto3,oneof"` +} + +type Constant_DurationValue struct { + DurationValue *duration.Duration `protobuf:"bytes,8,opt,name=duration_value,json=durationValue,proto3,oneof"` +} + +type Constant_TimestampValue struct { + TimestampValue *timestamp.Timestamp `protobuf:"bytes,9,opt,name=timestamp_value,json=timestampValue,proto3,oneof"` +} + +func (*Constant_NullValue) isConstant_ConstantKind() {} + +func (*Constant_BoolValue) isConstant_ConstantKind() {} + +func (*Constant_Int64Value) isConstant_ConstantKind() {} + +func (*Constant_Uint64Value) isConstant_ConstantKind() {} + +func (*Constant_DoubleValue) isConstant_ConstantKind() {} + +func (*Constant_StringValue) isConstant_ConstantKind() {} + +func (*Constant_BytesValue) isConstant_ConstantKind() {} + +func (*Constant_DurationValue) isConstant_ConstantKind() {} + +func (*Constant_TimestampValue) isConstant_ConstantKind() {} + +func (m *Constant) GetConstantKind() isConstant_ConstantKind { + if m != nil { + return m.ConstantKind + } + return nil +} + +func (m 
*Constant) GetNullValue() _struct.NullValue { + if x, ok := m.GetConstantKind().(*Constant_NullValue); ok { + return x.NullValue + } + return _struct.NullValue_NULL_VALUE +} + +func (m *Constant) GetBoolValue() bool { + if x, ok := m.GetConstantKind().(*Constant_BoolValue); ok { + return x.BoolValue + } + return false +} + +func (m *Constant) GetInt64Value() int64 { + if x, ok := m.GetConstantKind().(*Constant_Int64Value); ok { + return x.Int64Value + } + return 0 +} + +func (m *Constant) GetUint64Value() uint64 { + if x, ok := m.GetConstantKind().(*Constant_Uint64Value); ok { + return x.Uint64Value + } + return 0 +} + +func (m *Constant) GetDoubleValue() float64 { + if x, ok := m.GetConstantKind().(*Constant_DoubleValue); ok { + return x.DoubleValue + } + return 0 +} + +func (m *Constant) GetStringValue() string { + if x, ok := m.GetConstantKind().(*Constant_StringValue); ok { + return x.StringValue + } + return "" +} + +func (m *Constant) GetBytesValue() []byte { + if x, ok := m.GetConstantKind().(*Constant_BytesValue); ok { + return x.BytesValue + } + return nil +} + +// Deprecated: Do not use. +func (m *Constant) GetDurationValue() *duration.Duration { + if x, ok := m.GetConstantKind().(*Constant_DurationValue); ok { + return x.DurationValue + } + return nil +} + +// Deprecated: Do not use. +func (m *Constant) GetTimestampValue() *timestamp.Timestamp { + if x, ok := m.GetConstantKind().(*Constant_TimestampValue); ok { + return x.TimestampValue + } + return nil +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*Constant) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*Constant_NullValue)(nil), + (*Constant_BoolValue)(nil), + (*Constant_Int64Value)(nil), + (*Constant_Uint64Value)(nil), + (*Constant_DoubleValue)(nil), + (*Constant_StringValue)(nil), + (*Constant_BytesValue)(nil), + (*Constant_DurationValue)(nil), + (*Constant_TimestampValue)(nil), + } +} + +// Source information collected at parse time. 
+type SourceInfo struct { + // The syntax version of the source, e.g. `cel1`. + SyntaxVersion string `protobuf:"bytes,1,opt,name=syntax_version,json=syntaxVersion,proto3" json:"syntax_version,omitempty"` + // The location name. All position information attached to an expression is + // relative to this location. + // + // The location could be a file, UI element, or similar. For example, + // `acme/app/AnvilPolicy.cel`. + Location string `protobuf:"bytes,2,opt,name=location,proto3" json:"location,omitempty"` + // Monotonically increasing list of character offsets where newlines appear. + // + // The line number of a given position is the index `i` where for a given + // `id` the `line_offsets[i] < id_positions[id] < line_offsets[i+1]`. The + // column may be derivd from `id_positions[id] - line_offsets[i]`. + LineOffsets []int32 `protobuf:"varint,3,rep,packed,name=line_offsets,json=lineOffsets,proto3" json:"line_offsets,omitempty"` + // A map from the parse node id (e.g. `Expr.id`) to the character offset + // within source. 
+ Positions map[int64]int32 `protobuf:"bytes,4,rep,name=positions,proto3" json:"positions,omitempty" protobuf_key:"varint,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *SourceInfo) Reset() { *m = SourceInfo{} } +func (m *SourceInfo) String() string { return proto.CompactTextString(m) } +func (*SourceInfo) ProtoMessage() {} +func (*SourceInfo) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{3} +} + +func (m *SourceInfo) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_SourceInfo.Unmarshal(m, b) +} +func (m *SourceInfo) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_SourceInfo.Marshal(b, m, deterministic) +} +func (m *SourceInfo) XXX_Merge(src proto.Message) { + xxx_messageInfo_SourceInfo.Merge(m, src) +} +func (m *SourceInfo) XXX_Size() int { + return xxx_messageInfo_SourceInfo.Size(m) +} +func (m *SourceInfo) XXX_DiscardUnknown() { + xxx_messageInfo_SourceInfo.DiscardUnknown(m) +} + +var xxx_messageInfo_SourceInfo proto.InternalMessageInfo + +func (m *SourceInfo) GetSyntaxVersion() string { + if m != nil { + return m.SyntaxVersion + } + return "" +} + +func (m *SourceInfo) GetLocation() string { + if m != nil { + return m.Location + } + return "" +} + +func (m *SourceInfo) GetLineOffsets() []int32 { + if m != nil { + return m.LineOffsets + } + return nil +} + +func (m *SourceInfo) GetPositions() map[int64]int32 { + if m != nil { + return m.Positions + } + return nil +} + +// A specific position in source. +type SourcePosition struct { + // The soucre location name (e.g. file name). + Location string `protobuf:"bytes,1,opt,name=location,proto3" json:"location,omitempty"` + // The character offset. 
+ Offset int32 `protobuf:"varint,2,opt,name=offset,proto3" json:"offset,omitempty"` + // The 1-based index of the starting line in the source text + // where the issue occurs, or 0 if unknown. + Line int32 `protobuf:"varint,3,opt,name=line,proto3" json:"line,omitempty"` + // The 0-based index of the starting position within the line of source text + // where the issue occurs. Only meaningful if line is nonzero. + Column int32 `protobuf:"varint,4,opt,name=column,proto3" json:"column,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *SourcePosition) Reset() { *m = SourcePosition{} } +func (m *SourcePosition) String() string { return proto.CompactTextString(m) } +func (*SourcePosition) ProtoMessage() {} +func (*SourcePosition) Descriptor() ([]byte, []int) { + return fileDescriptor_d4e2be48009c83cb, []int{4} +} + +func (m *SourcePosition) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_SourcePosition.Unmarshal(m, b) +} +func (m *SourcePosition) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_SourcePosition.Marshal(b, m, deterministic) +} +func (m *SourcePosition) XXX_Merge(src proto.Message) { + xxx_messageInfo_SourcePosition.Merge(m, src) +} +func (m *SourcePosition) XXX_Size() int { + return xxx_messageInfo_SourcePosition.Size(m) +} +func (m *SourcePosition) XXX_DiscardUnknown() { + xxx_messageInfo_SourcePosition.DiscardUnknown(m) +} + +var xxx_messageInfo_SourcePosition proto.InternalMessageInfo + +func (m *SourcePosition) GetLocation() string { + if m != nil { + return m.Location + } + return "" +} + +func (m *SourcePosition) GetOffset() int32 { + if m != nil { + return m.Offset + } + return 0 +} + +func (m *SourcePosition) GetLine() int32 { + if m != nil { + return m.Line + } + return 0 +} + +func (m *SourcePosition) GetColumn() int32 { + if m != nil { + return m.Column + } + return 0 +} + +func init() { + 
proto.RegisterType((*ParsedExpr)(nil), "google.api.expr.v1alpha1.ParsedExpr") + proto.RegisterType((*Expr)(nil), "google.api.expr.v1alpha1.Expr") + proto.RegisterType((*Expr_Ident)(nil), "google.api.expr.v1alpha1.Expr.Ident") + proto.RegisterType((*Expr_Select)(nil), "google.api.expr.v1alpha1.Expr.Select") + proto.RegisterType((*Expr_Call)(nil), "google.api.expr.v1alpha1.Expr.Call") + proto.RegisterType((*Expr_CreateList)(nil), "google.api.expr.v1alpha1.Expr.CreateList") + proto.RegisterType((*Expr_CreateStruct)(nil), "google.api.expr.v1alpha1.Expr.CreateStruct") + proto.RegisterType((*Expr_CreateStruct_Entry)(nil), "google.api.expr.v1alpha1.Expr.CreateStruct.Entry") + proto.RegisterType((*Expr_Comprehension)(nil), "google.api.expr.v1alpha1.Expr.Comprehension") + proto.RegisterType((*Constant)(nil), "google.api.expr.v1alpha1.Constant") + proto.RegisterType((*SourceInfo)(nil), "google.api.expr.v1alpha1.SourceInfo") + proto.RegisterMapType((map[int64]int32)(nil), "google.api.expr.v1alpha1.SourceInfo.PositionsEntry") + proto.RegisterType((*SourcePosition)(nil), "google.api.expr.v1alpha1.SourcePosition") +} + +func init() { + proto.RegisterFile("google/api/expr/v1alpha1/syntax.proto", fileDescriptor_d4e2be48009c83cb) +} + +var fileDescriptor_d4e2be48009c83cb = []byte{ + // 1134 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x56, 0xcf, 0x6e, 0x1b, 0xb7, + 0x13, 0xd6, 0xea, 0x9f, 0xb5, 0x23, 0x5b, 0xf9, 0xfd, 0x88, 0xa2, 0x50, 0x36, 0x69, 0xe2, 0x38, + 0x35, 0x90, 0xa2, 0x85, 0x04, 0x3b, 0x41, 0x90, 0xc6, 0xe9, 0x45, 0xae, 0x0b, 0x19, 0x29, 0x1c, + 0x77, 0x5d, 0xf8, 0x50, 0xa0, 0x10, 0xe8, 0x15, 0xa5, 0x2c, 0x4c, 0x91, 0x8b, 0x25, 0xd7, 0xb0, + 0xce, 0x3d, 0xf4, 0xd6, 0x97, 0x69, 0x5f, 0xa0, 0xef, 0xd1, 0x07, 0xe9, 0xa5, 0x40, 0x31, 0x43, + 0xae, 0xfc, 0x0f, 0x86, 0xd4, 0x1b, 0x39, 0xfc, 0xbe, 0x8f, 0xc3, 0x99, 0xe1, 0x90, 0xb0, 0x3d, + 0xd5, 0x7a, 0x2a, 0x45, 0x9f, 0x67, 0x69, 0x5f, 0x5c, 0x66, 0x79, 0xff, 
0x62, 0x87, 0xcb, 0xec, + 0x23, 0xdf, 0xe9, 0x9b, 0xb9, 0xb2, 0xfc, 0xb2, 0x97, 0xe5, 0xda, 0x6a, 0xd6, 0x75, 0xb0, 0x1e, + 0xcf, 0xd2, 0x1e, 0xc2, 0x7a, 0x25, 0x2c, 0x7a, 0xe2, 0x05, 0x08, 0x77, 0x56, 0x4c, 0xfa, 0xe3, + 0x22, 0xe7, 0x36, 0xd5, 0xca, 0x31, 0xa3, 0xc7, 0xb7, 0xd7, 0x8d, 0xcd, 0x8b, 0xc4, 0xfa, 0xd5, + 0xa7, 0xb7, 0x57, 0x6d, 0x3a, 0x13, 0xc6, 0xf2, 0x59, 0xe6, 0x00, 0x5b, 0xbf, 0x06, 0x00, 0xc7, + 0x3c, 0x37, 0x62, 0x7c, 0x70, 0x99, 0xe5, 0x6c, 0x17, 0xea, 0xb8, 0x7d, 0xb7, 0xba, 0x19, 0xbc, + 0x68, 0xef, 0x3e, 0xe9, 0xdd, 0xe7, 0x56, 0x0f, 0xd1, 0x31, 0x61, 0xd9, 0x01, 0xb4, 0x8d, 0x2e, + 0xf2, 0x44, 0x8c, 0x52, 0x35, 0xd1, 0xdd, 0x1a, 0x51, 0x3f, 0xbf, 0x9f, 0x7a, 0x42, 0xe0, 0x43, + 0x35, 0xd1, 0x31, 0x98, 0xc5, 0x78, 0xeb, 0xaf, 0x75, 0xa8, 0x93, 0x0f, 0x1d, 0xa8, 0xa6, 0x63, + 0xf2, 0xa0, 0x16, 0x57, 0xd3, 0x31, 0xdb, 0x07, 0x48, 0xb4, 0x32, 0x76, 0x44, 0x9e, 0x39, 0xf9, + 0xad, 0xfb, 0xe5, 0xf7, 0x11, 0xcb, 0x95, 0x1d, 0x56, 0xe2, 0x90, 0x78, 0x07, 0xce, 0x49, 0x48, + 0xc7, 0x42, 0x79, 0x91, 0xfa, 0x32, 0x1f, 0x91, 0xd3, 0x3b, 0x44, 0x02, 0xca, 0x10, 0x93, 0x64, + 0x86, 0xd0, 0x36, 0x42, 0x8a, 0xc4, 0xeb, 0x34, 0x48, 0x67, 0x7b, 0x89, 0xce, 0x09, 0x31, 0x86, + 0x95, 0x18, 0x1c, 0x97, 0x94, 0x06, 0x10, 0x26, 0x5c, 0x4a, 0xa7, 0xd3, 0x24, 0x9d, 0xe7, 0x4b, + 0x74, 0xf6, 0xb9, 0x94, 0xc3, 0x4a, 0xdc, 0x42, 0x9e, 0xf7, 0x26, 0x94, 0x69, 0x19, 0x98, 0x35, + 0xd2, 0xf8, 0x62, 0x99, 0x46, 0x2e, 0xb8, 0x15, 0xdf, 0xa7, 0x06, 0xfd, 0x69, 0x21, 0x9b, 0x94, + 0x8e, 0xa0, 0xed, 0xea, 0xc6, 0x69, 0xb5, 0x48, 0xeb, 0xcb, 0x95, 0xb4, 0x4e, 0x88, 0x47, 0xa7, + 0xa3, 0x11, 0xe9, 0xfd, 0x0c, 0x2c, 0xd1, 0xb3, 0x2c, 0x17, 0x1f, 0x85, 0x32, 0xa9, 0x56, 0x4e, + 0x36, 0x24, 0xd9, 0xaf, 0x96, 0xc9, 0x5e, 0x27, 0x0e, 0x2b, 0xf1, 0xff, 0x6f, 0x28, 0x21, 0x24, + 0x7a, 0x04, 0x0d, 0x4a, 0x0e, 0x63, 0x50, 0x57, 0x7c, 0x26, 0xba, 0xc1, 0x66, 0xf0, 0x22, 0x8c, + 0x69, 0x1c, 0x15, 0xd0, 0x74, 0x11, 0x67, 0x6f, 0x60, 0x4d, 0x67, 0x22, 0xe7, 0x6a, 0x4c, 0x80, + 0xe5, 0x05, 
0x5d, 0xc2, 0xd9, 0x27, 0xd0, 0x98, 0xa4, 0x42, 0xba, 0x32, 0x0c, 0x63, 0x37, 0x61, + 0x8f, 0x20, 0xb4, 0xc2, 0xd8, 0x91, 0x56, 0x72, 0x4e, 0x85, 0xd8, 0x8a, 0x5b, 0x68, 0xf8, 0xa0, + 0xe4, 0x3c, 0xfa, 0x2d, 0x80, 0x3a, 0x66, 0x88, 0xbd, 0x86, 0xa6, 0xe5, 0xf9, 0x54, 0xd8, 0x15, + 0x37, 0xf5, 0x68, 0x16, 0x41, 0x6b, 0x52, 0xa8, 0x04, 0xef, 0xb6, 0xdf, 0x76, 0x31, 0xc7, 0x7b, + 0xc9, 0xf3, 0xa9, 0xe9, 0xd6, 0x36, 0x6b, 0xab, 0xdc, 0x4b, 0xc4, 0x46, 0x43, 0x80, 0xab, 0x6c, + 0xb3, 0xb7, 0xd0, 0x12, 0x52, 0xcc, 0x84, 0xb2, 0xa6, 0x1b, 0xac, 0xa4, 0xb2, 0xc0, 0x47, 0x7f, + 0x54, 0x61, 0xfd, 0x7a, 0xb2, 0xd9, 0x33, 0x58, 0x9f, 0x09, 0x63, 0xf8, 0x54, 0x8c, 0xae, 0x85, + 0xbf, 0xed, 0x6d, 0x47, 0x7c, 0x26, 0xd8, 0x7b, 0x58, 0x13, 0xca, 0xe6, 0xa9, 0x30, 0xdd, 0x2a, + 0x6d, 0xb7, 0xf3, 0x1f, 0xaa, 0xa9, 0x77, 0xa0, 0x6c, 0x3e, 0x8f, 0x4b, 0x85, 0xe8, 0xf7, 0x00, + 0x1a, 0x64, 0xf2, 0xcd, 0x21, 0x58, 0x34, 0x87, 0xcf, 0x20, 0xa4, 0xdc, 0x8c, 0xce, 0xc5, 0xdc, + 0x45, 0x0d, 0xeb, 0x9a, 0x4c, 0xef, 0xc5, 0x9c, 0x7d, 0x0d, 0x6b, 0x33, 0x9e, 0xd1, 0x62, 0x6d, + 0x95, 0x64, 0x0c, 0x2b, 0x71, 0x73, 0xc6, 0x33, 0xa4, 0xbe, 0x82, 0xc6, 0x05, 0x97, 0x85, 0xf0, + 0xcd, 0x62, 0x59, 0xb4, 0x1c, 0x78, 0x00, 0xd0, 0x3a, 0x17, 0xf3, 0xd1, 0x79, 0xaa, 0xc6, 0xd1, + 0x3f, 0x55, 0xd8, 0xb8, 0x51, 0xcc, 0xec, 0x21, 0xb4, 0x52, 0x2b, 0xf2, 0xd1, 0x05, 0xcf, 0x7d, + 0xcc, 0xd6, 0x70, 0x7e, 0xca, 0x73, 0xf6, 0x0d, 0x00, 0x2d, 0xe5, 0x5c, 0x4d, 0xc5, 0x8a, 0xfd, + 0x37, 0x44, 0x46, 0x8c, 0x04, 0x54, 0xe6, 0x49, 0x52, 0x90, 0x72, 0xcd, 0x29, 0xe3, 0x1c, 0x95, + 0xf7, 0x20, 0xa4, 0xa5, 0x54, 0xa5, 0x76, 0xc5, 0xc3, 0x90, 0xd6, 0xa1, 0x4a, 0x2d, 0x3b, 0x80, + 0x8e, 0xd4, 0x3a, 0x1b, 0x25, 0x5a, 0x8d, 0x53, 0x2a, 0xcd, 0xc6, 0x4a, 0x0a, 0x1b, 0xc8, 0xda, + 0x2f, 0x49, 0xe8, 0x03, 0xc9, 0x18, 0x2b, 0x32, 0xdf, 0xed, 0x96, 0xfa, 0x80, 0x84, 0x13, 0x2b, + 0x32, 0xbc, 0x50, 0xb9, 0x30, 0x85, 0xb4, 0xbe, 0xc7, 0x2d, 0xbd, 0x50, 0x0e, 0x3d, 0x68, 0x43, + 0x88, 0xab, 0x94, 0x8c, 0xad, 0x3f, 0x6b, 0xd0, 
0x2a, 0x9f, 0x06, 0xb6, 0x07, 0xa0, 0x0a, 0x29, + 0x47, 0x2e, 0xc1, 0x98, 0x89, 0xce, 0x6e, 0x54, 0xaa, 0x96, 0x6f, 0x65, 0xef, 0xa8, 0x90, 0xf2, + 0x14, 0x11, 0xf8, 0x06, 0xa8, 0x72, 0xc2, 0x9e, 0x02, 0x9c, 0x69, 0x5d, 0x92, 0x31, 0x53, 0x2d, + 0x04, 0xa0, 0xcd, 0x01, 0x9e, 0x41, 0x3b, 0x55, 0xf6, 0xf5, 0x2b, 0x8f, 0xc0, 0x74, 0xd4, 0xb0, + 0x3f, 0x92, 0xd1, 0x41, 0x9e, 0xc3, 0x7a, 0x71, 0x1d, 0x83, 0x69, 0xa9, 0x0f, 0x2b, 0x71, 0xbb, + 0xb8, 0x09, 0x1a, 0xeb, 0xe2, 0x4c, 0x0a, 0x0f, 0xc2, 0xc8, 0x07, 0x08, 0x72, 0xd6, 0x05, 0xc8, + 0xd8, 0x3c, 0x55, 0x53, 0x0f, 0x6a, 0xfa, 0x3b, 0xd0, 0x76, 0xd6, 0x85, 0x47, 0x67, 0x73, 0x2b, + 0x8c, 0xc7, 0x60, 0x18, 0xd7, 0xd1, 0x23, 0x32, 0x3a, 0xc8, 0x77, 0xd0, 0x29, 0x7f, 0x16, 0x1e, + 0xe5, 0x1e, 0x81, 0x87, 0x77, 0xc2, 0xf2, 0xad, 0x87, 0x0d, 0xaa, 0x5d, 0xf4, 0x66, 0xa3, 0xa4, + 0x39, 0x9d, 0x43, 0x78, 0xb0, 0xf8, 0x63, 0x78, 0x21, 0xd7, 0xf6, 0xef, 0xc6, 0xf7, 0xc7, 0x12, + 0xe7, 0x95, 0x3a, 0x0b, 0x22, 0x49, 0x0d, 0x1e, 0xc0, 0x46, 0xe2, 0x33, 0xe6, 0x72, 0xf8, 0x4b, + 0x15, 0xe0, 0xea, 0xf7, 0xc0, 0xb6, 0xa1, 0xe3, 0x3e, 0x51, 0xa3, 0x0b, 0x91, 0xe3, 0xfd, 0xf2, + 0x77, 0x6a, 0xc3, 0x59, 0x4f, 0x9d, 0x11, 0xfb, 0xaa, 0xd4, 0x09, 0xbf, 0xde, 0x57, 0xcb, 0x39, + 0x36, 0x32, 0x99, 0x2a, 0x31, 0xd2, 0x93, 0x89, 0x11, 0xd6, 0xf5, 0xd7, 0x46, 0xdc, 0x46, 0xdb, + 0x07, 0x67, 0x62, 0x3f, 0x40, 0x98, 0x69, 0x43, 0x65, 0x6c, 0xba, 0x75, 0x6a, 0x65, 0x2f, 0x57, + 0xf9, 0xdc, 0xf4, 0x8e, 0x4b, 0x96, 0x6b, 0x66, 0x57, 0x2a, 0xd1, 0x3b, 0xe8, 0xdc, 0x5c, 0x64, + 0xff, 0x83, 0x1a, 0xf6, 0x28, 0xd7, 0xd7, 0x70, 0x88, 0x2f, 0xd0, 0x55, 0x81, 0x35, 0x7c, 0x7b, + 0x79, 0x5b, 0x7d, 0x13, 0x6c, 0x65, 0xd0, 0x71, 0xbb, 0x94, 0x1a, 0x37, 0x4e, 0x18, 0xdc, 0x3a, + 0xe1, 0xa7, 0xd0, 0x74, 0x87, 0xf3, 0x42, 0x7e, 0x86, 0x2f, 0x27, 0x9e, 0x92, 0xaa, 0xb3, 0x11, + 0xd3, 0x18, 0xb1, 0x89, 0x96, 0xc5, 0x4c, 0x51, 0x3d, 0x36, 0x62, 0x3f, 0x1b, 0x28, 0x78, 0x9c, + 0xe8, 0xd9, 0xbd, 0x87, 0x1e, 0xb4, 0x4f, 0x28, 0xe0, 0xc7, 0x98, 0xd8, 0xe3, 0xe0, 
0xa7, 0x77, + 0x1e, 0x38, 0xd5, 0x92, 0xab, 0x69, 0x4f, 0xe7, 0xd3, 0xfe, 0x54, 0x28, 0x4a, 0x7b, 0xdf, 0x2d, + 0xf1, 0x2c, 0x35, 0x77, 0xbf, 0xc4, 0x7b, 0x38, 0xfb, 0x3b, 0x08, 0xce, 0x9a, 0x84, 0x7d, 0xf9, + 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0x0d, 0x25, 0xe3, 0xe8, 0x3d, 0x0b, 0x00, 0x00, +} diff --git a/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go new file mode 100644 index 0000000000..cec841e86a --- /dev/null +++ b/vendor/google.golang.org/genproto/googleapis/api/expr/v1alpha1/value.pb.go 
@@ -0,0 +1,503 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// source: google/api/expr/v1alpha1/value.proto + +package expr + +import ( + fmt "fmt" + math "math" + + proto "github.com/golang/protobuf/proto" + any "github.com/golang/protobuf/ptypes/any" + _struct "github.com/golang/protobuf/ptypes/struct" +) + +// Reference imports to suppress errors if they are not otherwise used. +var _ = proto.Marshal +var _ = fmt.Errorf +var _ = math.Inf + +// This is a compile-time assertion to ensure that this generated file +// is compatible with the proto package it is being compiled against. +// A compilation error at this line likely means your copy of the +// proto package needs to be updated. +const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package + +// Represents a CEL value. +// +// This is similar to `google.protobuf.Value`, but can represent CEL's full +// range of values. +type Value struct { + // Required. The valid kinds of values. + // + // Types that are valid to be assigned to Kind: + // *Value_NullValue + // *Value_BoolValue + // *Value_Int64Value + // *Value_Uint64Value + // *Value_DoubleValue + // *Value_StringValue + // *Value_BytesValue + // *Value_EnumValue + // *Value_ObjectValue + // *Value_MapValue + // *Value_ListValue + // *Value_TypeValue + Kind isValue_Kind `protobuf_oneof:"kind"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *Value) Reset() { *m = Value{} } +func (m *Value) String() string { return proto.CompactTextString(m) } +func (*Value) ProtoMessage() {} +func (*Value) Descriptor() ([]byte, []int) { + return fileDescriptor_24bee359d1e5798a, []int{0} +} + +func (m *Value) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_Value.Unmarshal(m, b) +} +func (m *Value) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_Value.Marshal(b, m, deterministic) +} +func (m *Value) XXX_Merge(src proto.Message) 
{ + xxx_messageInfo_Value.Merge(m, src) +} +func (m *Value) XXX_Size() int { + return xxx_messageInfo_Value.Size(m) +} +func (m *Value) XXX_DiscardUnknown() { + xxx_messageInfo_Value.DiscardUnknown(m) +} + +var xxx_messageInfo_Value proto.InternalMessageInfo + +type isValue_Kind interface { + isValue_Kind() +} + +type Value_NullValue struct { + NullValue _struct.NullValue `protobuf:"varint,1,opt,name=null_value,json=nullValue,proto3,enum=google.protobuf.NullValue,oneof"` +} + +type Value_BoolValue struct { + BoolValue bool `protobuf:"varint,2,opt,name=bool_value,json=boolValue,proto3,oneof"` +} + +type Value_Int64Value struct { + Int64Value int64 `protobuf:"varint,3,opt,name=int64_value,json=int64Value,proto3,oneof"` +} + +type Value_Uint64Value struct { + Uint64Value uint64 `protobuf:"varint,4,opt,name=uint64_value,json=uint64Value,proto3,oneof"` +} + +type Value_DoubleValue struct { + DoubleValue float64 `protobuf:"fixed64,5,opt,name=double_value,json=doubleValue,proto3,oneof"` +} + +type Value_StringValue struct { + StringValue string `protobuf:"bytes,6,opt,name=string_value,json=stringValue,proto3,oneof"` +} + +type Value_BytesValue struct { + BytesValue []byte `protobuf:"bytes,7,opt,name=bytes_value,json=bytesValue,proto3,oneof"` +} + +type Value_EnumValue struct { + EnumValue *EnumValue `protobuf:"bytes,9,opt,name=enum_value,json=enumValue,proto3,oneof"` +} + +type Value_ObjectValue struct { + ObjectValue *any.Any `protobuf:"bytes,10,opt,name=object_value,json=objectValue,proto3,oneof"` +} + +type Value_MapValue struct { + MapValue *MapValue `protobuf:"bytes,11,opt,name=map_value,json=mapValue,proto3,oneof"` +} + +type Value_ListValue struct { + ListValue *ListValue `protobuf:"bytes,12,opt,name=list_value,json=listValue,proto3,oneof"` +} + +type Value_TypeValue struct { + TypeValue string `protobuf:"bytes,15,opt,name=type_value,json=typeValue,proto3,oneof"` +} + +func (*Value_NullValue) isValue_Kind() {} + +func (*Value_BoolValue) isValue_Kind() {} + +func 
(*Value_Int64Value) isValue_Kind() {} + +func (*Value_Uint64Value) isValue_Kind() {} + +func (*Value_DoubleValue) isValue_Kind() {} + +func (*Value_StringValue) isValue_Kind() {} + +func (*Value_BytesValue) isValue_Kind() {} + +func (*Value_EnumValue) isValue_Kind() {} + +func (*Value_ObjectValue) isValue_Kind() {} + +func (*Value_MapValue) isValue_Kind() {} + +func (*Value_ListValue) isValue_Kind() {} + +func (*Value_TypeValue) isValue_Kind() {} + +func (m *Value) GetKind() isValue_Kind { + if m != nil { + return m.Kind + } + return nil +} + +func (m *Value) GetNullValue() _struct.NullValue { + if x, ok := m.GetKind().(*Value_NullValue); ok { + return x.NullValue + } + return _struct.NullValue_NULL_VALUE +} + +func (m *Value) GetBoolValue() bool { + if x, ok := m.GetKind().(*Value_BoolValue); ok { + return x.BoolValue + } + return false +} + +func (m *Value) GetInt64Value() int64 { + if x, ok := m.GetKind().(*Value_Int64Value); ok { + return x.Int64Value + } + return 0 +} + +func (m *Value) GetUint64Value() uint64 { + if x, ok := m.GetKind().(*Value_Uint64Value); ok { + return x.Uint64Value + } + return 0 +} + +func (m *Value) GetDoubleValue() float64 { + if x, ok := m.GetKind().(*Value_DoubleValue); ok { + return x.DoubleValue + } + return 0 +} + +func (m *Value) GetStringValue() string { + if x, ok := m.GetKind().(*Value_StringValue); ok { + return x.StringValue + } + return "" +} + +func (m *Value) GetBytesValue() []byte { + if x, ok := m.GetKind().(*Value_BytesValue); ok { + return x.BytesValue + } + return nil +} + +func (m *Value) GetEnumValue() *EnumValue { + if x, ok := m.GetKind().(*Value_EnumValue); ok { + return x.EnumValue + } + return nil +} + +func (m *Value) GetObjectValue() *any.Any { + if x, ok := m.GetKind().(*Value_ObjectValue); ok { + return x.ObjectValue + } + return nil +} + +func (m *Value) GetMapValue() *MapValue { + if x, ok := m.GetKind().(*Value_MapValue); ok { + return x.MapValue + } + return nil +} + +func (m *Value) GetListValue() 
*ListValue { + if x, ok := m.GetKind().(*Value_ListValue); ok { + return x.ListValue + } + return nil +} + +func (m *Value) GetTypeValue() string { + if x, ok := m.GetKind().(*Value_TypeValue); ok { + return x.TypeValue + } + return "" +} + +// XXX_OneofWrappers is for the internal use of the proto package. +func (*Value) XXX_OneofWrappers() []interface{} { + return []interface{}{ + (*Value_NullValue)(nil), + (*Value_BoolValue)(nil), + (*Value_Int64Value)(nil), + (*Value_Uint64Value)(nil), + (*Value_DoubleValue)(nil), + (*Value_StringValue)(nil), + (*Value_BytesValue)(nil), + (*Value_EnumValue)(nil), + (*Value_ObjectValue)(nil), + (*Value_MapValue)(nil), + (*Value_ListValue)(nil), + (*Value_TypeValue)(nil), + } +} + +// An enum value. +type EnumValue struct { + // The fully qualified name of the enum type. + Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"` + // The value of the enum. + Value int32 `protobuf:"varint,2,opt,name=value,proto3" json:"value,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *EnumValue) Reset() { *m = EnumValue{} } +func (m *EnumValue) String() string { return proto.CompactTextString(m) } +func (*EnumValue) ProtoMessage() {} +func (*EnumValue) Descriptor() ([]byte, []int) { + return fileDescriptor_24bee359d1e5798a, []int{1} +} + +func (m *EnumValue) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_EnumValue.Unmarshal(m, b) +} +func (m *EnumValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_EnumValue.Marshal(b, m, deterministic) +} +func (m *EnumValue) XXX_Merge(src proto.Message) { + xxx_messageInfo_EnumValue.Merge(m, src) +} +func (m *EnumValue) XXX_Size() int { + return xxx_messageInfo_EnumValue.Size(m) +} +func (m *EnumValue) XXX_DiscardUnknown() { + xxx_messageInfo_EnumValue.DiscardUnknown(m) +} + +var xxx_messageInfo_EnumValue proto.InternalMessageInfo + +func (m 
*EnumValue) GetType() string { + if m != nil { + return m.Type + } + return "" +} + +func (m *EnumValue) GetValue() int32 { + if m != nil { + return m.Value + } + return 0 +} + +// A list. +// +// Wrapped in a message so 'not set' and empty can be differentiated, which is +// required for use in a 'oneof'. +type ListValue struct { + // The ordered values in the list. + Values []*Value `protobuf:"bytes,1,rep,name=values,proto3" json:"values,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *ListValue) Reset() { *m = ListValue{} } +func (m *ListValue) String() string { return proto.CompactTextString(m) } +func (*ListValue) ProtoMessage() {} +func (*ListValue) Descriptor() ([]byte, []int) { + return fileDescriptor_24bee359d1e5798a, []int{2} +} + +func (m *ListValue) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_ListValue.Unmarshal(m, b) +} +func (m *ListValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_ListValue.Marshal(b, m, deterministic) +} +func (m *ListValue) XXX_Merge(src proto.Message) { + xxx_messageInfo_ListValue.Merge(m, src) +} +func (m *ListValue) XXX_Size() int { + return xxx_messageInfo_ListValue.Size(m) +} +func (m *ListValue) XXX_DiscardUnknown() { + xxx_messageInfo_ListValue.DiscardUnknown(m) +} + +var xxx_messageInfo_ListValue proto.InternalMessageInfo + +func (m *ListValue) GetValues() []*Value { + if m != nil { + return m.Values + } + return nil +} + +// A map. +// +// Wrapped in a message so 'not set' and empty can be differentiated, which is +// required for use in a 'oneof'. +type MapValue struct { + // The set of map entries. + // + // CEL has fewer restrictions on keys, so a protobuf map represenation + // cannot be used. 
+ Entries []*MapValue_Entry `protobuf:"bytes,1,rep,name=entries,proto3" json:"entries,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *MapValue) Reset() { *m = MapValue{} } +func (m *MapValue) String() string { return proto.CompactTextString(m) } +func (*MapValue) ProtoMessage() {} +func (*MapValue) Descriptor() ([]byte, []int) { + return fileDescriptor_24bee359d1e5798a, []int{3} +} + +func (m *MapValue) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_MapValue.Unmarshal(m, b) +} +func (m *MapValue) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_MapValue.Marshal(b, m, deterministic) +} +func (m *MapValue) XXX_Merge(src proto.Message) { + xxx_messageInfo_MapValue.Merge(m, src) +} +func (m *MapValue) XXX_Size() int { + return xxx_messageInfo_MapValue.Size(m) +} +func (m *MapValue) XXX_DiscardUnknown() { + xxx_messageInfo_MapValue.DiscardUnknown(m) +} + +var xxx_messageInfo_MapValue proto.InternalMessageInfo + +func (m *MapValue) GetEntries() []*MapValue_Entry { + if m != nil { + return m.Entries + } + return nil +} + +// An entry in the map. +type MapValue_Entry struct { + // The key. + // + // Must be unique with in the map. + // Currently only boolean, int, uint, and string values can be keys. + Key *Value `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` + // The value. 
+ Value *Value `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *MapValue_Entry) Reset() { *m = MapValue_Entry{} } +func (m *MapValue_Entry) String() string { return proto.CompactTextString(m) } +func (*MapValue_Entry) ProtoMessage() {} +func (*MapValue_Entry) Descriptor() ([]byte, []int) { + return fileDescriptor_24bee359d1e5798a, []int{3, 0} +} + +func (m *MapValue_Entry) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_MapValue_Entry.Unmarshal(m, b) +} +func (m *MapValue_Entry) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_MapValue_Entry.Marshal(b, m, deterministic) +} +func (m *MapValue_Entry) XXX_Merge(src proto.Message) { + xxx_messageInfo_MapValue_Entry.Merge(m, src) +} +func (m *MapValue_Entry) XXX_Size() int { + return xxx_messageInfo_MapValue_Entry.Size(m) +} +func (m *MapValue_Entry) XXX_DiscardUnknown() { + xxx_messageInfo_MapValue_Entry.DiscardUnknown(m) +} + +var xxx_messageInfo_MapValue_Entry proto.InternalMessageInfo + +func (m *MapValue_Entry) GetKey() *Value { + if m != nil { + return m.Key + } + return nil +} + +func (m *MapValue_Entry) GetValue() *Value { + if m != nil { + return m.Value + } + return nil +} + +func init() { + proto.RegisterType((*Value)(nil), "google.api.expr.v1alpha1.Value") + proto.RegisterType((*EnumValue)(nil), "google.api.expr.v1alpha1.EnumValue") + proto.RegisterType((*ListValue)(nil), "google.api.expr.v1alpha1.ListValue") + proto.RegisterType((*MapValue)(nil), "google.api.expr.v1alpha1.MapValue") + proto.RegisterType((*MapValue_Entry)(nil), "google.api.expr.v1alpha1.MapValue.Entry") +} + +func init() { + proto.RegisterFile("google/api/expr/v1alpha1/value.proto", fileDescriptor_24bee359d1e5798a) +} + +var fileDescriptor_24bee359d1e5798a = []byte{ + // 518 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x02, 0xff, 0x8c, 0x94, 0xcb, 0x6e, 0xd4, 0x30, + 0x14, 0x86, 0x6b, 0xe6, 0xd2, 0xc9, 0x99, 0x11, 0x48, 0x56, 0x17, 0xc3, 0xa8, 0x52, 0x43, 0xca, + 0x22, 0xab, 0x44, 0x33, 0x50, 0x10, 0x2a, 0x9b, 0x8e, 0x5a, 0x69, 0x16, 0x80, 0xaa, 0x2c, 0x58, + 0xb0, 0x41, 0xce, 0xd4, 0x84, 0x50, 0xc7, 0x0e, 0x89, 0x5d, 0x91, 0xc7, 0xe3, 0x01, 0x78, 0x1f, + 0x96, 0xc8, 0xb7, 0x50, 0xa8, 0x46, 0xed, 0x2e, 0xe7, 0xf7, 0xf7, 0xfb, 0x5c, 0x7c, 0x14, 0x78, + 0x5e, 0x08, 0x51, 0x30, 0x9a, 0x92, 0xba, 0x4c, 0xe9, 0x8f, 0xba, 0x49, 0x6f, 0x96, 0x84, 0xd5, + 0x5f, 0xc9, 0x32, 0xbd, 0x21, 0x4c, 0xd1, 0xa4, 0x6e, 0x84, 0x14, 0x78, 0x6e, 0xa9, 0x84, 0xd4, + 0x65, 0xa2, 0xa9, 0xc4, 0x53, 0x8b, 0xa7, 0xce, 0x6f, 0xb8, 0x5c, 0x7d, 0x49, 0x09, 0xef, 0xac, + 0x69, 0x71, 0xf8, 0xff, 0x51, 0x2b, 0x1b, 0xb5, 0x95, 0xf6, 0x34, 0xfa, 0x35, 0x84, 0xd1, 0x47, + 0x9d, 0x02, 0x9f, 0x02, 0x70, 0xc5, 0xd8, 0x67, 0x93, 0x70, 0x8e, 0x42, 0x14, 0x3f, 0x5e, 0x2d, + 0x12, 0x97, 0xd1, 0x9b, 0x93, 0x0f, 0x8a, 0x31, 0xc3, 0x6f, 0xf6, 0xb2, 0x80, 0xfb, 0x00, 0x1f, + 0x01, 0xe4, 0x42, 0x78, 0xf3, 0xa3, 0x10, 0xc5, 0x13, 0x0d, 0x68, 0xcd, 0x02, 0xcf, 0x60, 0x5a, + 0x72, 0xf9, 0xea, 0xa5, 0x23, 0x06, 0x21, 0x8a, 0x07, 0x9b, 0xbd, 0x0c, 0x8c, 0x68, 0x91, 0x63, + 0x98, 0xa9, 0xdb, 0xcc, 0x30, 0x44, 0xf1, 0x70, 0xb3, 0x97, 0x4d, 0xd5, 0xbf, 0xd0, 0x95, 0x50, + 0x39, 0xa3, 0x0e, 0x1a, 0x85, 0x28, 0x46, 0x1a, 0xb2, 0x6a, 0x0f, 0xb5, 0xb2, 0x29, 0x79, 0xe1, + 0xa0, 0x71, 0x88, 0xe2, 0x40, 0x43, 0x56, 0xed, 0x2b, 0xca, 0x3b, 0x49, 0x5b, 0xc7, 0xec, 0x87, + 0x28, 0x9e, 0xe9, 0x8a, 0x8c, 0x68, 0x91, 0x73, 0x00, 0xca, 0x55, 0xe5, 0x88, 0x20, 0x44, 0xf1, + 0x74, 0x75, 0x9c, 0xec, 0x7a, 0x84, 0xe4, 0x82, 0xab, 0xaa, 0x9f, 0x0d, 0xf5, 0x01, 0x7e, 0x03, + 0x33, 0x91, 0x7f, 0xa3, 0x5b, 0xe9, 0xee, 0x01, 0x73, 0xcf, 0xc1, 0x9d, 0xd1, 0x9e, 0xf1, 0x4e, + 0xd7, 0x68, 0x59, 0x6b, 0x3d, 0x83, 0xa0, 0x22, 0xb5, 0xf3, 0x4d, 0x8d, 0x2f, 0xda, 0x9d, 0xff, + 0x3d, 0xa9, 0x7d, 0xfa, 0x49, 0xe5, 0xbe, 0x75, 0x0f, 0xac, 0x6c, 0x7d, 
0xee, 0xd9, 0x7d, 0x3d, + 0xbc, 0x2b, 0x5b, 0xd9, 0xf7, 0xc0, 0x7c, 0xa0, 0xdf, 0x57, 0x76, 0xb5, 0x1f, 0xfa, 0x13, 0x37, + 0xcf, 0x40, 0x6b, 0x06, 0x58, 0x8f, 0x61, 0x78, 0x5d, 0xf2, 0xab, 0xe8, 0x04, 0x82, 0x7e, 0x0c, + 0x18, 0xc3, 0x50, 0x13, 0x66, 0x99, 0x82, 0xcc, 0x7c, 0xe3, 0x03, 0x18, 0xfd, 0x5d, 0x92, 0x51, + 0x66, 0x83, 0xe8, 0x1c, 0x82, 0x3e, 0x33, 0x7e, 0x0d, 0x63, 0xa3, 0xb6, 0x73, 0x14, 0x0e, 0xe2, + 0xe9, 0xea, 0x68, 0x77, 0xb9, 0xc6, 0x90, 0x39, 0x3c, 0xfa, 0x89, 0x60, 0xe2, 0x87, 0x80, 0xd7, + 0xb0, 0x4f, 0xb9, 0x6c, 0xca, 0xfe, 0x9a, 0xf8, 0xfe, 0xc9, 0x25, 0x17, 0x5c, 0x36, 0x5d, 0xe6, + 0x8d, 0x8b, 0xef, 0x30, 0x32, 0x0a, 0x5e, 0xc2, 0xe0, 0x9a, 0x76, 0xa6, 0x91, 0x07, 0xd4, 0xa3, + 0x59, 0x7c, 0x72, 0xbb, 0xd1, 0x07, 0x98, 0x2c, 0xbd, 0xae, 0xe0, 0x70, 0x2b, 0xaa, 0x9d, 0xf0, + 0x1a, 0x0c, 0x7d, 0xa9, 0x97, 0xe6, 0x12, 0x7d, 0x7a, 0xeb, 0xb8, 0x42, 0x30, 0xc2, 0x8b, 0x44, + 0x34, 0x45, 0x5a, 0x50, 0x6e, 0x56, 0x2a, 0xb5, 0x47, 0xa4, 0x2e, 0xdb, 0xbb, 0xbf, 0x95, 0x53, + 0x1d, 0xfd, 0x46, 0x28, 0x1f, 0x1b, 0xf6, 0xc5, 0x9f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf9, 0x53, + 0x8e, 0x99, 0x81, 0x04, 0x00, 0x00, +} diff --git a/vendor/modules.txt b/vendor/modules.txt index d32f9b51d4..e2f7b4ae45 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -126,13 +126,14 @@ github.com/envoyproxy/go-control-plane/envoy/api/v2/endpoint
 github.com/envoyproxy/go-control-plane/envoy/api/v2/listener
 github.com/envoyproxy/go-control-plane/envoy/api/v2/route
 github.com/envoyproxy/go-control-plane/envoy/config/filter/accesslog/v2
-github.com/envoyproxy/go-control-plane/envoy/config/filter/network/ext_authz/v2
+github.com/envoyproxy/go-control-plane/envoy/config/filter/http/rbac/v2
 github.com/envoyproxy/go-control-plane/envoy/config/filter/network/http_connection_manager/v2
+github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2
 github.com/envoyproxy/go-control-plane/envoy/config/filter/network/tcp_proxy/v2
 github.com/envoyproxy/go-control-plane/envoy/config/listener/v2
+github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2
 github.com/envoyproxy/go-control-plane/envoy/config/trace/v2
 github.com/envoyproxy/go-control-plane/envoy/service/auth/v2
-github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha
 github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2
 github.com/envoyproxy/go-control-plane/envoy/type
 github.com/envoyproxy/go-control-plane/envoy/type/matcher
@@ -537,6 +538,7 @@ google.golang.org/appengine/internal/urlfetch
 google.golang.org/appengine/urlfetch
 # google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55
 google.golang.org/genproto/googleapis/api/annotations
+google.golang.org/genproto/googleapis/api/expr/v1alpha1
 google.golang.org/genproto/googleapis/rpc/status
 # google.golang.org/grpc v1.25.1
 google.golang.org/grpc