envoy: upgrade to v1.17.1 (#1993)

authorize/check_response.go

@@ -7,9 +7,9 @@ import (
 	"sort"
 	"strings"
 
-	envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
-	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
-	envoy_type "github.com/envoyproxy/go-control-plane/envoy/type"
+	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	"github.com/golang/protobuf/ptypes/wrappers"
 	"google.golang.org/genproto/googleapis/rpc/status"
 	"google.golang.org/grpc/codes"
@@ -20,8 +20,8 @@ import (
 	"github.com/pomerium/pomerium/internal/urlutil"
 )
 
-func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.CheckResponse {
-	var requestHeaders []*envoy_api_v2_core.HeaderValueOption
+func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v3.CheckResponse {
+	var requestHeaders []*envoy_config_core_v3.HeaderValueOption
 	for k, v := range reply.Headers {
 		requestHeaders = append(requestHeaders, mkHeader(k, v, false))
 	}
@@ -29,10 +29,10 @@ func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.C
 	sort.Slice(requestHeaders, func(i, j int) bool {
 		return requestHeaders[i].Header.Key < requestHeaders[j].Header.Value
 	})
-	return &envoy_service_auth_v2.CheckResponse{
+	return &envoy_service_auth_v3.CheckResponse{
 		Status: &status.Status{Code: int32(codes.OK), Message: reply.Message},
-		HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{
-			OkResponse: &envoy_service_auth_v2.OkHttpResponse{
+		HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{
+			OkResponse: &envoy_service_auth_v3.OkHttpResponse{
 				Headers: requestHeaders,
 			},
 		},
@@ -40,9 +40,9 @@ func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.C
 }
 
 func (a *Authorize) deniedResponse(
-	in *envoy_service_auth_v2.CheckRequest,
+	in *envoy_service_auth_v3.CheckRequest,
 	code int32, reason string, headers map[string]string,
-) (*envoy_service_auth_v2.CheckResponse, error) {
+) (*envoy_service_auth_v3.CheckResponse, error) {
 	returnHTMLError := true
 	inHeaders := in.GetAttributes().GetRequest().GetHttp().GetHeaders()
 	if inHeaders != nil {
@@ -56,9 +56,9 @@ func (a *Authorize) deniedResponse(
 }
 
 func (a *Authorize) htmlDeniedResponse(
-	in *envoy_service_auth_v2.CheckRequest,
+	in *envoy_service_auth_v3.CheckRequest,
 	code int32, reason string, headers map[string]string,
-) (*envoy_service_auth_v2.CheckResponse, error) {
+) (*envoy_service_auth_v3.CheckResponse, error) {
 	opts := a.currentOptions.Load()
 	authenticateURL, err := opts.GetAuthenticateURL()
 	if err != nil {
@@ -106,19 +106,19 @@ func (a *Authorize) htmlDeniedResponse(
 		log.Error().Err(err).Msg("error executing error template")
 	}
 
-	envoyHeaders := []*envoy_api_v2_core.HeaderValueOption{
+	envoyHeaders := []*envoy_config_core_v3.HeaderValueOption{
 		mkHeader("Content-Type", "text/html", false),
 	}
 	for k, v := range headers {
 		envoyHeaders = append(envoyHeaders, mkHeader(k, v, false))
 	}
 
-	return &envoy_service_auth_v2.CheckResponse{
+	return &envoy_service_auth_v3.CheckResponse{
 		Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
-		HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
-			DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
-				Status: &envoy_type.HttpStatus{
-					Code: envoy_type.StatusCode(code),
+		HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
+			DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{
+				Status: &envoy_type_v3.HttpStatus{
+					Code: envoy_type_v3.StatusCode(code),
 				},
 				Headers: envoyHeaders,
 				Body:    buf.String(),
@@ -127,20 +127,20 @@ func (a *Authorize) htmlDeniedResponse(
 	}, nil
 }
 
-func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v2.CheckResponse {
-	envoyHeaders := []*envoy_api_v2_core.HeaderValueOption{
+func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v3.CheckResponse {
+	envoyHeaders := []*envoy_config_core_v3.HeaderValueOption{
 		mkHeader("Content-Type", "text/plain", false),
 	}
 	for k, v := range headers {
 		envoyHeaders = append(envoyHeaders, mkHeader(k, v, false))
 	}
 
-	return &envoy_service_auth_v2.CheckResponse{
+	return &envoy_service_auth_v3.CheckResponse{
 		Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
-		HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
-			DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
-				Status: &envoy_type.HttpStatus{
-					Code: envoy_type.StatusCode(code),
+		HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
+			DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{
+				Status: &envoy_type_v3.HttpStatus{
+					Code: envoy_type_v3.StatusCode(code),
 				},
 				Headers: envoyHeaders,
 				Body:    reason,
@@ -149,7 +149,7 @@ func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers m
 	}
 }
 
-func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) (*envoy_service_auth_v2.CheckResponse, error) {
+func (a *Authorize) redirectResponse(in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
 	opts := a.currentOptions.Load()
 	authenticateURL, err := opts.GetAuthenticateURL()
 	if err != nil {
@@ -174,9 +174,9 @@ func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) (*e
 	})
 }
 
-func mkHeader(k, v string, shouldAppend bool) *envoy_api_v2_core.HeaderValueOption {
-	return &envoy_api_v2_core.HeaderValueOption{
-		Header: &envoy_api_v2_core.HeaderValue{
+func mkHeader(k, v string, shouldAppend bool) *envoy_config_core_v3.HeaderValueOption {
+	return &envoy_config_core_v3.HeaderValueOption{
+		Header: &envoy_config_core_v3.HeaderValue{
 			Key:   k,
 			Value: v,
 		},

authorize/check_response_test.go

@@ -6,9 +6,9 @@ import (
 	"net/url"
 	"testing"
 
-	envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
-	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
-	envoy_type "github.com/envoyproxy/go-control-plane/envoy/type"
+	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/genproto/googleapis/rpc/status"
@@ -57,12 +57,12 @@ func TestAuthorize_okResponse(t *testing.T) {
 	tests := []struct {
 		name  string
 		reply *evaluator.Result
-		want  *envoy_service_auth_v2.CheckResponse
+		want  *envoy_service_auth_v3.CheckResponse
 	}{
 		{
 			"ok reply",
 			&evaluator.Result{Status: 0, Message: "ok"},
-			&envoy_service_auth_v2.CheckResponse{
+			&envoy_service_auth_v3.CheckResponse{
 				Status: &status.Status{Code: 0, Message: "ok"},
 			},
 		},
@@ -75,7 +75,7 @@ func TestAuthorize_okResponse(t *testing.T) {
 					KubernetesServiceAccountToken: "k8s-svc-account",
 				},
 			},
-			&envoy_service_auth_v2.CheckResponse{
+			&envoy_service_auth_v3.CheckResponse{
 				Status: &status.Status{Code: 0, Message: "ok"},
 			},
 		},
@@ -88,7 +88,7 @@ func TestAuthorize_okResponse(t *testing.T) {
 					KubernetesServiceAccountToken: "k8s-svc-account",
 				},
 			},
-			&envoy_service_auth_v2.CheckResponse{
+			&envoy_service_auth_v3.CheckResponse{
 				Status: &status.Status{Code: 0, Message: "ok"},
 			},
 		},
@@ -98,7 +98,7 @@ func TestAuthorize_okResponse(t *testing.T) {
 				Status:  0,
 				Message: "ok",
 			},
-			&envoy_service_auth_v2.CheckResponse{
+			&envoy_service_auth_v3.CheckResponse{
 				Status: &status.Status{Code: 0, Message: "ok"},
 			},
 		},
@@ -131,11 +131,11 @@ func TestAuthorize_deniedResponse(t *testing.T) {
 
 	tests := []struct {
 		name    string
-		in      *envoy_service_auth_v2.CheckRequest
+		in      *envoy_service_auth_v3.CheckRequest
 		code    int32
 		reason  string
 		headers map[string]string
-		want    *envoy_service_auth_v2.CheckResponse
+		want    *envoy_service_auth_v3.CheckResponse
 	}{
 		{
 			"html denied",
@@ -143,14 +143,14 @@ func TestAuthorize_deniedResponse(t *testing.T) {
 			http.StatusBadRequest,
 			"Access Denied",
 			nil,
-			&envoy_service_auth_v2.CheckResponse{
+			&envoy_service_auth_v3.CheckResponse{
 				Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
-				HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
-					DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
-						Status: &envoy_type.HttpStatus{
-							Code: envoy_type.StatusCode(codes.InvalidArgument),
+				HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
+					DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{
+						Status: &envoy_type_v3.HttpStatus{
+							Code: envoy_type_v3.StatusCode(codes.InvalidArgument),
 						},
-						Headers: []*envoy_api_v2_core.HeaderValueOption{
+						Headers: []*envoy_config_core_v3.HeaderValueOption{
 							mkHeader("Content-Type", "text/html", false),
 						},
 						Body: "Access Denied",
@@ -160,10 +160,10 @@ func TestAuthorize_deniedResponse(t *testing.T) {
 		},
 		{
 			"plain text denied",
-			&envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+			&envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Headers: map[string]string{},
 						},
 					},
@@ -172,14 +172,14 @@ func TestAuthorize_deniedResponse(t *testing.T) {
 			http.StatusBadRequest,
 			"Access Denied",
 			map[string]string{},
-			&envoy_service_auth_v2.CheckResponse{
+			&envoy_service_auth_v3.CheckResponse{
 				Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
-				HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
-					DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{
-						Status: &envoy_type.HttpStatus{
-							Code: envoy_type.StatusCode(codes.InvalidArgument),
+				HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
+					DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{
+						Status: &envoy_type_v3.HttpStatus{
+							Code: envoy_type_v3.StatusCode(codes.InvalidArgument),
 						},
-						Headers: []*envoy_api_v2_core.HeaderValueOption{
+						Headers: []*envoy_config_core_v3.HeaderValueOption{
 							mkHeader("Content-Type", "text/plain", false),
 						},
 						Body: "Access Denied",

authorize/grpc.go

@@ -24,11 +24,11 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/grpcutil"
 
-	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 )
 
 // Check implements the envoy auth server gRPC endpoint.
-func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v2.CheckRequest) (*envoy_service_auth_v2.CheckResponse, error) {
+func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
 	ctx, span := trace.StartSpan(ctx, "authorize.grpc.Check")
 	defer span.End()
 
@@ -179,7 +179,7 @@ func getForwardAuthURL(r *http.Request) *url.URL {
 }
 
 // isForwardAuth returns if the current request is a forward auth route.
-func (a *Authorize) isForwardAuth(req *envoy_service_auth_v2.CheckRequest) bool {
+func (a *Authorize) isForwardAuth(req *envoy_service_auth_v3.CheckRequest) bool {
 	opts := a.currentOptions.Load()
 
 	if opts.ForwardAuthURL == nil {
@@ -197,7 +197,7 @@ func (a *Authorize) isForwardAuth(req *envoy_service_auth_v2.CheckRequest) bool
 }
 
 func (a *Authorize) getEvaluatorRequestFromCheckRequest(
-	in *envoy_service_auth_v2.CheckRequest,
+	in *envoy_service_auth_v3.CheckRequest,
 	sessionState *sessions.State,
 ) (*evaluator.Request, error) {
 	requestURL := getCheckRequestURL(in)
@@ -261,7 +261,7 @@ func (a *Authorize) getMatchingPolicy(requestURL url.URL) *config.Policy {
 	return nil
 }
 
-func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v2.CheckRequest) *http.Request {
+func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v3.CheckRequest) *http.Request {
 	hattrs := req.GetAttributes().GetRequest().GetHttp()
 	u := getCheckRequestURL(req)
 	hreq := &http.Request{
@@ -278,7 +278,7 @@ func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v2.CheckRequest) *ht
 	return hreq
 }
 
-func getCheckRequestHeaders(req *envoy_service_auth_v2.CheckRequest) map[string]string {
+func getCheckRequestHeaders(req *envoy_service_auth_v3.CheckRequest) map[string]string {
 	hdrs := make(map[string]string)
 	ch := req.GetAttributes().GetRequest().GetHttp().GetHeaders()
 	for k, v := range ch {
@@ -287,7 +287,7 @@ func getCheckRequestHeaders(req *envoy_service_auth_v2.CheckRequest) map[string]
 	return hdrs
 }
 
-func getCheckRequestURL(req *envoy_service_auth_v2.CheckRequest) url.URL {
+func getCheckRequestURL(req *envoy_service_auth_v3.CheckRequest) url.URL {
 	h := req.GetAttributes().GetRequest().GetHttp()
 	u := url.URL{
 		Scheme: h.GetScheme(),
@@ -305,7 +305,7 @@ func getCheckRequestURL(req *envoy_service_auth_v2.CheckRequest) url.URL {
 }
 
 // getPeerCertificate gets the PEM-encoded peer certificate from the check request
-func getPeerCertificate(in *envoy_service_auth_v2.CheckRequest) string {
+func getPeerCertificate(in *envoy_service_auth_v3.CheckRequest) string {
 	// ignore the error as we will just return the empty string in that case
 	cert, _ := url.QueryUnescape(in.GetAttributes().GetSource().GetCertificate())
 	return cert
@@ -313,7 +313,7 @@ func getPeerCertificate(in *envoy_service_auth_v2.CheckRequest) string {
 
 func logAuthorizeCheck(
 	ctx context.Context,
-	in *envoy_service_auth_v2.CheckRequest,
+	in *envoy_service_auth_v3.CheckRequest,
 	reply *evaluator.Result,
 	u *user.User,
 ) {

authorize/grpc_test.go

@@ -6,7 +6,7 @@ import (
 	"net/url"
 	"testing"
 
-	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"github.com/golang/protobuf/ptypes"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/go-cmp/cmp/cmpopts"
@@ -63,13 +63,13 @@ func Test_getEvaluatorRequest(t *testing.T) {
 	})
 
 	actual, err := a.getEvaluatorRequestFromCheckRequest(
-		&envoy_service_auth_v2.CheckRequest{
-			Attributes: &envoy_service_auth_v2.AttributeContext{
-				Source: &envoy_service_auth_v2.AttributeContext_Peer{
+		&envoy_service_auth_v3.CheckRequest{
+			Attributes: &envoy_service_auth_v3.AttributeContext{
+				Source: &envoy_service_auth_v3.AttributeContext_Peer{
 					Certificate: url.QueryEscape(certPEM),
 				},
-				Request: &envoy_service_auth_v2.AttributeContext_Request{
-					Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+				Request: &envoy_service_auth_v3.AttributeContext_Request{
+					Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 						Id:     "id-1234",
 						Method: "GET",
 						Headers: map[string]string{
@@ -110,19 +110,19 @@ func Test_getEvaluatorRequest(t *testing.T) {
 func Test_handleForwardAuth(t *testing.T) {
 	tests := []struct {
 		name           string
-		checkReq       *envoy_service_auth_v2.CheckRequest
+		checkReq       *envoy_service_auth_v3.CheckRequest
 		forwardAuthURL string
 		want           bool
 	}{
 		{
 			name: "enabled",
-			checkReq: &envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Source: &envoy_service_auth_v2.AttributeContext_Peer{
+			checkReq: &envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Source: &envoy_service_auth_v3.AttributeContext_Peer{
 						Certificate: url.QueryEscape(certPEM),
 					},
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Method: "GET",
 							Path:   "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"),
 							Host:   "forward-auth.example.com",
@@ -142,13 +142,13 @@ func Test_handleForwardAuth(t *testing.T) {
 		},
 		{
 			name: "honor x-forwarded-uri set",
-			checkReq: &envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Source: &envoy_service_auth_v2.AttributeContext_Peer{
+			checkReq: &envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Source: &envoy_service_auth_v3.AttributeContext_Peer{
 						Certificate: url.QueryEscape(certPEM),
 					},
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Method: "GET",
 							Path:   "/",
 							Host:   "forward-auth.example.com",
@@ -167,13 +167,13 @@ func Test_handleForwardAuth(t *testing.T) {
 		},
 		{
 			name: "request with invalid forward auth url",
-			checkReq: &envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Source: &envoy_service_auth_v2.AttributeContext_Peer{
+			checkReq: &envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Source: &envoy_service_auth_v3.AttributeContext_Peer{
 						Certificate: url.QueryEscape(certPEM),
 					},
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Method: "GET",
 							Path:   "/verify?uri=" + url.QueryEscape("https://example.com?q=foo"),
 							Host:   "fake-forward-auth.example.com",
@@ -187,13 +187,13 @@ func Test_handleForwardAuth(t *testing.T) {
 		},
 		{
 			name: "request with invalid path",
-			checkReq: &envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Source: &envoy_service_auth_v2.AttributeContext_Peer{
+			checkReq: &envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Source: &envoy_service_auth_v3.AttributeContext_Peer{
 						Certificate: url.QueryEscape(certPEM),
 					},
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Method: "GET",
 							Path:   "/foo?uri=" + url.QueryEscape("https://example.com?q=foo"),
 							Host:   "forward-auth.example.com",
@@ -207,13 +207,13 @@ func Test_handleForwardAuth(t *testing.T) {
 		},
 		{
 			name: "request with empty uri",
-			checkReq: &envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Source: &envoy_service_auth_v2.AttributeContext_Peer{
+			checkReq: &envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Source: &envoy_service_auth_v3.AttributeContext_Peer{
 						Certificate: url.QueryEscape(certPEM),
 					},
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Method: "GET",
 							Path:   "/verify?uri=",
 							Host:   "forward-auth.example.com",
@@ -227,13 +227,13 @@ func Test_handleForwardAuth(t *testing.T) {
 		},
 		{
 			name: "request with invalid uri",
-			checkReq: &envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Source: &envoy_service_auth_v2.AttributeContext_Peer{
+			checkReq: &envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Source: &envoy_service_auth_v3.AttributeContext_Peer{
 						Certificate: url.QueryEscape(certPEM),
 					},
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Method: "GET",
 							Path:   "/verify?uri= http://example.com/foo",
 							Host:   "forward-auth.example.com",
@@ -279,13 +279,13 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
 		}},
 	})
 
-	actual, err := a.getEvaluatorRequestFromCheckRequest(&envoy_service_auth_v2.CheckRequest{
-		Attributes: &envoy_service_auth_v2.AttributeContext{
-			Source: &envoy_service_auth_v2.AttributeContext_Peer{
+	actual, err := a.getEvaluatorRequestFromCheckRequest(&envoy_service_auth_v3.CheckRequest{
+		Attributes: &envoy_service_auth_v3.AttributeContext{
+			Source: &envoy_service_auth_v3.AttributeContext_Peer{
 				Certificate: url.QueryEscape(certPEM),
 			},
-			Request: &envoy_service_auth_v2.AttributeContext_Request{
-				Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+			Request: &envoy_service_auth_v3.AttributeContext_Request{
+				Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 					Id:     "id-1234",
 					Method: "GET",
 					Headers: map[string]string{
@@ -473,25 +473,25 @@ func TestAuthorize_Check(t *testing.T) {
 	a.currentOptions.Store(&config.Options{ForwardAuthURL: mustParseURL("https://forward-auth.example.com")})
 
 	cmpOpts := []cmp.Option{
-		cmpopts.IgnoreUnexported(envoy_service_auth_v2.CheckResponse{}),
+		cmpopts.IgnoreUnexported(envoy_service_auth_v3.CheckResponse{}),
 		cmpopts.IgnoreUnexported(status.Status{}),
-		cmpopts.IgnoreTypes(envoy_service_auth_v2.DeniedHttpResponse{}),
+		cmpopts.IgnoreTypes(envoy_service_auth_v3.DeniedHttpResponse{}),
 	}
 	tests := []struct {
 		name    string
-		in      *envoy_service_auth_v2.CheckRequest
-		want    *envoy_service_auth_v2.CheckResponse
+		in      *envoy_service_auth_v3.CheckRequest
+		want    *envoy_service_auth_v3.CheckResponse
 		wantErr bool
 	}{
 		{
 			"basic deny",
-			&envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Source: &envoy_service_auth_v2.AttributeContext_Peer{
+			&envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Source: &envoy_service_auth_v3.AttributeContext_Peer{
 						Certificate: url.QueryEscape(certPEM),
 					},
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Id:     "id-1234",
 							Method: "GET",
 							Headers: map[string]string{
@@ -506,23 +506,23 @@ func TestAuthorize_Check(t *testing.T) {
 					},
 				},
 			},
-			&envoy_service_auth_v2.CheckResponse{
+			&envoy_service_auth_v3.CheckResponse{
 				Status: &status.Status{Code: 7, Message: "Access Denied"},
-				HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
-					DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{},
+				HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
+					DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{},
 				},
 			},
 			false,
 		},
 		{
 			"basic forward-auth deny",
-			&envoy_service_auth_v2.CheckRequest{
-				Attributes: &envoy_service_auth_v2.AttributeContext{
-					Source: &envoy_service_auth_v2.AttributeContext_Peer{
+			&envoy_service_auth_v3.CheckRequest{
+				Attributes: &envoy_service_auth_v3.AttributeContext{
+					Source: &envoy_service_auth_v3.AttributeContext_Peer{
 						Certificate: url.QueryEscape(certPEM),
 					},
-					Request: &envoy_service_auth_v2.AttributeContext_Request{
-						Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{
+					Request: &envoy_service_auth_v3.AttributeContext_Request{
+						Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
 							Method: "GET",
 							Path:   "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"),
 							Host:   "forward-auth.example.com",
@@ -531,10 +531,10 @@ func TestAuthorize_Check(t *testing.T) {
 					},
 				},
 			},
-			&envoy_service_auth_v2.CheckResponse{
+			&envoy_service_auth_v3.CheckResponse{
 				Status: &status.Status{Code: 7, Message: "Access Denied"},
-				HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{
-					DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{},
+				HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
+					DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{},
 				},
 			},
 			false,

authorize/session_test.go

@@ -5,7 +5,7 @@ import (
 	"regexp"
 	"testing"
 
-	envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
+	envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/pomerium/pomerium/config"
@@ -25,10 +25,10 @@ func TestLoadSession(t *testing.T) {
 		return
 	}
 
-	load := func(t *testing.T, hattrs *envoy_service_auth_v2.AttributeContext_HttpRequest) (*sessions.State, error) {
-		req := getHTTPRequestFromCheckRequest(&envoy_service_auth_v2.CheckRequest{
-			Attributes: &envoy_service_auth_v2.AttributeContext{
-				Request: &envoy_service_auth_v2.AttributeContext_Request{
+	load := func(t *testing.T, hattrs *envoy_service_auth_v3.AttributeContext_HttpRequest) (*sessions.State, error) {
+		req := getHTTPRequestFromCheckRequest(&envoy_service_auth_v3.CheckRequest{
+			Attributes: &envoy_service_auth_v3.AttributeContext{
+				Request: &envoy_service_auth_v3.AttributeContext_Request{
 					Http: hattrs,
 				},
 			},
@@ -56,7 +56,7 @@ func TestLoadSession(t *testing.T) {
 		}
 		cookie := regexp.MustCompile(`^([^;]+)(;.*)?$`).ReplaceAllString(hdrs["Set-Cookie"], "$1")
 
-		hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{
+		hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{
 			Id:     "req-1",
 			Method: "GET",
 			Headers: map[string]string{
@@ -71,7 +71,7 @@ func TestLoadSession(t *testing.T) {
 		assert.NotNil(t, sess)
 	})
 	t.Run("header", func(t *testing.T) {
-		hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{
+		hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{
 			Id:     "req-1",
 			Method: "GET",
 			Headers: map[string]string{
@@ -86,7 +86,7 @@ func TestLoadSession(t *testing.T) {
 		assert.NotNil(t, sess)
 	})
 	t.Run("query param", func(t *testing.T) {
-		hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{
+		hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{
 			Id:     "req-1",
 			Method: "GET",
 			Path: "/hello/world?" + url.Values{