block some status endpoints

allegro · Dec 13, 2023 · 1a35778 · 1a35778
1 parent 2f820d6
commit 1a35778
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/...e/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt b/...e/src/main/kotlin/pl/allegro/tech/servicemesh/envoycontrol/snapshot/SnapshotProperties.kt
@@ -199,6 +199,7 @@ class AdminRouteProperties {
 class StatusRouteProperties {
     var enabled = false
     var endpoints: MutableList<EndpointMatch> = mutableListOf()
+    var blockedStatusEndpoints: MutableList<EndpointMatch> = mutableListOf()
     var createVirtualCluster = false
 }
 

diff --git a/...ro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/RBACFilterFactory.kt b/...ro/tech/servicemesh/envoycontrol/snapshot/resource/listeners/filters/RBACFilterFactory.kt
@@ -275,13 +275,22 @@ class RBACFilterFactory(
 
     private fun createStatusRoutePolicy(statusRouteProperties: StatusRouteProperties): Map<String, Policy.Builder> {
         return if (statusRouteProperties.enabled) {
+            val notRules = statusRouteProperties.blockedStatusEndpoints.map {
+                rBACFilterPermissions.createPathPermission(
+                    path = it.path,
+                    matchingType = it.matchingType
+                ).build()
+            }
             val permissions = statusRouteProperties.endpoints
                 .map {
-                    rBACFilterPermissions.createPathPermission(
+                    val permission = rBACFilterPermissions.createPathPermission(
                         path = it.path,
                         matchingType = it.matchingType
-                    ).build()
+                    )
+                    notRules.forEach { permission.setNotRule(it) }
+                    permission.build()
                 }
+
             val policy = Policy.newBuilder()
                 .addPrincipals(anyPrincipal)
                 .addPermissions(anyOf(permissions))
@@ -368,15 +377,18 @@ class RBACFilterFactory(
                         principal
                     )
                 )
+
                 OAuth.Policy.STRICT -> mergePrincipals(
                     listOf(
                         strictPolicyPrincipal,
                         principal
                     )
                 )
+
                 OAuth.Policy.ALLOW_MISSING_OR_FAILED -> {
                     principal
                 }
+
                 null -> {
                     principal
                 }