package route
import (
	"errors"
	"fmt"

	xds_rbac "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
	xds_http_rbac "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3"
	"github.com/golang/protobuf/ptypes/any"
	"google.golang.org/protobuf/types/known/anypb"

	"github.com/openservicemesh/osm/pkg/envoy/rbac"
	"github.com/openservicemesh/osm/pkg/trafficpolicy"
)
// rbacPerRoutePolicyName is the key under which the single per-route RBAC
// policy is stored in the policy map of the generated RBAC rules.
const rbacPerRoutePolicyName = "rbac-for-route"
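// buildInboundRBACFilterForRule builds the per-route HTTP RBAC filter config
// for the given inbound traffic policy rule and returns it packed in a
// protobuf Any (wrapped in the RBACPerRoute envelope).
//
// The filter carries exactly one policy, keyed by rbacPerRoutePolicyName,
// whose principals are the entries of rule.AllowedPrincipals. No permissions
// are added to the builder, so the policy's permissions are whatever
// rbac.PolicyBuilder.Build emits in that case (the original doc states this
// is implicitly ANY, i.e. all permissions; the builder is not visible here).
// Because the action is RBAC_ALLOW, a request is admitted if and only if it
// matches the policy, i.e. if its downstream identity is one of the listed
// principals; every other request on the route is denied by the filter, which
// is the fail-closed behaviour an allow-list should have.
//
// trustDomain is not read by this function: principals are copied verbatim
// from the rule, so the caller is responsible for rendering them in the form
// the RBAC filter matches on.
//
// Returns an error if rule is nil, if rule.AllowedPrincipals is unset, or if
// the filter config cannot be marshalled into an Any.
func buildInboundRBACFilterForRule(rule *trafficpolicy.Rule, trustDomain string) (*any.Any, error) {
	// Guard the pointer first: dereferencing a nil rule below would panic the
	// control plane on a malformed policy instead of surfacing an error.
	if rule == nil {
		return nil, errors.New("trafficpolicy.Rule not set")
	}
	if rule.AllowedPrincipals == nil {
		return nil, errors.New("trafficpolicy.Rule.AllowedPrincipals not set")
	}

	// Every allowed principal becomes a principal of the single ALLOW policy.
	// NOTE(review): an empty (non-nil) AllowedPrincipals set yields a policy
	// with no principals; confirm against rbac.PolicyBuilder.Build and Envoy's
	// proto validation that this cannot widen into "allow everyone" — an empty
	// allow-list must deny all traffic on the route.
	pb := &rbac.PolicyBuilder{}
	for downstream := range rule.AllowedPrincipals.Iter() {
		// The set is expected to hold only strings; any other element type is
		// a programming error, so the unchecked assertion (and its panic) is
		// deliberate rather than silently skipping a principal.
		pb.AddPrincipal(downstream.(string))
	}

	// ALLOW semantics: the request is allowed if and only if some policy in
	// the map matches it. With a single policy, "matches" means "presents one
	// of the principals above".
	httpRBAC := &xds_http_rbac.RBAC{
		Rules: &xds_rbac.RBAC{
			Action: xds_rbac.RBAC_ALLOW,
			Policies: map[string]*xds_rbac.Policy{
				rbacPerRoutePolicyName: pb.Build(),
			},
		},
	}

	// Wrap the HTTP RBAC config in the per-route envelope and pack it into an
	// Any. *anypb.Any and *any.Any are the same type (the legacy ptypes/any
	// package aliases anypb), so the result satisfies the declared return type.
	marshalled, err := anypb.New(&xds_http_rbac.RBACPerRoute{Rbac: httpRBAC})
	if err != nil {
		return nil, fmt.Errorf("marshalling RBACPerRoute config for policy %q: %w", rbacPerRoutePolicyName, err)
	}
	return marshalled, nil
}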