// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

syntax = "proto3";

package hashicorp.consul.mesh.v2beta1.pbproxystate;

message TrafficPermissions {
  repeated Permission allow_permissions = 1;
  repeated Permission deny_permissions = 2;
  // default_allow determines if the workload is in default allow mode. This is determined
  // by combining the cluster's default allow setting with the is_default property on
  // computed traffic permissions.
  bool default_allow = 4;
}

message Permission {
  repeated Principal principals = 1;

  // In the case of multiple ports, the sidecar proxy controller is responsible for filtering
  // per-port permissions.
  repeated DestinationRule destination_rules = 2;
}

message Principal {
  Spiffe spiffe = 1;
  repeated Spiffe exclude_spiffes = 2;
}

message Spiffe {
  // regex is the regular expression for matching spiffe ids.
  string regex = 1;

  // xfcc_regex specifies that Envoy needs to find the spiffe id in an xfcc header.
  // It is currently unused, but considering this is important for to avoid breaking changes.
  string xfcc_regex = 2;
}

message DestinationRule {
  string path_exact = 1;
  string path_prefix = 2;
  string path_regex = 3;
  repeated string methods = 4;
  repeated DestinationRuleHeader destination_rule_header = 5;
  repeated ExcludePermissionRule exclude = 6;
}

message DestinationRuleHeader {
  string name = 1;
  bool present = 2;
  string exact = 3;
  string prefix = 4;
  string suffix = 5;
  string regex = 6;
  bool invert = 7;
}

message ExcludePermissionRule {
  string path_exact = 1;
  string path_prefix = 2;
  string path_regex = 3;
  repeated string methods = 4;
  repeated DestinationRuleHeader headers = 5;
}