envoy/lds: use rbac policy builder (#2093)

This change uses the RBAC policy builder added by commit f20c7b5 to generate the policies. No functional change introduced apart from additional error checking due to usage of a new api. Signed-off-by: Shashank Ram <shashank08@gmail.com>
openservicemesh · Nov 19, 2020 · d9bbd3e · d9bbd3e
1 parent f20c7b5
commit d9bbd3e
Showing 1 changed file with 14 additions and 31 deletions.
diff --git a/pkg/envoy/lds/rbac.go b/pkg/envoy/lds/rbac.go
@@ -6,10 +6,10 @@ import (
 	xds_listener "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3"
 	xds_rbac "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
 	xds_network_rbac "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3"
-	xds_matcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
 	"github.com/envoyproxy/go-control-plane/pkg/wellknown"
 
 	"github.com/openservicemesh/osm/pkg/envoy"
+	"github.com/openservicemesh/osm/pkg/envoy/rbac"
 	"github.com/openservicemesh/osm/pkg/identity"
 	"github.com/openservicemesh/osm/pkg/service"
 )
@@ -53,7 +53,11 @@ func (lb *listenerBuilder) buildInboundRBACPolicies() (*xds_network_rbac.RBAC, e
 	for _, downstreamSvcAccount := range allowsInboundSvcAccounts {
 		policyName := getPolicyName(downstreamSvcAccount, lb.svcAccount)
 		principal := identity.GetKubernetesServiceIdentity(downstreamSvcAccount, identity.ClusterLocalTrustDomain)
-		rbacPolicies[policyName] = buildAllowAllPermissionsPolicy(principal)
+		if policy, err := buildAllowAllPermissionsPolicy(principal); err != nil {
+			log.Error().Err(err).Msgf("Error building RBAC policy for ServiceAccount %q and downstream %q", lb.svcAccount, downstreamSvcAccount)
+		} else {
+			rbacPolicies[policyName] = policy
+		}
 	}
 
 	// Create an inbound RBAC policy that denies a request by default, unless a policy explicitly allows it
@@ -69,43 +73,22 @@ func (lb *listenerBuilder) buildInboundRBACPolicies() (*xds_network_rbac.RBAC, e
 }
 
 // buildAllowAllPermissionsPolicy creates an XDS RBAC policy for the given client principal to be granted all access
-func buildAllowAllPermissionsPolicy(clientPrincipal identity.ServiceIdentity) *xds_rbac.Policy {
-	return &xds_rbac.Policy{
-		Permissions: []*xds_rbac.Permission{
+func buildAllowAllPermissionsPolicy(clientPrincipal identity.ServiceIdentity) (*xds_rbac.Policy, error) {
+	policy := &rbac.Policy{
+		Principals: []rbac.RulesList{
 			{
-				// Grant the given principal all access
-				Rule: &xds_rbac.Permission_Any{Any: true},
-			},
-		},
-		Principals: []*xds_rbac.Principal{
-			{
-				Identifier: &xds_rbac.Principal_OrIds{
-					OrIds: &xds_rbac.Principal_Set{
-						Ids: []*xds_rbac.Principal{
-							getPrincipalAuthenticated(clientPrincipal.String()),
-						},
-					},
+				OrRules: []rbac.Rule{
+					{Attribute: rbac.DownstreamAuthPrincipal, Value: clientPrincipal.String()},
 				},
 			},
 		},
+		// Permissions set to ANY if not specified, which grants all access for the given Principals
 	}
+
+	return policy.Generate()
 }
 
 // getPolicyName returns a policy name for the policy used to authorize a downstream service account by the upstream
 func getPolicyName(downstream, upstream service.K8sServiceAccount) string {
 	return fmt.Sprintf("%s to %s", downstream, upstream)
 }
-
-func getPrincipalAuthenticated(principalName string) *xds_rbac.Principal {
-	return &xds_rbac.Principal{
-		Identifier: &xds_rbac.Principal_Authenticated_{
-			Authenticated: &xds_rbac.Principal_Authenticated{
-				PrincipalName: &xds_matcher.StringMatcher{
-					MatchPattern: &xds_matcher.StringMatcher_Exact{
-						Exact: principalName,
-					},
-				},
-			},
-		},
-	}
-}