// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package model

import (
	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
	rbacpb "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
	routepb "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
	uri_template "github.com/envoyproxy/go-control-plane/envoy/extensions/path/match/uri_template/v3"
	matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"

	"istio.io/istio/pilot/pkg/util/protoconv"
)

// The helpers below build Envoy RBAC Permission messages, one Rule variant
// each. They are thin constructors: none of them validates or copies its
// argument, so the caller is responsible for handing over a well-formed
// matcher. Getting a Permission wrong widens or narrows what an
// AuthorizationPolicy allows, so the rule each helper emits is spelled out
// in its comment.

// permissionAny returns a Permission with the `any` rule set, which matches
// every request. Inside an ALLOW policy this grants access irrespective of
// destination, path or headers; emit it only when that is the intent.
func permissionAny() *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_Any{Any: true}
	return p
}

// permissionAnd returns a Permission that matches only when every element of
// permission matches (Envoy `and_rules`). The slice is stored as-is.
//
// NOTE(review): an empty slice would be vacuously true (allow-all) by plain
// logic, and Envoy's proto validation is believed to reject a Set with no
// rules; callers are expected to pass at least one rule — confirm at the
// call sites.
func permissionAnd(permission []*rbacpb.Permission) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_AndRules{
		AndRules: &rbacpb.Permission_Set{Rules: permission},
	}
	return p
}

// permissionOr returns a Permission that matches when at least one element of
// permission matches (Envoy `or_rules`). The slice is stored as-is.
//
// NOTE(review): as with permissionAnd, an empty set is presumably rejected by
// Envoy's validation; callers are expected to pass at least one rule.
func permissionOr(permission []*rbacpb.Permission) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_OrRules{
		OrRules: &rbacpb.Permission_Set{Rules: permission},
	}
	return p
}

// permissionNot returns the negation of permission (Envoy `not_rule`): it
// matches exactly the requests the wrapped rule does not. Negating a rule that
// can never match yields a match-everything rule, which is the usual way a
// "not" in an ALLOW policy becomes broader than intended.
func permissionNot(permission *rbacpb.Permission) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_NotRule{NotRule: permission}
	return p
}

// permissionDestinationIP returns a Permission matching when the connection's
// destination address falls within cidr (Envoy `destination_ip`).
func permissionDestinationIP(cidr *core.CidrRange) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_DestinationIp{DestinationIp: cidr}
	return p
}

// permissionDestinationPort returns a Permission matching when the
// connection's destination port equals port (Envoy `destination_port`).
// The value is passed through unchecked; Envoy presumably only accepts the
// 0..65535 range, so range checks belong to the caller.
func permissionDestinationPort(port uint32) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_DestinationPort{DestinationPort: port}
	return p
}

// permissionRequestedServerName returns a Permission matching name against
// Envoy's `requested_server_name` — presumably the TLS SNI the client sent,
// which is client-controlled and only meaningful on TLS-terminating
// listeners; confirm before relying on it as the sole gate.
func permissionRequestedServerName(name *matcher.StringMatcher) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_RequestedServerName{RequestedServerName: name}
	return p
}

// permissionMetadata returns a Permission matching metadata against the
// request's Envoy metadata (Envoy `metadata` rule). Which filter populates
// the keyed metadata is decided by the caller's MetadataMatcher.
func permissionMetadata(metadata *matcher.MetadataMatcher) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_Metadata{Metadata: metadata}
	return p
}

// permissionHeader returns a Permission matching an HTTP header with header
// (Envoy `header` rule). Header values are attacker-controlled input, so the
// matcher passed in should be exact or anchored rather than a loose regex.
func permissionHeader(header *routepb.HeaderMatcher) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_Header{Header: header}
	return p
}

// permissionPath returns a Permission matching the request URL path with path
// (Envoy `url_path`). NOTE(review): the path Envoy compares is whatever
// reaches the RBAC filter after any configured normalization; a rule that
// relies on prefixes or case should be paired with path normalization
// upstream — confirm the listener settings.
func permissionPath(path *matcher.PathMatcher) *rbacpb.Permission {
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_UrlPath{UrlPath: path}
	return p
}

// permissionPathTemplate returns a Permission whose `uri_template` rule is the
// given template matcher, packed as a TypedExtensionConfig named
// "uri-template" with the config serialized via protoconv.MessageToAny.
func permissionPathTemplate(path *uri_template.UriTemplateMatchConfig) *rbacpb.Permission {
	cfg := &core.TypedExtensionConfig{
		Name:        "uri-template",
		TypedConfig: protoconv.MessageToAny(path),
	}
	p := &rbacpb.Permission{}
	p.Rule = &rbacpb.Permission_UriTemplate{UriTemplate: cfg}
	return p
}