envoy_extensions_filters_http_jwt_authn_v3

package
v0.9.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 21, 2021 License: Apache-2.0 Imports: 22 Imported by: 30

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var File_envoy_extensions_filters_http_jwt_authn_v3_config_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type FilterStateRule 

type FilterStateRule struct {

	// The filter state name to retrieve the `Router::StringAccessor` object.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// A map of string keys to requirements. The string key is the string value
	// in the FilterState with the name specified in the *name* field above.
	Requires map[string]*JwtRequirement `` /* 157-byte string literal not displayed */
	// contains filtered or unexported fields
}

This message specifies Jwt requirements based on stream_info.filterState. This FilterState should use `Router::StringAccessor` object to set a string value. Other HTTP filters can use it to specify Jwt requirements dynamically.

Example:

.. code-block:: yaml 

name: jwt_selector
requires:
  issuer_1:
    provider_name: issuer1
  issuer_2:
    provider_name: issuer2

If a filter set "jwt_selector" with "issuer_1" to FilterState for a request, jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify.

func (*FilterStateRule) Descriptor deprecated 

func (*FilterStateRule) Descriptor() ([]byte, []int)

Deprecated: Use FilterStateRule.ProtoReflect.Descriptor instead.

func (*FilterStateRule) GetName 

func (x *FilterStateRule) GetName() string

func (*FilterStateRule) GetRequires 

func (x *FilterStateRule) GetRequires() map[string]*JwtRequirement

func (*FilterStateRule) ProtoMessage 

func (*FilterStateRule) ProtoMessage()

func (*FilterStateRule) ProtoReflect added in v0.9.6 

func (x *FilterStateRule) ProtoReflect() protoreflect.Message

func (*FilterStateRule) Reset 

func (x *FilterStateRule) Reset()

func (*FilterStateRule) String 

func (x *FilterStateRule) String() string

func (*FilterStateRule) Validate 

func (m *FilterStateRule) Validate() error

Validate checks the field values on FilterStateRule with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type FilterStateRuleValidationError 

type FilterStateRuleValidationError struct {
	// contains filtered or unexported fields
}

FilterStateRuleValidationError is the validation error returned by FilterStateRule.Validate if the designated constraints aren't met.

func (FilterStateRuleValidationError) Cause 

func (e FilterStateRuleValidationError) Cause() error

Cause function returns cause value.

func (FilterStateRuleValidationError) Error 

func (e FilterStateRuleValidationError) Error() string

Error satisfies the builtin error interface

func (FilterStateRuleValidationError) ErrorName 

func (e FilterStateRuleValidationError) ErrorName() string

ErrorName returns error name.

func (FilterStateRuleValidationError) Field 

func (e FilterStateRuleValidationError) Field() string

Field function returns field value.

func (FilterStateRuleValidationError) Key 

func (e FilterStateRuleValidationError) Key() bool

Key function returns key value.

func (FilterStateRuleValidationError) Reason 

func (e FilterStateRuleValidationError) Reason() string

Reason function returns reason value.

type JwtAuthentication 

type JwtAuthentication struct {

	// Map of provider names to JwtProviders.
	//
	// .. code-block:: yaml
	//
	//   providers:
	//     provider1:
	//        issuer: issuer1
	//        audiences:
	//        - audience1
	//        - audience2
	//        remote_jwks:
	//          http_uri:
	//            uri: https://example.com/.well-known/jwks.json
	//            cluster: example_jwks_cluster
	//            timeout: 1s
	//      provider2:
	//        issuer: provider2
	//        local_jwks:
	//          inline_string: jwks_string
	//
	Providers map[string]*JwtProvider `` /* 159-byte string literal not displayed */
	// Specifies requirements based on the route matches. The first matched requirement will be
	// applied. If there are overlapped match conditions, please put the most specific match first.
	//
	// Examples
	//
	// .. code-block:: yaml
	//
	//   rules:
	//     - match:
	//         prefix: /healthz
	//     - match:
	//         prefix: /baz
	//       requires:
	//         provider_name: provider1
	//     - match:
	//         prefix: /foo
	//       requires:
	//         requires_any:
	//           requirements:
	//             - provider_name: provider1
	//             - provider_name: provider2
	//     - match:
	//         prefix: /bar
	//       requires:
	//         requires_all:
	//           requirements:
	//             - provider_name: provider1
	//             - provider_name: provider2
	//
	Rules []*RequirementRule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"`
	// This message specifies Jwt requirements based on stream_info.filterState.
	// Other HTTP filters can use it to specify Jwt requirements dynamically.
	// The *rules* field above is checked first, if it could not find any matches,
	// check this one.
	FilterStateRules *FilterStateRule `protobuf:"bytes,3,opt,name=filter_state_rules,json=filterStateRules,proto3" json:"filter_state_rules,omitempty"`
	// When set to true, bypass the `CORS preflight request
	// <http://www.w3.org/TR/cors/#cross-origin-request-with-preflight>`_ regardless of JWT
	// requirements specified in the rules.
	BypassCorsPreflight bool `protobuf:"varint,4,opt,name=bypass_cors_preflight,json=bypassCorsPreflight,proto3" json:"bypass_cors_preflight,omitempty"`
	// A map of unique requirement_names to JwtRequirements.
	// :ref:`requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name>`
	// in `PerRouteConfig` uses this map to specify a JwtRequirement.
	RequirementMap map[string]*JwtRequirement `` /* 191-byte string literal not displayed */
	// contains filtered or unexported fields
}

This is the Envoy HTTP filter config for JWT authentication.

For example:

.. code-block:: yaml 

providers:
   provider1:
     issuer: issuer1
     audiences:
     - audience1
     - audience2
     remote_jwks:
       http_uri:
         uri: https://example.com/.well-known/jwks.json
         cluster: example_jwks_cluster
         timeout: 1s
   provider2:
     issuer: issuer2
     local_jwks:
       inline_string: jwks_string

rules:
   # Not jwt verification is required for /health path
   - match:
       prefix: /health

   # Jwt verification for provider1 is required for path prefixed with "prefix"
   - match:
       prefix: /prefix
     requires:
       provider_name: provider1

   # Jwt verification for either provider1 or provider2 is required for all other requests.
   - match:
       prefix: /
     requires:
       requires_any:
         requirements:
           - provider_name: provider1
           - provider_name: provider2

[#next-free-field: 6]

func (*JwtAuthentication) Descriptor deprecated 

func (*JwtAuthentication) Descriptor() ([]byte, []int)

Deprecated: Use JwtAuthentication.ProtoReflect.Descriptor instead.

func (*JwtAuthentication) GetBypassCorsPreflight 

func (x *JwtAuthentication) GetBypassCorsPreflight() bool

func (*JwtAuthentication) GetFilterStateRules 

func (x *JwtAuthentication) GetFilterStateRules() *FilterStateRule

func (*JwtAuthentication) GetProviders 

func (x *JwtAuthentication) GetProviders() map[string]*JwtProvider

func (*JwtAuthentication) GetRequirementMap added in v0.9.8 

func (x *JwtAuthentication) GetRequirementMap() map[string]*JwtRequirement

func (*JwtAuthentication) GetRules 

func (x *JwtAuthentication) GetRules() []*RequirementRule

func (*JwtAuthentication) ProtoMessage 

func (*JwtAuthentication) ProtoMessage()

func (*JwtAuthentication) ProtoReflect added in v0.9.6 

func (x *JwtAuthentication) ProtoReflect() protoreflect.Message

func (*JwtAuthentication) Reset 

func (x *JwtAuthentication) Reset()

func (*JwtAuthentication) String 

func (x *JwtAuthentication) String() string

func (*JwtAuthentication) Validate 

func (m *JwtAuthentication) Validate() error

Validate checks the field values on JwtAuthentication with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type JwtAuthenticationValidationError 

type JwtAuthenticationValidationError struct {
	// contains filtered or unexported fields
}

JwtAuthenticationValidationError is the validation error returned by JwtAuthentication.Validate if the designated constraints aren't met.

func (JwtAuthenticationValidationError) Cause 

func (e JwtAuthenticationValidationError) Cause() error

Cause function returns cause value.

func (JwtAuthenticationValidationError) Error 

func (e JwtAuthenticationValidationError) Error() string

Error satisfies the builtin error interface

func (JwtAuthenticationValidationError) ErrorName 

func (e JwtAuthenticationValidationError) ErrorName() string

ErrorName returns error name.

func (JwtAuthenticationValidationError) Field 

func (e JwtAuthenticationValidationError) Field() string

Field function returns field value.

func (JwtAuthenticationValidationError) Key 

func (e JwtAuthenticationValidationError) Key() bool

Key function returns key value.

func (JwtAuthenticationValidationError) Reason 

func (e JwtAuthenticationValidationError) Reason() string

Reason function returns reason value.

type JwtHeader 

type JwtHeader struct {

	// The HTTP header name.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// The value prefix. The value format is "value_prefix<token>"
	// For example, for "Authorization: Bearer <token>", value_prefix="Bearer " with a space at the
	// end.
	ValuePrefix string `protobuf:"bytes,2,opt,name=value_prefix,json=valuePrefix,proto3" json:"value_prefix,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a header location to extract JWT token.

func (*JwtHeader) Descriptor deprecated 

func (*JwtHeader) Descriptor() ([]byte, []int)

Deprecated: Use JwtHeader.ProtoReflect.Descriptor instead.

func (*JwtHeader) GetName 

func (x *JwtHeader) GetName() string

func (*JwtHeader) GetValuePrefix 

func (x *JwtHeader) GetValuePrefix() string

func (*JwtHeader) ProtoMessage 

func (*JwtHeader) ProtoMessage()

func (*JwtHeader) ProtoReflect added in v0.9.6 

func (x *JwtHeader) ProtoReflect() protoreflect.Message

func (*JwtHeader) Reset 

func (x *JwtHeader) Reset()

func (*JwtHeader) String 

func (x *JwtHeader) String() string

func (*JwtHeader) Validate 

func (m *JwtHeader) Validate() error

Validate checks the field values on JwtHeader with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type JwtHeaderValidationError 

type JwtHeaderValidationError struct {
	// contains filtered or unexported fields
}

JwtHeaderValidationError is the validation error returned by JwtHeader.Validate if the designated constraints aren't met.

func (JwtHeaderValidationError) Cause 

func (e JwtHeaderValidationError) Cause() error

Cause function returns cause value.

func (JwtHeaderValidationError) Error 

func (e JwtHeaderValidationError) Error() string

Error satisfies the builtin error interface

func (JwtHeaderValidationError) ErrorName 

func (e JwtHeaderValidationError) ErrorName() string

ErrorName returns error name.

func (JwtHeaderValidationError) Field 

func (e JwtHeaderValidationError) Field() string

Field function returns field value.

func (JwtHeaderValidationError) Key 

func (e JwtHeaderValidationError) Key() bool

Key function returns key value.

func (JwtHeaderValidationError) Reason 

func (e JwtHeaderValidationError) Reason() string

Reason function returns reason value.

type JwtProvider 

type JwtProvider struct {

	// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
	// the JWT, usually a URL or an email address.
	//
	// It is optional. If specified, it has to match the *iss* field in JWT.
	//
	// If a JWT has *iss* field and this field is specified, they have to match, otherwise the
	// JWT *iss* field is not checked.
	//
	// Note: *JwtRequirement* :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
	// and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
	// are implemented differently than other *JwtRequirements*. Hence the usage of this field
	// is different as follows if *allow_missing* or *allow_missing_or_failed* is used:
	//
	// * If a JWT has *iss* field, it needs to be specified by this field in one of *JwtProviders*.
	// * If a JWT doesn't have *iss* field, one of *JwtProviders* should fill this field empty.
	// * Multiple *JwtProviders* should not have same value in this field.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	//
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT `audiences <https://tools.ietf.org/html/rfc7519#section-4.1.3>`_ are
	// allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
	// will not check audiences in the token.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//     audiences:
	//     - bookstore_android.apps.googleusercontent.com
	//     - bookstore_web.apps.googleusercontent.com
	//
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// `JSON Web Key Set (JWKS) <https://tools.ietf.org/html/rfc7517#appendix-A>`_ is needed to
	// validate signature of a JWT. This field specifies where to fetch JWKS.
	//
	// Types that are assignable to JwksSourceSpecifier:
	//	*JwtProvider_RemoteJwks
	//	*JwtProvider_LocalJwks
	JwksSourceSpecifier isJwtProvider_JwksSourceSpecifier `protobuf_oneof:"jwks_source_specifier"`
	// If false, the JWT is removed in the request after a success verification. If true, the JWT is
	// not removed in the request. Default value is false.
	Forward bool `protobuf:"varint,5,opt,name=forward,proto3" json:"forward,omitempty"`
	// Two fields below define where to extract the JWT from an HTTP request.
	//
	// If no explicit location is specified, the following default locations are tried in order:
	//
	// 1. The Authorization header using the `Bearer schema
	// <https://tools.ietf.org/html/rfc6750#section-2.1>`_. Example::
	//
	//    Authorization: Bearer <token>.
	//
	// 2. `access_token <https://tools.ietf.org/html/rfc6750#section-2.3>`_ query parameter.
	//
	// Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
	// its provider specified or from the default locations.
	//
	// Specify the HTTP headers to extract JWT token. For examples, following config:
	//
	// .. code-block:: yaml
	//
	//   from_headers:
	//   - name: x-goog-iap-jwt-assertion
	//
	// can be used to extract token from header::
	//
	//   “x-goog-iap-jwt-assertion: <JWT>“.
	//
	FromHeaders []*JwtHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"`
	// JWT is sent in a query parameter. `jwt_params` represents the query parameter names.
	//
	// For example, if config is:
	//
	// .. code-block:: yaml
	//
	//   from_params:
	//   - jwt_token
	//
	// The JWT format in query parameter is::
	//
	//    /path?jwt_token=<JWT>
	//
	FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"`
	// This field specifies the header name to forward a successfully verified JWT payload to the
	// backend. The forwarded data is::
	//
	//    base64url_encoded(jwt_payload_in_JSON)
	//
	// If it is not specified, the payload will not be forwarded.
	ForwardPayloadHeader string `protobuf:"bytes,8,opt,name=forward_payload_header,json=forwardPayloadHeader,proto3" json:"forward_payload_header,omitempty"`
	// If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
	// in the format as: *namespace* is the jwt_authn filter name as **envoy.filters.http.jwt_authn**
	// The value is the *protobuf::Struct*. The value of this field will be the key for its *fields*
	// and the value is the *protobuf::Struct* converted from JWT JSON payload.
	//
	// For example, if payload_in_metadata is *my_payload*:
	//
	// .. code-block:: yaml
	//
	//   envoy.filters.http.jwt_authn:
	//     my_payload:
	//       iss: https://example.com
	//       sub: test@example.com
	//       aud: https://example.com
	//       exp: 1501281058
	//
	PayloadInMetadata string `protobuf:"bytes,9,opt,name=payload_in_metadata,json=payloadInMetadata,proto3" json:"payload_in_metadata,omitempty"`
	// Specify the clock skew in seconds when verifying JWT time constraint,
	// such as `exp`, and `nbf`. If not specified, default is 60 seconds.
	ClockSkewSeconds uint32 `protobuf:"varint,10,opt,name=clock_skew_seconds,json=clockSkewSeconds,proto3" json:"clock_skew_seconds,omitempty"`
	// contains filtered or unexported fields
}

Please see following for JWT authentication flow:

* `JSON Web Token (JWT) <https://tools.ietf.org/html/rfc7519>`_ * `The OAuth 2.0 Authorization Framework <https://tools.ietf.org/html/rfc6749>`_ * `OpenID Connect <http://openid.net/connect>`_

A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:

* issuer: the principal that issues the JWT. If specified, it has to match the *iss* field in JWT. * allowed audiences: the ones in the token have to be listed here. * how to fetch public key JWKS to verify the token signature. * how to extract JWT token in the request. * how to pass successfully verified token payload.

Example:

.. code-block:: yaml 

issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
- bookstore_web.apps.googleusercontent.com
remote_jwks:
  http_uri:
    uri: https://example.com/.well-known/jwks.json
    cluster: example_jwks_cluster
    timeout: 1s
  cache_duration:
    seconds: 300

[#next-free-field: 11]

func (*JwtProvider) Descriptor deprecated 

func (*JwtProvider) Descriptor() ([]byte, []int)

Deprecated: Use JwtProvider.ProtoReflect.Descriptor instead.

func (*JwtProvider) GetAudiences 

func (x *JwtProvider) GetAudiences() []string

func (*JwtProvider) GetClockSkewSeconds added in v0.9.8 

func (x *JwtProvider) GetClockSkewSeconds() uint32

func (*JwtProvider) GetForward 

func (x *JwtProvider) GetForward() bool

func (*JwtProvider) GetForwardPayloadHeader 

func (x *JwtProvider) GetForwardPayloadHeader() string

func (*JwtProvider) GetFromHeaders 

func (x *JwtProvider) GetFromHeaders() []*JwtHeader

func (*JwtProvider) GetFromParams 

func (x *JwtProvider) GetFromParams() []string

func (*JwtProvider) GetIssuer 

func (x *JwtProvider) GetIssuer() string

func (*JwtProvider) GetJwksSourceSpecifier 

func (m *JwtProvider) GetJwksSourceSpecifier() isJwtProvider_JwksSourceSpecifier

func (*JwtProvider) GetLocalJwks 

func (x *JwtProvider) GetLocalJwks() *v3.DataSource

func (*JwtProvider) GetPayloadInMetadata 

func (x *JwtProvider) GetPayloadInMetadata() string

func (*JwtProvider) GetRemoteJwks 

func (x *JwtProvider) GetRemoteJwks() *RemoteJwks

func (*JwtProvider) ProtoMessage 

func (*JwtProvider) ProtoMessage()

func (*JwtProvider) ProtoReflect added in v0.9.6 

func (x *JwtProvider) ProtoReflect() protoreflect.Message

func (*JwtProvider) Reset 

func (x *JwtProvider) Reset()

func (*JwtProvider) String 

func (x *JwtProvider) String() string

func (*JwtProvider) Validate 

func (m *JwtProvider) Validate() error

Validate checks the field values on JwtProvider with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type JwtProviderValidationError 

type JwtProviderValidationError struct {
	// contains filtered or unexported fields
}

JwtProviderValidationError is the validation error returned by JwtProvider.Validate if the designated constraints aren't met.

func (JwtProviderValidationError) Cause 

func (e JwtProviderValidationError) Cause() error

Cause function returns cause value.

func (JwtProviderValidationError) Error 

func (e JwtProviderValidationError) Error() string

Error satisfies the builtin error interface

func (JwtProviderValidationError) ErrorName 

func (e JwtProviderValidationError) ErrorName() string

ErrorName returns error name.

func (JwtProviderValidationError) Field 

func (e JwtProviderValidationError) Field() string

Field function returns field value.

func (JwtProviderValidationError) Key 

func (e JwtProviderValidationError) Key() bool

Key function returns key value.

func (JwtProviderValidationError) Reason 

func (e JwtProviderValidationError) Reason() string

Reason function returns reason value.

type JwtProvider_LocalJwks 

type JwtProvider_LocalJwks struct {
	// JWKS is in local data source. It could be either in a local file or embedded in the
	// inline_string.
	//
	// Example: local file
	//
	// .. code-block:: yaml
	//
	//    local_jwks:
	//      filename: /etc/envoy/jwks/jwks1.txt
	//
	// Example: inline_string
	//
	// .. code-block:: yaml
	//
	//    local_jwks:
	//      inline_string: ACADADADADA
	//
	LocalJwks *v3.DataSource `protobuf:"bytes,4,opt,name=local_jwks,json=localJwks,proto3,oneof"`
}

type JwtProvider_RemoteJwks 

type JwtProvider_RemoteJwks struct {
	// JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
	// URI and how the fetched JWKS should be cached.
	//
	// Example:
	//
	// .. code-block:: yaml
	//
	//    remote_jwks:
	//      http_uri:
	//        uri: https://www.googleapis.com/oauth2/v1/certs
	//        cluster: jwt.www.googleapis.com|443
	//        timeout: 1s
	//      cache_duration:
	//        seconds: 300
	//
	RemoteJwks *RemoteJwks `protobuf:"bytes,3,opt,name=remote_jwks,json=remoteJwks,proto3,oneof"`
}

type JwtRequirement 

type JwtRequirement struct {

	// Types that are assignable to RequiresType:
	//	*JwtRequirement_ProviderName
	//	*JwtRequirement_ProviderAndAudiences
	//	*JwtRequirement_RequiresAny
	//	*JwtRequirement_RequiresAll
	//	*JwtRequirement_AllowMissingOrFailed
	//	*JwtRequirement_AllowMissing
	RequiresType isJwtRequirement_RequiresType `protobuf_oneof:"requires_type"`
	// contains filtered or unexported fields
}

This message specifies a Jwt requirement. An empty message means JWT verification is not required. Here are some config examples:

.. code-block:: yaml 

# Example 1: not required with an empty message

# Example 2: require A
provider_name: provider-A

# Example 3: require A or B
requires_any:
  requirements:
    - provider_name: provider-A
    - provider_name: provider-B

# Example 4: require A and B
requires_all:
  requirements:
    - provider_name: provider-A
    - provider_name: provider-B

# Example 5: require A and (B or C)
requires_all:
  requirements:
    - provider_name: provider-A
    - requires_any:
      requirements:
        - provider_name: provider-B
        - provider_name: provider-C

# Example 6: require A or (B and C)
requires_any:
  requirements:
    - provider_name: provider-A
    - requires_all:
      requirements:
        - provider_name: provider-B
        - provider_name: provider-C

# Example 7: A is optional (if token from A is provided, it must be valid, but also allows
missing token.)
requires_any:
  requirements:
  - provider_name: provider-A
  - allow_missing: {}

# Example 8: A is optional and B is required.
requires_all:
  requirements:
  - requires_any:
      requirements:
      - provider_name: provider-A
      - allow_missing: {}
  - provider_name: provider-B

[#next-free-field: 7]

func (*JwtRequirement) Descriptor deprecated 

func (*JwtRequirement) Descriptor() ([]byte, []int)

Deprecated: Use JwtRequirement.ProtoReflect.Descriptor instead.

func (*JwtRequirement) GetAllowMissing 

func (x *JwtRequirement) GetAllowMissing() *emptypb.Empty

func (*JwtRequirement) GetAllowMissingOrFailed 

func (x *JwtRequirement) GetAllowMissingOrFailed() *emptypb.Empty

func (*JwtRequirement) GetProviderAndAudiences 

func (x *JwtRequirement) GetProviderAndAudiences() *ProviderWithAudiences

func (*JwtRequirement) GetProviderName 

func (x *JwtRequirement) GetProviderName() string

func (*JwtRequirement) GetRequiresAll 

func (x *JwtRequirement) GetRequiresAll() *JwtRequirementAndList

func (*JwtRequirement) GetRequiresAny 

func (x *JwtRequirement) GetRequiresAny() *JwtRequirementOrList

func (*JwtRequirement) GetRequiresType 

func (m *JwtRequirement) GetRequiresType() isJwtRequirement_RequiresType

func (*JwtRequirement) ProtoMessage 

func (*JwtRequirement) ProtoMessage()

func (*JwtRequirement) ProtoReflect added in v0.9.6 

func (x *JwtRequirement) ProtoReflect() protoreflect.Message

func (*JwtRequirement) Reset 

func (x *JwtRequirement) Reset()

func (*JwtRequirement) String 

func (x *JwtRequirement) String() string

func (*JwtRequirement) Validate 

func (m *JwtRequirement) Validate() error

Validate checks the field values on JwtRequirement with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type JwtRequirementAndList 

type JwtRequirementAndList struct {

	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a list of RequiredProvider. Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails.

func (*JwtRequirementAndList) Descriptor deprecated 

func (*JwtRequirementAndList) Descriptor() ([]byte, []int)

Deprecated: Use JwtRequirementAndList.ProtoReflect.Descriptor instead.

func (*JwtRequirementAndList) GetRequirements 

func (x *JwtRequirementAndList) GetRequirements() []*JwtRequirement

func (*JwtRequirementAndList) ProtoMessage 

func (*JwtRequirementAndList) ProtoMessage()

func (*JwtRequirementAndList) ProtoReflect added in v0.9.6 

func (x *JwtRequirementAndList) ProtoReflect() protoreflect.Message

func (*JwtRequirementAndList) Reset 

func (x *JwtRequirementAndList) Reset()

func (*JwtRequirementAndList) String 

func (x *JwtRequirementAndList) String() string

func (*JwtRequirementAndList) Validate 

func (m *JwtRequirementAndList) Validate() error

Validate checks the field values on JwtRequirementAndList with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type JwtRequirementAndListValidationError 

type JwtRequirementAndListValidationError struct {
	// contains filtered or unexported fields
}

JwtRequirementAndListValidationError is the validation error returned by JwtRequirementAndList.Validate if the designated constraints aren't met.

func (JwtRequirementAndListValidationError) Cause 

func (e JwtRequirementAndListValidationError) Cause() error

Cause function returns cause value.

func (JwtRequirementAndListValidationError) Error 

func (e JwtRequirementAndListValidationError) Error() string

Error satisfies the builtin error interface

func (JwtRequirementAndListValidationError) ErrorName 

func (e JwtRequirementAndListValidationError) ErrorName() string

ErrorName returns error name.

func (JwtRequirementAndListValidationError) Field 

func (e JwtRequirementAndListValidationError) Field() string

Field function returns field value.

func (JwtRequirementAndListValidationError) Key 

func (e JwtRequirementAndListValidationError) Key() bool

Key function returns key value.

func (JwtRequirementAndListValidationError) Reason 

func (e JwtRequirementAndListValidationError) Reason() string

Reason function returns reason value.

type JwtRequirementOrList 

type JwtRequirementOrList struct {

	// Specify a list of JwtRequirement.
	Requirements []*JwtRequirement `protobuf:"bytes,1,rep,name=requirements,proto3" json:"requirements,omitempty"`
	// contains filtered or unexported fields
}

This message specifies a list of RequiredProvider. Their results are OR-ed; if any one of them passes, the result is passed

func (*JwtRequirementOrList) Descriptor deprecated 

func (*JwtRequirementOrList) Descriptor() ([]byte, []int)

Deprecated: Use JwtRequirementOrList.ProtoReflect.Descriptor instead.

func (*JwtRequirementOrList) GetRequirements 

func (x *JwtRequirementOrList) GetRequirements() []*JwtRequirement

func (*JwtRequirementOrList) ProtoMessage 

func (*JwtRequirementOrList) ProtoMessage()

func (*JwtRequirementOrList) ProtoReflect added in v0.9.6 

func (x *JwtRequirementOrList) ProtoReflect() protoreflect.Message

func (*JwtRequirementOrList) Reset 

func (x *JwtRequirementOrList) Reset()

func (*JwtRequirementOrList) String 

func (x *JwtRequirementOrList) String() string

func (*JwtRequirementOrList) Validate 

func (m *JwtRequirementOrList) Validate() error

Validate checks the field values on JwtRequirementOrList with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type JwtRequirementOrListValidationError 

type JwtRequirementOrListValidationError struct {
	// contains filtered or unexported fields
}

JwtRequirementOrListValidationError is the validation error returned by JwtRequirementOrList.Validate if the designated constraints aren't met.

func (JwtRequirementOrListValidationError) Cause 

func (e JwtRequirementOrListValidationError) Cause() error

Cause function returns cause value.

func (JwtRequirementOrListValidationError) Error 

func (e JwtRequirementOrListValidationError) Error() string

Error satisfies the builtin error interface

func (JwtRequirementOrListValidationError) ErrorName 

func (e JwtRequirementOrListValidationError) ErrorName() string

ErrorName returns error name.

func (JwtRequirementOrListValidationError) Field 

func (e JwtRequirementOrListValidationError) Field() string

Field function returns field value.

func (JwtRequirementOrListValidationError) Key 

func (e JwtRequirementOrListValidationError) Key() bool

Key function returns key value.

func (JwtRequirementOrListValidationError) Reason 

func (e JwtRequirementOrListValidationError) Reason() string

Reason function returns reason value.

type JwtRequirementValidationError 

type JwtRequirementValidationError struct {
	// contains filtered or unexported fields
}

JwtRequirementValidationError is the validation error returned by JwtRequirement.Validate if the designated constraints aren't met.

func (JwtRequirementValidationError) Cause 

func (e JwtRequirementValidationError) Cause() error

Cause function returns cause value.

func (JwtRequirementValidationError) Error 

func (e JwtRequirementValidationError) Error() string

Error satisfies the builtin error interface

func (JwtRequirementValidationError) ErrorName 

func (e JwtRequirementValidationError) ErrorName() string

ErrorName returns error name.

func (JwtRequirementValidationError) Field 

func (e JwtRequirementValidationError) Field() string

Field function returns field value.

func (JwtRequirementValidationError) Key 

func (e JwtRequirementValidationError) Key() bool

Key function returns key value.

func (JwtRequirementValidationError) Reason 

func (e JwtRequirementValidationError) Reason() string

Reason function returns reason value.

type JwtRequirement_AllowMissing 

type JwtRequirement_AllowMissing struct {
	// The requirement is satisfied if JWT is missing, but failed if JWT is
	// presented but invalid. Similar to allow_missing_or_failed, this is used
	// to only verify JWTs and pass the verified payload to another filter. The
	// different is this mode will reject requests with invalid tokens.
	AllowMissing *emptypb.Empty `protobuf:"bytes,6,opt,name=allow_missing,json=allowMissing,proto3,oneof"`
}

type JwtRequirement_AllowMissingOrFailed 

type JwtRequirement_AllowMissingOrFailed struct {
	// The requirement is always satisfied even if JWT is missing or the JWT
	// verification fails. A typical usage is: this filter is used to only verify
	// JWTs and pass the verified JWT payloads to another filter, the other filter
	// will make decision. In this mode, all JWT tokens will be verified.
	AllowMissingOrFailed *emptypb.Empty `protobuf:"bytes,5,opt,name=allow_missing_or_failed,json=allowMissingOrFailed,proto3,oneof"`
}

type JwtRequirement_ProviderAndAudiences 

type JwtRequirement_ProviderAndAudiences struct {
	// Specify a required provider with audiences.
	ProviderAndAudiences *ProviderWithAudiences `protobuf:"bytes,2,opt,name=provider_and_audiences,json=providerAndAudiences,proto3,oneof"`
}

type JwtRequirement_ProviderName 

type JwtRequirement_ProviderName struct {
	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3,oneof"`
}

type JwtRequirement_RequiresAll 

type JwtRequirement_RequiresAll struct {
	// Specify list of JwtRequirement. Their results are AND-ed.
	// All of them must pass, if one of them fails or missing, it fails.
	RequiresAll *JwtRequirementAndList `protobuf:"bytes,4,opt,name=requires_all,json=requiresAll,proto3,oneof"`
}

type JwtRequirement_RequiresAny 

type JwtRequirement_RequiresAny struct {
	// Specify list of JwtRequirement. Their results are OR-ed.
	// If any one of them passes, the result is passed.
	RequiresAny *JwtRequirementOrList `protobuf:"bytes,3,opt,name=requires_any,json=requiresAny,proto3,oneof"`
}

type PerRouteConfig added in v0.9.8 

type PerRouteConfig struct {

	// Types that are assignable to RequirementSpecifier:
	//	*PerRouteConfig_Disabled
	//	*PerRouteConfig_RequirementName
	RequirementSpecifier isPerRouteConfig_RequirementSpecifier `protobuf_oneof:"requirement_specifier"`
	// contains filtered or unexported fields
}

Specify per-route config.

func (*PerRouteConfig) Descriptor deprecated added in v0.9.8 

func (*PerRouteConfig) Descriptor() ([]byte, []int)

Deprecated: Use PerRouteConfig.ProtoReflect.Descriptor instead.

func (*PerRouteConfig) GetDisabled added in v0.9.8 

func (x *PerRouteConfig) GetDisabled() bool

func (*PerRouteConfig) GetRequirementName added in v0.9.8 

func (x *PerRouteConfig) GetRequirementName() string

func (*PerRouteConfig) GetRequirementSpecifier added in v0.9.8 

func (m *PerRouteConfig) GetRequirementSpecifier() isPerRouteConfig_RequirementSpecifier

func (*PerRouteConfig) ProtoMessage added in v0.9.8 

func (*PerRouteConfig) ProtoMessage()

func (*PerRouteConfig) ProtoReflect added in v0.9.8 

func (x *PerRouteConfig) ProtoReflect() protoreflect.Message

func (*PerRouteConfig) Reset added in v0.9.8 

func (x *PerRouteConfig) Reset()

func (*PerRouteConfig) String added in v0.9.8 

func (x *PerRouteConfig) String() string

func (*PerRouteConfig) Validate added in v0.9.8 

func (m *PerRouteConfig) Validate() error

Validate checks the field values on PerRouteConfig with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type PerRouteConfigValidationError added in v0.9.8 

type PerRouteConfigValidationError struct {
	// contains filtered or unexported fields
}

PerRouteConfigValidationError is the validation error returned by PerRouteConfig.Validate if the designated constraints aren't met.

func (PerRouteConfigValidationError) Cause added in v0.9.8 

func (e PerRouteConfigValidationError) Cause() error

Cause function returns cause value.

func (PerRouteConfigValidationError) Error added in v0.9.8 

func (e PerRouteConfigValidationError) Error() string

Error satisfies the builtin error interface

func (PerRouteConfigValidationError) ErrorName added in v0.9.8 

func (e PerRouteConfigValidationError) ErrorName() string

ErrorName returns error name.

func (PerRouteConfigValidationError) Field added in v0.9.8 

func (e PerRouteConfigValidationError) Field() string

Field function returns field value.

func (PerRouteConfigValidationError) Key added in v0.9.8 

func (e PerRouteConfigValidationError) Key() bool

Key function returns key value.

func (PerRouteConfigValidationError) Reason added in v0.9.8 

func (e PerRouteConfigValidationError) Reason() string

Reason function returns reason value.

type PerRouteConfig_Disabled added in v0.9.8 

type PerRouteConfig_Disabled struct {
	// Disable Jwt Authentication for this route.
	Disabled bool `protobuf:"varint,1,opt,name=disabled,proto3,oneof"`
}

type PerRouteConfig_RequirementName added in v0.9.8 

type PerRouteConfig_RequirementName struct {
	// Use requirement_name to specify a JwtRequirement.
	// This requirement_name MUST be specified at the
	// :ref:`requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map>`
	// in `JwtAuthentication`. If no, the requests using this route will be rejected with 403.
	RequirementName string `protobuf:"bytes,2,opt,name=requirement_name,json=requirementName,proto3,oneof"`
}

type ProviderWithAudiences 

type ProviderWithAudiences struct {

	// Specify a required provider name.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
	// This field overrides the one specified in the JwtProvider.
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// contains filtered or unexported fields
}

Specify a required provider with audiences.

func (*ProviderWithAudiences) Descriptor deprecated 

func (*ProviderWithAudiences) Descriptor() ([]byte, []int)

Deprecated: Use ProviderWithAudiences.ProtoReflect.Descriptor instead.

func (*ProviderWithAudiences) GetAudiences 

func (x *ProviderWithAudiences) GetAudiences() []string

func (*ProviderWithAudiences) GetProviderName 

func (x *ProviderWithAudiences) GetProviderName() string

func (*ProviderWithAudiences) ProtoMessage 

func (*ProviderWithAudiences) ProtoMessage()

func (*ProviderWithAudiences) ProtoReflect added in v0.9.6 

func (x *ProviderWithAudiences) ProtoReflect() protoreflect.Message

func (*ProviderWithAudiences) Reset 

func (x *ProviderWithAudiences) Reset()

func (*ProviderWithAudiences) String 

func (x *ProviderWithAudiences) String() string

func (*ProviderWithAudiences) Validate 

func (m *ProviderWithAudiences) Validate() error

Validate checks the field values on ProviderWithAudiences with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type ProviderWithAudiencesValidationError 

type ProviderWithAudiencesValidationError struct {
	// contains filtered or unexported fields
}

ProviderWithAudiencesValidationError is the validation error returned by ProviderWithAudiences.Validate if the designated constraints aren't met.

func (ProviderWithAudiencesValidationError) Cause 

func (e ProviderWithAudiencesValidationError) Cause() error

Cause function returns cause value.

func (ProviderWithAudiencesValidationError) Error 

func (e ProviderWithAudiencesValidationError) Error() string

Error satisfies the builtin error interface

func (ProviderWithAudiencesValidationError) ErrorName 

func (e ProviderWithAudiencesValidationError) ErrorName() string

ErrorName returns error name.

func (ProviderWithAudiencesValidationError) Field 

func (e ProviderWithAudiencesValidationError) Field() string

Field function returns field value.

func (ProviderWithAudiencesValidationError) Key 

func (e ProviderWithAudiencesValidationError) Key() bool

Key function returns key value.

func (ProviderWithAudiencesValidationError) Reason 

func (e ProviderWithAudiencesValidationError) Reason() string

Reason function returns reason value.

type RemoteJwks 

type RemoteJwks struct {

	// The HTTP URI to fetch the JWKS. For example:
	//
	// .. code-block:: yaml
	//
	//    http_uri:
	//      uri: https://www.googleapis.com/oauth2/v1/certs
	//      cluster: jwt.www.googleapis.com|443
	//      timeout: 1s
	//
	HttpUri *v3.HttpUri `protobuf:"bytes,1,opt,name=http_uri,json=httpUri,proto3" json:"http_uri,omitempty"`
	// Duration after which the cached JWKS should be expired. If not specified, default cache
	// duration is 5 minutes.
	CacheDuration *duration.Duration `protobuf:"bytes,2,opt,name=cache_duration,json=cacheDuration,proto3" json:"cache_duration,omitempty"`
	// contains filtered or unexported fields
}

This message specifies how to fetch JWKS from remote and how to cache it.

func (*RemoteJwks) Descriptor deprecated 

func (*RemoteJwks) Descriptor() ([]byte, []int)

Deprecated: Use RemoteJwks.ProtoReflect.Descriptor instead.

func (*RemoteJwks) GetCacheDuration 

func (x *RemoteJwks) GetCacheDuration() *duration.Duration

func (*RemoteJwks) GetHttpUri 

func (x *RemoteJwks) GetHttpUri() *v3.HttpUri

func (*RemoteJwks) ProtoMessage 

func (*RemoteJwks) ProtoMessage()

func (*RemoteJwks) ProtoReflect added in v0.9.6 

func (x *RemoteJwks) ProtoReflect() protoreflect.Message

func (*RemoteJwks) Reset 

func (x *RemoteJwks) Reset()

func (*RemoteJwks) String 

func (x *RemoteJwks) String() string

func (*RemoteJwks) Validate 

func (m *RemoteJwks) Validate() error

Validate checks the field values on RemoteJwks with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type RemoteJwksValidationError 

type RemoteJwksValidationError struct {
	// contains filtered or unexported fields
}

RemoteJwksValidationError is the validation error returned by RemoteJwks.Validate if the designated constraints aren't met.

func (RemoteJwksValidationError) Cause 

func (e RemoteJwksValidationError) Cause() error

Cause function returns cause value.

func (RemoteJwksValidationError) Error 

func (e RemoteJwksValidationError) Error() string

Error satisfies the builtin error interface

func (RemoteJwksValidationError) ErrorName 

func (e RemoteJwksValidationError) ErrorName() string

ErrorName returns error name.

func (RemoteJwksValidationError) Field 

func (e RemoteJwksValidationError) Field() string

Field function returns field value.

func (RemoteJwksValidationError) Key 

func (e RemoteJwksValidationError) Key() bool

Key function returns key value.

func (RemoteJwksValidationError) Reason 

func (e RemoteJwksValidationError) Reason() string

Reason function returns reason value.

type RequirementRule 

type RequirementRule struct {

	// The route matching parameter. Only when the match is satisfied, the "requires" field will
	// apply.
	//
	// For example: following match will match all requests.
	//
	// .. code-block:: yaml
	//
	//    match:
	//      prefix: /
	//
	Match *v31.RouteMatch `protobuf:"bytes,1,opt,name=match,proto3" json:"match,omitempty"`
	// Specify a Jwt requirement.
	// If not specified, Jwt verification is disabled.
	//
	// Types that are assignable to RequirementType:
	//	*RequirementRule_Requires
	//	*RequirementRule_RequirementName
	RequirementType isRequirementRule_RequirementType `protobuf_oneof:"requirement_type"`
	// contains filtered or unexported fields
}

This message specifies a Jwt requirement for a specific Route condition. Example 1:

.. code-block:: yaml

  • match: prefix: /healthz

In above example, "requires" field is empty for /healthz prefix match, it means that requests matching the path prefix don't require JWT authentication.

Example 2:

.. code-block:: yaml

  • match: prefix: / requires: { provider_name: provider-A }

In above example, all requests matched the path prefix require jwt authentication from "provider-A".

func (*RequirementRule) Descriptor deprecated 

func (*RequirementRule) Descriptor() ([]byte, []int)

Deprecated: Use RequirementRule.ProtoReflect.Descriptor instead.

func (*RequirementRule) GetMatch 

func (x *RequirementRule) GetMatch() *v31.RouteMatch

func (*RequirementRule) GetRequirementName added in v0.9.8 

func (x *RequirementRule) GetRequirementName() string

func (*RequirementRule) GetRequirementType added in v0.9.8 

func (m *RequirementRule) GetRequirementType() isRequirementRule_RequirementType

func (*RequirementRule) GetRequires 

func (x *RequirementRule) GetRequires() *JwtRequirement

func (*RequirementRule) ProtoMessage 

func (*RequirementRule) ProtoMessage()

func (*RequirementRule) ProtoReflect added in v0.9.6 

func (x *RequirementRule) ProtoReflect() protoreflect.Message

func (*RequirementRule) Reset 

func (x *RequirementRule) Reset()

func (*RequirementRule) String 

func (x *RequirementRule) String() string

func (*RequirementRule) Validate 

func (m *RequirementRule) Validate() error

Validate checks the field values on RequirementRule with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type RequirementRuleValidationError 

type RequirementRuleValidationError struct {
	// contains filtered or unexported fields
}

RequirementRuleValidationError is the validation error returned by RequirementRule.Validate if the designated constraints aren't met.

func (RequirementRuleValidationError) Cause 

func (e RequirementRuleValidationError) Cause() error

Cause function returns cause value.

func (RequirementRuleValidationError) Error 

func (e RequirementRuleValidationError) Error() string

Error satisfies the builtin error interface

func (RequirementRuleValidationError) ErrorName 

func (e RequirementRuleValidationError) ErrorName() string

ErrorName returns error name.

func (RequirementRuleValidationError) Field 

func (e RequirementRuleValidationError) Field() string

Field function returns field value.

func (RequirementRuleValidationError) Key 

func (e RequirementRuleValidationError) Key() bool

Key function returns key value.

func (RequirementRuleValidationError) Reason 

func (e RequirementRuleValidationError) Reason() string

Reason function returns reason value.

type RequirementRule_RequirementName added in v0.9.8 

type RequirementRule_RequirementName struct {
	// Use requirement_name to specify a Jwt requirement.
	// This requirement_name MUST be specified at the
	// :ref:`requirement_map <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtAuthentication.requirement_map>`
	// in `JwtAuthentication`.
	RequirementName string `protobuf:"bytes,3,opt,name=requirement_name,json=requirementName,proto3,oneof"`
}

type RequirementRule_Requires added in v0.9.8 

type RequirementRule_Requires struct {
	// Specify a Jwt requirement. Please see detail comment in message JwtRequirement.
	Requires *JwtRequirement `protobuf:"bytes,2,opt,name=requires,proto3,oneof"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.