async-grpc-xds 0.0.1

data/proto/envoy/type/matcher/v3/filter_state.proto

@@ -0,0 +1,33 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "envoy/type/matcher/v3/address.proto";
+import "envoy/type/matcher/v3/string.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "FilterStateProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Filter state matcher]
+
+// FilterStateMatcher provides a general interface for matching the filter state objects.
+message FilterStateMatcher {
+  // The filter state key to retrieve the object.
+  string key = 1 [(validate.rules).string = {min_len: 1}];
+
+  oneof matcher {
+    option (validate.required) = true;
+
+    // Matches the filter state object as a string value.
+    StringMatcher string_match = 2;
+
+    // Matches the filter state object as a ip Instance.
+    AddressMatcher address_match = 3;
+  }
+}

data/proto/envoy/type/matcher/v3/http_inputs.proto

@@ -0,0 +1,71 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "HttpInputsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Common HTTP inputs]
+
+// Match input indicates that matching should be done on a specific request header.
+// The resulting input string will be all headers for the given key joined by a comma,
+// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input
+// string will be 'bar,baz'.
+// [#comment:TODO(snowp): Link to unified matching docs.]
+// [#extension: envoy.matching.inputs.request_headers]
+message HttpRequestHeaderMatchInput {
+  // The request header to match on.
+  string header_name = 1
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+}
+
+// Match input indicates that matching should be done on a specific request trailer.
+// The resulting input string will be all headers for the given key joined by a comma,
+// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input
+// string will be 'bar,baz'.
+// [#comment:TODO(snowp): Link to unified matching docs.]
+// [#extension: envoy.matching.inputs.request_trailers]
+message HttpRequestTrailerMatchInput {
+  // The request trailer to match on.
+  string header_name = 1
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+}
+
+// Match input indicating that matching should be done on a specific response header.
+// The resulting input string will be all headers for the given key joined by a comma,
+// e.g. if the response contains two 'foo' headers with value 'bar' and 'baz', the input
+// string will be 'bar,baz'.
+// [#comment:TODO(snowp): Link to unified matching docs.]
+// [#extension: envoy.matching.inputs.response_headers]
+message HttpResponseHeaderMatchInput {
+  // The response header to match on.
+  string header_name = 1
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+}
+
+// Match input indicates that matching should be done on a specific response trailer.
+// The resulting input string will be all headers for the given key joined by a comma,
+// e.g. if the request contains two 'foo' headers with value 'bar' and 'baz', the input
+// string will be 'bar,baz'.
+// [#comment:TODO(snowp): Link to unified matching docs.]
+// [#extension: envoy.matching.inputs.response_trailers]
+message HttpResponseTrailerMatchInput {
+  // The response trailer to match on.
+  string header_name = 1
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+}
+
+// Match input indicates that matching should be done on a specific query parameter.
+// The resulting input string will be the first query parameter for the value
+// 'query_param'.
+// [#extension: envoy.matching.inputs.query_params]
+message HttpRequestQueryParamMatchInput {
+  // The query parameter to match on.
+  string query_param = 1 [(validate.rules).string = {min_len: 1}];
+}

data/proto/envoy/type/matcher/v3/metadata.proto

@@ -0,0 +1,110 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "envoy/type/matcher/v3/value.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "MetadataProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Metadata matcher]
+
+// ``MetadataMatcher`` provides a general interface to check if a given value is matched in
+// :ref:`Metadata <envoy_v3_api_msg_config.core.v3.Metadata>`. It uses ``filter`` and ``path`` to retrieve the value
+// from the ``Metadata`` and then check if it's matched to the specified value.
+//
+// For example, for the following ``Metadata``:
+//
+// .. code-block:: yaml
+//
+//    filter_metadata:
+//      envoy.filters.http.rbac:
+//        fields:
+//          a:
+//            struct_value:
+//              fields:
+//                b:
+//                  struct_value:
+//                    fields:
+//                      c:
+//                        string_value: pro
+//                t:
+//                  list_value:
+//                    values:
+//                      - string_value: m
+//                      - string_value: n
+//
+// The following ``MetadataMatcher`` is matched as the path ``[a, b, c]`` will retrieve a string value ``pro``
+// from the ``Metadata`` which is matched to the specified prefix match.
+//
+// .. code-block:: yaml
+//
+//    filter: envoy.filters.http.rbac
+//    path:
+//    - key: a
+//    - key: b
+//    - key: c
+//    value:
+//      string_match:
+//        prefix: pr
+//
+// The following ``MetadataMatcher`` is matched as the code will match one of the string values in the
+// list at the path [a, t].
+//
+// .. code-block:: yaml
+//
+//    filter: envoy.filters.http.rbac
+//    path:
+//    - key: a
+//    - key: t
+//    value:
+//      list_match:
+//        one_of:
+//          string_match:
+//            exact: m
+//
+// An example use of ``MetadataMatcher`` is specifying additional metadata in ``envoy.filters.http.rbac`` to
+// enforce access control based on dynamic metadata in a request. See :ref:`Permission
+// <envoy_v3_api_msg_config.rbac.v3.Permission>` and :ref:`Principal
+// <envoy_v3_api_msg_config.rbac.v3.Principal>`.
+
+// [#next-major-version: MetadataMatcher should use StructMatcher]
+message MetadataMatcher {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.MetadataMatcher";
+
+  // Specifies the segment in a path to retrieve value from ``Metadata``.
+  //
+  // .. note::
+  //   Currently it's not supported to retrieve a value from a list in ``Metadata``. This means that
+  //   if the segment key refers to a list, it has to be the last segment in a path.
+  message PathSegment {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.type.matcher.MetadataMatcher.PathSegment";
+
+    oneof segment {
+      option (validate.required) = true;
+
+      // If specified, use the key to retrieve the value in a ``Struct``.
+      string key = 1 [(validate.rules).string = {min_len: 1}];
+    }
+  }
+
+  // The filter name to retrieve the ``Struct`` from the ``Metadata``.
+  string filter = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The path to retrieve the ``Value`` from the ``Struct``.
+  repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];
+
+  // The ``MetadataMatcher`` is matched if the value retrieved by path is matched to this value.
+  ValueMatcher value = 3 [(validate.rules).message = {required: true}];
+
+  // If true, the match result will be inverted.
+  bool invert = 4;
+}

data/proto/envoy/type/matcher/v3/node.proto

@@ -0,0 +1,29 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/matcher/v3/struct.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "NodeProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Node matcher]
+
+// Specifies the way to match a Node.
+// The match follows AND semantics.
+message NodeMatcher {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.NodeMatcher";
+
+  // Specifies match criteria on the node id.
+  StringMatcher node_id = 1;
+
+  // Specifies match criteria on the node metadata.
+  repeated StructMatcher node_metadatas = 2;
+}

data/proto/envoy/type/matcher/v3/number.proto

@@ -0,0 +1,33 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "envoy/type/v3/range.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "NumberProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Number matcher]
+
+// Specifies the way to match a double value.
+message DoubleMatcher {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.DoubleMatcher";
+
+  oneof match_pattern {
+    option (validate.required) = true;
+
+    // If specified, the input double value must be in the range specified here.
+    // Note: The range is using half-open interval semantics [start, end).
+    type.v3.DoubleRange range = 1;
+
+    // If specified, the input double value must be equal to the value specified here.
+    double exact = 2;
+  }
+}

data/proto/envoy/type/matcher/v3/path.proto

@@ -0,0 +1,31 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "envoy/type/matcher/v3/string.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "PathProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Path matcher]
+
+// Specifies the way to match a path on HTTP request.
+message PathMatcher {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.PathMatcher";
+
+  oneof rule {
+    option (validate.required) = true;
+
+    // The ``path`` must match the URL path portion of the :path header. The query and fragment
+    // string (if present) are removed in the URL path portion.
+    // For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``.
+    StringMatcher path = 1 [(validate.rules).message = {required: true}];
+  }
+}

data/proto/envoy/type/matcher/v3/regex.proto

@@ -0,0 +1,97 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "RegexProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Regex matcher]
+
+// A regex matcher designed for safety when used with untrusted input.
+message RegexMatcher {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.RegexMatcher";
+
+  // Google's `RE2 <https://github.com/google/re2>`_ regex engine. The regex string must adhere to
+  // the documented `syntax <https://github.com/google/re2/wiki/Syntax>`_. The engine is designed
+  // to complete execution in linear time as well as limit the amount of memory used.
+  //
+  // Envoy supports program size checking via runtime. The runtime keys ``re2.max_program_size.error_level``
+  // and ``re2.max_program_size.warn_level`` can be set to integers as the maximum program size or
+  // complexity that a compiled regex can have before an exception is thrown or a warning is
+  // logged, respectively. ``re2.max_program_size.error_level`` defaults to 100, and
+  // ``re2.max_program_size.warn_level`` has no default if unset (will not check/log a warning).
+  //
+  // Envoy emits two stats for tracking the program size of regexes: the histogram ``re2.program_size``,
+  // which records the program size, and the counter ``re2.exceeded_warn_level``, which is incremented
+  // each time the program size exceeds the warn level threshold.
+  message GoogleRE2 {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.type.matcher.RegexMatcher.GoogleRE2";
+
+    // This field controls the RE2 "program size" which is a rough estimate of how complex a
+    // compiled regex is to evaluate. A regex that has a program size greater than the configured
+    // value will fail to compile. In this case, the configured max program size can be increased
+    // or the regex can be simplified. If not specified, the default is 100.
+    //
+    // This field is deprecated; regexp validation should be performed on the management server
+    // instead of being done by each individual client.
+    //
+    // .. note::
+    //
+    //  Although this field is deprecated, the program size will still be checked against the
+    //  global ``re2.max_program_size.error_level`` runtime value.
+    //
+    google.protobuf.UInt32Value max_program_size = 1
+        [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+  }
+
+  oneof engine_type {
+    // Google's RE2 regex engine.
+    GoogleRE2 google_re2 = 1
+        [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+  }
+
+  // The regex match string. The string must be supported by the configured engine. The regex is matched
+  // against the full string, not as a partial match.
+  string regex = 2 [(validate.rules).string = {min_len: 1}];
+}
+
+// Describes how to match a string and then produce a new string using a regular
+// expression and a substitution string.
+message RegexMatchAndSubstitute {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.type.matcher.RegexMatchAndSubstitute";
+
+  // The regular expression used to find portions of a string (hereafter called
+  // the "subject string") that should be replaced. When a new string is
+  // produced during the substitution operation, the new string is initially
+  // the same as the subject string, but then all matches in the subject string
+  // are replaced by the substitution string. If replacing all matches isn't
+  // desired, regular expression anchors can be used to ensure a single match,
+  // so as to replace just one occurrence of a pattern. Capture groups can be
+  // used in the pattern to extract portions of the subject string, and then
+  // referenced in the substitution string.
+  RegexMatcher pattern = 1 [(validate.rules).message = {required: true}];
+
+  // The string that should be substituted into matching portions of the
+  // subject string during a substitution operation to produce a new string.
+  // Capture groups in the pattern can be referenced in the substitution
+  // string. Note, however, that the syntax for referring to capture groups is
+  // defined by the chosen regular expression engine. Google's `RE2
+  // <https://github.com/google/re2>`_ regular expression engine uses a
+  // backslash followed by the capture group number to denote a numbered
+  // capture group. E.g., ``\1`` refers to capture group 1, and ``\2`` refers
+  // to capture group 2.
+  string substitution = 2
+      [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+}

data/proto/envoy/type/matcher/v3/status_code_input.proto

@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "StatusCodeInputProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Common HTTP Inputs]
+
+// Match input indicates that matching should be done on the response status
+// code.
+message HttpResponseStatusCodeMatchInput {
+}
+
+// Match input indicates that the matching should be done on the class of the
+// response status code. For eg: 1xx, 2xx, 3xx, 4xx or 5xx.
+message HttpResponseStatusCodeClassMatchInput {
+}

data/proto/envoy/type/matcher/v3/string.proto

@@ -0,0 +1,94 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "envoy/type/matcher/v3/regex.proto";
+
+import "xds/core/v3/extension.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "StringProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: String matcher]
+
+// Specifies the way to match a string.
+// [#next-free-field: 9]
+message StringMatcher {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StringMatcher";
+
+  reserved 4;
+
+  reserved "regex";
+
+  oneof match_pattern {
+    option (validate.required) = true;
+
+    // The input string must match exactly the string specified here.
+    //
+    // Examples:
+    //
+    // * ``abc`` only matches the value ``abc``.
+    string exact = 1;
+
+    // The input string must have the prefix specified here.
+    //
+    // .. note::
+    //
+    //  Empty prefix match is not allowed, please use ``safe_regex`` instead.
+    //
+    // Examples:
+    //
+    // * ``abc`` matches the value ``abc.xyz``
+    string prefix = 2 [(validate.rules).string = {min_len: 1}];
+
+    // The input string must have the suffix specified here.
+    //
+    // .. note::
+    //
+    //  Empty suffix match is not allowed, please use ``safe_regex`` instead.
+    //
+    // Examples:
+    //
+    // * ``abc`` matches the value ``xyz.abc``
+    string suffix = 3 [(validate.rules).string = {min_len: 1}];
+
+    // The input string must match the regular expression specified here.
+    RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}];
+
+    // The input string must have the substring specified here.
+    //
+    // .. note::
+    //
+    //  Empty contains match is not allowed, please use ``safe_regex`` instead.
+    //
+    // Examples:
+    //
+    // * ``abc`` matches the value ``xyz.abc.def``
+    string contains = 7 [(validate.rules).string = {min_len: 1}];
+
+    // Use an extension as the matcher type.
+    // [#extension-category: envoy.string_matcher]
+    xds.core.v3.TypedExtensionConfig custom = 8;
+  }
+
+  // If ``true``, indicates the exact/prefix/suffix/contains matching should be case insensitive. This
+  // has no effect for the ``safe_regex`` match.
+  // For example, the matcher ``data`` will match both input string ``Data`` and ``data`` if this option
+  // is set to ``true``.
+  bool ignore_case = 6;
+}
+
+// Specifies a list of ways to match a string.
+message ListStringMatcher {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.type.matcher.ListStringMatcher";
+
+  repeated StringMatcher patterns = 1 [(validate.rules).repeated = {min_items: 1}];
+}

data/proto/envoy/type/matcher/v3/struct.proto

@@ -0,0 +1,91 @@
+syntax = "proto3";
+
+package envoy.type.matcher.v3;
+
+import "envoy/type/matcher/v3/value.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.matcher.v3";
+option java_outer_classname = "StructProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Struct matcher]
+
+// StructMatcher provides a general interface to check if a given value is matched in
+// google.protobuf.Struct. It uses ``path`` to retrieve the value
+// from the struct and then check if it's matched to the specified value.
+//
+// For example, for the following Struct:
+//
+// .. code-block:: yaml
+//
+//        fields:
+//          a:
+//            struct_value:
+//              fields:
+//                b:
+//                  struct_value:
+//                    fields:
+//                      c:
+//                        string_value: pro
+//                t:
+//                  list_value:
+//                    values:
+//                      - string_value: m
+//                      - string_value: n
+//
+// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro"
+// from the Metadata which is matched to the specified prefix match.
+//
+// .. code-block:: yaml
+//
+//    path:
+//    - key: a
+//    - key: b
+//    - key: c
+//    value:
+//      string_match:
+//        prefix: pr
+//
+// The following StructMatcher is matched as the code will match one of the string values in the
+// list at the path [a, t].
+//
+// .. code-block:: yaml
+//
+//    path:
+//    - key: a
+//    - key: t
+//    value:
+//      list_match:
+//        one_of:
+//          string_match:
+//            exact: m
+//
+// An example use of StructMatcher is to match metadata in envoy.v*.core.Node.
+message StructMatcher {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StructMatcher";
+
+  // Specifies the segment in a path to retrieve value from Struct.
+  message PathSegment {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.type.matcher.StructMatcher.PathSegment";
+
+    oneof segment {
+      option (validate.required) = true;
+
+      // If specified, use the key to retrieve the value in a Struct.
+      string key = 1 [(validate.rules).string = {min_len: 1}];
+    }
+  }
+
+  // The path to retrieve the Value from the Struct.
+  repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];
+
+  // The StructMatcher is matched if the value retrieved by path is matched to this value.
+  ValueMatcher value = 3 [(validate.rules).message = {required: true}];
+}