// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package model

import (
	core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
	rbacpb "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
	routepb "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
	matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
)

// peerPrincipalFilterStateKey is the filter-state key consulted when a
// principal match is expressed through filter state rather than through
// Envoy's authenticated-principal matcher.
const peerPrincipalFilterStateKey = "io.istio.peer_principal"

// principalAny builds a principal that matches every caller (Any: true).
// It is the permissive leaf of an RBAC principal tree, so callers should only
// use it where an unconditional match is the intent.
func principalAny() *rbacpb.Principal {
	matchAll := &rbacpb.Principal_Any{Any: true}
	return &rbacpb.Principal{Identifier: matchAll}
}

// principalSet wraps a list of principals in the Principal_Set container shared
// by the OR and AND combinators.
func principalSet(ids []*rbacpb.Principal) *rbacpb.Principal_Set {
	return &rbacpb.Principal_Set{Ids: ids}
}

// principalOr builds a principal that matches when at least one of principals
// matches (OrIds). The slice is stored as-is, not copied.
func principalOr(principals []*rbacpb.Principal) *rbacpb.Principal {
	anyOf := &rbacpb.Principal_OrIds{OrIds: principalSet(principals)}
	return &rbacpb.Principal{Identifier: anyOf}
}

// principalAnd builds a principal that matches only when every entry of
// principals matches (AndIds). The slice is stored as-is, not copied.
func principalAnd(principals []*rbacpb.Principal) *rbacpb.Principal {
	allOf := &rbacpb.Principal_AndIds{AndIds: principalSet(principals)}
	return &rbacpb.Principal{Identifier: allOf}
}

// principalNot builds the negation of principal (NotId): it matches exactly
// when the wrapped principal does not.
func principalNot(principal *rbacpb.Principal) *rbacpb.Principal {
	negated := &rbacpb.Principal_NotId{NotId: principal}
	return &rbacpb.Principal{Identifier: negated}
}

// principalAuthenticated builds a principal that matches the peer identity
// against name.
//
// With useAuthenticated set, the match is expressed through Envoy's
// Principal_Authenticated matcher on PrincipalName. Otherwise it is expressed
// as a FilterStateMatcher on the "io.istio.peer_principal" key with the same
// string matcher; whatever populates that filter-state entry is outside this
// file and is what the match ultimately trusts in that mode.
func principalAuthenticated(name *matcher.StringMatcher, useAuthenticated bool) *rbacpb.Principal {
	if !useAuthenticated {
		fromFilterState := &matcher.FilterStateMatcher{
			Key:     peerPrincipalFilterStateKey,
			Matcher: &matcher.FilterStateMatcher_StringMatch{StringMatch: name},
		}
		return &rbacpb.Principal{
			Identifier: &rbacpb.Principal_FilterState{FilterState: fromFilterState},
		}
	}

	authenticated := &rbacpb.Principal_Authenticated{PrincipalName: name}
	return &rbacpb.Principal{
		Identifier: &rbacpb.Principal_Authenticated_{Authenticated: authenticated},
	}
}

// principalDirectRemoteIP builds a principal matching cidr against the
// directly connected peer address (DirectRemoteIp), i.e. the address of the
// connection itself rather than anything derived from forwarded headers.
func principalDirectRemoteIP(cidr *core.CidrRange) *rbacpb.Principal {
	directPeer := &rbacpb.Principal_DirectRemoteIp{DirectRemoteIp: cidr}
	return &rbacpb.Principal{Identifier: directPeer}
}

// principalRemoteIP builds a principal matching cidr against the remote
// address (RemoteIp). Per Envoy's RBAC semantics this is the origin address,
// which may be derived from trusted forwarding headers rather than the
// connection; use principalDirectRemoteIP when the check must not depend on
// header-derived addresses.
func principalRemoteIP(cidr *core.CidrRange) *rbacpb.Principal {
	origin := &rbacpb.Principal_RemoteIp{RemoteIp: cidr}
	return &rbacpb.Principal{Identifier: origin}
}

// principalMetadata builds a principal that delegates the match to the given
// dynamic-metadata matcher (Metadata).
func principalMetadata(metadata *matcher.MetadataMatcher) *rbacpb.Principal {
	byMetadata := &rbacpb.Principal_Metadata{Metadata: metadata}
	return &rbacpb.Principal{Identifier: byMetadata}
}

// principalHeader builds a principal that delegates the match to the given
// request-header matcher (Header). Header values are caller-controlled input,
// so a header-based principal only carries the trust the surrounding policy
// assigns to that header.
func principalHeader(header *routepb.HeaderMatcher) *rbacpb.Principal {
	byHeader := &rbacpb.Principal_Header{Header: header}
	return &rbacpb.Principal{Identifier: byHeader}
}