Diffstat (limited to 'src/rpc/envoy.config.rbac.v2.rs')
| -rw-r--r-- | src/rpc/envoy.config.rbac.v2.rs | 269 |
1 files changed, 0 insertions, 269 deletions
diff --git a/src/rpc/envoy.config.rbac.v2.rs b/src/rpc/envoy.config.rbac.v2.rs deleted file mode 100644 index 3bec8224..00000000 --- a/src/rpc/envoy.config.rbac.v2.rs +++ /dev/null 
@@ -1,269 +0,0 @@ -// @generated -// This file is @generated by prost-build. -// \[#protodoc-title: Role Based Access Control (RBAC)\] - -/// Role Based Access Control (RBAC) provides service-level and method-level access control for a -/// service. RBAC policies are additive. The policies are examined in order. A request is allowed -/// once a matching policy is found (suppose the `action` is ALLOW). -/// -/// Here is an example of RBAC configuration. It has two policies: -/// -/// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so -/// does "cluster.local/ns/default/sa/superuser". -/// -/// * Any user can read ("GET") the service at paths with prefix "/products", so long as the -/// destination port is either 80 or 443. -/// -/// .. code-block:: yaml -/// -/// action: ALLOW -/// policies: -/// "service-admin": -/// permissions: -/// - any: true -/// principals: -/// - authenticated: -/// principal_name: -/// exact: "cluster.local/ns/default/sa/admin" -/// - authenticated: -/// principal_name: -/// exact: "cluster.local/ns/default/sa/superuser" -/// "product-viewer": -/// permissions: -/// - and_rules: -/// rules: -/// - header: { name: ":method", exact_match: "GET" } -/// - url_path: -/// path: { prefix: "/products" } -/// - or_rules: -/// rules: -/// - destination_port: 80 -/// - destination_port: 443 -/// principals: -/// - any: true -/// -#[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Message)] -pub struct Rbac { - /// The action to take if a policy matches. The request is allowed if and only if: - /// - /// * `action` is "ALLOWED" and at least one policy matches - /// * `action` is "DENY" and none of the policies match - #[prost(enumeration="rbac::Action", tag="1")] - pub action: i32, - /// Maps from policy name to policy. A match occurs when at least one policy matches the request. 
- #[prost(map="string, message", tag="2")] - pub policies: ::std::collections::HashMap<::prost::alloc::string::String, Policy>, -} -/// Nested message and enum types in `RBAC`. -pub mod rbac { - /// Should we do safe-list or block-list style access control? - #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, ::prost::Enumeration)] - #[repr(i32)] - pub enum Action { - /// The policies grant access to principals. The rest is denied. This is safe-list style - /// access control. This is the default type. - Allow = 0, - /// The policies deny access to principals. The rest is allowed. This is block-list style - /// access control. - Deny = 1, - } - impl Action { - /// String value of the enum field names used in the ProtoBuf definition. - /// - /// The values are not transformed in any way and thus are considered stable - /// (if the ProtoBuf definition does not change) and safe for programmatic use. - pub fn as_str_name(&self) -> &'static str { - match self { - Action::Allow => "ALLOW", - Action::Deny => "DENY", - } - } - /// Creates an enum from field names used in the ProtoBuf definition. - pub fn from_str_name(value: &str) -> ::core::option::Option<Self> { - match value { - "ALLOW" => Some(Self::Allow), - "DENY" => Some(Self::Deny), - _ => None, - } - } - } -} -/// Policy specifies a role and the principals that are assigned/denied the role. A policy matches if -/// and only if at least one of its permissions match the action taking place AND at least one of its -/// principals match the downstream AND the condition is true if specified. -#[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Message)] -pub struct Policy { - /// Required. The set of permissions that define a role. Each permission is matched with OR - /// semantics. To match all actions for this policy, a single Permission with the `any` field set - /// to true should be used. 
- #[prost(message, repeated, tag="1")] - pub permissions: ::prost::alloc::vec::Vec<Permission>, - /// Required. The set of principals that are assigned/denied the role based on “action”. Each - /// principal is matched with OR semantics. To match all downstreams for this policy, a single - /// Principal with the `any` field set to true should be used. - #[prost(message, repeated, tag="2")] - pub principals: ::prost::alloc::vec::Vec<Principal>, - /// An optional symbolic expression specifying an access control - /// :ref:`condition <arch_overview_condition>`. The condition is combined - /// with the permissions and the principals as a clause with AND semantics. - #[prost(message, optional, tag="3")] - pub condition: ::core::option::Option<super::super::super::super::google::api::expr::v1alpha1::Expr>, -} -/// Permission defines an action (or actions) that a principal can take. -/// \[#next-free-field: 11\] -#[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Message)] -pub struct Permission { - #[prost(oneof="permission::Rule", tags="1, 2, 3, 4, 10, 5, 6, 7, 8, 9")] - pub rule: ::core::option::Option<permission::Rule>, -} -/// Nested message and enum types in `Permission`. -pub mod permission { - /// Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context, - /// each are applied with the associated behavior. - #[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Message)] - pub struct Set { - #[prost(message, repeated, tag="1")] - pub rules: ::prost::alloc::vec::Vec<super::Permission>, - } - #[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Oneof)] - pub enum Rule { - /// A set of rules that all must match in order to define the action. - #[prost(message, tag="1")] - AndRules(Set), - /// A set of rules where at least one must match in order to define the action. 
- #[prost(message, tag="2")] - OrRules(Set), - /// When any is set, it matches any action. - #[prost(bool, tag="3")] - Any(bool), - /// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only - /// available for HTTP request. - /// Note: the pseudo-header :path includes the query and fragment string. Use the `url_path` - /// field if you want to match the URL path without the query and fragment string. - #[prost(message, tag="4")] - Header(super::super::super::super::api::v2::route::HeaderMatcher), - /// A URL path on the incoming HTTP request. Only available for HTTP. - #[prost(message, tag="10")] - UrlPath(super::super::super::super::r#type::matcher::PathMatcher), - /// A CIDR block that describes the destination IP. - #[prost(message, tag="5")] - DestinationIp(super::super::super::super::api::v2::core::CidrRange), - /// A port number that describes the destination port connecting to. - #[prost(uint32, tag="6")] - DestinationPort(u32), - /// Metadata that describes additional information about the action. - #[prost(message, tag="7")] - Metadata(super::super::super::super::r#type::matcher::MetadataMatcher), - /// Negates matching the provided permission. For instance, if the value of `not_rule` would - /// match, this permission would not match. Conversely, if the value of `not_rule` would not - /// match, this permission would match. - #[prost(message, tag="8")] - NotRule(::prost::alloc::boxed::Box<super::Permission>), - /// The request server from the client's connection request. This is - /// typically TLS SNI. - /// - /// .. attention:: - /// - /// The behavior of this field may be affected by how Envoy is configured - /// as explained below. 
- /// - /// * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>` - /// filter is not added, and if a `FilterChainMatch` is not defined for - /// the :ref:`server name <envoy_api_field_listener.FilterChainMatch.server_names>`, - /// a TLS connection's requested SNI server name will be treated as if it - /// wasn't present. - /// - /// * A :ref:`listener filter <arch_overview_listener_filters>` may - /// overwrite a connection's requested server name within Envoy. - /// - /// Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to - /// setup SNI. - #[prost(message, tag="9")] - RequestedServerName(super::super::super::super::r#type::matcher::StringMatcher), - } -} -/// Principal defines an identity or a group of identities for a downstream subject. -/// \[#next-free-field: 12\] -#[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Message)] -pub struct Principal { - #[prost(oneof="principal::Identifier", tags="1, 2, 3, 4, 5, 10, 11, 6, 9, 7, 8")] - pub identifier: ::core::option::Option<principal::Identifier>, -} -/// Nested message and enum types in `Principal`. -pub mod principal { - /// Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context, - /// each are applied with the associated behavior. - #[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Message)] - pub struct Set { - #[prost(message, repeated, tag="1")] - pub ids: ::prost::alloc::vec::Vec<super::Principal>, - } - /// Authentication attributes for a downstream. - #[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Message)] - pub struct Authenticated { - /// The name of the principal. If set, The URI SAN or DNS SAN in that order is used from the - /// certificate, otherwise the subject field is used. If unset, it applies to any user that is - /// authenticated. 
- #[prost(message, optional, tag="2")] - pub principal_name: ::core::option::Option<super::super::super::super::r#type::matcher::StringMatcher>, - } - #[allow(clippy::derive_partial_eq_without_eq)] -#[derive(Clone, PartialEq, ::prost::Oneof)] - pub enum Identifier { - /// A set of identifiers that all must match in order to define the downstream. - #[prost(message, tag="1")] - AndIds(Set), - /// A set of identifiers at least one must match in order to define the downstream. - #[prost(message, tag="2")] - OrIds(Set), - /// When any is set, it matches any downstream. - #[prost(bool, tag="3")] - Any(bool), - /// Authenticated attributes that identify the downstream. - #[prost(message, tag="4")] - Authenticated(Authenticated), - /// A CIDR block that describes the downstream IP. - /// This address will honor proxy protocol, but will not honor XFF. - #[prost(message, tag="5")] - SourceIp(super::super::super::super::api::v2::core::CidrRange), - /// A CIDR block that describes the downstream remote/origin address. - /// Note: This is always the physical peer even if the - /// :ref:`remote_ip <envoy_api_field_config.rbac.v2.Principal.remote_ip>` is inferred - /// from for example the x-forwarder-for header, proxy protocol, etc. - #[prost(message, tag="10")] - DirectRemoteIp(super::super::super::super::api::v2::core::CidrRange), - /// A CIDR block that describes the downstream remote/origin address. - /// Note: This may not be the physical peer and could be different from the - /// :ref:`direct_remote_ip <envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>`. - /// E.g, if the remote ip is inferred from for example the x-forwarder-for header, - /// proxy protocol, etc. - #[prost(message, tag="11")] - RemoteIp(super::super::super::super::api::v2::core::CidrRange), - /// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only - /// available for HTTP request. - /// Note: the pseudo-header :path includes the query and fragment string. 
Use the `url_path` - /// field if you want to match the URL path without the query and fragment string. - #[prost(message, tag="6")] - Header(super::super::super::super::api::v2::route::HeaderMatcher), - /// A URL path on the incoming HTTP request. Only available for HTTP. - #[prost(message, tag="9")] - UrlPath(super::super::super::super::r#type::matcher::PathMatcher), - /// Metadata that describes additional information about the principal. - #[prost(message, tag="7")] - Metadata(super::super::super::super::r#type::matcher::MetadataMatcher), - /// Negates matching the provided principal. For instance, if the value of `not_id` would match, - /// this principal would not match. Conversely, if the value of `not_id` would not match, this - /// principal would match. - #[prost(message, tag="8")] - NotId(::prost::alloc::boxed::Box<super::Principal>), - } -} -// @@protoc_insertion_point(module) |
