// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package model

import (
	"fmt"
	"strconv"
	"strings"

	matcherpb "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"

	"istio.io/istio/pilot/pkg/security/authz/matcher"
	"istio.io/istio/pilot/pkg/xds/filters"
)

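// convertToPort parses v as a decimal port number and returns it as a uint32.
//
// It returns an error when v is not an unsigned decimal integer (the strconv
// error is wrapped so callers can inspect it with errors.As) or when the value
// exceeds 65535. The range check is explicit because ParseUint with bitSize 32
// on its own accepts anything up to 4294967295, which is not a valid port.
func convertToPort(v string) (uint32, error) {
	p, err := strconv.ParseUint(v, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid port %s: %w", v, err)
	}
	// Report the out-of-range case on its own; the original combined check
	// produced "invalid port 70000: <nil>" because err is nil here.
	if p > 65535 {
		return 0, fmt.Errorf("invalid port %s: value out of range 0-65535", v)
	}
	return uint32(p), nil
}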

// extractNameInBrackets returns the text enclosed by a single pair of
// square brackets, so "[iss]" yields "iss". Only the outermost pair is
// stripped: "[[a]]" yields "[a]". The input must start with '[' and end
// with ']', otherwise an error describing the expected format is returned.
func extractNameInBrackets(s string) (string, error) {
	wellFormed := strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]")
	if !wellFormed {
		return "", fmt.Errorf("expecting format [<NAME>], but found %s", s)
	}
	// Both delimiters are present, so s has at least two bytes and the
	// slice below is always in range ("[]" yields the empty name).
	return s[1 : len(s)-1], nil
}

// extractNameInNestedBrackets splits a claim path written as a sequence of
// bracketed segments, e.g. "[a][b][c]" -> ["a", "b", "c"]. Each segment must
// open with '[' and close at the first ']' that follows; a '[' encountered
// before that ']' is not allowed inside a segment.
//
// If the input does not parse as such a sequence at any point (a segment
// that does not start with '[', has no closing ']', or contains a nested
// '['), the segments collected so far are discarded and the whole string is
// instead interpreted as a single "[<NAME>]" via extractNameInBrackets — so
// "[a[b]]" yields ["a[b]"] and "[a]b" yields that helper's error.
// An empty input yields a nil slice and no error.
func extractNameInNestedBrackets(s string) ([]string, error) {
	var names []string
	for pos := 0; pos < len(s); {
		end := -1
		if s[pos] == '[' {
			// The segment ends at the first bracket of either kind after the
			// opener, and only counts if that bracket is the closing ']'.
			if i := strings.IndexAny(s[pos+1:], "[]"); i >= 0 && s[pos+1+i] == ']' {
				end = pos + 1 + i
			}
		}
		if end < 0 {
			// Not a clean sequence of segments: fall back to the single-name form.
			name, err := extractNameInBrackets(s)
			if err != nil {
				return nil, err
			}
			return []string{name}, nil
		}
		names = append(names, s[pos+1:end])
		pos = end + 1
	}
	return names, nil
}

// MetadataStringMatcherForJWTClaim builds a metadata matcher for the JWT
// claim named claim whose value must satisfy the string matcher m. It wraps
// m in a ValueMatcher and delegates to MetadataValueMatcherForJWTClaim.
func MetadataStringMatcherForJWTClaim(claim string, m *matcherpb.StringMatcher) *matcherpb.MetadataMatcher {
	stringPattern := &matcherpb.ValueMatcher_StringMatch{StringMatch: m}
	valueMatcher := &matcherpb.ValueMatcher{MatchPattern: stringPattern}
	return MetadataValueMatcherForJWTClaim(claim, valueMatcher)
}

// MetadataValueMatcherForJWTClaim builds a metadata matcher that reads the
// Envoy JWT filter's metadata (filters.EnvoyJwtFilterName) at the two-key
// path [filters.EnvoyJwtFilterPayload, claim] and matches the value found
// there against m. The claim name is used verbatim as a single path key.
func MetadataValueMatcherForJWTClaim(claim string, m *matcherpb.ValueMatcher) *matcherpb.MetadataMatcher {
	keySegment := func(key string) *matcherpb.MetadataMatcher_PathSegment {
		return &matcherpb.MetadataMatcher_PathSegment{
			Segment: &matcherpb.MetadataMatcher_PathSegment_Key{Key: key},
		}
	}
	path := []*matcherpb.MetadataMatcher_PathSegment{
		keySegment(filters.EnvoyJwtFilterPayload),
		keySegment(claim),
	}
	return &matcherpb.MetadataMatcher{
		Filter: filters.EnvoyJwtFilterName,
		Path:   path,
		Value:  m,
	}
}

// MetadataListValueMatcherForJWTClaims builds a list-value metadata matcher
// over the Envoy JWT filter's metadata (filters.EnvoyJwtFilterName), rooted
// at filters.EnvoyJwtFilterPayload and followed by claims in order, matching
// against value. The trailing true is passed through to
// matcher.MetadataListValueMatcher unchanged; its meaning is defined there.
func MetadataListValueMatcherForJWTClaims(claims []string, value *matcherpb.ValueMatcher) *matcherpb.MetadataMatcher {
	path := make([]string, 0, len(claims)+1)
	path = append(path, filters.EnvoyJwtFilterPayload)
	path = append(path, claims...)
	return matcher.MetadataListValueMatcher(filters.EnvoyJwtFilterName, path, value, true)
}

// MetadataMatcherForJWTClaims is a convenience for building a metadata
// matcher over a JWT claim path. With useExtendedJwt set, the matcher reads
// the Envoy JWT filter's metadata (filters.EnvoyJwtFilterName) under
// filters.EnvoyJwtFilterPayload; otherwise it reads the authn filter's
// metadata (filters.AuthnFilterName) under attrRequestClaims. In both cases
// claims are appended in order after the root key and value is the string
// matcher applied at that path. The final boolean argument is passed
// through to matcher.MetadataListMatcher; its meaning is defined there.
func MetadataMatcherForJWTClaims(claims []string, value *matcherpb.StringMatcher, useExtendedJwt bool) *matcherpb.MetadataMatcher {
	withRoot := func(root string) []string {
		path := make([]string, 0, len(claims)+1)
		path = append(path, root)
		return append(path, claims...)
	}
	if useExtendedJwt {
		return matcher.MetadataListMatcher(filters.EnvoyJwtFilterName, withRoot(filters.EnvoyJwtFilterPayload), value, true)
	}
	return matcher.MetadataListMatcher(filters.AuthnFilterName, withRoot(attrRequestClaims), value, false)
}