/
authorization_policy_processor.go
86 lines (67 loc) · 3.01 KB
/
authorization_policy_processor.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
package processors
import (
"context"
gatewayv1beta1 "github.com/kyma-project/api-gateway/apis/gateway/v1beta1"
"github.com/go-logr/logr"
"github.com/kyma-project/api-gateway/internal/processing"
"github.com/kyma-project/api-gateway/internal/processing/hashbasedstate"
securityv1beta1 "istio.io/client-go/pkg/apis/security/v1beta1"
ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
)
// AuthorizationPolicyProcessor is the generic processor that handles the Istio JwtAuthorization Policies in the reconciliation of API Rule.
type AuthorizationPolicyProcessor struct {
Creator AuthorizationPolicyCreator
Log *logr.Logger
}
// AuthorizationPolicyCreator provides the creation of AuthorizationPolicies using the configuration in the given APIRule.
// The key of the map is expected to be unique and comparable with the
type AuthorizationPolicyCreator interface {
Create(ctx context.Context, client ctrlclient.Client, api *gatewayv1beta1.APIRule) (hashbasedstate.Desired, error)
}
func (r AuthorizationPolicyProcessor) EvaluateReconciliation(ctx context.Context, client ctrlclient.Client, apiRule *gatewayv1beta1.APIRule) ([]*processing.ObjectChange, error) {
desired, err := r.getDesiredState(ctx, client, apiRule)
if err != nil {
return nil, err
}
actual, err := r.getActualState(ctx, client, apiRule)
if err != nil {
return make([]*processing.ObjectChange, 0), err
}
changes := r.getObjectChanges(desired, actual)
return changes, nil
}
func (r AuthorizationPolicyProcessor) getDesiredState(ctx context.Context, client ctrlclient.Client, api *gatewayv1beta1.APIRule) (hashbasedstate.Desired, error) {
hashDummy, err := r.Creator.Create(ctx, client, api)
if err != nil {
return hashDummy, err
}
return hashDummy, nil
}
func (r AuthorizationPolicyProcessor) getActualState(ctx context.Context, client ctrlclient.Client, api *gatewayv1beta1.APIRule) (hashbasedstate.Actual, error) {
state := hashbasedstate.NewActual()
labels := processing.GetOwnerLabels(api)
var apList securityv1beta1.AuthorizationPolicyList
if err := client.List(ctx, &apList, ctrlclient.MatchingLabels(labels)); err != nil {
return state, err
}
for _, ap := range apList.Items {
h := hashbasedstate.NewAuthorizationPolicy(ap)
state.Add(&h)
}
return state, nil
}
func (r AuthorizationPolicyProcessor) getObjectChanges(desired hashbasedstate.Desired, actual hashbasedstate.Actual) []*processing.ObjectChange {
var apObjectActionsToApply []*processing.ObjectChange
changes := hashbasedstate.GetChanges(desired, actual)
r.Log.Info("Authorization policy changes that will be applied", "changes", changes)
for _, ap := range changes.Create {
apObjectActionsToApply = append(apObjectActionsToApply, processing.NewObjectCreateAction(ap))
}
for _, ap := range changes.Update {
apObjectActionsToApply = append(apObjectActionsToApply, processing.NewObjectUpdateAction(ap))
}
for _, ap := range changes.Delete {
apObjectActionsToApply = append(apObjectActionsToApply, processing.NewObjectDeleteAction(ap))
}
return apObjectActionsToApply
}