syntax = "proto3";

package envoy.type.matcher.v3;

import "envoy/type/matcher/v3/value.proto";

import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.type.matcher.v3";
option java_outer_classname = "MetadataProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: Metadata matcher]

// MetadataMatcher provides a general interface to check if a given value is matched in
// :ref:`Metadata <envoy_v3_api_msg_config.core.v3.Metadata>`. It uses `filter` and `path` to retrieve the value
// from the Metadata and then check if it's matched to the specified value.
//
// For example, for the following Metadata:
//
// .. code-block:: yaml
//
//    filter_metadata:
//      envoy.filters.http.rbac:
//        fields:
//          a:
//            struct_value:
//              fields:
//                b:
//                  struct_value:
//                    fields:
//                      c:
//                        string_value: pro
//                t:
//                  list_value:
//                    values:
//                      - string_value: m
//                      - string_value: n
//
// The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value "pro"
// from the Metadata which is matched to the specified prefix match.
//
// .. code-block:: yaml
//
//    filter: envoy.filters.http.rbac
//    path:
//    - key: a
//    - key: b
//    - key: c
//    value:
//      string_match:
//        prefix: pr
//
// The following MetadataMatcher is matched as the code will match one of the string values in the
// list at the path [a, t].
//
// .. code-block:: yaml
//
//    filter: envoy.filters.http.rbac
//    path:
//    - key: a
//    - key: t
//    value:
//      list_match:
//        one_of:
//          string_match:
//            exact: m
//
// An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to
// enforce access control based on dynamic metadata in a request. See :ref:`Permission
// <envoy_v3_api_msg_config.rbac.v3.Permission>` and :ref:`Principal
// <envoy_v3_api_msg_config.rbac.v3.Principal>`.

// [#next-major-version: MetadataMatcher should use StructMatcher]
message MetadataMatcher {
  option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.MetadataMatcher";

  // Specifies the segment in a path to retrieve value from Metadata.
  // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that
  // if the segment key refers to a list, it has to be the last segment in a path.
  message PathSegment {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.type.matcher.MetadataMatcher.PathSegment";

    oneof segment {
      option (validate.required) = true;

      // If specified, use the key to retrieve the value in a Struct.
      string key = 1 [(validate.rules).string = {min_len: 1}];
    }
  }

  // The filter name to retrieve the Struct from the Metadata.
  string filter = 1 [(validate.rules).string = {min_len: 1}];

  // The path to retrieve the Value from the Struct.
  repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];

  // The MetadataMatcher is matched if the value retrieved by path is matched to this value.
  ValueMatcher value = 3 [(validate.rules).message = {required: true}];

  // If true, the match result will be inverted.
  bool invert = 4;
}