feat(policy): add interfaces for policy plugins

Rework the way policy plugins work to be able to handle policy matching in the plugin Signed-off-by: Charly Molter <charly.molter@konghq.com>
kumahq · Aug 29, 2022 · 8215749 · 8215749
1 parent 5d376a6
commit 8215749
Show file tree

Hide file tree

Showing 6 changed files with 245 additions and 121 deletions.
diff --git a/pkg/core/plugins/interfaces.go b/pkg/core/plugins/interfaces.go
@@ -5,10 +5,13 @@ import (
 
 	"github.com/kumahq/kuma/pkg/api-server/authn"
 	core_ca "github.com/kumahq/kuma/pkg/core/ca"
+	core_mesh "github.com/kumahq/kuma/pkg/core/resources/apis/mesh"
 	core_store "github.com/kumahq/kuma/pkg/core/resources/store"
 	core_runtime "github.com/kumahq/kuma/pkg/core/runtime"
 	secret_store "github.com/kumahq/kuma/pkg/core/secrets/store"
+	core_xds "github.com/kumahq/kuma/pkg/core/xds"
 	"github.com/kumahq/kuma/pkg/events"
+	xds_context "github.com/kumahq/kuma/pkg/xds/context"
 )
 
 type Plugin interface{}
@@ -80,3 +83,13 @@ type AuthnAPIServerPlugin interface {
 	Plugin
 	NewAuthenticator(PluginContext) (authn.Authenticator, error)
 }
+
+// PolicyPlugin a plugin to add a Policy to Kuma
+type PolicyPlugin interface {
+	Plugin
+	// MatchedPolicies return all the policies of the plugins' type matching this dataplane. This is used in the inspect api and accessible in Apply through `proxy.Policies.Dynamic`
+	MatchedPolicies(dataplane *core_mesh.DataplaneResource, resources xds_context.Resources) (core_xds.TypedMatchingPolicies, error)
+	// Apply to `rs` using the `ctx` and `proxy` the mutation for all policies of the type this plugin implements.
+	// You can access matching policies by using `proxy.Policies.Dynamic`.
+	Apply(rs *core_xds.ResourceSet, ctx xds_context.Context, proxy *core_xds.Proxy) error
+}
diff --git a/pkg/core/plugins/registry.go b/pkg/core/plugins/registry.go
@@ -16,6 +16,7 @@ const (
 	runtimePlugin       pluginType = "runtime"
 	caPlugin            pluginType = "ca"
 	authnAPIServer      pluginType = "authn-api-server"
+	policyPlugin        pluginType = "policy"
 )
 
 type PluginName string
@@ -39,6 +40,7 @@ type Registry interface {
 	RuntimePlugins() map[PluginName]RuntimePlugin
 	CaPlugins() map[PluginName]CaPlugin
 	AuthnAPIServer() map[PluginName]AuthnAPIServerPlugin
+	PolicyPlugins() map[PluginName]PolicyPlugin
 }
 
 type RegistryMutator interface {
@@ -59,6 +61,7 @@ func NewRegistry() MutableRegistry {
 		runtime:        make(map[PluginName]RuntimePlugin),
 		ca:             make(map[PluginName]CaPlugin),
 		authnAPIServer: make(map[PluginName]AuthnAPIServerPlugin),
+		policy:         make(map[PluginName]PolicyPlugin),
 	}
 }
 
@@ -72,6 +75,7 @@ type registry struct {
 	runtime        map[PluginName]RuntimePlugin
 	ca             map[PluginName]CaPlugin
 	authnAPIServer map[PluginName]AuthnAPIServerPlugin
+	policy         map[PluginName]PolicyPlugin
 }
 
 func (r *registry) ResourceStore(name PluginName) (ResourceStorePlugin, error) {
@@ -106,6 +110,10 @@ func (r *registry) RuntimePlugins() map[PluginName]RuntimePlugin {
 	return r.runtime
 }
 
+func (r *registry) PolicyPlugins() map[PluginName]PolicyPlugin {
+	return r.policy
+}
+
 func (r *registry) BootstrapPlugins() []BootstrapPlugin {
 	var plugins []BootstrapPlugin
 	for _, plugin := range r.bootstrap {
@@ -172,6 +180,12 @@ func (r *registry) Register(name PluginName, plugin Plugin) error {
 		}
 		r.authnAPIServer[name] = authn
 	}
+	if policy, ok := plugin.(PolicyPlugin); ok {
+		if old, exists := r.policy[name]; exists {
+			return pluginAlreadyRegisteredError(policyPlugin, name, old, policy)
+		}
+		r.policy[name] = policy
+	}
 	return nil
 }
 

diff --git a/pkg/core/xds/matched_policies.go b/pkg/core/xds/matched_policies.go
@@ -9,6 +9,16 @@ import (
 	core_model "github.com/kumahq/kuma/pkg/core/resources/model"
 )
 
+type MatchingPolicyMap map[core_model.ResourceType][]core_model.Resource
+
+// TypedMatchingPolicies all policies of this type matching
+type TypedMatchingPolicies struct {
+	Type              core_model.ResourceType
+	InboundPolicies   map[mesh_proto.InboundInterface][]core_model.Resource
+	OutboundPolicies  map[mesh_proto.OutboundInterface][]core_model.Resource
+	ServicePolicies   map[ServiceName][]core_model.Resource
+	DataplanePolicies []core_model.Resource
+}
 type MatchedPolicies struct {
 	// Inbound(Listener) -> Policy
 	TrafficPermissions    TrafficPermissionMap
@@ -32,6 +42,19 @@ type MatchedPolicies struct {
 	TrafficTrace *core_mesh.TrafficTraceResource
 	// Actual Envoy Configuration is generated without taking this ProxyTemplate into account
 	ProxyTemplate *core_mesh.ProxyTemplateResource
+
+	Dynamic map[core_model.ResourceType]TypedMatchingPolicies
+}
+
+func (m *MatchedPolicies) orderedDynamicPolicies() []core_model.ResourceType {
+	var all []core_model.ResourceType
+	for k := range m.Dynamic {
+		all = append(all, k)
+	}
+	sort.Slice(all, func(i, j int) bool {
+		return all[i] < all[j]
+	})
+	return all
 }
 
 type AttachmentType int64
@@ -190,6 +213,11 @@ func getInboundMatchedPolicies(matchedPolicies *MatchedPolicies) map[mesh_proto.
 			result[inbound] = append(result[inbound], customList)
 		}
 	}
+	for _, tpe := range matchedPolicies.orderedDynamicPolicies() {
+		for inbound, elts := range matchedPolicies.Dynamic[tpe].InboundPolicies {
+			result[inbound] = append(result[inbound], elts...)
+		}
+	}
 
 	return result
 }
@@ -203,8 +231,13 @@ func getOutboundMatchedPolicies(matchedPolicies *MatchedPolicies) map[mesh_proto
 	for outbound, rl := range matchedPolicies.RateLimitsOutbound {
 		result[outbound] = append(result[outbound], rl)
 	}
-	for outboud, tr := range matchedPolicies.TrafficRoutes {
-		result[outboud] = append(result[outboud], tr)
+	for outbound, tr := range matchedPolicies.TrafficRoutes {
+		result[outbound] = append(result[outbound], tr)
+	}
+	for _, tpe := range matchedPolicies.orderedDynamicPolicies() {
+		for outbound, elts := range matchedPolicies.Dynamic[tpe].OutboundPolicies {
+			result[outbound] = append(result[outbound], elts...)
+		}
 	}
 
 	return result
@@ -225,6 +258,11 @@ func getServiceMatchedPolicies(matchedPolicies *MatchedPolicies) map[ServiceName
 	for service, retry := range matchedPolicies.Retries {
 		result[service] = append(result[service], retry)
 	}
+	for _, tpe := range matchedPolicies.orderedDynamicPolicies() {
+		for serviceName, elts := range matchedPolicies.Dynamic[tpe].ServicePolicies {
+			result[serviceName] = append(result[serviceName], elts...)
+		}
+	}
 
 	return result
 }
@@ -237,6 +275,9 @@ func getDataplaneMatchedPolicies(matchedPolicies *MatchedPolicies) []core_model.
 	if matchedPolicies.ProxyTemplate != nil {
 		resources = append(resources, matchedPolicies.ProxyTemplate)
 	}
+	for _, tpe := range matchedPolicies.orderedDynamicPolicies() {
+		resources = append(resources, matchedPolicies.Dynamic[tpe].DataplanePolicies...)
+	}
 	return resources
 }