Package io.envoyproxy.envoy.extensions.filters.network.reverse_tunnel.v3

Class Validation

java.lang.Object
com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessage
com.google.protobuf.GeneratedMessageV3
io.envoyproxy.envoy.extensions.filters.network.reverse_tunnel.v3.Validation
All Implemented Interfaces:
com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, ValidationOrBuilder, Serializable
public final class Validation extends com.google.protobuf.GeneratedMessageV3 implements ValidationOrBuilder
 Validation configuration for reverse tunnel identifiers.
 Validates the node ID and cluster ID extracted from reverse tunnel handshake headers
 against expected values specified using format strings.
Protobuf type envoy.extensions.filters.network.reverse_tunnel.v3.Validation
See Also:

  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static final class 
    Validation.Builder
    Validation configuration for reverse tunnel identifiers.

    Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageV3

    com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageT extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageT>,BuilderT extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageT,BuilderT>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageT extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageT>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageT extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageT>>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable, com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter

    Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite

    com.google.protobuf.AbstractMessageLite.InternalOneOfEnum

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final int
    CLUSTER_ID_FORMAT_FIELD_NUMBER
     
    static final int
    DYNAMIC_METADATA_NAMESPACE_FIELD_NUMBER
     
    static final int
    EMIT_DYNAMIC_METADATA_FIELD_NUMBER
     
    static final int
    NODE_ID_FORMAT_FIELD_NUMBER
     

    Fields inherited from class com.google.protobuf.GeneratedMessageV3

    alwaysUseFieldBuilders, unknownFields

    Fields inherited from class com.google.protobuf.AbstractMessage

    memoizedSize

    Fields inherited from class com.google.protobuf.AbstractMessageLite

    memoizedHashCode

  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    equals(Object obj)
     
    String
    getClusterIdFormat()
    Format string to extract the expected cluster identifier for validation.
    com.google.protobuf.ByteString
    getClusterIdFormatBytes()
    Format string to extract the expected cluster identifier for validation.
    static Validation
    getDefaultInstance()
     
    Validation
    getDefaultInstanceForType()
     
    static final com.google.protobuf.Descriptors.Descriptor
    getDescriptor()
     
    String
    getDynamicMetadataNamespace()
    Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
    com.google.protobuf.ByteString
    getDynamicMetadataNamespaceBytes()
    Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
    boolean
    getEmitDynamicMetadata()
    Whether to emit validation results as dynamic metadata.
    String
    getNodeIdFormat()
    Format string to extract the expected node identifier for validation.
    com.google.protobuf.ByteString
    getNodeIdFormatBytes()
    Format string to extract the expected node identifier for validation.
    com.google.protobuf.Parser<Validation>
    getParserForType()
     
    int
    getSerializedSize()
     
    int
    hashCode()
     
    protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable
    internalGetFieldAccessorTable()
     
    final boolean
    isInitialized()
     
    static Validation.Builder
    newBuilder()
     
    static Validation.Builder
    newBuilder(Validation prototype)
     
    Validation.Builder
    newBuilderForType()
     
    protected Validation.Builder
    newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
     
    protected Object
    newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
     
    static Validation
    parseDelimitedFrom(InputStream input)
     
    static Validation
    parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Validation
    parseFrom(byte[] data)
     
    static Validation
    parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Validation
    parseFrom(com.google.protobuf.ByteString data)
     
    static Validation
    parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Validation
    parseFrom(com.google.protobuf.CodedInputStream input)
     
    static Validation
    parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Validation
    parseFrom(InputStream input)
     
    static Validation
    parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static Validation
    parseFrom(ByteBuffer data)
     
    static Validation
    parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static com.google.protobuf.Parser<Validation>
    parser()
     
    Validation.Builder
    toBuilder()
     
    void
    writeTo(com.google.protobuf.CodedOutputStream output)
     

    Methods inherited from class com.google.protobuf.GeneratedMessageV3

    canUseUnsafe, computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyList, emptyLongList, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof, internalGetMapField, internalGetMapFieldReflection, isStringEmpty, makeExtensionsImmutable, makeMutableCopy, makeMutableCopy, mergeFromAndMakeImmutableInternal, mutableCopy, mutableCopy, mutableCopy, mutableCopy, mutableCopy, newBooleanList, newBuilderForType, newDoubleList, newFloatList, newIntList, newLongList, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag

    Methods inherited from class com.google.protobuf.AbstractMessage

    findInitializationErrors, getInitializationErrorString, hashBoolean, hashEnum, hashEnumList, hashFields, hashLong, toString

    Methods inherited from class com.google.protobuf.AbstractMessageLite

    addAll, addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait

    Methods inherited from interface com.google.protobuf.MessageLite

    toByteArray, toByteString, writeDelimitedTo, writeTo

    Methods inherited from interface com.google.protobuf.MessageOrBuilder

    findInitializationErrors, getAllFields, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

  • Field Details

    • NODE_ID_FORMAT_FIELD_NUMBER

      public static final int NODE_ID_FORMAT_FIELD_NUMBER
      See Also:

    • CLUSTER_ID_FORMAT_FIELD_NUMBER

      public static final int CLUSTER_ID_FORMAT_FIELD_NUMBER
      See Also:

    • EMIT_DYNAMIC_METADATA_FIELD_NUMBER

      public static final int EMIT_DYNAMIC_METADATA_FIELD_NUMBER
      See Also:

    • DYNAMIC_METADATA_NAMESPACE_FIELD_NUMBER

      public static final int DYNAMIC_METADATA_NAMESPACE_FIELD_NUMBER
      See Also:

  • Method Details

    • newInstance

      protected Object newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
      Overrides:
      newInstance in class com.google.protobuf.GeneratedMessageV3

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

    • getNodeIdFormat

      public String getNodeIdFormat()
       Format string to extract the expected node identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports Envoy's :ref:`command operators <config_access_log_command_operators>`:

 * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata.
 * ``%FILTER_STATE(key)%``: Extract expected value from filter state.
 * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address.
 * Plain strings: Use a static expected value.

 If empty, node ID validation is skipped.

 Example using dynamic metadata allowlist:

 .. code-block:: yaml

    node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"
      string node_id_format = 1 [(.validate.rules) = { ... }
      Specified by:
      getNodeIdFormat in interface ValidationOrBuilder
      Returns:
      The nodeIdFormat.

    • getNodeIdFormatBytes

      public com.google.protobuf.ByteString getNodeIdFormatBytes()
       Format string to extract the expected node identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports Envoy's :ref:`command operators <config_access_log_command_operators>`:

 * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata.
 * ``%FILTER_STATE(key)%``: Extract expected value from filter state.
 * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address.
 * Plain strings: Use a static expected value.

 If empty, node ID validation is skipped.

 Example using dynamic metadata allowlist:

 .. code-block:: yaml

    node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%"
      string node_id_format = 1 [(.validate.rules) = { ... }
      Specified by:
      getNodeIdFormatBytes in interface ValidationOrBuilder
      Returns:
      The bytes for nodeIdFormat.

    • getClusterIdFormat

      public String getClusterIdFormat()
       Format string to extract the expected cluster identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports the same :ref:`command operators <config_access_log_command_operators>` as
 ``node_id_format``.

 If empty, cluster ID validation is skipped.

 Example using filter state:

 .. code-block:: yaml

    cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"
      string cluster_id_format = 2 [(.validate.rules) = { ... }
      Specified by:
      getClusterIdFormat in interface ValidationOrBuilder
      Returns:
      The clusterIdFormat.

    • getClusterIdFormatBytes

      public com.google.protobuf.ByteString getClusterIdFormatBytes()
       Format string to extract the expected cluster identifier for validation.
 The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header
 from the incoming handshake request. If they do not match, the connection is rejected
 with HTTP ``403 Forbidden``.

 Supports the same :ref:`command operators <config_access_log_command_operators>` as
 ``node_id_format``.

 If empty, cluster ID validation is skipped.

 Example using filter state:

 .. code-block:: yaml

    cluster_id_format: "%FILTER_STATE(expected_cluster_id)%"
      string cluster_id_format = 2 [(.validate.rules) = { ... }
      Specified by:
      getClusterIdFormatBytes in interface ValidationOrBuilder
      Returns:
      The bytes for clusterIdFormat.

    • getEmitDynamicMetadata

      public boolean getEmitDynamicMetadata()
       Whether to emit validation results as dynamic metadata.
 When enabled, the filter emits metadata under the namespace specified by
 ``dynamic_metadata_namespace`` containing:

 * ``node_id``: The actual node ID from the handshake request.
 * ``cluster_id``: The actual cluster ID from the handshake request.
 * ``validation_result``: Either ``allowed`` or ``denied``.

 This metadata can be used by subsequent filters or for access logging.
 Defaults to ``false``.
      bool emit_dynamic_metadata = 3;
      Specified by:
      getEmitDynamicMetadata in interface ValidationOrBuilder
      Returns:
      The emitDynamicMetadata.

    • getDynamicMetadataNamespace

      public String getDynamicMetadataNamespace()
       Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
 If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
      string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }
      Specified by:
      getDynamicMetadataNamespace in interface ValidationOrBuilder
      Returns:
      The dynamicMetadataNamespace.

    • getDynamicMetadataNamespaceBytes

      public com.google.protobuf.ByteString getDynamicMetadataNamespaceBytes()
       Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``.
 If not specified, defaults to ``envoy.filters.network.reverse_tunnel``.
      string dynamic_metadata_namespace = 4 [(.validate.rules) = { ... }
      Specified by:
      getDynamicMetadataNamespaceBytes in interface ValidationOrBuilder
      Returns:
      The bytes for dynamicMetadataNamespace.

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3

    • writeTo

      public void writeTo(com.google.protobuf.CodedOutputStream output) throws IOException
      Specified by:
      writeTo in interface com.google.protobuf.MessageLite
      Overrides:
      writeTo in class com.google.protobuf.GeneratedMessageV3
      Throws:
      IOException

    • getSerializedSize

      public int getSerializedSize()
      Specified by:
      getSerializedSize in interface com.google.protobuf.MessageLite
      Overrides:
      getSerializedSize in class com.google.protobuf.GeneratedMessageV3

    • equals

      public boolean equals(Object obj)
      Specified by:
      equals in interface com.google.protobuf.Message
      Overrides:
      equals in class com.google.protobuf.AbstractMessage

    • hashCode

      public int hashCode()
      Specified by:
      hashCode in interface com.google.protobuf.Message
      Overrides:
      hashCode in class com.google.protobuf.AbstractMessage

    • parseFrom

      public static Validation parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static Validation parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static Validation parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static Validation parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static Validation parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static Validation parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static Validation parseFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static Validation parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static Validation parseDelimitedFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static Validation parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseFrom

      public static Validation parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static Validation parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • newBuilderForType

      public Validation.Builder newBuilderForType()
      Specified by:
      newBuilderForType in interface com.google.protobuf.Message
      Specified by:
      newBuilderForType in interface com.google.protobuf.MessageLite

    • newBuilder

      public static Validation.Builder newBuilder()

    • newBuilder

      public static Validation.Builder newBuilder(Validation prototype)

    • toBuilder

      public Validation.Builder toBuilder()
      Specified by:
      toBuilder in interface com.google.protobuf.Message
      Specified by:
      toBuilder in interface com.google.protobuf.MessageLite

    • newBuilderForType

      protected Validation.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
      Specified by:
      newBuilderForType in class com.google.protobuf.GeneratedMessageV3

    • getDefaultInstance

      public static Validation getDefaultInstance()

    • parser

      public static com.google.protobuf.Parser<Validation> parser()

    • getParserForType

      public com.google.protobuf.Parser<Validation> getParserForType()
      Specified by:
      getParserForType in interface com.google.protobuf.Message
      Specified by:
      getParserForType in interface com.google.protobuf.MessageLite
      Overrides:
      getParserForType in class com.google.protobuf.GeneratedMessageV3

    • getDefaultInstanceForType

      public Validation getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder