ext_authzv3

package
v1.36.11-2026011520535... Latest Latest
Published: unknown License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

// CheckSettings_GrpcService_case is the oneof case value for the gRPC branch of
// the CheckSettings ServiceOverride oneof (the type WhichServiceOverride returns).
// The value 4 equals the grpc_service field number in the CheckSettings_GrpcService tag.
const CheckSettings_GrpcService_case case_CheckSettings_ServiceOverride = 4
// CheckSettings_HttpService_case is the oneof case value for the HTTP branch of
// the CheckSettings ServiceOverride oneof (the type WhichServiceOverride returns).
// The value 5 equals the http_service field number in the CheckSettings_HttpService tag.
const CheckSettings_HttpService_case case_CheckSettings_ServiceOverride = 5
// CheckSettings_ServiceOverride_not_set_case is the zero case value of the
// CheckSettings ServiceOverride oneof; presumably it means no per-route service
// override is present and the filter-level service applies — confirm with callers.
const CheckSettings_ServiceOverride_not_set_case case_CheckSettings_ServiceOverride = 0
// ExtAuthzPerRoute_CheckSettings_case is a case value of the ExtAuthzPerRoute
// Override oneof; presumably the branch carrying per-route CheckSettings
// (ExtAuthzPerRoute itself is not shown here — confirm).
const ExtAuthzPerRoute_CheckSettings_case case_ExtAuthzPerRoute_Override = 2
// ExtAuthzPerRoute_Disabled_case is a case value of the ExtAuthzPerRoute
// Override oneof.
// NOTE(review): presumably the branch that turns the authorization check off for
// a route (ExtAuthzPerRoute is not shown here — confirm); routes reporting this
// case are worth listing when auditing which paths bypass the check.
const ExtAuthzPerRoute_Disabled_case case_ExtAuthzPerRoute_Override = 1
// ExtAuthzPerRoute_Override_not_set_case is the zero case value of the
// ExtAuthzPerRoute Override oneof; presumably no per-route override is set.
const ExtAuthzPerRoute_Override_not_set_case case_ExtAuthzPerRoute_Override = 0
// ExtAuthz_GrpcService_case is the case value for the gRPC branch of the ExtAuthz
// Services oneof (valid types: *ExtAuthz_GrpcService, *ExtAuthz_HttpService).
// The value presumably equals the protobuf field number — not shown here.
const ExtAuthz_GrpcService_case case_ExtAuthz_Services = 1
// ExtAuthz_HttpService_case is the case value for the HTTP branch of the ExtAuthz
// Services oneof (valid types: *ExtAuthz_GrpcService, *ExtAuthz_HttpService).
// The value presumably equals the protobuf field number — not shown here.
const ExtAuthz_HttpService_case case_ExtAuthz_Services = 3
// ExtAuthz_Services_not_set_case is the zero case value of the ExtAuthz Services
// oneof; presumably neither a gRPC nor an HTTP authorization service is configured.
const ExtAuthz_Services_not_set_case case_ExtAuthz_Services = 0

Variables

// File_envoy_extensions_filters_http_ext_authz_v3_ext_authz_proto is a
// protoreflect.FileDescriptor; going by its name it describes
// envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto, the file the
// deprecation notices in this package refer to.
var File_envoy_extensions_filters_http_ext_authz_v3_ext_authz_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type AuthorizationRequest

// AuthorizationRequest selects and sets the headers carried by the request that
// is sent to the authorization service.
type AuthorizationRequest struct {

	// AllowedHeaders is a list of matchers: the authorization request includes the
	// client request headers that have a corresponding match in the list.
	// This field has been deprecated in favor of :ref:`allowed_headers
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.allowed_headers>`.
	//
	// Note: in addition to the user's supplied matchers, "Host", "Method", "Path",
	// "Content-Length", and "Authorization" are automatically included in the list.
	//
	// NOTE(review): because "Authorization" is always included, the authorization
	// service receives the client's credentials whatever matchers are configured
	// here; treat the connection to that service as carrying secrets.
	//
	// Note: by default, the "Content-Length" header is set to "0" and the request to
	// the authorization service has no message body. However, the authorization
	// request may include the buffered client request body (controlled by
	// :ref:`with_request_body
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>`
	// setting); hence the value of its "Content-Length" reflects the size of its payload.
	//
	// Deprecated: Marked as deprecated in envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto.
	AllowedHeaders *v32.ListStringMatcher `protobuf:"bytes,1,opt,name=allowed_headers,json=allowedHeaders,proto3" json:"allowed_headers,omitempty"`
	// HeadersToAdd sets a list of headers that will be included in the request to
	// the authorization service.
	//
	// Note: client request headers with the same key will be overridden.
	//
	// NOTE(review): the override means a key set here cannot be supplied by the
	// client; a header the authorization service relies on but that is not set here
	// carries whatever the client sent.
	HeadersToAdd []*v3.HeaderValue `protobuf:"bytes,2,rep,name=headers_to_add,json=headersToAdd,proto3" json:"headers_to_add,omitempty"`
	// contains filtered or unexported fields
}

func (*AuthorizationRequest) ClearAllowedHeaders deprecated

func (x *AuthorizationRequest) ClearAllowedHeaders()

Deprecated: Marked as deprecated in envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto.

func (*AuthorizationRequest) GetAllowedHeaders deprecated

func (x *AuthorizationRequest) GetAllowedHeaders() *v32.ListStringMatcher

Deprecated: Marked as deprecated in envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto.

func (*AuthorizationRequest) GetHeadersToAdd

func (x *AuthorizationRequest) GetHeadersToAdd() []*v3.HeaderValue

func (*AuthorizationRequest) HasAllowedHeaders deprecated

func (x *AuthorizationRequest) HasAllowedHeaders() bool

Deprecated: Marked as deprecated in envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto.

func (*AuthorizationRequest) ProtoMessage

func (*AuthorizationRequest) ProtoMessage()

func (*AuthorizationRequest) ProtoReflect

func (x *AuthorizationRequest) ProtoReflect() protoreflect.Message

func (*AuthorizationRequest) Reset

func (x *AuthorizationRequest) Reset()

func (*AuthorizationRequest) SetAllowedHeaders deprecated

func (x *AuthorizationRequest) SetAllowedHeaders(v *v32.ListStringMatcher)

Deprecated: Marked as deprecated in envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto.

func (*AuthorizationRequest) SetHeadersToAdd

func (x *AuthorizationRequest) SetHeadersToAdd(v []*v3.HeaderValue)

func (*AuthorizationRequest) String

func (x *AuthorizationRequest) String() string

type AuthorizationRequest_builder

// AuthorizationRequest_builder mirrors the exported fields of AuthorizationRequest
// without struct tags; its Build method is listed on this page but the signature
// is not shown (presumably it returns *AuthorizationRequest).
type AuthorizationRequest_builder struct {

	// AllowedHeaders is a list of matchers: the authorization request includes the
	// client request headers that have a corresponding match in the list.
	// This field has been deprecated in favor of :ref:`allowed_headers
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.allowed_headers>`.
	//
	// Note: in addition to the user's supplied matchers, "Host", "Method", "Path",
	// "Content-Length", and "Authorization" are automatically included in the list.
	//
	// NOTE(review): because "Authorization" is always included, the authorization
	// service receives the client's credentials whatever matchers are configured here.
	//
	// Note: by default, the "Content-Length" header is set to "0" and the request to
	// the authorization service has no message body. However, the authorization
	// request may include the buffered client request body (controlled by
	// :ref:`with_request_body
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>`
	// setting); hence the value of its "Content-Length" reflects the size of its payload.
	//
	// Deprecated: Marked as deprecated in envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto.
	AllowedHeaders *v32.ListStringMatcher
	// HeadersToAdd sets a list of headers that will be included in the request to
	// the authorization service.
	//
	// Note: client request headers with the same key will be overridden, so a key
	// set here cannot be supplied by the client.
	HeadersToAdd []*v3.HeaderValue
	// contains filtered or unexported fields
}

func (AuthorizationRequest_builder) Build

type AuthorizationResponse

// AuthorizationResponse controls where headers from the authorization service's
// response are propagated: onto the original client request, onto the client's
// response, or into dynamic metadata. Each field is a list of header matchers.
type AuthorizationResponse struct {

	// When this list is set, authorization
	// response headers that have a correspondent match will be added to the original client request.
	//
	// Note: existing headers will be overridden.
	//
	// NOTE(review): every header matched here can be overwritten by the
	// authorization service before the request continues, so keep the matchers as
	// narrow as the headers that service is meant to set.
	AllowedUpstreamHeaders *v32.ListStringMatcher `` /* 129-byte string literal not displayed */
	// When this list is set, authorization
	// response headers that have a correspondent match will be added to the original client request.
	//
	// Note: existing headers will be appended.
	//
	// NOTE(review): with append semantics a client-supplied value for the same
	// header presumably stays in the request next to the authorization service's
	// value — confirm before anything downstream treats such a header as authoritative.
	AllowedUpstreamHeadersToAppend *v32.ListStringMatcher `` /* 157-byte string literal not displayed */
	// When this list is set, authorization
	// response headers that have a correspondent match will be added to the client's response.
	// When a header is included in this list, "Path", "Status", "Content-Length", "WWW-Authenticate" and
	// "Location" are automatically added.
	//
	// Note: when this list is *not* set, all the authorization response headers, except
	// "Authority (Host)", will be in the response to the client.
	//
	// NOTE(review): leaving this unset therefore passes every authorization-service
	// response header other than the authority to the client; set an explicit list
	// if that service emits headers intended for internal use only.
	AllowedClientHeaders *v32.ListStringMatcher `protobuf:"bytes,2,opt,name=allowed_client_headers,json=allowedClientHeaders,proto3" json:"allowed_client_headers,omitempty"`
	// When this list is set, authorization
	// response headers that have a correspondent match will be added to the client's response when
	// the authorization response itself is successful, i.e. not failed or denied. When this list is
	// *not* set, no additional headers will be added to the client's response on success.
	AllowedClientHeadersOnSuccess *v32.ListStringMatcher `` /* 154-byte string literal not displayed */
	// When this list is set, authorization
	// response headers that have a correspondent match will be emitted as dynamic metadata to be consumed
	// by the next filter. This metadata lives in a namespace specified by the canonical name of extension filter
	// that requires it:
	//
	// - :ref:`envoy.filters.http.ext_authz <config_http_filters_ext_authz_dynamic_metadata>` for HTTP filter.
	// - :ref:`envoy.filters.network.ext_authz <config_network_filters_ext_authz_dynamic_metadata>` for network filter.
	DynamicMetadataFromHeaders *v32.ListStringMatcher `` /* 143-byte string literal not displayed */
	// contains filtered or unexported fields
}

[#next-free-field: 6]

func (*AuthorizationResponse) ClearAllowedClientHeaders

func (x *AuthorizationResponse) ClearAllowedClientHeaders()

func (*AuthorizationResponse) ClearAllowedClientHeadersOnSuccess

func (x *AuthorizationResponse) ClearAllowedClientHeadersOnSuccess()

func (*AuthorizationResponse) ClearAllowedUpstreamHeaders

func (x *AuthorizationResponse) ClearAllowedUpstreamHeaders()

func (*AuthorizationResponse) ClearAllowedUpstreamHeadersToAppend

func (x *AuthorizationResponse) ClearAllowedUpstreamHeadersToAppend()

func (*AuthorizationResponse) ClearDynamicMetadataFromHeaders

func (x *AuthorizationResponse) ClearDynamicMetadataFromHeaders()

func (*AuthorizationResponse) GetAllowedClientHeaders

func (x *AuthorizationResponse) GetAllowedClientHeaders() *v32.ListStringMatcher

func (*AuthorizationResponse) GetAllowedClientHeadersOnSuccess

func (x *AuthorizationResponse) GetAllowedClientHeadersOnSuccess() *v32.ListStringMatcher

func (*AuthorizationResponse) GetAllowedUpstreamHeaders

func (x *AuthorizationResponse) GetAllowedUpstreamHeaders() *v32.ListStringMatcher

func (*AuthorizationResponse) GetAllowedUpstreamHeadersToAppend

func (x *AuthorizationResponse) GetAllowedUpstreamHeadersToAppend() *v32.ListStringMatcher

func (*AuthorizationResponse) GetDynamicMetadataFromHeaders

func (x *AuthorizationResponse) GetDynamicMetadataFromHeaders() *v32.ListStringMatcher

func (*AuthorizationResponse) HasAllowedClientHeaders

func (x *AuthorizationResponse) HasAllowedClientHeaders() bool

func (*AuthorizationResponse) HasAllowedClientHeadersOnSuccess

func (x *AuthorizationResponse) HasAllowedClientHeadersOnSuccess() bool

func (*AuthorizationResponse) HasAllowedUpstreamHeaders

func (x *AuthorizationResponse) HasAllowedUpstreamHeaders() bool

func (*AuthorizationResponse) HasAllowedUpstreamHeadersToAppend

func (x *AuthorizationResponse) HasAllowedUpstreamHeadersToAppend() bool

func (*AuthorizationResponse) HasDynamicMetadataFromHeaders

func (x *AuthorizationResponse) HasDynamicMetadataFromHeaders() bool

func (*AuthorizationResponse) ProtoMessage

func (*AuthorizationResponse) ProtoMessage()

func (*AuthorizationResponse) ProtoReflect

func (x *AuthorizationResponse) ProtoReflect() protoreflect.Message

func (*AuthorizationResponse) Reset

func (x *AuthorizationResponse) Reset()

func (*AuthorizationResponse) SetAllowedClientHeaders

func (x *AuthorizationResponse) SetAllowedClientHeaders(v *v32.ListStringMatcher)

func (*AuthorizationResponse) SetAllowedClientHeadersOnSuccess

func (x *AuthorizationResponse) SetAllowedClientHeadersOnSuccess(v *v32.ListStringMatcher)

func (*AuthorizationResponse) SetAllowedUpstreamHeaders

func (x *AuthorizationResponse) SetAllowedUpstreamHeaders(v *v32.ListStringMatcher)

func (*AuthorizationResponse) SetAllowedUpstreamHeadersToAppend

func (x *AuthorizationResponse) SetAllowedUpstreamHeadersToAppend(v *v32.ListStringMatcher)

func (*AuthorizationResponse) SetDynamicMetadataFromHeaders

func (x *AuthorizationResponse) SetDynamicMetadataFromHeaders(v *v32.ListStringMatcher)

func (*AuthorizationResponse) String

func (x *AuthorizationResponse) String() string

type AuthorizationResponse_builder

// AuthorizationResponse_builder mirrors the exported fields of
// AuthorizationResponse without struct tags; its Build method is listed on this
// page but the signature is not shown (presumably it returns *AuthorizationResponse).
type AuthorizationResponse_builder struct {

	// When this list is set, authorization
	// response headers that have a correspondent match will be added to the original client request.
	//
	// Note: existing headers will be overridden, so every header matched here can
	// be overwritten by the authorization service; keep the matchers narrow.
	AllowedUpstreamHeaders *v32.ListStringMatcher
	// When this list is set, authorization
	// response headers that have a correspondent match will be added to the original client request.
	//
	// Note: existing headers will be appended.
	//
	// NOTE(review): a client-supplied value for the same header presumably stays in
	// the request next to the authorization service's value — confirm.
	AllowedUpstreamHeadersToAppend *v32.ListStringMatcher
	// When this list is set, authorization
	// response headers that have a correspondent match will be added to the client's response.
	// When a header is included in this list, "Path", "Status", "Content-Length", "WWW-Authenticate" and
	// "Location" are automatically added.
	//
	// Note: when this list is *not* set, all the authorization response headers, except
	// "Authority (Host)", will be in the response to the client. Set an explicit
	// list if the authorization service emits headers meant for internal use only.
	AllowedClientHeaders *v32.ListStringMatcher
	// When this list is set, authorization
	// response headers that have a correspondent match will be added to the client's response when
	// the authorization response itself is successful, i.e. not failed or denied. When this list is
	// *not* set, no additional headers will be added to the client's response on success.
	AllowedClientHeadersOnSuccess *v32.ListStringMatcher
	// When this list is set, authorization
	// response headers that have a correspondent match will be emitted as dynamic metadata to be consumed
	// by the next filter. This metadata lives in a namespace specified by the canonical name of extension filter
	// that requires it:
	//
	// - :ref:`envoy.filters.http.ext_authz <config_http_filters_ext_authz_dynamic_metadata>` for HTTP filter.
	// - :ref:`envoy.filters.network.ext_authz <config_network_filters_ext_authz_dynamic_metadata>` for network filter.
	DynamicMetadataFromHeaders *v32.ListStringMatcher
	// contains filtered or unexported fields
}

func (AuthorizationResponse_builder) Build

type BufferSettings

// BufferSettings is the configuration for buffering the request data that the
// filter may send to the authorization service.
type BufferSettings struct {

	// Sets the maximum size of a message body that the filter will hold in memory. Envoy will return
	// "HTTP 413" and will *not* initiate the authorization process when the buffer reaches the size
	// set in this field.
	//
	// Note: this setting will have precedence over :ref:`failure_mode_allow
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.failure_mode_allow>`.
	//
	// NOTE(review): read with the precedence note, a body that reaches the limit is
	// answered with 413 even when failure_mode_allow is true — confirm against the
	// Envoy version in use. The limit also bounds how much memory one request can
	// make the filter hold.
	MaxRequestBytes uint32 `protobuf:"varint,1,opt,name=max_request_bytes,json=maxRequestBytes,proto3" json:"max_request_bytes,omitempty"`
	// When this field is "true", Envoy will buffer the message until "max_request_bytes" is reached.
	// The authorization request will be dispatched and no 413 HTTP error will be returned by the
	// filter.
	//
	// Defaults to "false".
	//
	// NOTE(review): with this enabled the authorization service sees at most
	// max_request_bytes of the body. The ExtAuthz.with_request_body documentation
	// describes an "x-envoy-auth-partial-body: false|true" metadata header on the
	// authorization request that indicates whether the body is partial; a policy
	// that inspects the body should check it rather than assume a complete payload.
	AllowPartialMessage bool `protobuf:"varint,2,opt,name=allow_partial_message,json=allowPartialMessage,proto3" json:"allow_partial_message,omitempty"`
	// If "true", the body sent to the external authorization service is set as raw bytes and populates
	// :ref:`raw_body<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.raw_body>`
	// in the HTTP request attribute context. Otherwise, :ref:`body
	// <envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.body>` will be populated
	// with a UTF-8 string request body.
	//
	// This field only affects configurations using a :ref:`grpc_service
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.grpc_service>`. In configurations that use
	// an :ref:`http_service <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.http_service>`, this
	// has no effect.
	//
	// Defaults to "false".
	PackAsBytes bool `protobuf:"varint,3,opt,name=pack_as_bytes,json=packAsBytes,proto3" json:"pack_as_bytes,omitempty"`
	// contains filtered or unexported fields
}

Configuration for buffering the request data.

func (*BufferSettings) GetAllowPartialMessage

func (x *BufferSettings) GetAllowPartialMessage() bool

func (*BufferSettings) GetMaxRequestBytes

func (x *BufferSettings) GetMaxRequestBytes() uint32

func (*BufferSettings) GetPackAsBytes

func (x *BufferSettings) GetPackAsBytes() bool

func (*BufferSettings) ProtoMessage

func (*BufferSettings) ProtoMessage()

func (*BufferSettings) ProtoReflect

func (x *BufferSettings) ProtoReflect() protoreflect.Message

func (*BufferSettings) Reset

func (x *BufferSettings) Reset()

func (*BufferSettings) SetAllowPartialMessage

func (x *BufferSettings) SetAllowPartialMessage(v bool)

func (*BufferSettings) SetMaxRequestBytes

func (x *BufferSettings) SetMaxRequestBytes(v uint32)

func (*BufferSettings) SetPackAsBytes

func (x *BufferSettings) SetPackAsBytes(v bool)

func (*BufferSettings) String

func (x *BufferSettings) String() string

type BufferSettings_builder

// BufferSettings_builder mirrors the exported fields of BufferSettings without
// struct tags; its Build method is listed on this page but the signature is not
// shown (presumably it returns *BufferSettings).
type BufferSettings_builder struct {

	// Sets the maximum size of a message body that the filter will hold in memory. Envoy will return
	// "HTTP 413" and will *not* initiate the authorization process when the buffer reaches the size
	// set in this field.
	//
	// Note: this setting will have precedence over :ref:`failure_mode_allow
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.failure_mode_allow>`.
	MaxRequestBytes uint32
	// When this field is "true", Envoy will buffer the message until "max_request_bytes" is reached.
	// The authorization request will be dispatched and no 413 HTTP error will be returned by the
	// filter.
	//
	// Defaults to "false".
	//
	// NOTE(review): with this enabled the authorization service sees at most
	// max_request_bytes of the body; a policy that inspects the body should not
	// assume the payload is complete.
	AllowPartialMessage bool
	// If "true", the body sent to the external authorization service is set as raw bytes and populates
	// :ref:`raw_body<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.raw_body>`
	// in the HTTP request attribute context. Otherwise, :ref:`body
	// <envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.body>` will be populated
	// with a UTF-8 string request body.
	//
	// This field only affects configurations using a :ref:`grpc_service
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.grpc_service>`. In configurations that use
	// an :ref:`http_service <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.http_service>`, this
	// has no effect.
	//
	// Defaults to "false".
	PackAsBytes bool
	// contains filtered or unexported fields
}

func (BufferSettings_builder) Build

type CheckSettings

// CheckSettings carries extra settings for the check request, specified in
// per-filter-configs for specific virtual hosts or routes.
type CheckSettings struct {

	// Context extensions to set on the CheckRequest's
	// :ref:`AttributeContext.context_extensions<envoy_v3_api_field_service.auth.v3.AttributeContext.context_extensions>`
	//
	// You can use this to provide extra context for the external authorization server on specific
	// virtual hosts/routes. For example, adding a context extension on the virtual host level can
	// give the ext-authz server information on what virtual host is used without needing to parse the
	// host header. If CheckSettings is specified in multiple per-filter-configs, they will be merged
	// in order, and the result will be used.
	//
	// Merge semantics for this field are such that keys from more specific configs override.
	//
	// Note: these settings are only applied to a filter configured with a
	// :ref:`grpc_service<envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.grpc_service>`.
	//
	// NOTE(review): a policy keyed on a context extension therefore depends on the
	// filter using a grpc_service; with any other service type the extensions are
	// not applied, per the note above.
	ContextExtensions map[string]string `` /* 186-byte string literal not displayed */
	// When set to "true", disable the configured :ref:`with_request_body
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` for a specific route.
	//
	// Only one of "disable_request_body_buffering" and
	// :ref:`with_request_body <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.CheckSettings.with_request_body>`
	// may be specified.
	//
	// NOTE(review): on a route with this set, the authorization service presumably
	// receives no request body, so body-based rules cannot apply there — confirm.
	DisableRequestBodyBuffering bool `` /* 147-byte string literal not displayed */
	// Enable or override request body buffering, which is configured using the
	// :ref:`with_request_body <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>`
	// option for a specific route.
	//
	// Only one of "with_request_body" and
	// :ref:`disable_request_body_buffering <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.CheckSettings.disable_request_body_buffering>`
	// may be specified.
	WithRequestBody *BufferSettings `protobuf:"bytes,3,opt,name=with_request_body,json=withRequestBody,proto3" json:"with_request_body,omitempty"`
	// Override the external authorization service for this route.
	// This allows different routes to use different external authorization service backends
	// and service types (gRPC or HTTP). If specified, this overrides the filter-level service
	// configuration regardless of the original service type.
	//
	// NOTE(review): an override changes which service makes the allow/deny decision
	// for the route, so per-route configuration deserves the same review as the
	// filter-level service definition.
	//
	// Types that are valid to be assigned to ServiceOverride:
	//
	//	*CheckSettings_GrpcService
	//	*CheckSettings_HttpService
	ServiceOverride isCheckSettings_ServiceOverride `protobuf_oneof:"service_override"`
	// contains filtered or unexported fields
}

Extra settings for the check request. [#next-free-field: 6]

func (*CheckSettings) ClearGrpcService

func (x *CheckSettings) ClearGrpcService()

func (*CheckSettings) ClearHttpService

func (x *CheckSettings) ClearHttpService()

func (*CheckSettings) ClearServiceOverride

func (x *CheckSettings) ClearServiceOverride()

func (*CheckSettings) ClearWithRequestBody

func (x *CheckSettings) ClearWithRequestBody()

func (*CheckSettings) GetContextExtensions

func (x *CheckSettings) GetContextExtensions() map[string]string

func (*CheckSettings) GetDisableRequestBodyBuffering

func (x *CheckSettings) GetDisableRequestBodyBuffering() bool

func (*CheckSettings) GetGrpcService

func (x *CheckSettings) GetGrpcService() *v3.GrpcService

func (*CheckSettings) GetHttpService

func (x *CheckSettings) GetHttpService() *HttpService

func (*CheckSettings) GetServiceOverride

func (x *CheckSettings) GetServiceOverride() isCheckSettings_ServiceOverride

func (*CheckSettings) GetWithRequestBody

func (x *CheckSettings) GetWithRequestBody() *BufferSettings

func (*CheckSettings) HasGrpcService

func (x *CheckSettings) HasGrpcService() bool

func (*CheckSettings) HasHttpService

func (x *CheckSettings) HasHttpService() bool

func (*CheckSettings) HasServiceOverride

func (x *CheckSettings) HasServiceOverride() bool

func (*CheckSettings) HasWithRequestBody

func (x *CheckSettings) HasWithRequestBody() bool

func (*CheckSettings) ProtoMessage

func (*CheckSettings) ProtoMessage()

func (*CheckSettings) ProtoReflect

func (x *CheckSettings) ProtoReflect() protoreflect.Message

func (*CheckSettings) Reset

func (x *CheckSettings) Reset()

func (*CheckSettings) SetContextExtensions

func (x *CheckSettings) SetContextExtensions(v map[string]string)

func (*CheckSettings) SetDisableRequestBodyBuffering

func (x *CheckSettings) SetDisableRequestBodyBuffering(v bool)

func (*CheckSettings) SetGrpcService

func (x *CheckSettings) SetGrpcService(v *v3.GrpcService)

func (*CheckSettings) SetHttpService

func (x *CheckSettings) SetHttpService(v *HttpService)

func (*CheckSettings) SetWithRequestBody

func (x *CheckSettings) SetWithRequestBody(v *BufferSettings)

func (*CheckSettings) String

func (x *CheckSettings) String() string

func (*CheckSettings) WhichServiceOverride

func (x *CheckSettings) WhichServiceOverride() case_CheckSettings_ServiceOverride

type CheckSettings_GrpcService

// CheckSettings_GrpcService is one of the two types that may be assigned to
// CheckSettings.ServiceOverride; it wraps oneof field 4 (grpc_service).
type CheckSettings_GrpcService struct {
	// Override with a gRPC service configuration.
	GrpcService *v3.GrpcService `protobuf:"bytes,4,opt,name=grpc_service,json=grpcService,proto3,oneof"`
}

type CheckSettings_HttpService

// CheckSettings_HttpService is one of the two types that may be assigned to
// CheckSettings.ServiceOverride; it wraps oneof field 5 (http_service).
type CheckSettings_HttpService struct {
	// Override with an HTTP service configuration.
	HttpService *HttpService `protobuf:"bytes,5,opt,name=http_service,json=httpService,proto3,oneof"`
}

type CheckSettings_builder

// CheckSettings_builder mirrors the exported fields of CheckSettings without
// struct tags, with the ServiceOverride oneof flattened into the GrpcService and
// HttpService fields; its Build method is listed on this page but the signature
// is not shown (presumably it returns *CheckSettings).
type CheckSettings_builder struct {

	// Context extensions to set on the CheckRequest's
	// :ref:`AttributeContext.context_extensions<envoy_v3_api_field_service.auth.v3.AttributeContext.context_extensions>`
	//
	// You can use this to provide extra context for the external authorization server on specific
	// virtual hosts/routes. For example, adding a context extension on the virtual host level can
	// give the ext-authz server information on what virtual host is used without needing to parse the
	// host header. If CheckSettings is specified in multiple per-filter-configs, they will be merged
	// in order, and the result will be used.
	//
	// Merge semantics for this field are such that keys from more specific configs override.
	//
	// Note: these settings are only applied to a filter configured with a
	// :ref:`grpc_service<envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.grpc_service>`.
	ContextExtensions map[string]string
	// When set to "true", disable the configured :ref:`with_request_body
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` for a specific route.
	//
	// Only one of "disable_request_body_buffering" and
	// :ref:`with_request_body <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.CheckSettings.with_request_body>`
	// may be specified.
	DisableRequestBodyBuffering bool
	// Enable or override request body buffering, which is configured using the
	// :ref:`with_request_body <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>`
	// option for a specific route.
	//
	// Only one of "with_request_body" and
	// :ref:`disable_request_body_buffering <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.CheckSettings.disable_request_body_buffering>`
	// may be specified.
	WithRequestBody *BufferSettings

	// Fields of oneof ServiceOverride:
	// NOTE(review): both fields belong to one oneof, so presumably at most one of
	// them should be set; what Build does when both are set is not shown here.
	// Override with a gRPC service configuration.
	GrpcService *v3.GrpcService
	// Override with an HTTP service configuration.
	HttpService *HttpService
	// contains filtered or unexported fields
}

func (CheckSettings_builder) Build

type ExtAuthz

// ExtAuthz is the configuration message of the HTTP ext_authz filter
// (type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz).
//
// NOTE(review): several of the protections documented on the fields below are
// off by default. validate_mutations and enforce_response_header_limits default
// to “false“, decoder_header_mutation_rules is disabled when unset, and
// max_denied_response_body_bytes applies no limit when unset. A deployment that
// does not fully trust its authorization service has to opt in to each of them.
type ExtAuthz struct {

	// External authorization service configuration.
	//
	// Types that are valid to be assigned to Services:
	//
	//	*ExtAuthz_GrpcService
	//	*ExtAuthz_HttpService
	Services isExtAuthz_Services `protobuf_oneof:"services"`
	// API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
	// version of messages used on the wire.
	TransportApiVersion v3.ApiVersion `` /* 159-byte string literal not displayed */
	// Changes the filter's behavior on errors:
	//
	//   - When set to “true“, the filter will “accept“ the client request even if communication with
	//     the authorization service has failed, or if the authorization service has returned an HTTP 5xx
	//     error.
	//
	//   - When set to “false“, the filter will “reject“ client requests and return “Forbidden“
	//     if communication with the authorization service has failed, or if the authorization service
	//     has returned an HTTP 5xx error.
	//
	// Errors can always be tracked in the :ref:`stats <config_http_filters_ext_authz_stats>`.
	//
	// Defaults to “false“.
	//
	// NOTE(review): “true“ is a fail-open setting. While the authorization service is unreachable
	// or returning 5xx, requests are accepted without an authorization decision. Keep the default
	// unless that trade-off is intended, and alert on the error stats mentioned above.
	FailureModeAllow bool `protobuf:"varint,2,opt,name=failure_mode_allow,json=failureModeAllow,proto3" json:"failure_mode_allow,omitempty"`
	// When “failure_mode_allow“ and “failure_mode_allow_header_add“ are both set to “true“,
	// “x-envoy-auth-failure-mode-allowed: true“ will be added to request headers if the communication
	// with the authorization service has failed, or if the authorization service has returned an
	// HTTP 5xx error.
	//
	// NOTE(review): this header is how an upstream can tell that a request was let through by
	// fail-open rather than authorized. Presumably an upstream should rely on it only if it cannot
	// arrive from the client -- confirm how an inbound header of the same name is handled.
	FailureModeAllowHeaderAdd bool `` /* 144-byte string literal not displayed */
	// Enables the filter to buffer the client request body and send it within the authorization request.
	// The “x-envoy-auth-partial-body: false|true“ metadata header will be added to the authorization
	// request indicating whether the body data is partial.
	//
	// NOTE(review): when the partial-body header is “true“ the authorization service has seen only
	// part of the body, so a decision that depends on body content does not cover the whole request.
	WithRequestBody *BufferSettings `protobuf:"bytes,5,opt,name=with_request_body,json=withRequestBody,proto3" json:"with_request_body,omitempty"`
	// Clears the route cache in order to allow the external authorization service to correctly affect
	// routing decisions. The filter clears all cached routes when all of the following holds:
	//
	//   - This field is set to “true“.
	//   - The status returned from the authorization service is an HTTP 200 or gRPC 0.
	//   - At least one “authorization response header“ is added to the client request, or is used to
	//     alter another client request header.
	//
	// Defaults to “false“.
	//
	// NOTE(review): enabling this lets headers returned by the authorization service influence
	// route selection, so the service becomes part of the routing trust boundary.
	ClearRouteCache bool `protobuf:"varint,6,opt,name=clear_route_cache,json=clearRouteCache,proto3" json:"clear_route_cache,omitempty"`
	// Sets the HTTP status that is returned to the client when the authorization server returns an error
	// or cannot be reached.
	//
	// The default status is “HTTP 403 Forbidden“.
	StatusOnError *v31.HttpStatus `protobuf:"bytes,7,opt,name=status_on_error,json=statusOnError,proto3" json:"status_on_error,omitempty"`
	// When set to “true“, the filter will check the :ref:`ext_authz response
	// <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header and
	// query parameter mutations. If the response is invalid, the filter will send a local reply
	// to the downstream request with status “HTTP 500 Internal Server Error“.
	//
	// .. note::
	//
	//	Both “headers_to_remove“ and “query_parameters_to_remove“ are validated, but invalid elements in
	//	those fields should not affect any headers and thus will not cause the filter to send a local reply.
	//
	// When set to “false“, any invalid mutations will be visible to the rest of Envoy and may cause
	// unexpected behavior.
	//
	// If you are using ext_authz with an untrusted ext_authz server, you should set this to “true“.
	//
	// Defaults to “false“.
	//
	// NOTE(review): this is a correctness check on mutation values only. Restricting which headers
	// may be mutated is a separate control, “decoder_header_mutation_rules“ below.
	ValidateMutations bool `protobuf:"varint,24,opt,name=validate_mutations,json=validateMutations,proto3" json:"validate_mutations,omitempty"`
	// Specifies a list of metadata namespaces whose values, if present, will be passed to the
	// ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
	// is passed as an opaque “protobuf::Struct“.
	//
	// .. note::
	//
	//	This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.
	//
	// For example, if the “jwt_authn“ filter is used and :ref:`payload_in_metadata
	// <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
	// then the following will pass the jwt payload to the authorization server.
	//
	// .. code-block:: yaml
	//
	//	metadata_context_namespaces:
	//	- envoy.filters.http.jwt_authn
	//
	// NOTE(review): everything under a listed namespace is forwarded to the authorization service.
	// In the example above that is the JWT payload, so list only the namespaces the service needs.
	MetadataContextNamespaces []string `` /* 138-byte string literal not displayed */
	// Specifies a list of metadata namespaces whose values, if present, will be passed to the
	// ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
	// is passed as a “protobuf::Any“.
	//
	// .. note::
	//
	//	This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.
	//
	// This works similarly to “metadata_context_namespaces“ but allows Envoy and the ext_authz server to share
	// the protobuf message definition in order to perform safe parsing.
	TypedMetadataContextNamespaces []string `` /* 156-byte string literal not displayed */
	// Specifies a list of route metadata namespaces whose values, if present, will be passed to the
	// ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
	// :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
	// :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque “protobuf::Struct“.
	RouteMetadataContextNamespaces []string `` /* 156-byte string literal not displayed */
	// Specifies a list of route metadata namespaces whose values, if present, will be passed to the
	// ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
	// :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
	// :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a “protobuf::Any“.
	RouteTypedMetadataContextNamespaces []string `` /* 173-byte string literal not displayed */
	// Specifies if the filter is enabled.
	//
	// If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
	// Envoy will look up the runtime key to get the percentage of requests to filter.
	//
	// If this field is not specified, the filter will be enabled for all requests.
	//
	// NOTE(review): a percentage below 100 means the remaining requests are not sent to the
	// authorization service. Per “deny_at_disable“ below, those requests are allowed unless that
	// field is set, so treat the runtime key as an authorization control and restrict who can change it.
	FilterEnabled *v3.RuntimeFractionalPercent `protobuf:"bytes,9,opt,name=filter_enabled,json=filterEnabled,proto3" json:"filter_enabled,omitempty"`
	// Specifies if the filter is enabled with metadata matcher.
	// If this field is not specified, the filter will be enabled for all requests.
	//
	// .. note::
	//
	//	This field is only evaluated if the filter is instantiated. If the filter is marked with
	//	“disabled: true“ in the :ref:`HttpFilter
	//	<envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
	//	configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
	//	<envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
	//	the filter will not be instantiated and this field will have no effect.
	//
	// .. tip::
	//
	//	For dynamic filter activation based on metadata (such as metadata set by a preceding
	//	filter), consider using :ref:`ExtensionWithMatcher
	//	<envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
	//	provides a more flexible matching framework that can evaluate conditions before filter
	//	instantiation. See the :ref:`ext_authz filter documentation
	//	<config_http_filters_ext_authz>` for examples.
	FilterEnabledMetadata *v32.MetadataMatcher `` /* 127-byte string literal not displayed */
	// Specifies whether to deny the requests when the filter is disabled.
	// If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
	// Envoy will look up the runtime key to determine whether to deny requests for filter-protected paths
	// when the filter is disabled. If the filter is disabled in “typed_per_filter_config“ for the path,
	// requests will not be denied.
	//
	// If this field is not specified, all requests will be allowed when disabled.
	//
	// If a request is denied due to this setting, the response code in :ref:`status_on_error
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
	// be returned.
	//
	// NOTE(review): the unset default is allow-when-disabled, so turning the filter off through
	// “filter_enabled“ removes the authorization check instead of blocking traffic. Set this field
	// where the protected paths must fail closed.
	DenyAtDisable *v3.RuntimeFeatureFlag `protobuf:"bytes,11,opt,name=deny_at_disable,json=denyAtDisable,proto3" json:"deny_at_disable,omitempty"`
	// Specifies if the peer certificate is sent to the external service.
	//
	// When this field is “true“, Envoy will include the peer X.509 certificate, if available, in the
	// :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
	IncludePeerCertificate bool `` /* 131-byte string literal not displayed */
	// Optional additional prefix to use when emitting statistics. This allows distinguishing
	// emitted statistics between configured “ext_authz“ filters in an HTTP filter chain. For example:
	//
	// .. code-block:: yaml
	//
	//	http_filters:
	//	  - name: envoy.filters.http.ext_authz
	//	    typed_config:
	//	      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
	//	      stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
	//	  - name: envoy.filters.http.ext_authz
	//	    typed_config:
	//	      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
	//	      stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
	StatPrefix string `protobuf:"bytes,13,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"`
	// Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
	// :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
	// The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
	BootstrapMetadataLabelsKey string `` /* 144-byte string literal not displayed */
	// Check request to authorization server will include the client request headers that have a corresponding match
	// in the list. If this option isn't specified, then
	// all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
	// (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
	// This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.
	//
	// .. note::
	//
	//	For requests to an HTTP authorization server: in addition to the user's supplied matchers, “Host“, “Method“, “Path“,
	//	“Content-Length“, and “Authorization“ are **additionally included** in the list.
	//
	// .. note::
	//
	//	For requests to an HTTP authorization server: the value of “Content-Length“ will be set to “0“ and the request to the
	//	authorization server will not have a message body. However, the check request can include the buffered
	//	client request body (controlled by :ref:`with_request_body
	//	<envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
	//	consequently, the value of “Content-Length“ in the authorization request reflects the size of its payload.
	//
	// .. note::
	//
	//	This can be overridden by the field “disallowed_headers“ below. That is, if a header
	//	matches for both “allowed_headers“ and “disallowed_headers“, the header will NOT be sent.
	//
	// NOTE(review): with a gRPC authorization server and this field unset, every client request
	// header is forwarded, including any credential-bearing headers the client sent. Set an
	// explicit allow list, or use “disallowed_headers“, to limit what the service receives.
	AllowedHeaders *v32.ListStringMatcher `protobuf:"bytes,17,opt,name=allowed_headers,json=allowedHeaders,proto3" json:"allowed_headers,omitempty"`
	// If set, specifically disallow any header in this list to be forwarded to the external
	// authentication server. This overrides the above “allowed_headers“ if a header matches both.
	DisallowedHeaders *v32.ListStringMatcher `protobuf:"bytes,25,opt,name=disallowed_headers,json=disallowedHeaders,proto3" json:"disallowed_headers,omitempty"`
	// Specifies if the TLS session level details like SNI are sent to the external service.
	//
	// When this field is “true“, Envoy will include the SNI name used for TLSClientHello, if available, in the
	// :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
	IncludeTlsSession bool `protobuf:"varint,18,opt,name=include_tls_session,json=includeTlsSession,proto3" json:"include_tls_session,omitempty"`
	// Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
	// Defaults to “true“.
	ChargeClusterResponseStats *wrapperspb.BoolValue `` /* 144-byte string literal not displayed */
	// Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers)
	// in the authorization request. Works with both HTTP and gRPC clients.
	//
	// When this is set to “true“, header values are not sanitized. Headers with the same key will also
	// not be combined into a single, comma-separated header.
	// Requests to gRPC services will populate the field
	// :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
	// Requests to HTTP services will be constructed with the unsanitized header values and preserved
	// multi-line headers with the same key.
	//
	// If this field is set to “false“, header values will be sanitized, with any non-UTF-8-compliant
	// bytes replaced with “'!'“. Headers with the same key will have their values concatenated into a
	// single comma-separated header value.
	// Requests to gRPC services will populate the field
	// :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
	// Requests to HTTP services will have their header values sanitized and will not preserve
	// multi-line headers with the same key.
	//
	// It is recommended to set this to “true“ unless you rely on the previous behavior.
	//
	// It is set to “false“ by default for backwards compatibility.
	//
	// NOTE(review): the two modes populate different fields for a gRPC service (“header_map“ versus
	// “headers“), and with “true“ the service receives header bytes as sent. The authorization
	// service must therefore read the matching field and handle non-UTF-8 values and repeated keys itself.
	EncodeRawHeaders bool `protobuf:"varint,23,opt,name=encode_raw_headers,json=encodeRawHeaders,proto3" json:"encode_raw_headers,omitempty"`
	// Rules for what modifications an ext_authz server may make to the request headers before
	// continuing decoding or forwarding upstream.
	//
	// If set, enables header mutation checking against the configured rules. Note that
	// :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
	// has defaults that change ext_authz behavior. Also note that if this field is set,
	// ext_authz can no longer append to “:“-prefixed headers.
	//
	// If unset, header mutation rule checking is completely disabled.
	//
	// Regardless of what is configured here, ext_authz cannot remove “:“-prefixed headers.
	//
	// This field and “validate_mutations“ have different use cases. “validate_mutations“ enables
	// correctness checks for all header and query parameter mutations (for example, invalid characters).
	// This field allows the filter to reject mutations to specific headers.
	//
	// NOTE(review): left unset, no rule restricts which request headers the authorization service
	// may mutate, apart from the “:“-prefixed removal restriction stated above.
	DecoderHeaderMutationRules *v33.HeaderMutationRules `` /* 144-byte string literal not displayed */
	// Enable or disable ingestion of dynamic metadata from the ext_authz service.
	//
	// If “false“, the filter will ignore dynamic metadata injected by the ext_authz service. If the
	// ext_authz service tries injecting dynamic metadata, the filter will log, increment the
	// “ignored_dynamic_metadata“ stat, then continue handling the response.
	//
	// If “true“, the filter will ingest dynamic metadata entries as normal.
	//
	// If unset, defaults to “true“.
	//
	// NOTE(review): the unset default ingests whatever dynamic metadata the authorization service
	// returns. Set “false“ when no later filter or log relies on it.
	EnableDynamicMetadataIngestion *wrapperspb.BoolValue `` /* 156-byte string literal not displayed */
	// Additional metadata to be added to the filter state for logging purposes. The metadata will be
	// added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
	// name.
	FilterMetadata *structpb.Struct `protobuf:"bytes,28,opt,name=filter_metadata,json=filterMetadata,proto3" json:"filter_metadata,omitempty"`
	// When set to “true“, the filter will emit per-stream stats for access logging. The filter state
	// key will be the same as the filter name.
	//
	// If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
	// info. If not using Envoy gRPC, emits only latency.
	//
	// .. note::
	//
	//	Stats are ONLY added to filter state if a check request is actually made to an ext_authz service.
	//
	// If this is “false“ the filter will not emit stats, but filter_metadata will still be respected if
	// it has a value.
	//
	// Field “latency_us“ is exposed for CEL and logging when using gRPC or HTTP service.
	// Fields “bytesSent“ and “bytesReceived“ are exposed for CEL and logging only when using gRPC service.
	EmitFilterStateStats bool `` /* 127-byte string literal not displayed */
	// Sets the maximum size (in bytes) of the response body that the filter will send downstream
	// when a request is denied by the external authorization service.
	//
	// If the authorization server returns a response body larger than this configured limit,
	// the body will be truncated to “max_denied_response_body_bytes“ before being sent to the
	// downstream client.
	//
	// If this field is not set or is set to 0, no truncation will occur, and the entire
	// denied response body will be forwarded.
	//
	// NOTE(review): unset or 0 relays the denied response body from the authorization service to
	// the client without a size cap. Set a limit when the service is not fully trusted.
	MaxDeniedResponseBodyBytes uint32 `` /* 147-byte string literal not displayed */
	// When set to “true“, the filter will enforce the response header map's count and size limits
	// by sending a local reply when those limits are violated.
	//
	// When set to “false“, the filter will ignore the response header map's limits and add / set
	// all response headers as specified by the external authorization service.
	//
	// Recommendation: enable if the external authorization service is not trusted. Otherwise, leave
	// it “false“.
	//
	// Defaults to “false“.
	EnforceResponseHeaderLimits bool `` /* 148-byte string literal not displayed */
	// contains filtered or unexported fields
}

[#next-free-field: 32]

func (*ExtAuthz) ClearAllowedHeaders

func (x *ExtAuthz) ClearAllowedHeaders()

func (*ExtAuthz) ClearChargeClusterResponseStats

func (x *ExtAuthz) ClearChargeClusterResponseStats()

func (*ExtAuthz) ClearDecoderHeaderMutationRules

func (x *ExtAuthz) ClearDecoderHeaderMutationRules()

func (*ExtAuthz) ClearDenyAtDisable

func (x *ExtAuthz) ClearDenyAtDisable()

func (*ExtAuthz) ClearDisallowedHeaders

func (x *ExtAuthz) ClearDisallowedHeaders()

func (*ExtAuthz) ClearEnableDynamicMetadataIngestion

func (x *ExtAuthz) ClearEnableDynamicMetadataIngestion()

func (*ExtAuthz) ClearFilterEnabled

func (x *ExtAuthz) ClearFilterEnabled()

func (*ExtAuthz) ClearFilterEnabledMetadata

func (x *ExtAuthz) ClearFilterEnabledMetadata()

func (*ExtAuthz) ClearFilterMetadata

func (x *ExtAuthz) ClearFilterMetadata()

func (*ExtAuthz) ClearGrpcService

func (x *ExtAuthz) ClearGrpcService()

func (*ExtAuthz) ClearHttpService

func (x *ExtAuthz) ClearHttpService()

func (*ExtAuthz) ClearServices

func (x *ExtAuthz) ClearServices()

func (*ExtAuthz) ClearStatusOnError

func (x *ExtAuthz) ClearStatusOnError()

func (*ExtAuthz) ClearWithRequestBody

func (x *ExtAuthz) ClearWithRequestBody()

func (*ExtAuthz) GetAllowedHeaders

func (x *ExtAuthz) GetAllowedHeaders() *v32.ListStringMatcher

func (*ExtAuthz) GetBootstrapMetadataLabelsKey

func (x *ExtAuthz) GetBootstrapMetadataLabelsKey() string

func (*ExtAuthz) GetChargeClusterResponseStats

func (x *ExtAuthz) GetChargeClusterResponseStats() *wrapperspb.BoolValue

func (*ExtAuthz) GetClearRouteCache

func (x *ExtAuthz) GetClearRouteCache() bool

func (*ExtAuthz) GetDecoderHeaderMutationRules

func (x *ExtAuthz) GetDecoderHeaderMutationRules() *v33.HeaderMutationRules

func (*ExtAuthz) GetDenyAtDisable

func (x *ExtAuthz) GetDenyAtDisable() *v3.RuntimeFeatureFlag

func (*ExtAuthz) GetDisallowedHeaders

func (x *ExtAuthz) GetDisallowedHeaders() *v32.ListStringMatcher

func (*ExtAuthz) GetEmitFilterStateStats

func (x *ExtAuthz) GetEmitFilterStateStats() bool

func (*ExtAuthz) GetEnableDynamicMetadataIngestion

func (x *ExtAuthz) GetEnableDynamicMetadataIngestion() *wrapperspb.BoolValue

func (*ExtAuthz) GetEncodeRawHeaders

func (x *ExtAuthz) GetEncodeRawHeaders() bool

func (*ExtAuthz) GetEnforceResponseHeaderLimits

func (x *ExtAuthz) GetEnforceResponseHeaderLimits() bool

func (*ExtAuthz) GetFailureModeAllow

func (x *ExtAuthz) GetFailureModeAllow() bool

func (*ExtAuthz) GetFailureModeAllowHeaderAdd

func (x *ExtAuthz) GetFailureModeAllowHeaderAdd() bool

func (*ExtAuthz) GetFilterEnabled

func (x *ExtAuthz) GetFilterEnabled() *v3.RuntimeFractionalPercent

func (*ExtAuthz) GetFilterEnabledMetadata

func (x *ExtAuthz) GetFilterEnabledMetadata() *v32.MetadataMatcher

func (*ExtAuthz) GetFilterMetadata

func (x *ExtAuthz) GetFilterMetadata() *structpb.Struct

func (*ExtAuthz) GetGrpcService

func (x *ExtAuthz) GetGrpcService() *v3.GrpcService

func (*ExtAuthz) GetHttpService

func (x *ExtAuthz) GetHttpService() *HttpService

func (*ExtAuthz) GetIncludePeerCertificate

func (x *ExtAuthz) GetIncludePeerCertificate() bool

func (*ExtAuthz) GetIncludeTlsSession

func (x *ExtAuthz) GetIncludeTlsSession() bool

func (*ExtAuthz) GetMaxDeniedResponseBodyBytes

func (x *ExtAuthz) GetMaxDeniedResponseBodyBytes() uint32

func (*ExtAuthz) GetMetadataContextNamespaces

func (x *ExtAuthz) GetMetadataContextNamespaces() []string

func (*ExtAuthz) GetRouteMetadataContextNamespaces

func (x *ExtAuthz) GetRouteMetadataContextNamespaces() []string

func (*ExtAuthz) GetRouteTypedMetadataContextNamespaces

func (x *ExtAuthz) GetRouteTypedMetadataContextNamespaces() []string

func (*ExtAuthz) GetServices

func (x *ExtAuthz) GetServices() isExtAuthz_Services

func (*ExtAuthz) GetStatPrefix

func (x *ExtAuthz) GetStatPrefix() string

func (*ExtAuthz) GetStatusOnError

func (x *ExtAuthz) GetStatusOnError() *v31.HttpStatus

func (*ExtAuthz) GetTransportApiVersion

func (x *ExtAuthz) GetTransportApiVersion() v3.ApiVersion

func (*ExtAuthz) GetTypedMetadataContextNamespaces

func (x *ExtAuthz) GetTypedMetadataContextNamespaces() []string

func (*ExtAuthz) GetValidateMutations

func (x *ExtAuthz) GetValidateMutations() bool

func (*ExtAuthz) GetWithRequestBody

func (x *ExtAuthz) GetWithRequestBody() *BufferSettings

func (*ExtAuthz) HasAllowedHeaders

func (x *ExtAuthz) HasAllowedHeaders() bool

func (*ExtAuthz) HasChargeClusterResponseStats

func (x *ExtAuthz) HasChargeClusterResponseStats() bool

func (*ExtAuthz) HasDecoderHeaderMutationRules

func (x *ExtAuthz) HasDecoderHeaderMutationRules() bool

func (*ExtAuthz) HasDenyAtDisable

func (x *ExtAuthz) HasDenyAtDisable() bool

func (*ExtAuthz) HasDisallowedHeaders

func (x *ExtAuthz) HasDisallowedHeaders() bool

func (*ExtAuthz) HasEnableDynamicMetadataIngestion

func (x *ExtAuthz) HasEnableDynamicMetadataIngestion() bool

func (*ExtAuthz) HasFilterEnabled

func (x *ExtAuthz) HasFilterEnabled() bool

func (*ExtAuthz) HasFilterEnabledMetadata

func (x *ExtAuthz) HasFilterEnabledMetadata() bool

func (*ExtAuthz) HasFilterMetadata

func (x *ExtAuthz) HasFilterMetadata() bool

func (*ExtAuthz) HasGrpcService

func (x *ExtAuthz) HasGrpcService() bool

func (*ExtAuthz) HasHttpService

func (x *ExtAuthz) HasHttpService() bool

func (*ExtAuthz) HasServices

func (x *ExtAuthz) HasServices() bool

func (*ExtAuthz) HasStatusOnError

func (x *ExtAuthz) HasStatusOnError() bool

func (*ExtAuthz) HasWithRequestBody

func (x *ExtAuthz) HasWithRequestBody() bool

func (*ExtAuthz) ProtoMessage

func (*ExtAuthz) ProtoMessage()

func (*ExtAuthz) ProtoReflect

func (x *ExtAuthz) ProtoReflect() protoreflect.Message

func (*ExtAuthz) Reset

func (x *ExtAuthz) Reset()

func (*ExtAuthz) SetAllowedHeaders

func (x *ExtAuthz) SetAllowedHeaders(v *v32.ListStringMatcher)

func (*ExtAuthz) SetBootstrapMetadataLabelsKey

func (x *ExtAuthz) SetBootstrapMetadataLabelsKey(v string)

func (*ExtAuthz) SetChargeClusterResponseStats

func (x *ExtAuthz) SetChargeClusterResponseStats(v *wrapperspb.BoolValue)

func (*ExtAuthz) SetClearRouteCache

func (x *ExtAuthz) SetClearRouteCache(v bool)

func (*ExtAuthz) SetDecoderHeaderMutationRules

func (x *ExtAuthz) SetDecoderHeaderMutationRules(v *v33.HeaderMutationRules)

func (*ExtAuthz) SetDenyAtDisable

func (x *ExtAuthz) SetDenyAtDisable(v *v3.RuntimeFeatureFlag)

func (*ExtAuthz) SetDisallowedHeaders

func (x *ExtAuthz) SetDisallowedHeaders(v *v32.ListStringMatcher)

func (*ExtAuthz) SetEmitFilterStateStats

func (x *ExtAuthz) SetEmitFilterStateStats(v bool)

func (*ExtAuthz) SetEnableDynamicMetadataIngestion

func (x *ExtAuthz) SetEnableDynamicMetadataIngestion(v *wrapperspb.BoolValue)

func (*ExtAuthz) SetEncodeRawHeaders

func (x *ExtAuthz) SetEncodeRawHeaders(v bool)

func (*ExtAuthz) SetEnforceResponseHeaderLimits

func (x *ExtAuthz) SetEnforceResponseHeaderLimits(v bool)

func (*ExtAuthz) SetFailureModeAllow

func (x *ExtAuthz) SetFailureModeAllow(v bool)

func (*ExtAuthz) SetFailureModeAllowHeaderAdd

func (x *ExtAuthz) SetFailureModeAllowHeaderAdd(v bool)

func (*ExtAuthz) SetFilterEnabled

func (x *ExtAuthz) SetFilterEnabled(v *v3.RuntimeFractionalPercent)

func (*ExtAuthz) SetFilterEnabledMetadata

func (x *ExtAuthz) SetFilterEnabledMetadata(v *v32.MetadataMatcher)

func (*ExtAuthz) SetFilterMetadata

func (x *ExtAuthz) SetFilterMetadata(v *structpb.Struct)

func (*ExtAuthz) SetGrpcService

func (x *ExtAuthz) SetGrpcService(v *v3.GrpcService)

func (*ExtAuthz) SetHttpService

func (x *ExtAuthz) SetHttpService(v *HttpService)

func (*ExtAuthz) SetIncludePeerCertificate

func (x *ExtAuthz) SetIncludePeerCertificate(v bool)

func (*ExtAuthz) SetIncludeTlsSession

func (x *ExtAuthz) SetIncludeTlsSession(v bool)

func (*ExtAuthz) SetMaxDeniedResponseBodyBytes

func (x *ExtAuthz) SetMaxDeniedResponseBodyBytes(v uint32)

func (*ExtAuthz) SetMetadataContextNamespaces

func (x *ExtAuthz) SetMetadataContextNamespaces(v []string)

func (*ExtAuthz) SetRouteMetadataContextNamespaces

func (x *ExtAuthz) SetRouteMetadataContextNamespaces(v []string)

func (*ExtAuthz) SetRouteTypedMetadataContextNamespaces

func (x *ExtAuthz) SetRouteTypedMetadataContextNamespaces(v []string)

func (*ExtAuthz) SetStatPrefix

func (x *ExtAuthz) SetStatPrefix(v string)

func (*ExtAuthz) SetStatusOnError

func (x *ExtAuthz) SetStatusOnError(v *v31.HttpStatus)

func (*ExtAuthz) SetTransportApiVersion

func (x *ExtAuthz) SetTransportApiVersion(v v3.ApiVersion)

func (*ExtAuthz) SetTypedMetadataContextNamespaces

func (x *ExtAuthz) SetTypedMetadataContextNamespaces(v []string)

func (*ExtAuthz) SetValidateMutations

func (x *ExtAuthz) SetValidateMutations(v bool)

func (*ExtAuthz) SetWithRequestBody

func (x *ExtAuthz) SetWithRequestBody(v *BufferSettings)

func (*ExtAuthz) String

func (x *ExtAuthz) String() string

func (*ExtAuthz) WhichServices

func (x *ExtAuthz) WhichServices() case_ExtAuthz_Services

type ExtAuthzPerRoute

// ExtAuthzPerRoute holds extra ext_authz settings on a per
// virtualhost/route/weighted-cluster level. Override is a oneof, so a given
// scope either disables the filter or supplies check settings.
type ExtAuthzPerRoute struct {

	// Types that are valid to be assigned to Override:
	//
	//	*ExtAuthzPerRoute_Disabled
	//	*ExtAuthzPerRoute_CheckSettings
	//
	// NOTE(review): the Disabled variant turns the ext auth filter off for the vhost or route it
	// is attached to, so every per-route config carrying it is an authorization exemption and
	// should be reviewed as one.
	Override isExtAuthzPerRoute_Override `protobuf_oneof:"override"`
	// contains filtered or unexported fields
}

Extra settings on a per virtualhost/route/weighted-cluster level.

func (*ExtAuthzPerRoute) ClearCheckSettings

func (x *ExtAuthzPerRoute) ClearCheckSettings()

func (*ExtAuthzPerRoute) ClearDisabled

func (x *ExtAuthzPerRoute) ClearDisabled()

func (*ExtAuthzPerRoute) ClearOverride

func (x *ExtAuthzPerRoute) ClearOverride()

func (*ExtAuthzPerRoute) GetCheckSettings

func (x *ExtAuthzPerRoute) GetCheckSettings() *CheckSettings

func (*ExtAuthzPerRoute) GetDisabled

func (x *ExtAuthzPerRoute) GetDisabled() bool

func (*ExtAuthzPerRoute) GetOverride

func (x *ExtAuthzPerRoute) GetOverride() isExtAuthzPerRoute_Override

func (*ExtAuthzPerRoute) HasCheckSettings

func (x *ExtAuthzPerRoute) HasCheckSettings() bool

func (*ExtAuthzPerRoute) HasDisabled

func (x *ExtAuthzPerRoute) HasDisabled() bool

func (*ExtAuthzPerRoute) HasOverride

func (x *ExtAuthzPerRoute) HasOverride() bool

func (*ExtAuthzPerRoute) ProtoMessage

func (*ExtAuthzPerRoute) ProtoMessage()

func (*ExtAuthzPerRoute) ProtoReflect

func (x *ExtAuthzPerRoute) ProtoReflect() protoreflect.Message

func (*ExtAuthzPerRoute) Reset

func (x *ExtAuthzPerRoute) Reset()

func (*ExtAuthzPerRoute) SetCheckSettings

func (x *ExtAuthzPerRoute) SetCheckSettings(v *CheckSettings)

func (*ExtAuthzPerRoute) SetDisabled

func (x *ExtAuthzPerRoute) SetDisabled(v bool)

func (*ExtAuthzPerRoute) String

func (x *ExtAuthzPerRoute) String() string

func (*ExtAuthzPerRoute) WhichOverride

func (x *ExtAuthzPerRoute) WhichOverride() case_ExtAuthzPerRoute_Override

type ExtAuthzPerRoute_CheckSettings

// ExtAuthzPerRoute_CheckSettings is the variant of the ExtAuthzPerRoute
// Override oneof that carries check request settings for a route.
type ExtAuthzPerRoute_CheckSettings struct {
	// Check request settings for this route.
	CheckSettings *CheckSettings `protobuf:"bytes,2,opt,name=check_settings,json=checkSettings,proto3,oneof"`
}

type ExtAuthzPerRoute_Disabled

// ExtAuthzPerRoute_Disabled is the variant of the ExtAuthzPerRoute Override
// oneof that switches the ext auth filter off (or back on) for a vhost or route.
type ExtAuthzPerRoute_Disabled struct {
	// Disable the ext auth filter for this particular vhost or route.
	// If disabled is specified in multiple per-filter-configs, the most specific one will be used.
	// If the filter is disabled by default and this is set to “false“, the filter will be enabled
	// for this vhost or route.
	//
	// NOTE(review): “true“ means requests matching this vhost or route are not checked by
	// ext_authz. Because the most specific config wins, a route-level entry can reverse a
	// vhost-level one in either direction, so audit the overrides at every level together.
	Disabled bool `protobuf:"varint,1,opt,name=disabled,proto3,oneof"`
}

type ExtAuthzPerRoute_builder

// ExtAuthzPerRoute_builder lists the settable fields of ExtAuthzPerRoute for
// use with its Build method (signature not shown in this listing).
type ExtAuthzPerRoute_builder struct {

	// Fields of oneof Override:
	// NOTE(review): Disabled and CheckSettings belong to the same oneof, so presumably only one
	// of them should be populated -- confirm what Build does when both are set.
	//
	// Disable the ext auth filter for this particular vhost or route.
	// If disabled is specified in multiple per-filter-configs, the most specific one will be used.
	// If the filter is disabled by default and this is set to “false“, the filter will be enabled
	// for this vhost or route.
	Disabled *bool
	// Check request settings for this route.
	CheckSettings *CheckSettings
	// contains filtered or unexported fields
}

func (ExtAuthzPerRoute_builder) Build

type ExtAuthz_GrpcService

// ExtAuthz_GrpcService is the variant of the ExtAuthz Services oneof that
// selects a gRPC authorization service.
type ExtAuthz_GrpcService struct {
	// gRPC service configuration (default timeout: 200ms).
	//
	// NOTE(review): presumably a call that exceeds the timeout counts as failed communication with
	// the authorization service, in which case failure_mode_allow decides whether the request is
	// accepted -- confirm, and size the timeout with that in mind.
	GrpcService *v3.GrpcService `protobuf:"bytes,1,opt,name=grpc_service,json=grpcService,proto3,oneof"`
}

type ExtAuthz_HttpService

// ExtAuthz_HttpService is the variant of the ExtAuthz Services oneof that
// selects an HTTP authorization service.
type ExtAuthz_HttpService struct {
	// HTTP service configuration (default timeout: 200ms).
	//
	// NOTE(review): presumably a call that exceeds the timeout counts as failed communication with
	// the authorization service, in which case failure_mode_allow decides whether the request is
	// accepted -- confirm, and size the timeout with that in mind.
	HttpService *HttpService `protobuf:"bytes,3,opt,name=http_service,json=httpService,proto3,oneof"`
}

type ExtAuthz_builder

// ExtAuthz_builder collects the values for an ExtAuthz filter configuration; Build returns the
// resulting *ExtAuthz.
//
// Several fields decide what happens when no authorization decision is available
// (FailureModeAllow, FilterEnabled, DenyAtDisable) and how far the authorization service's
// response is trusted (ValidateMutations, DecoderHeaderMutationRules,
// EnableDynamicMetadataIngestion, MaxDeniedResponseBodyBytes, EnforceResponseHeaderLimits).
// Their documented defaults favour compatibility, so set them deliberately.
type ExtAuthz_builder struct {

	// Fields of oneof Services:
	// gRPC service configuration (default timeout: 200ms).
	// NOTE(review): GrpcService and HttpService are members of the same oneof; set exactly one.
	GrpcService *v3.GrpcService
	// HTTP service configuration (default timeout: 200ms).
	HttpService *HttpService
	// -- end of Services
	// API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
	// version of messages used on the wire.
	TransportApiVersion v3.ApiVersion
	// Changes the filter's behavior on errors:
	//
	//   - When set to “true“, the filter will “accept“ the client request even if communication with
	//     the authorization service has failed, or if the authorization service has returned an HTTP 5xx
	//     error.
	//
	//   - When set to “false“, the filter will “reject“ client requests and return “Forbidden“
	//     if communication with the authorization service has failed, or if the authorization service
	//     has returned an HTTP 5xx error.
	//
	// Errors can always be tracked in the :ref:`stats <config_http_filters_ext_authz_stats>`.
	//
	// Defaults to “false“.
	//
	// NOTE(review): “true“ is fail-open. An unreachable or 5xx-returning authorization service then
	// lets requests through without an authorization decision. Keep the default unless availability
	// has to win, and alert on the error stats referenced above.
	FailureModeAllow bool
	// When “failure_mode_allow“ and “failure_mode_allow_header_add“ are both set to “true“,
	// “x-envoy-auth-failure-mode-allowed: true“ will be added to request headers if the communication
	// with the authorization service has failed, or if the authorization service has returned a
	// HTTP 5xx error.
	//
	// NOTE(review): an upstream that acts on this header needs assurance that a client-supplied
	// copy cannot reach it; whether an inbound header of the same name is removed is not stated
	// here — confirm.
	FailureModeAllowHeaderAdd bool
	// Enables the filter to buffer the client request body and send it within the authorization request.
	// The “x-envoy-auth-partial-body: false|true“ metadata header will be added to the authorization
	// request indicating whether the body data is partial.
	//
	// NOTE(review): when the header reports a partial body, the authorization service has seen only
	// part of the payload; a decision that depends on body content should take that into account.
	WithRequestBody *BufferSettings
	// Clears the route cache in order to allow the external authorization service to correctly affect
	// routing decisions. The filter clears all cached routes when all of the following holds:
	//
	//   - This field is set to “true“.
	//   - The status returned from the authorization service is an HTTP 200 or gRPC 0.
	//   - At least one “authorization response header“ is added to the client request, or is used to
	//     alter another client request header.
	//
	// Defaults to “false“.
	//
	// NOTE(review): with this enabled, headers set by the authorization service can change which
	// route a request takes, so the service is trusted with routing as well as allow/deny.
	ClearRouteCache bool
	// Sets the HTTP status that is returned to the client when the authorization server returns an error
	// or cannot be reached.
	//
	// The default status is “HTTP 403 Forbidden“.
	StatusOnError *v31.HttpStatus
	// When set to “true“, the filter will check the :ref:`ext_authz response
	// <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header and
	// query parameter mutations. If the response is invalid, the filter will send a local reply
	// to the downstream request with status “HTTP 500 Internal Server Error“.
	//
	// .. note::
	//
	//	Both “headers_to_remove“ and “query_parameters_to_remove“ are validated, but invalid elements in
	//	those fields should not affect any headers and thus will not cause the filter to send a local reply.
	//
	// When set to “false“, any invalid mutations will be visible to the rest of Envoy and may cause
	// unexpected behavior.
	//
	// If you are using ext_authz with an untrusted ext_authz server, you should set this to “true“.
	//
	// Defaults to “false“.
	//
	// NOTE(review): the default leaves mutations from the authorization service unvalidated; this
	// check covers well-formedness only, while DecoderHeaderMutationRules restricts which headers
	// may be changed.
	ValidateMutations bool
	// Specifies a list of metadata namespaces whose values, if present, will be passed to the
	// ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
	// is passed as an opaque “protobuf::Struct“.
	//
	// .. note::
	//
	//	This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.
	//
	// For example, if the “jwt_authn“ filter is used and :ref:`payload_in_metadata
	// <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
	// then the following will pass the jwt payload to the authorization server.
	//
	// .. code-block:: yaml
	//
	//	metadata_context_namespaces:
	//	- envoy.filters.http.jwt_authn
	//
	// NOTE(review): everything under a listed namespace is disclosed to the authorization service
	// (in the example above, the JWT payload); list only the namespaces the service needs.
	MetadataContextNamespaces []string
	// Specifies a list of metadata namespaces whose values, if present, will be passed to the
	// ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
	// is passed as a “protobuf::Any“.
	//
	// .. note::
	//
	//	This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.
	//
	// This works similarly to “metadata_context_namespaces“ but allows Envoy and the ext_authz server to share
	// the protobuf message definition in order to perform safe parsing.
	TypedMetadataContextNamespaces []string
	// Specifies a list of route metadata namespaces whose values, if present, will be passed to the
	// ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
	// :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
	// :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque “protobuf::Struct“.
	RouteMetadataContextNamespaces []string
	// Specifies a list of route metadata namespaces whose values, if present, will be passed to the
	// ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
	// :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
	// :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a “protobuf::Any“.
	RouteTypedMetadataContextNamespaces []string
	// Specifies if the filter is enabled.
	//
	// If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
	// Envoy will lookup the runtime key to get the percentage of requests to filter.
	//
	// If this field is not specified, the filter will be enabled for all requests.
	//
	// NOTE(review): a percentage below 100 leaves the remaining requests without a check; going by
	// the deny_at_disable documentation below, those requests are allowed unless that field is
	// set — confirm. Treat write access to the runtime key as access to the authorization policy.
	FilterEnabled *v3.RuntimeFractionalPercent
	// Specifies if the filter is enabled with metadata matcher.
	// If this field is not specified, the filter will be enabled for all requests.
	//
	// .. note::
	//
	//	This field is only evaluated if the filter is instantiated. If the filter is marked with
	//	“disabled: true“ in the :ref:`HttpFilter
	//	<envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
	//	configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
	//	<envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
	//	the filter will not be instantiated and this field will have no effect.
	//
	// .. tip::
	//
	//	For dynamic filter activation based on metadata (such as metadata set by a preceding
	//	filter), consider using :ref:`ExtensionWithMatcher
	//	<envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
	//	provides a more flexible matching framework that can evaluate conditions before filter
	//	instantiation. See the :ref:`ext_authz filter documentation
	//	<config_http_filters_ext_authz>` for examples.
	FilterEnabledMetadata *v32.MetadataMatcher
	// Specifies whether to deny the requests when the filter is disabled.
	// If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
	// Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
	// when the filter is disabled. If the filter is disabled in “typed_per_filter_config“ for the path,
	// requests will not be denied.
	//
	// If this field is not specified, all requests will be allowed when disabled.
	//
	// If a request is denied due to this setting, the response code in :ref:`status_on_error
	// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
	// be returned.
	//
	// NOTE(review): leaving this unset is the fail-open choice for a disabled filter. Even when it
	// is set, a path disabled through “typed_per_filter_config“ is still not denied, as stated above.
	DenyAtDisable *v3.RuntimeFeatureFlag
	// Specifies if the peer certificate is sent to the external service.
	//
	// When this field is “true“, Envoy will include the peer X.509 certificate, if available, in the
	// :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
	IncludePeerCertificate bool
	// Optional additional prefix to use when emitting statistics. This allows distinguishing
	// emitted statistics between configured “ext_authz“ filters in an HTTP filter chain. For example:
	//
	// .. code-block:: yaml
	//
	//	http_filters:
	//	  - name: envoy.filters.http.ext_authz
	//	    typed_config:
	//	      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
	//	      stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
	//	  - name: envoy.filters.http.ext_authz
	//	    typed_config:
	//	      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
	//	      stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
	StatPrefix string
	// Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
	// :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
	// The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
	BootstrapMetadataLabelsKey string
	// Check request to authorization server will include the client request headers that have a correspondent match
	// in the list. If this option isn't specified, then
	// all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
	// (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
	// This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.
	//
	// .. note::
	//
	//	For requests to an HTTP authorization server: in addition to the user's supplied matchers, “Host“, “Method“, “Path“,
	//	“Content-Length“, and “Authorization“ are **additionally included** in the list.
	//
	// .. note::
	//
	//	For requests to an HTTP authorization server: the value of “Content-Length“ will be set to “0“ and the request to the
	//	authorization server will not have a message body. However, the check request can include the buffered
	//	client request body (controlled by :ref:`with_request_body
	//	<envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
	//	consequently, the value of “Content-Length“ in the authorization request reflects the size of its payload.
	//
	// .. note::
	//
	//	This can be overridden by the field “disallowed_headers“ below. That is, if a header
	//	matches for both “allowed_headers“ and “disallowed_headers“, the header will NOT be sent.
	//
	// NOTE(review): for a gRPC authorization server, leaving this unset forwards every client
	// request header, which can include cookies and other credentials. An explicit list limits what
	// the authorization service receives.
	AllowedHeaders *v32.ListStringMatcher
	// If set, specifically disallow any header in this list to be forwarded to the external
	// authentication server. This overrides the above “allowed_headers“ if a header matches both.
	DisallowedHeaders *v32.ListStringMatcher
	// Specifies if the TLS session level details like SNI are sent to the external service.
	//
	// When this field is “true“, Envoy will include the SNI name used for TLSClientHello, if available, in the
	// :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
	IncludeTlsSession bool
	// Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
	// Defaults to “true“.
	ChargeClusterResponseStats *wrapperspb.BoolValue
	// Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers)
	// in the authorization request. Works with both HTTP and gRPC clients.
	//
	// When this is set to “true“, header values are not sanitized. Headers with the same key will also
	// not be combined into a single, comma-separated header.
	// Requests to gRPC services will populate the field
	// :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
	// Requests to HTTP services will be constructed with the unsanitized header values and preserved
	// multi-line headers with the same key.
	//
	// If this field is set to “false“, header values will be sanitized, with any non-UTF-8-compliant
	// bytes replaced with “'!'“. Headers with the same key will have their values concatenated into a
	// single comma-separated header value.
	// Requests to gRPC services will populate the field
	// :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
	// Requests to HTTP services will have their header values sanitized and will not preserve
	// multi-line headers with the same key.
	//
	// It is recommended to set this to “true“ unless you rely on the previous behavior.
	//
	// It is set to “false“ by default for backwards compatibility.
	//
	// NOTE(review): with “false“ the authorization service evaluates a rewritten form of the
	// headers (replaced bytes, merged duplicates) rather than what the client sent. With “true“ it
	// receives the values unsanitized and must itself handle non-UTF-8 bytes and repeated headers.
	EncodeRawHeaders bool
	// Rules for what modifications an ext_authz server may make to the request headers before
	// continuing decoding or forwarding upstream.
	//
	// If set, enables header mutation checking against the configured rules. Note that
	// :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
	// has defaults that change ext_authz behavior. Also note that if this field is set,
	// ext_authz can no longer append to “:“-prefixed headers.
	//
	// If unset, header mutation rule checking is completely disabled.
	//
	// Regardless of what is configured here, ext_authz cannot remove “:“-prefixed headers.
	//
	// This field and “validate_mutations“ have different use cases. “validate_mutations“ enables
	// correctness checks for all header and query parameter mutations (for example, invalid characters).
	// This field allows the filter to reject mutations to specific headers.
	DecoderHeaderMutationRules *v33.HeaderMutationRules
	// Enable or disable ingestion of dynamic metadata from the ext_authz service.
	//
	// If “false“, the filter will ignore dynamic metadata injected by the ext_authz service. If the
	// ext_authz service tries injecting dynamic metadata, the filter will log, increment the
	// “ignored_dynamic_metadata“ stat, then continue handling the response.
	//
	// If “true“, the filter will ingest dynamic metadata entries as normal.
	//
	// If unset, defaults to “true“.
	//
	// NOTE(review): the default accepts dynamic metadata written by the authorization service. Set
	// “false“ when that service is not trusted to supply metadata that other parts of the
	// configuration may read.
	EnableDynamicMetadataIngestion *wrapperspb.BoolValue
	// Additional metadata to be added to the filter state for logging purposes. The metadata will be
	// added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
	// name.
	FilterMetadata *structpb.Struct
	// When set to “true“, the filter will emit per-stream stats for access logging. The filter state
	// key will be the same as the filter name.
	//
	// If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
	// info. If not using Envoy gRPC, emits only latency.
	//
	// .. note::
	//
	//	Stats are ONLY added to filter state if a check request is actually made to an ext_authz service.
	//
	// If this is “false“ the filter will not emit stats, but filter_metadata will still be respected if
	// it has a value.
	//
	// Field “latency_us“ is exposed for CEL and logging when using gRPC or HTTP service.
	// Fields “bytesSent“ and “bytesReceived“ are exposed for CEL and logging only when using gRPC service.
	EmitFilterStateStats bool
	// Sets the maximum size (in bytes) of the response body that the filter will send downstream
	// when a request is denied by the external authorization service.
	//
	// If the authorization server returns a response body larger than this configured limit,
	// the body will be truncated to “max_denied_response_body_bytes“ before being sent to the
	// downstream client.
	//
	// If this field is not set or is set to 0, no truncation will occur, and the entire
	// denied response body will be forwarded.
	//
	// NOTE(review): the default (0) forwards a denied-response body of any size from the
	// authorization service to the client; set a limit when that service is not fully trusted.
	MaxDeniedResponseBodyBytes uint32
	// When set to “true“, the filter will enforce the response header map's count and size limits
	// by sending a local reply when those limits are violated.
	//
	// When set to “false“, the filter will ignore the response header map's limits and add / set
	// all response headers as specified by the external authorization service.
	//
	// Recommendation: enable if the external authorization service is not trusted. Otherwise, leave
	// it “false“.
	//
	// Defaults to “false“.
	EnforceResponseHeaderLimits bool
	// contains filtered or unexported fields
}

func (ExtAuthz_builder) Build

func (b0 ExtAuthz_builder) Build() *ExtAuthz

type HttpService

// HttpService configures raw HTTP communication between the ext_authz filter and the
// authorization service: where check requests are sent, how the request path is prefixed, which
// metadata goes into the request and comes back from the response, and whether failed calls
// are retried.
type HttpService struct {

	// Sets the HTTP server URI which the authorization requests must be sent to.
	// NOTE(review): whether this call is protected by TLS is decided by the HttpUri message and
	// related configuration, neither of which is shown here — confirm before sending credentials
	// or request bodies over it.
	ServerUri *v3.HttpUri `protobuf:"bytes,1,opt,name=server_uri,json=serverUri,proto3" json:"server_uri,omitempty"`
	// Sets a prefix to the value of authorization request header “Path“.
	PathPrefix string `protobuf:"bytes,2,opt,name=path_prefix,json=pathPrefix,proto3" json:"path_prefix,omitempty"`
	// Settings used for controlling authorization request metadata.
	// NOTE(review): the AuthorizationRequest documentation marks its header allow-list as
	// deprecated in favor of the filter-level allowed_headers field; prefer the latter in new
	// configuration.
	AuthorizationRequest *AuthorizationRequest `protobuf:"bytes,7,opt,name=authorization_request,json=authorizationRequest,proto3" json:"authorization_request,omitempty"`
	// Settings used for controlling authorization response metadata.
	AuthorizationResponse *AuthorizationResponse `protobuf:"bytes,8,opt,name=authorization_response,json=authorizationResponse,proto3" json:"authorization_response,omitempty"`
	// Optional retry policy for requests to the authorization server.
	// If not set, no retries will be performed.
	//
	// .. note::
	//
	//	When this field is set, the “ext_authz“ filter will buffer the request body for retry purposes.
	//
	// NOTE(review): what happens once the configured retries are exhausted is not stated here;
	// presumably it is treated as a communication failure under failure_mode_allow — confirm.
	RetryPolicy *v3.RetryPolicy `protobuf:"bytes,9,opt,name=retry_policy,json=retryPolicy,proto3" json:"retry_policy,omitempty"`
	// contains filtered or unexported fields
}

HttpService is used for raw HTTP communication between the filter and the authorization service. When configured, the filter will parse the client request and use these attributes to call the authorization server. Depending on the response, the filter may reject or accept the client request.

Note: in each of the following events, metadata can be added, removed or overridden by the filter:

On authorization request, a list of allowed request headers may be supplied. See :ref:`allowed_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationRequest.allowed_headers>` for details. Additional headers metadata may be added to the authorization request. See :ref:`headers_to_add <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationRequest.headers_to_add>` for details.

On authorization response status “HTTP 200 OK“, the filter will allow traffic to the upstream and additional headers metadata may be added to the original client request. See :ref:`allowed_upstream_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_upstream_headers>` for details. Additionally, the filter may add additional headers to the client's response. See :ref:`allowed_client_headers_on_success <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_client_headers_on_success>` for details.

On other authorization response statuses, the filter will not allow traffic. Additional header metadata, as well as a body, may be added to the client's response. See :ref:`allowed_client_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_client_headers>` for details. The exception is “failure_mode_allow“: when it is set to “true“, the filter accepts the client request if the authorization service returns an HTTP 5xx error or cannot be reached.

func (*HttpService) ClearAuthorizationRequest

func (x *HttpService) ClearAuthorizationRequest()

func (*HttpService) ClearAuthorizationResponse

func (x *HttpService) ClearAuthorizationResponse()

func (*HttpService) ClearRetryPolicy

func (x *HttpService) ClearRetryPolicy()

func (*HttpService) ClearServerUri

func (x *HttpService) ClearServerUri()

func (*HttpService) GetAuthorizationRequest

func (x *HttpService) GetAuthorizationRequest() *AuthorizationRequest

func (*HttpService) GetAuthorizationResponse

func (x *HttpService) GetAuthorizationResponse() *AuthorizationResponse

func (*HttpService) GetPathPrefix

func (x *HttpService) GetPathPrefix() string

func (*HttpService) GetRetryPolicy

func (x *HttpService) GetRetryPolicy() *v3.RetryPolicy

func (*HttpService) GetServerUri

func (x *HttpService) GetServerUri() *v3.HttpUri

func (*HttpService) HasAuthorizationRequest

func (x *HttpService) HasAuthorizationRequest() bool

func (*HttpService) HasAuthorizationResponse

func (x *HttpService) HasAuthorizationResponse() bool

func (*HttpService) HasRetryPolicy

func (x *HttpService) HasRetryPolicy() bool

func (*HttpService) HasServerUri

func (x *HttpService) HasServerUri() bool

func (*HttpService) ProtoMessage

func (*HttpService) ProtoMessage()

func (*HttpService) ProtoReflect

func (x *HttpService) ProtoReflect() protoreflect.Message

func (*HttpService) Reset

func (x *HttpService) Reset()

func (*HttpService) SetAuthorizationRequest

func (x *HttpService) SetAuthorizationRequest(v *AuthorizationRequest)

func (*HttpService) SetAuthorizationResponse

func (x *HttpService) SetAuthorizationResponse(v *AuthorizationResponse)

func (*HttpService) SetPathPrefix

func (x *HttpService) SetPathPrefix(v string)

func (*HttpService) SetRetryPolicy

func (x *HttpService) SetRetryPolicy(v *v3.RetryPolicy)

func (*HttpService) SetServerUri

func (x *HttpService) SetServerUri(v *v3.HttpUri)

func (*HttpService) String

func (x *HttpService) String() string

type HttpService_builder

// HttpService_builder collects the values for an HttpService message; Build returns the
// resulting *HttpService.
type HttpService_builder struct {

	// Sets the HTTP server URI which the authorization requests must be sent to.
	// NOTE(review): whether this call is protected by TLS is decided by the HttpUri message and
	// related configuration, neither of which is shown here — confirm.
	ServerUri *v3.HttpUri
	// Sets a prefix to the value of authorization request header “Path“.
	PathPrefix string
	// Settings used for controlling authorization request metadata.
	AuthorizationRequest *AuthorizationRequest
	// Settings used for controlling authorization response metadata.
	AuthorizationResponse *AuthorizationResponse
	// Optional retry policy for requests to the authorization server.
	// If not set, no retries will be performed.
	//
	// .. note::
	//
	//	When this field is set, the “ext_authz“ filter will buffer the request body for retry purposes.
	RetryPolicy *v3.RetryPolicy
	// contains filtered or unexported fields
}

func (HttpService_builder) Build

func (b0 HttpService_builder) Build() *HttpService

Source Files

  • ext_authz.pb.go
