func createRBACPerRouteConfig()

in grpc-xds/control-plane-go/pkg/xds/rds/route_grpc_server.go [79:131]


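// createRBACPerRouteConfig builds the per-route RBAC filter config attached to
// the greeter route: a single ALLOW policy ("greeter-clients") that admits
// calls to methods under "/helloworld.Greeter/" only from authenticated peers
// whose SPIFFE ID lives in one of the given Kubernetes namespaces.
//
// allowNamespaces are Kubernetes namespace names. With no names the policy
// falls back to ".+", i.e. any namespace in any trust domain. Each name is
// validated as an RFC 1123 label (lowercase alphanumerics and "-") before it
// is spliced into the principal regex, so a caller cannot accidentally widen
// the policy by passing a regex fragment such as ".+" or "a|b" as a name.
// The trust domain ("spiffe://<td>/") is deliberately not restricted here;
// tighten the regex if the mesh spans trust domains that must not be trusted.
//
// Returns the marshalled RBACPerRoute as an Any, or an error if a namespace
// name is invalid or marshalling fails.
func createRBACPerRouteConfig(allowNamespaces ...string) (*anypb.Any, error) {
	pipedNamespaces := ".+" // default: no namespace restriction
	if len(allowNamespaces) > 0 {
		for _, ns := range allowNamespaces {
			if !isRBACNamespaceLabel(ns) {
				return nil, fmt.Errorf("invalid namespace name %q in RBAC allow list", ns)
			}
		}
		// Safe to join verbatim: validated labels contain no RE2 metacharacters.
		pipedNamespaces = strings.Join(allowNamespaces, "|")
	}
	return anypb.New(&rbacfilterv3.RBACPerRoute{
		Rbac: &rbacfilterv3.RBAC{
			Rules: &rbacv3.RBAC{
				// ALLOW semantics: a request is admitted only if some policy
				// matches both a permission and a principal; everything else
				// is denied.
				Action: rbacv3.RBAC_ALLOW,
				Policies: map[string]*rbacv3.Policy{
					"greeter-clients": {
						Permissions: []*rbacv3.Permission{
							{
								// Permissions can match URL path, headers/metadata, and more.
								// Here: any method of the Greeter service.
								Rule: &rbacv3.Permission_UrlPath{
									UrlPath: &matcherv3.PathMatcher{
										Rule: &matcherv3.PathMatcher_Path{
											Path: &matcherv3.StringMatcher{
												MatchPattern: &matcherv3.StringMatcher_Prefix{
													Prefix: "/helloworld.Greeter/",
												},
												// NOTE(review): gRPC method paths are
												// case-sensitive, so this only widens
												// the match to requests no handler would
												// serve anyway; drop it if the route must
												// match exactly.
												IgnoreCase: true,
											},
										},
									},
								},
								// Alternative kept for reference: match every path.
								// Rule: &rbacv3.Permission_Any{
								// 	Any: true,
								// },
							},
						},
						Principals: []*rbacv3.Principal{
							{
								Identifier: &rbacv3.Principal_Authenticated_{
									Authenticated: &rbacv3.Principal_Authenticated{
										PrincipalName: &matcherv3.StringMatcher{
											MatchPattern: &matcherv3.StringMatcher_SafeRegex{
												SafeRegex: &matcherv3.RegexMatcher{
													// Matches against URI SANs, then DNS SANs, then Subject DN.
													// The "spiffe://" prefix means only a URI SAN can
													// realistically satisfy this; DNS SANs and DNs won't.
													// NOTE(review): presumably the xDS client full-matches
													// safe_regex (Envoy and grpc-go do), so the pattern is
													// effectively anchored — confirm before relying on it.
													Regex: fmt.Sprintf("spiffe://[^/]+/ns/(%s)/sa/.+", pipedNamespaces),
												},
											},
										},
									},
								},
							},
						},
					},
				},
			},
		},
	})
}

// isRBACNamespaceLabel reports whether name is a syntactically valid
// Kubernetes namespace name (RFC 1123 label: 1-63 characters, lowercase
// alphanumerics or "-", starting and ending with an alphanumeric). Every such
// name is free of RE2 metacharacters, so it can be embedded in a regex as-is.
func isRBACNamespaceLabel(name string) bool {
	if len(name) == 0 || len(name) > 63 {
		return false
	}
	last := len(name) - 1
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case c >= 'a' && c <= 'z', c >= '0' && c <= '9':
			// alphanumeric: allowed anywhere
		case c == '-' && i != 0 && i != last:
			// hyphen: allowed only in the interior
		default:
			return false
		}
	}
	return true
}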