// Copyright (c) 2018 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package checker
import (
"strings"
"github.com/projectcalico/app-policy/policystore"
"github.com/projectcalico/app-policy/proto"
authz "github.com/envoyproxy/data-plane-api/envoy/service/auth/v2"
"github.com/gogo/googleapis/google/rpc"
log "github.com/sirupsen/logrus"
)
// gRPC status codes the checker reports. They are resolved by name from the
// generated rpc.Code_value table so the numeric values always track the enum.
var (
	OK                = rpc.Code_value["OK"]
	PERMISSION_DENIED = rpc.Code_value["PERMISSION_DENIED"]
	UNAVAILABLE       = rpc.Code_value["UNAVAILABLE"]
	INVALID_ARGUMENT  = rpc.Code_value["INVALID_ARGUMENT"]
	INTERNAL          = rpc.Code_value["INTERNAL"]
)
// Action is an enumeration of actions a policy rule can take if it is matched.
type Action int

// Rule actions. The numeric values are what is logged in the "result" field of the
// per-policy debug messages, so the order below must not change.
const (
	// ALLOW admits the request.
	ALLOW Action = iota
	// DENY rejects the request.
	DENY
	// LOG is accepted from a rule but never returned by rule evaluation, which
	// continues with the next rule instead (requests are not actually logged).
	LOG
	// PASS ends evaluation of the current stage (the policy tier) and hands the
	// request to the next one (the profiles).
	PASS
	// NO_MATCH indicates policy did not match request. Cannot be assigned to a rule.
	NO_MATCH
)
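// checkStore applies the policy in the given store to req and returns OK if the check
// passes, or PERMISSION_DENIED if it fails. The result defaults to PERMISSION_DENIED:
// an endpoint that has not been synced yet, a request the cache cannot be built for,
// a tier in which no policy matched, and an endpoint with no active profiles all deny.
//
// Only the first tier of the endpoint is evaluated (multiple tiers are not supported).
// A PASS from a policy ends tier evaluation and hands the request to the endpoint's
// profiles; a PASS from a profile denies, since nothing is evaluated after profiles.
//
// A policy or profile that the endpoint references but that is missing from the store
// (for example because it has not been synced yet) denies the request instead of
// dereferencing a nil lookup result, so an incompletely synced store fails closed.
//
// Invalid request data is signalled by a panic with *InvalidDataFromDataPlane from the
// request cache or the matchers; that panic is recovered here and reported as
// INVALID_ARGUMENT. Any other panic is re-raised.
func checkStore(store *policystore.PolicyStore, req *authz.CheckRequest) (s rpc.Status) {
	s = rpc.Status{Code: PERMISSION_DENIED}
	ep := store.Endpoint
	if ep == nil {
		log.Warning("CheckRequest before we synced Endpoint information.")
		return
	}
	reqCache, err := NewRequestCache(store, req)
	if err != nil {
		log.WithField("error", err).Error("Failed to init requestCache")
		return
	}
	defer func() {
		if r := recover(); r != nil {
			// Recover from the panic if we know what it is and we know what to do with it.
			if _, ok := r.(*InvalidDataFromDataPlane); ok {
				s = rpc.Status{Code: INVALID_ARGUMENT}
			} else {
				panic(r)
			}
		}
	}()

	if len(ep.Tiers) > 0 {
		// We only support a single tier.
		log.Debug("Checking policy tier 1.")
		tier := ep.Tiers[0]
		switch evalTierPolicies(store, tier.GetName(), tier.IngressPolicies, reqCache) {
		case ALLOW:
			s.Code = OK
			return
		case DENY:
			s.Code = PERMISSION_DENIED
			return
		case NO_MATCH:
			// Done evaluating policies in the tier. If no policy rules have matched, there is
			// an implicit default deny at the end of the tier.
			log.Debug("No policy matched. Tier default DENY applies.")
			s.Code = PERMISSION_DENIED
			return
		case PASS:
			// Pass means end evaluation of policies and proceed to profiles, if any.
		}
	}

	// If we reach here, there were either no tiers, or a policy PASSed the request.
	if len(ep.ProfileIds) == 0 {
		log.Debug("0 active profiles, deny request.")
		s.Code = PERMISSION_DENIED
		return
	}
	if evalProfiles(store, ep.ProfileIds, reqCache) == ALLOW {
		s.Code = OK
	} else {
		// DENY, PASS and NO_MATCH all deny: profiles are the last stage evaluated.
		s.Code = PERMISSION_DENIED
	}
	return
}

// evalTierPolicies evaluates the named ingress policies of one tier in order and
// returns the action of the first policy that matches the request: ALLOW, DENY or
// PASS. NO_MATCH means no policy in the tier matched; the caller applies the tier's
// implicit default deny. A policy name that is not present in the store is treated as
// DENY so that a store that has not finished syncing fails closed rather than panicking.
func evalTierPolicies(store *policystore.PolicyStore, tierName string, policies []string, req *requestCache) Action {
	for i, name := range policies {
		pID := proto.PolicyID{Tier: tierName, Name: name}
		policy, ok := store.PolicyByID[pID]
		if !ok || policy == nil {
			log.WithFields(log.Fields{
				"ordinal":  i,
				"PolicyID": pID,
			}).Warning("Policy referenced by endpoint is not in the store; denying request")
			return DENY
		}
		action := checkPolicy(policy, req)
		log.WithFields(log.Fields{
			"ordinal":  i,
			"PolicyID": pID,
			"result":   action,
		}).Debug("Policy checked")
		switch action {
		case NO_MATCH:
			continue
		case ALLOW, DENY, PASS:
			// If the Policy matches, end evaluation of the tier. ALLOW and DENY are final;
			// PASS hands the request on to the profiles.
			return action
		case LOG:
			log.Panic("policy should never return LOG action")
		}
	}
	return NO_MATCH
}

// evalProfiles evaluates the named profiles in order and returns the action of the
// first profile that matches the request, or NO_MATCH if none does. A profile name
// that is not present in the store is treated as DENY (fail closed).
func evalProfiles(store *policystore.PolicyStore, profileIDs []string, req *requestCache) Action {
	for i, name := range profileIDs {
		pID := proto.ProfileID{Name: name}
		profile, ok := store.ProfileByID[pID]
		if !ok || profile == nil {
			log.WithFields(log.Fields{
				"ordinal":   i,
				"ProfileID": pID,
			}).Warning("Profile referenced by endpoint is not in the store; denying request")
			return DENY
		}
		action := checkProfile(profile, req)
		log.WithFields(log.Fields{
			"ordinal":   i,
			"ProfileID": pID,
			"result":    action,
		}).Debug("Profile checked")
		switch action {
		case NO_MATCH:
			continue
		case ALLOW, DENY, PASS:
			return action
		case LOG:
			log.Panic("profile should never return LOG action")
		}
	}
	return NO_MATCH
}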
// checkPolicy checks if the policy matches the request data, and returns the action.
// Only the policy's inbound rules are evaluated; its namespace is handed to the rule
// matcher alongside them.
func checkPolicy(policy *proto.Policy, req *requestCache) (action Action) {
	// Note that we support only inbound policy.
	inbound := policy.InboundRules
	action = checkRules(inbound, req, policy.Namespace)
	return action
}
// checkProfile checks if the profile matches the request data, and returns the action.
// As with policies only inbound rules are evaluated; profiles carry no namespace, so an
// empty one is passed to the rule matcher.
func checkProfile(p *proto.Profile, req *requestCache) (action Action) {
	const noNamespace = ""
	action = checkRules(p.InboundRules, req, noNamespace)
	return action
}
// checkRules evaluates rules in order against the request and returns the action of
// the first matching rule whose action is not LOG. A matching LOG rule does not end
// evaluation. NO_MATCH is returned when no rule matches (or only LOG rules do).
// policyNamespace is passed through to the rule matcher.
func checkRules(rules []*proto.Rule, req *requestCache, policyNamespace string) (action Action) {
	action = NO_MATCH
	for _, rule := range rules {
		if !match(rule, req, policyNamespace) {
			continue
		}
		log.Debugf("Rule matched.")
		if a := actionFromString(rule.Action); a != LOG {
			action = a
			break
		}
		// We don't support actually logging requests, but if we hit a LOG action, we should
		// continue processing rules.
	}
	return action
}
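// actionFromString converts a string action name, like "allow" into an Action.
// Matching is case-insensitive. Both the v1 name "next-tier" and the v3 name "pass"
// map to PASS. An unknown action name is logged and then raises a panic via
// log.Panic; it is never silently mapped to an Action.
func actionFromString(s string) Action {
	// Felix currently passes us the v1 resource types where the "pass" action is called "next-tier".
	// Here we support both the v1 and v3 action names. A switch is used rather than a map
	// literal so that nothing is allocated on this per-rule, per-request path.
	switch strings.ToLower(s) {
	case "allow":
		return ALLOW
	case "deny":
		return DENY
	case "pass", "next-tier":
		return PASS
	case "log":
		return LOG
	default:
		log.Errorf("Got bad action %v", s)
		log.Panic("got bad action")
		// Unreachable: log.Panic does not return. Kept only to satisfy the compiler,
		// and deliberately not ALLOW.
		return NO_MATCH
	}
}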