Sync APIs. @tag-name=gloo-extauth-gme-parity

api/gloo/enterprise.gloo/v1/auth_config.proto

@@ -1071,6 +1071,10 @@ message AccessTokenValidation {
         // in the future we may add other types of scope validation (e.g. predicate matching)
     }
 
+    message ScopeList {
+      repeated string scope = 1;
+    }
+
     // Map of metadata key to claim. Ie:
     // dynamic_metadata_from_claims:
     //   issuer: iss
@@ -1081,10 +1085,6 @@ message AccessTokenValidation {
     // The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
     // and the structure of the claim value will be preserved in the metadata struct.
     map<string, string> dynamic_metadata_from_claims = 7;
-
-    message ScopeList {
-      repeated string scope = 1;
-    }
 }
 
 message OauthSecret {
@@ -1260,6 +1260,9 @@ message AerospikeApiKeyStorage {
     map<string, string> label_selector = 17;
 }
 
+// When no storage backend is specified, the default storage backend defined in the extauth server is used.
+message DefaultApiKeyStorage{}
+
 message ApiKey {
     // The string value of the API key.
     string api_key = 2;
@@ -1874,9 +1877,20 @@ message ExtAuthConfig {
             string path=1;
         }
 
-    // Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
-    // The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
+        // Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
+        // The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
         FrontChannelLogout front_channel_logout = 28;
+
+
+        // Map of metadata key to claim. Ie:
+        // dynamic_metadata_from_claims:
+        //   issuer: iss
+        //   email: email
+        // When specified, the matching claims from the ID token will be emitted as dynamic metadata.
+        // Note that metadata keys must be unique, and the claim names must be alphanumeric and use `-` or `_` as separators.
+        // The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
+        // and the structure of the claim value will be preserved in the metadata struct.
+        map<string, string> dynamic_metadata_from_claims = 29;
     }
 
     message AccessTokenValidationConfig {
@@ -2005,6 +2019,17 @@ message ExtAuthConfig {
         message ScopeList {
             repeated string scope = 1;
         }
+
+        // Map of metadata key to claim. Ie:
+        // dynamic_metadata_from_claims:
+        //   issuer: iss
+        //   email: email
+        // When specified, the matching claims from the access token will be emitted as dynamic metadata.
+        // Note that metadata keys must be unique, and the claim names must be alphanumeric and use `-` or `_` as separators.
+        // Works when the access token is a JWT or when the access token is opaque, in which case the claims will refer to field in the response from the token introspection endpoint.
+        // The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
+        // and the structure of the claim value will be preserved in the metadata struct.
+        map<string, string> dynamic_metadata_from_claims = 7;
     }
 
     message PlainOAuth2Config {
@@ -2113,11 +2138,12 @@ message ExtAuthConfig {
         oneof storage_backend {
             K8sSecretApiKeyStorage k8s_secret_apikey_storage = 4;
             AerospikeApiKeyStorage aerospike_apikey_storage = 5;
+            DefaultApiKeyStorage default_apikey_storage = 7;
         }
 
-    // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
-    // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
-    // This validation comes with a performance cost, and can be disabled by setting this field to `true`.
+        // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
+        // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
+        // This validation comes with a performance cost, and can be disabled by setting this field to `true`.
         bool skip_metadata_validation = 6;
     }
 

api/gloo/gloo/v1/enterprise/options/ai/ai.proto

@@ -78,6 +78,7 @@ message SingleAuthToken {
 */
 message UpstreamSpec {
 
+  // Settings to configure a custom host to send the traffic to
   message CustomHost {
     // Custom host to send the traffic to
     string host = 1;
@@ -125,6 +126,25 @@ message UpstreamSpec {
     string api_version = 4;
   }
 
+  // Settings for the Gemini API
+  message Gemini {
+    // Auth Token to use for the Gemini API
+    // This token will be placed into the `key` header
+    oneof auth_token_source {
+      // Auth Token to use for the Gemini API
+      // This token will be placed into the `key` header
+      SingleAuthToken auth_token = 1;
+      // TODO: use oauth
+    }
+
+    // The model name to use
+    // This value can be found https://generativelanguage.googleapis.com/{version}/models/{model}:generateContent?key={api_key}
+    string model = 2;
+    // The version of the API to use
+    // This value can be found https://generativelanguage.googleapis.com/{api_version}/models/{model}:generateContent?key={api_key}
+    string api_version = 3;
+  }
+
   // Settings for the Mistral API
   message Mistral {
     // Auth Token to use for the Mistral API.
@@ -139,6 +159,7 @@ message UpstreamSpec {
     string model = 3;
   }
 
+  // Settings for the Anthropic API
   message Anthropic {
     // Auth Token to use for the Anthropic API.
     // This token will be placed into the `x-api-key` header
@@ -201,10 +222,14 @@ message UpstreamSpec {
         Anthropic anthropic = 3;
         // Azure OpenAI upstream
         AzureOpenAI azure_openai = 4;
+        // Gemini upstream
+        Gemini gemini = 5;
       }
     }
 
+    // Priority represents a single endpoint pool with a given priority
     message Priority {
+      // list of backends representing a single endpoint pool
       repeated Backend pool = 1;
     }
 
@@ -224,6 +249,8 @@ message UpstreamSpec {
     AzureOpenAI azure_openai = 4;
     // multi upstream
     MultiPool multi = 5;
+    // Gemini upstream
+    Gemini gemini = 6;
   }
 }
 
@@ -277,15 +304,17 @@ message RouteSettings {
     promptGuard:
       request:
         customResponseMessage: "Rejected due to inappropriate content"
-        matches:
-        - "credit card"
+        regex:
+          matches:
+          - "credit card"
       response:
-        matches:
-        # Mastercard
-        - '(?:^|\D)(5[1-5][0-9]{2}(?:\ |\-|)[0-9]{4}(?:\ |\-|)[0-9]{4}(?:\ |\-|)[0-9]{4})(?:\D|$)'
+        regex:
+          matches:
+          # Mastercard
+          - '(?:^|\D)(5[1-5][0-9]{2}(?:\ |\-|)[0-9]{4}(?:\ |\-|)[0-9]{4}(?:\ |\-|)[0-9]{4})(?:\D|$)'
     ````
   */
-  AIPromptGaurd prompt_guard = 2;
+  AIPromptGuard prompt_guard = 2;
 
   /*
     Retrieval Augmented Generation. https://research.ibm.com/blog/retrieval-augmented-generation-RAG
@@ -311,6 +340,7 @@ message RouteSettings {
     ```
   */
   RAG rag = 3;
+
   /*
     Semantic caching configuration
     Semantic caching allows you to cache previous model responses in order to provide
@@ -386,6 +416,8 @@ message Postgres {
 
 
 message Embedding {
+
+  // OpenAI embedding
   message OpenAI {
     oneof auth_token_source {
       SingleAuthToken auth_token = 1;
@@ -394,6 +426,7 @@ message Embedding {
     }
   }
 
+  // Azure OpenAI embedding
   message AzureOpenAI {
     oneof auth_token_source {
       // Auth Token to use for the OpenAI API
@@ -424,7 +457,10 @@ message Embedding {
   }
 }
 
+// Settings for the Semantic Caching feature
 message SemanticCache {
+
+  // Settings for the Redis database
   message Redis {
     // Connection string to the Redis database
     string connection_string = 1;
@@ -438,6 +474,7 @@ message SemanticCache {
     float score_threshold = 2;
   }
 
+  // Settings for the Weaviate database
   message Weaviate {
     // Connection string to the Weaviate database, scheme should NOT be included.
     // For example: weaviate.my-ns.svc.cluster.local
@@ -450,6 +487,7 @@ message SemanticCache {
     // Whether or not to use a secure connection, true by default
     bool insecure = 4;
   }
+
   // Data store from which to cache the request/response pairs
   message DataStore {
     oneof datastore {
@@ -473,6 +511,7 @@ message SemanticCache {
   Mode mode = 4;
 }
 
+// Settings for the Retrieval Augmented Generation feature
 message RAG {
   message DataStore {
     oneof datastore {
@@ -487,11 +526,7 @@ message RAG {
   string prompt_template = 3;
 }
 
-message RateLimiting {
-  // List of rate_limit configs to apply
-  repeated string rate_limit_configs = 1;
-}
-
+// Settings for the Prompt Enrichment feature
 message AIPromptEnrichment {
   message Message {
     // Role of the message.
@@ -508,39 +543,88 @@ message AIPromptEnrichment {
 
 }
 
-message AIPromptGaurd {
-  message Request {
-    // A list of Regex patterns to match against the prompt.
-    // Each one will be checked against the prompt and if any match
-    // the request will be rejected.
+// Settings for the Prompt Guard feature
+message AIPromptGuard {
+
+  // Regex settings for prompt guard
+  message Regex {
+    enum BuiltIn {
+      // Default REGEX for Social Security Numbers
+      SSN = 0;
+      // Default REGEX for Credit Card Numbers
+      CREDIT_CARD = 1;
+    }
+    // A list of Regex patterns to match against the response.
+    // All matches will be masked before being sent back to the client.
+    // matches and builtins are additive.
     repeated string matches = 1;
+    // A list of built-in regexes to mask in the response.
+    // matches and builtins are additive.
+    repeated BuiltIn builtins = 2;
+  }
+
+  // Webhook settings for prompt guard
+  message Webhook {
+    // Host to send the traffic to.
+    string host = 1;
+    // Port to send the traffic to
+    uint32 port = 2;
+    message HeaderMatch {
+      enum MatchType {
+        // Exact match
+        EXACT = 0;
+        // Prefix match
+        PREFIX = 1;
+        // Suffix match
+        SUFFIX = 2;
+        // Contains match
+        CONTAINS = 3;
+        // Regex match
+        REGEX = 4;
+      }
+      // Header key to match
+      string key = 1;
+      // Type of match to use
+      MatchType match_type = 2;
+    }
+    // Headers to forward with the request
+    repeated HeaderMatch headers = 3;
+  }
+
+
+  // Request settings for Prompt Guard
+  message Request {
+    message CustomResponse {
+      // Custom response message to send back to the client.
+      // If not specified, the following default message will be used:
+      // "The request was rejected due to inappropriate content"
+      string message = 1;
+
+      // Status code to send back to the client.
+      uint32 status_code = 2;
+    }
     // Custom response message to send back to the client.
     // If not specified, the following default message will be used:
     // "The request was rejected due to inappropriate content"
-    string custom_response_message = 2;
+    CustomResponse custom_response = 1;
+
+    // Regex request guard
+    Regex regex = 2;
+
+    // Webhook request guard
+    Webhook webhook = 3;
   }
 
+  // Request settings for Prompt Guard
   message Response {
-      enum BuiltIn {
-        // Default REGEX for Social Security Numbers
-        SSN = 0;
-        // Default REGEX for Credit Card Numbers
-        CREDIT_CARD = 1;
-        // Default REGEX for Email Addresses
-        EMAIL = 2;
-        // Default REGEX for Phone Numbers
-        PHONE_NUMBER = 3;
-      }
-      // A list of Regex patterns to match against the response.
-      // All matches will be masked before being sent back to the client.
-      // matches and builtins are additive.
-      repeated string matches = 1;
-      // A list of built-in regexes to mask in the response.
-      // matches and builtins are additive.
-      repeated BuiltIn builtins = 2;
+    // Regex response guard
+    Regex regex = 1;
+
+    // Webhook response guard
+    Webhook webhook = 2;
   }
   // Guards for the prompt request
-  Request request = 2;
+  Request request = 1;
   // Guards for the LLM response
-  Response response = 3;
+  Response response = 2;
 }