basic_auth: add allow_missing field and emit dynamic metadata on success#43911

Open
QuentinBisson wants to merge 1 commit into envoyproxy:main from QuentinBisson:basic-auth-allow-missing-and-metadata

Conversation


@QuentinBisson QuentinBisson commented Mar 11, 2026

Description

This PR adds two related features to the BasicAuth HTTP filter that enable OR-semantics
when combining it with other auth filters (e.g. JWT):

1. allow_missing field

When allow_missing: true is set, the filter passes through requests that have no Basic
credentials (missing Authorization header, or a non-Basic scheme such as Bearer).
Requests that do present Basic credentials are still fully validated — invalid credentials
are still rejected.

This mirrors the existing allow_missing / allow_missing_or_failed semantics in the
JWT authn filter.

2. Dynamic metadata on success

On successful authentication the filter now emits dynamic metadata under the
envoy.filters.http.basic_auth namespace with key username set to the authenticated
username. This allows downstream filters (e.g. RBAC) to detect that BasicAuth succeeded.

Motivation

Addresses the AND-semantics problem described in envoyproxy/gateway#8491: when a SecurityPolicy
configures both jwt and basicAuth, each filter independently rejects requests that
don't carry its expected credential type.

With these two changes, OR semantics can be assembled entirely from existing filters:

# JWT filter
allow_missing: true   # pass through if no Bearer token; set metadata on success

# BasicAuth filter
allow_missing: true   # pass through if no Basic creds; set metadata on success

# RBAC filter — enforce "at least one auth succeeded"
rules:
  action: ALLOW
  policies:
    require-any-auth:
      permissions: [any: true]
      principals:
      - or_ids:
          ids:
          - metadata:
              filter: envoy.filters.http.jwt_authn
              path: [{key: sub}]
              value: {present_match: true}
          - metadata:
              filter: envoy.filters.http.basic_auth
              path: [{key: username}]
              value: {present_match: true}

With this setup:

  • Request with valid Bearer → JWT validates, BasicAuth passes through → RBAC sees JWT metadata → allowed
  • Request with valid Basic → JWT passes through, BasicAuth validates → RBAC sees basic_auth metadata → allowed
  • Request with no credentials → both pass through, no metadata set → RBAC rejects → 401
  • Request with invalid credentials → the relevant filter rejects → 401

Changes

  • api/envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto: add bool allow_missing = 4
  • source/extensions/filters/http/basic_auth/basic_auth_filter.h: add allow_missing_ member, allowMissing() getter, setDynamicMetadata() method
  • source/extensions/filters/http/basic_auth/basic_auth_filter.cc: implement allow_missing pass-through and setDynamicMetadata() on success
  • source/extensions/filters/http/basic_auth/config.cc: wire proto_config.allow_missing() through to FilterConfig
  • test/extensions/filters/http/basic_auth/filter_test.cc: add tests for dynamic metadata emission and full AllowMissingFilterTest suite

Risk

Low. allow_missing defaults to false, preserving all existing behaviour. The dynamic
metadata emission on success is additive and has no effect on filters that don't consume it.
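As an added illustration (not code from this PR or from Envoy), the following Python model replays the three-filter chain described above with both auth filters in allow_missing mode; the credential stores, token values and the simplified metadata layout are constructed for the model.

```python
import base64
import binascii
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed credential stores (stand-ins for htpasswd users and JWT validation).
BASIC_USERS = {"alice": "s3cret"}
JWT_SUBJECTS = {"tok-bob": "bob"}  # opaque "valid token" -> sub claim

@dataclass
class Request:
    headers: Dict[str, str]
    metadata: Dict[str, Dict[str, str]] = field(default_factory=dict)  # filter namespace -> keys

def basic_header(user: str, pw: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def basic_auth_filter(req: Request, allow_missing: bool) -> bool:
    """True = continue the chain, False = reject. Models the PR's allow_missing semantics."""
    scheme, _, token = req.headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":  # absent header or non-Basic scheme such as Bearer
        return allow_missing
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return False
    # Unknown user (including an empty "Basic " token) and wrong password are both rejected,
    # even with allow_missing set: only *missing* credentials pass through.
    if user not in BASIC_USERS or not hmac.compare_digest(BASIC_USERS[user].encode(), pw.encode()):
        return False
    req.metadata.setdefault("envoy.filters.http.basic_auth", {})["username"] = user
    return True

def jwt_filter(req: Request, allow_missing: bool) -> bool:
    scheme, _, token = req.headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return allow_missing
    sub = JWT_SUBJECTS.get(token)
    if sub is None:
        return False
    req.metadata.setdefault("envoy.filters.http.jwt_authn", {})["sub"] = sub
    return True

def rbac_filter(req: Request) -> bool:
    """or_ids over the two metadata paths with present_match: at least one auth succeeded."""
    return ("sub" in req.metadata.get("envoy.filters.http.jwt_authn", {})
            or "username" in req.metadata.get("envoy.filters.http.basic_auth", {}))

def run_chain(headers: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Returns (allowed, name of the filter that rejected the request, if any)."""
    req = Request(headers)
    for name, f in (("jwt_authn", lambda r: jwt_filter(r, True)),
                    ("basic_auth", lambda r: basic_auth_filter(r, True)),
                    ("rbac", rbac_filter)):
        if not f(req):
            return False, name
    return True, None
```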

@repokitteh-read-only

Hi @QuentinBisson, welcome and thank you for your contribution.

We will try to review your Pull Request as quickly as possible.

In the meantime, please take a look at the contribution guidelines if you have not done so already.

🐱

Caused by: #43911 was opened by QuentinBisson.


@repokitteh-read-only

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #43911 was opened by QuentinBisson.


When allow_missing is true the filter passes through requests that carry
no Basic credentials (absent Authorization header, or a non-Basic scheme
such as Bearer). Requests that do present Basic credentials are still
fully validated and invalid credentials are still rejected.

On every successful authentication the filter now emits dynamic metadata
under the envoy.filters.http.basic_auth namespace with key 'username'.
This allows downstream RBAC filters to detect that BasicAuth succeeded,
which is the missing piece needed to implement OR semantics when combining
BasicAuth with other auth methods (e.g. JWT).

See envoyproxy/gateway#8491 for the motivating use case.

Signed-off-by: QuentinBisson <quentin@giantswarm.io>
@QuentinBisson QuentinBisson force-pushed the basic-auth-allow-missing-and-metadata branch from cd350cc to 6972cbc Compare March 11, 2026 15:21
headers.setCopy(Http::LowerCaseString(config_->forwardUsernameHeader()), username);
}

setDynamicMetadata(username);
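Review bot: setDynamicMetadata(username) at the end of this block runs on every successful authentication with no way to switch it off, while the other new behaviour (allow_missing) is opt-in via the proto; consider gating the emission on a config field in the same way, so deployments with no downstream consumer of the envoy.filters.http.basic_auth namespace do not pay for the metadata copy on every request.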
Contributor


My only problem with this PR is this line, which does a moderately expensive "copy and set metadata" regardless.

Author


Do you have any idea on how to improve on this?

@paul-r-gall paul-r-gall assigned wbpcode and unassigned mattklein123 Mar 16, 2026