authz_filter: configuration to support Ambassador authorization flow

docs/BUILD

@@ -26,7 +26,7 @@ proto_library(
         "//envoy/config/bootstrap/v2:bootstrap",
         "//envoy/config/filter/accesslog/v2:accesslog",
         "//envoy/config/filter/http/buffer/v2:buffer",
-        "//envoy/config/filter/http/ext_authz/v2:ext_authz",
+        "//envoy/config/filter/http/ext_authz/v2alpha:ext_authz",
         "//envoy/config/filter/http/fault/v2:fault",
         "//envoy/config/filter/http/gzip/v2:gzip",
         "//envoy/config/filter/http/health_check/v2:health_check",

envoy/config/filter/http/ext_authz/v2/BUILD → envoy/config/filter/http/ext_authz/v2alpha/BUILD

@@ -5,5 +5,8 @@ licenses(["notice"])  # Apache 2
 api_proto_library(
     name = "ext_authz",
     srcs = ["ext_authz.proto"],
-    deps = ["//envoy/api/v2/core:grpc_service"],
+    deps = [
+        "//envoy/api/v2/core:grpc_service",
+        "//envoy/api/v2/core:http_uri",
+    ],
 )

envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto

@@ -0,0 +1,41 @@
+syntax = "proto3";
+
+package envoy.config.filter.http.ext_authz.v2alpha;
+option go_package = "v2";
+
+import "envoy/api/v2/core/grpc_service.proto";
+import "envoy/api/v2/core/http_uri.proto";
+
+import "google/protobuf/duration.proto";
+import "gogoproto/gogo.proto";
+
+// The external authorization HTTP service configuration.
+message HttpService {
+  // Sets the HTTP server URI which the authorization requests must be sent to.
+  envoy.api.v2.core.HttpUri server_uri = 1;
+
+  // Sets the time, in milliseconds, within the service should respond to an authorization
+  // request.
+  google.protobuf.Duration timeout = 2 [(gogoproto.stdduration) = true];
+
+  // Sets an optional prefix to the value of authorization request header `path`.
+  string path_prefix = 3;
+}
+
+message ExtAuthz {
+
+  oneof services {
+    // The external authorization gRPC service configuration.
+    envoy.api.v2.core.GrpcService grpc_service = 1;
+
+    // The external authorization HTTP service configuration.
+    HttpService http_service = 3;
+  }
+
+  // The filter's behaviour in case the external authorization service does
+  // not respond back. If set to true then in case of failure to get a
+  // response back from the authorization service or getting a response that
+  // is NOT denied then traffic will be permitted.
+  // Defaults to false.
+  bool failure_mode_allow = 2;
+}

envoy/service/auth/v2/attribute_context.proto → envoy/service/auth/v2alpha/attribute_context.proto

@@ -2,7 +2,7 @@ syntax = "proto3";
 
 // [#proto-status: draft]
 
-package envoy.service.auth.v2;
+package envoy.service.auth.v2alpha;
 
 import "envoy/api/v2/core/address.proto";
 

envoy/service/auth/v2/external_auth.proto → envoy/service/auth/v2alpha/external_auth.proto

@@ -2,13 +2,14 @@ syntax = "proto3";
 
 // [#proto-status: draft]
 
-package envoy.service.auth.v2;
+package envoy.service.auth.v2alpha;
 option go_package = "v2";
 option java_generic_services = true;
 
-import "envoy/service/auth/v2/attribute_context.proto";
+import "envoy/service/auth/v2alpha/attribute_context.proto";
 
 import "google/rpc/status.proto";
+import "validate/validate.proto";
 
 // A generic interface for performing authorization check on incoming
 // requests to a networked service.
@@ -26,4 +27,18 @@ message CheckRequest {
 message CheckResponse {
   // Status `OK` allows the request. Any other status indicates the request should be denied.
   google.rpc.Status status = 1;
+
+  // An optional message that contains HTTP response attributes. This message is
+  // used when the authorization service needs to send custom responses to the
+  // downstream client or, to modify/add request headers being dispatched to the upstream.
+  message HttpResponse {
+    // Http status code.
+    uint32 status_code = 1 [(validate.rules).uint32 = {gte: 100, lt: 600}];
+
+    // Http entity headers.
+    map<string, string> headers = 2;
+
+    // Http entity body.
+    string body = 3;
+  }
 }