pkg/config/analysis/analyzers/virtualservice/jwtclaimroute.go - dubbo-go-pixiu - Git at Google

 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package virtualservice

 import (
 	"strings"
 )

 import (
 	"istio.io/api/networking/v1alpha3"
 	"istio.io/api/security/v1beta1"
 	k8s_labels "k8s.io/apimachinery/pkg/labels"
 )

 import (
 	"github.com/apache/dubbo-go-pixiu/pilot/pkg/util/constant"
 	"github.com/apache/dubbo-go-pixiu/pkg/config/analysis"
 	"github.com/apache/dubbo-go-pixiu/pkg/config/analysis/analyzers/util"
 	"github.com/apache/dubbo-go-pixiu/pkg/config/analysis/msg"
 	"github.com/apache/dubbo-go-pixiu/pkg/config/constants"
 	"github.com/apache/dubbo-go-pixiu/pkg/config/resource"
 	"github.com/apache/dubbo-go-pixiu/pkg/config/schema/collection"
 	"github.com/apache/dubbo-go-pixiu/pkg/config/schema/collections"
 )

 type JWTClaimRouteAnalyzer struct{}

 var _ analysis.Analyzer = &JWTClaimRouteAnalyzer{}

 // Metadata implements Analyzer
 func (s *JWTClaimRouteAnalyzer) Metadata() analysis.Metadata {
 	return analysis.Metadata{
 		Name:        "virtualservice.JWTClaimRouteAnalyzer",
 		Description: "Checks the VirtualService using JWT claim based routing has corresponding RequestAuthentication",
 		Inputs: collection.Names{
 			collections.IstioNetworkingV1Alpha3Virtualservices.Name(),
 			collections.IstioSecurityV1Beta1Requestauthentications.Name(),
 			collections.IstioNetworkingV1Alpha3Gateways.Name(),
 			collections.K8SCoreV1Pods.Name(),
 		},
 	}
 }

 // Analyze implements Analyzer
 func (s *JWTClaimRouteAnalyzer) Analyze(c analysis.Context) {
 	requestAuthNByNamespace := map[string][]k8s_labels.Selector{}
 	c.ForEach(collections.IstioSecurityV1Beta1Requestauthentications.Name(), func(r *resource.Instance) bool {
 		ns := r.Metadata.FullName.Namespace.String()
 		if _, found := requestAuthNByNamespace[ns]; !found {
 			requestAuthNByNamespace[ns] = []k8s_labels.Selector{}
 		}
 		ra := r.Message.(*v1beta1.RequestAuthentication)
 		raSelector := k8s_labels.SelectorFromSet(ra.GetSelector().GetMatchLabels())
 		requestAuthNByNamespace[ns] = append(requestAuthNByNamespace[ns], raSelector)
 		return true
 	})

 	c.ForEach(collections.IstioNetworkingV1Alpha3Virtualservices.Name(), func(r *resource.Instance) bool {
 		s.analyze(r, c, requestAuthNByNamespace)
 		return true
 	})
 }

 func (s *JWTClaimRouteAnalyzer) analyze(r *resource.Instance, c analysis.Context, requestAuthNByNamespace map[string][]k8s_labels.Selector) {
 	// Check if the virtual service is using JWT claim based routing.
 	vs := r.Message.(*v1alpha3.VirtualService)
 	var vsRouteKey string
 	if vsRouteKey = routeBasedOnJWTClaimKey(vs); vsRouteKey == "" {
 		return
 	}
 	vsNs := r.Metadata.FullName.Namespace

 	// Check if the virtual service is applied to gateway.
 	for _, gwName := range vs.Gateways {
 		if gwName == util.MeshGateway {
 			continue
 		}

 		gwFullName := resource.NewShortOrFullName(vsNs, gwName)
 		gwRes := c.Find(collections.IstioNetworkingV1Alpha3Gateways.Name(), gwFullName)
 		if gwRes == nil {
 			// The gateway does not exist, this should already be covered by the gateway analyzer.
 			continue
 		}

 		gw := gwRes.Message.(*v1alpha3.Gateway)
 		gwSelector := k8s_labels.SelectorFromSet(gw.Selector)

 		// Check each pod selected by the gateway.
 		c.ForEach(collections.K8SCoreV1Pods.Name(), func(rPod *resource.Instance) bool {
 			podLabels := k8s_labels.Set(rPod.Metadata.Labels)
 			if !gwSelector.Matches(podLabels) {
 				return true
 			}

 			// Check if there is request authentication applied to the pod.
 			var hasRequestAuthNForPod bool

 			raSelectors := requestAuthNByNamespace[constants.IstioSystemNamespace]
 			raSelectors = append(raSelectors, requestAuthNByNamespace[rPod.Metadata.FullName.Namespace.String()]...)
 			for _, raSelector := range raSelectors {
 				if raSelector.Matches(podLabels) {
 					hasRequestAuthNForPod = true
 					break
 				}
 			}
 			if !hasRequestAuthNForPod {
 				m := msg.NewJwtClaimBasedRoutingWithoutRequestAuthN(r, vsRouteKey, gwFullName.String(), rPod.Metadata.FullName.Name.String())
 				c.Report(collections.IstioNetworkingV1Alpha3Virtualservices.Name(), m)
 			}
 			return true
 		})
 	}
 }

 func routeBasedOnJWTClaimKey(vs *v1alpha3.VirtualService) string {
 	for _, httpRoute := range vs.GetHttp() {
 		for _, match := range httpRoute.GetMatch() {
 			for key := range match.GetHeaders() {
 				if strings.HasPrefix(key, constant.HeaderJWTClaim) {
 					return key
 				}
 			}
 			for key := range match.GetWithoutHeaders() {
 				if strings.HasPrefix(key, constant.HeaderJWTClaim) {
 					return key
 				}
 			}
 		}
 	}
 	return ""
 }
	// Copyright Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package virtualservice

	import (
	"strings"
	)

	import (
	"istio.io/api/networking/v1alpha3"
	"istio.io/api/security/v1beta1"
	k8s_labels "k8s.io/apimachinery/pkg/labels"
	)

	import (
	"github.com/apache/dubbo-go-pixiu/pilot/pkg/util/constant"
	"github.com/apache/dubbo-go-pixiu/pkg/config/analysis"
	"github.com/apache/dubbo-go-pixiu/pkg/config/analysis/analyzers/util"
	"github.com/apache/dubbo-go-pixiu/pkg/config/analysis/msg"
	"github.com/apache/dubbo-go-pixiu/pkg/config/constants"
	"github.com/apache/dubbo-go-pixiu/pkg/config/resource"
	"github.com/apache/dubbo-go-pixiu/pkg/config/schema/collection"
	"github.com/apache/dubbo-go-pixiu/pkg/config/schema/collections"
	)

	type JWTClaimRouteAnalyzer struct{}

	var _ analysis.Analyzer = &JWTClaimRouteAnalyzer{}

	// Metadata implements Analyzer
	func (s *JWTClaimRouteAnalyzer) Metadata() analysis.Metadata {
	return analysis.Metadata{
	Name: "virtualservice.JWTClaimRouteAnalyzer",
	Description: "Checks the VirtualService using JWT claim based routing has corresponding RequestAuthentication",
	Inputs: collection.Names{
	collections.IstioNetworkingV1Alpha3Virtualservices.Name(),
	collections.IstioSecurityV1Beta1Requestauthentications.Name(),
	collections.IstioNetworkingV1Alpha3Gateways.Name(),
	collections.K8SCoreV1Pods.Name(),
	},
	}
	}

	// Analyze implements Analyzer
	func (s *JWTClaimRouteAnalyzer) Analyze(c analysis.Context) {
	requestAuthNByNamespace := map[string][]k8s_labels.Selector{}
	c.ForEach(collections.IstioSecurityV1Beta1Requestauthentications.Name(), func(r *resource.Instance) bool {
	ns := r.Metadata.FullName.Namespace.String()
	if _, found := requestAuthNByNamespace[ns]; !found {
	requestAuthNByNamespace[ns] = []k8s_labels.Selector{}
	}
	ra := r.Message.(*v1beta1.RequestAuthentication)
	raSelector := k8s_labels.SelectorFromSet(ra.GetSelector().GetMatchLabels())
	requestAuthNByNamespace[ns] = append(requestAuthNByNamespace[ns], raSelector)
	return true
	})

	c.ForEach(collections.IstioNetworkingV1Alpha3Virtualservices.Name(), func(r *resource.Instance) bool {
	s.analyze(r, c, requestAuthNByNamespace)
	return true
	})
	}

	func (s JWTClaimRouteAnalyzer) analyze(r resource.Instance, c analysis.Context, requestAuthNByNamespace map[string][]k8s_labels.Selector) {
	// Check if the virtual service is using JWT claim based routing.
	vs := r.Message.(*v1alpha3.VirtualService)
	var vsRouteKey string
	if vsRouteKey = routeBasedOnJWTClaimKey(vs); vsRouteKey == "" {
	return
	}
	vsNs := r.Metadata.FullName.Namespace

	// Check if the virtual service is applied to gateway.
	for _, gwName := range vs.Gateways {
	if gwName == util.MeshGateway {
	continue
	}

	gwFullName := resource.NewShortOrFullName(vsNs, gwName)
	gwRes := c.Find(collections.IstioNetworkingV1Alpha3Gateways.Name(), gwFullName)
	if gwRes == nil {
	// The gateway does not exist, this should already be covered by the gateway analyzer.
	continue
	}

	gw := gwRes.Message.(*v1alpha3.Gateway)
	gwSelector := k8s_labels.SelectorFromSet(gw.Selector)

	// Check each pod selected by the gateway.
	c.ForEach(collections.K8SCoreV1Pods.Name(), func(rPod *resource.Instance) bool {
	podLabels := k8s_labels.Set(rPod.Metadata.Labels)
	if !gwSelector.Matches(podLabels) {
	return true
	}

	// Check if there is request authentication applied to the pod.
	var hasRequestAuthNForPod bool

	raSelectors := requestAuthNByNamespace[constants.IstioSystemNamespace]
	raSelectors = append(raSelectors, requestAuthNByNamespace[rPod.Metadata.FullName.Namespace.String()]...)
	for _, raSelector := range raSelectors {
	if raSelector.Matches(podLabels) {
	hasRequestAuthNForPod = true
	break
	}
	}
	if !hasRequestAuthNForPod {
	m := msg.NewJwtClaimBasedRoutingWithoutRequestAuthN(r, vsRouteKey, gwFullName.String(), rPod.Metadata.FullName.Name.String())
	c.Report(collections.IstioNetworkingV1Alpha3Virtualservices.Name(), m)
	}
	return true
	})
	}
	}

	func routeBasedOnJWTClaimKey(vs *v1alpha3.VirtualService) string {
	for _, httpRoute := range vs.GetHttp() {
	for _, match := range httpRoute.GetMatch() {
	for key := range match.GetHeaders() {
	if strings.HasPrefix(key, constant.HeaderJWTClaim) {
	return key
	}
	}
	for key := range match.GetWithoutHeaders() {
	if strings.HasPrefix(key, constant.HeaderJWTClaim) {
	return key
	}
	}
	}
	}
	return ""
	}