// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

syntax = "proto3";

package hashicorp.consul.auth.v2beta1;

import "pbresource/annotations.proto";

// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
message TrafficPermissions {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};

  // Destination is a configuration of the destination proxies
  // where these traffic permissions should apply.
  Destination destination = 1;

  // Action can be either allow or deny for the entire object. It will default to allow.
  // Deny actions are available only in Consul Enterprise.
  //
  // If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
  // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
  // actions have no effect without a deny permission as everything is allowed by default.
  //
  // If action is deny, we will deny the connection if one of the rules in Rules match, in other words,
  // we will allow all requests except for the ones that match Rules. If Consul is default deny mode,
  // then deny permissions have no effect without an allow permission as everything is denied by default.
  //
  // Action unspecified is reserved for compatibility with the addition of future actions.
  Action action = 2;

  // Permissions is a list of permissions to match on. They are applied using OR semantics.
  repeated Permission permissions = 3;
}

// NamespaceTrafficPermissions represents traffic permissions that should
// apply to all destinations in a namespace.
message NamespaceTrafficPermissions {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};

  Action action = 1;
  repeated Permission permissions = 2;
}

// PartitionTrafficPermissions represents traffic permissions that should
// apply to all destinations in a partition.
message PartitionTrafficPermissions {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};

  Action action = 1;
  repeated Permission permissions = 2;
}

// Destination contains the name or name-prefix of the WorkloadIdentity.
// The WorkloadIdentity resource must be in the same tenancy as the TrafficPermissions resource.
message Destination {
  string identity_name = 1;
}

// Action specifies the behavior of a TrafficPermission.
// ACTION_DENY is only available in Consul enterprise.
//
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
// +kubebuilder:validation:Type=string
enum Action {
  ACTION_UNSPECIFIED = 0;
  ACTION_DENY = 1;
  ACTION_ALLOW = 2;
}

// Permissions is a list of permissions to match on.
message Permission {
  // Sources is a list of sources in this traffic permission.
  repeated Source sources = 1;
  // DestinationRules is a list of rules to apply for matching sources in this Permission.
  // These rules are specific to the request or connection that is going to the destination(s)
  // selected by the TrafficPermissions resource.
  repeated DestinationRule destination_rules = 2;
}

// Source represents the source identity.
// To specify any of the wildcard sources, the specific fields need to be omitted.
// For example, for a wildcard namespace, identity_name should be omitted.
message Source {
  string identity_name = 1;
  string namespace = 2;
  string partition = 3;
  string peer = 4;
  string sameness_group = 5;

  // Exclude is a list of sources to exclude from this source.
  repeated ExcludeSource exclude = 6;
}

// ExcludeSource is almost the same as source but it prevents the addition of
// matching sources.
message ExcludeSource {
  string identity_name = 1;
  string namespace = 2;
  string partition = 3;
  string peer = 4;
  string sameness_group = 5;
}

// DestinationRule contains rules rules to apply to the incoming connection.
message DestinationRule {
  string path_exact = 1;
  string path_prefix = 2;
  string path_regex = 3;
  // Methods is the list of HTTP methods. If no methods are specified,
  // this rule will apply to all methods.
  repeated string methods = 4;
  repeated DestinationRuleHeader headers = 5;
  repeated string port_names = 6;
  // Exclude contains a list of rules to exclude when evaluating rules for the incoming connection.
  repeated ExcludePermissionRule exclude = 7;
}

message ExcludePermissionRule {
  string path_exact = 1;
  string path_prefix = 2;
  string path_regex = 3;
  // Methods is the list of HTTP methods.
  repeated string methods = 4;

  repeated DestinationRuleHeader headers = 5;

  // PortNames is a list of workload ports to apply this rule to. The ports specified here
  // must be the ports used in the connection.
  repeated string port_names = 6;
}

message DestinationRuleHeader {
  string name = 1;
  bool present = 2;
  string exact = 3;
  string prefix = 4;
  string suffix = 5;
  string regex = 6;
  bool invert = 7;
}