1// Copyright 2018 Istio Authors
2//
3//   Licensed under the Apache License, Version 2.0 (the "License");
4//   you may not use this file except in compliance with the License.
5//   You may obtain a copy of the License at
6//
7//       http://www.apache.org/licenses/LICENSE-2.0
8//
9//   Unless required by applicable law or agreed to in writing, software
10//   distributed under the License is distributed on an "AS IS" BASIS,
11//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12//   See the License for the specific language governing permissions and
13//   limitations under the License.
14
15syntax = "proto3";
16
17// $schema: istio.authentication.v1alpha1.Policy
18
19// This package defines user-facing authentication policy.
20package istio.authentication.v1alpha1;
21
22import "google/api/field_behavior.proto";
23
24option go_package = "istio.io/api/authentication/v1alpha1";
25
26// $hide_from_docs
27// Describes how to match a given string. Match is case-sensitive.
28message StringMatch {
29  oneof match_type {
30    // exact string match.
31    string exact = 1;
32
33    // prefix-based match.
34    string prefix = 2;
35
36    // suffix-based match.
37    string suffix = 3;
38
39    // RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
40    string regex = 4;
41  }
42}
43
44// $hide_from_docs
45// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
46// TLS authentication params.
47message MutualTls {
48  // $hide_from_docs
49  // Defines the acceptable connection TLS mode.
50  enum Mode {
51    // Client cert must be presented, connection is in TLS.
52    STRICT = 0;
53
54    // Connection can be either plaintext or TLS with Client cert.
55    PERMISSIVE = 1;
56  };
57
58  // Deprecated. Please use mode = PERMISSIVE instead.
59  // If set, will translate to `TLS_PERMISSIVE` mode.
60  // Set this flag to true to allow regular TLS (i.e without client x509
61  // certificate). If request carries client certificate, identity will be
62  // extracted and used (set to peer identity). Otherwise, peer identity will
63  // be left unset.
64  // When the flag is false (default), request must have client certificate.
65  bool allow_tls = 1 [deprecated=true];
66
67  // Defines the mode of mTLS authentication.
68  Mode mode = 2;
69}
70
71// $hide_from_docs
72// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
73// JSON Web Token (JWT) token format for authentication as defined by
74// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
75// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole
76// authentication flow.
77//
78// For example:
79//
80// A JWT for any requests:
81//
82// ```yaml
83// issuer: https://example.com
84// audiences:
85// - bookstore_android.apps.googleusercontent.com
86//   bookstore_web.apps.googleusercontent.com
87// jwksUri: https://example.com/.well-known/jwks.json
88// ```
89//
90// A JWT for all requests except request at path `/health_check` and path with
91// prefix `/status/`. This is useful to expose some paths for public access but
92// keep others JWT validated.
93//
94// ```yaml
95// issuer: https://example.com
96// jwksUri: https://example.com/.well-known/jwks.json
97// triggerRules:
98// - excludedPaths:
99//   - exact: /health_check
100//   - prefix: /status/
101// ```
102//
103// A JWT only for requests at path `/admin`. This is useful to only require JWT
104// validation on a specific set of paths but keep others public accessible.
105//
106// ```yaml
107// issuer: https://example.com
108// jwksUri: https://example.com/.well-known/jwks.json
109// triggerRules:
110// - includedPaths:
111//   - prefix: /admin
112// ```
113//
114// A JWT only for requests at path of prefix `/status/` but except the path of
115// `/status/version`. This means for any request path with prefix `/status/` except
116// `/status/version` will require a valid JWT to proceed.
117//
118// ```yaml
119// issuer: https://example.com
120// jwksUri: https://example.com/.well-known/jwks.json
121// triggerRules:
122// - excludedPaths:
123//   - exact: /status/version
124//   includedPaths:
125//   - prefix: /status/
126// ```
127message Jwt {
128  // Identifies the issuer that issued the JWT. See
129  // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
130  // Usually a URL or an email address.
131  //
132  // Example: https://securetoken.google.com
133  // Example: 1234567-compute@developer.gserviceaccount.com
134  string issuer = 1;
135
136  // The list of JWT
137  // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
138  // that are allowed to access. A JWT containing any of these
139  // audiences will be accepted.
140  //
141  // The service name will be accepted if audiences is empty.
142  //
143  // Example:
144  //
145  // ```yaml
146  // audiences:
147  // - bookstore_android.apps.googleusercontent.com
148  //   bookstore_web.apps.googleusercontent.com
149  // ```
150  repeated string audiences = 2;
151
152  // URL of the provider's public key set to validate signature of the
153  // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
154  //
155  // Optional if the key set document can either (a) be retrieved from
156  // [OpenID
157  // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
158  // the issuer or (b) inferred from the email domain of the issuer (e.g. a
159  // Google service account).
160  //
161  // Example: `https://www.googleapis.com/oauth2/v1/certs`
162  //
163  // Note: Only one of jwks_uri and jwks should be used.
164  string jwks_uri = 3;
165
166  // JSON Web Key Set of public keys to validate signature of the JWT.
167  // See https://auth0.com/docs/jwks.
168  //
169  // Note: Only one of jwks_uri and jwks should be used.
170  string jwks = 10;
171
172  // Two fields below define where to extract the JWT from an HTTP request.
173  //
174  // If no explicit location is specified the following default
175  // locations are tried in order:
176  //
177  //     1) The Authorization header using the Bearer schema,
178  //        e.g. Authorization: Bearer <token>. (see
179  //        [Authorization Request Header
180  //        Field](https://tools.ietf.org/html/rfc6750#section-2.1))
181  //
182  //     2) `access_token` query parameter (see
183  //     [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3))
184
185  // JWT is sent in a request header. `header` represents the
186  // header name.
187  //
188  // For example, if `header=x-goog-iap-jwt-assertion`, the header
189  // format will be `x-goog-iap-jwt-assertion: <JWT>`.
190  repeated string jwt_headers = 6;
191
192  // JWT is sent in a query parameter. `query` represents the
193  // query parameter name.
194  //
195  // For example, `query=jwt_token`.
196  repeated string jwt_params = 7;
197
198  // $hide_from_docs
199  // Trigger rule to match against a request. The trigger rule is satisfied if
200  // and only if both rules, excluded_paths and include_paths are satisfied.
201  message TriggerRule {
202    // List of paths to be excluded from the request. The rule is satisfied if
203    // request path does not match to any of the path in this list.
204    repeated StringMatch excluded_paths = 1;
205
206    // List of paths that the request must include. If the list is not empty, the
207    // rule is satisfied if request path matches at least one of the path in the list.
208    // If the list is empty, the rule is ignored, in other words the rule is always satisfied.
209    repeated StringMatch included_paths = 2;
210  }
211
212  // List of trigger rules to decide if this JWT should be used to validate the
213  // request. The JWT validation happens if any one of the rules matched.
214  // If the list is not empty and none of the rules matched, authentication will
215  // skip the JWT validation.
216  // Leave this empty to always trigger the JWT validation.
217  repeated TriggerRule trigger_rules = 9;
218
219  // $hide_from_docs
220  // Next available field number: 11
221}
222
223// $hide_from_docs
224// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
225// PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported
226// at the moment.
227// The type can be progammatically determine by checking the type of the
228// "params" field.
229message PeerAuthenticationMethod {
230  // $hide_from_docs
231  oneof params {
232    // Set if mTLS is used.
233    MutualTls mtls = 1;
234
235    // $hide_from_docs
236    // Deprecated.
237    // Set if JWT is used. This option was never available.
238    Jwt jwt = 2 [deprecated=true];
239  }
240}
241
242// $hide_from_docs
243// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
244// OriginAuthenticationMethod defines authentication method/params for origin
245// authentication. Origin could be end-user, device, delegate service etc.
246// Currently, only JWT is supported for origin authentication.
247message OriginAuthenticationMethod {
248  // Jwt params for the method.
249  Jwt jwt = 1;
250}
251
252// $hide_from_docs
253// Deprecated. When using security/v1beta1/RequestAuthentication, the request principal always
254// comes from request authentication (i.e JWT).
255// Associates authentication with request principal.
256enum PrincipalBinding {
257  // Principal will be set to the identity from peer authentication.
258  USE_PEER = 0;
259
260  // Principal will be set to the identity from origin authentication.
261  USE_ORIGIN = 1;
262}
263
264// $hide_from_docs
265// Policy defines what authentication methods can be accepted on workload(s),
266// and if authenticated, which method/certificate will set the request principal
267// (i.e request.auth.principal attribute).
268//
269// Authentication policy is composed of 2-part authentication:
270// - peer: verify caller service credentials. This part will set source.user
271// (peer identity).
272// - origin: verify the origin credentials. This part will set request.auth.user
273// (origin identity), as well as other attributes like request.auth.presenter,
274// request.auth.audiences and raw claims. Note that the identity could be
275// end-user, service account, device etc.
276//
277// Last but not least, the principal binding rule defines which identity (peer
278// or origin) should be used as principal. By default, it uses peer.
279//
280// Examples:
281//
282// Policy to enable mTLS for all services in namespace frod. The policy name must be
283// `default`, and it contains no rule for `targets`.
284//
285// ```yaml
286// apiVersion: authentication.istio.io/v1alpha1
287// kind: Policy
288// metadata:
289//   name: default
290//   namespace: frod
291// spec:
292//   peers:
293//   - mtls:
294// ```
295// Policy to disable mTLS for "productpage" service
296//
297// ```yaml
298// apiVersion: authentication.istio.io/v1alpha1
299// kind: Policy
300// metadata:
301//   name: productpage-mTLS-disable
302//   namespace: frod
303// spec:
304//   targets:
305//   - name: productpage
306// ```
307// Policy to require mTLS for peer authentication, and JWT for origin authentication
308// for productpage:9000 except the path '/health_check' . Principal is set from origin identity.
309//
310// ```yaml
311// apiVersion: authentication.istio.io/v1alpha1
312// kind: Policy
313// metadata:
314//   name: productpage-mTLS-with-JWT
315//   namespace: frod
316// spec:
317//   targets:
318//   - name: productpage
319//     ports:
320//     - number: 9000
321//   peers:
322//   - mtls:
323//   origins:
324//   - jwt:
325//       issuer: "https://securetoken.google.com"
326//       audiences:
327//       - "productpage"
328//       jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
329//       jwtHeaders:
330//       - "x-goog-iap-jwt-assertion"
331//       triggerRules:
332//       - excludedPaths:
333//         - exact: /health_check
334//   principalBinding: USE_ORIGIN
335// ```
336message Policy {
337  // Deprecated. Only mesh-level and namespace-level policies are supported.
338  // List rules to select workloads that the policy should be applied on.
339  // If empty, policy will be used on all workloads in the same namespace.
340  repeated TargetSelector targets = 1 [deprecated=true];
341
342  // $hide_from_docs
343  // Deprecated. Please use security/v1beta1/PeerAuthentication instead.
344  // List of authentication methods that can be used for peer authentication.
345  // They will be evaluated in order; the first validate one will be used to
346  // set peer identity (source.user) and other peer attributes. If none of
347  // these methods pass, request will be rejected with authentication failed error (401).
348  // Leave the list empty if peer authentication is not required
349  repeated PeerAuthenticationMethod peers = 2;
350
351  // Deprecated. Should set mTLS to PERMISSIVE instead.
352  // Set this flag to true to accept request (for peer authentication perspective),
353  // even when none of the peer authentication methods defined above satisfied.
354  // Typically, this is used to delay the rejection decision to next layer (e.g
355  // authorization).
356  // This flag is ignored if no authentication defined for peer (peers field is empty).
357  bool peer_is_optional = 3 [deprecated=true];
358
359  // Deprecated. Please use security/v1beta1/RequestAuthentication instead.
360  // List of authentication methods that can be used for origin authentication.
361  // Similar to peers, these will be evaluated in order; the first validate one
362  // will be used to set origin identity and attributes (i.e request.auth.user,
363  // request.auth.issuer etc). If none of these methods pass, request will be
364  // rejected with authentication failed error (401).
365  // A method may be skipped, depends on its trigger rule. If all of these methods
366  // are skipped, origin authentication will be ignored, as if it is not defined.
367  // Leave the list empty if origin authentication is not required.
368  repeated OriginAuthenticationMethod origins = 4 [deprecated=true];
369
370  // Deprecated. Please use security/v1beta1/RequestAuthentication instead.
371  // Set this flag to true to accept request (for origin authentication perspective),
372  // even when none of the origin authentication methods defined above satisfied.
373  // Typically, this is used to delay the rejection decision to next layer (e.g
374  // authorization).
375  // This flag is ignored if no authentication defined for origin (origins field is empty).
376  bool origin_is_optional = 5 [deprecated=true];
377
378  // Deprecated. Source principal is always from peer, and request principal is always from
379  // RequestAuthentication.
380  // Define whether peer or origin identity should be use for principal. Default
381  // value is USE_PEER.
382  // If peer (or origin) identity is not available, either because of peer/origin
383  // authentication is not defined, or failed, principal will be left unset.
384  // In other words, binding rule does not affect the decision to accept or
385  // reject request.
386  PrincipalBinding principal_binding = 6 [deprecated=true];
387}
388
389// $hide_from_docs
390// Deprecated. Only support mesh and namespace level policy in the future.
391// TargetSelector defines a matching rule to a workload. A workload is selected
392// if it is associated with the service name and service port(s) specified in the selector rule.
393message TargetSelector {
394  // The name must be a short name from the service registry. The
395  // fully qualified domain name will be resolved in a platform specific manner.
396  string name = 1 [(google.api.field_behavior) = REQUIRED];
397
398  reserved 3;
399  reserved "labels";
400
401  // Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.
402  // For example, if a service is defined as below, then `8000` should be used, not `9000`.
403  // ```yaml
404  // kind: Service
405  // metadata:
406  //   ...
407  // spec:
408  //   ports:
409  //   - name: http
410  //     port: 8000
411  //     targetPort: 9000
412  //   selector:
413  //     app: backend
414  // ```
415  //Leave empty to match all ports that are exposed.
416  repeated PortSelector ports = 2;
417}
418
419// $hide_from_docs
420// Deprecated. Only support mesh and namespace level policy in the future.
421// PortSelector specifies the name or number of a port to be used for
422// matching targets for authentication policy. This is copied from
423// networking API to avoid dependency.
424message PortSelector {
425  oneof port {
426    // Valid port number
427    uint32 number = 1;
428    // Port name
429    string name = 2;
430  }
431}
432