package
1.20240719.1
Repository: https://github.com/blend/go-sdk.git
Documentation: pkg.go.dev

# Functions

ClientIdentityAware produces a middleware function nearly identical to `ClientIdentityRequired`.
ClientIdentityRequired produces a middleware function that determines the client identity used in a connection secured with mTLS.
ExtractAndVerifyClientIdentity enables extracting client identity from a request.
GetClientIdentity returns the client identity of the calling service or `""` if the client identity is unset.
IsExtractionError is a helper to check if an error is an `*XFCCExtractionError`.
IsFatalError is a helper to check if an error is an `*XFCCFatalError`.
IsValidationError is a helper to check if an error is an `*XFCCValidationError`.
MaybeWaitForAdmin will check if Envoy is running if the `WAIT_FOR_ENVOY` environment variable is set.
OptAllowedIdentities adds allowed identities to the processor.
OptAllowedTrustDomains adds allowed trust domains to the processor.
OptDeniedIdentities adds denied identities to the processor.
OptDeniedTrustDomains adds denied trust domains to the processor.
OptFormatIdentity sets the `FormatIdentity` on the processor.
OptIdentityType sets the identity type for the processor.
ParseXFCC parses the XFCC header.
SPIFFEClientIdentityProvider produces a function satisfying `IdentityProvider`.
SPIFFEServerIdentityProvider produces a verifier function satisfying `VerifyXFCC`.
WithClientIdentity adds the client identity to a context.

# Constants

ClientIdentity represents client identity.
DefaultAdminPort is the default port used for the Envoy Admin API.
EnumStateLive is an `envoy.admin.v3.ServerInfo.State` value indicating the Envoy server is LIVE.
EnvVarAdminPort is an environment variable which provides an override for the Envoy Admin API port.
EnvVarWaitFlag is an environment variable which specifies whether a wait function should wait for the Envoy Admin API to be ready.
ErrDeniedClientIdentity is the error returned when a parsed client identity is in a deny list or not in an allow list.
ErrDeniedServerIdentity is the error returned when a parsed client identity is in a deny list or not in an allow list.
ErrInvalidClientIdentity is the error returned when XFCC has a missing / invalid client identity.
ErrInvalidServerIdentity is the error returned when XFCC has a missing / invalid client identity.
ErrInvalidXFCC is the error returned when XFCC is invalid.
ErrMissingExtractFunction is the message used when the "extract client identity" function is `nil` or not provided.
ErrMissingXFCC is the error returned when XFCC is missing.
ErrVerifierNil is the message prefix used when a provided verifier is `nil`.
ErrXFCCParsing is the class of error returned when parsing XFCC fails.
HeaderXFCC is the header key for forwarded client cert.
ServerIdentity represents server identity.

# Variables

ErrFailedAttempt is an error class returned when Envoy fails to be ready on a single attempt.
ErrTimedOut is an error class returned when Envoy fails to be ready after exhausting all attempts.

# Structs

IdentityProcessor provides configurable fields that can be used to help validate a parsed SPIFFE URI and produce and validate an identity from a parsed SPIFFE URI.
WaitForAdmin encapsulates the settings needed to wait until the Envoy Admin API is ready.
XFCCElement is an element in an XFCC header (see `XFCC`).
XFCCExtractionError contains metadata about an XFCC header that could not be parsed or extracted.
XFCCFatalError contains metadata about an unrecoverable failure when parsing an XFCC header.
XFCCValidationError contains metadata about an XFCC header that could not be parsed or extracted.

# Interfaces

HTTPGetClient captures a small part of the `http.Client` interface needed to execute a GET request.

# Type aliases

IdentityFormatter describes functions that will produce an identity string from a parsed SPIFFE URI.
IdentityProcessorOption mutates an identity processor.
IdentityProvider is a function to extract the client or server identity from a parsed XFCC header.
IdentityType represents the type of identity that will be extracted by an `IdentityProcessor`.
VerifyXFCC is an "extra" verifier for an XFCC, for example if the server identity (from the `By` field in an XFCC element) should be verified in addition to the client identity.
XFCC represents a proxy header containing certificate information for the client that is sending the request to the proxy.