in xds/utils/rbac/matchers.go [90:145]
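// matchersFromPermissions converts a list of RBAC permissions into the
// matchers that enforce them, preserving the order of the input.
//
// AndRules and OrRules are expanded recursively into an andMatcher and an
// orMatcher. NotRule wraps the matcher built from its inner rule in a
// notMatcher. Metadata and RequestedServerName permissions are not supported
// and contribute no matcher, and neither does a rule type this switch does not
// list. The first error returned while building a nested matcher aborts the
// conversion and is returned unchanged.
func matchersFromPermissions(permissions []*v3rbacpb.Permission) ([]matcher, error) {
	var matchers []matcher
	for _, permission := range permissions {
		switch permission.GetRule().(type) {
		case *v3rbacpb.Permission_AndRules:
			// The generated getters are nil-safe, so an unset rule set yields
			// an empty list instead of a nil-pointer dereference.
			mList, err := matchersFromPermissions(permission.GetAndRules().GetRules())
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, &andMatcher{matchers: mList})
		case *v3rbacpb.Permission_OrRules:
			mList, err := matchersFromPermissions(permission.GetOrRules().GetRules())
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, &orMatcher{matchers: mList})
		case *v3rbacpb.Permission_Any:
			matchers = append(matchers, &alwaysMatcher{})
		case *v3rbacpb.Permission_Header:
			m, err := newHeaderMatcher(permission.GetHeader())
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, m)
		case *v3rbacpb.Permission_UrlPath:
			m, err := newURLPathMatcher(permission.GetUrlPath())
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, m)
		case *v3rbacpb.Permission_DestinationIp:
			// Due to this being on server side, the destination IP is the local
			// IP.
			m, err := newLocalIPMatcher(permission.GetDestinationIp())
			if err != nil {
				return nil, err
			}
			matchers = append(matchers, m)
		case *v3rbacpb.Permission_DestinationPort:
			matchers = append(matchers, newPortMatcher(permission.GetDestinationPort()))
		case *v3rbacpb.Permission_NotRule:
			mList, err := matchersFromPermissions([]*v3rbacpb.Permission{{Rule: permission.GetNotRule().GetRule()}})
			if err != nil {
				return nil, err
			}
			// The inner rule yields no matcher when it is unset or of an
			// unsupported type (Metadata, RequestedServerName). Indexing
			// mList[0] would then panic while the policy is being built, so
			// the NOT rule is skipped like any other unsupported permission.
			// NOTE(review): skipping changes what the surrounding policy
			// matches; confirm whether rejecting the config with an error is
			// the preferred handling.
			if len(mList) == 0 {
				continue
			}
			matchers = append(matchers, &notMatcher{matcherToNot: mList[0]})
		case *v3rbacpb.Permission_Metadata:
			// Not supported in gRPC RBAC currently - a permission typed as
			// Metadata in the initial config will be a no-op.
		case *v3rbacpb.Permission_RequestedServerName:
			// Not supported in gRPC RBAC currently - a permission typed as
			// requested server name in the initial config will be a no-op.
		}
	}
	return matchers, nil
}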