
     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package authn
    16  
    17  import (
    18  	hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
    19  
    20  	"istio.io/istio/pilot/pkg/model"
    21  	"istio.io/istio/pkg/config/labels"
    22  )
    23  
// NoOverride is an alias for model.MTLSUnknown that conveys intent more clearly when passed as the
// modeOverride argument of PolicyApplier.InboundMTLSSettings: the caller is not requesting any
// override of the policy-derived mTLS mode.
const NoOverride = model.MTLSUnknown
    26  
// PolicyApplier is the interface that provides the essential functionality to help configure Envoy (xDS)
// to enforce authentication policy. Each version of authentication policy will implement this interface.
type PolicyApplier interface {
	// InboundMTLSSettings returns inbound mTLS settings for a given workload port.
	// modeOverride presumably takes precedence over the mode derived from policy; NoOverride
	// (model.MTLSUnknown) conveys that no override is requested.
	InboundMTLSSettings(endpointPort uint32, node *model.Proxy, trustDomainAliases []string, modeOverride model.MutualTLSMode) MTLSSettings

	// JwtFilter returns the JWT HTTP filter to enforce the underlying authentication policy.
	// It may return nil, if no JWT validation is needed, so callers must handle a nil result.
	JwtFilter(useExtendedJwt, clearRouteCache bool) *hcm.HttpFilter

	// AuthNFilter returns the (authn) HTTP filter to enforce the underlying authentication policy.
	// It may return nil, if no authentication is needed, so callers must handle a nil result.
	AuthNFilter(forSidecar bool) *hcm.HttpFilter

	// PortLevelSetting returns port level mTLS settings, keyed by workload port.
	PortLevelSetting() map[uint32]model.MutualTLSMode

	// MtlsPolicy is embedded so that every applier can also answer GetMutualTLSModeForPort.
	MtlsPolicy
}
    46  
// MtlsPolicy is the subset of PolicyApplier needed to check the mTLS mode of a workload.
// It is what NewMtlsPolicy returns; that constructor supplies no JWT policies, so only the mTLS
// mode lookup is meaningful on the value it builds.
type MtlsPolicy interface {
	// GetMutualTLSModeForPort gets the mTLS mode for the given port. If there is no port level setting, it
	// returns the inherited namespace/mesh level setting.
	GetMutualTLSModeForPort(endpointPort uint32) model.MutualTLSMode
}
    52  
// NewPolicyApplier returns the appropriate (policy) applier, depending on the versions of the policy
// that exist for the given service instance. The returned applier is the source of both the inbound
// mTLS settings and the JWT/authn HTTP filters for that workload.
func NewPolicyApplier(push *model.PushContext, proxy *model.Proxy, svc *model.Service) PolicyApplier {
	// Match policies for this proxy, narrowed to the service it is serving.
	matcher := model.PolicyMatcherForProxy(proxy).WithService(svc)

	// Lookups happen in the same order as the original argument list: root namespace,
	// then JWT (RequestAuthentication) policies, then PeerAuthentication policies.
	rootNamespace := push.AuthnPolicies.GetRootNamespace()
	jwtPolicies := push.AuthnPolicies.GetJwtPoliciesForWorkload(matcher)
	peerPolicies := push.AuthnPolicies.GetPeerAuthenticationsForWorkload(matcher)

	return newPolicyApplier(rootNamespace, jwtPolicies, peerPolicies, push)
}
    62  
// NewMtlsPolicy returns a checker used to detect proxy mtls mode.
//
// Only PeerAuthentication policies are consulted: JWT policies are deliberately passed as nil
// because the result is exposed solely as MtlsPolicy (GetMutualTLSModeForPort). Note that the
// labels parameter shadows the imported labels package within this function body.
func NewMtlsPolicy(push *model.PushContext, namespace string, labels labels.Instance, isWaypoint bool) MtlsPolicy {
	rootNamespace := push.AuthnPolicies.GetRootNamespace()

	// Match policies by namespace/labels directly since there is no proxy or service here.
	matcher := model.PolicyMatcherFor(namespace, labels, isWaypoint)
	peerPolicies := push.AuthnPolicies.GetPeerAuthenticationsForWorkload(matcher)

	var checker MtlsPolicy = newPolicyApplier(rootNamespace, nil, peerPolicies, push)
	return checker
}