Merge remote-tracking branch 'origin/feat/core.124-add.envoy.filter' into feat/integrate.workflow.changes

api/api.swagger.json

@@ -28,7 +28,7 @@
           "200": {
             "description": "A successful response.",
             "schema": {
-              "properties": {}
+              "$ref": "#/definitions/IsValidTokenResponse"
             }
           }
         },
@@ -1870,6 +1870,14 @@
         }
       }
     },
+    "IsValidTokenResponse": {
+      "type": "object",
+      "properties": {
+        "domain": {
+          "type": "string"
+        }
+      }
+    },
     "KeyValue": {
       "type": "object",
       "properties": {

api/auth.pb.go

@@ -104,30 +104,143 @@ func (m *IsValidTokenRequest) GetToken() *TokenWrapper {
 	return nil
 }
 
+type IsValidTokenResponse struct {
+	Domain               string   `protobuf:"bytes,2,opt,name=domain,proto3" json:"domain,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *IsValidTokenResponse) Reset()         { *m = IsValidTokenResponse{} }
+func (m *IsValidTokenResponse) String() string { return proto.CompactTextString(m) }
+func (*IsValidTokenResponse) ProtoMessage()    {}
+func (*IsValidTokenResponse) Descriptor() ([]byte, []int) {
+	return fileDescriptor_8bbd6f3875b0e874, []int{2}
+}
+
+func (m *IsValidTokenResponse) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_IsValidTokenResponse.Unmarshal(m, b)
+}
+func (m *IsValidTokenResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_IsValidTokenResponse.Marshal(b, m, deterministic)
+}
+func (m *IsValidTokenResponse) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_IsValidTokenResponse.Merge(m, src)
+}
+func (m *IsValidTokenResponse) XXX_Size() int {
+	return xxx_messageInfo_IsValidTokenResponse.Size(m)
+}
+func (m *IsValidTokenResponse) XXX_DiscardUnknown() {
+	xxx_messageInfo_IsValidTokenResponse.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_IsValidTokenResponse proto.InternalMessageInfo
+
+func (m *IsValidTokenResponse) GetDomain() string {
+	if m != nil {
+		return m.Domain
+	}
+	return ""
+}
+
+type IsWorkspaceAuthenticatedRequest struct {
+	FQDN                 string   `protobuf:"bytes,1,opt,name=FQDN,proto3" json:"FQDN,omitempty"`
+	XOriginalMethod      string   `protobuf:"bytes,2,opt,name=XOriginalMethod,proto3" json:"XOriginalMethod,omitempty"`
+	XOriginalAuthority   string   `protobuf:"bytes,3,opt,name=XOriginalAuthority,proto3" json:"XOriginalAuthority,omitempty"`
+	XOriginalUri         string   `protobuf:"bytes,4,opt,name=XOriginalUri,proto3" json:"XOriginalUri,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *IsWorkspaceAuthenticatedRequest) Reset()         { *m = IsWorkspaceAuthenticatedRequest{} }
+func (m *IsWorkspaceAuthenticatedRequest) String() string { return proto.CompactTextString(m) }
+func (*IsWorkspaceAuthenticatedRequest) ProtoMessage()    {}
+func (*IsWorkspaceAuthenticatedRequest) Descriptor() ([]byte, []int) {
+	return fileDescriptor_8bbd6f3875b0e874, []int{3}
+}
+
+func (m *IsWorkspaceAuthenticatedRequest) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_IsWorkspaceAuthenticatedRequest.Unmarshal(m, b)
+}
+func (m *IsWorkspaceAuthenticatedRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_IsWorkspaceAuthenticatedRequest.Marshal(b, m, deterministic)
+}
+func (m *IsWorkspaceAuthenticatedRequest) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_IsWorkspaceAuthenticatedRequest.Merge(m, src)
+}
+func (m *IsWorkspaceAuthenticatedRequest) XXX_Size() int {
+	return xxx_messageInfo_IsWorkspaceAuthenticatedRequest.Size(m)
+}
+func (m *IsWorkspaceAuthenticatedRequest) XXX_DiscardUnknown() {
+	xxx_messageInfo_IsWorkspaceAuthenticatedRequest.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_IsWorkspaceAuthenticatedRequest proto.InternalMessageInfo
+
+func (m *IsWorkspaceAuthenticatedRequest) GetFQDN() string {
+	if m != nil {
+		return m.FQDN
+	}
+	return ""
+}
+
+func (m *IsWorkspaceAuthenticatedRequest) GetXOriginalMethod() string {
+	if m != nil {
+		return m.XOriginalMethod
+	}
+	return ""
+}
+
+func (m *IsWorkspaceAuthenticatedRequest) GetXOriginalAuthority() string {
+	if m != nil {
+		return m.XOriginalAuthority
+	}
+	return ""
+}
+
+func (m *IsWorkspaceAuthenticatedRequest) GetXOriginalUri() string {
+	if m != nil {
+		return m.XOriginalUri
+	}
+	return ""
+}
+
 func init() {
 	proto.RegisterType((*TokenWrapper)(nil), "api.TokenWrapper")
 	proto.RegisterType((*IsValidTokenRequest)(nil), "api.IsValidTokenRequest")
+	proto.RegisterType((*IsValidTokenResponse)(nil), "api.IsValidTokenResponse")
+	proto.RegisterType((*IsWorkspaceAuthenticatedRequest)(nil), "api.IsWorkspaceAuthenticatedRequest")
 }
 
 func init() { proto.RegisterFile("auth.proto", fileDescriptor_8bbd6f3875b0e874) }
 
 var fileDescriptor_8bbd6f3875b0e874 = []byte{
-	// 228 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4a, 0x2c, 0x2d, 0xc9,
-	0xd0, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x4e, 0x2c, 0xc8, 0x94, 0x92, 0x49, 0xcf, 0xcf,
-	0x4f, 0xcf, 0x49, 0xd5, 0x4f, 0x2c, 0xc8, 0xd4, 0x4f, 0xcc, 0xcb, 0xcb, 0x2f, 0x49, 0x2c, 0xc9,
-	0xcc, 0xcf, 0x2b, 0x86, 0x28, 0x91, 0x92, 0x86, 0xca, 0x82, 0x79, 0x49, 0xa5, 0x69, 0xfa, 0xa9,
-	0xb9, 0x05, 0x25, 0x95, 0x10, 0x49, 0x25, 0x15, 0x2e, 0x9e, 0x90, 0xfc, 0xec, 0xd4, 0xbc, 0xf0,
-	0xa2, 0xc4, 0x82, 0x82, 0xd4, 0x22, 0x21, 0x11, 0x2e, 0xd6, 0x12, 0x10, 0x5f, 0x82, 0x51, 0x81,
-	0x51, 0x83, 0x33, 0x08, 0xc2, 0x51, 0xb2, 0xe3, 0x12, 0xf6, 0x2c, 0x0e, 0x4b, 0xcc, 0xc9, 0x4c,
-	0x01, 0x2b, 0x0e, 0x4a, 0x2d, 0x2c, 0x4d, 0x2d, 0x2e, 0x11, 0x52, 0x47, 0x56, 0xcc, 0x6d, 0x24,
-	0xa8, 0x97, 0x58, 0x90, 0xa9, 0x87, 0x6c, 0x1c, 0x54, 0xbf, 0x51, 0x05, 0x17, 0xb7, 0x63, 0x69,
-	0x49, 0x46, 0x70, 0x6a, 0x51, 0x59, 0x66, 0x72, 0xaa, 0x50, 0x26, 0x17, 0x0f, 0xb2, 0x71, 0x42,
-	0x12, 0x60, 0x8d, 0x58, 0x6c, 0x90, 0x12, 0xd3, 0x83, 0x38, 0x5e, 0x0f, 0xe6, 0x78, 0x3d, 0x57,
-	0x90, 0xe3, 0x95, 0xd4, 0x9b, 0x2e, 0x3f, 0x99, 0xcc, 0xa4, 0xa8, 0x24, 0x01, 0xf2, 0x73, 0xb1,
-	0x7e, 0x99, 0x61, 0x52, 0x6a, 0x49, 0xa2, 0xa1, 0x3e, 0x28, 0x60, 0xf4, 0xc1, 0x56, 0x5a, 0x41,
-	0x6c, 0x4e, 0x62, 0x03, 0x6b, 0x34, 0x06, 0x04, 0x00, 0x00, 0xff, 0xff, 0x8e, 0xdc, 0xc7, 0x76,
-	0x34, 0x01, 0x00, 0x00,
+	// 381 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x52, 0xcd, 0x6e, 0x1a, 0x31,
+	0x10, 0xd6, 0x02, 0x45, 0xea, 0x80, 0x54, 0xd5, 0x45, 0x68, 0xbb, 0xad, 0x54, 0x6a, 0x21, 0xc1,
+	0xc9, 0x2b, 0xe8, 0xad, 0x87, 0x4a, 0x54, 0x50, 0x95, 0x43, 0x1b, 0x85, 0xfc, 0x90, 0xab, 0x61,
+	0x1d, 0xb0, 0x58, 0x6c, 0xc7, 0xf6, 0x22, 0x71, 0x8b, 0x78, 0x85, 0x3c, 0x4a, 0x1e, 0x25, 0xaf,
+	0x90, 0x07, 0x89, 0xd6, 0xbb, 0x20, 0x88, 0x20, 0xb7, 0x9d, 0xf9, 0xbe, 0x6f, 0x66, 0xf6, 0xf3,
+	0x07, 0x40, 0x13, 0x3b, 0x27, 0x4a, 0x4b, 0x2b, 0x51, 0x91, 0x2a, 0x1e, 0x7c, 0x9d, 0x49, 0x39,
+	0x8b, 0x59, 0x48, 0x15, 0x0f, 0xa9, 0x10, 0xd2, 0x52, 0xcb, 0xa5, 0x30, 0x19, 0x25, 0xf8, 0x92,
+	0xa3, 0xae, 0x9a, 0x24, 0xb7, 0x21, 0x5b, 0x2a, 0xbb, 0xce, 0x40, 0xdc, 0x84, 0xea, 0xa5, 0x5c,
+	0x30, 0x31, 0xd6, 0x54, 0x29, 0xa6, 0x51, 0x0d, 0xde, 0xd9, 0xb4, 0xf6, 0xbd, 0x86, 0xd7, 0x7e,
+	0x3f, 0xca, 0x0a, 0xfc, 0x0b, 0x3e, 0x0d, 0xcd, 0x35, 0x8d, 0x79, 0xe4, 0xc8, 0x23, 0x76, 0x97,
+	0x30, 0x63, 0x51, 0x6b, 0x9f, 0x5c, 0xe9, 0x7e, 0x24, 0x54, 0x71, 0xb2, 0x3f, 0x6e, 0xab, 0x27,
+	0x50, 0x3b, 0xd4, 0x1b, 0x25, 0x85, 0x61, 0xa8, 0x0e, 0xe5, 0x48, 0x2e, 0x29, 0x17, 0x7e, 0xc1,
+	0xad, 0xcb, 0x2b, 0xfc, 0xe8, 0xc1, 0xb7, 0xa1, 0x19, 0x4b, 0xbd, 0x30, 0x8a, 0x4e, 0x59, 0x2f,
+	0xb1, 0x73, 0x26, 0x2c, 0x9f, 0x52, 0xcb, 0xa2, 0xed, 0x72, 0x04, 0xa5, 0x3f, 0xe7, 0xfd, 0xff,
+	0xf9, 0xa1, 0xee, 0x1b, 0xb5, 0xe1, 0xc3, 0xcd, 0x99, 0xe6, 0x33, 0x2e, 0x68, 0xfc, 0x8f, 0xd9,
+	0xb9, 0x8c, 0xf2, 0xc1, 0xaf, 0xdb, 0x88, 0x00, 0xda, 0xb5, 0xd2, 0xf1, 0x52, 0x73, 0xbb, 0xf6,
+	0x8b, 0x8e, 0x7c, 0x04, 0x41, 0x18, 0xaa, 0xbb, 0xee, 0x95, 0xe6, 0x7e, 0xc9, 0x31, 0x0f, 0x7a,
+	0xdd, 0xfb, 0x02, 0x54, 0x52, 0xc5, 0x05, 0xd3, 0x2b, 0x3e, 0x65, 0x28, 0x86, 0xea, 0xfe, 0x5f,
+	0x23, 0xdf, 0xf9, 0x73, 0xc4, 0xc8, 0xe0, 0xf3, 0x11, 0x24, 0xb3, 0x08, 0xb7, 0x36, 0x4f, 0xcf,
+	0x0f, 0x85, 0xef, 0xd8, 0x4f, 0x5f, 0xd7, 0x84, 0xab, 0xce, 0x84, 0x59, 0xda, 0x09, 0xd3, 0x08,
+	0x84, 0xce, 0xdc, 0x9f, 0x99, 0xc7, 0x68, 0xe3, 0x81, 0x7f, 0xca, 0x33, 0xd4, 0xcc, 0x17, 0xbc,
+	0x69, 0x69, 0x50, 0x27, 0x59, 0x54, 0xc8, 0x36, 0x2a, 0x64, 0x90, 0x46, 0x05, 0xb7, 0xdd, 0x0d,
+	0xf8, 0x77, 0x03, 0x4a, 0x7f, 0x07, 0xbd, 0x3e, 0x3a, 0x79, 0xcb, 0xa4, 0xec, 0x94, 0x3f, 0x5e,
+	0x02, 0x00, 0x00, 0xff, 0xff, 0xa1, 0xec, 0x3b, 0x98, 0xa3, 0x02, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -142,7 +255,8 @@ const _ = grpc.SupportPackageIsVersion4
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
 type AuthServiceClient interface {
-	IsValidToken(ctx context.Context, in *IsValidTokenRequest, opts ...grpc.CallOption) (*empty.Empty, error)
+	IsValidToken(ctx context.Context, in *IsValidTokenRequest, opts ...grpc.CallOption) (*IsValidTokenResponse, error)
+	IsWorkspaceAuthenticated(ctx context.Context, in *IsWorkspaceAuthenticatedRequest, opts ...grpc.CallOption) (*empty.Empty, error)
 }
 
 type authServiceClient struct {
@@ -153,8 +267,8 @@ func NewAuthServiceClient(cc *grpc.ClientConn) AuthServiceClient {
 	return &authServiceClient{cc}
 }
 
-func (c *authServiceClient) IsValidToken(ctx context.Context, in *IsValidTokenRequest, opts ...grpc.CallOption) (*empty.Empty, error) {
-	out := new(empty.Empty)
+func (c *authServiceClient) IsValidToken(ctx context.Context, in *IsValidTokenRequest, opts ...grpc.CallOption) (*IsValidTokenResponse, error) {
+	out := new(IsValidTokenResponse)
 	err := c.cc.Invoke(ctx, "/api.AuthService/IsValidToken", in, out, opts...)
 	if err != nil {
 		return nil, err
@@ -162,18 +276,31 @@ func (c *authServiceClient) IsValidToken(ctx context.Context, in *IsValidTokenRe
 	return out, nil
 }
 
+func (c *authServiceClient) IsWorkspaceAuthenticated(ctx context.Context, in *IsWorkspaceAuthenticatedRequest, opts ...grpc.CallOption) (*empty.Empty, error) {
+	out := new(empty.Empty)
+	err := c.cc.Invoke(ctx, "/api.AuthService/IsWorkspaceAuthenticated", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // AuthServiceServer is the server API for AuthService service.
 type AuthServiceServer interface {
-	IsValidToken(context.Context, *IsValidTokenRequest) (*empty.Empty, error)
+	IsValidToken(context.Context, *IsValidTokenRequest) (*IsValidTokenResponse, error)
+	IsWorkspaceAuthenticated(context.Context, *IsWorkspaceAuthenticatedRequest) (*empty.Empty, error)
 }
 
 // UnimplementedAuthServiceServer can be embedded to have forward compatible implementations.
 type UnimplementedAuthServiceServer struct {
 }
 
-func (*UnimplementedAuthServiceServer) IsValidToken(ctx context.Context, req *IsValidTokenRequest) (*empty.Empty, error) {
+func (*UnimplementedAuthServiceServer) IsValidToken(ctx context.Context, req *IsValidTokenRequest) (*IsValidTokenResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method IsValidToken not implemented")
 }
+func (*UnimplementedAuthServiceServer) IsWorkspaceAuthenticated(ctx context.Context, req *IsWorkspaceAuthenticatedRequest) (*empty.Empty, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method IsWorkspaceAuthenticated not implemented")
+}
 
 func RegisterAuthServiceServer(s *grpc.Server, srv AuthServiceServer) {
 	s.RegisterService(&_AuthService_serviceDesc, srv)
@@ -197,6 +324,24 @@ func _AuthService_IsValidToken_Handler(srv interface{}, ctx context.Context, dec
 	return interceptor(ctx, in, info, handler)
 }
 
+func _AuthService_IsWorkspaceAuthenticated_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(IsWorkspaceAuthenticatedRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(AuthServiceServer).IsWorkspaceAuthenticated(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/api.AuthService/IsWorkspaceAuthenticated",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(AuthServiceServer).IsWorkspaceAuthenticated(ctx, req.(*IsWorkspaceAuthenticatedRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 var _AuthService_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "api.AuthService",
 	HandlerType: (*AuthServiceServer)(nil),
@@ -205,6 +350,10 @@ var _AuthService_serviceDesc = grpc.ServiceDesc{
 			MethodName: "IsValidToken",
 			Handler:    _AuthService_IsValidToken_Handler,
 		},
+		{
+			MethodName: "IsWorkspaceAuthenticated",
+			Handler:    _AuthService_IsWorkspaceAuthenticated_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "auth.proto",

api/auth.pb.gw.go

@@ -65,6 +65,39 @@ func local_request_AuthService_IsValidToken_0(ctx context.Context, marshaler run
 
 }
 
+var (
+	filter_AuthService_IsWorkspaceAuthenticated_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
+
+func request_AuthService_IsWorkspaceAuthenticated_0(ctx context.Context, marshaler runtime.Marshaler, client AuthServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq IsWorkspaceAuthenticatedRequest
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_AuthService_IsWorkspaceAuthenticated_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.IsWorkspaceAuthenticated(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_AuthService_IsWorkspaceAuthenticated_0(ctx context.Context, marshaler runtime.Marshaler, server AuthServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq IsWorkspaceAuthenticatedRequest
+	var metadata runtime.ServerMetadata
+
+	if err := runtime.PopulateQueryParameters(&protoReq, req.URL.Query(), filter_AuthService_IsWorkspaceAuthenticated_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.IsWorkspaceAuthenticated(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 // RegisterAuthServiceHandlerServer registers the http handlers for service AuthService to "mux".
 // UnaryRPC     :call AuthServiceServer directly.
 // StreamingRPC :currently unsupported pending https://github.com/grpc/grpc-go/issues/906.
@@ -90,6 +123,26 @@ func RegisterAuthServiceHandlerServer(ctx context.Context, mux *runtime.ServeMux
 
 	})
 
+	mux.Handle("HEAD", pattern_AuthService_IsWorkspaceAuthenticated_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_AuthService_IsWorkspaceAuthenticated_0(rctx, inboundMarshaler, server, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_IsWorkspaceAuthenticated_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }
 
@@ -151,13 +204,37 @@ func RegisterAuthServiceHandlerClient(ctx context.Context, mux *runtime.ServeMux
 
 	})
 
+	mux.Handle("HEAD", pattern_AuthService_IsWorkspaceAuthenticated_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_AuthService_IsWorkspaceAuthenticated_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_AuthService_IsWorkspaceAuthenticated_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }
 
 var (
 	pattern_AuthService_IsValidToken_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"apis", "v1beta1", "auth", "token"}, "", runtime.AssumeColonVerbOpt(true)))
+
+	pattern_AuthService_IsWorkspaceAuthenticated_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"apis", "v1beta1", "auth", "token"}, "", runtime.AssumeColonVerbOpt(true)))
 )
 
 var (
 	forward_AuthService_IsValidToken_0 = runtime.ForwardResponseMessage
+
+	forward_AuthService_IsWorkspaceAuthenticated_0 = runtime.ForwardResponseMessage
 )

api/auth.proto

@@ -6,12 +6,21 @@ import "google/api/annotations.proto";
 import "google/protobuf/empty.proto";
 
 service AuthService {
-    rpc IsValidToken(IsValidTokenRequest) returns (google.protobuf.Empty) {
+    rpc IsValidToken(IsValidTokenRequest) returns (IsValidTokenResponse) {
         option (google.api.http) = {
             post: "/apis/v1beta1/auth/token"
             body: "token"
         };
     }
+
+    rpc IsWorkspaceAuthenticated(IsWorkspaceAuthenticatedRequest) returns (google.protobuf.Empty) {
+        option (google.api.http) = {
+            custom: {
+                kind: "HEAD"
+                path: "/apis/v1beta1/auth/token"
+            }
+        };
+    }
 }
 
 message TokenWrapper {
@@ -21,3 +30,14 @@ message TokenWrapper {
 message IsValidTokenRequest {
     TokenWrapper token = 1;
 }
+
+message IsValidTokenResponse {
+    string domain = 2;
+}
+
+message IsWorkspaceAuthenticatedRequest {
+    string FQDN = 1;
+    string XOriginalMethod = 2;
+    string XOriginalAuthority = 3;
+    string XOriginalUri = 4;
+}

server/auth/auth.go

@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"errors"
+	"fmt"
 	"github.com/onepanelio/core/api"
 	"net/http"
 	"strings"
@@ -104,6 +105,28 @@ func UnaryInterceptor(kubeConfig *v1.Config, db *v1.DB) grpc.UnaryServerIntercep
 			return handler(ctx, req)
 		}
 
+		// if you don't need the token,
+		if info.FullMethod == "/api.AuthService/IsWorkspaceAuthenticated" {
+			md, ok := metadata.FromIncomingContext(ctx)
+			fmt.Printf("%+v\n", md) //todo remove
+			if !ok {
+				ctx = nil
+				return handler(ctx, req)
+			}
+			xOriginalAuthority := md.Get("x-original-authority")[0]
+			fqdn := md.Get("fqdn")[0]
+			//expected format: https://nginx-0--default.test-0.onepanel.site/
+			if xOriginalAuthority != fqdn { //Ignore fully qualified domain uris
+				ctx, err = getClient(ctx, kubeConfig, db)
+				if err != nil {
+					return
+				}
+
+				return handler(ctx, req)
+			}
+		}
+
+		// This guy checks for the token
 		ctx, err = getClient(ctx, kubeConfig, db)
 		if err != nil {
 			return

server/auth_server.go

@@ -8,7 +8,9 @@ import (
 	"github.com/onepanelio/core/server/auth"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
+	"strings"
 )
 
 type AuthServer struct{}
@@ -16,8 +18,32 @@ type AuthServer struct{}
 func NewAuthServer() *AuthServer {
 	return &AuthServer{}
 }
+func (a *AuthServer) IsWorkspaceAuthenticated(ctx context.Context, request *api.IsWorkspaceAuthenticatedRequest) (*empty.Empty, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return &empty.Empty{}, errors.New("Error parsing headers.")
+	}
+	//Expected format: x-original-authority:[name--default.alexcluster.onepanel.io]
+	xOriginalAuth := md.Get("x-original-authority")[0]
+	fqdn := md.Get("fqdn")[0]
+	if xOriginalAuth == fqdn {
+		return &empty.Empty{}, nil
+	}
+	pos := strings.Index(xOriginalAuth, ".")
+	if pos == -1 {
+		return &empty.Empty{}, errors.New("Error parsing x-original-authority. No '.' character.")
+	}
+	workspaceAndNamespace := xOriginalAuth[0:pos]
+	pieces := strings.Split(workspaceAndNamespace, "--")
+	client := ctx.Value("kubeClient").(*v1.Client)
+	allowed, err := auth.IsAuthorized(client, pieces[1], "create", "apps/v1", "statefulsets", pieces[0])
+	if err != nil || !allowed {
+		return &empty.Empty{}, err
+	}
+	return &empty.Empty{}, nil
+}
 
-func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequest) (*empty.Empty, error) {
+func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequest) (res *api.IsValidTokenResponse, err error) {
 	if ctx == nil {
 		return nil, status.Error(codes.Unauthenticated, "Unauthenticated.")
 	}
@@ -45,5 +71,12 @@ func (a *AuthServer) IsValidToken(ctx context.Context, req *api.IsValidTokenRequ
 		return nil, status.Error(codes.Unauthenticated, "Unauthenticated.")
 	}
 
-	return &empty.Empty{}, nil
+	config, err := client.GetSystemConfig()
+	if err != nil {
+		return
+	}
+	res = &api.IsValidTokenResponse{}
+	res.Domain = config["ONEPANEL_DOMAIN"]
+
+	return res, nil
 }