Add custom policies support (#568)

* add default policies Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> * cleanup Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com> Signed-off-by: Nikita Skrynnik <nikita.skrynnik@xored.com>
networkservicemesh · Dec 15, 2022 · 85459bd · 85459bd
1 parent 66918ad
commit 85459bd
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 7 deletions.
diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/edwarnicke/serialize v1.0.7
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/networkservicemesh/api v1.6.2-0.20221205183940-84c7ff837cdd
-	github.com/networkservicemesh/sdk v0.5.1-0.20221213182556-bb4ba1aaa7e3
+	github.com/networkservicemesh/sdk v0.5.1-0.20221215123931-9709ed4b3fb8
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spiffe/go-spiffe/v2 v2.0.0
 	github.com/stretchr/testify v1.8.0

diff --git a/go.sum b/go.sum
@@ -195,8 +195,8 @@ github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182aff
 github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/networkservicemesh/api v1.6.2-0.20221205183940-84c7ff837cdd h1:26HR90HrJFZHIPPP3SCLGNRpPCMFoEnSSZfhHH8MPSo=
 github.com/networkservicemesh/api v1.6.2-0.20221205183940-84c7ff837cdd/go.mod h1:hOF2844BSstH1311oDMDgqqXS+kdc77htZNPRKl9mf8=
-github.com/networkservicemesh/sdk v0.5.1-0.20221213182556-bb4ba1aaa7e3 h1:+braLFYY32nhII9xpupB3B+K5wvcwk3GwBgaTSmWmjk=
-github.com/networkservicemesh/sdk v0.5.1-0.20221213182556-bb4ba1aaa7e3/go.mod h1:zEYFbCVXGlTT5f0x6sx8XtL2GazkYBpCoEpooxkz2vE=
+github.com/networkservicemesh/sdk v0.5.1-0.20221215123931-9709ed4b3fb8 h1:E6YXsYdfzTMgiwdl99pZI8HdUeAM7VrOSwFxCzdfA6E=
+github.com/networkservicemesh/sdk v0.5.1-0.20221215123931-9709ed4b3fb8/go.mod h1:zEYFbCVXGlTT5f0x6sx8XtL2GazkYBpCoEpooxkz2vE=
 github.com/open-policy-agent/opa v0.44.0 h1:sEZthsrWBqIN+ShTMJ0Hcz6a3GkYsY4FaB2S/ou2hZk=
 github.com/open-policy-agent/opa v0.44.0/go.mod h1:YpJaFIk5pq89n/k72c1lVvfvR5uopdJft2tMg1CW/yU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

diff --git a/internal/config/config.go b/internal/config/config.go
@@ -28,6 +28,8 @@ type Config struct {
 	ListenOn                    []url.URL     `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to listen on. tcp:// one will be used a public to register NSM." split_words:"true"`
 	RegistryURL                 url.URL       `default:"tcp://localhost:5001" desc:"A NSE registry url to use" split_words:"true"`
 	MaxTokenLifetime            time.Duration `default:"10m" desc:"maximum lifetime of tokens" split_words:"true"`
+	RegistryServerPolicies      []string      `default:"etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/server/.*.rego" desc:"paths to files and directories that contain registry server policies" split_words:"true"`
+	RegistryClientPolicies      []string      `default:"etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/client/.*.rego" desc:"paths to files and directories that contain registry client policies" split_words:"true"`
 	LogLevel                    string        `default:"INFO" desc:"Log level" split_words:"true"`
 	DialTimeout                 time.Duration `default:"100ms" desc:"Timeout for the dial the next endpoint" split_words:"true"`
 	ForwarderNetworkServiceName string        `default:"forwarder" desc:"the default service name for forwarder discovering" split_words:"true"`

diff --git a/internal/manager/manager.go b/internal/manager/manager.go
@@ -125,10 +125,14 @@ func RunNsmgr(ctx context.Context, configuration *config.Config) error {
 		nsmgr.WithURL(u.String()),
 		nsmgr.WithAuthorizeServer(authorize.NewServer(authorize.WithSpiffeIDConnectionMap(&spiffeIDConnMap))),
 		nsmgr.WithAuthorizeMonitorConnectionServer(authmonitor.NewMonitorConnectionServer(authmonitor.WithSpiffeIDConnectionMap(&spiffeIDConnMap))),
-		nsmgr.WithAuthorizeNSERegistryServer(registryauthorize.NewNetworkServiceEndpointRegistryServer()),
-		nsmgr.WithAuthorizeNSERegistryClient(registryauthorize.NewNetworkServiceEndpointRegistryClient()),
-		nsmgr.WithAuthorizeNSRegistryServer(registryauthorize.NewNetworkServiceRegistryServer()),
-		nsmgr.WithAuthorizeNSRegistryClient(registryauthorize.NewNetworkServiceRegistryClient()),
+		nsmgr.WithAuthorizeNSERegistryServer(registryauthorize.NewNetworkServiceEndpointRegistryServer(
+			registryauthorize.WithPolicies(configuration.RegistryServerPolicies...))),
+		nsmgr.WithAuthorizeNSERegistryClient(registryauthorize.NewNetworkServiceEndpointRegistryClient(
+			registryauthorize.WithPolicies(configuration.RegistryClientPolicies...))),
+		nsmgr.WithAuthorizeNSRegistryServer(registryauthorize.NewNetworkServiceRegistryServer(
+			registryauthorize.WithPolicies(configuration.RegistryServerPolicies...))),
+		nsmgr.WithAuthorizeNSRegistryClient(registryauthorize.NewNetworkServiceRegistryClient(
+			registryauthorize.WithPolicies(configuration.RegistryClientPolicies...))),
 		nsmgr.WithDialTimeout(configuration.DialTimeout),
 		nsmgr.WithForwarderServiceName(configuration.ForwarderNetworkServiceName),
 		nsmgr.WithDialOptions(