diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 7c2948565d2..ef811bbc852 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -6769,6 +6769,12 @@ spec: selected workloads' proxy. items: properties: + allow: + description: Allow specifies a Jwt requirement. + enum: + - ALLOW_MISSING + - ALLOW_MISSING_OR_FAILED + type: string audiences: items: type: string @@ -6853,6 +6859,12 @@ spec: selected workloads' proxy. items: properties: + allow: + description: Allow specifies a Jwt requirement. + enum: + - ALLOW_MISSING + - ALLOW_MISSING_OR_FAILED + type: string audiences: items: type: string diff --git a/proto.lock b/proto.lock index 6e07cbcf0da..a3b51b988d0 100644 --- a/proto.lock +++ b/proto.lock @@ -44233,6 +44233,20 @@ { "protopath": "security:/:v1:/:jwt.proto", "def": { + "enums": [ + { + "name": "JWTRule.Allow", + "enum_fields": [ + { + "name": "ALLOW_MISSING" + }, + { + "name": "ALLOW_MISSING_OR_FAILED", + "integer": 1 + } + ] + } + ], "messages": [ { "name": "JWTRule", @@ -44291,6 +44305,11 @@ "name": "output_claim_to_headers", "type": "ClaimToHeader", "is_repeated": true + }, + { + "id": 12, + "name": "allow", + "type": "Allow" } ] }, @@ -44729,6 +44748,20 @@ { "protopath": "security:/:v1beta1:/:jwt.proto", "def": { + "enums": [ + { + "name": "JWTRule.Allow", + "enum_fields": [ + { + "name": "ALLOW_MISSING" + }, + { + "name": "ALLOW_MISSING_OR_FAILED", + "integer": 1 + } + ] + } + ], "messages": [ { "name": "JWTRule", @@ -44787,6 +44820,11 @@ "name": "output_claim_to_headers", "type": "ClaimToHeader", "is_repeated": true + }, + { + "id": 12, + "name": "allow", + "type": "Allow" } ] }, diff --git a/security/v1/jwt.pb.go b/security/v1/jwt.pb.go index 383ca6a256d..87b525c2544 100644 --- a/security/v1/jwt.pb.go +++ b/security/v1/jwt.pb.go 
@@ -41,6 +41,62 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// Allow specifies a Jwt requirement. +type JWTRule_Allow int32 + +const ( + // The requirement is satisfied if JWT is missing, but failed if JWT is + // presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used + // to only verify JWTs and pass the verified payload to another filter. The + // different is this mode will reject requests with invalid tokens. + // This is the default behavior. + JWTRule_ALLOW_MISSING JWTRule_Allow = 0 + // The requirement is always satisfied even if JWT is missing or the JWT + // verification fails. A typical usage is: this filter is used to only verify + // JWTs and pass the verified JWT payloads to another filter, the other filter + // will make decision. In this mode, all JWT tokens will be verified. + JWTRule_ALLOW_MISSING_OR_FAILED JWTRule_Allow = 1 +) + +// Enum value maps for JWTRule_Allow. +var ( + JWTRule_Allow_name = map[int32]string{ + 0: "ALLOW_MISSING", + 1: "ALLOW_MISSING_OR_FAILED", + } + JWTRule_Allow_value = map[string]int32{ + "ALLOW_MISSING": 0, + "ALLOW_MISSING_OR_FAILED": 1, + } +) + +func (x JWTRule_Allow) Enum() *JWTRule_Allow { + p := new(JWTRule_Allow) + *p = x + return p +} + +func (x JWTRule_Allow) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (JWTRule_Allow) Descriptor() protoreflect.EnumDescriptor { + return file_security_v1_jwt_proto_enumTypes[0].Descriptor() +} + +func (JWTRule_Allow) Type() protoreflect.EnumType { + return &file_security_v1_jwt_proto_enumTypes[0] +} + +func (x JWTRule_Allow) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use JWTRule_Allow.Descriptor instead. +func (JWTRule_Allow) EnumDescriptor() ([]byte, []int) { + return file_security_v1_jwt_proto_rawDescGZIP(), []int{0, 0} +} + // 
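Review bot: The doc comment on `JWTRule_ALLOW_MISSING_OR_FAILED` is self-contradictory and under-states the security consequence: its first sentence says the requirement is satisfied even when verification fails, but the closing sentence "In this mode, all JWT tokens will be verified" reads as if invalid tokens are still rejected. Given that the CRD text in this change describes the rule as applied on the selected workloads' proxy, this mode is fail-open at the JWT layer — a request carrying an expired, mis-signed or wrong-issuer token is forwarded just like one with no token, and nothing in this hunk shows the forwarded request carrying any marker of that failure, so whatever "other filter" makes the decision must not treat the mere presence of a token as proof of identity. I would replace that closing sentence with `// Every presented token is still verified, but a failed verification does NOT reject the request: it proceeds without a validated principal, so access must be gated by a separate policy (fail-open at this layer).` and fix the typo `The different is` → `The difference is` on the `ALLOW_MISSING` value. Both comments are emitted by protoc from `security/v1/jwt.proto` (not in this chunk), so the wording fix belongs there followed by regeneration; editing the `.pb.go` directly would be overwritten.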
@@ -168,6 +224,8 @@ type JWTRule struct { // ``` // [Experimental] This feature is a experimental feature. OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] + // Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING. + Allow JWTRule_Allow `protobuf:"varint,12,opt,name=allow,proto3,enum=istio.security.v1.JWTRule_Allow" json:"allow,omitempty"` } func (x *JWTRule) Reset() { @@ -265,6 +323,13 @@ func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { return nil } +func (x *JWTRule) GetAllow() JWTRule_Allow { + if x != nil { + return x.Allow + } + return JWTRule_ALLOW_MISSING +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState @@ -391,7 +456,7 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, - 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9d, 0x03, 0x0a, 0x07, + 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8e, 0x04, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 
@@ -417,17 +482,24 @@ var file_security_v1_jwt_proto_rawDesc = []byte{ 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x43, 0x6c, 0x61, - 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x22, 0x3c, 0x0a, 0x09, 0x4a, - 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, - 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, - 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, - 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, - 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x36, 0x0a, 0x05, 0x61, + 0x6c, 0x6c, 0x6f, 0x77, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, + 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, + 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x2e, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x52, 0x05, 0x61, 0x6c, + 0x6c, 0x6f, 0x77, 0x22, 0x37, 0x0a, 0x05, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x12, 0x11, 0x0a, 0x0d, + 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x4e, 0x47, 0x10, 0x00, 
0x12, + 0x1b, 0x0a, 0x17, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x5f, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x4e, 0x47, + 0x5f, 0x4f, 0x52, 0x5f, 0x46, 0x41, 0x49, 0x4c, 0x45, 0x44, 0x10, 0x01, 0x22, 0x3c, 0x0a, 0x09, + 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, + 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, + 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, + 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, + 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, + 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -442,20 +514,23 @@ func file_security_v1_jwt_proto_rawDescGZIP() []byte { return file_security_v1_jwt_proto_rawDescData } +var file_security_v1_jwt_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_security_v1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1.JWTHeader - (*ClaimToHeader)(nil), // 2: istio.security.v1.ClaimToHeader + (JWTRule_Allow)(0), // 0: istio.security.v1.JWTRule.Allow + (*JWTRule)(nil), // 1: istio.security.v1.JWTRule + (*JWTHeader)(nil), // 2: istio.security.v1.JWTHeader + (*ClaimToHeader)(nil), // 3: istio.security.v1.ClaimToHeader } var file_security_v1_jwt_proto_depIdxs = []int32{ - 1, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader - 2, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 2, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader + 3, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader + 0, // 2: istio.security.v1.JWTRule.allow:type_name -> istio.security.v1.JWTRule.Allow + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_security_v1_jwt_proto_init() } 
@@ -506,13 +581,14 @@ func file_security_v1_jwt_proto_init() { File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_security_v1_jwt_proto_rawDesc, - NumEnums: 0, + NumEnums: 1, NumMessages: 3, NumExtensions: 0, NumServices: 0, }, GoTypes: file_security_v1_jwt_proto_goTypes, DependencyIndexes: file_security_v1_jwt_proto_depIdxs, + EnumInfos: file_security_v1_jwt_proto_enumTypes, MessageInfos: file_security_v1_jwt_proto_msgTypes, }.Build() File_security_v1_jwt_proto = out.File diff --git a/security/v1/jwt.pb.html b/security/v1/jwt.pb.html index 16d4eb44ba4..7d98cbc0d72 100644 --- a/security/v1/jwt.pb.html +++ b/security/v1/jwt.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.security.v1.JWTRule aliases: [/docs/reference/config/security/v1/jwt] -number_of_entries: 3 +number_of_entries: 4 ---
[Experimental] This feature is a experimental feature.
+ +allow
Allow
Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING.
+Allow specifies a Jwt requirement.
+ +Name | +Description | +
---|---|
ALLOW_MISSING |
+
+ The requirement is satisfied if JWT is missing, but failed if JWT is +presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used +to only verify JWTs and pass the verified payload to another filter. The +different is this mode will reject requests with invalid tokens. +This is the default behavior. + + |
+
ALLOW_MISSING_OR_FAILED |
+
+ The requirement is always satisfied even if JWT is missing or the JWT +verification fails. A typical usage is: this filter is used to only verify +JWTs and pass the verified JWT payloads to another filter, the other filter +will make decision. In this mode, all JWT tokens will be verified. + + |
+
[Experimental] This feature is a experimental feature.
+allow
Allow
Allow specifies a Jwt requirement. This is Optional, the default value is ALLOW_MISSING.
+Allow specifies a Jwt requirement.
+ +Name | +Description | +
---|---|
ALLOW_MISSING |
+
+ The requirement is satisfied if JWT is missing, but failed if JWT is +presented but invalid. Similar to ALLOW_MISSING_OR_FAILED, this is used +to only verify JWTs and pass the verified payload to another filter. The +different is this mode will reject requests with invalid tokens. +This is the default behavior. + + |
+
ALLOW_MISSING_OR_FAILED |
+
+ The requirement is always satisfied even if JWT is missing or the JWT +verification fails. A typical usage is: this filter is used to only verify +JWTs and pass the verified JWT payloads to another filter, the other filter +will make decision. In this mode, all JWT tokens will be verified. + + |
+