Documentation
¶
Overview ¶
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */
Index ¶
- Constants
- func ParseRbacFilterConfig(cfg map[string]interface{}) (*v2.RBACConfig, error)
- type DefaultUrlPathMatcher
- type ExactStringMatcher
- type HeaderMatcher
- type HeaderMatcherPresentMatch
- type HeaderMatcherRangeMatch
- type InheritPermission
- type InheritPolicy
- type InheritPrincipal
- type PermissionAndRules
- type PermissionAny
- type PermissionDestinationIp
- type PermissionDestinationPort
- type PermissionHeader
- type PermissionNotRule
- type PermissionOrRules
- type PermissionUrlPath
- type PrefixStringMatcher
- type PrincipalAndIds
- type PrincipalAny
- type PrincipalDirectRemoteIp
- type PrincipalHeader
- type PrincipalMetadata
- type PrincipalNotId
- type PrincipalOrIds
- type PrincipalRemoteIp
- type PrincipalSourceIp
- type RegexStringMatcher
- type RoleBasedAccessControlEngine
- type StringMatcher
- type SuffixStringMatcher
- type UrlPathMatcher
Constants ¶
View Source
const ( PseudoHeaderMethod = ":method" PseudoHeaderPath = ":path" // indicate method name in rpc protocol PseudoHeaderScheme = ":scheme" PseudoHeaderAuthority = ":authority" )
Variables ¶
This section is empty.
Functions ¶
func ParseRbacFilterConfig ¶
func ParseRbacFilterConfig(cfg map[string]interface{}) (*v2.RBACConfig, error)
parse rbac filter config to v2.RBAC struct
Types ¶
type DefaultUrlPathMatcher ¶
type DefaultUrlPathMatcher struct {
Matcher StringMatcher
}
func (*DefaultUrlPathMatcher) Equal ¶
func (matcher *DefaultUrlPathMatcher) Equal(targetValue string) bool
type ExactStringMatcher ¶
type ExactStringMatcher struct {
ExactMatch string
}
StringMatcher_Exact
func (*ExactStringMatcher) Equal ¶
func (matcher *ExactStringMatcher) Equal(targetValue string) bool
type HeaderMatcher ¶
HeaderMatcher
func NewHeaderMatcher ¶
func NewHeaderMatcher(header *envoy_config_route_v3.HeaderMatcher) (HeaderMatcher, error)
type HeaderMatcherPresentMatch ¶
type HeaderMatcherPresentMatch struct {
PresentMatch bool
}
HeaderMatcher_PresentMatch
func (*HeaderMatcherPresentMatch) Equal ¶
func (matcher *HeaderMatcherPresentMatch) Equal(targetValue string) bool
type HeaderMatcherRangeMatch ¶
HeaderMatcher_RangeMatch
func (*HeaderMatcherRangeMatch) Equal ¶
func (matcher *HeaderMatcherRangeMatch) Equal(targetValue string) bool
type InheritPermission ¶
type InheritPermission interface {
// A policy matches if and only if at least one of InheritPermission.Match return true
// AND at least one of InheritPrincipal.Match return true
Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
// contains filtered or unexported methods
}
func NewInheritPermission ¶
func NewInheritPermission(permission *envoy_config_rabc_v3.Permission) (InheritPermission, error)
Receive the v2alpha.Permission input and convert it to mosn rbac permission
type InheritPolicy ¶
type InheritPolicy struct {
// The set of permissions that define a role.
// Each permission is matched with OR semantics.
// To match all actions for this policy, a single Permission with the `any` field set to true should be used.
InheritPermissions []InheritPermission
// The set of principals that are assigned/denied the role based on “action”.
// Each principal is matched with OR semantics.
// To match all downstreams for this policy, a single Principal with the `any` field set to true should be used.
InheritPrincipals []InheritPrincipal
}
func NewInheritPolicy ¶
func NewInheritPolicy(policy *envoy_config_rabc_v3.Policy) (*InheritPolicy, error)
Receive the v2alpha.Policy input and convert it to mosn rbac policy
func (*InheritPolicy) Match ¶
func (inheritPolicy *InheritPolicy) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
A policy matches if and only if at least one of its permissions match the action taking place AND at least one of its principals match the downstream.
type InheritPrincipal ¶
type InheritPrincipal interface {
// A policy matches if and only if at least one of InheritPermission.Match return true
// AND at least one of InheritPrincipal.Match return true
Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
// contains filtered or unexported methods
}
func NewInheritPrincipal ¶
func NewInheritPrincipal(principal *envoy_config_rabc_v3.Principal) (InheritPrincipal, error)
Receive the v2alpha.Principal input and convert it to mosn rbac principal
type PermissionAndRules ¶
type PermissionAndRules struct {
AndRules []InheritPermission
}
Permission_AndRules
func NewPermissionAndRules ¶
func NewPermissionAndRules(permission *envoy_config_rabc_v3.Permission_AndRules) (*PermissionAndRules, error)
func (*PermissionAndRules) Match ¶
func (permission *PermissionAndRules) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PermissionAny ¶
type PermissionAny struct {
Any bool
}
Permission_Any
func NewPermissionAny ¶
func NewPermissionAny(permission *envoy_config_rabc_v3.Permission_Any) (*PermissionAny, error)
func (*PermissionAny) Match ¶
func (permission *PermissionAny) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PermissionDestinationIp ¶
Permission_DestinationIp
func NewPermissionDestinationIp ¶
func NewPermissionDestinationIp(permission *envoy_config_rabc_v3.Permission_DestinationIp) (*PermissionDestinationIp, error)
func (*PermissionDestinationIp) Match ¶
func (permission *PermissionDestinationIp) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PermissionDestinationPort ¶
type PermissionDestinationPort struct {
DestinationPort uint32
}
Permission_DestinationPort
func NewPermissionDestinationPort ¶
func NewPermissionDestinationPort(permission *envoy_config_rabc_v3.Permission_DestinationPort) (*PermissionDestinationPort, error)
func (*PermissionDestinationPort) Match ¶
func (permission *PermissionDestinationPort) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PermissionHeader ¶
type PermissionHeader struct {
Target string
Matcher HeaderMatcher
InvertMatch bool
}
Permission_Header
func NewPermissionHeader ¶
func NewPermissionHeader(permission *envoy_config_rabc_v3.Permission_Header) (*PermissionHeader, error)
func (*PermissionHeader) Match ¶
func (permission *PermissionHeader) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PermissionNotRule ¶
type PermissionNotRule struct {
NotRule InheritPermission
}
Permission_NotRule
func NewPermissionNotRule ¶
func NewPermissionNotRule(permission *envoy_config_rabc_v3.Permission_NotRule) (*PermissionNotRule, error)
func (*PermissionNotRule) Match ¶
func (permission *PermissionNotRule) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PermissionOrRules ¶
type PermissionOrRules struct {
OrRules []InheritPermission
}
Permission_OrRules
func NewPermissionOrRules ¶
func NewPermissionOrRules(permission *envoy_config_rabc_v3.Permission_OrRules) (*PermissionOrRules, error)
func (*PermissionOrRules) Match ¶
func (permission *PermissionOrRules) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PermissionUrlPath ¶
type PermissionUrlPath struct {
Matcher UrlPathMatcher
}
Permission_NotRule
func NewPermissionUrlPath ¶
func NewPermissionUrlPath(permission *envoy_config_rabc_v3.Permission_UrlPath) (*PermissionUrlPath, error)
func (*PermissionUrlPath) Match ¶
func (permission *PermissionUrlPath) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrefixStringMatcher ¶
type PrefixStringMatcher struct {
PrefixMatch string
}
StringMatcher_Prefix
func (*PrefixStringMatcher) Equal ¶
func (matcher *PrefixStringMatcher) Equal(targetValue string) bool
type PrincipalAndIds ¶
type PrincipalAndIds struct {
AndIds []InheritPrincipal
}
Principal_AndIds
func NewPrincipalAndIds ¶
func NewPrincipalAndIds(principal *envoy_config_rabc_v3.Principal_AndIds) (*PrincipalAndIds, error)
func (*PrincipalAndIds) Match ¶
func (principal *PrincipalAndIds) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrincipalAny ¶
type PrincipalAny struct {
Any bool
}
Principal_Any
func NewPrincipalAny ¶
func NewPrincipalAny(principal *envoy_config_rabc_v3.Principal_Any) (*PrincipalAny, error)
func (*PrincipalAny) Match ¶
func (principal *PrincipalAny) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrincipalDirectRemoteIp ¶
Principal_DirectRemoteIp
func NewPrincipalDirectRemoteIp ¶
func NewPrincipalDirectRemoteIp(principal *envoy_config_rabc_v3.Principal_DirectRemoteIp) (*PrincipalDirectRemoteIp, error)
func (*PrincipalDirectRemoteIp) Match ¶
func (principal *PrincipalDirectRemoteIp) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrincipalHeader ¶
type PrincipalHeader struct {
Target string
Matcher HeaderMatcher
InvertMatch bool
}
Principal_Header
func NewPrincipalHeader ¶
func NewPrincipalHeader(principal *envoy_config_rabc_v3.Principal_Header) (*PrincipalHeader, error)
func (*PrincipalHeader) Match ¶
func (principal *PrincipalHeader) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrincipalMetadata ¶
type PrincipalMetadata struct {
Filter string
Path string
Matcher StringMatcher
}
Principal_Metadata
func NewPrincipalMetadata ¶
func NewPrincipalMetadata(principal *envoy_config_rabc_v3.Principal_Metadata) (*PrincipalMetadata, error)
func (*PrincipalMetadata) Match ¶
func (principal *PrincipalMetadata) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrincipalNotId ¶
type PrincipalNotId struct {
NotId InheritPrincipal
}
Principal_NotId
func NewPrincipalNotId ¶
func NewPrincipalNotId(principal *envoy_config_rabc_v3.Principal_NotId) (*PrincipalNotId, error)
func (*PrincipalNotId) Match ¶
func (principal *PrincipalNotId) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrincipalOrIds ¶
type PrincipalOrIds struct {
OrIds []InheritPrincipal
}
Principal_OrIds
func NewPrincipalOrIds ¶
func NewPrincipalOrIds(principal *envoy_config_rabc_v3.Principal_OrIds) (*PrincipalOrIds, error)
func (*PrincipalOrIds) Match ¶
func (principal *PrincipalOrIds) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrincipalRemoteIp ¶
Principal_DirectRemoteIp
func NewPrincipalRemoteIp ¶
func NewPrincipalRemoteIp(principal *envoy_config_rabc_v3.Principal_RemoteIp) (*PrincipalRemoteIp, error)
func (*PrincipalRemoteIp) Match ¶
func (principal *PrincipalRemoteIp) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type PrincipalSourceIp ¶
Principal_SourceIp
func NewPrincipalSourceIp ¶
func NewPrincipalSourceIp(principal *envoy_config_rabc_v3.Principal_SourceIp) (*PrincipalSourceIp, error)
func (*PrincipalSourceIp) Match ¶
func (principal *PrincipalSourceIp) Match(cb api.StreamReceiverFilterHandler, headers api.HeaderMap) bool
type RegexStringMatcher ¶
StringMatcher_Regex
func (*RegexStringMatcher) Equal ¶
func (matcher *RegexStringMatcher) Equal(targetValue string) bool
type RoleBasedAccessControlEngine ¶
type RoleBasedAccessControlEngine struct {
// The request is allowed if and only if:
// * `action` is "ALLOWED" and at least one policy matches
// * `action` is "DENY" and none of the policies match
// default is ALLOWED
Action envoy_config_rabc_v3.RBAC_Action
// Maps from policy name to policy. A match occurs when at least one policy matches the request.
InheritPolicies map[string]*InheritPolicy
}
func NewRoleBasedAccessControlEngine ¶
func NewRoleBasedAccessControlEngine(rbacConfig *envoy_config_rabc_v3.RBAC) (*RoleBasedAccessControlEngine, error)
Receive the v2alpha.RBAC input and convert it to mosn rbac engine
func (*RoleBasedAccessControlEngine) Allowed ¶
func (engine *RoleBasedAccessControlEngine) Allowed(cb api.StreamReceiverFilterHandler, ctx context.Context, headers api.HeaderMap) (allowed bool, matchPolicyName string)
echo request will be handled in `Allowed` function
func (*RoleBasedAccessControlEngine) GetPoliciesSize ¶
func (engine *RoleBasedAccessControlEngine) GetPoliciesSize() int
type StringMatcher ¶
type StringMatcher interface {
// *StringMatcher_Exact (supported)
// *StringMatcher_Prefix (supported)
// *StringMatcher_Suffix (supported)
// *StringMatcher_SafeRegex
// TODO:
// *StringMatcher_HiddenEnvoyDeprecatedRegex
// *StringMatcher_Contains
Equal(string) bool
}
StringMatcher
func NewStringMatcher ¶
func NewStringMatcher(match *envoy_type_matcher_v3.StringMatcher) (StringMatcher, error)
type SuffixStringMatcher ¶
type SuffixStringMatcher struct {
SuffixMatch string
}
StringMatcher_Suffix
func (*SuffixStringMatcher) Equal ¶
func (matcher *SuffixStringMatcher) Equal(targetValue string) bool
type UrlPathMatcher ¶
UrlPathMatcher
func NewUrlPathMatcher ¶
func NewUrlPathMatcher(urlPath *envoy_type_matcher_v3.PathMatcher) (UrlPathMatcher, error)
Source Files
Click to show internal directories.
Click to hide internal directories.