// Copyright 2019 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

import "google/api/field_behavior.proto";
import "type/v1beta1/selector.proto";

// $schema: istio.security.v1beta1.AuthorizationPolicy
// $title: Authorization Policy
// $description: Configuration for access control on workloads.
// $location: https://istio.io/docs/reference/config/security/authorization-policy.html
// $weight: 20
// $aliases: [/docs/reference/config/authorization/authorization-policy]

// Istio Authorization Policy enables access control on workloads in the mesh.
//
// Authorization policy supports both allow and deny policies. When allow and
// deny policies are used for a workload at the same time, the deny policies are
// evaluated first. The evaluation is determined by the following rules:
//
// 1. If there are any DENY policies that match the request, deny the request.
// 2. If there are no ALLOW policies for the workload, allow the request.
// 3. If any of the ALLOW policies match the request, allow the request.
// 4. Deny the request.
//
// For example, the following authorization policy sets the `action` to "ALLOW"
// to create an allow policy. The default action is "ALLOW" but it is useful
// to be explicit in the policy.
//
// It allows requests from:
//
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
//
// to access the workload with:
//
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
//
// when the request has a valid JWT token issued by "https://accounts.google.com".
//
// Any other requests will be denied.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//  name: httpbin
//  namespace: foo
// spec:
//  action: ALLOW
//  rules:
//  - from:
//    - source:
//        principals: ["cluster.local/ns/default/sa/sleep"]
//    - source:
//        namespaces: ["test"]
//    to:
//    - operation:
//        methods: ["GET"]
//        paths: ["/info*"]
//    - operation:
//        methods: ["POST"]
//        paths: ["/data"]
//    when:
//    - key: request.auth.claims[iss]
//      values: ["https://accounts.google.com"]
// ```
//
// The following is another example that sets `action` to "DENY" to create a deny policy.
// It denies requests from the "dev" namespace to the "POST" method on all workloads
// in the "foo" namespace.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//  name: httpbin
//  namespace: foo
// spec:
//  action: DENY
//  rules:
//  - from:
//    - source:
//        namespaces: ["dev"]
//    to:
//    - operation:
//        methods: ["POST"]
// ```
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
//
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to workloads containing label
// "app: httpbin" in namespace bar.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//  name: policy
//  namespace: bar
// spec:
//  selector:
//    matchLabels:
//      app: httpbin
// ```
//
// The following authorization policy applies to all workloads in namespace foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//  name: policy
//  namespace: foo
// spec:
//   {}
// ```
//
// The following authorization policy applies to workloads containing label
// "version: v1" in all namespaces in the mesh. (Assuming the root namespace is
// configured to "istio-config").
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//  name: policy
//  namespace: istio-config
// spec:
//  selector:
//    matchLabels:
//      version: v1
// ```
package istio.security.v1beta1;

option go_package="istio.io/api/security/v1beta1";

// AuthorizationPolicy enables access control on workloads.
//
// For example, the following authorization policy denies all requests to workloads
// in namespace foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//  name: deny-all
//  namespace: foo
// spec:
//   {}
// ```
//
// The following authorization policy allows all requests to workloads in namespace
// foo.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: AuthorizationPolicy
// metadata:
//  name: allow-all
//  namespace: foo
// spec:
//  rules:
//  - {}
// ```
//
// <!-- crd generation tags
// +cue-gen:AuthorizationPolicy:groupName:security.istio.io
// +cue-gen:AuthorizationPolicy:version:v1beta1
// +cue-gen:AuthorizationPolicy:storageVersion
// +cue-gen:AuthorizationPolicy:annotations:helm.sh/resource-policy=keep
// +cue-gen:AuthorizationPolicy:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:AuthorizationPolicy:subresource:status
// +cue-gen:AuthorizationPolicy:scope:Namespaced
// +cue-gen:AuthorizationPolicy:resource:categories=istio-io,security-istio-io,plural=authorizationpolicies
// +cue-gen:AuthorizationPolicy:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
message AuthorizationPolicy {
  // Optional. Workload selector decides where to apply the authorization policy.
  // If not set, the authorization policy will be applied to all workloads in the
  // same namespace as the authorization policy.
  istio.type.v1beta1.WorkloadSelector selector = 1;

  // Optional. A list of rules to match the request. A match occurs when at least
  // one rule matches the request.
  //
  // If not set, the match will never occur. This is equivalent to setting a
  // default of deny for the target workloads.
  repeated Rule rules = 2;

  // Action specifies the operation to take.
  enum Action {
    // Allow a request only if it matches the rules. This is the default type.
    ALLOW = 0;

    // Deny a request if it matches any of the rules.
    DENY = 1;
  }

  // Optional. The action to take if the request is matched with the rules.
  Action action = 3;
}

// Rule matches requests from a list of sources that perform a list of operations subject to a
// list of conditions. A match occurs when at least one source, operation and condition
// matches the request. An empty rule is always matched.
//
// Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
//
// - Exact match: "abc" will match on value "abc".
// - Prefix match: "abc*" will match on value "abc" and "abcd".
// - Suffix match: "*abc" will match on value "abc" and "xabc".
// - Presence match: "*" will match when value is not empty.
message Rule {
  // From includes a list or sources.
  message From {
    // Source specifies the source of a request.
    Source source = 1;
  }

  // Optional. from specifies the source of a request.
  //
  // If not set, any source is allowed.
  repeated From from = 1;

  // To includes a list or operations.
  message To {
    // Operation specifies the operation of a request.
    Operation operation = 1;
  }

  // Optional. to specifies the operation of a request.
  //
  // If not set, any operation is allowed.
  repeated To to = 2;

  // Optional. when specifies a list of additional conditions of a request.
  //
  // If not set, any condition is allowed.
  repeated Condition when = 3;
}

// Source specifies the source identities of a request. Fields in the source are
// ANDed together.
//
// For example, the following source matches if the principal is "admin" or "dev"
// and the namespace is "prod" or "test" and the ip is not "1.2.3.4".
//
// ```yaml
// principals: ["admin", "dev"]
// namespaces: ["prod", "test"]
// not_ipblocks: ["1.2.3.4"]
// ```
message Source {
  // Optional. A list of source peer identities (i.e. service account), which
  // matches to the "source.principal" attribute. This field requires mTLS enabled.
  //
  // If not set, any principal is allowed.
  repeated string principals = 1;

  // Optional. A list of negative match of source peer identities.
  repeated string not_principals = 5;

  // Optional. A list of request identities (i.e. "iss/sub" claims), which
  // matches to the "request.auth.principal" attribute.
  //
  // If not set, any request principal is allowed.
  repeated string request_principals = 2;

  // Optional. A list of negative match of request identities.
  repeated string not_request_principals = 6;

  // Optional. A list of namespaces, which matches to the "source.namespace"
  // attribute. This field requires mTLS enabled.
  //
  // If not set, any namespace is allowed.
  repeated string namespaces = 3;

  // Optional. A list of negative match of namespaces.
  repeated string not_namespaces = 7;

  // Optional. A list of IP blocks, which matches to the "source.ip" attribute.
  // Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
  //
  // If not set, any IP is allowed.
  repeated string ip_blocks = 4;

  // Optional. A list of negative match of IP blocks.
  repeated string not_ip_blocks = 8;
}

// Operation specifies the operations of a request. Fields in the operation are
// ANDed together.
//
// For example, the following operation matches if the host has suffix ".example.com"
// and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin".
//
// ```yaml
// hosts: ["*.example.com"]
// methods: ["GET", "HEAD"]
// not_paths: ["/admin*"]
// ```
message Operation {
  // Optional. A list of hosts, which matches to the "request.host" attribute.
  //
  // If not set, any host is allowed. Must be used only with HTTP.
  repeated string hosts = 1;

  // Optional. A list of negative match of hosts.
  repeated string not_hosts = 5;

  // Optional. A list of ports, which matches to the "destination.port" attribute.
  //
  // If not set, any port is allowed.
  repeated string ports = 2;

  // Optional. A list of negative match of ports.
  repeated string not_ports = 6;

  // Optional. A list of methods, which matches to the "request.method" attribute.
  // For gRPC service, this will always be "POST".
  //
  // If not set, any method is allowed. Must be used only with HTTP.
  repeated string methods = 3;

  // Optional. A list of negative match of methods.
  repeated string not_methods = 7;

  // Optional. A list of paths, which matches to the "request.url_path" attribute.
  // For gRPC service, this will be the fully-qualified name in the form of
  // "/package.service/method".
  //
  // If not set, any path is allowed. Must be used only with HTTP.
  repeated string paths = 4;

  // Optional. A list of negative match of paths.
  repeated string not_paths = 8;
}

// Condition specifies additional required attributes.
message Condition {
  // The name of an Istio attribute.
  // See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/).
  string key = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. A list of allowed values for the attribute.
  // Note: at least one of values or not_values must be set.
  repeated string values = 2;

  // Optional. A list of negative match of values for the attribute.
  // Note: at least one of values or not_values must be set.
  repeated string not_values = 3;
}