policy

package
v0.8.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 14, 2017 License: Apache-2.0 Imports: 16 Imported by: 131

Documentation

Index

Constants

View Source 
const (
	RootNodeName      = "root"
	NodePathDelimiter = "."
	RootPrefix        = RootNodeName + NodePathDelimiter
)
View Source 
const (

	// MinimalNumericIdentity represents the minimal numeric identity not
	// used for reserved purposes.
	MinimalNumericIdentity = NumericIdentity(256)

	// InvalidIdentity is the identity assigned if the identity is invalid
	// or not determined yet
	InvalidIdentity = NumericIdentity(0)
)

Variables

View Source 
var (
	ReservedIdentities = map[string]NumericIdentity{
		labels.IDNameHost:  ID_HOST,
		labels.IDNameWorld: ID_WORLD,
	}
	ReservedIdentityNames = map[NumericIdentity]string{
		ID_HOST:  labels.IDNameHost,
		ID_WORLD: labels.IDNameWorld,
	}
)
View Source 
var (
	CoverageSHASize = len(fmt.Sprintf("%x", sha512.New512_256().Sum(nil)))
)

Functions

func JoinPath 

func JoinPath(a, b string) string

JoinPath returns a joined path from a and b.

func SplitNodePath 

func SplitNodePath(fullPath string) (string, string)

SplitNodePath returns path without extension and the extension if any.

Types

type AllowL4 

type AllowL4 struct {
	Ingress []L4Filter `json:"in-ports,omitempty"`
	Egress  []L4Filter `json:"out-ports,omitempty"`
}

func (*AllowL4) Merge 

func (l4 *AllowL4) Merge(result *L4Policy)

type AllowRule 

type AllowRule struct {
	Action ConsumableDecision `json:"action,omitempty"`
	Label  labels.Label       `json:"label"`
}

func (*AllowRule) Allows 

func (a *AllowRule) Allows(ctx *SearchContext) ConsumableDecision

func (*AllowRule) IsMergeable 

func (a *AllowRule) IsMergeable() bool

func (*AllowRule) String 

func (a *AllowRule) String() string

func (*AllowRule) UnmarshalJSON 

func (a *AllowRule) UnmarshalJSON(data []byte) error

type AuxRule 

type AuxRule struct {
	Expr string `json:"expr"`
}

type Consumable 

type Consumable struct {
	ID           NumericIdentity               `json:"id"`
	Iteration    int                           `json:"-"`
	Labels       *Identity                     `json:"labels"`
	LabelList    []labels.Label                `json:"-"`
	Maps         map[int]*policymap.PolicyMap  `json:"-"`
	Consumers    map[string]*Consumer          `json:"consumers"`
	ReverseRules map[NumericIdentity]*Consumer `json:"-"`
	L4Policy     *L4Policy                     `json:"l4-policy"`
	// contains filtered or unexported fields
}

Consumable is the entity that is being consumed by a Consumable.

func NewConsumable 

func NewConsumable(id NumericIdentity, lbls *Identity, cache *ConsumableCache) *Consumable

func (*Consumable) AddMap 

func (c *Consumable) AddMap(m *policymap.PolicyMap)

func (*Consumable) AllowConsumer 

func (c *Consumable) AllowConsumer(cache *ConsumableCache, id NumericIdentity) *Consumer

func (*Consumable) AllowConsumerAndReverse 

func (c *Consumable) AllowConsumerAndReverse(cache *ConsumableCache, id NumericIdentity)

func (*Consumable) Allows 

func (c *Consumable) Allows(id NumericIdentity) bool

func (*Consumable) BanConsumer 

func (c *Consumable) BanConsumer(id NumericIdentity)

func (*Consumable) DeepCopy 

func (c *Consumable) DeepCopy() *Consumable

func (*Consumable) Delete 

func (c *Consumable) Delete()

func (*Consumable) GetConsumer 

func (c *Consumable) GetConsumer(id NumericIdentity) *Consumer

func (*Consumable) GetModel 

func (c *Consumable) GetModel() *models.EndpointPolicy

func (*Consumable) RemoveMap 

func (c *Consumable) RemoveMap(m *policymap.PolicyMap)

type ConsumableCache 

type ConsumableCache struct {

	// List of consumables representing the reserved identities
	Reserved  []*Consumable
	Iteration int
	// contains filtered or unexported fields
}

func NewConsumableCache 

func NewConsumableCache() *ConsumableCache

func (*ConsumableCache) AddReserved 

func (c *ConsumableCache) AddReserved(elem *Consumable)

func (*ConsumableCache) GetOrCreate 

func (c *ConsumableCache) GetOrCreate(id NumericIdentity, lbls *Identity) *Consumable

func (*ConsumableCache) Lookup 

func (c *ConsumableCache) Lookup(id NumericIdentity) *Consumable

func (*ConsumableCache) Remove 

func (c *ConsumableCache) Remove(elem *Consumable)

type ConsumableDecision 

type ConsumableDecision byte
const (
	UNDECIDED ConsumableDecision = iota
	ACCEPT
	ALWAYS_ACCEPT
	DENY
)

func (ConsumableDecision) MarshalJSON 

func (d ConsumableDecision) MarshalJSON() ([]byte, error)

func (ConsumableDecision) String 

func (d ConsumableDecision) String() string

func (*ConsumableDecision) UnmarshalJSON 

func (d *ConsumableDecision) UnmarshalJSON(b []byte) error

type Consumer 

type Consumer struct {
	ID           NumericIdentity
	Reverse      *Consumer
	DeletionMark bool
	Decision     ConsumableDecision
}

Consumer is the entity that consumes a Consumable.

func NewConsumer 

func NewConsumer(id NumericIdentity) *Consumer

func (*Consumer) DeepCopy 

func (c *Consumer) DeepCopy() *Consumer

func (*Consumer) StringID 

func (c *Consumer) StringID() string

type Identity 

type Identity struct {
	// Identity's ID.
	ID NumericIdentity `json:"id"`
	// Endpoints that have this Identity where their value is the last time they were seen.
	Labels labels.Labels `json:"labels"`
	// Set of labels that belong to this Identity.
	Endpoints map[string]time.Time `json:"containers"`
}

Identity is the representation of the security context for a particular set of labels.

func NewIdentity 

func NewIdentity() *Identity

func NewIdentityFromModel 

func NewIdentityFromModel(base *models.Identity) *Identity

func (*Identity) AssociateEndpoint 

func (id *Identity) AssociateEndpoint(epID string)

AssociateEndpoint associates the endpoint with identity.

func (*Identity) DeepCopy 

func (id *Identity) DeepCopy() *Identity

func (*Identity) DisassociateEndpoint 

func (id *Identity) DisassociateEndpoint(epID string) bool

DisassociateEndpoint disassociates the endpoint endpoint with identity and return true if successful.

func (*Identity) GetModel 

func (id *Identity) GetModel() *models.Identity

func (*Identity) RefCount 

func (id *Identity) RefCount() int

type L4Filter 

type L4Filter struct {
	// Port is the destination port to allow
	Port int `json:"port,omitempty"`
	// Protocol is the L4 protocol to allow or NONE
	Protocol string `json:"protocol,omitempty"`
	// L7Parser specifies the L7 protocol parser (optional)
	L7Parser string `json:"l7-parser,omitempty"`
	// L7RedirectPort is the L7 proxy port to redirect to (optional)
	L7RedirectPort int `json:"l7-redirect-port,omitempty"`
	// L7Rules is a list of L7 rules which are passed to the L7 proxy (optional)
	L7Rules []AuxRule `json:"l7-rules,omitempty"`
}

func (*L4Filter) IsRedirect 

func (l4 *L4Filter) IsRedirect() bool

IsRedirect returns true if the L4 filter contains a port redirection

func (*L4Filter) Merge 

func (l4 *L4Filter) Merge(result *L4Policy, m map[string]L4Filter, proto string)

func (*L4Filter) String 

func (l4 *L4Filter) String() string

func (*L4Filter) UnmarshalJSON 

func (l4 *L4Filter) UnmarshalJSON(data []byte) error

type L4Policy 

type L4Policy struct {
	// key format: "proto:port"
	Ingress L4PolicyMap
	Egress  L4PolicyMap
}

func NewL4Policy 

func NewL4Policy() *L4Policy

func (*L4Policy) DeepCopy 

func (l4 *L4Policy) DeepCopy() *L4Policy

func (*L4Policy) GetModel 

func (l4 *L4Policy) GetModel() *models.L4Policy

func (*L4Policy) HasRedirect 

func (l4 *L4Policy) HasRedirect() bool

HasRedirect returns true if the L4 policy contains at least one port redirection

func (*L4Policy) RequiresConntrack 

func (l4 *L4Policy) RequiresConntrack() bool

RequiresConntrack returns true if if the L4 configuration requires connection tracking to be enabled.

type L4PolicyMap 

type L4PolicyMap map[string]L4Filter

func (L4PolicyMap) HasRedirect 

func (l4 L4PolicyMap) HasRedirect() bool

HasRedirect returns true if at least one L4 filter contains a port redirection

type Node 

type Node struct {
	Name     string           `json:"name"`
	Parent   *Node            `json:"-"`
	Rules    []PolicyRule     `json:"rules,omitempty"`
	Children map[string]*Node `json:"children,omitempty"`
	// contains filtered or unexported fields
}

Node to define hierarchy of rules

func NewNode 

func NewNode(name string, parent *Node) *Node

func (*Node) AddChild 

func (n *Node) AddChild(name string, child *Node) (bool, error)

func (*Node) Allows 

func (n *Node) Allows(ctx *SearchContext) ConsumableDecision

func (*Node) CanMerge 

func (n *Node) CanMerge(obj *Node) error

CanMerge returns an error if obj cannot be safely merged into an existing node

func (*Node) Covers 

func (n *Node) Covers(ctx *SearchContext) bool

func (*Node) DebugString 

func (n *Node) DebugString(level int) string

func (*Node) HasPolicyRule 

func (n *Node) HasPolicyRule(pr PolicyRule) bool

func (*Node) HasRules 

func (n *Node) HasRules() bool

HasRules returns true if a node has any rules attached or at least one child.

func (*Node) IsMergeable 

func (n *Node) IsMergeable() bool

IsMergeable returns true if the node is eligible to be merged with another node

func (*Node) JSONMarshal 

func (n *Node) JSONMarshal() string

func (*Node) Merge 

func (n *Node) Merge(obj *Node) (bool, error)

Merge incorporates the rules and children of obj into an existing node

func (*Node) NormalizeNames 

func (n *Node) NormalizeNames(path string) (string, error)

NormalizeNames walks all policy nodes and normalizes the policy node name according to to the path specified. Takes a node with a list of optional children and the path to where the node is/will be located in the tree.

1. If the name of a node is omitted, the node name will be derived from the path. The element after the last node path delimiter is assumed to be the node name, e.g. rootNode.parentNode.name

2. If the node name is an absolute path, it must match the path but will be translated to a relative node name.

func (*Node) Path 

func (n *Node) Path() string

func (*Node) ResolveL4Policy 

func (n *Node) ResolveL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy

func (*Node) ResolveName 

func (n *Node) ResolveName(name string) string

ResolveName translates a possibly relative name to an absolute path relative to the node

func (*Node) ResolveTree 

func (n *Node) ResolveTree() error

func (*Node) UnmarshalJSON 

func (n *Node) UnmarshalJSON(data []byte) error

type NumericIdentity 

type NumericIdentity uint32

NumericIdentity represents an identity of an entity to which consumer policy can be applied to. 

const (
	ID_UNKNOWN NumericIdentity = iota
	ID_HOST
	ID_WORLD
)

func GetReservedID 

func GetReservedID(name string) NumericIdentity

func ParseNumericIdentity 

func ParseNumericIdentity(id string) (NumericIdentity, error)

func (NumericIdentity) String 

func (id NumericIdentity) String() string

func (NumericIdentity) StringID 

func (id NumericIdentity) StringID() string

func (NumericIdentity) Uint32 

func (id NumericIdentity) Uint32() uint32

Uint32 normalizes the ID for use in BPF program.

type PolicyRule 

type PolicyRule interface {
	// Resolve must resolve any internal label members to the full path
	// assuming that the rule is attached to the specified node.
	Resolve(node *Node) error

	// SHA256Sum must return the SHA256 hash over the policy rule
	SHA256Sum() (string, error)

	// CoverageSHA256Sum must return the SHA256 hash over the coverage
	// section of the policy rule
	CoverageSHA256Sum() (string, error)

	// IsMergeable must return true if a rule allows merging with other
	// rules within a node. Certain rules are not additive and require
	// strict ordering, such rules may never be merged in a node as
	// merging may occur in undefined order.
	IsMergeable() bool
}

type Privilege 

type Privilege byte

Privilege represents the privileges available to define for a policy node. 

const (
	ALLOW Privilege = iota
	ALWAYS_ALLOW
	REQUIRES
	L4
)

func (Privilege) MarshalJSON 

func (p Privilege) MarshalJSON() ([]byte, error)

func (Privilege) String 

func (p Privilege) String() string

func (*Privilege) UnmarshalJSON 

func (p *Privilege) UnmarshalJSON(b []byte) error

type RuleConsumers 

type RuleConsumers struct {
	Coverage []labels.Label `json:"coverage,omitempty"`
	Allow    []AllowRule    `json:"allow"`
}

RuleConsumers allows the following consumers.

func (*RuleConsumers) Allows 

func (prc *RuleConsumers) Allows(ctx *SearchContext) ConsumableDecision

func (*RuleConsumers) CoverageSHA256Sum 

func (prc *RuleConsumers) CoverageSHA256Sum() (string, error)

func (*RuleConsumers) IsMergeable 

func (prc *RuleConsumers) IsMergeable() bool

func (*RuleConsumers) Resolve 

func (prc *RuleConsumers) Resolve(node *Node) error

func (*RuleConsumers) SHA256Sum 

func (prc *RuleConsumers) SHA256Sum() (string, error)

func (*RuleConsumers) String 

func (prc *RuleConsumers) String() string

type RuleL4 

type RuleL4 struct {
	Coverage []labels.Label `json:"coverage,omitempty"`
	Allow    []AllowL4      `json:"l4"`
}

func (*RuleL4) CoverageSHA256Sum 

func (l4 *RuleL4) CoverageSHA256Sum() (string, error)

func (*RuleL4) GetL4Policy 

func (l4 *RuleL4) GetL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy

func (*RuleL4) IsMergeable 

func (l4 *RuleL4) IsMergeable() bool

func (*RuleL4) Resolve 

func (l4 *RuleL4) Resolve(node *Node) error

func (*RuleL4) SHA256Sum 

func (l4 *RuleL4) SHA256Sum() (string, error)

type RuleRequires 

type RuleRequires struct {
	Coverage []labels.Label `json:"coverage,omitempty"`
	Requires []labels.Label `json:"requires"`
}

RuleRequires any further consumer requires the specified list of labels in order to consume.

func (*RuleRequires) Allows 

func (prr *RuleRequires) Allows(ctx *SearchContext) ConsumableDecision

Allows a require rule imposes additional label requirements but does not imply access immediately. Hence if the label context is not sufficient access can be denied but fullfillment of the requirement only leads to the decision being UNDECIDED waiting on an explicit allow rule further down the tree

func (*RuleRequires) CoverageSHA256Sum 

func (prr *RuleRequires) CoverageSHA256Sum() (string, error)

func (*RuleRequires) IsMergeable 

func (prr *RuleRequires) IsMergeable() bool

func (*RuleRequires) Resolve 

func (prr *RuleRequires) Resolve(node *Node) error

func (*RuleRequires) SHA256Sum 

func (prr *RuleRequires) SHA256Sum() (string, error)

func (*RuleRequires) String 

func (prr *RuleRequires) String() string

type SearchContext 

type SearchContext struct {
	Trace   Tracing
	Depth   int
	Logging *logging.LogBackend
	// TODO: Put this as []*Label?
	From []labels.Label
	To   []labels.Label
}

func (*SearchContext) CallDepth 

func (s *SearchContext) CallDepth() string

func (*SearchContext) String 

func (s *SearchContext) String() string

func (*SearchContext) TargetCoveredBy 

func (s *SearchContext) TargetCoveredBy(coverage []labels.Label) bool

type SearchContextReply 

type SearchContextReply struct {
	Logging  []byte
	Decision ConsumableDecision
}

type Tracing 

type Tracing int
const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)

type Tree 

type Tree struct {
	Root  *Node
	Mutex sync.RWMutex
}

Tree overall policy tree.

func (*Tree) Add 

func (t *Tree) Add(parentPath string, node *Node) (bool, error)

Add adds the provided policy node at the specified path.

func (*Tree) Allows 

func (t *Tree) Allows(ctx *SearchContext) ConsumableDecision

func (*Tree) Delete 

func (t *Tree) Delete(path string, coverage string) bool

func (*Tree) Lookup 

func (t *Tree) Lookup(path string) (node, parent *Node)

Lookup returns a policy node and its parent for a given path

func (*Tree) ResolveL4Policy 

func (t *Tree) ResolveL4Policy(ctx *SearchContext) *L4Policy

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.