istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/security/authz/matcher/header.go (about) 1 // Copyright Istio Authors 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package matcher 16 17 import ( 18 "regexp" 19 "strings" 20 21 routepb "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" 22 matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" 23 ) 24 25 // HeaderMatcher converts a key, value string pair to a corresponding HeaderMatcher. 26 func HeaderMatcher(k, v string) *routepb.HeaderMatcher { 27 // We must check "*" first to make sure we'll generate a non empty value in the prefix/suffix case. 28 // Empty prefix/suffix value is invalid in HeaderMatcher. 29 if v == "*" { 30 return &routepb.HeaderMatcher{ 31 Name: k, 32 HeaderMatchSpecifier: &routepb.HeaderMatcher_PresentMatch{ 33 PresentMatch: true, 34 }, 35 } 36 } else if strings.HasPrefix(v, "*") { 37 return &routepb.HeaderMatcher{ 38 Name: k, 39 HeaderMatchSpecifier: &routepb.HeaderMatcher_StringMatch{ 40 StringMatch: StringMatcherSuffix(v[1:], false), 41 }, 42 } 43 } else if strings.HasSuffix(v, "*") { 44 return &routepb.HeaderMatcher{ 45 Name: k, 46 HeaderMatchSpecifier: &routepb.HeaderMatcher_StringMatch{ 47 StringMatch: StringMatcherPrefix(v[:len(v)-1], false), 48 }, 49 } 50 } 51 return &routepb.HeaderMatcher{ 52 Name: k, 53 HeaderMatchSpecifier: &routepb.HeaderMatcher_StringMatch{ 54 StringMatch: StringMatcherExact(v, false), 55 }, 56 } 57 } 58 59 // HostMatcherWithRegex creates a host matcher for a host using regex for proxies before 1.11. 60 func HostMatcherWithRegex(k, v string) *routepb.HeaderMatcher { 61 var regex string 62 if v == "*" { 63 return &routepb.HeaderMatcher{ 64 Name: k, 65 HeaderMatchSpecifier: &routepb.HeaderMatcher_PresentMatch{ 66 PresentMatch: true, 67 }, 68 } 69 } else if strings.HasPrefix(v, "*") { 70 regex = `.*` + regexp.QuoteMeta(v[1:]) 71 } else if strings.HasSuffix(v, "*") { 72 regex = regexp.QuoteMeta(v[:len(v)-1]) + `.*` 73 } else { 74 regex = regexp.QuoteMeta(v) 75 } 76 return &routepb.HeaderMatcher{ 77 Name: k, 78 HeaderMatchSpecifier: &routepb.HeaderMatcher_StringMatch{ 79 StringMatch: StringMatcherRegex(`(?i)` + regex), 80 }, 81 } 82 } 83 84 // HostMatcher creates a host matcher for a host. 85 func HostMatcher(k, v string) *routepb.HeaderMatcher { 86 // We must check "*" first to make sure we'll generate a non empty value in the prefix/suffix case. 87 // Empty prefix/suffix value is invalid in HeaderMatcher. 88 if v == "*" { 89 return &routepb.HeaderMatcher{ 90 Name: k, 91 HeaderMatchSpecifier: &routepb.HeaderMatcher_PresentMatch{ 92 PresentMatch: true, 93 }, 94 } 95 } else if strings.HasPrefix(v, "*") { 96 return &routepb.HeaderMatcher{ 97 Name: k, 98 HeaderMatchSpecifier: &routepb.HeaderMatcher_StringMatch{ 99 StringMatch: StringMatcherSuffix(v[1:], true), 100 }, 101 } 102 } else if strings.HasSuffix(v, "*") { 103 return &routepb.HeaderMatcher{ 104 Name: k, 105 HeaderMatchSpecifier: &routepb.HeaderMatcher_StringMatch{ 106 StringMatch: StringMatcherPrefix(v[:len(v)-1], true), 107 }, 108 } 109 } 110 return &routepb.HeaderMatcher{ 111 Name: k, 112 HeaderMatchSpecifier: &routepb.HeaderMatcher_StringMatch{ 113 StringMatch: StringMatcherExact(v, true), 114 }, 115 } 116 } 117 118 // PathMatcher creates a path matcher for a path. 119 func PathMatcher(path string) *matcher.PathMatcher { 120 return &matcher.PathMatcher{ 121 Rule: &matcher.PathMatcher_Path{ 122 Path: StringMatcher(path), 123 }, 124 } 125 }