mirror of https://github.com/grpc/grpc-node.git
grpc-js-xds: Implement RBAC engine
parent
6f81b4ef9b
commit
2e39783b36
|
@ -12,7 +12,7 @@
|
|||
"prepare": "npm run generate-types && npm run compile",
|
||||
"pretest": "npm run compile",
|
||||
"posttest": "npm run check",
|
||||
"generate-types": "proto-loader-gen-types --keepCase --longs String --enums String --defaults --oneofs --includeComments --includeDirs deps/envoy-api/ deps/xds/ deps/googleapis/ deps/protoc-gen-validate/ -O src/generated/ --grpcLib @grpc/grpc-js envoy/service/discovery/v3/ads.proto envoy/service/load_stats/v3/lrs.proto envoy/config/listener/v3/listener.proto envoy/config/route/v3/route.proto envoy/config/cluster/v3/cluster.proto envoy/config/endpoint/v3/endpoint.proto envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto udpa/type/v1/typed_struct.proto xds/type/v3/typed_struct.proto envoy/extensions/filters/http/fault/v3/fault.proto envoy/service/status/v3/csds.proto envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto envoy/extensions/clusters/aggregate/v3/cluster.proto envoy/extensions/transport_sockets/tls/v3/tls.proto",
|
||||
"generate-types": "proto-loader-gen-types --keepCase --longs String --enums String --defaults --oneofs --includeComments --includeDirs deps/envoy-api/ deps/xds/ deps/googleapis/ deps/protoc-gen-validate/ -O src/generated/ --grpcLib @grpc/grpc-js envoy/service/discovery/v3/ads.proto envoy/service/load_stats/v3/lrs.proto envoy/config/listener/v3/listener.proto envoy/config/route/v3/route.proto envoy/config/cluster/v3/cluster.proto envoy/config/endpoint/v3/endpoint.proto envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto udpa/type/v1/typed_struct.proto xds/type/v3/typed_struct.proto envoy/extensions/filters/http/fault/v3/fault.proto envoy/service/status/v3/csds.proto envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto envoy/extensions/clusters/aggregate/v3/cluster.proto envoy/extensions/transport_sockets/tls/v3/tls.proto envoy/config/rbac/v3/rbac.proto",
|
||||
"generate-interop-types": "proto-loader-gen-types --keep-case --longs String --enums String --defaults --oneofs --json --includeComments --includeDirs proto/ -O interop/generated --grpcLib @grpc/grpc-js grpc/testing/test.proto",
|
||||
"generate-test-types": "proto-loader-gen-types --keep-case --longs String --enums String --defaults --oneofs --json --includeComments --includeDirs proto/ -O test/generated --grpcLib @grpc/grpc-js grpc/testing/echo.proto"
|
||||
},
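Review bot: The new `generate-types` line adds `envoy/config/rbac/v3/rbac.proto`, which hands the engine the whole Envoy RBAC message surface, and nothing visible on this page documents which parts of it the engine actually evaluates. The generated types that follow include `condition` / `checked_condition`, the extension matchers `matcher` and `uri_template`, `metadata`, `filter_state` and the `LOG` action, and the oneof discriminators `rule` and `identifier` are optional even on the `__Output` interfaces. The engine code is outside this view, so this is a question rather than a finding: is a config that uses an unimplemented field, or a `Permission` / `Principal` with no oneof member set, rejected at validation instead of being skipped? Skipping matters because under `DENY` "the rest are allowed", so a rule that silently never matches lets the request through. I would state the contract where the config is converted, for example `// Unsupported RBAC fields fail validation; they are never ignored, so a policy cannot be silently weakened`, and cover each unsupported field with a test.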
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
|
||||
|
||||
import type { _envoy_config_rbac_v3_RBAC_Action, _envoy_config_rbac_v3_RBAC_Action__Output } from '../../../../envoy/config/rbac/v3/RBAC';
|
||||
|
||||
/**
|
||||
* Action defines the result of allowance or denial when a request matches the matcher.
|
||||
*/
|
||||
export interface Action {
|
||||
/**
|
||||
* The name indicates the policy name.
|
||||
*/
|
||||
'name'?: (string);
|
||||
/**
|
||||
* The action to take if the matcher matches. Every action either allows or denies a request,
|
||||
* and can also carry out action-specific operations.
|
||||
*
|
||||
* Actions:
|
||||
*
|
||||
* * ``ALLOW``: If the request gets matched on ALLOW, it is permitted.
|
||||
* * ``DENY``: If the request gets matched on DENY, it is not permitted.
|
||||
* * ``LOG``: If the request gets matched on LOG, it is permitted. Besides, the
|
||||
* dynamic metadata key ``access_log_hint`` under the shared key namespace
|
||||
* ``envoy.common`` will be set to the value ``true``.
|
||||
* * If the request cannot get matched, it will fallback to ``DENY``.
|
||||
*
|
||||
* Log behavior:
|
||||
*
|
||||
* If the RBAC matcher contains at least one LOG action, the dynamic
|
||||
* metadata key ``access_log_hint`` will be set based on if the request
|
||||
* get matched on the LOG action.
|
||||
*/
|
||||
'action'?: (_envoy_config_rbac_v3_RBAC_Action);
|
||||
}
|
||||
|
||||
/**
|
||||
* Action defines the result of allowance or denial when a request matches the matcher.
|
||||
*/
|
||||
export interface Action__Output {
|
||||
/**
|
||||
* The name indicates the policy name.
|
||||
*/
|
||||
'name': (string);
|
||||
/**
|
||||
* The action to take if the matcher matches. Every action either allows or denies a request,
|
||||
* and can also carry out action-specific operations.
|
||||
*
|
||||
* Actions:
|
||||
*
|
||||
* * ``ALLOW``: If the request gets matched on ALLOW, it is permitted.
|
||||
* * ``DENY``: If the request gets matched on DENY, it is not permitted.
|
||||
* * ``LOG``: If the request gets matched on LOG, it is permitted. Besides, the
|
||||
* dynamic metadata key ``access_log_hint`` under the shared key namespace
|
||||
* ``envoy.common`` will be set to the value ``true``.
|
||||
* * If the request cannot get matched, it will fallback to ``DENY``.
|
||||
*
|
||||
* Log behavior:
|
||||
*
|
||||
* If the RBAC matcher contains at least one LOG action, the dynamic
|
||||
* metadata key ``access_log_hint`` will be set based on if the request
|
||||
* get matched on the LOG action.
|
||||
*/
|
||||
'action': (_envoy_config_rbac_v3_RBAC_Action__Output);
|
||||
}
|
|
@ -0,0 +1,198 @@
|
|||
// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
|
||||
|
||||
import type { HeaderMatcher as _envoy_config_route_v3_HeaderMatcher, HeaderMatcher__Output as _envoy_config_route_v3_HeaderMatcher__Output } from '../../../../envoy/config/route/v3/HeaderMatcher';
|
||||
import type { CidrRange as _envoy_config_core_v3_CidrRange, CidrRange__Output as _envoy_config_core_v3_CidrRange__Output } from '../../../../envoy/config/core/v3/CidrRange';
|
||||
import type { MetadataMatcher as _envoy_type_matcher_v3_MetadataMatcher, MetadataMatcher__Output as _envoy_type_matcher_v3_MetadataMatcher__Output } from '../../../../envoy/type/matcher/v3/MetadataMatcher';
|
||||
import type { Permission as _envoy_config_rbac_v3_Permission, Permission__Output as _envoy_config_rbac_v3_Permission__Output } from '../../../../envoy/config/rbac/v3/Permission';
|
||||
import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher';
|
||||
import type { PathMatcher as _envoy_type_matcher_v3_PathMatcher, PathMatcher__Output as _envoy_type_matcher_v3_PathMatcher__Output } from '../../../../envoy/type/matcher/v3/PathMatcher';
|
||||
import type { Int32Range as _envoy_type_v3_Int32Range, Int32Range__Output as _envoy_type_v3_Int32Range__Output } from '../../../../envoy/type/v3/Int32Range';
|
||||
import type { TypedExtensionConfig as _envoy_config_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _envoy_config_core_v3_TypedExtensionConfig__Output } from '../../../../envoy/config/core/v3/TypedExtensionConfig';
|
||||
|
||||
/**
|
||||
* Used in the ``and_rules`` and ``or_rules`` fields in the ``rule`` oneof. Depending on the context,
|
||||
* each are applied with the associated behavior.
|
||||
*/
|
||||
export interface _envoy_config_rbac_v3_Permission_Set {
|
||||
'rules'?: (_envoy_config_rbac_v3_Permission)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Used in the ``and_rules`` and ``or_rules`` fields in the ``rule`` oneof. Depending on the context,
|
||||
* each are applied with the associated behavior.
|
||||
*/
|
||||
export interface _envoy_config_rbac_v3_Permission_Set__Output {
|
||||
'rules': (_envoy_config_rbac_v3_Permission__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Permission defines an action (or actions) that a principal can take.
|
||||
* [#next-free-field: 14]
|
||||
*/
|
||||
export interface Permission {
|
||||
/**
|
||||
* A set of rules that all must match in order to define the action.
|
||||
*/
|
||||
'and_rules'?: (_envoy_config_rbac_v3_Permission_Set | null);
|
||||
/**
|
||||
* A set of rules where at least one must match in order to define the action.
|
||||
*/
|
||||
'or_rules'?: (_envoy_config_rbac_v3_Permission_Set | null);
|
||||
/**
|
||||
* When any is set, it matches any action.
|
||||
*/
|
||||
'any'?: (boolean);
|
||||
/**
|
||||
* A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
|
||||
* available for HTTP request.
|
||||
* Note: the pseudo-header :path includes the query and fragment string. Use the ``url_path``
|
||||
* field if you want to match the URL path without the query and fragment string.
|
||||
*/
|
||||
'header'?: (_envoy_config_route_v3_HeaderMatcher | null);
|
||||
/**
|
||||
* A CIDR block that describes the destination IP.
|
||||
*/
|
||||
'destination_ip'?: (_envoy_config_core_v3_CidrRange | null);
|
||||
/**
|
||||
* A port number that describes the destination port connecting to.
|
||||
*/
|
||||
'destination_port'?: (number);
|
||||
/**
|
||||
* Metadata that describes additional information about the action.
|
||||
*/
|
||||
'metadata'?: (_envoy_type_matcher_v3_MetadataMatcher | null);
|
||||
/**
|
||||
* Negates matching the provided permission. For instance, if the value of
|
||||
* ``not_rule`` would match, this permission would not match. Conversely, if
|
||||
* the value of ``not_rule`` would not match, this permission would match.
|
||||
*/
|
||||
'not_rule'?: (_envoy_config_rbac_v3_Permission | null);
|
||||
/**
|
||||
* The request server from the client's connection request. This is
|
||||
* typically TLS SNI.
|
||||
*
|
||||
* .. attention::
|
||||
*
|
||||
* The behavior of this field may be affected by how Envoy is configured
|
||||
* as explained below.
|
||||
*
|
||||
* * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
|
||||
* filter is not added, and if a ``FilterChainMatch`` is not defined for
|
||||
* the :ref:`server name
|
||||
* <envoy_v3_api_field_config.listener.v3.FilterChainMatch.server_names>`,
|
||||
* a TLS connection's requested SNI server name will be treated as if it
|
||||
* wasn't present.
|
||||
*
|
||||
* * A :ref:`listener filter <arch_overview_listener_filters>` may
|
||||
* overwrite a connection's requested server name within Envoy.
|
||||
*
|
||||
* Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
|
||||
* setup SNI.
|
||||
*/
|
||||
'requested_server_name'?: (_envoy_type_matcher_v3_StringMatcher | null);
|
||||
/**
|
||||
* A URL path on the incoming HTTP request. Only available for HTTP.
|
||||
*/
|
||||
'url_path'?: (_envoy_type_matcher_v3_PathMatcher | null);
|
||||
/**
|
||||
* A port number range that describes a range of destination ports connecting to.
|
||||
*/
|
||||
'destination_port_range'?: (_envoy_type_v3_Int32Range | null);
|
||||
/**
|
||||
* Extension for configuring custom matchers for RBAC.
|
||||
* [#extension-category: envoy.rbac.matchers]
|
||||
*/
|
||||
'matcher'?: (_envoy_config_core_v3_TypedExtensionConfig | null);
|
||||
/**
|
||||
* URI template path matching.
|
||||
* [#extension-category: envoy.path.match]
|
||||
*/
|
||||
'uri_template'?: (_envoy_config_core_v3_TypedExtensionConfig | null);
|
||||
'rule'?: "and_rules"|"or_rules"|"any"|"header"|"url_path"|"destination_ip"|"destination_port"|"destination_port_range"|"metadata"|"not_rule"|"requested_server_name"|"matcher"|"uri_template";
|
||||
}
|
||||
|
||||
/**
|
||||
* Permission defines an action (or actions) that a principal can take.
|
||||
* [#next-free-field: 14]
|
||||
*/
|
||||
export interface Permission__Output {
|
||||
/**
|
||||
* A set of rules that all must match in order to define the action.
|
||||
*/
|
||||
'and_rules'?: (_envoy_config_rbac_v3_Permission_Set__Output | null);
|
||||
/**
|
||||
* A set of rules where at least one must match in order to define the action.
|
||||
*/
|
||||
'or_rules'?: (_envoy_config_rbac_v3_Permission_Set__Output | null);
|
||||
/**
|
||||
* When any is set, it matches any action.
|
||||
*/
|
||||
'any'?: (boolean);
|
||||
/**
|
||||
* A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
|
||||
* available for HTTP request.
|
||||
* Note: the pseudo-header :path includes the query and fragment string. Use the ``url_path``
|
||||
* field if you want to match the URL path without the query and fragment string.
|
||||
*/
|
||||
'header'?: (_envoy_config_route_v3_HeaderMatcher__Output | null);
|
||||
/**
|
||||
* A CIDR block that describes the destination IP.
|
||||
*/
|
||||
'destination_ip'?: (_envoy_config_core_v3_CidrRange__Output | null);
|
||||
/**
|
||||
* A port number that describes the destination port connecting to.
|
||||
*/
|
||||
'destination_port'?: (number);
|
||||
/**
|
||||
* Metadata that describes additional information about the action.
|
||||
*/
|
||||
'metadata'?: (_envoy_type_matcher_v3_MetadataMatcher__Output | null);
|
||||
/**
|
||||
* Negates matching the provided permission. For instance, if the value of
|
||||
* ``not_rule`` would match, this permission would not match. Conversely, if
|
||||
* the value of ``not_rule`` would not match, this permission would match.
|
||||
*/
|
||||
'not_rule'?: (_envoy_config_rbac_v3_Permission__Output | null);
|
||||
/**
|
||||
* The request server from the client's connection request. This is
|
||||
* typically TLS SNI.
|
||||
*
|
||||
* .. attention::
|
||||
*
|
||||
* The behavior of this field may be affected by how Envoy is configured
|
||||
* as explained below.
|
||||
*
|
||||
* * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
|
||||
* filter is not added, and if a ``FilterChainMatch`` is not defined for
|
||||
* the :ref:`server name
|
||||
* <envoy_v3_api_field_config.listener.v3.FilterChainMatch.server_names>`,
|
||||
* a TLS connection's requested SNI server name will be treated as if it
|
||||
* wasn't present.
|
||||
*
|
||||
* * A :ref:`listener filter <arch_overview_listener_filters>` may
|
||||
* overwrite a connection's requested server name within Envoy.
|
||||
*
|
||||
* Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
|
||||
* setup SNI.
|
||||
*/
|
||||
'requested_server_name'?: (_envoy_type_matcher_v3_StringMatcher__Output | null);
|
||||
/**
|
||||
* A URL path on the incoming HTTP request. Only available for HTTP.
|
||||
*/
|
||||
'url_path'?: (_envoy_type_matcher_v3_PathMatcher__Output | null);
|
||||
/**
|
||||
* A port number range that describes a range of destination ports connecting to.
|
||||
*/
|
||||
'destination_port_range'?: (_envoy_type_v3_Int32Range__Output | null);
|
||||
/**
|
||||
* Extension for configuring custom matchers for RBAC.
|
||||
* [#extension-category: envoy.rbac.matchers]
|
||||
*/
|
||||
'matcher'?: (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
|
||||
/**
|
||||
* URI template path matching.
|
||||
* [#extension-category: envoy.path.match]
|
||||
*/
|
||||
'uri_template'?: (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
|
||||
'rule'?: "and_rules"|"or_rules"|"any"|"header"|"url_path"|"destination_ip"|"destination_port"|"destination_port_range"|"metadata"|"not_rule"|"requested_server_name"|"matcher"|"uri_template";
|
||||
}
|
|
@ -0,0 +1,76 @@
|
|||
// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
|
||||
|
||||
import type { Permission as _envoy_config_rbac_v3_Permission, Permission__Output as _envoy_config_rbac_v3_Permission__Output } from '../../../../envoy/config/rbac/v3/Permission';
|
||||
import type { Principal as _envoy_config_rbac_v3_Principal, Principal__Output as _envoy_config_rbac_v3_Principal__Output } from '../../../../envoy/config/rbac/v3/Principal';
|
||||
import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
|
||||
import type { CheckedExpr as _google_api_expr_v1alpha1_CheckedExpr, CheckedExpr__Output as _google_api_expr_v1alpha1_CheckedExpr__Output } from '../../../../google/api/expr/v1alpha1/CheckedExpr';
|
||||
|
||||
/**
|
||||
* Policy specifies a role and the principals that are assigned/denied the role.
|
||||
* A policy matches if and only if at least one of its permissions match the
|
||||
* action taking place AND at least one of its principals match the downstream
|
||||
* AND the condition is true if specified.
|
||||
*/
|
||||
export interface Policy {
|
||||
/**
|
||||
* Required. The set of permissions that define a role. Each permission is
|
||||
* matched with OR semantics. To match all actions for this policy, a single
|
||||
* Permission with the ``any`` field set to true should be used.
|
||||
*/
|
||||
'permissions'?: (_envoy_config_rbac_v3_Permission)[];
|
||||
/**
|
||||
* Required. The set of principals that are assigned/denied the role based on
|
||||
* “action”. Each principal is matched with OR semantics. To match all
|
||||
* downstreams for this policy, a single Principal with the ``any`` field set to
|
||||
* true should be used.
|
||||
*/
|
||||
'principals'?: (_envoy_config_rbac_v3_Principal)[];
|
||||
/**
|
||||
* An optional symbolic expression specifying an access control
|
||||
* :ref:`condition <arch_overview_condition>`. The condition is combined
|
||||
* with the permissions and the principals as a clause with AND semantics.
|
||||
* Only be used when checked_condition is not used.
|
||||
*/
|
||||
'condition'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* [#not-implemented-hide:]
|
||||
* An optional symbolic expression that has been successfully type checked.
|
||||
* Only be used when condition is not used.
|
||||
*/
|
||||
'checked_condition'?: (_google_api_expr_v1alpha1_CheckedExpr | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Policy specifies a role and the principals that are assigned/denied the role.
|
||||
* A policy matches if and only if at least one of its permissions match the
|
||||
* action taking place AND at least one of its principals match the downstream
|
||||
* AND the condition is true if specified.
|
||||
*/
|
||||
export interface Policy__Output {
|
||||
/**
|
||||
* Required. The set of permissions that define a role. Each permission is
|
||||
* matched with OR semantics. To match all actions for this policy, a single
|
||||
* Permission with the ``any`` field set to true should be used.
|
||||
*/
|
||||
'permissions': (_envoy_config_rbac_v3_Permission__Output)[];
|
||||
/**
|
||||
* Required. The set of principals that are assigned/denied the role based on
|
||||
* “action”. Each principal is matched with OR semantics. To match all
|
||||
* downstreams for this policy, a single Principal with the ``any`` field set to
|
||||
* true should be used.
|
||||
*/
|
||||
'principals': (_envoy_config_rbac_v3_Principal__Output)[];
|
||||
/**
|
||||
* An optional symbolic expression specifying an access control
|
||||
* :ref:`condition <arch_overview_condition>`. The condition is combined
|
||||
* with the permissions and the principals as a clause with AND semantics.
|
||||
* Only be used when checked_condition is not used.
|
||||
*/
|
||||
'condition': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* [#not-implemented-hide:]
|
||||
* An optional symbolic expression that has been successfully type checked.
|
||||
* Only be used when condition is not used.
|
||||
*/
|
||||
'checked_condition': (_google_api_expr_v1alpha1_CheckedExpr__Output | null);
|
||||
}
|
|
@ -0,0 +1,209 @@
|
|||
// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
|
||||
|
||||
import type { CidrRange as _envoy_config_core_v3_CidrRange, CidrRange__Output as _envoy_config_core_v3_CidrRange__Output } from '../../../../envoy/config/core/v3/CidrRange';
|
||||
import type { HeaderMatcher as _envoy_config_route_v3_HeaderMatcher, HeaderMatcher__Output as _envoy_config_route_v3_HeaderMatcher__Output } from '../../../../envoy/config/route/v3/HeaderMatcher';
|
||||
import type { MetadataMatcher as _envoy_type_matcher_v3_MetadataMatcher, MetadataMatcher__Output as _envoy_type_matcher_v3_MetadataMatcher__Output } from '../../../../envoy/type/matcher/v3/MetadataMatcher';
|
||||
import type { Principal as _envoy_config_rbac_v3_Principal, Principal__Output as _envoy_config_rbac_v3_Principal__Output } from '../../../../envoy/config/rbac/v3/Principal';
|
||||
import type { PathMatcher as _envoy_type_matcher_v3_PathMatcher, PathMatcher__Output as _envoy_type_matcher_v3_PathMatcher__Output } from '../../../../envoy/type/matcher/v3/PathMatcher';
|
||||
import type { FilterStateMatcher as _envoy_type_matcher_v3_FilterStateMatcher, FilterStateMatcher__Output as _envoy_type_matcher_v3_FilterStateMatcher__Output } from '../../../../envoy/type/matcher/v3/FilterStateMatcher';
|
||||
import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher';
|
||||
|
||||
/**
|
||||
* Authentication attributes for a downstream.
|
||||
*/
|
||||
export interface _envoy_config_rbac_v3_Principal_Authenticated {
|
||||
/**
|
||||
* The name of the principal. If set, The URI SAN or DNS SAN in that order
|
||||
* is used from the certificate, otherwise the subject field is used. If
|
||||
* unset, it applies to any user that is authenticated.
|
||||
*/
|
||||
'principal_name'?: (_envoy_type_matcher_v3_StringMatcher | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Authentication attributes for a downstream.
|
||||
*/
|
||||
export interface _envoy_config_rbac_v3_Principal_Authenticated__Output {
|
||||
/**
|
||||
* The name of the principal. If set, The URI SAN or DNS SAN in that order
|
||||
* is used from the certificate, otherwise the subject field is used. If
|
||||
* unset, it applies to any user that is authenticated.
|
||||
*/
|
||||
'principal_name': (_envoy_type_matcher_v3_StringMatcher__Output | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Used in the ``and_ids`` and ``or_ids`` fields in the ``identifier`` oneof.
|
||||
* Depending on the context, each are applied with the associated behavior.
|
||||
*/
|
||||
export interface _envoy_config_rbac_v3_Principal_Set {
|
||||
'ids'?: (_envoy_config_rbac_v3_Principal)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Used in the ``and_ids`` and ``or_ids`` fields in the ``identifier`` oneof.
|
||||
* Depending on the context, each are applied with the associated behavior.
|
||||
*/
|
||||
export interface _envoy_config_rbac_v3_Principal_Set__Output {
|
||||
'ids': (_envoy_config_rbac_v3_Principal__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Principal defines an identity or a group of identities for a downstream
|
||||
* subject.
|
||||
* [#next-free-field: 13]
|
||||
*/
|
||||
export interface Principal {
|
||||
/**
|
||||
* A set of identifiers that all must match in order to define the
|
||||
* downstream.
|
||||
*/
|
||||
'and_ids'?: (_envoy_config_rbac_v3_Principal_Set | null);
|
||||
/**
|
||||
* A set of identifiers at least one must match in order to define the
|
||||
* downstream.
|
||||
*/
|
||||
'or_ids'?: (_envoy_config_rbac_v3_Principal_Set | null);
|
||||
/**
|
||||
* When any is set, it matches any downstream.
|
||||
*/
|
||||
'any'?: (boolean);
|
||||
/**
|
||||
* Authenticated attributes that identify the downstream.
|
||||
*/
|
||||
'authenticated'?: (_envoy_config_rbac_v3_Principal_Authenticated | null);
|
||||
/**
|
||||
* A CIDR block that describes the downstream IP.
|
||||
* This address will honor proxy protocol, but will not honor XFF.
|
||||
*
|
||||
* This field is deprecated; either use :ref:`remote_ip
|
||||
* <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` for the same
|
||||
* behavior, or use
|
||||
* :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`.
|
||||
* @deprecated
|
||||
*/
|
||||
'source_ip'?: (_envoy_config_core_v3_CidrRange | null);
|
||||
/**
|
||||
* A header (or pseudo-header such as :path or :method) on the incoming HTTP
|
||||
* request. Only available for HTTP request. Note: the pseudo-header :path
|
||||
* includes the query and fragment string. Use the ``url_path`` field if you
|
||||
* want to match the URL path without the query and fragment string.
|
||||
*/
|
||||
'header'?: (_envoy_config_route_v3_HeaderMatcher | null);
|
||||
/**
|
||||
* Metadata that describes additional information about the principal.
|
||||
*/
|
||||
'metadata'?: (_envoy_type_matcher_v3_MetadataMatcher | null);
|
||||
/**
|
||||
* Negates matching the provided principal. For instance, if the value of
|
||||
* ``not_id`` would match, this principal would not match. Conversely, if the
|
||||
* value of ``not_id`` would not match, this principal would match.
|
||||
*/
|
||||
'not_id'?: (_envoy_config_rbac_v3_Principal | null);
|
||||
/**
|
||||
* A URL path on the incoming HTTP request. Only available for HTTP.
|
||||
*/
|
||||
'url_path'?: (_envoy_type_matcher_v3_PathMatcher | null);
|
||||
/**
|
||||
* A CIDR block that describes the downstream remote/origin address.
|
||||
* Note: This is always the physical peer even if the
|
||||
* :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` is
|
||||
* inferred from for example the x-forwarder-for header, proxy protocol,
|
||||
* etc.
|
||||
*/
|
||||
'direct_remote_ip'?: (_envoy_config_core_v3_CidrRange | null);
|
||||
/**
|
||||
* A CIDR block that describes the downstream remote/origin address.
|
||||
* Note: This may not be the physical peer and could be different from the
|
||||
* :ref:`direct_remote_ip
|
||||
* <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`. E.g, if the
|
||||
* remote ip is inferred from for example the x-forwarder-for header, proxy
|
||||
* protocol, etc.
|
||||
*/
|
||||
'remote_ip'?: (_envoy_config_core_v3_CidrRange | null);
|
||||
/**
|
||||
* Identifies the principal using a filter state object.
|
||||
*/
|
||||
'filter_state'?: (_envoy_type_matcher_v3_FilterStateMatcher | null);
|
||||
'identifier'?: "and_ids"|"or_ids"|"any"|"authenticated"|"source_ip"|"direct_remote_ip"|"remote_ip"|"header"|"url_path"|"metadata"|"filter_state"|"not_id";
|
||||
}
|
||||
|
||||
/**
|
||||
* Principal defines an identity or a group of identities for a downstream
|
||||
* subject.
|
||||
* [#next-free-field: 13]
|
||||
*/
|
||||
export interface Principal__Output {
|
||||
/**
|
||||
* A set of identifiers that all must match in order to define the
|
||||
* downstream.
|
||||
*/
|
||||
'and_ids'?: (_envoy_config_rbac_v3_Principal_Set__Output | null);
|
||||
/**
|
||||
* A set of identifiers at least one must match in order to define the
|
||||
* downstream.
|
||||
*/
|
||||
'or_ids'?: (_envoy_config_rbac_v3_Principal_Set__Output | null);
|
||||
/**
|
||||
* When any is set, it matches any downstream.
|
||||
*/
|
||||
'any'?: (boolean);
|
||||
/**
|
||||
* Authenticated attributes that identify the downstream.
|
||||
*/
|
||||
'authenticated'?: (_envoy_config_rbac_v3_Principal_Authenticated__Output | null);
|
||||
/**
|
||||
* A CIDR block that describes the downstream IP.
|
||||
* This address will honor proxy protocol, but will not honor XFF.
|
||||
*
|
||||
* This field is deprecated; either use :ref:`remote_ip
|
||||
* <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` for the same
|
||||
* behavior, or use
|
||||
* :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`.
|
||||
* @deprecated
|
||||
*/
|
||||
'source_ip'?: (_envoy_config_core_v3_CidrRange__Output | null);
|
||||
/**
|
||||
* A header (or pseudo-header such as :path or :method) on the incoming HTTP
|
||||
* request. Only available for HTTP request. Note: the pseudo-header :path
|
||||
* includes the query and fragment string. Use the ``url_path`` field if you
|
||||
* want to match the URL path without the query and fragment string.
|
||||
*/
|
||||
'header'?: (_envoy_config_route_v3_HeaderMatcher__Output | null);
|
||||
/**
|
||||
* Metadata that describes additional information about the principal.
|
||||
*/
|
||||
'metadata'?: (_envoy_type_matcher_v3_MetadataMatcher__Output | null);
|
||||
/**
|
||||
* Negates matching the provided principal. For instance, if the value of
|
||||
* ``not_id`` would match, this principal would not match. Conversely, if the
|
||||
* value of ``not_id`` would not match, this principal would match.
|
||||
*/
|
||||
'not_id'?: (_envoy_config_rbac_v3_Principal__Output | null);
|
||||
/**
|
||||
* A URL path on the incoming HTTP request. Only available for HTTP.
|
||||
*/
|
||||
'url_path'?: (_envoy_type_matcher_v3_PathMatcher__Output | null);
|
||||
/**
|
||||
* A CIDR block that describes the downstream remote/origin address.
|
||||
* Note: This is always the physical peer even if the
|
||||
* :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` is
|
||||
* inferred from for example the x-forwarder-for header, proxy protocol,
|
||||
* etc.
|
||||
*/
|
||||
'direct_remote_ip'?: (_envoy_config_core_v3_CidrRange__Output | null);
|
||||
/**
|
||||
* A CIDR block that describes the downstream remote/origin address.
|
||||
* Note: This may not be the physical peer and could be different from the
|
||||
* :ref:`direct_remote_ip
|
||||
* <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`. E.g, if the
|
||||
* remote ip is inferred from for example the x-forwarder-for header, proxy
|
||||
* protocol, etc.
|
||||
*/
|
||||
'remote_ip'?: (_envoy_config_core_v3_CidrRange__Output | null);
|
||||
/**
|
||||
* Identifies the principal using a filter state object.
|
||||
*/
|
||||
'filter_state'?: (_envoy_type_matcher_v3_FilterStateMatcher__Output | null);
|
||||
'identifier'?: "and_ids"|"or_ids"|"any"|"authenticated"|"source_ip"|"direct_remote_ip"|"remote_ip"|"header"|"url_path"|"metadata"|"filter_state"|"not_id";
|
||||
}
|
|
@ -0,0 +1,335 @@
|
|||
// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
|
||||
|
||||
import type { Policy as _envoy_config_rbac_v3_Policy, Policy__Output as _envoy_config_rbac_v3_Policy__Output } from '../../../../envoy/config/rbac/v3/Policy';
|
||||
import type { TypedExtensionConfig as _envoy_config_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _envoy_config_core_v3_TypedExtensionConfig__Output } from '../../../../envoy/config/core/v3/TypedExtensionConfig';
|
||||
|
||||
// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
|
||||
|
||||
/**
|
||||
* Should we do safe-list or block-list style access control?
|
||||
*/
|
||||
export const _envoy_config_rbac_v3_RBAC_Action = {
|
||||
/**
|
||||
* The policies grant access to principals. The rest are denied. This is safe-list style
|
||||
* access control. This is the default type.
|
||||
*/
|
||||
ALLOW: 'ALLOW',
|
||||
/**
|
||||
* The policies deny access to principals. The rest are allowed. This is block-list style
|
||||
* access control.
|
||||
*/
|
||||
DENY: 'DENY',
|
||||
/**
|
||||
* The policies set the ``access_log_hint`` dynamic metadata key based on if requests match.
|
||||
* All requests are allowed.
|
||||
*/
|
||||
LOG: 'LOG',
|
||||
} as const;
|
||||
|
||||
/**
|
||||
* Should we do safe-list or block-list style access control?
|
||||
*/
|
||||
export type _envoy_config_rbac_v3_RBAC_Action =
|
||||
/**
|
||||
* The policies grant access to principals. The rest are denied. This is safe-list style
|
||||
* access control. This is the default type.
|
||||
*/
|
||||
| 'ALLOW'
|
||||
| 0
|
||||
/**
|
||||
* The policies deny access to principals. The rest are allowed. This is block-list style
|
||||
* access control.
|
||||
*/
|
||||
| 'DENY'
|
||||
| 1
|
||||
/**
|
||||
* The policies set the ``access_log_hint`` dynamic metadata key based on if requests match.
|
||||
* All requests are allowed.
|
||||
*/
|
||||
| 'LOG'
|
||||
| 2
|
||||
|
||||
/**
|
||||
* Should we do safe-list or block-list style access control?
|
||||
*/
|
||||
export type _envoy_config_rbac_v3_RBAC_Action__Output = typeof _envoy_config_rbac_v3_RBAC_Action[keyof typeof _envoy_config_rbac_v3_RBAC_Action]
|
||||
|
||||
// Original file: deps/envoy-api/envoy/config/rbac/v3/rbac.proto
|
||||
|
||||
/**
|
||||
* Deny and allow here refer to RBAC decisions, not actions.
|
||||
*/
|
||||
export const _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition = {
|
||||
/**
|
||||
* Never audit.
|
||||
*/
|
||||
NONE: 'NONE',
|
||||
/**
|
||||
* Audit when RBAC denies the request.
|
||||
*/
|
||||
ON_DENY: 'ON_DENY',
|
||||
/**
|
||||
* Audit when RBAC allows the request.
|
||||
*/
|
||||
ON_ALLOW: 'ON_ALLOW',
|
||||
/**
|
||||
* Audit whether RBAC allows or denies the request.
|
||||
*/
|
||||
ON_DENY_AND_ALLOW: 'ON_DENY_AND_ALLOW',
|
||||
} as const;
|
||||
|
||||
/**
|
||||
* Deny and allow here refer to RBAC decisions, not actions.
|
||||
*/
|
||||
export type _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition =
|
||||
/**
|
||||
* Never audit.
|
||||
*/
|
||||
| 'NONE'
|
||||
| 0
|
||||
/**
|
||||
* Audit when RBAC denies the request.
|
||||
*/
|
||||
| 'ON_DENY'
|
||||
| 1
|
||||
/**
|
||||
* Audit when RBAC allows the request.
|
||||
*/
|
||||
| 'ON_ALLOW'
|
||||
| 2
|
||||
/**
|
||||
* Audit whether RBAC allows or denies the request.
|
||||
*/
|
||||
| 'ON_DENY_AND_ALLOW'
|
||||
| 3
|
||||
|
||||
/**
|
||||
* Deny and allow here refer to RBAC decisions, not actions.
|
||||
*/
|
||||
export type _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition__Output = typeof _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition[keyof typeof _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition]
|
||||
|
||||
/**
|
||||
* [#not-implemented-hide:]
|
||||
*/
|
||||
export interface _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig {
|
||||
/**
|
||||
* Typed logger configuration.
|
||||
*
|
||||
* [#extension-category: envoy.rbac.audit_loggers]
|
||||
*/
|
||||
'audit_logger'?: (_envoy_config_core_v3_TypedExtensionConfig | null);
|
||||
/**
|
||||
* If true, when the logger is not supported, the data plane will not NACK but simply ignore it.
|
||||
*/
|
||||
'is_optional'?: (boolean);
|
||||
}
|
||||
|
||||
/**
|
||||
* [#not-implemented-hide:]
|
||||
*/
|
||||
export interface _envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig__Output {
|
||||
/**
|
||||
* Typed logger configuration.
|
||||
*
|
||||
* [#extension-category: envoy.rbac.audit_loggers]
|
||||
*/
|
||||
'audit_logger': (_envoy_config_core_v3_TypedExtensionConfig__Output | null);
|
||||
/**
|
||||
* If true, when the logger is not supported, the data plane will not NACK but simply ignore it.
|
||||
*/
|
||||
'is_optional': (boolean);
|
||||
}
|
||||
|
||||
export interface _envoy_config_rbac_v3_RBAC_AuditLoggingOptions {
|
||||
/**
|
||||
* Condition for the audit logging to happen.
|
||||
* If this condition is met, all the audit loggers configured here will be invoked.
|
||||
*
|
||||
* [#not-implemented-hide:]
|
||||
*/
|
||||
'audit_condition'?: (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition);
|
||||
/**
|
||||
* Configurations for RBAC-based authorization audit loggers.
|
||||
*
|
||||
* [#not-implemented-hide:]
|
||||
*/
|
||||
'logger_configs'?: (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig)[];
|
||||
}
|
||||
|
||||
export interface _envoy_config_rbac_v3_RBAC_AuditLoggingOptions__Output {
|
||||
/**
|
||||
* Condition for the audit logging to happen.
|
||||
* If this condition is met, all the audit loggers configured here will be invoked.
|
||||
*
|
||||
* [#not-implemented-hide:]
|
||||
*/
|
||||
'audit_condition': (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditCondition__Output);
|
||||
/**
|
||||
* Configurations for RBAC-based authorization audit loggers.
|
||||
*
|
||||
* [#not-implemented-hide:]
|
||||
*/
|
||||
'logger_configs': (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions_AuditLoggerConfig__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Role Based Access Control (RBAC) provides service-level and method-level access control for a
|
||||
* service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
|
||||
* found. For instance, if the action is ALLOW and a matching policy is found the request should be
|
||||
* allowed.
|
||||
*
|
||||
* RBAC can also be used to make access logging decisions by communicating with access loggers
|
||||
* through dynamic metadata. When the action is LOG and at least one policy matches, the
|
||||
* ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
|
||||
* the request should be logged.
|
||||
*
|
||||
* Here is an example of RBAC configuration. It has two policies:
|
||||
*
|
||||
* * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
|
||||
* does "cluster.local/ns/default/sa/superuser".
|
||||
*
|
||||
* * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
|
||||
* destination port is either 80 or 443.
|
||||
*
|
||||
* .. code-block:: yaml
|
||||
*
|
||||
* action: ALLOW
|
||||
* policies:
|
||||
* "service-admin":
|
||||
* permissions:
|
||||
* - any: true
|
||||
* principals:
|
||||
* - authenticated:
|
||||
* principal_name:
|
||||
* exact: "cluster.local/ns/default/sa/admin"
|
||||
* - authenticated:
|
||||
* principal_name:
|
||||
* exact: "cluster.local/ns/default/sa/superuser"
|
||||
* "product-viewer":
|
||||
* permissions:
|
||||
* - and_rules:
|
||||
* rules:
|
||||
* - header:
|
||||
* name: ":method"
|
||||
* string_match:
|
||||
* exact: "GET"
|
||||
* - url_path:
|
||||
* path: { prefix: "/products" }
|
||||
* - or_rules:
|
||||
* rules:
|
||||
* - destination_port: 80
|
||||
* - destination_port: 443
|
||||
* principals:
|
||||
* - any: true
|
||||
*/
|
||||
export interface RBAC {
|
||||
/**
|
||||
* The action to take if a policy matches. Every action either allows or denies a request,
|
||||
* and can also carry out action-specific operations.
|
||||
*
|
||||
* Actions:
|
||||
*
|
||||
* * ``ALLOW``: Allows the request if and only if there is a policy that matches
|
||||
* the request.
|
||||
* * ``DENY``: Allows the request if and only if there are no policies that
|
||||
* match the request.
|
||||
* * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
|
||||
* metadata key ``access_log_hint`` is set to the value ``true`` under the shared
|
||||
* key namespace ``envoy.common``. If no policies match, it is set to ``false``.
|
||||
* Other actions do not modify this key.
|
||||
*/
|
||||
'action'?: (_envoy_config_rbac_v3_RBAC_Action);
|
||||
/**
|
||||
* Maps from policy name to policy. A match occurs when at least one policy matches the request.
|
||||
* The policies are evaluated in lexicographic order of the policy name.
|
||||
*/
|
||||
'policies'?: ({[key: string]: _envoy_config_rbac_v3_Policy});
|
||||
/**
|
||||
* Audit logging options that include the condition for audit logging to happen
|
||||
* and audit logger configurations.
|
||||
*
|
||||
* [#not-implemented-hide:]
|
||||
*/
|
||||
'audit_logging_options'?: (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Role Based Access Control (RBAC) provides service-level and method-level access control for a
|
||||
* service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
|
||||
* found. For instance, if the action is ALLOW and a matching policy is found the request should be
|
||||
* allowed.
|
||||
*
|
||||
* RBAC can also be used to make access logging decisions by communicating with access loggers
|
||||
* through dynamic metadata. When the action is LOG and at least one policy matches, the
|
||||
* ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
|
||||
* the request should be logged.
|
||||
*
|
||||
* Here is an example of RBAC configuration. It has two policies:
|
||||
*
|
||||
* * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
|
||||
* does "cluster.local/ns/default/sa/superuser".
|
||||
*
|
||||
* * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
|
||||
* destination port is either 80 or 443.
|
||||
*
|
||||
* .. code-block:: yaml
|
||||
*
|
||||
* action: ALLOW
|
||||
* policies:
|
||||
* "service-admin":
|
||||
* permissions:
|
||||
* - any: true
|
||||
* principals:
|
||||
* - authenticated:
|
||||
* principal_name:
|
||||
* exact: "cluster.local/ns/default/sa/admin"
|
||||
* - authenticated:
|
||||
* principal_name:
|
||||
* exact: "cluster.local/ns/default/sa/superuser"
|
||||
* "product-viewer":
|
||||
* permissions:
|
||||
* - and_rules:
|
||||
* rules:
|
||||
* - header:
|
||||
* name: ":method"
|
||||
* string_match:
|
||||
* exact: "GET"
|
||||
* - url_path:
|
||||
* path: { prefix: "/products" }
|
||||
* - or_rules:
|
||||
* rules:
|
||||
* - destination_port: 80
|
||||
* - destination_port: 443
|
||||
* principals:
|
||||
* - any: true
|
||||
*/
|
||||
export interface RBAC__Output {
|
||||
/**
|
||||
* The action to take if a policy matches. Every action either allows or denies a request,
|
||||
* and can also carry out action-specific operations.
|
||||
*
|
||||
* Actions:
|
||||
*
|
||||
* * ``ALLOW``: Allows the request if and only if there is a policy that matches
|
||||
* the request.
|
||||
* * ``DENY``: Allows the request if and only if there are no policies that
|
||||
* match the request.
|
||||
* * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
|
||||
* metadata key ``access_log_hint`` is set to the value ``true`` under the shared
|
||||
* key namespace ``envoy.common``. If no policies match, it is set to ``false``.
|
||||
* Other actions do not modify this key.
|
||||
*/
|
||||
'action': (_envoy_config_rbac_v3_RBAC_Action__Output);
|
||||
/**
|
||||
* Maps from policy name to policy. A match occurs when at least one policy matches the request.
|
||||
* The policies are evaluated in lexicographic order of the policy name.
|
||||
*/
|
||||
'policies': ({[key: string]: _envoy_config_rbac_v3_Policy__Output});
|
||||
/**
|
||||
* Audit logging options that include the condition for audit logging to happen
|
||||
* and audit logger configurations.
|
||||
*
|
||||
* [#not-implemented-hide:]
|
||||
*/
|
||||
'audit_logging_options': (_envoy_config_rbac_v3_RBAC_AuditLoggingOptions__Output | null);
|
||||
}
|
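--- a/packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/FilterStateMatcher.ts
+++ b/packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/FilterStateMatcher.ts
@@ -0,0 +1,33 @@
+// Original file: deps/envoy-api/envoy/type/matcher/v3/filter_state.proto
+
+import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher';
+
+/**
+* FilterStateMatcher provides a general interface for matching the filter state objects.
+*/
+export interface FilterStateMatcher {
+/**
+* The filter state key to retrieve the object.
+*/
+'key'?: (string);
+/**
+* Matches the filter state object as a string value.
+*/
+'string_match'?: (_envoy_type_matcher_v3_StringMatcher | null);
+'matcher'?: "string_match";
+}
+
+/**
+* FilterStateMatcher provides a general interface for matching the filter state objects.
+*/
+export interface FilterStateMatcher__Output {
+/**
+* The filter state key to retrieve the object.
+*/
+'key': (string);
+/**
+* Matches the filter state object as a string value.
+*/
+'string_match'?: (_envoy_type_matcher_v3_StringMatcher__Output | null);
+'matcher'?: "string_match";
+}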
|
@ -0,0 +1,29 @@
|
|||
// Original file: deps/envoy-api/envoy/type/matcher/v3/path.proto
|
||||
|
||||
import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher';
|
||||
|
||||
/**
|
||||
* Specifies the way to match a path on HTTP request.
|
||||
*/
|
||||
export interface PathMatcher {
|
||||
/**
|
||||
* The ``path`` must match the URL path portion of the :path header. The query and fragment
|
||||
* string (if present) are removed in the URL path portion.
|
||||
* For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``.
|
||||
*/
|
||||
'path'?: (_envoy_type_matcher_v3_StringMatcher | null);
|
||||
'rule'?: "path";
|
||||
}
|
||||
|
||||
/**
|
||||
* Specifies the way to match a path on HTTP request.
|
||||
*/
|
||||
export interface PathMatcher__Output {
|
||||
/**
|
||||
* The ``path`` must match the URL path portion of the :path header. The query and fragment
|
||||
* string (if present) are removed in the URL path portion.
|
||||
* For example, the path ``/data`` will match the ``:path`` header ``/data#fragment?param=value``.
|
||||
*/
|
||||
'path'?: (_envoy_type_matcher_v3_StringMatcher__Output | null);
|
||||
'rule'?: "path";
|
||||
}
|
|
@ -0,0 +1,90 @@
|
|||
// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
|
||||
|
||||
import type { Reference as _google_api_expr_v1alpha1_Reference, Reference__Output as _google_api_expr_v1alpha1_Reference__Output } from '../../../../google/api/expr/v1alpha1/Reference';
|
||||
import type { Type as _google_api_expr_v1alpha1_Type, Type__Output as _google_api_expr_v1alpha1_Type__Output } from '../../../../google/api/expr/v1alpha1/Type';
|
||||
import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
|
||||
import type { SourceInfo as _google_api_expr_v1alpha1_SourceInfo, SourceInfo__Output as _google_api_expr_v1alpha1_SourceInfo__Output } from '../../../../google/api/expr/v1alpha1/SourceInfo';
|
||||
|
||||
/**
|
||||
* A CEL expression which has been successfully type checked.
|
||||
*/
|
||||
export interface CheckedExpr {
|
||||
/**
|
||||
* A map from expression ids to resolved references.
|
||||
*
|
||||
* The following entries are in this table:
|
||||
*
|
||||
* - An Ident or Select expression is represented here if it resolves to a
|
||||
* declaration. For instance, if `a.b.c` is represented by
|
||||
* `select(select(id(a), b), c)`, and `a.b` resolves to a declaration,
|
||||
* while `c` is a field selection, then the reference is attached to the
|
||||
* nested select expression (but not to the id or or the outer select).
|
||||
* In turn, if `a` resolves to a declaration and `b.c` are field selections,
|
||||
* the reference is attached to the ident expression.
|
||||
* - Every Call expression has an entry here, identifying the function being
|
||||
* called.
|
||||
* - Every CreateStruct expression for a message has an entry, identifying
|
||||
* the message.
|
||||
*/
|
||||
'reference_map'?: ({[key: number]: _google_api_expr_v1alpha1_Reference});
|
||||
/**
|
||||
* A map from expression ids to types.
|
||||
*
|
||||
* Every expression node which has a type different than DYN has a mapping
|
||||
* here. If an expression has type DYN, it is omitted from this map to save
|
||||
* space.
|
||||
*/
|
||||
'type_map'?: ({[key: number]: _google_api_expr_v1alpha1_Type});
|
||||
/**
|
||||
* The checked expression. Semantically equivalent to the parsed `expr`, but
|
||||
* may have structural differences.
|
||||
*/
|
||||
'expr'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* The source info derived from input that generated the parsed `expr` and
|
||||
* any optimizations made during the type-checking pass.
|
||||
*/
|
||||
'source_info'?: (_google_api_expr_v1alpha1_SourceInfo | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* A CEL expression which has been successfully type checked.
|
||||
*/
|
||||
export interface CheckedExpr__Output {
|
||||
/**
|
||||
* A map from expression ids to resolved references.
|
||||
*
|
||||
* The following entries are in this table:
|
||||
*
|
||||
* - An Ident or Select expression is represented here if it resolves to a
|
||||
* declaration. For instance, if `a.b.c` is represented by
|
||||
* `select(select(id(a), b), c)`, and `a.b` resolves to a declaration,
|
||||
* while `c` is a field selection, then the reference is attached to the
|
||||
* nested select expression (but not to the id or or the outer select).
|
||||
* In turn, if `a` resolves to a declaration and `b.c` are field selections,
|
||||
* the reference is attached to the ident expression.
|
||||
* - Every Call expression has an entry here, identifying the function being
|
||||
* called.
|
||||
* - Every CreateStruct expression for a message has an entry, identifying
|
||||
* the message.
|
||||
*/
|
||||
'reference_map': ({[key: number]: _google_api_expr_v1alpha1_Reference__Output});
|
||||
/**
|
||||
* A map from expression ids to types.
|
||||
*
|
||||
* Every expression node which has a type different than DYN has a mapping
|
||||
* here. If an expression has type DYN, it is omitted from this map to save
|
||||
* space.
|
||||
*/
|
||||
'type_map': ({[key: number]: _google_api_expr_v1alpha1_Type__Output});
|
||||
/**
|
||||
* The checked expression. Semantically equivalent to the parsed `expr`, but
|
||||
* may have structural differences.
|
||||
*/
|
||||
'expr': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* The source info derived from input that generated the parsed `expr` and
|
||||
* any optimizations made during the type-checking pass.
|
||||
*/
|
||||
'source_info': (_google_api_expr_v1alpha1_SourceInfo__Output | null);
|
||||
}
|
|
@ -0,0 +1,134 @@
|
|||
// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
|
||||
|
||||
import type { NullValue as _google_protobuf_NullValue, NullValue__Output as _google_protobuf_NullValue__Output } from '../../../../google/protobuf/NullValue';
|
||||
import type { Duration as _google_protobuf_Duration, Duration__Output as _google_protobuf_Duration__Output } from '../../../../google/protobuf/Duration';
|
||||
import type { Timestamp as _google_protobuf_Timestamp, Timestamp__Output as _google_protobuf_Timestamp__Output } from '../../../../google/protobuf/Timestamp';
|
||||
import type { Long } from '@grpc/proto-loader';
|
||||
|
||||
/**
|
||||
* Represents a primitive literal.
|
||||
*
|
||||
* Named 'Constant' here for backwards compatibility.
|
||||
*
|
||||
* This is similar as the primitives supported in the well-known type
|
||||
* `google.protobuf.Value`, but richer so it can represent CEL's full range of
|
||||
* primitives.
|
||||
*
|
||||
* Lists and structs are not included as constants as these aggregate types may
|
||||
* contain [Expr][google.api.expr.v1alpha1.Expr] elements which require evaluation and are thus not constant.
|
||||
*
|
||||
* Examples of literals include: `"hello"`, `b'bytes'`, `1u`, `4.2`, `-2`,
|
||||
* `true`, `null`.
|
||||
*/
|
||||
export interface Constant {
|
||||
/**
|
||||
* null value.
|
||||
*/
|
||||
'null_value'?: (_google_protobuf_NullValue);
|
||||
/**
|
||||
* boolean value.
|
||||
*/
|
||||
'bool_value'?: (boolean);
|
||||
/**
|
||||
* int64 value.
|
||||
*/
|
||||
'int64_value'?: (number | string | Long);
|
||||
/**
|
||||
* uint64 value.
|
||||
*/
|
||||
'uint64_value'?: (number | string | Long);
|
||||
/**
|
||||
* double value.
|
||||
*/
|
||||
'double_value'?: (number | string);
|
||||
/**
|
||||
* string value.
|
||||
*/
|
||||
'string_value'?: (string);
|
||||
/**
|
||||
* bytes value.
|
||||
*/
|
||||
'bytes_value'?: (Buffer | Uint8Array | string);
|
||||
/**
|
||||
* protobuf.Duration value.
|
||||
*
|
||||
* Deprecated: duration is no longer considered a builtin cel type.
|
||||
* @deprecated
|
||||
*/
|
||||
'duration_value'?: (_google_protobuf_Duration | null);
|
||||
/**
|
||||
* protobuf.Timestamp value.
|
||||
*
|
||||
* Deprecated: timestamp is no longer considered a builtin cel type.
|
||||
* @deprecated
|
||||
*/
|
||||
'timestamp_value'?: (_google_protobuf_Timestamp | null);
|
||||
/**
|
||||
* Required. The valid constant kinds.
|
||||
*/
|
||||
'constant_kind'?: "null_value"|"bool_value"|"int64_value"|"uint64_value"|"double_value"|"string_value"|"bytes_value"|"duration_value"|"timestamp_value";
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents a primitive literal.
|
||||
*
|
||||
* Named 'Constant' here for backwards compatibility.
|
||||
*
|
||||
* This is similar as the primitives supported in the well-known type
|
||||
* `google.protobuf.Value`, but richer so it can represent CEL's full range of
|
||||
* primitives.
|
||||
*
|
||||
* Lists and structs are not included as constants as these aggregate types may
|
||||
* contain [Expr][google.api.expr.v1alpha1.Expr] elements which require evaluation and are thus not constant.
|
||||
*
|
||||
* Examples of literals include: `"hello"`, `b'bytes'`, `1u`, `4.2`, `-2`,
|
||||
* `true`, `null`.
|
||||
*/
|
||||
export interface Constant__Output {
|
||||
/**
|
||||
* null value.
|
||||
*/
|
||||
'null_value'?: (_google_protobuf_NullValue__Output);
|
||||
/**
|
||||
* boolean value.
|
||||
*/
|
||||
'bool_value'?: (boolean);
|
||||
/**
|
||||
* int64 value.
|
||||
*/
|
||||
'int64_value'?: (string);
|
||||
/**
|
||||
* uint64 value.
|
||||
*/
|
||||
'uint64_value'?: (string);
|
||||
/**
|
||||
* double value.
|
||||
*/
|
||||
'double_value'?: (number);
|
||||
/**
|
||||
* string value.
|
||||
*/
|
||||
'string_value'?: (string);
|
||||
/**
|
||||
* bytes value.
|
||||
*/
|
||||
'bytes_value'?: (Buffer);
|
||||
/**
|
||||
* protobuf.Duration value.
|
||||
*
|
||||
* Deprecated: duration is no longer considered a builtin cel type.
|
||||
* @deprecated
|
||||
*/
|
||||
'duration_value'?: (_google_protobuf_Duration__Output | null);
|
||||
/**
|
||||
* protobuf.Timestamp value.
|
||||
*
|
||||
* Deprecated: timestamp is no longer considered a builtin cel type.
|
||||
* @deprecated
|
||||
*/
|
||||
'timestamp_value'?: (_google_protobuf_Timestamp__Output | null);
|
||||
/**
|
||||
* Required. The valid constant kinds.
|
||||
*/
|
||||
'constant_kind'?: "null_value"|"bool_value"|"int64_value"|"uint64_value"|"double_value"|"string_value"|"bytes_value"|"duration_value"|"timestamp_value";
|
||||
}
|
|
@ -0,0 +1,266 @@
|
|||
// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
|
||||
|
||||
import type { Type as _google_api_expr_v1alpha1_Type, Type__Output as _google_api_expr_v1alpha1_Type__Output } from '../../../../google/api/expr/v1alpha1/Type';
|
||||
import type { Constant as _google_api_expr_v1alpha1_Constant, Constant__Output as _google_api_expr_v1alpha1_Constant__Output } from '../../../../google/api/expr/v1alpha1/Constant';
|
||||
|
||||
/**
|
||||
* Function declaration specifies one or more overloads which indicate the
|
||||
* function's parameter types and return type, and may optionally specify a
|
||||
* function definition in terms of CEL expressions.
|
||||
*
|
||||
* Functions have no observable side-effects (there may be side-effects like
|
||||
* logging which are not observable from CEL).
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Decl_FunctionDecl {
|
||||
/**
|
||||
* Required. List of function overloads, must contain at least one overload.
|
||||
*/
|
||||
'overloads'?: (_google_api_expr_v1alpha1_Decl_FunctionDecl_Overload)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Function declaration specifies one or more overloads which indicate the
|
||||
* function's parameter types and return type, and may optionally specify a
|
||||
* function definition in terms of CEL expressions.
|
||||
*
|
||||
* Functions have no observable side-effects (there may be side-effects like
|
||||
* logging which are not observable from CEL).
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Decl_FunctionDecl__Output {
|
||||
/**
|
||||
* Required. List of function overloads, must contain at least one overload.
|
||||
*/
|
||||
'overloads': (_google_api_expr_v1alpha1_Decl_FunctionDecl_Overload__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Identifier declaration which specifies its type and optional `Expr` value.
|
||||
*
|
||||
* An identifier without a value is a declaration that must be provided at
|
||||
* evaluation time. An identifier with a value should resolve to a constant,
|
||||
* but may be used in conjunction with other identifiers bound at evaluation
|
||||
* time.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Decl_IdentDecl {
|
||||
/**
|
||||
* Required. The type of the identifier.
|
||||
*/
|
||||
'type'?: (_google_api_expr_v1alpha1_Type | null);
|
||||
/**
|
||||
* The constant value of the identifier. If not specified, the identifier
|
||||
* must be supplied at evaluation time.
|
||||
*/
|
||||
'value'?: (_google_api_expr_v1alpha1_Constant | null);
|
||||
/**
|
||||
* Documentation string for the identifier.
|
||||
*/
|
||||
'doc'?: (string);
|
||||
}
|
||||
|
||||
/**
|
||||
* Identifier declaration which specifies its type and optional `Expr` value.
|
||||
*
|
||||
* An identifier without a value is a declaration that must be provided at
|
||||
* evaluation time. An identifier with a value should resolve to a constant,
|
||||
* but may be used in conjunction with other identifiers bound at evaluation
|
||||
* time.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Decl_IdentDecl__Output {
|
||||
/**
|
||||
* Required. The type of the identifier.
|
||||
*/
|
||||
'type': (_google_api_expr_v1alpha1_Type__Output | null);
|
||||
/**
|
||||
* The constant value of the identifier. If not specified, the identifier
|
||||
* must be supplied at evaluation time.
|
||||
*/
|
||||
'value': (_google_api_expr_v1alpha1_Constant__Output | null);
|
||||
/**
|
||||
* Documentation string for the identifier.
|
||||
*/
|
||||
'doc': (string);
|
||||
}
|
||||
|
||||
/**
|
||||
* An overload indicates a function's parameter types and return type, and
|
||||
* may optionally include a function body described in terms of [Expr][google.api.expr.v1alpha1.Expr]
|
||||
* values.
|
||||
*
|
||||
* Functions overloads are declared in either a function or method
|
||||
* call-style. For methods, the `params[0]` is the expected type of the
|
||||
* target receiver.
|
||||
*
|
||||
* Overloads must have non-overlapping argument types after erasure of all
|
||||
* parameterized type variables (similar as type erasure in Java).
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Decl_FunctionDecl_Overload {
|
||||
/**
|
||||
* Required. Globally unique overload name of the function which reflects
|
||||
* the function name and argument types.
|
||||
*
|
||||
* This will be used by a [Reference][google.api.expr.v1alpha1.Reference] to indicate the `overload_id` that
|
||||
* was resolved for the function `name`.
|
||||
*/
|
||||
'overload_id'?: (string);
|
||||
/**
|
||||
* List of function parameter [Type][google.api.expr.v1alpha1.Type] values.
|
||||
*
|
||||
* Param types are disjoint after generic type parameters have been
|
||||
* replaced with the type `DYN`. Since the `DYN` type is compatible with
|
||||
* any other type, this means that if `A` is a type parameter, the
|
||||
* function types `int<A>` and `int<int>` are not disjoint. Likewise,
|
||||
* `map<string, string>` is not disjoint from `map<K, V>`.
|
||||
*
|
||||
* When the `result_type` of a function is a generic type param, the
|
||||
* type param name also appears as the `type` of on at least one params.
|
||||
*/
|
||||
'params'?: (_google_api_expr_v1alpha1_Type)[];
|
||||
/**
|
||||
* The type param names associated with the function declaration.
|
||||
*
|
||||
* For example, `function ex<K,V>(K key, map<K, V> map) : V` would yield
|
||||
* the type params of `K, V`.
|
||||
*/
|
||||
'type_params'?: (string)[];
|
||||
/**
|
||||
* Required. The result type of the function. For example, the operator
|
||||
* `string.isEmpty()` would have `result_type` of `kind: BOOL`.
|
||||
*/
|
||||
'result_type'?: (_google_api_expr_v1alpha1_Type | null);
|
||||
/**
|
||||
* Whether the function is to be used in a method call-style `x.f(...)`
|
||||
* of a function call-style `f(x, ...)`.
|
||||
*
|
||||
* For methods, the first parameter declaration, `params[0]` is the
|
||||
* expected type of the target receiver.
|
||||
*/
|
||||
'is_instance_function'?: (boolean);
|
||||
/**
|
||||
* Documentation string for the overload.
|
||||
*/
|
||||
'doc'?: (string);
|
||||
}
|
||||
|
||||
/**
|
||||
* An overload indicates a function's parameter types and return type, and
|
||||
* may optionally include a function body described in terms of [Expr][google.api.expr.v1alpha1.Expr]
|
||||
* values.
|
||||
*
|
||||
* Functions overloads are declared in either a function or method
|
||||
* call-style. For methods, the `params[0]` is the expected type of the
|
||||
* target receiver.
|
||||
*
|
||||
* Overloads must have non-overlapping argument types after erasure of all
|
||||
* parameterized type variables (similar as type erasure in Java).
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Decl_FunctionDecl_Overload__Output {
|
||||
/**
|
||||
* Required. Globally unique overload name of the function which reflects
|
||||
* the function name and argument types.
|
||||
*
|
||||
* This will be used by a [Reference][google.api.expr.v1alpha1.Reference] to indicate the `overload_id` that
|
||||
* was resolved for the function `name`.
|
||||
*/
|
||||
'overload_id': (string);
|
||||
/**
|
||||
* List of function parameter [Type][google.api.expr.v1alpha1.Type] values.
|
||||
*
|
||||
* Param types are disjoint after generic type parameters have been
|
||||
* replaced with the type `DYN`. Since the `DYN` type is compatible with
|
||||
* any other type, this means that if `A` is a type parameter, the
|
||||
* function types `int<A>` and `int<int>` are not disjoint. Likewise,
|
||||
* `map<string, string>` is not disjoint from `map<K, V>`.
|
||||
*
|
||||
* When the `result_type` of a function is a generic type param, the
|
||||
* type param name also appears as the `type` of on at least one params.
|
||||
*/
|
||||
'params': (_google_api_expr_v1alpha1_Type__Output)[];
|
||||
/**
|
||||
* The type param names associated with the function declaration.
|
||||
*
|
||||
* For example, `function ex<K,V>(K key, map<K, V> map) : V` would yield
|
||||
* the type params of `K, V`.
|
||||
*/
|
||||
'type_params': (string)[];
|
||||
/**
|
||||
* Required. The result type of the function. For example, the operator
|
||||
* `string.isEmpty()` would have `result_type` of `kind: BOOL`.
|
||||
*/
|
||||
'result_type': (_google_api_expr_v1alpha1_Type__Output | null);
|
||||
/**
|
||||
* Whether the function is to be used in a method call-style `x.f(...)`
|
||||
* of a function call-style `f(x, ...)`.
|
||||
*
|
||||
* For methods, the first parameter declaration, `params[0]` is the
|
||||
* expected type of the target receiver.
|
||||
*/
|
||||
'is_instance_function': (boolean);
|
||||
/**
|
||||
* Documentation string for the overload.
|
||||
*/
|
||||
'doc': (string);
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents a declaration of a named value or function.
|
||||
*
|
||||
* A declaration is part of the contract between the expression, the agent
|
||||
* evaluating that expression, and the caller requesting evaluation.
|
||||
*/
|
||||
export interface Decl {
|
||||
/**
|
||||
* The fully qualified name of the declaration.
|
||||
*
|
||||
* Declarations are organized in containers and this represents the full path
|
||||
* to the declaration in its container, as in `google.api.expr.Decl`.
|
||||
*
|
||||
* Declarations used as [FunctionDecl.Overload][google.api.expr.v1alpha1.Decl.FunctionDecl.Overload] parameters may or may not
|
||||
* have a name depending on whether the overload is function declaration or a
|
||||
* function definition containing a result [Expr][google.api.expr.v1alpha1.Expr].
|
||||
*/
|
||||
'name'?: (string);
|
||||
/**
|
||||
* Identifier declaration.
|
||||
*/
|
||||
'ident'?: (_google_api_expr_v1alpha1_Decl_IdentDecl | null);
|
||||
/**
|
||||
* Function declaration.
|
||||
*/
|
||||
'function'?: (_google_api_expr_v1alpha1_Decl_FunctionDecl | null);
|
||||
/**
|
||||
* Required. The declaration kind.
|
||||
*/
|
||||
'decl_kind'?: "ident"|"function";
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents a declaration of a named value or function.
|
||||
*
|
||||
* A declaration is part of the contract between the expression, the agent
|
||||
* evaluating that expression, and the caller requesting evaluation.
|
||||
*/
|
||||
export interface Decl__Output {
|
||||
/**
|
||||
* The fully qualified name of the declaration.
|
||||
*
|
||||
* Declarations are organized in containers and this represents the full path
|
||||
* to the declaration in its container, as in `google.api.expr.Decl`.
|
||||
*
|
||||
* Declarations used as [FunctionDecl.Overload][google.api.expr.v1alpha1.Decl.FunctionDecl.Overload] parameters may or may not
|
||||
* have a name depending on whether the overload is function declaration or a
|
||||
* function definition containing a result [Expr][google.api.expr.v1alpha1.Expr].
|
||||
*/
|
||||
'name': (string);
|
||||
/**
|
||||
* Identifier declaration.
|
||||
*/
|
||||
'ident'?: (_google_api_expr_v1alpha1_Decl_IdentDecl__Output | null);
|
||||
/**
|
||||
* Function declaration.
|
||||
*/
|
||||
'function'?: (_google_api_expr_v1alpha1_Decl_FunctionDecl__Output | null);
|
||||
/**
|
||||
* Required. The declaration kind.
|
||||
*/
|
||||
'decl_kind'?: "ident"|"function";
|
||||
}
|
|
@ -0,0 +1,493 @@
|
|||
// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
|
||||
|
||||
import type { Constant as _google_api_expr_v1alpha1_Constant, Constant__Output as _google_api_expr_v1alpha1_Constant__Output } from '../../../../google/api/expr/v1alpha1/Constant';
|
||||
import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
|
||||
import type { Long } from '@grpc/proto-loader';
|
||||
|
||||
/**
|
||||
* A call expression, including calls to predefined functions and operators.
|
||||
*
|
||||
* For example, `value == 10`, `size(map_value)`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_Call {
|
||||
/**
|
||||
* The target of an method call-style expression. For example, `x` in
|
||||
* `x.f()`.
|
||||
*/
|
||||
'target'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* Required. The name of the function or method being called.
|
||||
*/
|
||||
'function'?: (string);
|
||||
/**
|
||||
* The arguments.
|
||||
*/
|
||||
'args'?: (_google_api_expr_v1alpha1_Expr)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* A call expression, including calls to predefined functions and operators.
|
||||
*
|
||||
* For example, `value == 10`, `size(map_value)`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_Call__Output {
|
||||
/**
|
||||
* The target of an method call-style expression. For example, `x` in
|
||||
* `x.f()`.
|
||||
*/
|
||||
'target': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* Required. The name of the function or method being called.
|
||||
*/
|
||||
'function': (string);
|
||||
/**
|
||||
* The arguments.
|
||||
*/
|
||||
'args': (_google_api_expr_v1alpha1_Expr__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* A comprehension expression applied to a list or map.
|
||||
*
|
||||
* Comprehensions are not part of the core syntax, but enabled with macros.
|
||||
* A macro matches a specific call signature within a parsed AST and replaces
|
||||
* the call with an alternate AST block. Macro expansion happens at parse
|
||||
* time.
|
||||
*
|
||||
* The following macros are supported within CEL:
|
||||
*
|
||||
* Aggregate type macros may be applied to all elements in a list or all keys
|
||||
* in a map:
|
||||
*
|
||||
* * `all`, `exists`, `exists_one` - test a predicate expression against
|
||||
* the inputs and return `true` if the predicate is satisfied for all,
|
||||
* any, or only one value `list.all(x, x < 10)`.
|
||||
* * `filter` - test a predicate expression against the inputs and return
|
||||
* the subset of elements which satisfy the predicate:
|
||||
* `payments.filter(p, p > 1000)`.
|
||||
* * `map` - apply an expression to all elements in the input and return the
|
||||
* output aggregate type: `[1, 2, 3].map(i, i * i)`.
|
||||
*
|
||||
* The `has(m.x)` macro tests whether the property `x` is present in struct
|
||||
* `m`. The semantics of this macro depend on the type of `m`. For proto2
|
||||
* messages `has(m.x)` is defined as 'defined, but not set`. For proto3, the
|
||||
* macro tests whether the property is set to its default. For map and struct
|
||||
* types, the macro tests whether the property `x` is defined on `m`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_Comprehension {
|
||||
/**
|
||||
* The name of the iteration variable.
|
||||
*/
|
||||
'iter_var'?: (string);
|
||||
/**
|
||||
* The range over which var iterates.
|
||||
*/
|
||||
'iter_range'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* The name of the variable used for accumulation of the result.
|
||||
*/
|
||||
'accu_var'?: (string);
|
||||
/**
|
||||
* The initial value of the accumulator.
|
||||
*/
|
||||
'accu_init'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* An expression which can contain iter_var and accu_var.
|
||||
*
|
||||
* Returns false when the result has been computed and may be used as
|
||||
* a hint to short-circuit the remainder of the comprehension.
|
||||
*/
|
||||
'loop_condition'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* An expression which can contain iter_var and accu_var.
|
||||
*
|
||||
* Computes the next value of accu_var.
|
||||
*/
|
||||
'loop_step'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* An expression which can contain accu_var.
|
||||
*
|
||||
* Computes the result.
|
||||
*/
|
||||
'result'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* A comprehension expression applied to a list or map.
|
||||
*
|
||||
* Comprehensions are not part of the core syntax, but enabled with macros.
|
||||
* A macro matches a specific call signature within a parsed AST and replaces
|
||||
* the call with an alternate AST block. Macro expansion happens at parse
|
||||
* time.
|
||||
*
|
||||
* The following macros are supported within CEL:
|
||||
*
|
||||
* Aggregate type macros may be applied to all elements in a list or all keys
|
||||
* in a map:
|
||||
*
|
||||
* * `all`, `exists`, `exists_one` - test a predicate expression against
|
||||
* the inputs and return `true` if the predicate is satisfied for all,
|
||||
* any, or only one value `list.all(x, x < 10)`.
|
||||
* * `filter` - test a predicate expression against the inputs and return
|
||||
* the subset of elements which satisfy the predicate:
|
||||
* `payments.filter(p, p > 1000)`.
|
||||
* * `map` - apply an expression to all elements in the input and return the
|
||||
* output aggregate type: `[1, 2, 3].map(i, i * i)`.
|
||||
*
|
||||
* The `has(m.x)` macro tests whether the property `x` is present in struct
|
||||
* `m`. The semantics of this macro depend on the type of `m`. For proto2
|
||||
* messages `has(m.x)` is defined as 'defined, but not set`. For proto3, the
|
||||
* macro tests whether the property is set to its default. For map and struct
|
||||
* types, the macro tests whether the property `x` is defined on `m`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_Comprehension__Output {
|
||||
/**
|
||||
* The name of the iteration variable.
|
||||
*/
|
||||
'iter_var': (string);
|
||||
/**
|
||||
* The range over which var iterates.
|
||||
*/
|
||||
'iter_range': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* The name of the variable used for accumulation of the result.
|
||||
*/
|
||||
'accu_var': (string);
|
||||
/**
|
||||
* The initial value of the accumulator.
|
||||
*/
|
||||
'accu_init': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* An expression which can contain iter_var and accu_var.
|
||||
*
|
||||
* Returns false when the result has been computed and may be used as
|
||||
* a hint to short-circuit the remainder of the comprehension.
|
||||
*/
|
||||
'loop_condition': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* An expression which can contain iter_var and accu_var.
|
||||
*
|
||||
* Computes the next value of accu_var.
|
||||
*/
|
||||
'loop_step': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* An expression which can contain accu_var.
|
||||
*
|
||||
* Computes the result.
|
||||
*/
|
||||
'result': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* A list creation expression.
|
||||
*
|
||||
* Lists may either be homogenous, e.g. `[1, 2, 3]`, or heterogenous, e.g.
|
||||
* `dyn([1, 'hello', 2.0])`
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_CreateList {
|
||||
/**
|
||||
* The elements part of the list.
|
||||
*/
|
||||
'elements'?: (_google_api_expr_v1alpha1_Expr)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* A list creation expression.
|
||||
*
|
||||
* Lists may either be homogenous, e.g. `[1, 2, 3]`, or heterogenous, e.g.
|
||||
* `dyn([1, 'hello', 2.0])`
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_CreateList__Output {
|
||||
/**
|
||||
* The elements part of the list.
|
||||
*/
|
||||
'elements': (_google_api_expr_v1alpha1_Expr__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* A map or message creation expression.
|
||||
*
|
||||
* Maps are constructed as `{'key_name': 'value'}`. Message construction is
|
||||
* similar, but prefixed with a type name and composed of field ids:
|
||||
* `types.MyType{field_id: 'value'}`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_CreateStruct {
|
||||
/**
|
||||
* The type name of the message to be created, empty when creating map
|
||||
* literals.
|
||||
*/
|
||||
'message_name'?: (string);
|
||||
/**
|
||||
* The entries in the creation expression.
|
||||
*/
|
||||
'entries'?: (_google_api_expr_v1alpha1_Expr_CreateStruct_Entry)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* A map or message creation expression.
|
||||
*
|
||||
* Maps are constructed as `{'key_name': 'value'}`. Message construction is
|
||||
* similar, but prefixed with a type name and composed of field ids:
|
||||
* `types.MyType{field_id: 'value'}`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_CreateStruct__Output {
|
||||
/**
|
||||
* The type name of the message to be created, empty when creating map
|
||||
* literals.
|
||||
*/
|
||||
'message_name': (string);
|
||||
/**
|
||||
* The entries in the creation expression.
|
||||
*/
|
||||
'entries': (_google_api_expr_v1alpha1_Expr_CreateStruct_Entry__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents an entry.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_CreateStruct_Entry {
|
||||
/**
|
||||
* Required. An id assigned to this node by the parser which is unique
|
||||
* in a given expression tree. This is used to associate type
|
||||
* information and other attributes to the node.
|
||||
*/
|
||||
'id'?: (number | string | Long);
|
||||
/**
|
||||
* The field key for a message creator statement.
|
||||
*/
|
||||
'field_key'?: (string);
|
||||
/**
|
||||
* The key expression for a map creation statement.
|
||||
*/
|
||||
'map_key'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* Required. The value assigned to the key.
|
||||
*/
|
||||
'value'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* The `Entry` key kinds.
|
||||
*/
|
||||
'key_kind'?: "field_key"|"map_key";
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents an entry.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_CreateStruct_Entry__Output {
|
||||
/**
|
||||
* Required. An id assigned to this node by the parser which is unique
|
||||
* in a given expression tree. This is used to associate type
|
||||
* information and other attributes to the node.
|
||||
*/
|
||||
'id': (string);
|
||||
/**
|
||||
* The field key for a message creator statement.
|
||||
*/
|
||||
'field_key'?: (string);
|
||||
/**
|
||||
* The key expression for a map creation statement.
|
||||
*/
|
||||
'map_key'?: (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* Required. The value assigned to the key.
|
||||
*/
|
||||
'value': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* The `Entry` key kinds.
|
||||
*/
|
||||
'key_kind'?: "field_key"|"map_key";
|
||||
}
|
||||
|
||||
/**
|
||||
* An identifier expression. e.g. `request`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_Ident {
|
||||
/**
|
||||
* Required. Holds a single, unqualified identifier, possibly preceded by a
|
||||
* '.'.
|
||||
*
|
||||
* Qualified names are represented by the [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression.
|
||||
*/
|
||||
'name'?: (string);
|
||||
}
|
||||
|
||||
/**
|
||||
* An identifier expression. e.g. `request`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_Ident__Output {
|
||||
/**
|
||||
* Required. Holds a single, unqualified identifier, possibly preceded by a
|
||||
* '.'.
|
||||
*
|
||||
* Qualified names are represented by the [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression.
|
||||
*/
|
||||
'name': (string);
|
||||
}
|
||||
|
||||
/**
|
||||
* A field selection expression. e.g. `request.auth`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_Select {
|
||||
/**
|
||||
* Required. The target of the selection expression.
|
||||
*
|
||||
* For example, in the select expression `request.auth`, the `request`
|
||||
* portion of the expression is the `operand`.
|
||||
*/
|
||||
'operand'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* Required. The name of the field to select.
|
||||
*
|
||||
* For example, in the select expression `request.auth`, the `auth` portion
|
||||
* of the expression would be the `field`.
|
||||
*/
|
||||
'field'?: (string);
|
||||
/**
|
||||
* Whether the select is to be interpreted as a field presence test.
|
||||
*
|
||||
* This results from the macro `has(request.auth)`.
|
||||
*/
|
||||
'test_only'?: (boolean);
|
||||
}
|
||||
|
||||
/**
|
||||
* A field selection expression. e.g. `request.auth`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Expr_Select__Output {
|
||||
/**
|
||||
* Required. The target of the selection expression.
|
||||
*
|
||||
* For example, in the select expression `request.auth`, the `request`
|
||||
* portion of the expression is the `operand`.
|
||||
*/
|
||||
'operand': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* Required. The name of the field to select.
|
||||
*
|
||||
* For example, in the select expression `request.auth`, the `auth` portion
|
||||
* of the expression would be the `field`.
|
||||
*/
|
||||
'field': (string);
|
||||
/**
|
||||
* Whether the select is to be interpreted as a field presence test.
|
||||
*
|
||||
* This results from the macro `has(request.auth)`.
|
||||
*/
|
||||
'test_only': (boolean);
|
||||
}
|
||||
|
||||
/**
|
||||
* An abstract representation of a common expression.
|
||||
*
|
||||
* Expressions are abstractly represented as a collection of identifiers,
|
||||
* select statements, function calls, literals, and comprehensions. All
|
||||
* operators with the exception of the '.' operator are modelled as function
|
||||
* calls. This makes it easy to represent new operators into the existing AST.
|
||||
*
|
||||
* All references within expressions must resolve to a [Decl][google.api.expr.v1alpha1.Decl] provided at
|
||||
* type-check for an expression to be valid. A reference may either be a bare
|
||||
* identifier `name` or a qualified identifier `google.api.name`. References
|
||||
* may either refer to a value or a function declaration.
|
||||
*
|
||||
* For example, the expression `google.api.name.startsWith('expr')` references
|
||||
* the declaration `google.api.name` within a [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression, and
|
||||
* the function declaration `startsWith`.
|
||||
*/
|
||||
export interface Expr {
|
||||
/**
|
||||
* Required. An id assigned to this node by the parser which is unique in a
|
||||
* given expression tree. This is used to associate type information and other
|
||||
* attributes to a node in the parse tree.
|
||||
*/
|
||||
'id'?: (number | string | Long);
|
||||
/**
|
||||
* A literal expression.
|
||||
*/
|
||||
'const_expr'?: (_google_api_expr_v1alpha1_Constant | null);
|
||||
/**
|
||||
* An identifier expression.
|
||||
*/
|
||||
'ident_expr'?: (_google_api_expr_v1alpha1_Expr_Ident | null);
|
||||
/**
|
||||
* A field selection expression, e.g. `request.auth`.
|
||||
*/
|
||||
'select_expr'?: (_google_api_expr_v1alpha1_Expr_Select | null);
|
||||
/**
|
||||
* A call expression, including calls to predefined functions and operators.
|
||||
*/
|
||||
'call_expr'?: (_google_api_expr_v1alpha1_Expr_Call | null);
|
||||
/**
|
||||
* A list creation expression.
|
||||
*/
|
||||
'list_expr'?: (_google_api_expr_v1alpha1_Expr_CreateList | null);
|
||||
/**
|
||||
* A map or message creation expression.
|
||||
*/
|
||||
'struct_expr'?: (_google_api_expr_v1alpha1_Expr_CreateStruct | null);
|
||||
/**
|
||||
* A comprehension expression.
|
||||
*/
|
||||
'comprehension_expr'?: (_google_api_expr_v1alpha1_Expr_Comprehension | null);
|
||||
/**
|
||||
* Required. Variants of expressions.
|
||||
*/
|
||||
'expr_kind'?: "const_expr"|"ident_expr"|"select_expr"|"call_expr"|"list_expr"|"struct_expr"|"comprehension_expr";
|
||||
}
|
||||
|
||||
/**
|
||||
* An abstract representation of a common expression.
|
||||
*
|
||||
* Expressions are abstractly represented as a collection of identifiers,
|
||||
* select statements, function calls, literals, and comprehensions. All
|
||||
* operators with the exception of the '.' operator are modelled as function
|
||||
* calls. This makes it easy to represent new operators into the existing AST.
|
||||
*
|
||||
* All references within expressions must resolve to a [Decl][google.api.expr.v1alpha1.Decl] provided at
|
||||
* type-check for an expression to be valid. A reference may either be a bare
|
||||
* identifier `name` or a qualified identifier `google.api.name`. References
|
||||
* may either refer to a value or a function declaration.
|
||||
*
|
||||
* For example, the expression `google.api.name.startsWith('expr')` references
|
||||
* the declaration `google.api.name` within a [Expr.Select][google.api.expr.v1alpha1.Expr.Select] expression, and
|
||||
* the function declaration `startsWith`.
|
||||
*/
|
||||
export interface Expr__Output {
|
||||
/**
|
||||
* Required. An id assigned to this node by the parser which is unique in a
|
||||
* given expression tree. This is used to associate type information and other
|
||||
* attributes to a node in the parse tree.
|
||||
*/
|
||||
'id': (string);
|
||||
/**
|
||||
* A literal expression.
|
||||
*/
|
||||
'const_expr'?: (_google_api_expr_v1alpha1_Constant__Output | null);
|
||||
/**
|
||||
* An identifier expression.
|
||||
*/
|
||||
'ident_expr'?: (_google_api_expr_v1alpha1_Expr_Ident__Output | null);
|
||||
/**
|
||||
* A field selection expression, e.g. `request.auth`.
|
||||
*/
|
||||
'select_expr'?: (_google_api_expr_v1alpha1_Expr_Select__Output | null);
|
||||
/**
|
||||
* A call expression, including calls to predefined functions and operators.
|
||||
*/
|
||||
'call_expr'?: (_google_api_expr_v1alpha1_Expr_Call__Output | null);
|
||||
/**
|
||||
* A list creation expression.
|
||||
*/
|
||||
'list_expr'?: (_google_api_expr_v1alpha1_Expr_CreateList__Output | null);
|
||||
/**
|
||||
* A map or message creation expression.
|
||||
*/
|
||||
'struct_expr'?: (_google_api_expr_v1alpha1_Expr_CreateStruct__Output | null);
|
||||
/**
|
||||
* A comprehension expression.
|
||||
*/
|
||||
'comprehension_expr'?: (_google_api_expr_v1alpha1_Expr_Comprehension__Output | null);
|
||||
/**
|
||||
* Required. Variants of expressions.
|
||||
*/
|
||||
'expr_kind'?: "const_expr"|"ident_expr"|"select_expr"|"call_expr"|"list_expr"|"struct_expr"|"comprehension_expr";
|
||||
}
|
|
@ -0,0 +1,32 @@
|
|||
// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
|
||||
|
||||
import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
|
||||
import type { SourceInfo as _google_api_expr_v1alpha1_SourceInfo, SourceInfo__Output as _google_api_expr_v1alpha1_SourceInfo__Output } from '../../../../google/api/expr/v1alpha1/SourceInfo';
|
||||
|
||||
/**
|
||||
* An expression together with source information as returned by the parser.
|
||||
*/
|
||||
export interface ParsedExpr {
|
||||
/**
|
||||
* The parsed expression.
|
||||
*/
|
||||
'expr'?: (_google_api_expr_v1alpha1_Expr | null);
|
||||
/**
|
||||
* The source info derived from input that generated the parsed `expr`.
|
||||
*/
|
||||
'source_info'?: (_google_api_expr_v1alpha1_SourceInfo | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* An expression together with source information as returned by the parser.
|
||||
*/
|
||||
export interface ParsedExpr__Output {
|
||||
/**
|
||||
* The parsed expression.
|
||||
*/
|
||||
'expr': (_google_api_expr_v1alpha1_Expr__Output | null);
|
||||
/**
|
||||
* The source info derived from input that generated the parsed `expr`.
|
||||
*/
|
||||
'source_info': (_google_api_expr_v1alpha1_SourceInfo__Output | null);
|
||||
}
|
|
@ -0,0 +1,55 @@
|
|||
// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
|
||||
|
||||
import type { Constant as _google_api_expr_v1alpha1_Constant, Constant__Output as _google_api_expr_v1alpha1_Constant__Output } from '../../../../google/api/expr/v1alpha1/Constant';
|
||||
|
||||
/**
|
||||
* Describes a resolved reference to a declaration.
|
||||
*/
|
||||
export interface Reference {
|
||||
/**
|
||||
* The fully qualified name of the declaration.
|
||||
*/
|
||||
'name'?: (string);
|
||||
/**
|
||||
* For references to functions, this is a list of `Overload.overload_id`
|
||||
* values which match according to typing rules.
|
||||
*
|
||||
* If the list has more than one element, overload resolution among the
|
||||
* presented candidates must happen at runtime because of dynamic types. The
|
||||
* type checker attempts to narrow down this list as much as possible.
|
||||
*
|
||||
* Empty if this is not a reference to a [Decl.FunctionDecl][google.api.expr.v1alpha1.Decl.FunctionDecl].
|
||||
*/
|
||||
'overload_id'?: (string)[];
|
||||
/**
|
||||
* For references to constants, this may contain the value of the
|
||||
* constant if known at compile time.
|
||||
*/
|
||||
'value'?: (_google_api_expr_v1alpha1_Constant | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Describes a resolved reference to a declaration.
|
||||
*/
|
||||
export interface Reference__Output {
|
||||
/**
|
||||
* The fully qualified name of the declaration.
|
||||
*/
|
||||
'name': (string);
|
||||
/**
|
||||
* For references to functions, this is a list of `Overload.overload_id`
|
||||
* values which match according to typing rules.
|
||||
*
|
||||
* If the list has more than one element, overload resolution among the
|
||||
* presented candidates must happen at runtime because of dynamic types. The
|
||||
* type checker attempts to narrow down this list as much as possible.
|
||||
*
|
||||
* Empty if this is not a reference to a [Decl.FunctionDecl][google.api.expr.v1alpha1.Decl.FunctionDecl].
|
||||
*/
|
||||
'overload_id': (string)[];
|
||||
/**
|
||||
* For references to constants, this may contain the value of the
|
||||
* constant if known at compile time.
|
||||
*/
|
||||
'value': (_google_api_expr_v1alpha1_Constant__Output | null);
|
||||
}
|
|
@ -0,0 +1,87 @@
|
|||
// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
|
||||
|
||||
import type { Expr as _google_api_expr_v1alpha1_Expr, Expr__Output as _google_api_expr_v1alpha1_Expr__Output } from '../../../../google/api/expr/v1alpha1/Expr';
|
||||
|
||||
/**
|
||||
* Source information collected at parse time.
|
||||
*/
|
||||
export interface SourceInfo {
|
||||
/**
|
||||
* The syntax version of the source, e.g. `cel1`.
|
||||
*/
|
||||
'syntax_version'?: (string);
|
||||
/**
|
||||
* The location name. All position information attached to an expression is
|
||||
* relative to this location.
|
||||
*
|
||||
* The location could be a file, UI element, or similar. For example,
|
||||
* `acme/app/AnvilPolicy.cel`.
|
||||
*/
|
||||
'location'?: (string);
|
||||
/**
|
||||
* Monotonically increasing list of character offsets where newlines appear.
|
||||
*
|
||||
* The line number of a given position is the index `i` where for a given
|
||||
* `id` the `line_offsets[i] < id_positions[id] < line_offsets[i+1]`. The
|
||||
* column may be derivd from `id_positions[id] - line_offsets[i]`.
|
||||
*/
|
||||
'line_offsets'?: (number)[];
|
||||
/**
|
||||
* A map from the parse node id (e.g. `Expr.id`) to the character offset
|
||||
* within source.
|
||||
*/
|
||||
'positions'?: ({[key: number]: number});
|
||||
/**
|
||||
* A map from the parse node id where a macro replacement was made to the
|
||||
* call `Expr` that resulted in a macro expansion.
|
||||
*
|
||||
* For example, `has(value.field)` is a function call that is replaced by a
|
||||
* `test_only` field selection in the AST. Likewise, the call
|
||||
* `list.exists(e, e > 10)` translates to a comprehension expression. The key
|
||||
* in the map corresponds to the expression id of the expanded macro, and the
|
||||
* value is the call `Expr` that was replaced.
|
||||
*/
|
||||
'macro_calls'?: ({[key: number]: _google_api_expr_v1alpha1_Expr});
|
||||
}
|
||||
|
||||
/**
|
||||
* Source information collected at parse time.
|
||||
*/
|
||||
export interface SourceInfo__Output {
|
||||
/**
|
||||
* The syntax version of the source, e.g. `cel1`.
|
||||
*/
|
||||
'syntax_version': (string);
|
||||
/**
|
||||
* The location name. All position information attached to an expression is
|
||||
* relative to this location.
|
||||
*
|
||||
* The location could be a file, UI element, or similar. For example,
|
||||
* `acme/app/AnvilPolicy.cel`.
|
||||
*/
|
||||
'location': (string);
|
||||
/**
|
||||
* Monotonically increasing list of character offsets where newlines appear.
|
||||
*
|
||||
* The line number of a given position is the index `i` where for a given
|
||||
* `id` the `line_offsets[i] < id_positions[id] < line_offsets[i+1]`. The
|
||||
* column may be derivd from `id_positions[id] - line_offsets[i]`.
|
||||
*/
|
||||
'line_offsets': (number)[];
|
||||
/**
|
||||
* A map from the parse node id (e.g. `Expr.id`) to the character offset
|
||||
* within source.
|
||||
*/
|
||||
'positions': ({[key: number]: number});
|
||||
/**
|
||||
* A map from the parse node id where a macro replacement was made to the
|
||||
* call `Expr` that resulted in a macro expansion.
|
||||
*
|
||||
* For example, `has(value.field)` is a function call that is replaced by a
|
||||
* `test_only` field selection in the AST. Likewise, the call
|
||||
* `list.exists(e, e > 10)` translates to a comprehension expression. The key
|
||||
* in the map corresponds to the expression id of the expanded macro, and the
|
||||
* value is the call `Expr` that was replaced.
|
||||
*/
|
||||
'macro_calls': ({[key: number]: _google_api_expr_v1alpha1_Expr__Output});
|
||||
}
|
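--- a/packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/SourcePosition.ts
+++ b/packages/grpc-js-xds/src/generated/google/api/expr/v1alpha1/SourcePosition.ts
@@ -0,0 +1,50 @@
+// Original file: deps/googleapis/google/api/expr/v1alpha1/syntax.proto
+
+
+/**
+* A specific position in source.
+*/
+export interface SourcePosition {
+/**
+* The soucre location name (e.g. file name).
+*/
+'location'?: (string);
+/**
+* The character offset.
+*/
+'offset'?: (number);
+/**
+* The 1-based index of the starting line in the source text
+* where the issue occurs, or 0 if unknown.
+*/
+'line'?: (number);
+/**
+* The 0-based index of the starting position within the line of source text
+* where the issue occurs. Only meaningful if line is nonzero.
+*/
+'column'?: (number);
+}
+
+/**
+* A specific position in source.
+*/
+export interface SourcePosition__Output {
+/**
+* The soucre location name (e.g. file name).
+*/
+'location': (string);
+/**
+* The character offset.
+*/
+'offset': (number);
+/**
+* The 1-based index of the starting line in the source text
+* where the issue occurs, or 0 if unknown.
+*/
+'line': (number);
+/**
+* The 0-based index of the starting position within the line of source text
+* where the issue occurs. Only meaningful if line is nonzero.
+*/
+'column': (number);
+}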
|
@ -0,0 +1,416 @@
|
|||
// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
|
||||
|
||||
import type { Empty as _google_protobuf_Empty, Empty__Output as _google_protobuf_Empty__Output } from '../../../../google/protobuf/Empty';
|
||||
import type { NullValue as _google_protobuf_NullValue, NullValue__Output as _google_protobuf_NullValue__Output } from '../../../../google/protobuf/NullValue';
|
||||
import type { Type as _google_api_expr_v1alpha1_Type, Type__Output as _google_api_expr_v1alpha1_Type__Output } from '../../../../google/api/expr/v1alpha1/Type';
|
||||
|
||||
/**
|
||||
* Application defined abstract type.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Type_AbstractType {
|
||||
/**
|
||||
* The fully qualified name of this abstract type.
|
||||
*/
|
||||
'name'?: (string);
|
||||
/**
|
||||
* Parameter types for this abstract type.
|
||||
*/
|
||||
'parameter_types'?: (_google_api_expr_v1alpha1_Type)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Application defined abstract type.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Type_AbstractType__Output {
|
||||
/**
|
||||
* The fully qualified name of this abstract type.
|
||||
*/
|
||||
'name': (string);
|
||||
/**
|
||||
* Parameter types for this abstract type.
|
||||
*/
|
||||
'parameter_types': (_google_api_expr_v1alpha1_Type__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Function type with result and arg types.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Type_FunctionType {
|
||||
/**
|
||||
* Result type of the function.
|
||||
*/
|
||||
'result_type'?: (_google_api_expr_v1alpha1_Type | null);
|
||||
/**
|
||||
* Argument types of the function.
|
||||
*/
|
||||
'arg_types'?: (_google_api_expr_v1alpha1_Type)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* Function type with result and arg types.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Type_FunctionType__Output {
|
||||
/**
|
||||
* Result type of the function.
|
||||
*/
|
||||
'result_type': (_google_api_expr_v1alpha1_Type__Output | null);
|
||||
/**
|
||||
* Argument types of the function.
|
||||
*/
|
||||
'arg_types': (_google_api_expr_v1alpha1_Type__Output)[];
|
||||
}
|
||||
|
||||
/**
|
||||
* List type with typed elements, e.g. `list<example.proto.MyMessage>`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Type_ListType {
|
||||
/**
|
||||
* The element type.
|
||||
*/
|
||||
'elem_type'?: (_google_api_expr_v1alpha1_Type | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* List type with typed elements, e.g. `list<example.proto.MyMessage>`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Type_ListType__Output {
|
||||
/**
|
||||
* The element type.
|
||||
*/
|
||||
'elem_type': (_google_api_expr_v1alpha1_Type__Output | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Map type with parameterized key and value types, e.g. `map<string, int>`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Type_MapType {
|
||||
/**
|
||||
* The type of the key.
|
||||
*/
|
||||
'key_type'?: (_google_api_expr_v1alpha1_Type | null);
|
||||
/**
|
||||
* The type of the value.
|
||||
*/
|
||||
'value_type'?: (_google_api_expr_v1alpha1_Type | null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Map type with parameterized key and value types, e.g. `map<string, int>`.
|
||||
*/
|
||||
export interface _google_api_expr_v1alpha1_Type_MapType__Output {
|
||||
/**
|
||||
* The type of the key.
|
||||
*/
|
||||
'key_type': (_google_api_expr_v1alpha1_Type__Output | null);
|
||||
/**
|
||||
* The type of the value.
|
||||
*/
|
||||
'value_type': (_google_api_expr_v1alpha1_Type__Output | null);
|
||||
}
|
||||
|
||||
// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
|
||||
|
||||
/**
|
||||
* CEL primitive types.
|
||||
*/
|
||||
export const _google_api_expr_v1alpha1_Type_PrimitiveType = {
|
||||
/**
|
||||
* Unspecified type.
|
||||
*/
|
||||
PRIMITIVE_TYPE_UNSPECIFIED: 'PRIMITIVE_TYPE_UNSPECIFIED',
|
||||
/**
|
||||
* Boolean type.
|
||||
*/
|
||||
BOOL: 'BOOL',
|
||||
/**
|
||||
* Int64 type.
|
||||
*
|
||||
* Proto-based integer values are widened to int64.
|
||||
*/
|
||||
INT64: 'INT64',
|
||||
/**
|
||||
* Uint64 type.
|
||||
*
|
||||
* Proto-based unsigned integer values are widened to uint64.
|
||||
*/
|
||||
UINT64: 'UINT64',
|
||||
/**
|
||||
* Double type.
|
||||
*
|
||||
* Proto-based float values are widened to double values.
|
||||
*/
|
||||
DOUBLE: 'DOUBLE',
|
||||
/**
|
||||
* String type.
|
||||
*/
|
||||
STRING: 'STRING',
|
||||
/**
|
||||
* Bytes type.
|
||||
*/
|
||||
BYTES: 'BYTES',
|
||||
} as const;
|
||||
|
||||
/**
|
||||
* CEL primitive types.
|
||||
*/
|
||||
export type _google_api_expr_v1alpha1_Type_PrimitiveType =
|
||||
/**
|
||||
* Unspecified type.
|
||||
*/
|
||||
| 'PRIMITIVE_TYPE_UNSPECIFIED'
|
||||
| 0
|
||||
/**
|
||||
* Boolean type.
|
||||
*/
|
||||
| 'BOOL'
|
||||
| 1
|
||||
/**
|
||||
* Int64 type.
|
||||
*
|
||||
* Proto-based integer values are widened to int64.
|
||||
*/
|
||||
| 'INT64'
|
||||
| 2
|
||||
/**
|
||||
* Uint64 type.
|
||||
*
|
||||
* Proto-based unsigned integer values are widened to uint64.
|
||||
*/
|
||||
| 'UINT64'
|
||||
| 3
|
||||
/**
|
||||
* Double type.
|
||||
*
|
||||
* Proto-based float values are widened to double values.
|
||||
*/
|
||||
| 'DOUBLE'
|
||||
| 4
|
||||
/**
|
||||
* String type.
|
||||
*/
|
||||
| 'STRING'
|
||||
| 5
|
||||
/**
|
||||
* Bytes type.
|
||||
*/
|
||||
| 'BYTES'
|
||||
| 6
|
||||
|
||||
/**
|
||||
* CEL primitive types.
|
||||
*/
|
||||
export type _google_api_expr_v1alpha1_Type_PrimitiveType__Output = typeof _google_api_expr_v1alpha1_Type_PrimitiveType[keyof typeof _google_api_expr_v1alpha1_Type_PrimitiveType]
|
||||
|
||||
// Original file: deps/googleapis/google/api/expr/v1alpha1/checked.proto
|
||||
|
||||
/**
|
||||
* Well-known protobuf types treated with first-class support in CEL.
|
||||
*/
|
||||
export const _google_api_expr_v1alpha1_Type_WellKnownType = {
|
||||
/**
|
||||
* Unspecified type.
|
||||
*/
|
||||
WELL_KNOWN_TYPE_UNSPECIFIED: 'WELL_KNOWN_TYPE_UNSPECIFIED',
|
||||
/**
|
||||
* Well-known protobuf.Any type.
|
||||
*
|
||||
* Any types are a polymorphic message type. During type-checking they are
|
||||
* treated like `DYN` types, but at runtime they are resolved to a specific
|
||||
* message type specified at evaluation time.
|
||||
*/
|
||||
ANY: 'ANY',
|
||||
/**
|
||||
* Well-known protobuf.Timestamp type, internally referenced as `timestamp`.
|
||||
*/
|
||||
TIMESTAMP: 'TIMESTAMP',
|
||||
/**
|
||||
* Well-known protobuf.Duration type, internally referenced as `duration`.
|
||||
*/
|
||||
DURATION: 'DURATION',
|
||||
} as const;
|
||||
|
||||
/**
|
||||
* Well-known protobuf types treated with first-class support in CEL.
|
||||
*/
|
||||
export type _google_api_expr_v1alpha1_Type_WellKnownType =
|
||||
/**
|
||||
* Unspecified type.
|
||||
*/
|
||||
| 'WELL_KNOWN_TYPE_UNSPECIFIED'
|
||||
| 0
|
||||
/**
|
||||
* Well-known protobuf.Any type.
|
||||
*
|
||||
* Any types are a polymorphic message type. During type-checking they are
|
||||
* treated like `DYN` types, but at runtime they are resolved to a specific
|
||||
* message type specified at evaluation time.
|
||||
*/
|
||||
| 'ANY'
|
||||
| 1
|
||||
/**
|
||||
* Well-known protobuf.Timestamp type, internally referenced as `timestamp`.
|
||||
*/
|
||||
| 'TIMESTAMP'
|
||||
| 2
|
||||
/**
|
||||
* Well-known protobuf.Duration type, internally referenced as `duration`.
|
||||
*/
|
||||
| 'DURATION'
|
||||
| 3
|
||||
|
||||
/**
|
||||
* Well-known protobuf types treated with first-class support in CEL.
|
||||
*/
|
||||
export type _google_api_expr_v1alpha1_Type_WellKnownType__Output = typeof _google_api_expr_v1alpha1_Type_WellKnownType[keyof typeof _google_api_expr_v1alpha1_Type_WellKnownType]
|
||||
|
||||
/**
|
||||
* Represents a CEL type.
|
||||
*/
|
||||
export interface Type {
|
||||
/**
|
||||
* Dynamic type.
|
||||
*/
|
||||
'dyn'?: (_google_protobuf_Empty | null);
|
||||
/**
|
||||
* Null value.
|
||||
*/
|
||||
'null'?: (_google_protobuf_NullValue);
|
||||
/**
|
||||
* Primitive types: `true`, `1u`, `-2.0`, `'string'`, `b'bytes'`.
|
||||
*/
|
||||
'primitive'?: (_google_api_expr_v1alpha1_Type_PrimitiveType);
|
||||
/**
|
||||
* Wrapper of a primitive type, e.g. `google.protobuf.Int64Value`.
|
||||
*/
|
||||
'wrapper'?: (_google_api_expr_v1alpha1_Type_PrimitiveType);
|
||||
/**
|
||||
* Well-known protobuf type such as `google.protobuf.Timestamp`.
|
||||
*/
|
||||
'well_known'?: (_google_api_expr_v1alpha1_Type_WellKnownType);
|
||||
/**
|
||||
* Parameterized list with elements of `list_type`, e.g. `list<timestamp>`.
|
||||
*/
|
||||
'list_type'?: (_google_api_expr_v1alpha1_Type_ListType | null);
|
||||
/**
|
||||
* Parameterized map with typed keys and values.
|
||||
*/
|
||||
'map_type'?: (_google_api_expr_v1alpha1_Type_MapType | null);
|
||||
/**
|
||||
* Function type.
|
||||
*/
|
||||
'function'?: (_google_api_expr_v1alpha1_Type_FunctionType | null);
|
||||
/**
|
||||
* Protocol buffer message type.
|
||||
*
|
||||
* The `message_type` string specifies the qualified message type name. For
|
||||
* example, `google.plus.Profile`.
|
||||
*/
|
||||
'message_type'?: (string);
|
||||
/**
|
||||
* Type param type.
|
||||
*
|
||||
* The `type_param` string specifies the type parameter name, e.g. `list<E>`
|
||||
* would be a `list_type` whose element type was a `type_param` type
|
||||
* named `E`.
|
||||
*/
|
||||
'type_param'?: (string);
|
||||
/**
|
||||
* Type type.
|
||||
*
|
||||
* The `type` value specifies the target type. e.g. int is type with a
|
||||
* target type of `Primitive.INT`.
|
||||
*/
|
||||
'type'?: (_google_api_expr_v1alpha1_Type | null);
|
||||
/**
|
||||
* Error type.
|
||||
*
|
||||
* During type-checking if an expression is an error, its type is propagated
|
||||
* as the `ERROR` type. This permits the type-checker to discover other
|
||||
* errors present in the expression.
|
||||
*/
|
||||
'error'?: (_google_protobuf_Empty | null);
|
||||
/**
|
||||
* Abstract, application defined type.
|
||||
*/
|
||||
'abstract_type'?: (_google_api_expr_v1alpha1_Type_AbstractType | null);
|
||||
/**
|
||||
* The kind of type.
|
||||
*/
|
||||
'type_kind'?: "dyn"|"null"|"primitive"|"wrapper"|"well_known"|"list_type"|"map_type"|"function"|"message_type"|"type_param"|"type"|"error"|"abstract_type";
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents a CEL type.
|
||||
*/
|
||||
export interface Type__Output {
|
||||
/**
|
||||
* Dynamic type.
|
||||
*/
|
||||
'dyn'?: (_google_protobuf_Empty__Output | null);
|
||||
/**
|
||||
* Null value.
|
||||
*/
|
||||
'null'?: (_google_protobuf_NullValue__Output);
|
||||
/**
|
||||
* Primitive types: `true`, `1u`, `-2.0`, `'string'`, `b'bytes'`.
|
||||
*/
|
||||
'primitive'?: (_google_api_expr_v1alpha1_Type_PrimitiveType__Output);
|
||||
/**
|
||||
* Wrapper of a primitive type, e.g. `google.protobuf.Int64Value`.
|
||||
*/
|
||||
'wrapper'?: (_google_api_expr_v1alpha1_Type_PrimitiveType__Output);
|
||||
/**
|
||||
* Well-known protobuf type such as `google.protobuf.Timestamp`.
|
||||
*/
|
||||
'well_known'?: (_google_api_expr_v1alpha1_Type_WellKnownType__Output);
|
||||
/**
|
||||
* Parameterized list with elements of `list_type`, e.g. `list<timestamp>`.
|
||||
*/
|
||||
'list_type'?: (_google_api_expr_v1alpha1_Type_ListType__Output | null);
|
||||
/**
|
||||
* Parameterized map with typed keys and values.
|
||||
*/
|
||||
'map_type'?: (_google_api_expr_v1alpha1_Type_MapType__Output | null);
|
||||
/**
|
||||
* Function type.
|
||||
*/
|
||||
'function'?: (_google_api_expr_v1alpha1_Type_FunctionType__Output | null);
|
||||
/**
|
||||
* Protocol buffer message type.
|
||||
*
|
||||
* The `message_type` string specifies the qualified message type name. For
|
||||
* example, `google.plus.Profile`.
|
||||
*/
|
||||
'message_type'?: (string);
|
||||
/**
|
||||
* Type param type.
|
||||
*
|
||||
* The `type_param` string specifies the type parameter name, e.g. `list<E>`
|
||||
* would be a `list_type` whose element type was a `type_param` type
|
||||
* named `E`.
|
||||
*/
|
||||
'type_param'?: (string);
|
||||
/**
|
||||
* Type type.
|
||||
*
|
||||
* The `type` value specifies the target type. e.g. int is type with a
|
||||
* target type of `Primitive.INT`.
|
||||
*/
|
||||
'type'?: (_google_api_expr_v1alpha1_Type__Output | null);
|
||||
/**
|
||||
* Error type.
|
||||
*
|
||||
* During type-checking if an expression is an error, its type is propagated
|
||||
* as the `ERROR` type. This permits the type-checker to discover other
|
||||
* errors present in the expression.
|
||||
*/
|
||||
'error'?: (_google_protobuf_Empty__Output | null);
|
||||
/**
|
||||
* Abstract, application defined type.
|
||||
*/
|
||||
'abstract_type'?: (_google_api_expr_v1alpha1_Type_AbstractType__Output | null);
|
||||
/**
|
||||
* The kind of type.
|
||||
*/
|
||||
'type_kind'?: "dyn"|"null"|"primitive"|"wrapper"|"well_known"|"list_type"|"map_type"|"function"|"message_type"|"type_param"|"type"|"error"|"abstract_type";
|
||||
}
|
|
@ -50,7 +50,6 @@ export interface FieldOptions {
|
|||
'weak'?: (boolean);
|
||||
'uninterpretedOption'?: (_google_protobuf_UninterpretedOption)[];
|
||||
'.validate.rules'?: (_validate_FieldRules | null);
|
||||
'.udpa.annotations.sensitive'?: (boolean);
|
||||
'.envoy.annotations.deprecated_at_minor_version'?: (string);
|
||||
'.udpa.annotations.field_migrate'?: (_udpa_annotations_FieldMigrateAnnotation | null);
|
||||
'.envoy.annotations.disallowed_by_default'?: (boolean);
|
||||
|
@ -66,7 +65,6 @@ export interface FieldOptions__Output {
|
|||
'weak': (boolean);
|
||||
'uninterpretedOption': (_google_protobuf_UninterpretedOption__Output)[];
|
||||
'.validate.rules': (_validate_FieldRules__Output | null);
|
||||
'.udpa.annotations.sensitive': (boolean);
|
||||
'.envoy.annotations.deprecated_at_minor_version': (string);
|
||||
'.udpa.annotations.field_migrate': (_udpa_annotations_FieldMigrateAnnotation__Output | null);
|
||||
'.envoy.annotations.disallowed_by_default': (boolean);
|
||||
|
|
|
@ -0,0 +1,253 @@
|
|||
import type * as grpc from '@grpc/grpc-js';
|
||||
import type { EnumTypeDefinition, MessageTypeDefinition } from '@grpc/proto-loader';
|
||||
|
||||
|
||||
type SubtypeConstructor<Constructor extends new (...args: any) => any, Subtype> = {
|
||||
new(...args: ConstructorParameters<Constructor>): Subtype;
|
||||
};
|
||||
|
||||
export interface ProtoGrpcType {
|
||||
envoy: {
|
||||
annotations: {
|
||||
}
|
||||
config: {
|
||||
core: {
|
||||
v3: {
|
||||
Address: MessageTypeDefinition
|
||||
AsyncDataSource: MessageTypeDefinition
|
||||
BackoffStrategy: MessageTypeDefinition
|
||||
BindConfig: MessageTypeDefinition
|
||||
BuildVersion: MessageTypeDefinition
|
||||
CidrRange: MessageTypeDefinition
|
||||
ControlPlane: MessageTypeDefinition
|
||||
DataSource: MessageTypeDefinition
|
||||
EnvoyInternalAddress: MessageTypeDefinition
|
||||
Extension: MessageTypeDefinition
|
||||
ExtraSourceAddress: MessageTypeDefinition
|
||||
HeaderMap: MessageTypeDefinition
|
||||
HeaderValue: MessageTypeDefinition
|
||||
HeaderValueOption: MessageTypeDefinition
|
||||
HttpUri: MessageTypeDefinition
|
||||
KeyValue: MessageTypeDefinition
|
||||
KeyValueAppend: MessageTypeDefinition
|
||||
KeyValueMutation: MessageTypeDefinition
|
||||
Locality: MessageTypeDefinition
|
||||
Metadata: MessageTypeDefinition
|
||||
Node: MessageTypeDefinition
|
||||
Pipe: MessageTypeDefinition
|
||||
ProxyProtocolConfig: MessageTypeDefinition
|
||||
ProxyProtocolPassThroughTLVs: MessageTypeDefinition
|
||||
QueryParameter: MessageTypeDefinition
|
||||
RemoteDataSource: MessageTypeDefinition
|
||||
RequestMethod: EnumTypeDefinition
|
||||
RetryPolicy: MessageTypeDefinition
|
||||
RoutingPriority: EnumTypeDefinition
|
||||
RuntimeDouble: MessageTypeDefinition
|
||||
RuntimeFeatureFlag: MessageTypeDefinition
|
||||
RuntimeFractionalPercent: MessageTypeDefinition
|
||||
RuntimePercent: MessageTypeDefinition
|
||||
RuntimeUInt32: MessageTypeDefinition
|
||||
SocketAddress: MessageTypeDefinition
|
||||
SocketOption: MessageTypeDefinition
|
||||
SocketOptionsOverride: MessageTypeDefinition
|
||||
TcpKeepalive: MessageTypeDefinition
|
||||
TrafficDirection: EnumTypeDefinition
|
||||
TransportSocket: MessageTypeDefinition
|
||||
TypedExtensionConfig: MessageTypeDefinition
|
||||
WatchedDirectory: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
rbac: {
|
||||
v3: {
|
||||
Action: MessageTypeDefinition
|
||||
Permission: MessageTypeDefinition
|
||||
Policy: MessageTypeDefinition
|
||||
Principal: MessageTypeDefinition
|
||||
RBAC: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
route: {
|
||||
v3: {
|
||||
ClusterSpecifierPlugin: MessageTypeDefinition
|
||||
CorsPolicy: MessageTypeDefinition
|
||||
Decorator: MessageTypeDefinition
|
||||
DirectResponseAction: MessageTypeDefinition
|
||||
FilterAction: MessageTypeDefinition
|
||||
FilterConfig: MessageTypeDefinition
|
||||
HeaderMatcher: MessageTypeDefinition
|
||||
HedgePolicy: MessageTypeDefinition
|
||||
InternalRedirectPolicy: MessageTypeDefinition
|
||||
NonForwardingAction: MessageTypeDefinition
|
||||
QueryParameterMatcher: MessageTypeDefinition
|
||||
RateLimit: MessageTypeDefinition
|
||||
RedirectAction: MessageTypeDefinition
|
||||
RetryPolicy: MessageTypeDefinition
|
||||
Route: MessageTypeDefinition
|
||||
RouteAction: MessageTypeDefinition
|
||||
RouteList: MessageTypeDefinition
|
||||
RouteMatch: MessageTypeDefinition
|
||||
Tracing: MessageTypeDefinition
|
||||
VirtualCluster: MessageTypeDefinition
|
||||
VirtualHost: MessageTypeDefinition
|
||||
WeightedCluster: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
}
|
||||
type: {
|
||||
matcher: {
|
||||
v3: {
|
||||
DoubleMatcher: MessageTypeDefinition
|
||||
FilterStateMatcher: MessageTypeDefinition
|
||||
ListMatcher: MessageTypeDefinition
|
||||
ListStringMatcher: MessageTypeDefinition
|
||||
MetadataMatcher: MessageTypeDefinition
|
||||
OrMatcher: MessageTypeDefinition
|
||||
PathMatcher: MessageTypeDefinition
|
||||
RegexMatchAndSubstitute: MessageTypeDefinition
|
||||
RegexMatcher: MessageTypeDefinition
|
||||
StringMatcher: MessageTypeDefinition
|
||||
ValueMatcher: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
metadata: {
|
||||
v3: {
|
||||
MetadataKey: MessageTypeDefinition
|
||||
MetadataKind: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
tracing: {
|
||||
v3: {
|
||||
CustomTag: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
v3: {
|
||||
DoubleRange: MessageTypeDefinition
|
||||
FractionalPercent: MessageTypeDefinition
|
||||
Int32Range: MessageTypeDefinition
|
||||
Int64Range: MessageTypeDefinition
|
||||
Percent: MessageTypeDefinition
|
||||
SemanticVersion: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
}
|
||||
google: {
|
||||
api: {
|
||||
expr: {
|
||||
v1alpha1: {
|
||||
CheckedExpr: MessageTypeDefinition
|
||||
Constant: MessageTypeDefinition
|
||||
Decl: MessageTypeDefinition
|
||||
Expr: MessageTypeDefinition
|
||||
ParsedExpr: MessageTypeDefinition
|
||||
Reference: MessageTypeDefinition
|
||||
SourceInfo: MessageTypeDefinition
|
||||
SourcePosition: MessageTypeDefinition
|
||||
Type: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
}
|
||||
protobuf: {
|
||||
Any: MessageTypeDefinition
|
||||
BoolValue: MessageTypeDefinition
|
||||
BytesValue: MessageTypeDefinition
|
||||
DescriptorProto: MessageTypeDefinition
|
||||
DoubleValue: MessageTypeDefinition
|
||||
Duration: MessageTypeDefinition
|
||||
Empty: MessageTypeDefinition
|
||||
EnumDescriptorProto: MessageTypeDefinition
|
||||
EnumOptions: MessageTypeDefinition
|
||||
EnumValueDescriptorProto: MessageTypeDefinition
|
||||
EnumValueOptions: MessageTypeDefinition
|
||||
FieldDescriptorProto: MessageTypeDefinition
|
||||
FieldOptions: MessageTypeDefinition
|
||||
FileDescriptorProto: MessageTypeDefinition
|
||||
FileDescriptorSet: MessageTypeDefinition
|
||||
FileOptions: MessageTypeDefinition
|
||||
FloatValue: MessageTypeDefinition
|
||||
GeneratedCodeInfo: MessageTypeDefinition
|
||||
Int32Value: MessageTypeDefinition
|
||||
Int64Value: MessageTypeDefinition
|
||||
ListValue: MessageTypeDefinition
|
||||
MessageOptions: MessageTypeDefinition
|
||||
MethodDescriptorProto: MessageTypeDefinition
|
||||
MethodOptions: MessageTypeDefinition
|
||||
NullValue: EnumTypeDefinition
|
||||
OneofDescriptorProto: MessageTypeDefinition
|
||||
OneofOptions: MessageTypeDefinition
|
||||
ServiceDescriptorProto: MessageTypeDefinition
|
||||
ServiceOptions: MessageTypeDefinition
|
||||
SourceCodeInfo: MessageTypeDefinition
|
||||
StringValue: MessageTypeDefinition
|
||||
Struct: MessageTypeDefinition
|
||||
Timestamp: MessageTypeDefinition
|
||||
UInt32Value: MessageTypeDefinition
|
||||
UInt64Value: MessageTypeDefinition
|
||||
UninterpretedOption: MessageTypeDefinition
|
||||
Value: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
udpa: {
|
||||
annotations: {
|
||||
FieldMigrateAnnotation: MessageTypeDefinition
|
||||
FileMigrateAnnotation: MessageTypeDefinition
|
||||
MigrateAnnotation: MessageTypeDefinition
|
||||
PackageVersionStatus: EnumTypeDefinition
|
||||
StatusAnnotation: MessageTypeDefinition
|
||||
VersioningAnnotation: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
validate: {
|
||||
AnyRules: MessageTypeDefinition
|
||||
BoolRules: MessageTypeDefinition
|
||||
BytesRules: MessageTypeDefinition
|
||||
DoubleRules: MessageTypeDefinition
|
||||
DurationRules: MessageTypeDefinition
|
||||
EnumRules: MessageTypeDefinition
|
||||
FieldRules: MessageTypeDefinition
|
||||
Fixed32Rules: MessageTypeDefinition
|
||||
Fixed64Rules: MessageTypeDefinition
|
||||
FloatRules: MessageTypeDefinition
|
||||
Int32Rules: MessageTypeDefinition
|
||||
Int64Rules: MessageTypeDefinition
|
||||
KnownRegex: EnumTypeDefinition
|
||||
MapRules: MessageTypeDefinition
|
||||
MessageRules: MessageTypeDefinition
|
||||
RepeatedRules: MessageTypeDefinition
|
||||
SFixed32Rules: MessageTypeDefinition
|
||||
SFixed64Rules: MessageTypeDefinition
|
||||
SInt32Rules: MessageTypeDefinition
|
||||
SInt64Rules: MessageTypeDefinition
|
||||
StringRules: MessageTypeDefinition
|
||||
TimestampRules: MessageTypeDefinition
|
||||
UInt32Rules: MessageTypeDefinition
|
||||
UInt64Rules: MessageTypeDefinition
|
||||
}
|
||||
xds: {
|
||||
annotations: {
|
||||
v3: {
|
||||
FieldStatusAnnotation: MessageTypeDefinition
|
||||
FileStatusAnnotation: MessageTypeDefinition
|
||||
MessageStatusAnnotation: MessageTypeDefinition
|
||||
PackageVersionStatus: EnumTypeDefinition
|
||||
StatusAnnotation: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
core: {
|
||||
v3: {
|
||||
ContextParams: MessageTypeDefinition
|
||||
TypedExtensionConfig: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
type: {
|
||||
matcher: {
|
||||
v3: {
|
||||
ListStringMatcher: MessageTypeDefinition
|
||||
Matcher: MessageTypeDefinition
|
||||
RegexMatcher: MessageTypeDefinition
|
||||
StringMatcher: MessageTypeDefinition
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,396 @@
|
|||
/*
|
||||
* Copyright 2025 gRPC authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
import { Metadata } from "@grpc/grpc-js";
|
||||
import { Matcher, ValueMatcher } from "./matcher";
|
||||
import { CidrRange, cidrRangeMessageToCidrRange, inCidrRange } from "./cidr";
|
||||
import { PeerCertificate } from "tls";
|
||||
import { RBAC__Output } from "./generated/envoy/config/rbac/v3/RBAC";
|
||||
import { Policy__Output } from "./generated/envoy/config/rbac/v3/Policy";
|
||||
import { Permission__Output } from "./generated/envoy/config/rbac/v3/Permission";
|
||||
import { Principal__Output } from "./generated/envoy/config/rbac/v3/Principal";
|
||||
import { getPredicateForHeaderMatcher, getPredicateForStringMatcher } from "./route";
|
||||
|
||||
export interface RbacRule<InfoType> {
|
||||
apply(info: InfoType): boolean;
|
||||
toString(): string;
|
||||
}
|
||||
|
||||
export class AndRules<InfoType> implements RbacRule<InfoType> {
|
||||
constructor(private childRules: RbacRule<InfoType>[]) {}
|
||||
|
||||
apply(info: InfoType) {
|
||||
return this.childRules.every(rule => rule.apply(info));
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `And(${this.childRules.map(rule => rule.toString())})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class OrRules<InfoType> implements RbacRule<InfoType> {
|
||||
constructor(private childRules: RbacRule<InfoType>[]) {}
|
||||
|
||||
apply(info: InfoType) {
|
||||
return this.childRules.some(rule => rule.apply(info));
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `Or(${this.childRules.map(rule => rule.toString())})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class NotRule<InfoType> implements RbacRule<InfoType> {
|
||||
constructor(private childRule: RbacRule<InfoType>) {}
|
||||
|
||||
apply(info: InfoType) {
|
||||
return !this.childRule.apply(info);
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `Not(${this.childRule.toString()})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class AnyRule<InfoType> implements RbacRule<InfoType> {
|
||||
constructor() {}
|
||||
|
||||
apply(info: InfoType) {
|
||||
return true;
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `Any()`;
|
||||
}
|
||||
}
|
||||
|
||||
export class NoneRule<InfoType> implements RbacRule<InfoType> {
|
||||
constructor() {}
|
||||
|
||||
apply(info: InfoType) {
|
||||
return false;
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `None()`;
|
||||
}
|
||||
}
|
||||
|
||||
export interface PermissionInfo {
|
||||
headers: Metadata;
|
||||
urlPath: string;
|
||||
destinationIp: string;
|
||||
destinationPort: number;
|
||||
}
|
||||
|
||||
export type PermissionRule = RbacRule<PermissionInfo>;
|
||||
|
||||
export class HeaderPermission implements PermissionRule {
|
||||
constructor(private matcher: Matcher) {}
|
||||
|
||||
apply(info: PermissionInfo) {
|
||||
return this.matcher.apply(info.urlPath, info.headers);
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `Header(${this.matcher.toString()})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class UrlPathPermission implements PermissionRule {
|
||||
constructor(private matcher: ValueMatcher) {}
|
||||
|
||||
apply(info: PermissionInfo): boolean {
|
||||
return this.matcher.apply(info.urlPath);
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `UrlPath(${this.matcher.toString()})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class DestinationIpPermission implements PermissionRule {
|
||||
constructor(private cidrRange: CidrRange) {}
|
||||
|
||||
apply(info: PermissionInfo): boolean {
|
||||
return inCidrRange(this.cidrRange, info.destinationIp);
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `DestinationIp(${this.cidrRange.addressPrefix}/${this.cidrRange.prefixLen})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class DestinationPortPermission implements PermissionRule {
|
||||
constructor(private port: number) {}
|
||||
|
||||
apply(info: PermissionInfo): boolean {
|
||||
return info.destinationPort === this.port;
|
||||
}
|
||||
toString(): string {
|
||||
return `DestinationPort(${this.port})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class MetadataPermission implements PermissionRule {
|
||||
constructor() {}
|
||||
|
||||
apply(info: PermissionInfo): boolean {
|
||||
return false;
|
||||
}
|
||||
toString(): string {
|
||||
return `Metadata()`;
|
||||
}
|
||||
}
|
||||
|
||||
export class RequestedServerNamePermission implements PermissionRule {
|
||||
constructor(private matcher: ValueMatcher) {}
|
||||
|
||||
apply(info: PermissionInfo): boolean {
|
||||
return this.matcher.apply('');
|
||||
}
|
||||
toString(): string {
|
||||
return `RequestedServerName(${this.matcher.toString()})`;
|
||||
}
|
||||
}
|
||||
|
||||
export type BasicPeerCertificate = Pick<PeerCertificate, 'subjectaltname' | 'subject'>;
|
||||
|
||||
export interface PrincipalInfo {
|
||||
tls: boolean;
|
||||
peerCertificate: BasicPeerCertificate | null;
|
||||
sourceIp: string;
|
||||
headers: Metadata;
|
||||
urlPath: string;
|
||||
}
|
||||
|
||||
export type PrincipalRule = RbacRule<PrincipalInfo>;
|
||||
|
||||
interface SanEntry {
|
||||
type: string;
|
||||
value: string;
|
||||
}
|
||||
|
||||
function splitSanEntry(entry: string): SanEntry | null {
|
||||
const colonIndex = entry.indexOf(':');
|
||||
if (colonIndex < 0) {
|
||||
return null;
|
||||
}
|
||||
return {
|
||||
type: entry.substring(0, colonIndex),
|
||||
value: entry.substring(colonIndex + 1)
|
||||
}
|
||||
}
|
||||
|
||||
export class AuthenticatedPrincipal implements PrincipalRule {
|
||||
constructor(private nameMatcher: ValueMatcher | null) {}
|
||||
|
||||
apply(info: PrincipalInfo): boolean {
|
||||
if (this.nameMatcher === null) {
|
||||
return info.tls;
|
||||
}
|
||||
if (!info.peerCertificate) {
|
||||
return this.nameMatcher.apply('');
|
||||
}
|
||||
if (info.peerCertificate.subjectaltname) {
|
||||
const sanEntries = info.peerCertificate.subjectaltname.split(', ').map(splitSanEntry).filter(x => x !== null);
|
||||
if (sanEntries.some(entry => entry.type === 'URI')) {
|
||||
for (const entry of sanEntries) {
|
||||
if (entry.type === 'URI') {
|
||||
if (this.nameMatcher.apply(entry.value)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else if (sanEntries.some(entry => entry.type === 'DNS')) {
|
||||
for (const entry of sanEntries) {
|
||||
if (entry.type === 'DNS') {
|
||||
if (this.nameMatcher.apply(entry.value)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return this.nameMatcher.apply(info.peerCertificate.subject.CN);
|
||||
}
|
||||
toString(): string {
|
||||
return `Authenticated(principal=${this.nameMatcher?.toString() ?? null})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class SourceIpPrincipal implements PrincipalRule {
|
||||
constructor(private cidrRange: CidrRange) {}
|
||||
|
||||
apply(info: PrincipalInfo): boolean {
|
||||
return inCidrRange(this.cidrRange, info.sourceIp);
|
||||
}
|
||||
toString(): string {
|
||||
return `SourceIp(${this.cidrRange.addressPrefix}/${this.cidrRange.prefixLen})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class HeaderPrincipal implements PrincipalRule {
|
||||
constructor(private matcher: Matcher) {}
|
||||
|
||||
apply(info: PrincipalInfo) {
|
||||
return this.matcher.apply(info.urlPath, info.headers);
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `Header(${this.matcher.toString()})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class UrlPathPrincipal implements PrincipalRule {
|
||||
constructor(private matcher: ValueMatcher) {}
|
||||
|
||||
apply(info: PrincipalInfo): boolean {
|
||||
return this.matcher.apply(info.urlPath);
|
||||
}
|
||||
|
||||
toString(): string {
|
||||
return `UrlPath(${this.matcher.toString()})`;
|
||||
}
|
||||
}
|
||||
|
||||
export class MetadataPrincipal implements PrincipalRule {
|
||||
constructor() {}
|
||||
|
||||
apply(info: PrincipalInfo): boolean {
|
||||
return false;
|
||||
}
|
||||
toString(): string {
|
||||
return `Metadata()`;
|
||||
}
|
||||
}
|
||||
|
||||
export type RbacAction = 'ALLOW' | 'DENY';
|
||||
|
||||
export interface UnifiedInfo extends PermissionInfo, PrincipalInfo {}
|
||||
|
||||
export class RbacPolicy {
|
||||
private permission: PermissionRule;
|
||||
private principal: PrincipalRule;
|
||||
|
||||
constructor(permissions: PermissionRule[], principals: PrincipalRule[]) {
|
||||
this.permission = new OrRules(permissions);
|
||||
this.principal = new OrRules(principals);
|
||||
}
|
||||
|
||||
matches(info: UnifiedInfo) {
|
||||
return this.principal.apply(info) && this.permission.apply(info);
|
||||
}
|
||||
|
||||
toString() {
|
||||
return `principal=${this.principal.toString()} permission=${this.permission.toString()}`;
|
||||
}
|
||||
}
|
||||
|
||||
export class RbacPolicyGroup {
|
||||
constructor(private policies: Map<string, RbacPolicy>, private action: RbacAction) {}
|
||||
|
||||
apply(info: UnifiedInfo): RbacAction | null {
|
||||
for (const policy of this.policies.values()) {
|
||||
if (policy.matches(info)) {
|
||||
return this.action;
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
toString() {
|
||||
const policyStrings: string[] = [];
|
||||
for (const [name, policy] of this.policies) {
|
||||
policyStrings.push(`${name}: ${policy.toString()}`);
|
||||
}
|
||||
return `RBAC
|
||||
action=${this.action}
|
||||
policies:
|
||||
${policyStrings.join('\n')}`;
|
||||
}
|
||||
}
|
||||
|
||||
export function parsePermission(permission: Permission__Output): PermissionRule {
|
||||
switch (permission.rule) {
|
||||
case 'and_rules':
|
||||
return new AndRules(permission.and_rules!.rules.map(parsePermission));
|
||||
case 'or_rules':
|
||||
return new OrRules(permission.or_rules!.rules.map(parsePermission));
|
||||
case 'not_rule':
|
||||
return new NotRule(parsePermission(permission.not_rule!));
|
||||
case 'any':
|
||||
return new AnyRule();
|
||||
case 'destination_ip':
|
||||
return new DestinationIpPermission(cidrRangeMessageToCidrRange(permission.destination_ip!));
|
||||
case 'destination_port':
|
||||
return new DestinationPortPermission(permission.destination_port!);
|
||||
case 'header':
|
||||
return new HeaderPermission(getPredicateForHeaderMatcher(permission.header!));
|
||||
case 'metadata':
|
||||
return new MetadataPermission();
|
||||
case 'requested_server_name':
|
||||
return new RequestedServerNamePermission(getPredicateForStringMatcher(permission.requested_server_name!));
|
||||
case 'url_path':
|
||||
return new UrlPathPermission(getPredicateForStringMatcher(permission.url_path!.path!));
|
||||
default:
|
||||
return new NoneRule();
|
||||
}
|
||||
}
|
||||
|
||||
export function parsePrincipal(principal: Principal__Output): PrincipalRule {
|
||||
switch (principal.identifier) {
|
||||
case 'and_ids':
|
||||
return new AndRules(principal.and_ids!.ids.map(parsePrincipal));
|
||||
case 'or_ids':
|
||||
return new OrRules(principal.or_ids!.ids.map(parsePrincipal));
|
||||
case 'not_id':
|
||||
return new NotRule(parsePrincipal(principal.not_id!));
|
||||
case 'any':
|
||||
return new AnyRule();
|
||||
case 'authenticated':
|
||||
return new AuthenticatedPrincipal(principal.authenticated?.principal_name ? getPredicateForStringMatcher(principal.authenticated.principal_name) : null);
|
||||
case 'direct_remote_ip':
|
||||
return new SourceIpPrincipal(cidrRangeMessageToCidrRange(principal.direct_remote_ip!));
|
||||
case 'remote_ip':
|
||||
return new SourceIpPrincipal(cidrRangeMessageToCidrRange(principal.remote_ip!));
|
||||
case 'source_ip':
|
||||
return new SourceIpPrincipal(cidrRangeMessageToCidrRange(principal.source_ip!));
|
||||
case 'header':
|
||||
return new HeaderPrincipal(getPredicateForHeaderMatcher(principal.header!));
|
||||
case 'metadata':
|
||||
return new MetadataPrincipal();
|
||||
case 'url_path':
|
||||
return new UrlPathPrincipal(getPredicateForStringMatcher(principal.url_path!.path!));
|
||||
default:
|
||||
return new NoneRule();
|
||||
}
|
||||
}
|
||||
|
||||
export function parsePolicy(policy: Policy__Output): RbacPolicy {
|
||||
return new RbacPolicy(policy.permissions.map(parsePermission), policy.principals.map(parsePrincipal));
|
||||
}
|
||||
|
||||
export function parseConfig(rbac: RBAC__Output): RbacPolicyGroup {
|
||||
if (rbac.action === 'LOG') {
|
||||
throw new Error('Invalid RBAC action LOG');
|
||||
}
|
||||
const policyMap = new Map<string, RbacPolicy>();
|
||||
for (const [name, policyConfig] of Object.entries(rbac.policies)) {
|
||||
policyMap.set(name, parsePolicy(policyConfig));
|
||||
}
|
||||
return new RbacPolicyGroup(policyMap, rbac.action);
|
||||
}
|
|
@ -18,8 +18,26 @@ import { RouteMatch__Output } from './generated/envoy/config/route/v3/RouteMatch
|
|||
import { HeaderMatcher__Output } from './generated/envoy/config/route/v3/HeaderMatcher';
|
||||
import { ContainsValueMatcher, ExactValueMatcher, FullMatcher, HeaderMatcher, Matcher, PathExactValueMatcher, PathPrefixValueMatcher, PathSafeRegexValueMatcher, PrefixValueMatcher, PresentValueMatcher, RangeValueMatcher, RejectValueMatcher, SafeRegexValueMatcher, SuffixValueMatcher, ValueMatcher } from './matcher';
|
||||
import { envoyFractionToFraction, Fraction } from "./fraction";
|
||||
import { StringMatcher__Output } from './generated/envoy/type/matcher/v3/StringMatcher';
|
||||
|
||||
function getPredicateForHeaderMatcher(headerMatch: HeaderMatcher__Output): Matcher {
|
||||
export function getPredicateForStringMatcher(stringMatch: StringMatcher__Output): ValueMatcher {
|
||||
switch (stringMatch.match_pattern) {
|
||||
case 'exact':
|
||||
return new ExactValueMatcher(stringMatch.exact!, stringMatch.ignore_case);
|
||||
case 'safe_regex':
|
||||
return new SafeRegexValueMatcher(stringMatch.safe_regex!.regex);
|
||||
case 'prefix':
|
||||
return new PrefixValueMatcher(stringMatch.prefix!, stringMatch.ignore_case);
|
||||
case 'suffix':
|
||||
return new SuffixValueMatcher(stringMatch.suffix!, stringMatch.ignore_case);
|
||||
case 'contains':
|
||||
return new ContainsValueMatcher(stringMatch.contains!, stringMatch.ignore_case);
|
||||
default:
|
||||
return new RejectValueMatcher();
|
||||
}
|
||||
}
|
||||
|
||||
export function getPredicateForHeaderMatcher(headerMatch: HeaderMatcher__Output): Matcher {
|
||||
let valueChecker: ValueMatcher;
|
||||
switch (headerMatch.header_match_specifier) {
|
||||
case 'exact_match':
|
||||
|
@ -43,26 +61,7 @@ function getPredicateForHeaderMatcher(headerMatch: HeaderMatcher__Output): Match
|
|||
valueChecker = new SuffixValueMatcher(headerMatch.suffix_match!, false);
|
||||
break;
|
||||
case 'string_match':
|
||||
const stringMatch = headerMatch.string_match!;
|
||||
switch (stringMatch.match_pattern) {
|
||||
case 'exact':
|
||||
valueChecker = new ExactValueMatcher(stringMatch.exact!, stringMatch.ignore_case);
|
||||
break;
|
||||
case 'safe_regex':
|
||||
valueChecker = new SafeRegexValueMatcher(stringMatch.safe_regex!.regex);
|
||||
break;
|
||||
case 'prefix':
|
||||
valueChecker = new PrefixValueMatcher(stringMatch.prefix!, stringMatch.ignore_case);
|
||||
break;
|
||||
case 'suffix':
|
||||
valueChecker = new SuffixValueMatcher(stringMatch.suffix!, stringMatch.ignore_case);
|
||||
break;
|
||||
case 'contains':
|
||||
valueChecker = new ContainsValueMatcher(stringMatch.contains!, stringMatch.ignore_case);
|
||||
break;
|
||||
default:
|
||||
valueChecker = new RejectValueMatcher();
|
||||
}
|
||||
valueChecker = getPredicateForStringMatcher(headerMatch.string_match!);
|
||||
break;
|
||||
default:
|
||||
valueChecker = new RejectValueMatcher();
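Review bot: The `default:` branch of the newly exported `getPredicateForStringMatcher` (first hunk of this file) silently maps an unset or unrecognised `match_pattern` to `RejectValueMatcher`. That was harmless for route matching, but the RBAC parser on this page now calls the same helper for `requested_server_name`, `url_path` and `principal_name` and can wrap the resulting rule in `NotRule`, where a never-matching predicate becomes one that matches every request. Whether the xDS resource is validated before it reaches this function is not visible here, so at minimum the contract should be written down above the function, e.g. `/** Returns a matcher that never matches when match_pattern is unset or unsupported; callers that may negate the result must reject such configs during validation. */`. The same fallback sits in the `default:` of `getPredicateForHeaderMatcher`, whose body starts and ends outside these hunks.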
|
||||
|
|
|
@ -0,0 +1,376 @@
|
|||
/*
|
||||
* Copyright 2023 gRPC authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*/
|
||||
|
||||
import { Metadata } from '@grpc/grpc-js';
|
||||
import * as rbac from '../src/rbac';
|
||||
import * as assert from 'assert';
|
||||
import { ExactValueMatcher, HeaderMatcher } from '../src/matcher';
|
||||
|
||||
interface TestCase {
|
||||
rule: rbac.RbacRule<any>,
|
||||
input: any,
|
||||
expectedResult: boolean
|
||||
}
|
||||
|
||||
function createMetadata(key: string, value: string): Metadata {
|
||||
const metadata = new Metadata();
|
||||
metadata.set(key, value);
|
||||
return metadata;
|
||||
}
|
||||
|
||||
const testCases: TestCase[] = [
|
||||
{
|
||||
rule: new rbac.AnyRule(),
|
||||
input: {},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.NoneRule(),
|
||||
input: {},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.OrRules([new rbac.NoneRule(), new rbac.NoneRule(), new rbac.NoneRule()]),
|
||||
input: {},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.OrRules([new rbac.NoneRule(), new rbac.NoneRule(), new rbac.AnyRule()]),
|
||||
input: {},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.AndRules([new rbac.AnyRule(), new rbac.AnyRule(), new rbac.AnyRule()]),
|
||||
input: {},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.AndRules([new rbac.AnyRule(), new rbac.AnyRule(), new rbac.NoneRule()]),
|
||||
input: {},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.NotRule(new rbac.NoneRule()),
|
||||
input: {},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.NotRule(new rbac.AnyRule()),
|
||||
input: {},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.DestinationIpPermission({addressPrefix: '127.0.0.0', prefixLen: 8}),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.DestinationIpPermission({addressPrefix: '127.0.0.0', prefixLen: 8}),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/',
|
||||
destinationIp: '10.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.DestinationPortPermission(443),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.DestinationPortPermission(443),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 80
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.UrlPathPermission(new ExactValueMatcher('/', false)),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.UrlPathPermission(new ExactValueMatcher('/', false)),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/service/method',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.HeaderPermission(new HeaderMatcher('test', new ExactValueMatcher('value', false), false)),
|
||||
input: {
|
||||
headers: createMetadata('test', 'value'),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.HeaderPermission(new HeaderMatcher('test', new ExactValueMatcher('value', false), false)),
|
||||
input: {
|
||||
headers: createMetadata('test', 'incorrect'),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.MetadataPermission(),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.RequestedServerNamePermission(new ExactValueMatcher('', false)),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.RequestedServerNamePermission(new ExactValueMatcher('test', false)),
|
||||
input: {
|
||||
headers: new Metadata(),
|
||||
urlPath: '/',
|
||||
destinationIp: '127.0.0.1',
|
||||
destinationPort: 443
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.AuthenticatedPrincipal(null),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: null,
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.AuthenticatedPrincipal(null),
|
||||
input: {
|
||||
tls: false,
|
||||
peerCertificate: null,
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.AuthenticatedPrincipal(new ExactValueMatcher('test', false)),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: {
|
||||
subject: {
|
||||
C: '',
|
||||
ST: '',
|
||||
L: '',
|
||||
O: '',
|
||||
OU: '',
|
||||
CN: ''
|
||||
},
|
||||
subjectaltname: 'URI:test'
|
||||
},
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.AuthenticatedPrincipal(new ExactValueMatcher('test', false)),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: {
|
||||
subject: {
|
||||
C: '',
|
||||
ST: '',
|
||||
L: '',
|
||||
O: '',
|
||||
OU: '',
|
||||
CN: ''
|
||||
},
|
||||
subjectaltname: 'DNS:test'
|
||||
},
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.AuthenticatedPrincipal(new ExactValueMatcher('test', false)),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: {
|
||||
subject: {
|
||||
C: '',
|
||||
ST: '',
|
||||
L: '',
|
||||
O: '',
|
||||
OU: '',
|
||||
CN: ''
|
||||
},
|
||||
subjectaltname: 'URI:incorrect, DNS:test'
|
||||
},
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.AuthenticatedPrincipal(new ExactValueMatcher('test', false)),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: {
|
||||
subject: {
|
||||
C: '',
|
||||
ST: '',
|
||||
L: '',
|
||||
O: '',
|
||||
OU: '',
|
||||
CN: 'test'
|
||||
},
|
||||
},
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.SourceIpPrincipal({addressPrefix: '127.0.0.0', prefixLen: 8}),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: null,
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.SourceIpPrincipal({addressPrefix: '127.0.0.0', prefixLen: 8}),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: null,
|
||||
sourceIp: '10.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.HeaderPrincipal(new HeaderMatcher('test', new ExactValueMatcher('value', false), false)),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: null,
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: createMetadata('test', 'value'),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.HeaderPrincipal(new HeaderMatcher('test', new ExactValueMatcher('value', false), false)),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: null,
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: createMetadata('test', 'incorrect'),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.UrlPathPrincipal(new ExactValueMatcher('/', false)),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: null,
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: true
|
||||
},
|
||||
{
|
||||
rule: new rbac.UrlPathPrincipal(new ExactValueMatcher('/', false)),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: null,
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/service/method'
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
{
|
||||
rule: new rbac.MetadataPrincipal(),
|
||||
input: {
|
||||
tls: true,
|
||||
peerCertificate: null,
|
||||
sourceIp: '127.0.0.1',
|
||||
headers: new Metadata(),
|
||||
urlPath: '/'
|
||||
},
|
||||
expectedResult: false
|
||||
},
|
||||
];
|
||||
|
||||
describe('RBAC engine', () => {
|
||||
for (const testCase of testCases) {
|
||||
it(`rule=${testCase.rule.toString()} input=${JSON.stringify(testCase.input)} result=${testCase.expectedResult}`, () => {
|
||||
assert.strictEqual(testCase.rule.apply(testCase.input), testCase.expectedResult);
|
||||
});
|
||||
}
|
||||
});
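Review bot: Every case in `testCases` calls `apply` on a single rule, so the decision path this commit adds is not exercised anywhere in this file: `RbacPolicyGroup.apply` returning the configured action or `null`, and `parseConfig` throwing on `LOG`. The `null` return is what a caller has to turn into allow or deny, so the no-match case is worth pinning, e.g. `assert.strictEqual(new rbac.RbacPolicyGroup(new Map(), 'ALLOW').apply({} as any), null);` (the literal assumes `RbacAction` is the string enum, which this file does not show). The `AuthenticatedPrincipal` cases would also read better with a comment such as `// URI SANs take precedence over DNS SANs; the subject is used only when no SAN is present`, if that is the intended order; the expectations for `'URI:incorrect, DNS:test'` and `CN: 'test'` suggest it, but the implementation is outside this section.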
|