rbac: add metadata support to rbac filter

api/docs/BUILD

@@ -65,5 +65,8 @@ proto_library(
         "//envoy/service/metrics/v2:metrics_service",
         "//envoy/type:percent",
         "//envoy/type:range",
+        "//envoy/type/matcher:metadata",
+        "//envoy/type/matcher:number",
+        "//envoy/type/matcher:string",
     ],
 )

api/envoy/config/rbac/v2alpha/BUILD

@@ -9,7 +9,7 @@ api_proto_library(
     deps = [
         "//envoy/api/v2/core:address",
         "//envoy/api/v2/route",
-        "//envoy/type:string_match",
+        "//envoy/type/matcher:metadata",
     ],
 )
 
@@ -19,6 +19,6 @@ api_go_proto_library(
     deps = [
         "//envoy/api/v2/core:address_go_proto",
         "//envoy/api/v2/route:route_go_proto",
-        "//envoy/type:string_match_go_proto",
+        "//envoy/type/matcher:metadata_go_proto",
     ],
 )

api/envoy/config/rbac/v2alpha/rbac.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 import "validate/validate.proto";
 import "envoy/api/v2/core/address.proto";
 import "envoy/api/v2/route/route.proto";
+import "envoy/type/matcher/metadata.proto";
 
 package envoy.config.rbac.v2alpha;
 option go_package = "v2alpha";
@@ -111,6 +112,9 @@ message Permission {
 
     // A port number that describes the destination port connecting to.
     uint32 destination_port = 6 [(validate.rules).uint32.lte = 65535];
+
+    // A metadata that describes additional information about the action.
+    envoy.type.matcher.MetadataMatcher metadata = 7;
   }
 }
 
@@ -150,5 +154,8 @@ message Principal {
 
     // A header (or psuedo-header such as :path or :method) on the incoming HTTP request.
     envoy.api.v2.route.HeaderMatcher header = 6;
+
+    // A metadata that describes additional information about the principal.
+    envoy.type.matcher.MetadataMatcher metadata = 7;
   }
 }

api/envoy/type/BUILD

@@ -23,14 +23,3 @@ api_go_proto_library(
     name = "range",
     proto = ":range",
 )
-
-api_proto_library(
-    name = "string_match",
-    srcs = ["string_match.proto"],
-    visibility = ["//visibility:public"],
-)
-
-api_go_proto_library(
-    name = "string_match",
-    proto = ":string_match",
-)

api/envoy/type/matcher/BUILD

@@ -0,0 +1,50 @@
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "metadata",
+    srcs = ["metadata.proto"],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":number",
+        ":string",
+    ],
+)
+
+api_go_proto_library(
+    name = "metadata",
+    proto = ":metadata",
+    deps = [
+        ":number_go_proto",
+        ":string_go_proto",
+    ],
+)
+
+api_proto_library(
+    name = "number",
+    srcs = ["number.proto"],
+    visibility = ["//visibility:public"],
+    deps = [
+        "//envoy/type:range",
+    ],
+)
+
+api_go_proto_library(
+    name = "number",
+    proto = ":number",
+    deps = [
+        "//envoy/type:range_go_proto",
+    ],
+)
+
+api_proto_library(
+    name = "string",
+    srcs = ["string.proto"],
+    visibility = ["//visibility:public"],
+)
+
+api_go_proto_library(
+    name = "string",
+    proto = ":string",
+)

api/envoy/type/matcher/metadata.proto

@@ -0,0 +1,73 @@
+syntax = "proto3";
+
+package envoy.type.matcher;
+option go_package = "matcher";
+
+import "envoy/type/matcher/string.proto";
+import "envoy/type/matcher/number.proto";
+
+import "validate/validate.proto";
+
+// [#protodoc-title: MetadataMatcher]
+
+// MetadataMatcher provides a general interface to check if a given value is matched in
+// :ref:`Metadata <envoy_api_msg_core.Metadata>`. It uses `filter` and `path` to retrieve the value
+// from the Metadata and then check if it's matched to one of the specified values.
+//
+// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to
+// enforce access control based on dynamic metadata in a request.
+message MetadataMatcher {
+  // Specifies the segment in a path to retrieve value from Metadata.
+  // Note: Array is not supported for now and will result a not match directly.
+  message PathSegment {
+    oneof segment {
+      option (validate.required) = true;
+
+      // If specified, use the key to retrieve the value in a Struct.
+      string key = 1 [(validate.rules).string.min_bytes = 1];
+    }
+  }
+
+  // Specifies the value to match. Only primitive value is supported. For non-primitive value, the
+  // result is always not matched.
+  message Value {
+    // NullMatch is an empty message to specify a null value.
+    message NullMatch {
+    }
+
+    // Specifies how to match a value. Only have effect on primitive value.
+    oneof match_pattern {
+      option (validate.required) = true;
+
+      // If specified, it's matched if and only if the target value is a NullValue.
+      NullMatch null_match = 1;
+
+      // If specified, it's matched if and only if the target value is a double value and is matched
+      // to this field.
+      DoubleMatcher double_match = 2;
+
+      // If specified, it's matched if and only if the target value is a string value and is matched
+      // to this field.
+      StringMatcher string_match = 3;
+
+      // If specified, it's matched if and only if the target value is a bool value and is equal to
+      // this field.
+      bool bool_match = 4;
+
+      // If specified, value match will be performed based on whether the path is referring to a
+      // valid primitive value in the metadata. If the path is referring to a non-primitive value,
+      // the result is always not matched.
+      bool present_match = 5;
+    }
+  }
+
+  // Required. The filter name to retrieve the Struct from the Metadata.
+  string filter = 1 [(validate.rules).string.min_bytes = 1];
+
+  // Required. The path to retrieve the Value from the Struct.
+  repeated PathSegment path = 2 [(validate.rules).repeated .min_items = 1];
+
+  // Required. A set of values to match. The MetadataMatcher is matched if at least one value is
+  // matched, in other words, it's matched with OR semantics.
+  repeated Value values = 3 [(validate.rules).repeated .min_items = 1];
+}

api/envoy/type/matcher/number.proto

@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package envoy.type.matcher;
+option go_package = "matcher";
+
+import "envoy/type/range.proto";
+
+import "validate/validate.proto";
+
+// [#protodoc-title: NumberMatcher]
+
+// Specifies the way to match a double value.
+message DoubleMatcher {
+  oneof match_pattern {
+    option (validate.required) = true;
+
+    // If specified, the input double value must be in the range specified here.
+    envoy.type.DoubleRange range = 1;
+
+    // If specified, the input double value must be equal to the value specified here.
+    double exact = 2;
+  }
+}

api/envoy/type/matcher/string.proto

@@ -0,0 +1,49 @@
+syntax = "proto3";
+
+package envoy.type.matcher;
+option go_package = "matcher";
+
+import "validate/validate.proto";
+
+// [#protodoc-title: StringMatcher]
+
+// Specifies the way to match a string.
+message StringMatcher {
+  oneof match_pattern {
+    option (validate.required) = true;
+
+    // The input string must match exactly the string specified here.
+    //
+    // Examples:
+    //
+    // * *abc* only matches the value *abc*.
+    string exact = 1;
+
+    // The input string must have the prefix specified here.
+    // Note: empty prefix is not allowed, please use regex instead.
+    //
+    // Examples:
+    //
+    // * *abc* matches the value *abc.xyz*
+    string prefix = 2 [(validate.rules).string.min_bytes = 1];
+
+    // The input string must have the suffix specified here.
+    // Note: empty prefix is not allowed, please use regex instead.
+    //
+    // Examples:
+    //
+    // * *abc* matches the value *xyz.abc*
+    string suffix = 3 [(validate.rules).string.min_bytes = 1];
+
+    // The input string must match the regular expression specified here.
+    // The regex grammar is defined `here
+    // <http://en.cppreference.com/w/cpp/regex/ecmascript>`_.
+    //
+    // Examples:
+    //
+    // * The regex *\d{3}* matches the value *123*
+    // * The regex *\d{3}* does not match the value *1234*
+    // * The regex *\d{3}* does not match the value *123.456*
+    string regex = 4;
+  }
+}

api/envoy/type/range.proto

@@ -18,3 +18,13 @@ message Int64Range {
   // end of the range (exclusive)
   int64 end = 2;
 }
+
+// Specifies the double start and end of the range using half-open interval semantics [start,
+// end).
+message DoubleRange {
+  // start of the range (inclusive)
+  double start = 1;
+
+  // end of the range (exclusive)
+  double end = 2;
+}

docs/build.sh

@@ -107,6 +107,9 @@ PROTO_RST="
   /envoy/service/auth/v2alpha/external_auth/envoy/service/auth/v2alpha/external_auth.proto.rst
   /envoy/type/percent/envoy/type/percent.proto.rst
   /envoy/type/range/envoy/type/range.proto.rst
+  /envoy/type/matcher/metadata/envoy/type/matcher/metadata.proto.rst
+  /envoy/type/matcher/number/envoy/type/matcher/number.proto.rst
+  /envoy/type/matcher/string/envoy/type/matcher/string.proto.rst
 "
 
 # Dump all the generated RST so they can be added to PROTO_RST easily.

docs/root/api-v2/types/types.rst

@@ -7,3 +7,6 @@ Types
 
   ../type/percent.proto
   ../type/range.proto
+  ../type/matcher/metadata.proto
+  ../type/matcher/number.proto
+  ../type/matcher/string.proto

source/common/common/BUILD

@@ -113,6 +113,20 @@ envoy_cc_library(
     hdrs = ["macros.h"],
 )
 
+envoy_cc_library(
+    name = "matchers_lib",
+    srcs = ["matchers.cc"],
+    hdrs = ["matchers.h"],
+    deps = [
+        ":utility_lib",
+        "//source/common/config:metadata_lib",
+        "//source/common/protobuf",
+        "@envoy_api//envoy/type/matcher:metadata_cc",
+        "@envoy_api//envoy/type/matcher:number_cc",
+        "@envoy_api//envoy/type/matcher:string_cc",
+    ],
+)
+
 envoy_cc_library(
     name = "non_copyable",
     hdrs = ["non_copyable.h"],