
     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package authz
    16  
    17  import (
    18  	listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
    19  	hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
    20  
    21  	"istio.io/istio/pilot/pkg/model"
    22  	"istio.io/istio/pilot/pkg/networking"
    23  	"istio.io/istio/pilot/pkg/security/authz/builder"
    24  	"istio.io/istio/pilot/pkg/security/trustdomain"
    25  )
    26  
// ActionType selects which Envoy filter enforces the authorization policies
// that a Builder produces: the RBAC filter for the local actions, or the
// ext_authz filter for the CUSTOM action.
type ActionType int

const (
	// Local is for the actions ALLOW, DENY and AUDIT, which are enforced by the Envoy RBAC filter.
	Local ActionType = iota
	// Custom is for the CUSTOM action, which is enforced by the Envoy ext_authz filter.
	Custom
)
    35  
// Builder produces the Envoy authorization filters for one proxy, wrapping the
// policy-to-filter translation done by builder.Builder. Results are computed
// lazily and cached per Builder; the cache is written without synchronization,
// so a Builder is not safe for concurrent use.
type Builder struct {
	// Lazy load: each flag records whether the corresponding filter list has
	// already been computed, so the inner builder runs at most once per protocol.
	httpBuilt, tcpBuilt bool

	// Cached results, returned as-is on every call after the first. A nil
	// inner builder means no filters are produced at all (see BuildHTTP/BuildTCP).
	httpFilters []*hcm.HttpFilter
	tcpFilters  []*listener.Filter
	builder     *builder.Builder
}
    44  
// NewBuilder returns a Builder for the given proxy without narrowing the
// policy selection to a particular service. It is equivalent to
// NewBuilderForService with a nil svc.
func NewBuilder(actionType ActionType, push *model.PushContext, proxy *model.Proxy, useFilterState bool) *Builder {
	// No service scope: delegate with a nil *model.Service.
	var noService *model.Service
	return NewBuilderForService(actionType, push, proxy, useFilterState, noService)
}
    48  
// NewBuilderForService returns a Builder whose policies are those the push
// context's AuthzPolicies lists for the proxy, optionally narrowed to svc.
//
// actionType decides whether the inner builder is configured for the CUSTOM
// action (ext_authz) or for the local RBAC actions; useFilterState is passed
// through unchanged; extended JWT support is enabled only when the proxy
// reports it via SupportsEnvoyExtendedJwt. push and proxy must be non-nil.
func NewBuilderForService(actionType ActionType, push *model.PushContext, proxy *model.Proxy, useFilterState bool, svc *model.Service) *Builder {
	// The trust-domain bundle carries the mesh trust domain and its aliases;
	// presumably used by the inner builder to match principals across aliases — confirm in package trustdomain.
	bundle := trustdomain.NewBundle(push.Mesh.TrustDomain, push.Mesh.TrustDomainAliases)

	opt := builder.Option{
		IsCustomBuilder: actionType == Custom,
		UseFilterState:  useFilterState,
		UseExtendedJwt:  proxy.SupportsEnvoyExtendedJwt(),
	}

	// Policy selection is driven by proxy matching plus the optional service scope.
	matcher := model.PolicyMatcherForProxy(proxy).WithService(svc)
	selected := push.AuthzPolicies.ListAuthorizationPolicies(matcher)

	inner := builder.New(bundle, push, selected, opt)
	return &Builder{builder: inner}
}
    61  
// BuildTCP returns the TCP (network-level) authorization filters, running the
// inner builder on the first call and returning the cached list afterwards.
// A nil receiver or a nil inner builder yields nil, i.e. no filters.
func (b *Builder) BuildTCP() []*listener.Filter {
	if b == nil || b.builder == nil {
		return nil
	}
	if !b.tcpBuilt {
		// Mark as built before computing, so the flag and the cached
		// result are always set together on the normal path.
		b.tcpBuilt = true
		b.tcpFilters = b.builder.BuildTCP()
	}
	return b.tcpFilters
}
    74  
// BuildHTTP returns the HTTP authorization filters for a listener of the given
// class, running the inner builder on the first call and returning the cached
// list afterwards. The cache is keyed only on "built", not on class, so the
// inbound and gateway classes share one result. The sidecar outbound listener
// always gets nil: authorization is enforced on the inbound side and at
// gateways, not on the client's outbound path. A nil receiver or a nil inner
// builder also yields nil.
func (b *Builder) BuildHTTP(class networking.ListenerClass) []*hcm.HttpFilter {
	if b == nil || b.builder == nil {
		return nil
	}
	// Only applies to inbound and gateways. This check precedes the cache so
	// an outbound listener never receives filters computed for another class.
	if class == networking.ListenerClassSidecarOutbound {
		return nil
	}
	if !b.httpBuilt {
		// Same flag-then-compute order as BuildTCP.
		b.httpBuilt = true
		b.httpFilters = b.builder.BuildHTTP()
	}
	return b.httpFilters
}