diff --git a/pkg/controlplane/api/authz.go b/pkg/controlplane/api/authz.go
index ff5594d2..13d008e0 100644
--- a/pkg/controlplane/api/authz.go
+++ b/pkg/controlplane/api/authz.go
@@ -13,7 +13,10 @@
 package api
-import "github.com/lestrrat-go/jwx/jwa"
+import (
+ "github.com/clusterlink-net/clusterlink/pkg/controlplane/authz/connectivitypdp"
+ "github.com/lestrrat-go/jwx/jwa"
+)
 const (
 // RemotePeerAuthorizationPath is the path remote peers use to send an authorization request.
@@ -50,6 +53,8 @@ type AuthorizationRequest struct {
 ServiceName string
 // ServiceNamespace is the namespace of the requested exported service.
 ServiceNamespace string
+ // Attributes of the source workload, to be used by the PDP on the remote peer
+ SrcAttributes connectivitypdp.WorkloadAttrs
 }
 // AuthorizationResponse represents a response for a successful AuthorizationRequest.
diff --git a/pkg/controlplane/authz/manager.go b/pkg/controlplane/authz/manager.go
index fceb9f18..b7114431 100644
--- a/pkg/controlplane/authz/manager.go
+++ b/pkg/controlplane/authz/manager.go
@@ -71,6 +71,8 @@ type egressAuthorizationResponse struct {
 type ingressAuthorizationRequest struct {
 // Service is the name of the requested exported service.
 ServiceName types.NamespacedName
+ // Attributes of the source workload, to be used by the PDP on the remote peer
+ SrcAttributes connectivitypdp.WorkloadAttrs
 }
 // ingressAuthorizationResponse (from remote peer controlplane) represents a response for an ingressAuthorizationRequest.
@@ -263,6 +265,7 @@ func (m *Manager) authorizeEgress(ctx context.Context, req *egressAuthorizationR
 peerResp, err := cl.Authorize(&cpapi.AuthorizationRequest{
 ServiceName: DstName,
 ServiceNamespace: DstNamespace,
+ SrcAttributes: srcAttributes,
 })
 if err != nil {
 m.logger.Infof("Unable to get access token from peer: %v", err)
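Review bot: The wire-API package now imports a type from the policy engine (`connectivitypdp.WorkloadAttrs`), so the on-the-wire encoding of AuthorizationRequest becomes whatever that internal type happens to marshal as, and any change to it is silently a protocol change between peers. A plain `map[string]string` declared in `api` (or a type alias there that connectivitypdp consumes) would keep the API package free of policy-engine internals and make the wire format explicit. Whether connectivitypdp itself imports `api` — which would make this an import cycle — is not visible in this hunk.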
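Review bot: The comment on the new `SrcAttributes` field does not say who supplies the attributes or how much the receiver may trust them, which is the one thing a reader of the wire API needs to know here. I would document it as `// SrcAttributes are attributes of the source workload, as asserted by the requesting peer. The receiving peer cannot verify them and must not derive the caller's identity from them.`. An exported field also conventionally starts its comment with the field name.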
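Review bot: The comment on `ingressAuthorizationRequest.SrcAttributes` reads as a copy of the egress-side one — "to be used by the PDP on the remote peer" — but this struct is the request as seen by the ingress side, where the attributes arrive from the remote peer and are consumed by the local PDP (see the `m.connectivityPDP.Decide(req.SrcAttributes, …)` call later in this file). Suggest `// SrcAttributes are the source-workload attributes asserted by the requesting (remote) peer; they are consumed by the local PDP and are not verified.` so the trust direction is stated correctly where it matters.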
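Review bot: `srcAttributes` is built outside this hunk, so I cannot see which labels it carries; if it is the full label set of the local source workload, this added line now ships all of it to the remote peer's control plane, which is a new cross-cluster disclosure that the commit does not mention. Consider sending only the attributes remote policies are expected to evaluate (or documenting that the full set is intentionally exported). authorizeEgress begins before this hunk and continues after it.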
@@ -322,7 +325,6 @@ func (m *Manager) parseAuthorizationHeader(token string) (string, error) {
 func (m *Manager) authorizeIngress(
 ctx context.Context,
 req *ingressAuthorizationRequest,
- pr string,
 ) (*ingressAuthorizationResponse, error) {
 m.logger.Infof("Received ingress authorization request: %v.", req)
@@ -344,13 +346,12 @@ func (m *Manager) authorizeIngress(
 resp.ServiceExists = true
- srcAttributes := connectivitypdp.WorkloadAttrs{GatewayNameLabel: pr}
 dstAttributes := connectivitypdp.WorkloadAttrs{
 ServiceNameLabel: req.ServiceName.Name,
 ServiceNamespaceLabel: req.ServiceName.Namespace,
 GatewayNameLabel: m.peerName,
 }
- decision, err := m.connectivityPDP.Decide(srcAttributes, dstAttributes, req.ServiceName.Namespace)
+ decision, err := m.connectivityPDP.Decide(req.SrcAttributes, dstAttributes, req.ServiceName.Namespace)
 if err != nil {
 return nil, fmt.Errorf("error deciding on an ingress connection: %w", err)
 }
diff --git a/pkg/controlplane/authz/server.go b/pkg/controlplane/authz/server.go
index b91667f6..7ad9c2f5 100644
--- a/pkg/controlplane/authz/server.go
+++ b/pkg/controlplane/authz/server.go
@@ -141,7 +141,6 @@ func (s *server) PeerAuthorize(w http.ResponseWriter, r *http.Request) {
 return
 }
- peerName := r.TLS.PeerCertificates[0].DNSNames[0]
 resp, err := s.manager.authorizeIngress(
 r.Context(),
 &ingressAuthorizationRequest{
@@ -149,8 +148,8 @@ func (s *server) PeerAuthorize(w http.ResponseWriter, r *http.Request) {
 Namespace: req.ServiceNamespace,
 Name: req.ServiceName,
 },
- },
- peerName)
+ SrcAttributes: req.SrcAttributes,
+ })
 switch {
 case err != nil:
 http.Error(w, err.Error(), http.StatusInternalServerError)
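Review bot: Dropping the `pr` parameter leaves authorizeIngress with no authenticated caller identity at all; the only thing it learns about the requester is what the requester chose to put in `req.SrcAttributes`. I would keep the parameter, renamed to something self-describing such as `peerName string, // authenticated via mTLS client certificate`, so the function can bind the asserted attributes to the verified identity rather than to the request body. authorizeIngress's body continues past this hunk.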
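Review bot: The PDP decision on the `Decide` line now takes the source attributes straight from the request body, whereas the removed line built them from `pr`, the name taken from the peer's client certificate; any mTLS-authenticated peer can therefore assert an arbitrary `GatewayNameLabel` (or any other attribute) and be evaluated as someone else. The authenticated identity should override whatever the caller asserted before the policy is consulted, which also avoids writing into a possibly nil map when the remote peer omitted the field. The sketch below assumes `WorkloadAttrs` is a map keyed by the label constants (as the `{GatewayNameLabel: pr}` literal suggests) and that the `peerName` parameter removed in the previous hunk is restored.
```go
// … unchanged: dstAttributes literal …
// Never trust the caller's claim about its own gateway: bind it to the mTLS identity.
srcAttributes := make(connectivitypdp.WorkloadAttrs, len(req.SrcAttributes)+1)
for k, v := range req.SrcAttributes {
	srcAttributes[k] = v
}
srcAttributes[GatewayNameLabel] = peerName
decision, err := m.connectivityPDP.Decide(srcAttributes, dstAttributes, req.ServiceName.Namespace)
// … unchanged: error handling …
```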
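Review bot: Removing the `peerName := r.TLS.PeerCertificates[0].DNSNames[0]` line means the handler never consults the client certificate that the mTLS handshake already verified, so the request body alone determines the source identity the PDP sees. I would keep deriving it but guard the indexing — the removed line would have panicked on a certificate without a DNS SAN — e.g. `if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 || len(r.TLS.PeerCertificates[0].DNSNames) == 0 { http.Error(w, "missing peer identity", http.StatusUnauthorized); return }` before reading `peerName`, and pass it on to authorizeIngress. Whether the server's TLS config requires client certificates is not visible in this hunk; if it does not, the guard is the only thing standing between an unauthenticated caller and the policy engine.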