envoy.extensions.rbac.principals.mtls_authenticated.v3.mtls_authenticated.proto Maven / Gradle / Ivy

Go to download

Show more of this group Show more artifacts with this name
Show all versions of api Show documentation

The newest version!

syntax = "proto3";

package envoy.extensions.rbac.principals.mtls_authenticated.v3;

import "envoy/extensions/transport_sockets/tls/v3/common.proto";

import "udpa/annotations/status.proto";

option java_package = "io.envoyproxy.envoy.extensions.rbac.principals.mtls_authenticated.v3";
option java_outer_classname = "MtlsAuthenticatedProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/rbac/principals/mtls_authenticated/v3;mtls_authenticatedv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: RBAC MTls Authenticated Principal]
// [#extension: envoy.rbac.principals.mtls_authenticated]

// Authentication attributes for a downstream mTLS connection. All modes require that a peer certificate
// was presented and validated using the ValidationContext in the DownstreamTlsContext configuration.
//
// If neither field is set, a configuration loading error will be generated. This is so that
// not validating SANs requires an affirmative configuration to disable, to prevent accidentally
// not configuring SAN validation.
//
// If ``any_validated_client_certificate`` is set in addition to ``san_matcher`` or a future field
// which specifies additional validation, the other field always takes precedence over
// ``any_validated_client_certificate`` and all specified validation is performed.
message Config {
  // Specifies a SAN that must be present in the validated peer certificate.
  transport_sockets.tls.v3.SubjectAltNameMatcher san_matcher = 1;

  // Only require that the peer certificate is present and valid.
  bool any_validated_client_certificate = 2;
}