
     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
// Package authz provides support for checking the authentication and authorization policy applied
// in the mesh. It aims to increase the debuggability and observability of auth policies.
// Note: this is still under active development and is not ready for real use.
    18  package authz
    19  
import (
	"errors"
	"fmt"
	"io"

	envoy_admin "github.com/envoyproxy/go-control-plane/envoy/admin/v3"
	listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"

	"istio.io/istio/istioctl/pkg/util/configdump"
	v3 "istio.io/istio/pilot/pkg/xds/v3"
)
    30  
// Analyzer checks the authorization policy applied to a proxy, working from the
// listeners captured in that proxy's Envoy config dump.
type Analyzer struct {
	// listenerDump is the dynamic listener section of the proxy's config dump,
	// as returned by configdump.Wrapper.GetDynamicListenerDump in NewAnalyzer.
	listenerDump *envoy_admin.ListenersConfigDump
}
    35  
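// NewAnalyzer creates a new analyzer for a given pod based on its envoy config.
//
// envoyConfig must be non-nil; a nil config is reported as an error rather than
// dereferenced. When the dynamic listener dump cannot be read, the returned
// error wraps the underlying configdump error so callers can inspect it with
// errors.Is / errors.As.
func NewAnalyzer(envoyConfig *configdump.Wrapper) (*Analyzer, error) {
	if envoyConfig == nil {
		return nil, errors.New("failed to get dynamic listener dump: nil envoy config")
	}
	// NOTE(review): the meaning of the boolean argument is defined by configdump;
	// it is passed through unchanged here — confirm there before altering it.
	listeners, err := envoyConfig.GetDynamicListenerDump(true)
	if err != nil {
		// %w keeps the cause inspectable; %s would flatten it to plain text.
		return nil, fmt.Errorf("failed to get dynamic listener dump: %w", err)
	}

	return &Analyzer{listenerDump: listeners}, nil
}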
    45  
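// Print writes the analysis results for the proxy's active dynamic listeners to writer.
//
// Each dynamic listener's active state is decoded into a listener.Listener and the
// collected list is handed to the package-level Print. Entries without an active
// state, or whose active state carries no listener, are skipped instead of
// dereferenced. This method has no error channel, so the first listener that fails
// to decode aborts the output without writing anything, as before.
func (a *Analyzer) Print(writer io.Writer) {
	// The generated getter is nil-safe, so a missing dump yields an empty list
	// instead of a nil-pointer panic.
	dynamic := a.listenerDump.GetDynamicListeners()
	listeners := make([]*listener.Listener, 0, len(dynamic))
	for _, l := range dynamic {
		// A dynamic listener entry may have no active state (or an active state
		// with no listener payload); the original code dereferenced both unguarded.
		packed := l.GetActiveState().GetListener()
		if packed == nil {
			continue
		}
		// Support v2 or v3 in config dump. See ads.go:RequestedTypes for more info.
		// Note: this rewrites the type URL on the stored dump in place.
		packed.TypeUrl = v3.ListenerType
		listenerTyped := &listener.Listener{}
		if err := packed.UnmarshalTo(listenerTyped); err != nil {
			return
		}
		listeners = append(listeners, listenerTyped)
	}
	Print(writer, listeners)
}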
    59  	Print(writer, listeners)
    60  }