1
// Copyright Istio Authors
3
// Licensed under the Apache License, Version 2.0 (the "License");
4
// you may not use this file except in compliance with the License.
5
// You may obtain a copy of the License at
7
// http://www.apache.org/licenses/LICENSE-2.0
9
// Unless required by applicable law or agreed to in writing, software
10
// distributed under the License is distributed on an "AS IS" BASIS,
11
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
// See the License for the specific language governing permissions and
13
// limitations under the License.
21
rbacpb "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
22
matcherpb "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
24
"istio.io/istio/pilot/pkg/networking/util"
25
"istio.io/istio/pilot/pkg/security/authz/matcher"
26
"istio.io/istio/pilot/pkg/xds/filters"
27
"istio.io/istio/pkg/spiffe"
30
type generator interface {
31
permission(key, value string, forTCP bool) (*rbacpb.Permission, error)
32
principal(key, value string, forTCP bool, useAuthenticated bool) (*rbacpb.Principal, error)
35
type extendedGenerator interface {
36
extendedPermission(key string, value []string, forTCP bool) (*rbacpb.Permission, error)
37
extendedPrincipal(key string, value []string, forTCP bool) (*rbacpb.Principal, error)
40
type destIPGenerator struct{}
42
func (destIPGenerator) permission(_, value string, _ bool) (*rbacpb.Permission, error) {
43
cidrRange, err := util.AddrStrToCidrRange(value)
47
return permissionDestinationIP(cidrRange), nil
50
func (destIPGenerator) principal(_, _ string, _ bool, _ bool) (*rbacpb.Principal, error) {
51
return nil, fmt.Errorf("unimplemented")
54
type destPortGenerator struct{}
56
func (destPortGenerator) permission(_, value string, _ bool) (*rbacpb.Permission, error) {
57
portValue, err := convertToPort(value)
61
return permissionDestinationPort(portValue), nil
64
func (destPortGenerator) principal(_, _ string, _ bool, _ bool) (*rbacpb.Principal, error) {
65
return nil, fmt.Errorf("unimplemented")
68
type connSNIGenerator struct{}
70
func (connSNIGenerator) permission(_, value string, _ bool) (*rbacpb.Permission, error) {
71
m := matcher.StringMatcher(value)
72
return permissionRequestedServerName(m), nil
75
func (connSNIGenerator) principal(_, _ string, _ bool, _ bool) (*rbacpb.Principal, error) {
76
return nil, fmt.Errorf("unimplemented")
79
type envoyFilterGenerator struct{}
81
func (efg envoyFilterGenerator) permission(key, value string, _ bool) (*rbacpb.Permission, error) {
82
// Split key of format "experimental.envoy.filters.a.b[c]" to "envoy.filters.a.b" and "c".
83
parts := strings.SplitN(strings.TrimSuffix(strings.TrimPrefix(key, "experimental."), "]"), "[", 2)
86
return nil, fmt.Errorf("invalid key: %v", key)
89
// If value is of format [v], create a list matcher.
90
// Else, if value is of format v, create a string matcher.
91
if strings.HasPrefix(value, "[") && strings.HasSuffix(value, "]") {
92
m := matcher.MetadataListMatcher(parts[0], parts[1:], matcher.StringMatcher(strings.Trim(value, "[]")), false)
93
return permissionMetadata(m), nil
95
m := matcher.MetadataStringMatcher(parts[0], parts[1], matcher.StringMatcher(value))
96
return permissionMetadata(m), nil
99
func (efg envoyFilterGenerator) extendedPermission(key string, values []string, _ bool) (*rbacpb.Permission, error) {
100
// Split key of format "experimental.envoy.filters.a.b[c]" to "envoy.filters.a.b" and "c".
101
parts := strings.SplitN(strings.TrimSuffix(strings.TrimPrefix(key, "experimental."), "]"), "[", 2)
104
return nil, fmt.Errorf("invalid key: %v", key)
107
matchers := []*matcherpb.ValueMatcher{}
108
for _, value := range values {
109
if strings.HasPrefix(value, "[") && strings.HasSuffix(value, "]") {
110
matchers = append(matchers, &matcherpb.ValueMatcher{
111
MatchPattern: &matcherpb.ValueMatcher_ListMatch{
112
ListMatch: &matcherpb.ListMatcher{
113
MatchPattern: &matcherpb.ListMatcher_OneOf{
114
OneOf: &matcherpb.ValueMatcher{
115
MatchPattern: &matcherpb.ValueMatcher_StringMatch{
116
StringMatch: matcher.StringMatcher(strings.Trim(value, "[]")),
124
matchers = append(matchers, &matcherpb.ValueMatcher{
125
MatchPattern: &matcherpb.ValueMatcher_StringMatch{
126
StringMatch: matcher.StringMatcher(value),
131
m := matcher.MetadataValueMatcher(parts[0], parts[1], matcher.OrMatcher(matchers))
132
return permissionMetadata(m), nil
135
func (envoyFilterGenerator) principal(_, _ string, _ bool, _ bool) (*rbacpb.Principal, error) {
136
return nil, fmt.Errorf("unimplemented")
139
func (envoyFilterGenerator) extendedPrincipal(_ string, _ []string, _ bool) (*rbacpb.Principal, error) {
140
return nil, fmt.Errorf("unimplemented")
143
type srcIPGenerator struct{}
145
func (srcIPGenerator) permission(_, _ string, _ bool) (*rbacpb.Permission, error) {
146
return nil, fmt.Errorf("unimplemented")
149
func (srcIPGenerator) principal(_, value string, _ bool, _ bool) (*rbacpb.Principal, error) {
150
cidr, err := util.AddrStrToCidrRange(value)
154
return principalDirectRemoteIP(cidr), nil
157
type remoteIPGenerator struct{}
159
func (remoteIPGenerator) permission(_, _ string, _ bool) (*rbacpb.Permission, error) {
160
return nil, fmt.Errorf("unimplemented")
163
func (remoteIPGenerator) principal(_, value string, _ bool, _ bool) (*rbacpb.Principal, error) {
164
cidr, err := util.AddrStrToCidrRange(value)
168
return principalRemoteIP(cidr), nil
171
type srcNamespaceGenerator struct{}
173
func (srcNamespaceGenerator) permission(_, _ string, _ bool) (*rbacpb.Permission, error) {
174
return nil, fmt.Errorf("unimplemented")
177
func (srcNamespaceGenerator) principal(_, value string, _ bool, useAuthenticated bool) (*rbacpb.Principal, error) {
178
v := strings.Replace(value, "*", ".*", -1)
179
m := matcher.StringMatcherRegex(fmt.Sprintf(".*/ns/%s/.*", v))
180
return principalAuthenticated(m, useAuthenticated), nil
183
type srcPrincipalGenerator struct{}
185
func (srcPrincipalGenerator) permission(_, _ string, _ bool) (*rbacpb.Permission, error) {
186
return nil, fmt.Errorf("unimplemented")
189
func (srcPrincipalGenerator) principal(key, value string, _ bool, useAuthenticated bool) (*rbacpb.Principal, error) {
190
m := matcher.StringMatcherWithPrefix(value, spiffe.URIPrefix)
191
return principalAuthenticated(m, useAuthenticated), nil
194
type requestPrincipalGenerator struct{}
196
func (requestPrincipalGenerator) permission(_, _ string, _ bool) (*rbacpb.Permission, error) {
197
return nil, fmt.Errorf("unimplemented")
200
func (requestPrincipalGenerator) extendedPermission(_ string, _ []string, _ bool) (*rbacpb.Permission, error) {
201
return nil, fmt.Errorf("unimplemented")
204
func (rpg requestPrincipalGenerator) principal(key, value string, forTCP bool, _ bool) (*rbacpb.Principal, error) {
206
return nil, fmt.Errorf("%q is HTTP only", key)
208
m := matcher.MetadataStringMatcher(filters.AuthnFilterName, key, matcher.StringMatcher(value))
209
return principalMetadata(m), nil
212
var matchAny = matcher.StringMatcherRegex(".+")
214
func (rpg requestPrincipalGenerator) extendedPrincipal(key string, values []string, forTCP bool) (*rbacpb.Principal, error) {
216
return nil, fmt.Errorf("%q is HTTP only", key)
218
var or []*rbacpb.Principal
219
for _, value := range values {
220
// Use the last index of "/" since issuer may be an URL
221
idx := strings.LastIndex(value, "/")
225
iss, sub = value[:idx], value[idx+1:]
229
var matchIss, matchSub *matcherpb.StringMatcher
234
case strings.HasPrefix(value, "*"):
239
matchIss = matcher.StringMatcherSuffix(strings.TrimPrefix(iss, "*"), false)
241
matchSub = matcher.StringMatcherExact(sub, false)
244
matchSub = matcher.StringMatcherSuffix(strings.TrimPrefix(value, "*"), false)
246
case strings.HasSuffix(value, "*"):
248
matchIss = matcher.StringMatcherExact(iss, false)
252
matchSub = matcher.StringMatcherPrefix(strings.TrimSuffix(sub, "*"), false)
255
matchIss = matcher.StringMatcherPrefix(strings.TrimSuffix(value, "*"), false)
259
matchSub = matcher.StringMatcherExact(sub, false)
260
matchIss = matcher.StringMatcherExact(iss, false)
262
im := MetadataStringMatcherForJWTClaim("iss", matchIss)
263
sm := MetadataStringMatcherForJWTClaim("sub", matchSub)
264
or = append(or, principalAnd([]*rbacpb.Principal{principalMetadata(im), principalMetadata(sm)}))
268
} else if len(or) > 0 {
269
return principalOr(or), nil
274
type requestAudiencesGenerator struct{}
276
func (requestAudiencesGenerator) permission(key, value string, forTCP bool) (*rbacpb.Permission, error) {
277
return requestPrincipalGenerator{}.permission(key, value, forTCP)
280
func (requestAudiencesGenerator) extendedPermission(key string, values []string, forTCP bool) (*rbacpb.Permission, error) {
281
return requestPrincipalGenerator{}.extendedPermission(key, values, forTCP)
284
func (rag requestAudiencesGenerator) principal(key, value string, forTCP bool, useAuthenticated bool) (*rbacpb.Principal, error) {
286
return nil, fmt.Errorf("%q is HTTP only", key)
288
m := matcher.MetadataStringMatcher(filters.AuthnFilterName, key, matcher.StringMatcher(value))
289
return principalMetadata(m), nil
292
func (rag requestAudiencesGenerator) extendedPrincipal(key string, values []string, forTCP bool) (*rbacpb.Principal, error) {
294
return nil, fmt.Errorf("%q is HTTP only", key)
296
return principalMetadata(MetadataValueMatcherForJWTClaim("aud", matcher.StringOrMatcher(values))), nil
299
type requestPresenterGenerator struct{}
301
func (requestPresenterGenerator) permission(key, value string, forTCP bool) (*rbacpb.Permission, error) {
302
return requestPrincipalGenerator{}.permission(key, value, forTCP)
305
func (requestPresenterGenerator) extendedPermission(key string, values []string, forTCP bool) (*rbacpb.Permission, error) {
306
return requestPrincipalGenerator{}.extendedPermission(key, values, forTCP)
309
func (rpg requestPresenterGenerator) principal(key, value string, forTCP bool, useAuthenticated bool) (*rbacpb.Principal, error) {
311
return nil, fmt.Errorf("%q is HTTP only", key)
313
m := matcher.MetadataStringMatcher(filters.AuthnFilterName, key, matcher.StringMatcher(value))
314
return principalMetadata(m), nil
317
func (rpg requestPresenterGenerator) extendedPrincipal(key string, values []string, forTCP bool) (*rbacpb.Principal, error) {
319
return nil, fmt.Errorf("%q is HTTP only", key)
321
return principalMetadata(MetadataListValueMatcherForJWTClaims([]string{"azp"}, matcher.StringOrMatcher(values))), nil
324
type requestHeaderGenerator struct{}
326
func (requestHeaderGenerator) permission(_, _ string, _ bool) (*rbacpb.Permission, error) {
327
return nil, fmt.Errorf("unimplemented")
330
func (requestHeaderGenerator) principal(key, value string, forTCP bool, _ bool) (*rbacpb.Principal, error) {
332
return nil, fmt.Errorf("%q is HTTP only", key)
335
header, err := extractNameInBrackets(strings.TrimPrefix(key, attrRequestHeader))
339
m := matcher.HeaderMatcher(header, value)
340
return principalHeader(m), nil
343
type requestClaimGenerator struct{}
345
func (requestClaimGenerator) permission(_, _ string, _ bool) (*rbacpb.Permission, error) {
346
return nil, fmt.Errorf("unimplemented")
349
func (requestClaimGenerator) extendedPermission(_ string, _ []string, _ bool) (*rbacpb.Permission, error) {
350
return nil, fmt.Errorf("unimplemented")
353
func (rcg requestClaimGenerator) principal(key, value string, forTCP bool, _ bool) (*rbacpb.Principal, error) {
355
return nil, fmt.Errorf("%q is HTTP only", key)
358
claims, err := extractNameInNestedBrackets(strings.TrimPrefix(key, attrRequestClaims))
362
// Generate a metadata list matcher for the given path keys and value.
363
// On proxy side, the value should be of list type.
364
m := MetadataMatcherForJWTClaims(claims, matcher.StringMatcher(value), false)
365
return principalMetadata(m), nil
368
func (rcg requestClaimGenerator) extendedPrincipal(key string, values []string, forTCP bool) (*rbacpb.Principal, error) {
370
return nil, fmt.Errorf("%q is HTTP only", key)
373
claims, err := extractNameInNestedBrackets(strings.TrimPrefix(key, attrRequestClaims))
377
m := MetadataListValueMatcherForJWTClaims(claims, matcher.StringOrMatcher(values))
378
return principalMetadata(m), nil
381
type hostGenerator struct{}
383
func (hg hostGenerator) permission(key, value string, forTCP bool) (*rbacpb.Permission, error) {
385
return nil, fmt.Errorf("%q is HTTP only", key)
388
return permissionHeader(matcher.HostMatcher(hostHeader, value)), nil
391
func (hostGenerator) principal(key, value string, forTCP bool, _ bool) (*rbacpb.Principal, error) {
392
return nil, fmt.Errorf("unimplemented")
395
type pathGenerator struct{}
397
func (g pathGenerator) permission(key, value string, forTCP bool) (*rbacpb.Permission, error) {
399
return nil, fmt.Errorf("%q is HTTP only", key)
402
m := matcher.PathMatcher(value)
403
return permissionPath(m), nil
406
func (pathGenerator) principal(key, value string, forTCP bool, _ bool) (*rbacpb.Principal, error) {
407
return nil, fmt.Errorf("unimplemented")
410
type methodGenerator struct{}
412
func (methodGenerator) permission(key, value string, forTCP bool) (*rbacpb.Permission, error) {
414
return nil, fmt.Errorf("%q is HTTP only", key)
417
m := matcher.HeaderMatcher(methodHeader, value)
418
return permissionHeader(m), nil
421
func (methodGenerator) principal(key, value string, forTCP bool, _ bool) (*rbacpb.Principal, error) {
422
return nil, fmt.Errorf("unimplemented")