hub / github.com/grpc/grpc-go / matchersFromPermissions

Function matchersFromPermissions

internal/xds/rbac/matchers.go:78–136  ·  view source on GitHub ↗

matchersFromPermissions takes a list of permissions (can also be a single permission, e.g. from a not matcher which is logically !permission) and returns a list of matchers which correspond to that permission. This will be called in many instances throughout the initial construction of the RBAC engine from the AND and OR matchers and also from the NOT matcher.

(permissions []*v3rbacpb.Permission)

Source from the content-addressed store, hash-verified

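// matchersFromPermissions takes a list of permissions (can also be a single
// permission, e.g. from a not matcher which is logically !permission) and
// returns a list of matchers which correspond to that permission. This will
// be called in many instances throughout the initial construction of the RBAC
// engine from the AND and OR matchers and also from the NOT matcher.
//
// The returned slice can be shorter than permissions: a non-inverted metadata
// permission, a requested-server-name permission, and a permission whose rule
// matches none of the cases below all contribute no matcher.
//
// It returns the first error reported by a matcher constructor or by a nested
// call, and emptyNotRuleError when a NOT rule wraps a permission that
// contributes no matcher.
func matchersFromPermissions(permissions []*v3rbacpb.Permission) ([]matcher, error) {
	var matchers []matcher
	for _, permission := range permissions {
		switch permission.GetRule().(type) {
		case *v3rbacpb.Permission_AndRules:
			mList, err := matchersFromPermissions(permission.GetAndRules().Rules)
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, &andMatcher{matchers: mList})
		case *v3rbacpb.Permission_OrRules:
			mList, err := matchersFromPermissions(permission.GetOrRules().Rules)
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, &orMatcher{matchers: mList})
		case *v3rbacpb.Permission_Any:
			matchers = append(matchers, &alwaysMatcher{})
		case *v3rbacpb.Permission_Header:
			m, err := newHeaderMatcher(permission.GetHeader())
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, m)
		case *v3rbacpb.Permission_UrlPath:
			m, err := newURLPathMatcher(permission.GetUrlPath())
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, m)
		case *v3rbacpb.Permission_DestinationIp:
			// Due to this being on server side, the destination IP is the local
			// IP.
			m, err := newLocalIPMatcher(permission.GetDestinationIp())
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, m)
		case *v3rbacpb.Permission_DestinationPort:
			matchers = append(matchers, newPortMatcher(permission.GetDestinationPort()))
		case *v3rbacpb.Permission_NotRule:
			// The wrapped rule is converted by recursing on a one-element list.
			mList, err := matchersFromPermissions([]*v3rbacpb.Permission{{Rule: permission.GetNotRule().Rule}})
			if err != nil {
				return nil, err
			}
			// The recursion yields an empty list when the wrapped rule is a
			// non-inverted metadata permission, a requested-server-name
			// permission, or has no recognised rule type. Indexing mList[0]
			// would then panic while the engine is being built from
			// configuration, so the policy is rejected with an error instead.
			// Picking a fixed outcome here (always or never match) would be an
			// authorization decision that depends on whether the policy allows
			// or denies, which this function does not know.
			if len(mList) == 0 {
				return nil, emptyNotRuleError{}
			}
			matchers = append(matchers, &notMatcher{matcherToNot: mList[0]})
		case *v3rbacpb.Permission_Metadata:
			// Never matches - so no-op if not inverted, always match if
			// inverted.
			//
			// NOTE(review): appending nothing equals "never matches" only when
			// the enclosing list is an OR. andMatcher's evaluation is not
			// visible here; if it requires every child to match, dropping this
			// rule makes the enclosing AND match more requests than the policy
			// states. Confirm this is intended.
			if permission.GetMetadata().GetInvert() { // Test metadata being no-op and also metadata with invert always matching
				matchers = append(matchers, &alwaysMatcher{})
			}
		case *v3rbacpb.Permission_RequestedServerName:
			// Not supported in gRPC RBAC currently - a permission typed as
			// requested server name in the initial config will be a no-op.
		}
	}
	return matchers, nil
}

// emptyNotRuleError is returned by matchersFromPermissions when a NOT rule
// wraps a permission for which no matcher was built, so there is nothing to
// negate.
type emptyNotRuleError struct{}

// Error implements the error interface.
func (emptyNotRuleError) Error() string {
	return "rbac: not_rule wraps a permission that produces no matcher"
}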

Callers 1

newPolicyMatcherFunction · 0.85

Calls 5

newHeaderMatcherFunction · 0.85
newURLPathMatcherFunction · 0.85
newLocalIPMatcherFunction · 0.85
newPortMatcherFunction · 0.85
GetMetadataMethod · 0.65

Tested by

no test coverage detected