policy: return hasAuthType from GetAuthType

Make GetAuthType return both if the auth type is explicitly present, and the auth type itself. This becomes necessary when considering if the auth type of a more generic entiry should override the one in a more specific entry in future. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme · Jul 12, 2023 · 59e7981 · 59e7981
1 parent 8be4aef
commit 59e7981
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 24 deletions.
diff --git a/pkg/policy/l4.go b/pkg/policy/l4.go
@@ -235,18 +235,36 @@ const (
 	AuthTypeAlwaysFail
 )
 
+type HasAuthType bool
+
+const (
+	DefaultAuthType  HasAuthType = false
+	ExplicitAuthType HasAuthType = true
+)
+
 // GetAuthType returns the AuthType of the L4Filter.
-func (a *PerSelectorPolicy) GetAuthType() AuthType {
-	if a == nil || a.Authentication == nil {
-		return AuthTypeDisabled
+func (a *PerSelectorPolicy) GetAuthType() (HasAuthType, AuthType) {
+	if a == nil {
+		return DefaultAuthType, AuthTypeDisabled
+	}
+	return GetAuthType(a.Authentication)
+}
+
+// GetAuthType returns boolean HasAuthType and AuthType for the api.Authentication
+// If there is no explicit auth type, (DefaultAuthType, AuthTypeDisabled) is returned
+func GetAuthType(auth *api.Authentication) (HasAuthType, AuthType) {
+	if auth == nil {
+		return DefaultAuthType, AuthTypeDisabled
 	}
-	switch a.Authentication.Mode {
+	switch auth.Mode {
+	case api.AuthenticationModeDisabled:
+		return ExplicitAuthType, AuthTypeDisabled
 	case api.AuthenticationModeRequired:
-		return AuthTypeSpire
+		return ExplicitAuthType, AuthTypeSpire
 	case api.AuthenticationModeAlwaysFail:
-		return AuthTypeAlwaysFail
+		return ExplicitAuthType, AuthTypeAlwaysFail
 	default:
-		return AuthTypeDisabled
+		return DefaultAuthType, AuthTypeDisabled
 	}
 }
 
@@ -551,7 +569,8 @@ func (l4Filter *L4Filter) toMapState(p *EndpointPolicy, identities Identities, f
 			}
 		}
 
-		entry := NewMapStateEntry(cs, l4Filter.RuleOrigin[cs], currentRule.IsRedirect(), isDenyRule, currentRule.GetAuthType())
+		_, authType := currentRule.GetAuthType()
+		entry := NewMapStateEntry(cs, l4Filter.RuleOrigin[cs], currentRule.IsRedirect(), isDenyRule, authType)
 		if cs.IsWildcard() {
 			keyToAdd.Identity = 0
 			if entryCb(keyToAdd, &entry) {
@@ -623,7 +642,7 @@ func (l4 *L4Filter) IdentitySelectionUpdated(selector CachedSelector, added, del
 		}
 		perSelectorPolicy := l4.PerSelectorPolicies[selector]
 		isRedirect := perSelectorPolicy.IsRedirect()
-		authType := perSelectorPolicy.GetAuthType()
+		_, authType := perSelectorPolicy.GetAuthType()
 		isDeny := perSelectorPolicy != nil && perSelectorPolicy.IsDeny
 		l4Policy.AccumulateMapChanges(selector, added, deleted, l4, direction, isRedirect, isDeny, authType)
 	}
@@ -864,20 +883,22 @@ func (l4 *L4Filter) attach(ctx PolicyContext, l4Policy *L4Policy) policyFeatures
 			if cp.IsDeny {
 				features.setFeature(denyRules)
 			}
-			if cp.Authentication != nil {
+
+			hasAuth, authType := GetAuthType(cp.Authentication)
+			if hasAuth {
 				features.setFeature(authRules)
-			}
 
-			if authType := cp.GetAuthType(); authType != AuthTypeDisabled {
-				if l4Policy.AuthMap == nil {
-					l4Policy.AuthMap = make(AuthMap, 1)
-				}
-				authTypes := l4Policy.AuthMap[cs]
-				if authTypes == nil {
-					authTypes = make(AuthTypes, 1)
+				if authType != AuthTypeDisabled {
+					if l4Policy.AuthMap == nil {
+						l4Policy.AuthMap = make(AuthMap, 1)
+					}
+					authTypes := l4Policy.AuthMap[cs]
+					if authTypes == nil {
+						authTypes = make(AuthTypes, 1)
+					}
+					authTypes[authType] = struct{}{}
+					l4Policy.AuthMap[cs] = authTypes
 				}
-				authTypes[authType] = struct{}{}
-				l4Policy.AuthMap[cs] = authTypes
 			}
 
 			// Compute Envoy policies when a policy is ready to be used

diff --git a/pkg/policy/l4_test.go b/pkg/policy/l4_test.go
@@ -149,15 +149,19 @@ func (s *PolicyTestSuite) TestCreateL4Filter(c *C) {
 		c.Assert(err, IsNil)
 		c.Assert(len(filter.PerSelectorPolicies), Equals, 1)
 		for _, r := range filter.PerSelectorPolicies {
-			c.Assert(r.GetAuthType(), Equals, AuthTypeDisabled)
+			hasAuth, authType := r.GetAuthType()
+			c.Assert(hasAuth, Equals, DefaultAuthType)
+			c.Assert(authType, Equals, AuthTypeDisabled)
 		}
 		c.Assert(filter.redirectType(), Equals, redirectTypeEnvoy)
 
 		filter, err = createL4EgressFilter(testPolicyContext, eps, nil, portrule, tuple, tuple.Protocol, nil, nil)
 		c.Assert(err, IsNil)
 		c.Assert(len(filter.PerSelectorPolicies), Equals, 1)
 		for _, r := range filter.PerSelectorPolicies {
-			c.Assert(r.GetAuthType(), Equals, AuthTypeDisabled)
+			hasAuth, authType := r.GetAuthType()
+			c.Assert(hasAuth, Equals, DefaultAuthType)
+			c.Assert(authType, Equals, AuthTypeDisabled)
 		}
 		c.Assert(filter.redirectType(), Equals, redirectTypeEnvoy)
 	}
@@ -188,15 +192,19 @@ func (s *PolicyTestSuite) TestCreateL4FilterAuthRequired(c *C) {
 		c.Assert(err, IsNil)
 		c.Assert(len(filter.PerSelectorPolicies), Equals, 1)
 		for _, r := range filter.PerSelectorPolicies {
-			c.Assert(r.GetAuthType(), Equals, AuthTypeDisabled)
+			hasAuth, authType := r.GetAuthType()
+			c.Assert(hasAuth, Equals, ExplicitAuthType)
+			c.Assert(authType, Equals, AuthTypeDisabled)
 		}
 		c.Assert(filter.redirectType(), Equals, redirectTypeEnvoy)
 
 		filter, err = createL4EgressFilter(testPolicyContext, eps, auth, portrule, tuple, tuple.Protocol, nil, nil)
 		c.Assert(err, IsNil)
 		c.Assert(len(filter.PerSelectorPolicies), Equals, 1)
 		for _, r := range filter.PerSelectorPolicies {
-			c.Assert(r.GetAuthType(), Equals, AuthTypeDisabled)
+			hasAuth, authType := r.GetAuthType()
+			c.Assert(hasAuth, Equals, ExplicitAuthType)
+			c.Assert(authType, Equals, AuthTypeDisabled)
 		}
 		c.Assert(filter.redirectType(), Equals, redirectTypeEnvoy)
 	}