matcherpb "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
"istio.io/istio/pilot/pkg/security/authz/matcher"
"istio.io/istio/pilot/pkg/xds/filters"
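// convertToPort parses v as a base-10 port number and returns it as a uint32.
//
// It returns an error when v is not an unsigned decimal integer or when the
// value is greater than 65535. Port 0 is accepted; a caller that needs a
// usable port has to reject it itself.
func convertToPort(v string) (uint32, error) {
	p, err := strconv.ParseUint(v, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid port %s: %v", v, err)
	}
	// ParseUint was asked for 32 bits, so 65536..4294967295 parse without an
	// error. Report the range violation on its own instead of formatting a nil
	// error into the message.
	if p > 65535 {
		return 0, fmt.Errorf("invalid port %s: must be in the range 0-65535", v)
	}
	return uint32(p), nil
}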
// extractNameInBrackets returns the text between the leading "[" and the
// trailing "]" of s.
//
// Only the outermost pair is stripped: brackets inside s are returned
// unchanged, and "[]" yields an empty name with a nil error. An error is
// returned when s does not both start with "[" and end with "]".
func extractNameInBrackets(s string) (string, error) {
	last := len(s) - 1
	// A single byte cannot be the opening and the closing bracket at once, so
	// anything shorter than two bytes is rejected like any other malformed input.
	if last < 1 || s[0] != '[' || s[last] != ']' {
		return "", fmt.Errorf("expecting format [<NAME>], but found %s", s)
	}
	return s[1:last], nil
}
// extractNameInNestedBrackets splits s into the names held by a run of
// adjacent bracket pairs, so "[a][b]" yields ["a", "b"].
//
// When s is not made up entirely of such pairs (a pair contains another "[",
// a "]" is missing, or text sits outside the brackets), the whole of s is
// handed to extractNameInBrackets and its result comes back as a single name
// or as the error. An empty s never enters the loop and returns a nil slice
// with a nil error.
// NOTE(review): confirm callers reject an empty claim path before using the
// result to build a matcher.
func extractNameInNestedBrackets(s string) ([]string, error) {
	// closingBracket reports the index of the "]" that closes the "[" at open,
	// or -1 when open is out of range, does not hold "[", or another "[" comes
	// before the next "]".
	closingBracket := func(open int) int {
		if open >= len(s) || s[open] != '[' {
			return -1
		}
		rel := strings.IndexAny(s[open+1:], "[]")
		if rel < 0 || s[open+1+rel] != ']' {
			return -1
		}
		return open + 1 + rel
	}

	var names []string
	pos := 0
	for pos < len(s) {
		closeAt := closingBracket(pos)
		if closeAt < 0 {
			// Not a clean run of pairs: treat s as one bracketed name. Names
			// collected so far are dropped on purpose, the fallback looks at
			// the full string again.
			single, err := extractNameInBrackets(s)
			if err != nil {
				return nil, err
			}
			return []string{single}, nil
		}
		names = append(names, s[pos+1:closeAt])
		pos = closeAt + 1
	}
	return names, nil
}
// MetadataStringMatcherForJWTClaim builds a metadata matcher that applies the
// string matcher m to a single JWT claim.
//
// It wraps m in a ValueMatcher and delegates to
// MetadataValueMatcherForJWTClaim, so claim is treated the same way there:
// as one key directly under the JWT payload.
func MetadataStringMatcherForJWTClaim(claim string, m *matcherpb.StringMatcher) *matcherpb.MetadataMatcher {
	stringValue := &matcherpb.ValueMatcher{
		MatchPattern: &matcherpb.ValueMatcher_StringMatch{StringMatch: m},
	}
	return MetadataValueMatcherForJWTClaim(claim, stringValue)
}
// MetadataValueMatcherForJWTClaim builds a metadata matcher that applies m to
// a single JWT claim.
//
// The matcher targets filters.EnvoyJwtFilterName and walks a two-segment path:
// filters.EnvoyJwtFilterPayload, then claim. claim is used verbatim as one
// key and is not split, so it addresses a claim directly under the payload;
// a path with several keys goes through MetadataListValueMatcherForJWTClaims
// or MetadataMatcherForJWTClaims instead.
func MetadataValueMatcherForJWTClaim(claim string, m *matcherpb.ValueMatcher) *matcherpb.MetadataMatcher {
	// keySegment wraps one key in the path-segment message the matcher expects.
	keySegment := func(key string) *matcherpb.MetadataMatcher_PathSegment {
		return &matcherpb.MetadataMatcher_PathSegment{
			Segment: &matcherpb.MetadataMatcher_PathSegment_Key{Key: key},
		}
	}

	return &matcherpb.MetadataMatcher{
		Filter: filters.EnvoyJwtFilterName,
		Path: []*matcherpb.MetadataMatcher_PathSegment{
			keySegment(filters.EnvoyJwtFilterPayload),
			keySegment(claim),
		},
		Value: m,
	}
}
// MetadataListValueMatcherForJWTClaims builds a metadata matcher for the JWT
// claim addressed by claims and delegates to matcher.MetadataListValueMatcher.
//
// The path handed over is filters.EnvoyJwtFilterPayload followed by claims in
// order, under filters.EnvoyJwtFilterName. The trailing true is passed through
// unchanged; its meaning is defined by matcher.MetadataListValueMatcher.
func MetadataListValueMatcherForJWTClaims(claims []string, value *matcherpb.ValueMatcher) *matcherpb.MetadataMatcher {
	// Appending onto a fresh one-element slice copies claims, so the caller's
	// slice is never written to.
	path := append([]string{filters.EnvoyJwtFilterPayload}, claims...)
	return matcher.MetadataListValueMatcher(filters.EnvoyJwtFilterName, path, value, true)
}
// MetadataMatcherForJWTClaims builds a metadata matcher that applies the
// string matcher value to the JWT claim addressed by claims, delegating to
// matcher.MetadataListMatcher.
//
// useExtendedJwt selects where the claims are read from:
//   - true:  filters.EnvoyJwtFilterName, path rooted at filters.EnvoyJwtFilterPayload
//   - false: filters.AuthnFilterName, path rooted at attrRequestClaims
//
// The flag is also forwarded as the last argument of
// matcher.MetadataListMatcher.
// NOTE(review): the two branches read from different filters, so the flag has
// to agree with the filter that actually populates the claims; confirm at the
// call site.
func MetadataMatcherForJWTClaims(claims []string, value *matcherpb.StringMatcher, useExtendedJwt bool) *matcherpb.MetadataMatcher {
	var filterName, root string = filters.AuthnFilterName, attrRequestClaims
	if useExtendedJwt {
		filterName, root = filters.EnvoyJwtFilterName, filters.EnvoyJwtFilterPayload
	}
	// Appending onto a fresh one-element slice copies claims, so the caller's
	// slice is never written to.
	path := append([]string{root}, claims...)
	return matcher.MetadataListMatcher(filterName, path, value, useExtendedJwt)
}