From 1a35778a85ccd47dc9606fd1007d72c1dcfb96f0 Mon Sep 17 00:00:00 2001
From: "radoslaw.chrzanowski"
Date: Wed, 13 Dec 2023 13:34:00 +0100
Subject: [PATCH] block some status endpoints

---
 .../envoycontrol/snapshot/SnapshotProperties.kt | 1 +
 .../listeners/filters/RBACFilterFactory.kt | 16 ++++++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt
index fc4f93155..5e158e8da 100644
--- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt
+++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt
@@ -199,6 +199,7 @@ class AdminRouteProperties {
 class StatusRouteProperties {
 var enabled = false
 var endpoints: MutableList = mutableListOf()
+ var blockedStatusEndpoints: MutableList = mutableListOf()
 var createVirtualCluster = false
 }
diff --git a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/RBACFilterFactory.kt b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/RBACFilterFactory.kt
index 572d7ad0c..df93f9140 100644
--- a/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/RBACFilterFactory.kt
+++ b/envoy-control-core/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/RBACFilterFactory.kt
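Review bot: The new `blockedStatusEndpoints` property on `StatusRouteProperties` carries no comment explaining how it relates to `endpoints`, and a reader of the config class cannot tell whether a "blocked" path is denied outright or only removed from what the status-route policy grants. The RBACFilterFactory change in this same patch attaches each entry as a not-rule inside the status policy, so the property should say so, e.g. `/** Status paths excluded from the status-route policy even when [endpoints] would match them; an entry here only narrows that policy, it is not a standalone deny rule. */` — adjust the last clause if a deny is in fact intended. As a point of style, `blockedEndpoints` would mirror the sibling `endpoints` name, since the class name already says "status".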
@@ -275,13 +275,22 @@ class RBACFilterFactory(
 private fun createStatusRoutePolicy(statusRouteProperties: StatusRouteProperties): Map {
 return if (statusRouteProperties.enabled) {
+ val notRules = statusRouteProperties.blockedStatusEndpoints.map {
+ rBACFilterPermissions.createPathPermission(
+ path = it.path,
+ matchingType = it.matchingType
+ ).build()
+ }
 val permissions = statusRouteProperties.endpoints
 .map {
- rBACFilterPermissions.createPathPermission(
+ val permission = rBACFilterPermissions.createPathPermission(
 path = it.path,
 matchingType = it.matchingType
- ).build()
+ )
+ notRules.forEach { permission.setNotRule(it) }
+ permission.build()
 }
+
 val policy = Policy.newBuilder()
 .addPrincipals(anyPrincipal)
 .addPermissions(anyOf(permissions))
@@ -368,15 +377,18 @@ class RBACFilterFactory(
 principal
 )
 )
+
 OAuth.Policy.STRICT -> mergePrincipals(
 listOf(
 strictPolicyPrincipal,
 principal
 )
 )
+
 OAuth.Policy.ALLOW_MISSING_OR_FAILED -> {
 principal
 }
+
 null -> {
 principal
 }
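Review bot: `notRules.forEach { permission.setNotRule(it) }` inside the endpoints `.map` does not combine the blocked paths with the allowed path: `Permission.Builder.setNotRule` writes the same `rule` oneof that `createPathPermission` presumably populates (url_path or similar), so the first call discards the allowed-path match and every further call overwrites the previous not-rule. Once at least one blocked endpoint is configured, each entry in `permissions` collapses to `not(<last blocked endpoint>)`, and `anyOf(permissions)` then grants `anyPrincipal` every path except that single one — wider, not narrower, than the previous allow-list. The intended semantics is an `and_rules` set holding the path permission plus one `not_rule` permission per blocked endpoint, as below, keeping the plain path permission when `blockedStatusEndpoints` is empty so existing snapshots are unchanged. `createStatusRoutePolicy` continues past the end of the hunk. A test that configures one blocked endpoint and asserts the generated policy still contains the allowed path match would have caught this.

```kotlin
// … unchanged: notRules …
val permissions = statusRouteProperties.endpoints
    .map {
        val pathPermission = rBACFilterPermissions.createPathPermission(
            path = it.path,
            matchingType = it.matchingType
        ).build()
        if (notRules.isEmpty()) {
            pathPermission
        } else {
            // and_rules = [allowed path, not(blocked_1), ..., not(blocked_n)];
            // calling setNotRule on the path builder would replace its rule instead of combining.
            Permission.newBuilder()
                .setAndRules(
                    Permission.Set.newBuilder()
                        .addRules(pathPermission)
                        .addAllRules(notRules.map { blocked ->
                            Permission.newBuilder().setNotRule(blocked).build()
                        })
                )
                .build()
        }
    }
// … unchanged: policy construction …
```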