matchersFromPermissions takes a list of permissions (can also be a single permission, e.g. from a not matcher which is logically !permission) and returns a list of matchers which correspond to that permission. This will be called in many instances throughout the initial construction of the RBAC engine from the AND and OR matchers and also from the NOT matcher.
(permissions []*v3rbacpb.Permission)
| 76 | // be called in many instances throughout the initial construction of the RBAC |
| 77 | // engine from the AND and OR matchers and also from the NOT matcher. |
| 78 | func matchersFromPermissions(permissions []*v3rbacpb.Permission) ([]matcher, error) { |
| 79 | var matchers []matcher |
| 80 | for _, permission := range permissions { |
| 81 | switch permission.GetRule().(type) { |
| 82 | case *v3rbacpb.Permission_AndRules: |
| 83 | mList, err := matchersFromPermissions(permission.GetAndRules().Rules) |
| 84 | if err != nil { |
| 85 | return nil, err |
| 86 | } |
| 87 | matchers = append(matchers, &andMatcher{matchers: mList}) |
| 88 | case *v3rbacpb.Permission_OrRules: |
| 89 | mList, err := matchersFromPermissions(permission.GetOrRules().Rules) |
| 90 | if err != nil { |
| 91 | return nil, err |
| 92 | } |
| 93 | matchers = append(matchers, &orMatcher{matchers: mList}) |
| 94 | case *v3rbacpb.Permission_Any: |
| 95 | matchers = append(matchers, &alwaysMatcher{}) |
| 96 | case *v3rbacpb.Permission_Header: |
| 97 | m, err := newHeaderMatcher(permission.GetHeader()) |
| 98 | if err != nil { |
| 99 | return nil, err |
| 100 | } |
| 101 | matchers = append(matchers, m) |
| 102 | case *v3rbacpb.Permission_UrlPath: |
| 103 | m, err := newURLPathMatcher(permission.GetUrlPath()) |
| 104 | if err != nil { |
| 105 | return nil, err |
| 106 | } |
| 107 | matchers = append(matchers, m) |
| 108 | case *v3rbacpb.Permission_DestinationIp: |
| 109 | // Due to this being on server side, the destination IP is the local |
| 110 | // IP. |
| 111 | m, err := newLocalIPMatcher(permission.GetDestinationIp()) |
| 112 | if err != nil { |
| 113 | return nil, err |
| 114 | } |
| 115 | matchers = append(matchers, m) |
| 116 | case *v3rbacpb.Permission_DestinationPort: |
| 117 | matchers = append(matchers, newPortMatcher(permission.GetDestinationPort())) |
| 118 | case *v3rbacpb.Permission_NotRule: |
| 119 | mList, err := matchersFromPermissions([]*v3rbacpb.Permission{{Rule: permission.GetNotRule().Rule}}) |
| 120 | if err != nil { |
| 121 | return nil, err |
| 122 | } |
| 123 | matchers = append(matchers, ¬Matcher{matcherToNot: mList[0]}) |
| 124 | case *v3rbacpb.Permission_Metadata: |
| 125 | // Never matches - so no-op if not inverted, always match if |
| 126 | // inverted. |
| 127 | if permission.GetMetadata().GetInvert() { // Test metadata being no-op and also metadata with invert always matching |
| 128 | matchers = append(matchers, &alwaysMatcher{}) |
| 129 | } |
| 130 | case *v3rbacpb.Permission_RequestedServerName: |
| 131 | // Not supported in gRPC RBAC currently - a permission typed as |
| 132 | // requested server name in the initial config will be a no-op. |
| 133 | } |
| 134 | } |
| 135 | return matchers, nil |