// File: istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/security/authz/matcher/metadata.go

// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package matcher

import (
	matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
)

// MetadataStringMatcher builds a MetadataMatcher that applies the string matcher m
// to the metadata found under the given filter and single key.
//
// m is wrapped in a string-match ValueMatcher and handed to MetadataValueMatcher.
// It is embedded as-is: this helper performs no nil check or other validation.
func MetadataStringMatcher(filter, key string, m *matcher.StringMatcher) *matcher.MetadataMatcher {
	stringValue := &matcher.ValueMatcher{
		MatchPattern: &matcher.ValueMatcher_StringMatch{StringMatch: m},
	}
	return MetadataValueMatcher(filter, key, stringValue)
}

// MetadataValueMatcher builds a MetadataMatcher for the given filter whose path is
// the single key segment key and whose value matcher is m.
//
// filter, key and m are copied into the result unchanged; nothing is validated here.
func MetadataValueMatcher(filter, key string, m *matcher.ValueMatcher) *matcher.MetadataMatcher {
	segment := &matcher.MetadataMatcher_PathSegment{
		Segment: &matcher.MetadataMatcher_PathSegment_Key{Key: key},
	}
	result := &matcher.MetadataMatcher{Filter: filter, Value: m}
	result.Path = []*matcher.MetadataMatcher_PathSegment{segment}
	return result
}

// MetadataListMatcher creates a metadata list matcher for the given path keys and value.
// The string matcher is wrapped in a string-match ValueMatcher and passed, together
// with filter, keys and useExtendedJwt, to MetadataListValueMatcher, whose comment
// describes the two result shapes selected by useExtendedJwt.
func MetadataListMatcher(filter string, keys []string, value *matcher.StringMatcher, useExtendedJwt bool) *matcher.MetadataMatcher {
	stringValue := &matcher.ValueMatcher{
		MatchPattern: &matcher.ValueMatcher_StringMatch{StringMatch: value},
	}
	return MetadataListValueMatcher(filter, keys, stringValue, useExtendedJwt)
}

// MetadataListValueMatcher creates a metadata matcher for the given filter whose path
// has one key segment per entry of keys, in order, and whose value matcher is built
// from value.
//
// With useExtendedJwt false, the value matcher is a list match with value as its
// OneOf pattern, i.e. value is applied to the elements of a list at the path.
//
// With useExtendedJwt true, the value matcher is an OR of that same list match and
// value applied directly to the metadata at the path. Since value is tried directly
// as well as per list element, this is the broader of the two forms: whatever the
// list-only form matches, this form matches too.
//
// Neither keys nor value is validated here: an empty keys slice yields an empty
// Path, and value is embedded as-is.
func MetadataListValueMatcher(filter string, keys []string, value *matcher.ValueMatcher, useExtendedJwt bool) *matcher.MetadataMatcher {
	// One key segment per path key, preserving the caller's order.
	segments := make([]*matcher.MetadataMatcher_PathSegment, len(keys))
	for i := range keys {
		segments[i] = &matcher.MetadataMatcher_PathSegment{
			Segment: &matcher.MetadataMatcher_PathSegment_Key{Key: keys[i]},
		}
	}

	// List form: value is the OneOf pattern of a ListMatcher.
	anyElement := &matcher.ValueMatcher{
		MatchPattern: &matcher.ValueMatcher_ListMatch{
			ListMatch: &matcher.ListMatcher{
				MatchPattern: &matcher.ListMatcher_OneOf{OneOf: value},
			},
		},
	}

	result := &matcher.MetadataMatcher{Filter: filter, Path: segments}
	if !useExtendedJwt {
		result.Value = anyElement
		return result
	}

	// Extended form: list match first, then value applied directly, combined with OR.
	result.Value = &matcher.ValueMatcher{
		MatchPattern: &matcher.ValueMatcher_OrMatch{
			OrMatch: &matcher.OrMatcher{
				ValueMatchers: []*matcher.ValueMatcher{anyElement, value},
			},
		},
	}
	return result
}