From 7d3a15de1e7d8c544727e8d7f62a76003bb70db0 Mon Sep 17 00:00:00 2001 From: soloio-bot Date: Tue, 1 Oct 2024 20:01:04 +0000 Subject: [PATCH] Sync Gloo APIs. Destination Branch: gloo-v1.17.x --- api/gloo/enterprise.gloo/v1/auth_config.proto | 60 +++++++++---------- .../envoy/config/core/v3/address.proto | 4 +- .../envoy/config/core/v3/grpc_service.proto | 4 +- .../filters/http/jwt_authn/v3/config.proto | 14 ++--- api/gloo/gloo/external/xds/core/v3/cidr.proto | 2 +- .../xds/core/v3/resource_locator.proto | 2 +- .../gloo/v1/options/protocol/protocol.proto | 2 +- api/gloo/gloo/v1/upstream.proto | 2 +- .../v1/auth_config.pb.go | 60 +++++++++---------- .../envoy/config/core/v3/address.pb.go | 4 +- .../envoy/config/core/v3/grpc_service.pb.go | 4 +- .../filters/http/jwt_authn/v3/config.pb.go | 14 ++--- .../v1/options/protocol/protocol.pb.go | 2 +- pkg/api/gloo.solo.io/v1/upstream.pb.go | 2 +- 14 files changed, 88 insertions(+), 88 deletions(-) diff --git a/api/gloo/enterprise.gloo/v1/auth_config.proto b/api/gloo/enterprise.gloo/v1/auth_config.proto index f563d6c67..ee4ca5df1 100644 --- a/api/gloo/enterprise.gloo/v1/auth_config.proto +++ b/api/gloo/enterprise.gloo/v1/auth_config.proto @@ -223,7 +223,7 @@ message CustomAuth { // This allows the server to base the auth decision on metadata that you define on the source of the request. // // This attribute is analogous to Envoy's config.filter.http.ext_authz.v2.CheckSettings. See the official - // [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto.html?highlight=ext_authz#config-filter-http-ext-authz-v2-checksettings) + // [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#envoy-v3-api-msg-extensions-filters-http-ext-authz-v3-checksettings) // for more details. map context_extensions = 1; 
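Review bot: The sentence above the updated link in the CustomAuth hunk still names the v2 message, `config.filter.http.ext_authz.v2.CheckSettings`, while the link now points at the v3 API reference, so the comment on `context_extensions` refers to two different API versions. I would update the prose in the same change: `// This attribute is analogous to Envoy's extensions.filters.http.ext_authz.v3.CheckSettings. See the official`. The copy of this comment in auth_config.pb.go has the same mismatch and would pick up the fix on regeneration. The CustomAuth message starts and ends outside the hunk.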
@@ -363,7 +363,7 @@ message OAuth2 { // provide the access token on the request and let gloo handle authorization. // - // according to https://tools.ietf.org/html/rfc6750 you can pass tokens through: + // according to https://datatracker.ietf.org/doc/html/rfc6750 you can pass tokens through: // - form-encoded body parameter. recommended, more likely to appear. e.g.: Authorization: Bearer mytoken123 // - URI query parameter e.g. access_token=mytoken123 // - and (preferably) secure cookies @@ -546,7 +546,7 @@ message DiscoveryOverride { string end_session_endpoint = 11; } -// The json web key set (JWKS) (https://tools.ietf.org/html/rfc7517) is discovered at an interval +// The json web key set (JWKS) (https://datatracker.ietf.org/doc/html/rfc7517) is discovered at an interval // from a remote source. When keys rotate in the remote source, there may be a delay in the // local source picking up those new keys. Therefore, a user could execute a request with a token // that has been signed by a key in the remote JWKS, but the local cache doesn't have the key yet. @@ -768,7 +768,7 @@ message OidcAuthorizationCode { message PrivateKeyJwt{ // Signing key for the JWT used to authenticate the client core.solo.io.ResourceRef signing_key_ref = 1; - // Amount of time for which the JWT is valid. No maximmum is enforced, but different IDPs may impose limits on how far in + // Amount of time for which the JWT is valid. No maximum is enforced, but different IDPs may impose limits on how far in // the future the expiration time is allowed to be. If omitted, default is 5s. google.protobuf.Duration valid_for = 2; } 
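Review bot: In the list under the updated RFC 6750 link (hunk at -363), the first bullet labels `Authorization: Bearer mytoken123` as a form-encoded body parameter, but that example is the Authorization request header field; the form-encoded body parameter is a separate method in the RFC, and cookies are not one of the methods it defines. Operators read this comment to decide how clients should present tokens, so I would relabel the bullet as `// - Authorization request header. recommended, more likely to appear. e.g.: Authorization: Bearer mytoken123` and say on the cookie bullet that, if the server accepts it, it is outside RFC 6750. The query-parameter bullet would also benefit from a caveat that the RFC discourages that method because URLs tend to end up in access logs and browser history. The same text is repeated in the ExtAuthConfig hunk at -1970 and in the generated auth_config.pb.go; the OAuth2 message continues outside this hunk.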
@@ -793,7 +793,7 @@ message OidcAuthorizationCode { message Default {} // For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider. - // This way, you can enable distibuted claims and caching for when users are members of more than 200 groups. + // This way, you can enable distributed claims and caching for when users are members of more than 200 groups. message Azure { // The client ID for the ExtAuthService app that is registered in MS Entra, // to access the Microsoft Graph API to retrieve distributed claims. @@ -805,7 +805,7 @@ message OidcAuthorizationCode { // depending on how your Azure account is provisioned. string tenant_id = 2; - // The client secret of the ExtAuthService app that is registered with MS Entra to communciate with the MS Graph API. + // The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API. core.solo.io.ResourceRef client_secret = 3; // Redis connection details to cache MS Entera claims. 
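Review bot: The typo pass in the Azure hunk at -805 stops one line short: the context line `// Redis connection details to cache MS Entera claims.` still misspells the product that the lines above it write as `MS Entra`. I would fix it in the same commit as `// Redis connection details to cache MS Entra claims.`. The same line recurs in the ExtAuthConfig Azure hunk at -1766 and in the generated OidcAuthorizationCode_Azure comment in auth_config.pb.go. The Azure message continues outside the hunk.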
@@ -875,12 +875,12 @@ message PlainOAuth2 { // Defines how JSON Web Token (JWT) access tokens are validated. // // Tokens are validated using a JSON Web Key Set (as defined in -// [Section 5 of RFC7517](https://tools.ietf.org/html/rfc7517#section-5)), +// [Section 5 of RFC7517](https://datatracker.ietf.org/doc/html/rfc7517#section-5)), // which can be either inlined in the configuration or fetched from a remote location via HTTP. // Any keys in the JWKS that are not intended for signature verification (i.e. whose -// ["use" parameter](https://tools.ietf.org/html/rfc7517#section-4.2) is not "sig") +// ["use" parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2) is not "sig") // will be ignored by the system, as will keys that do not specify a -// ["kid" (Key ID) parameter](https://tools.ietf.org/html/rfc7517#section-4.2). +// ["kid" (Key ID) parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2). // // The JWT to be validated must define non-empty "kid" and "alg" headers. The "kid" header // determines which key in the JWKS will be used to verify the signature of the token; 
@@ -921,13 +921,13 @@ message JwtValidation { } // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated -// [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) +// [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) // // If the token introspection url requires client authentication, both the client_id and client_secret // are required. Unless disable_client_secret is set, when only one is provided, the config will be rejected. // These values will be encoded in a basic auth header in order to authenticate the client. message IntrospectionValidation { - // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. + // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. string introspection_url = 1; @@ -940,7 +940,7 @@ message IntrospectionValidation { // Optional: Use if the token introspection url requires client authentication. core.solo.io.ResourceRef client_secret_ref = 3; - // The name of the [introspection response](https://tools.ietf.org/html/rfc7662#section-2.2) + // The name of the [introspection response](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2) // attribute that contains the ID of the resource owner (e.g. `sub`, `username`). // If specified, the external auth server will use the value of the attribute as the identifier of the // authenticated user and add it to the request headers and/or dynamic metadata (depending on how the 
@@ -956,7 +956,7 @@ message IntrospectionValidation { message AccessTokenValidation { oneof validation_type { - // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. + // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. // This field is deprecated as it does not support authenticated introspection requests @@ -967,7 +967,7 @@ message AccessTokenValidation { JwtValidation jwt = 2; // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated - // [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) specification. + // [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) specification. IntrospectionValidation introspection = 3; // In the future we may implement HMAC validation @@ -990,7 +990,7 @@ message AccessTokenValidation { // Require access token to have all of the scopes in the given list. // This configuration applies to both opaque and JWT tokens. In the case of opaque tokens, // this will check the scopes returned in the "scope" member of introspection response - // (as described in [Section 2.2 of RFC7662](https://tools.ietf.org/html/rfc7662#section-2.2). + // (as described in [Section 2.2 of RFC7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2). // In case of JWTs the scopes to be validated are expected to be contained in the "scope" claim of the // token in the form of a space-separated string. // Omitting this field means that scope validation will be skipped. 
@@ -1351,7 +1351,7 @@ message BackoffStrategy { } -// The message specifies the retry policy of the external gRPC service when unable to initally connect. +// The message specifies the retry policy of the external gRPC service when unable to initially connect. message RetryPolicy { // Specifies the allowed number of retries. This parameter is optional and @@ -1706,8 +1706,8 @@ message ExtAuthConfig { message PkJwtClientAuthenticationConfig{ // Signing key for the JWT used for client authentication string signing_key = 1 [(extproto.sensitive) = true]; - // Amount of time for which the JWT is valid. No maximmum is enforced, but different IDPs may impose limits on how far in - // the future the expiration time is allowed to be. Defaults in 5s in front end, but expected to be set explictly here + // Amount of time for which the JWT is valid. No maximum is enforced, but different IDPs may impose limits on how far in + // the future the expiration time is allowed to be. Defaults in 5s in front end, but expected to be set explicitly here google.protobuf.Duration valid_for = 2; } @@ -1754,7 +1754,7 @@ message ExtAuthConfig { message Default {} // For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider. - // This way, you can enable distibuted claims and caching for when users are members of more than 200 groups. + // This way, you can enable distributed claims and caching for when users are members of more than 200 groups. message Azure { // The client ID for the ExtAuthService app that is registered in MS Entra, // to access the Microsoft Graph API to retrieve distributed claims. 
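Review bot: The `valid_for` comment in PkJwtClientAuthenticationConfig (hunk at -1706) still reads `Defaults in 5s in front end` after the spelling fixes, and it does not say what happens if the field arrives unset in this translated config. I would reword the line to `// the future the expiration time is allowed to be. Defaults to 5s in the front end, but is expected to be set explicitly here.` and state the behaviour for an unset value, which is not visible from the hunk. Because the comment says no maximum is enforced and this JWT is what authenticates the client to the IDP, a sentence recommending a short lifetime would help operators keep the reuse window of a leaked assertion small. The enclosing ExtAuthConfig message starts and ends outside the hunk.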
@@ -1766,7 +1766,7 @@ message ExtAuthConfig { // depending on how your Azure account is provisioned. string tenant_id = 2; - // The client secret of the ExtAuthService app that is registered with MS Entra to communciate with the MS Graph API. + // The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API. string client_secret = 3 [(extproto.sensitive) = true]; // Redis connection details to cache MS Entera claims. @@ -1781,12 +1781,12 @@ message ExtAuthConfig { // Defines how JSON Web Token (JWT) access tokens are validated. // // Tokens are validated using a JSON Web Key Set (as defined in - // [Section 5 of RFC7517](https://tools.ietf.org/html/rfc7517#section-5)), + // [Section 5 of RFC7517](https://datatracker.ietf.org/doc/html/rfc7517#section-5)), // which can be either inlined in the configuration or fetched from a remote location via HTTP. // Any keys in the JWKS that are not intended for signature verification (i.e. whose - // ["use" parameter](https://tools.ietf.org/html/rfc7517#section-4.2) is not "sig") + // ["use" parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2) is not "sig") // will be ignored by the system, as will keys that do not specify a - // ["kid" (Key ID) parameter](https://tools.ietf.org/html/rfc7517#section-4.2). + // ["kid" (Key ID) parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2). // // The JWT to be validated must define non-empty "kid" and "alg" headers. The "kid" header // determines which key in the JWKS will be used to verify the signature of the token; 
@@ -1827,13 +1827,13 @@ message ExtAuthConfig { } // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated - // [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) + // [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) // // If the token introspection url requires client authentication, both the client_id and client_secret // are required. If only one is provided, the config will be rejected. // These values will be encoded in a basic auth header in order to authenticate the client. message IntrospectionValidation { - // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. + // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. string introspection_url = 1; @@ -1846,7 +1846,7 @@ message ExtAuthConfig { // Optional: Use if the token introspection url requires client authentication. string client_secret = 3 [(extproto.sensitive) = true]; - // The name of the [introspection response](https://tools.ietf.org/html/rfc7662#section-2.2) + // The name of the [introspection response](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2) // attribute that contains the ID of the resource owner (e.g. `sub`, `username`). // If specified, the external auth server will use the value of the attribute as the identifier of the // authenticated user and add it to the request headers and/or dynamic metadata (depending on how the 
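Review bot: The comment above ExtAuthConfig's IntrospectionValidation (hunk at -1827) says `If only one is provided, the config will be rejected`, while the user-facing IntrospectionValidation comment in the hunk at -921 qualifies the same rule with `Unless disable_client_secret is set`. Whether the translated config carries that flag is not visible from the hunk, so one of the two comments is presumably stale. I would align them, or state here that the `disable_client_secret` exemption is resolved before translation, so that a reader can tell which validation rule applies to the client credentials. The message body continues outside the hunk.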
@@ -1857,7 +1857,7 @@ message ExtAuthConfig { } oneof validation_type { - // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. + // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. // This field is deprecated as it does not support authenticated introspection requests @@ -1868,7 +1868,7 @@ message ExtAuthConfig { JwtValidation jwt = 2; // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated - // [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) specification. + // [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) specification. IntrospectionValidation introspection = 3; // In the future we may implement HMAC validation @@ -1891,7 +1891,7 @@ message ExtAuthConfig { // Require access token to have all of the scopes in the given list. // This configuration applies to both opaque and JWT tokens. In the case of opaque tokens, // this will check the scopes returned in the "scope" member of introspection response - // (as described in [Section 2.2 of RFC7662](https://tools.ietf.org/html/rfc7662#section-2.2). + // (as described in [Section 2.2 of RFC7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2). // In case of JWTs the scopes to be validated are expected to be contained in the "scope" claim of the // token in the form of a space-separated string. // Omitting this field means that scope validation will be skipped. 
@@ -1970,7 +1970,7 @@ message ExtAuthConfig { // provide the access token on the request and let gloo handle authorization. // - // according to https://tools.ietf.org/html/rfc6750 you can pass tokens through: + // according to https://datatracker.ietf.org/doc/html/rfc6750 you can pass tokens through: // - form-encoded body parameter. recommended, more likely to appear. e.g.: Authorization: Bearer mytoken123 // - URI query parameter e.g. access_token=mytoken123 // - and (preferably) secure cookies diff --git a/api/gloo/gloo/external/envoy/config/core/v3/address.proto b/api/gloo/gloo/external/envoy/config/core/v3/address.proto index 8c361acc1..a2bea2553 100644 --- a/api/gloo/gloo/external/envoy/config/core/v3/address.proto +++ b/api/gloo/gloo/external/envoy/config/core/v3/address.proto @@ -73,7 +73,7 @@ message SocketAddress { string resolver_name = 5; // When binding to an IPv6 address above, this enables `IPv4 compatibility - // `_. Binding to ``::`` will + // `_. Binding to ``::`` will // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into // IPv6 space as ``::FFFF:``. bool ipv4_compat = 6; @@ -133,7 +133,7 @@ message Address { } // CidrRange specifies an IP Address and a prefix length to construct -// the subnet mask for a `CIDR `_ range. +// the subnet mask for a `CIDR `_ range. message CidrRange { option (solo.io.udpa.annotations.versioning).previous_message_type = "solo.io.envoy.api.v2.core.CidrRange"; diff --git a/api/gloo/gloo/external/envoy/config/core/v3/grpc_service.proto b/api/gloo/gloo/external/envoy/config/core/v3/grpc_service.proto index a6059cf98..9f543c7e2 100644 --- a/api/gloo/gloo/external/envoy/config/core/v3/grpc_service.proto +++ b/api/gloo/gloo/external/envoy/config/core/v3/grpc_service.proto 
@@ -137,7 +137,7 @@ message GrpcService { // Security token service configuration that allows Google gRPC to // fetch security token from an OAuth 2.0 authorization server. - // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and + // See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-16 and // https://github.com/grpc/grpc/pull/19587. // [#next-free-field: 10] message StsService { @@ -209,7 +209,7 @@ message GrpcService { MetadataCredentialsFromPlugin from_plugin = 6; // Custom security token service which implements OAuth 2.0 token exchange. - // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 + // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-16 // See https://github.com/grpc/grpc/pull/19587. StsService sts_service = 7; } diff --git a/api/gloo/gloo/external/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/gloo/gloo/external/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 900016943..1b9476ba0 100644 --- a/api/gloo/gloo/external/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/gloo/gloo/external/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -26,8 +26,8 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Please see following for JWT authentication flow: // -// * `JSON Web Token (JWT) `_ -// * `The OAuth 2.0 Authorization Framework `_ +// * `JSON Web Token (JWT) `_ +// * `The OAuth 2.0 Authorization Framework `_ // * `OpenID Connect `_ // // A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies: @@ -59,7 +59,7 @@ message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider"; - // Specify the `principal `_ that issued + // Specify the `principal `_ that issued // the JWT, usually a URL or an email address. // // It is optional. If specified, it has to match the *iss* field in JWT. 
@@ -81,7 +81,7 @@ message JwtProvider { // string issuer = 1; - // The list of JWT `audiences `_ are + // The list of JWT `audiences `_ are // allowed to access. A JWT containing any of these audiences will be accepted. If not specified, // will not check audiences in the token. // @@ -95,7 +95,7 @@ message JwtProvider { // repeated string audiences = 2; - // `JSON Web Key Set (JWKS) `_ is needed to + // `JSON Web Key Set (JWKS) `_ is needed to // validate signature of a JWT. This field specifies where to fetch JWKS. oneof jwks_source_specifier { option (validate.required) = true; @@ -146,11 +146,11 @@ message JwtProvider { // If no explicit location is specified, the following default locations are tried in order: // // 1. The Authorization header using the `Bearer schema - // `_. Example:: + // `_. Example:: // // Authorization: Bearer . // - // 2. `access_token `_ query parameter. + // 2. `access_token `_ query parameter. // // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations // its provider specified or from the default locations. diff --git a/api/gloo/gloo/external/xds/core/v3/cidr.proto b/api/gloo/gloo/external/xds/core/v3/cidr.proto index c40dab2f2..5dd87b4d5 100644 --- a/api/gloo/gloo/external/xds/core/v3/cidr.proto +++ b/api/gloo/gloo/external/xds/core/v3/cidr.proto @@ -15,7 +15,7 @@ option go_package = "github.com/cncf/xds/go/xds/core/v3"; option (xds.annotations.v3.file_status).work_in_progress = true; // CidrRange specifies an IP Address and a prefix length to construct -// the subnet mask for a `CIDR `_ range. +// the subnet mask for a `CIDR `_ range. message CidrRange { // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; diff --git a/api/gloo/gloo/external/xds/core/v3/resource_locator.proto b/api/gloo/gloo/external/xds/core/v3/resource_locator.proto index 9b40d52fc..3fcdf9a0f 100644 
--- a/api/gloo/gloo/external/xds/core/v3/resource_locator.proto +++ b/api/gloo/gloo/external/xds/core/v3/resource_locator.proto @@ -85,7 +85,7 @@ message ResourceLocator { // require percent encoding in a directive value are [',', '#', '[', ']', // '%']. These are the RFC3986 fragment reserved characters with the addition // of the xDS scheme specific ','. See - // https://tools.ietf.org/html/rfc3986#page-49 for further details on URI ABNF + // https://datatracker.ietf.org/doc/html/rfc3986#page-49 for further details on URI ABNF // and reserved characters. message Directive { oneof directive { diff --git a/api/gloo/gloo/v1/options/protocol/protocol.proto b/api/gloo/gloo/v1/options/protocol/protocol.proto index 7b4451013..ce14288e6 100644 --- a/api/gloo/gloo/v1/options/protocol/protocol.proto +++ b/api/gloo/gloo/v1/options/protocol/protocol.proto @@ -126,7 +126,7 @@ message Http2ProtocolOptions { // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging // ` // - // See `RFC7540, sec. 8.1 `_ for details. + // See `RFC7540, sec. 8.1 `_ for details. google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14; } diff --git a/api/gloo/gloo/v1/upstream.proto b/api/gloo/gloo/v1/upstream.proto index 0cdd44fb4..9017d8611 100644 --- a/api/gloo/gloo/v1/upstream.proto +++ b/api/gloo/gloo/v1/upstream.proto @@ -126,7 +126,7 @@ message UpstreamSpec { // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging // ` // - // See `RFC7540, sec. 8.1 `_ for details. + // See `RFC7540, sec. 8.1 `_ for details. google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 26; // Tells envoy that the upstream is an HTTP proxy (e.g., another proxy in a DMZ) that supports HTTP Connect. diff --git a/pkg/api/enterprise.gloo.solo.io/v1/auth_config.pb.go b/pkg/api/enterprise.gloo.solo.io/v1/auth_config.pb.go index dcb204bfe..6dcc8259f 100644 --- a/pkg/api/enterprise.gloo.solo.io/v1/auth_config.pb.go 
+++ b/pkg/api/enterprise.gloo.solo.io/v1/auth_config.pb.go @@ -852,7 +852,7 @@ type CustomAuth struct { // This allows the server to base the auth decision on metadata that you define on the source of the request. // // This attribute is analogous to Envoy's config.filter.http.ext_authz.v2.CheckSettings. See the official - // [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto.html?highlight=ext_authz#config-filter-http-ext-authz-v2-checksettings) + // [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#envoy-v3-api-msg-extensions-filters-http-ext-authz-v3-checksettings) // for more details. ContextExtensions map[string]string `protobuf:"bytes,1,rep,name=context_extensions,json=contextExtensions,proto3" json:"context_extensions,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // [Enterprise-only] @@ -1485,7 +1485,7 @@ type OAuth2_OidcAuthorizationCode struct { type OAuth2_AccessTokenValidation struct { // provide the access token on the request and let gloo handle authorization. // - // according to https://tools.ietf.org/html/rfc6750 you can pass tokens through: + // according to https://datatracker.ietf.org/doc/html/rfc6750 you can pass tokens through: // - form-encoded body parameter. recommended, more likely to appear. e.g.: Authorization: Bearer mytoken123 // - URI query parameter e.g. access_token=mytoken123 // - and (preferably) secure cookies 
@@ -1914,7 +1914,7 @@ func (x *DiscoveryOverride) GetEndSessionEndpoint() string { return "" } -// The json web key set (JWKS) (https://tools.ietf.org/html/rfc7517) is discovered at an interval +// The json web key set (JWKS) (https://datatracker.ietf.org/doc/html/rfc7517) is discovered at an interval // from a remote source. When keys rotate in the remote source, there may be a delay in the // local source picking up those new keys. Therefore, a user could execute a request with a token // that has been signed by a key in the remote JWKS, but the local cache doesn't have the key yet. @@ -2736,12 +2736,12 @@ func (x *PlainOAuth2) GetDisableClientSecret() *wrappers.BoolValue { // Defines how JSON Web Token (JWT) access tokens are validated. // // Tokens are validated using a JSON Web Key Set (as defined in -// [Section 5 of RFC7517](https://tools.ietf.org/html/rfc7517#section-5)), +// [Section 5 of RFC7517](https://datatracker.ietf.org/doc/html/rfc7517#section-5)), // which can be either inlined in the configuration or fetched from a remote location via HTTP. // Any keys in the JWKS that are not intended for signature verification (i.e. whose -// ["use" parameter](https://tools.ietf.org/html/rfc7517#section-4.2) is not "sig") +// ["use" parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2) is not "sig") // will be ignored by the system, as will keys that do not specify a -// ["kid" (Key ID) parameter](https://tools.ietf.org/html/rfc7517#section-4.2). +// ["kid" (Key ID) parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2). // // The JWT to be validated must define non-empty "kid" and "alg" headers. The "kid" header // determines which key in the JWKS will be used to verify the signature of the token; 
@@ -2845,7 +2845,7 @@ func (*JwtValidation_RemoteJwks_) isJwtValidation_JwksSourceSpecifier() {} func (*JwtValidation_LocalJwks_) isJwtValidation_JwksSourceSpecifier() {} // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated -// [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) +// [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) // // If the token introspection url requires client authentication, both the client_id and client_secret // are required. Unless disable_client_secret is set, when only one is provided, the config will be rejected. @@ -2855,7 +2855,7 @@ type IntrospectionValidation struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. + // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. IntrospectionUrl string `protobuf:"bytes,1,opt,name=introspection_url,json=introspectionUrl,proto3" json:"introspection_url,omitempty"` 
@@ -2865,7 +2865,7 @@ type IntrospectionValidation struct { // Your client secret as registered with the issuer. // Optional: Use if the token introspection url requires client authentication. ClientSecretRef *core.ResourceRef `protobuf:"bytes,3,opt,name=client_secret_ref,json=clientSecretRef,proto3" json:"client_secret_ref,omitempty"` - // The name of the [introspection response](https://tools.ietf.org/html/rfc7662#section-2.2) + // The name of the [introspection response](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2) // attribute that contains the ID of the resource owner (e.g. `sub`, `username`). // If specified, the external auth server will use the value of the attribute as the identifier of the // authenticated user and add it to the request headers and/or dynamic metadata (depending on how the @@ -3085,7 +3085,7 @@ type isAccessTokenValidation_ValidationType interface { } type AccessTokenValidation_IntrospectionUrl struct { - // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. + // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. // This field is deprecated as it does not support authenticated introspection requests @@ -3102,7 +3102,7 @@ type AccessTokenValidation_Jwt struct { type AccessTokenValidation_Introspection struct { // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated - // [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) specification. + // [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) specification. Introspection *IntrospectionValidation `protobuf:"bytes,3,opt,name=introspection,proto3,oneof"` } 
@@ -3120,7 +3120,7 @@ type AccessTokenValidation_RequiredScopes struct { // Require access token to have all of the scopes in the given list. // This configuration applies to both opaque and JWT tokens. In the case of opaque tokens, // this will check the scopes returned in the "scope" member of introspection response - // (as described in [Section 2.2 of RFC7662](https://tools.ietf.org/html/rfc7662#section-2.2). + // (as described in [Section 2.2 of RFC7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2). // In case of JWTs the scopes to be validated are expected to be contained in the "scope" claim of the // token in the form of a space-separated string. // Omitting this field means that scope validation will be skipped. @@ -4334,7 +4334,7 @@ func (x *BackoffStrategy) GetMaxInterval() *duration.Duration { return nil } -// The message specifies the retry policy of the external gRPC service when unable to initally connect. +// The message specifies the retry policy of the external gRPC service when unable to initially connect. type RetryPolicy struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -6569,7 +6569,7 @@ func (*OidcAuthorizationCode_Default) Descriptor() ([]byte, []int) { } // For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider. -// This way, you can enable distibuted claims and caching for when users are members of more than 200 groups. +// This way, you can enable distributed claims and caching for when users are members of more than 200 groups. type OidcAuthorizationCode_Azure struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -6583,7 +6583,7 @@ type OidcAuthorizationCode_Azure struct { // This tenant ID may or may not be the same as in the top level `OidcAuthorizationCodeConfig`, // depending on how your Azure account is provisioned. TenantId string `protobuf:"bytes,2,opt,name=tenant_id,json=tenantId,proto3" json:"tenant_id,omitempty"` - // The client secret of the ExtAuthService app that is registered with MS Entra to communciate with the MS Graph API. + // The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API. ClientSecret *core.ResourceRef `protobuf:"bytes,3,opt,name=client_secret,json=clientSecret,proto3" json:"client_secret,omitempty"` // Redis connection details to cache MS Entera claims. // This way, you avoid performance issues of accessing the Microsoft Graph API too many times. @@ -6721,7 +6721,7 @@ type OidcAuthorizationCode_ClientAuthentication_PrivateKeyJwt struct { // Signing key for the JWT used to authenticate the client SigningKeyRef *core.ResourceRef `protobuf:"bytes,1,opt,name=signing_key_ref,json=signingKeyRef,proto3" json:"signing_key_ref,omitempty"` - // Amount of time for which the JWT is valid. No maximmum is enforced, but different IDPs may impose limits on how far in + // Amount of time for which the JWT is valid. No maximum is enforced, but different IDPs may impose limits on how far in // the future the expiration time is allowed to be. If omitted, default is 5s. ValidFor *duration.Duration `protobuf:"bytes,2,opt,name=valid_for,json=validFor,proto3" json:"valid_for,omitempty"` } 
@@ -8426,7 +8426,7 @@ type isExtAuthConfig_AccessTokenValidationConfig_ValidationType interface { } type ExtAuthConfig_AccessTokenValidationConfig_IntrospectionUrl struct { - // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. + // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. // This field is deprecated as it does not support authenticated introspection requests @@ -8443,7 +8443,7 @@ type ExtAuthConfig_AccessTokenValidationConfig_Jwt struct { type ExtAuthConfig_AccessTokenValidationConfig_Introspection struct { // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated - // [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) specification. + // [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) specification. Introspection *ExtAuthConfig_AccessTokenValidationConfig_IntrospectionValidation `protobuf:"bytes,3,opt,name=introspection,proto3,oneof"` } 
@@ -8464,7 +8464,7 @@ type ExtAuthConfig_AccessTokenValidationConfig_RequiredScopes struct { // Require access token to have all of the scopes in the given list. // This configuration applies to both opaque and JWT tokens. In the case of opaque tokens, // this will check the scopes returned in the "scope" member of introspection response - // (as described in [Section 2.2 of RFC7662](https://tools.ietf.org/html/rfc7662#section-2.2). + // (as described in [Section 2.2 of RFC7662](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2). // In case of JWTs the scopes to be validated are expected to be contained in the "scope" claim of the // token in the form of a space-separated string. // Omitting this field means that scope validation will be skipped. @@ -8739,7 +8739,7 @@ type ExtAuthConfig_OAuth2Config_OidcAuthorizationCode struct { type ExtAuthConfig_OAuth2Config_AccessTokenValidationConfig struct { // provide the access token on the request and let gloo handle authorization. // - // according to https://tools.ietf.org/html/rfc6750 you can pass tokens through: + // according to https://datatracker.ietf.org/doc/html/rfc6750 you can pass tokens through: // - form-encoded body parameter. recommended, more likely to appear. e.g.: Authorization: Bearer mytoken123 // - URI query parameter e.g. access_token=mytoken123 // - and (preferably) secure cookies 
@@ -9924,8 +9924,8 @@ type ExtAuthConfig_OidcAuthorizationCodeConfig_PkJwtClientAuthenticationConfig s // Signing key for the JWT used for client authentication SigningKey string `protobuf:"bytes,1,opt,name=signing_key,json=signingKey,proto3" json:"signing_key,omitempty"` - // Amount of time for which the JWT is valid. No maximmum is enforced, but different IDPs may impose limits on how far in - // the future the expiration time is allowed to be. Defaults in 5s in front end, but expected to be set explictly here + // Amount of time for which the JWT is valid. No maximum is enforced, but different IDPs may impose limits on how far in + // the future the expiration time is allowed to be. Defaults in 5s in front end, but expected to be set explicitly here ValidFor *duration.Duration `protobuf:"bytes,2,opt,name=valid_for,json=validFor,proto3" json:"valid_for,omitempty"` } @@ -10180,7 +10180,7 @@ func (*ExtAuthConfig_OidcAuthorizationCodeConfig_Default) Descriptor() ([]byte, } // For apps in Microsoft Azure, configure Microsoft Entra ID as the OpenID Connect (OIDC) provider. -// This way, you can enable distibuted claims and caching for when users are members of more than 200 groups. +// This way, you can enable distributed claims and caching for when users are members of more than 200 groups. type ExtAuthConfig_OidcAuthorizationCodeConfig_Azure struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -10194,7 +10194,7 @@ type ExtAuthConfig_OidcAuthorizationCodeConfig_Azure struct { // This tenant ID may or may not be the same as in the top level `OidcAuthorizationCodeConfig`, // depending on how your Azure account is provisioned. TenantId string `protobuf:"bytes,2,opt,name=tenant_id,json=tenantId,proto3" json:"tenant_id,omitempty"` - // The client secret of the ExtAuthService app that is registered with MS Entra to communciate with the MS Graph API. + // The client secret of the ExtAuthService app that is registered with MS Entra to communicate with the MS Graph API. ClientSecret string `protobuf:"bytes,3,opt,name=client_secret,json=clientSecret,proto3" json:"client_secret,omitempty"` // Redis connection details to cache MS Entera claims. // This way, you avoid performance issues of accessing the Microsoft Graph API too many times. 
@@ -10266,12 +10266,12 @@ func (x *ExtAuthConfig_OidcAuthorizationCodeConfig_Azure) GetClaimsCachingOption // Defines how JSON Web Token (JWT) access tokens are validated. // // Tokens are validated using a JSON Web Key Set (as defined in -// [Section 5 of RFC7517](https://tools.ietf.org/html/rfc7517#section-5)), +// [Section 5 of RFC7517](https://datatracker.ietf.org/doc/html/rfc7517#section-5)), // which can be either inlined in the configuration or fetched from a remote location via HTTP. // Any keys in the JWKS that are not intended for signature verification (i.e. whose -// ["use" parameter](https://tools.ietf.org/html/rfc7517#section-4.2) is not "sig") +// ["use" parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2) is not "sig") // will be ignored by the system, as will keys that do not specify a -// ["kid" (Key ID) parameter](https://tools.ietf.org/html/rfc7517#section-4.2). +// ["kid" (Key ID) parameter](https://datatracker.ietf.org/doc/html/rfc7517#section-4.2). // // The JWT to be validated must define non-empty "kid" and "alg" headers. The "kid" header // determines which key in the JWKS will be used to verify the signature of the token; @@ -10377,7 +10377,7 @@ func (*ExtAuthConfig_AccessTokenValidationConfig_JwtValidation_LocalJwks_) isExt } // Defines how (opaque) access tokens, received from the oauth authorization endpoint, are validated -// [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) +// [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) // // If the token introspection url requires client authentication, both the client_id and client_secret // are required. If only one is provided, the config will be rejected. 
@@ -10387,7 +10387,7 @@ type ExtAuthConfig_AccessTokenValidationConfig_IntrospectionValidation struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // The URL for the [OAuth2.0 Token Introspection](https://tools.ietf.org/html/rfc7662) endpoint. + // The URL for the [OAuth2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) endpoint. // If provided, the (opaque) access token provided or received from the oauth authorization endpoint // will be validated against this endpoint, or locally cached responses for this access token. IntrospectionUrl string `protobuf:"bytes,1,opt,name=introspection_url,json=introspectionUrl,proto3" json:"introspection_url,omitempty"` @@ -10397,7 +10397,7 @@ type ExtAuthConfig_AccessTokenValidationConfig_IntrospectionValidation struct { // Your client secret as registered with the issuer. // Optional: Use if the token introspection url requires client authentication. ClientSecret string `protobuf:"bytes,3,opt,name=client_secret,json=clientSecret,proto3" json:"client_secret,omitempty"` - // The name of the [introspection response](https://tools.ietf.org/html/rfc7662#section-2.2) + // The name of the [introspection response](https://datatracker.ietf.org/doc/html/rfc7662#section-2.2) // attribute that contains the ID of the resource owner (e.g. `sub`, `username`). // If specified, the external auth server will use the value of the attribute as the identifier of the // authenticated user and add it to the request headers and/or dynamic metadata (depending on how the diff --git a/pkg/api/gloo.solo.io/external/envoy/config/core/v3/address.pb.go b/pkg/api/gloo.solo.io/external/envoy/config/core/v3/address.pb.go index 530324a65..386654df5 100644 --- a/pkg/api/gloo.solo.io/external/envoy/config/core/v3/address.pb.go +++ b/pkg/api/gloo.solo.io/external/envoy/config/core/v3/address.pb.go 
@@ -162,7 +162,7 @@ type SocketAddress struct { // *STRICT_DNS* or *LOGICAL_DNS* will generate an error at runtime. ResolverName string `protobuf:"bytes,5,opt,name=resolver_name,json=resolverName,proto3" json:"resolver_name,omitempty"` // When binding to an IPv6 address above, this enables `IPv4 compatibility - // `_. Binding to “::“ will + // `_. Binding to “::“ will // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into // IPv6 space as “::FFFF:“. Ipv4Compat bool `protobuf:"varint,6,opt,name=ipv4_compat,json=ipv4Compat,proto3" json:"ipv4_compat,omitempty"` @@ -497,7 +497,7 @@ func (*Address_SocketAddress) isAddress_Address() {} func (*Address_Pipe) isAddress_Address() {} // CidrRange specifies an IP Address and a prefix length to construct -// the subnet mask for a `CIDR `_ range. +// the subnet mask for a `CIDR `_ range. type CidrRange struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/pkg/api/gloo.solo.io/external/envoy/config/core/v3/grpc_service.pb.go b/pkg/api/gloo.solo.io/external/envoy/config/core/v3/grpc_service.pb.go index a5588db24..43bdc46e0 100644 --- a/pkg/api/gloo.solo.io/external/envoy/config/core/v3/grpc_service.pb.go +++ b/pkg/api/gloo.solo.io/external/envoy/config/core/v3/grpc_service.pb.go @@ -696,7 +696,7 @@ type GrpcService_GoogleGrpc_CallCredentials_FromPlugin struct { type GrpcService_GoogleGrpc_CallCredentials_StsService_ struct { // Custom security token service which implements OAuth 2.0 token exchange. - // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 + // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-16 // See https://github.com/grpc/grpc/pull/19587. StsService *GrpcService_GoogleGrpc_CallCredentials_StsService `protobuf:"bytes,7,opt,name=sts_service,json=stsService,proto3,oneof"` } 
@@ -959,7 +959,7 @@ func (*GrpcService_GoogleGrpc_CallCredentials_MetadataCredentialsFromPlugin_Type // Security token service configuration that allows Google gRPC to // fetch security token from an OAuth 2.0 authorization server. -// See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and +// See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-exchange-16 and // https://github.com/grpc/grpc/pull/19587. // [#next-free-field: 10] type GrpcService_GoogleGrpc_CallCredentials_StsService struct { diff --git a/pkg/api/gloo.solo.io/external/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go b/pkg/api/gloo.solo.io/external/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go index 99dab97b1..3764a55c3 100644 --- a/pkg/api/gloo.solo.io/external/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go +++ b/pkg/api/gloo.solo.io/external/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go @@ -29,8 +29,8 @@ const ( // Please see following for JWT authentication flow: // -// * `JSON Web Token (JWT) `_ -// * `The OAuth 2.0 Authorization Framework `_ +// * `JSON Web Token (JWT) `_ +// * `The OAuth 2.0 Authorization Framework `_ // * `OpenID Connect `_ // // A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies: @@ -63,7 +63,7 @@ type JwtProvider struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - // Specify the `principal `_ that issued + // Specify the `principal `_ that issued // the JWT, usually a URL or an email address. // // It is optional. If specified, it has to match the *iss* field in JWT. 
@@ -83,7 +83,7 @@ type JwtProvider struct { // Example: https://securetoken.google.com // Example: 1234567-compute@developer.gserviceaccount.com Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"` - // The list of JWT `audiences `_ are + // The list of JWT `audiences `_ are // allowed to access. A JWT containing any of these audiences will be accepted. If not specified, // will not check audiences in the token. // @@ -95,7 +95,7 @@ type JwtProvider struct { // - bookstore_android.apps.googleusercontent.com // - bookstore_web.apps.googleusercontent.com Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"` - // `JSON Web Key Set (JWKS) `_ is needed to + // `JSON Web Key Set (JWKS) `_ is needed to // validate signature of a JWT. This field specifies where to fetch JWKS. // // Types that are assignable to JwksSourceSpecifier: @@ -111,11 +111,11 @@ type JwtProvider struct { // If no explicit location is specified, the following default locations are tried in order: // // 1. The Authorization header using the `Bearer schema - // `_. Example:: + // `_. Example:: // // Authorization: Bearer . // - // 2. `access_token `_ query parameter. + // 2. `access_token `_ query parameter. // // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations // its provider specified or from the default locations. diff --git a/pkg/api/gloo.solo.io/v1/options/protocol/protocol.pb.go b/pkg/api/gloo.solo.io/v1/options/protocol/protocol.pb.go index 067df5d52..441aaa964 100644 --- a/pkg/api/gloo.solo.io/v1/options/protocol/protocol.pb.go +++ b/pkg/api/gloo.solo.io/v1/options/protocol/protocol.pb.go 
@@ -328,7 +328,7 @@ type Http2ProtocolOptions struct { // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging // ` // - // See `RFC7540, sec. 8.1 `_ for details. + // See `RFC7540, sec. 8.1 `_ for details. OverrideStreamErrorOnInvalidHttpMessage *wrappers.BoolValue `protobuf:"bytes,14,opt,name=override_stream_error_on_invalid_http_message,json=overrideStreamErrorOnInvalidHttpMessage,proto3" json:"override_stream_error_on_invalid_http_message,omitempty"` } diff --git a/pkg/api/gloo.solo.io/v1/upstream.pb.go b/pkg/api/gloo.solo.io/v1/upstream.pb.go index 75634193b..0456d87e3 100644 --- a/pkg/api/gloo.solo.io/v1/upstream.pb.go +++ b/pkg/api/gloo.solo.io/v1/upstream.pb.go @@ -217,7 +217,7 @@ type UpstreamSpec struct { // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging // ` // - // See `RFC7540, sec. 8.1 `_ for details. + // See `RFC7540, sec. 8.1 `_ for details. OverrideStreamErrorOnInvalidHttpMessage *wrappers.BoolValue `protobuf:"bytes,26,opt,name=override_stream_error_on_invalid_http_message,json=overrideStreamErrorOnInvalidHttpMessage,proto3" json:"override_stream_error_on_invalid_http_message,omitempty"` // Tells envoy that the upstream is an HTTP proxy (e.g., another proxy in a DMZ) that supports HTTP Connect. // This configuration sets the hostname used as part of the HTTP Connect request.