3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 02:16:28 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/pkg/grpc/config/config.proto
Kenneth Jenkins 21b9e7890c
authorize: add filter options for JWT groups (#5417) 
Add a new option for filtering to a subset of directory groups in the
Pomerium JWT and Impersonate-Group headers. Add a JWTGroupsFilter field
to both the Options struct (for a global filter) and to the Policy
struct (for per-route filter). These will be populated only from the
config protos, and not from a config file.

If either filter is set, then for each of a user's groups, the group
name or group ID will be added to the JWT groups claim only if it is an
exact string match with one of the elements of either filter.
2025-01-08 13:57:57 -08:00

286 lines
9.6 KiB
Protocol Buffer
Raw Blame History

syntax = "proto3";
package pomerium.config;
option go_package = "github.com/pomerium/pomerium/pkg/grpc/config";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "envoy/config/cluster/v3/cluster.proto";
import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";
message Config {
string name = 1;
repeated Route routes = 2;
Settings settings = 3;
}
message RouteRewriteHeader {
string header = 1;
oneof matcher { string prefix = 3; }
string value = 2;
}
message RouteRedirect {
optional bool https_redirect = 1;
optional string scheme_redirect = 2;
optional string host_redirect = 3;
optional uint32 port_redirect = 4;
optional string path_redirect = 5;
optional string prefix_rewrite = 6;
optional int32 response_code = 7;
optional bool strip_query = 8;
}
message RouteDirectResponse {
uint32 status = 1;
string body = 2;
}
enum IssuerFormat {
// Issuer strings will be the hostname of the route, with no scheme or
// trailing slash.
IssuerHostOnly = 0;
// Issuer strings will be a complete URI, including the scheme and ending
// with a trailing slash.
IssuerURI = 1;
}
// Next ID: 67.
message Route {
string name = 1;
string from = 2;
repeated string to = 3;
RouteRedirect redirect = 34;
RouteDirectResponse response = 62;
// https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto#envoy-v3-api-msg-config-endpoint-v3-lbendpoint
// optional load balancing weights assigned to upstream servers defined in TO
// if not specified, all upstream servers would be assigned the same weight
// if provided, load_balancing_weights[i] >= 1 and len(to) ==
// len(load_balancing_weights)
repeated uint32 load_balancing_weights = 37;
repeated string allowed_users = 4 [ deprecated = true ];
// repeated string allowed_groups = 5 [ deprecated = true ];
repeated string allowed_domains = 6 [ deprecated = true ];
map<string, google.protobuf.ListValue> allowed_idp_claims = 32
[ deprecated = true ];
string prefix = 7;
string path = 8;
string regex = 9;
string prefix_rewrite = 29;
string regex_rewrite_pattern = 30;
string regex_rewrite_substitution = 31;
optional int64 regex_priority_order = 61;
bool cors_allow_preflight = 10;
bool allow_public_unauthenticated_access = 11;
bool allow_any_authenticated_user = 33;
google.protobuf.Duration timeout = 12;
google.protobuf.Duration idle_timeout = 43;
bool allow_websockets = 13;
bool allow_spdy = 44;
bool tls_skip_verify = 14;
string tls_server_name = 15;
string tls_upstream_server_name = 57;
string tls_downstream_server_name = 58;
string tls_custom_ca = 16;
string tls_custom_ca_file = 17;
string tls_client_cert = 18;
string tls_client_key = 19;
string tls_client_cert_file = 20;
string tls_client_key_file = 21;
string tls_downstream_client_ca = 38;
string tls_downstream_client_ca_file = 39;
bool tls_upstream_allow_renegotiation = 60;
map<string, string> set_request_headers = 22;
repeated string remove_request_headers = 23;
map<string, string> set_response_headers = 41;
repeated RouteRewriteHeader rewrite_response_headers = 40;
// AuthorizationHeaderMode set_authorization_header = 54;
bool preserve_host_header = 24;
optional bool pass_identity_headers = 25;
string kubernetes_service_account_token = 26;
string kubernetes_service_account_token_file = 64;
bool enable_google_cloud_serverless_authentication = 42;
IssuerFormat jwt_issuer_format = 65;
repeated string jwt_groups_filter = 66;
envoy.config.cluster.v3.Cluster envoy_opts = 36;
repeated Policy policies = 27;
repeated PPLPolicy ppl_policies = 63;
string id = 28;
optional string host_rewrite = 50;
optional string host_rewrite_header = 51;
optional string host_path_regex_rewrite_pattern = 52;
optional string host_path_regex_rewrite_substitution = 53;
optional string idp_client_id = 55;
optional string idp_client_secret = 56;
bool show_error_details = 59;
}
message PPLPolicy { bytes raw = 1; }
message Policy {
string id = 1;
string name = 2;
repeated string allowed_users = 3;
// repeated string allowed_groups = 4;
repeated string allowed_domains = 5;
map<string, google.protobuf.ListValue> allowed_idp_claims = 7;
repeated string rego = 6;
string explanation = 8;
string remediation = 9;
}
// Next ID: 120.
message Settings {
message Certificate {
bytes cert_bytes = 3;
bytes key_bytes = 4;
string id = 5;
}
message StringList { repeated string values = 1; }
optional string installation_id = 71;
optional string log_level = 3;
optional StringList access_log_fields = 114;
optional StringList authorize_log_fields = 115;
optional string proxy_log_level = 4;
optional string shared_secret = 5;
optional string services = 6;
optional string address = 7;
optional bool insecure_server = 8;
optional string dns_lookup_family = 60;
repeated Certificate certificates = 9;
optional string http_redirect_addr = 10;
optional google.protobuf.Duration timeout_read = 11;
optional google.protobuf.Duration timeout_write = 12;
optional google.protobuf.Duration timeout_idle = 13;
optional string authenticate_service_url = 14;
optional string authenticate_internal_service_url = 82;
optional string signout_redirect_url = 93;
optional string authenticate_callback_path = 15;
optional string cookie_name = 16;
optional string cookie_secret = 17;
optional string cookie_domain = 18;
// optional bool cookie_secure = 19;
optional bool cookie_http_only = 20;
optional google.protobuf.Duration cookie_expire = 21;
optional string cookie_same_site = 113;
optional string idp_client_id = 22;
optional string idp_client_secret = 23;
optional string idp_provider = 24;
optional string idp_provider_url = 25;
repeated string scopes = 26;
// optional string idp_service_account = 27;
// optional google.protobuf.Duration idp_refresh_directory_timeout = 28;
// optional google.protobuf.Duration idp_refresh_directory_interval = 29;
map<string, string> request_params = 30;
repeated string authorize_service_urls = 32;
optional string authorize_internal_service_url = 83;
optional string override_certificate_name = 33;
optional string certificate_authority = 34;
optional string derive_tls = 96;
optional string signing_key = 36;
map<string, string> set_response_headers = 69;
// repeated string jwt_claims_headers = 37;
map<string, string> jwt_claims_headers = 63;
repeated string jwt_groups_filter = 119;
optional google.protobuf.Duration default_upstream_timeout = 39;
optional string metrics_address = 40;
optional string metrics_basic_auth = 64;
optional Certificate metrics_certificate = 65;
optional string metrics_client_ca = 66;
optional string tracing_provider = 41;
optional double tracing_sample_rate = 42;
optional string tracing_datadog_address = 98;
optional string tracing_jaeger_collector_endpoint = 43;
optional string tracing_jaeger_agent_endpoint = 44;
optional string tracing_zipkin_endpoint = 45;
optional string grpc_address = 46;
optional bool grpc_insecure = 47;
optional google.protobuf.Duration grpc_client_timeout = 99;
reserved 100; // grpc_client_dns_roundrobin
// optional string forward_auth_url = 50;
repeated string databroker_service_urls = 52;
optional string databroker_internal_service_url = 84;
optional string databroker_storage_type = 101;
optional string databroker_storage_connection_string = 102;
reserved 106; // databroker_storage_tls_skip_verify
optional DownstreamMtlsSettings downstream_mtls = 116;
// optional string client_ca = 53;
// optional string client_crl = 74;
optional string google_cloud_serverless_authentication_service_account = 55;
optional bool use_proxy_protocol = 107;
optional bool autocert = 56;
optional string autocert_ca = 76;
optional string autocert_email = 77;
optional bool autocert_use_staging = 57;
optional string autocert_eab_key_id = 78;
optional string autocert_eab_mac_key = 79;
optional bool autocert_must_staple = 58;
optional string autocert_dir = 59;
optional string autocert_trusted_ca = 80;
optional bool skip_xff_append = 61;
optional uint32 xff_num_trusted_hops = 70;
optional string envoy_admin_access_log_path = 108;
optional string envoy_admin_profile_path = 109;
optional string envoy_admin_address = 110;
optional string envoy_bind_config_source_address = 111;
optional bool envoy_bind_config_freebind = 112;
repeated string programmatic_redirect_domain_whitelist = 68;
optional envoy.extensions.filters.network.http_connection_manager.v3
.HttpConnectionManager.CodecType codec_type = 73;
// optional pomerium.crypt.PublicKeyEncryptionKey audit_key = 72;
optional string primary_color = 85;
optional string secondary_color = 86;
optional string darkmode_primary_color = 87;
optional string darkmode_secondary_color = 88;
optional string logo_url = 89;
optional string favicon_url = 90;
optional string error_message_first_paragraph = 91;
optional bool pass_identity_headers = 117;
map<string, bool> runtime_flags = 118;
}
message DownstreamMtlsSettings {
optional string ca = 1;
optional string crl = 2;
optional MtlsEnforcementMode enforcement = 3;
repeated SANMatcher match_subject_alt_names = 4;
optional uint32 max_verify_depth = 5;
}
enum MtlsEnforcementMode {
UNKNOWN = 0;
POLICY = 1;
POLICY_WITH_DEFAULT_DENY = 2;
REJECT_CONNECTION = 3;
}
message SANMatcher {
enum SANType {
SAN_TYPE_UNSPECIFIED = 0;
EMAIL = 1;
DNS = 2;
URI = 3;
IP_ADDRESS = 4;
USER_PRINCIPAL_NAME = 5;
}
SANType san_type = 1;
string pattern = 2;
}
Reference in a new issue View git blame Copy permalink