JWTRule add allow field to specify jwt requirements

istio · Mar 17, 2023 · 293498c · 293498c
1 parent 2516db5
commit 293498c
Show file tree

Hide file tree

Showing 10 changed files with 405 additions and 49 deletions.
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
diff --git a/proto.lock b/proto.lock
@@ -44233,6 +44233,20 @@
     {
       "protopath": "security:/:v1:/:jwt.proto",
       "def": {
+        "enums": [
+          {
+            "name": "JWTRule.Allow",
+            "enum_fields": [
+              {
+                "name": "ALLOW_MISSING"
+              },
+              {
+                "name": "ALLOW_MISSING_OR_FAILED",
+                "integer": 1
+              }
+            ]
+          }
+        ],
         "messages": [
           {
             "name": "JWTRule",
@@ -44291,6 +44305,11 @@
                 "name": "output_claim_to_headers",
                 "type": "ClaimToHeader",
                 "is_repeated": true
+              },
+              {
+                "id": 12,
+                "name": "allow",
+                "type": "Allow"
               }
             ]
           },
@@ -44729,6 +44748,20 @@
     {
       "protopath": "security:/:v1beta1:/:jwt.proto",
       "def": {
+        "enums": [
+          {
+            "name": "JWTRule.Allow",
+            "enum_fields": [
+              {
+                "name": "ALLOW_MISSING"
+              },
+              {
+                "name": "ALLOW_MISSING_OR_FAILED",
+                "integer": 1
+              }
+            ]
+          }
+        ],
         "messages": [
           {
             "name": "JWTRule",
@@ -44787,6 +44820,11 @@
                 "name": "output_claim_to_headers",
                 "type": "ClaimToHeader",
                 "is_repeated": true
+              },
+              {
+                "id": 12,
+                "name": "allow",
+                "type": "Allow"
               }
             ]
           },

diff --git a/security/v1/jwt.pb.go b/security/v1/jwt.pb.go
diff --git a/security/v1/jwt.pb.html b/security/v1/jwt.pb.html
diff --git a/security/v1/jwt.proto b/security/v1/jwt.proto
@@ -162,6 +162,25 @@ message JWTRule {
   // ```
   // [Experimental] This feature is a experimental feature.
   repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.]
+
+  // Allow specifies a Jwt requirement.
+  enum Allow {
+    // The requirement is satisfied if JWT is missing, but failed if JWT is
+    // presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used
+    // to only verify JWTs and pass the verified payload to another filter. The
+    // different is this mode will reject requests with invalid tokens.
+    // This is the default behavior.
+    ALLOW_MISSING = 0;
+
+    // The requirement is always satisfied even if JWT is missing or the JWT
+    // verification fails. A typical usage is: this filter is used to only verify
+    // JWTs and pass the verified JWT payloads to another filter, the other filter
+    // will make decision. In this mode, all JWT tokens will be verified.
+    ALLOW_MISSING_OR_FAILED = 1;
+  }
+
+  // Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING.
+  Allow allow = 12;
 }
 
 // This message specifies a header location to extract JWT token.

diff --git a/security/v1beta1/jwt.gen.json b/security/v1beta1/jwt.gen.json