github.com/cilium/cilium@v1.16.2/pkg/maps/authmap/auth_map.go (about)

     1  // SPDX-License-Identifier: Apache-2.0
     2  // Copyright Authors of Cilium
     3  
     4  package authmap
     5  
     6  import (
     7  	"fmt"
     8  	"unsafe"
     9  
    10  	"golang.org/x/sys/unix"
    11  
    12  	"github.com/cilium/cilium/pkg/bpf"
    13  	"github.com/cilium/cilium/pkg/datapath/linux/utime"
    14  	"github.com/cilium/cilium/pkg/ebpf"
    15  )
    16  
    17  const (
    18  	MapName = "cilium_auth_map"
    19  )
    20  
    21  // Map provides access to the eBPF map auth.
    22  type Map interface {
    23  	// Lookup returns the auth map object associated with the provided
    24  	// (local identity, remote identity, remote host id, auth type) quadruple.
    25  	Lookup(key AuthKey) (AuthInfo, error)
    26  
    27  	// Update inserts or updates the auth map object associated with the provided
    28  	// (local identity, remote identity, remote host id, auth type) quadruple.
    29  	Update(key AuthKey, expiration utime.UTime) error
    30  
    31  	// Delete deletes the auth map object associated with the provided
    32  	// (local identity, remote identity, remote host id, auth type) quadruple.
    33  	Delete(key AuthKey) error
    34  
    35  	// IterateWithCallback iterates through all the keys/values of an auth map,
    36  	// passing each key/value pair to the cb callback.
    37  	IterateWithCallback(cb IterateCallback) error
    38  
    39  	// MaxEntries returns the maximum number of entries the auth map can hold.
    40  	MaxEntries() uint32
    41  }
    42  
    43  type authMap struct {
    44  	bpfMap *ebpf.Map
    45  }
    46  
    47  func newMap(maxEntries int) *authMap {
    48  	return &authMap{
    49  		bpfMap: ebpf.NewMap(&ebpf.MapSpec{
    50  			Name:       MapName,
    51  			Type:       ebpf.Hash,
    52  			KeySize:    uint32(unsafe.Sizeof(AuthKey{})),
    53  			ValueSize:  uint32(unsafe.Sizeof(AuthInfo{})),
    54  			MaxEntries: uint32(maxEntries),
    55  			Flags:      unix.BPF_F_NO_PREALLOC,
    56  			Pinning:    ebpf.PinByName,
    57  		}),
    58  	}
    59  }
    60  
    61  // LoadAuthMap loads the pre-initialized auth map for access.
    62  // This should only be used from components which aren't capable of using hive - mainly the Cilium CLI.
    63  // It needs to initialized beforehand via the Cilium Agent.
    64  func LoadAuthMap() (Map, error) {
    65  	bpfMap, err := ebpf.LoadRegisterMap(MapName)
    66  	if err != nil {
    67  		return nil, fmt.Errorf("failed to load bpf map: %w", err)
    68  	}
    69  
    70  	return &authMap{bpfMap: bpfMap}, nil
    71  }
    72  
    73  func (m *authMap) init() error {
    74  	if err := m.bpfMap.OpenOrCreate(); err != nil {
    75  		return fmt.Errorf("failed to init bpf map: %w", err)
    76  	}
    77  
    78  	return nil
    79  }
    80  
    81  func (m *authMap) close() error {
    82  	if err := m.bpfMap.Close(); err != nil {
    83  		return fmt.Errorf("failed to close bpf map: %w", err)
    84  	}
    85  
    86  	return nil
    87  }
    88  
    89  func (m *authMap) Update(key AuthKey, expiration utime.UTime) error {
    90  	val := AuthInfo{Expiration: expiration}
    91  	return m.bpfMap.Update(key, val, 0)
    92  }
    93  
    94  func (m *authMap) Delete(key AuthKey) error {
    95  	return m.bpfMap.Delete(key)
    96  }
    97  
    98  func (m *authMap) Lookup(key AuthKey) (AuthInfo, error) {
    99  	val := AuthInfo{}
   100  	err := m.bpfMap.Lookup(key, &val)
   101  	return val, err
   102  }
   103  
   104  // IterateCallback represents the signature of the callback function
   105  // expected by the IterateWithCallback method, which in turn is used to iterate
   106  // all the keys/values of an auth map.
   107  type IterateCallback func(*AuthKey, *AuthInfo)
   108  
   109  func (m *authMap) IterateWithCallback(cb IterateCallback) error {
   110  	return m.bpfMap.IterateWithCallback(&AuthKey{}, &AuthInfo{},
   111  		func(k, v interface{}) {
   112  			key := k.(*AuthKey)
   113  			value := v.(*AuthInfo)
   114  			cb(key, value)
   115  		},
   116  	)
   117  }
   118  
   119  func (m *authMap) MaxEntries() uint32 {
   120  	return m.bpfMap.MaxEntries()
   121  }
   122  
   123  // AuthKey implements the bpf.MapKey interface.
   124  //
   125  // Must be in sync with struct auth_key in <bpf/lib/common.h>
   126  type AuthKey struct {
   127  	LocalIdentity  uint32 `align:"local_sec_label"`
   128  	RemoteIdentity uint32 `align:"remote_sec_label"`
   129  	RemoteNodeID   uint16 `align:"remote_node_id"`
   130  	AuthType       uint8  `align:"auth_type"`
   131  	Pad            uint8  `align:"pad"`
   132  }
   133  
   134  func (r *AuthKey) String() string {
   135  	return fmt.Sprintf("localIdentity=%d, remoteIdentity=%d, remoteNodeID=%d, authType=%d", r.LocalIdentity, r.RemoteIdentity, r.RemoteNodeID, r.AuthType)
   136  }
   137  func (r *AuthKey) New() bpf.MapKey { return &AuthKey{} }
   138  
   139  // AuthInfo implements the bpf.MapValue interface.
   140  //
   141  // Must be in sync with struct auth_info in <bpf/lib/common.h>
   142  type AuthInfo struct {
   143  	Expiration utime.UTime `align:"expiration"`
   144  }
   145  
   146  func (r *AuthInfo) String() string {
   147  	return fmt.Sprintf("expiration=%q", r.Expiration)
   148  }