Add authorize Monitor connection elements. #1333

Merged
33 changes: 24 additions & 9 deletions pkg/networkservice/chains/endpoint/server.go
@@ -1,6 +1,6 @@
// Copyright (c) 2020-2021 Cisco Systems, Inc.
// Copyright (c) 2020-2022 Cisco Systems, Inc.
//
// Copyright (c) 2020-2021 Doc.ai and/or its affiliates.
// Copyright (c) 2020-2022 Doc.ai and/or its affiliates.
//
// SPDX-License-Identifier: Apache-2.0
//
@@ -41,6 +41,8 @@ import (
"github.com/networkservicemesh/sdk/pkg/networkservice/common/updatetoken"
"github.com/networkservicemesh/sdk/pkg/networkservice/core/chain"
"github.com/networkservicemesh/sdk/pkg/tools/grpcutils"
authmonitor "github.com/networkservicemesh/sdk/pkg/tools/monitorconnection/authorize"
"github.com/networkservicemesh/sdk/pkg/tools/monitorconnection/next"
"github.com/networkservicemesh/sdk/pkg/tools/token"
)

@@ -60,9 +62,10 @@ type endpoint struct {
}

type serverOptions struct {
name string
authorizeServer networkservice.NetworkServiceServer
additionalFunctionality []networkservice.NetworkServiceServer
name string
authorizeServer networkservice.NetworkServiceServer
authorizeMonitorConnectionServer networkservice.MonitorConnectionServer
additionalFunctionality []networkservice.NetworkServiceServer
}

// Option modifies server option value
@@ -85,6 +88,16 @@ func WithAuthorizeServer(authorizeServer networkservice.NetworkServiceServer) Op
}
}

// WithAuthorizeMonitorConnectionServer sets authorization MonitorConnectionServer chain element
func WithAuthorizeMonitorConnectionServer(authorizeMonitorConnectionServer networkservice.MonitorConnectionServer) Option {
if authorizeMonitorConnectionServer == nil {
panic("authorizeMonitorConnectionServer cannot be nil")
}
return func(o *serverOptions) {
o.authorizeMonitorConnectionServer = authorizeMonitorConnectionServer
}
}

// WithAdditionalFunctionality sets additional NetworkServiceServer chain elements to be included in the chain
func WithAdditionalFunctionality(additionalFunctionality ...networkservice.NetworkServiceServer) Option {
return func(o *serverOptions) {
@@ -95,12 +108,14 @@ func WithAdditionalFunctionality(additionalFunctionality ...networkservice.Netwo
// NewServer - returns a NetworkServiceMesh client as a chain of the standard Client pieces plus whatever
func NewServer(ctx context.Context, tokenGenerator token.GeneratorFunc, options ...Option) Endpoint {
opts := &serverOptions{
name: "endpoint-" + uuid.New().String(),
authorizeServer: authorize.NewServer(authorize.Any()),
name: "endpoint-" + uuid.New().String(),
authorizeServer: authorize.NewServer(authorize.Any()),
authorizeMonitorConnectionServer: authmonitor.NewMonitorConnectionServer(authmonitor.Any()),
}
for _, opt := range options {
opt(opts)
}
var mcsPtr networkservice.MonitorConnectionServer

rv := &endpoint{}
rv.NetworkServiceServer = chain.NewNetworkServiceServer(
@@ -111,10 +126,10 @@ func NewServer(ctx context.Context, tokenGenerator token.GeneratorFunc, options
opts.authorizeServer,
metadata.NewServer(),
timeout.NewServer(ctx),
monitor.NewServer(ctx, &rv.MonitorConnectionServer),
monitor.NewServer(ctx, &mcsPtr),
trimpath.NewServer(),
}, opts.additionalFunctionality...)...)

rv.MonitorConnectionServer = next.NewMonitorConnectionServer(opts.authorizeMonitorConnectionServer, mcsPtr)
return rv
}

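Review bot: The last added line wraps mcsPtr by value, so the inner element handed to next.NewMonitorConnectionServer is whatever monitor.NewServer(ctx, &mcsPtr) has stored by the time NewServer reaches that line; before this change the embedded field was dereferenced on each MonitorConnections call through &rv.MonitorConnectionServer, so a pointer written later would still have worked, whereas now it would leave a nil inner server behind the authorize element. monitor.NewServer is not visible here, so if it writes through the pointer before returning the code is fine, but that ordering deserves a comment on `var mcsPtr networkservice.MonitorConnectionServer`, e.g. `// filled in by monitor.NewServer below; must be set before it is wrapped with the authorize element`. The doc comment on WithAuthorizeMonitorConnectionServer should also state the default: without the option authmonitor.Any() is used, so the MonitorConnections stream is served to any caller; the same applies to the identical option added in nsmgr/server.go and nsmgrproxy/server.go. NewServer begins and ends inside this section, but the import hunk is cut at its top.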
35 changes: 24 additions & 11 deletions pkg/networkservice/chains/nsmgr/server.go
@@ -58,6 +58,7 @@ import (
registryadapter "github.com/networkservicemesh/sdk/pkg/registry/core/adapters"
"github.com/networkservicemesh/sdk/pkg/registry/core/chain"
"github.com/networkservicemesh/sdk/pkg/tools/grpcutils"
authmonitor "github.com/networkservicemesh/sdk/pkg/tools/monitorconnection/authorize"
"github.com/networkservicemesh/sdk/pkg/tools/token"
)

@@ -74,13 +75,14 @@ type nsmgrServer struct {
}

type serverOptions struct {
authorizeServer networkservice.NetworkServiceServer
dialOptions []grpc.DialOption
dialTimeout time.Duration
regURL *url.URL
name string
url string
forwarderServiceName string
authorizeServer networkservice.NetworkServiceServer
authorizeMonitorConnectionServer networkservice.MonitorConnectionServer
dialOptions []grpc.DialOption
dialTimeout time.Duration
regURL *url.URL
name string
url string
forwarderServiceName string
}

// Option modifies server option value
@@ -118,6 +120,16 @@ func WithAuthorizeServer(authorizeServer networkservice.NetworkServiceServer) Op
}
}

// WithAuthorizeMonitorConnectionServer sets authorization MonitorConnectionServer chain element
func WithAuthorizeMonitorConnectionServer(authorizeMonitorConnectionServer networkservice.MonitorConnectionServer) Option {
if authorizeMonitorConnectionServer == nil {
panic("authorizeMonitorConnectionServer cannot be nil")
}
return func(o *serverOptions) {
o.authorizeMonitorConnectionServer = authorizeMonitorConnectionServer
}
}

// WithRegistry sets URL and dial options to reach the upstream registry, if not passed memory storage will be used.
func WithRegistry(regURL *url.URL) Option {
return func(o *serverOptions) {
@@ -147,16 +159,16 @@ var _ Nsmgr = (*nsmgrServer)(nil)
// options - a set of Nsmgr options.
func NewServer(ctx context.Context, tokenGenerator token.GeneratorFunc, options ...Option) Nsmgr {
opts := &serverOptions{
authorizeServer: authorize.NewServer(authorize.Any()),
name: "nsmgr-" + uuid.New().String(),
forwarderServiceName: "forwarder",
authorizeServer: authorize.NewServer(authorize.Any()),
authorizeMonitorConnectionServer: authmonitor.NewMonitorConnectionServer(authmonitor.Any()),
name: "nsmgr-" + uuid.New().String(),
forwarderServiceName: "forwarder",
}
for _, opt := range options {
opt(opts)
}

rv := &nsmgrServer{}

var nsRegistry = memory.NewNetworkServiceRegistryServer()
if opts.regURL != nil {
// Use remote registry
@@ -212,6 +224,7 @@ func NewServer(ctx context.Context, tokenGenerator token.GeneratorFunc, options
rv.Endpoint = endpoint.NewServer(ctx, tokenGenerator,
endpoint.WithName(opts.name),
endpoint.WithAuthorizeServer(opts.authorizeServer),
endpoint.WithAuthorizeMonitorConnectionServer(opts.authorizeMonitorConnectionServer),
endpoint.WithAdditionalFunctionality(
adapters.NewClientToServer(clientinfo.NewClient()),
discoverforwarder.NewServer(
35 changes: 24 additions & 11 deletions pkg/networkservice/chains/nsmgrproxy/server.go
@@ -50,6 +50,7 @@ import (
"github.com/networkservicemesh/sdk/pkg/tools/fs"
"github.com/networkservicemesh/sdk/pkg/tools/grpcutils"
"github.com/networkservicemesh/sdk/pkg/tools/log"
authmonitor "github.com/networkservicemesh/sdk/pkg/tools/monitorconnection/authorize"
"github.com/networkservicemesh/sdk/pkg/tools/token"
)

@@ -67,12 +68,13 @@ type nsmgrProxyServer struct {
}

type serverOptions struct {
name string
mapipFilePath string
listenOn *url.URL
authorizeServer networkservice.NetworkServiceServer
dialOptions []grpc.DialOption
dialTimeout time.Duration
name string
mapipFilePath string
listenOn *url.URL
authorizeServer networkservice.NetworkServiceServer
authorizeMonitorConnectionServer networkservice.MonitorConnectionServer
dialOptions []grpc.DialOption
dialTimeout time.Duration
}

func (s *serverOptions) openMapIPChannel(ctx context.Context) <-chan map[string]string {
@@ -117,6 +119,16 @@ func WithAuthorizeServer(authorizeServer networkservice.NetworkServiceServer) Op
}
}

// WithAuthorizeMonitorConnectionServer sets authorization MonitorConnectionServer chain element
func WithAuthorizeMonitorConnectionServer(authorizeMonitorConnectionServer networkservice.MonitorConnectionServer) Option {
if authorizeMonitorConnectionServer == nil {
panic("authorizeMonitorConnectionServer cannot be nil")
}
return func(o *serverOptions) {
o.authorizeMonitorConnectionServer = authorizeMonitorConnectionServer
}
}

// WithListenOn sets current listenOn url
func WithListenOn(u *url.URL) Option {
return func(o *serverOptions) {
@@ -148,12 +160,12 @@ func WithDialTimeout(dialTimeout time.Duration) Option {
// NewServer creates new proxy NSMgr
func NewServer(ctx context.Context, regURL, proxyURL *url.URL, tokenGenerator token.GeneratorFunc, options ...Option) nsmgr.Nsmgr {
rv := new(nsmgrProxyServer)

opts := &serverOptions{
name: "nsmgr-proxy-" + uuid.New().String(),
authorizeServer: authorize.NewServer(authorize.Any()),
listenOn: &url.URL{Scheme: "unix", Host: "listen.on"},
mapipFilePath: "map-ip.yaml",
name: "nsmgr-proxy-" + uuid.New().String(),
authorizeServer: authorize.NewServer(authorize.Any()),
authorizeMonitorConnectionServer: authmonitor.NewMonitorConnectionServer(authmonitor.Any()),
listenOn: &url.URL{Scheme: "unix", Host: "listen.on"},
mapipFilePath: "map-ip.yaml",
}
for _, opt := range options {
opt(opts)
@@ -185,6 +197,7 @@ func NewServer(ctx context.Context, regURL, proxyURL *url.URL, tokenGenerator to
rv.Endpoint = endpoint.NewServer(ctx, tokenGenerator,
endpoint.WithName(opts.name),
endpoint.WithAuthorizeServer(opts.authorizeServer),
endpoint.WithAuthorizeMonitorConnectionServer(opts.authorizeMonitorConnectionServer),
endpoint.WithAdditionalFunctionality(
interdomainbypass.NewServer(&interdomainBypassNSEServer, opts.listenOn),
discover.NewServer(nsClient, nseClient),
17 changes: 9 additions & 8 deletions pkg/networkservice/common/authorize/client.go
@@ -1,6 +1,6 @@
// Copyright (c) 2020-2021 Doc.ai and/or its affiliates.
// Copyright (c) 2020-2022 Doc.ai and/or its affiliates.
//
// Copyright (c) 2020-2021 Cisco Systems, Inc.
// Copyright (c) 2020-2022 Cisco Systems, Inc.
//
// SPDX-License-Identifier: Apache-2.0
//
@@ -42,19 +42,20 @@ type authorizeClient struct {
// NewClient - returns a new authorization networkservicemesh.NetworkServiceClient
// Authorize client checks rigiht side of path.
func NewClient(opts ...Option) networkservice.NetworkServiceClient {
var result = &authorizeClient{
policies: []Policy{
o := &options{
policies: policiesList{
opa.WithTokensValidPolicy(),
opa.WithNextTokenSignedPolicy(),
opa.WithTokensExpiredPolicy(),
opa.WithTokenChainPolicy(),
},
}

for _, o := range opts {
o.apply(&result.policies)
for _, opt := range opts {
opt(o)
}
var result = &authorizeClient{
policies: o.policies,
}

return result
}

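Review bot: NewClient now applies every Option to the shared options struct but copies only o.policies into authorizeClient, so a caller that passes WithSpiffeIDConnectionMap to the client gets neither an error nor any effect. Say so where the caller will look, either in NewClient's doc comment, `// Only WithPolicies and Any affect the client; WithSpiffeIDConnectionMap is ignored here.`, or in the option's own comment in options.go. The nearby existing comment `Authorize client checks rigiht side of path.` also carries a typo that could be fixed while this block is being edited.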
30 changes: 18 additions & 12 deletions pkg/networkservice/common/authorize/options.go
@@ -1,6 +1,6 @@
// Copyright (c) 2020-2021 Doc.ai and/or its affiliates.
// Copyright (c) 2020-2022 Doc.ai and/or its affiliates.
//
// Copyright (c) 2020-2021 Cisco Systems, Inc.
// Copyright (c) 2020-2022 Cisco Systems, Inc.
//
// SPDX-License-Identifier: Apache-2.0
//
@@ -18,25 +18,31 @@

package authorize

// Option is authorization option for server
type Option interface {
apply(*policiesList)
import "github.com/networkservicemesh/sdk/pkg/tools/spire"

type options struct {
policies policiesList
spiffeIDConnectionMap *spire.SpiffeIDConnectionMap
}

// Option is authorization option for network service server
type Option func(*options)

// Any authorizes any call of request/close
func Any() Option {
return WithPolicies(nil)
}

// WithPolicies sets custom policies
func WithPolicies(p ...Policy) Option {
return optionFunc(func(l *policiesList) {
*l = p
})
return func(o *options) {
o.policies = p
}
}

type optionFunc func(*policiesList)

func (f optionFunc) apply(a *policiesList) {
f(a)
// WithSpiffeIDConnectionMap sets map to keep spiffeIDConnectionMap to authorize connections with MonitorConnectionServer
func WithSpiffeIDConnectionMap(s *spire.SpiffeIDConnectionMap) Option {
return func(o *options) {
o.spiffeIDConnectionMap = s
}
}
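Review bot: The new comment on WithSpiffeIDConnectionMap only restates the function's name; a reader needs to know which element writes the map and which one reads it, and neither is visible on this page, so confirm against the server and the monitorconnection authorize element before writing something like `// WithSpiffeIDConnectionMap sets the map shared with the monitorconnection authorize element so that both sides see the same SPIFFE ID to connection association.` The unexported options struct should carry a one-line comment too, and since Option is now a plain func applied in order, a later option overwrites an earlier one — Any() after WithPolicies(...) clears the list — which the Option comment could state. Any() stays the default for every server constructed in this PR, so its comment should be explicit that a nil policies list skips policy evaluation entirely, assuming that is how policiesList is evaluated (not visible here).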