istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/xds/auth.go

istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pilot/pkg/xds/auth.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package xds
    16  
    17  import (
    18  	"context"
    19  	"fmt"
    20  
    21  	"google.golang.org/grpc/codes"
    22  	"google.golang.org/grpc/status"
    23  
    24  	"istio.io/istio/pilot/pkg/features"
    25  	"istio.io/istio/pilot/pkg/model"
    26  	"istio.io/istio/pkg/security"
    27  	"istio.io/istio/pkg/spiffe"
    28  )
    29  
    30  // authenticate authenticates the ADS request using the configured authenticators.
    31  // Returns the validated principals or an error.
    32  // If no authenticators are configured, or if the request is on a non-secure
    33  // stream ( 15010 ) - returns an empty list of principals and no errors.
    34  func (s *DiscoveryServer) authenticate(ctx context.Context) ([]string, error) {
    35  	c, err := security.Authenticate(ctx, s.Authenticators)
    36  	if c != nil {
    37  		return c.Identities, nil
    38  	}
    39  	return nil, err
    40  }
    41  
    42  func (s *DiscoveryServer) authorize(con *Connection, identities []string) error {
    43  	if con == nil || con.proxy == nil {
    44  		return nil
    45  	}
    46  
    47  	if features.EnableXDSIdentityCheck && identities != nil {
    48  		// TODO: allow locking down, rejecting unauthenticated requests.
    49  		id, err := checkConnectionIdentity(con.proxy, identities)
    50  		if err != nil {
    51  			log.Warnf("Unauthorized XDS: %v with identity %v: %v", con.Peer(), identities, err)
    52  			return status.Newf(codes.PermissionDenied, "authorization failed: %v", err).Err()
    53  		}
    54  		con.proxy.VerifiedIdentity = id
    55  	}
    56  	return nil
    57  }
    58  
    59  func checkConnectionIdentity(proxy *model.Proxy, identities []string) (*spiffe.Identity, error) {
    60  	for _, rawID := range identities {
    61  		spiffeID, err := spiffe.ParseIdentity(rawID)
    62  		if err != nil {
    63  			continue
    64  		}
    65  		if proxy.ConfigNamespace != "" && spiffeID.Namespace != proxy.ConfigNamespace {
    66  			continue
    67  		}
    68  		if proxy.Metadata.ServiceAccount != "" && spiffeID.ServiceAccount != proxy.Metadata.ServiceAccount {
    69  			continue
    70  		}
    71  		return &spiffeID, nil
    72  	}
    73  	return nil, fmt.Errorf("no identities (%v) matched %v/%v", identities, proxy.ConfigNamespace, proxy.Metadata.ServiceAccount)
    74  }