Merge pull request kmesh-net#1222 from yp969803/issue#214

feat: dump authorizationPolicy

Author: kmesh-bot

pkg/auth/policy_store.go

@@ -124,3 +124,15 @@ func (ps *policyStore) getByNamespace(namespace string) []string {
 	}
 	return nil
 }
+
+// List returns a copied list of all policies
+func (p *policyStore) list() []*security.Authorization {
+	p.rwLock.RLock()
+	defer p.rwLock.RUnlock()
+	out := make([]*security.Authorization, 0, len(p.byKey))
+	for _, pol := range p.byKey {
+		out = append(out, pol)
+	}
+
+	return out
+}

pkg/auth/rbac.go

@@ -516,3 +516,8 @@ func (r *Rbac) getIdentityByIp(ip []byte) Identity {
 		serviceAccount: workload.GetServiceAccount(),
 	}
 }
+
+// List returns a copied list of all policies
+func (r *Rbac) PoliciesList() []*security.Authorization {
+	return r.policyStore.list()
+}

pkg/controller/workload/workload_processor.go

@@ -909,6 +909,7 @@ func (p *Processor) handleAuthorizationTypeResponse(rsp *service_discovery_v3.De
 		if err := rbac.UpdatePolicy(authPolicy); err != nil {
 			return err
 		}
+
 		policyKey := authPolicy.ResourceName()
 		if err := maps_v2.AuthorizationUpdate(p.hashName.Hash(policyKey), authPolicy); err != nil {
 			return fmt.Errorf("AuthorizationUpdate %s failed %v ", policyKey, err)

pkg/status/api.go

@@ -20,6 +20,7 @@ import (
 	"net"
 
 	"kmesh.net/kmesh/api/v2/workloadapi"
+	"kmesh.net/kmesh/api/v2/workloadapi/security"
 )
 
 type Workload struct {
@@ -75,6 +76,14 @@ type Service struct {
 	Waypoint     *Waypoint           `json:"waypoint"`
 }
 
+type AuthorizationPolicy struct {
+	Name      string           `json:"name"`
+	Namespace string           `json:"namespace"`
+	Scope     string           `json:"scope"`
+	Action    string           `json:"action"`
+	Rules     []*security.Rule `json:"rules"`
+}
+
 type NetworkAddress struct {
 	// Network represents the network this address is on.
 	Network string
@@ -162,3 +171,15 @@ func ConvertService(s *workloadapi.Service) *Service {
 
 	return out
 }
+
+func ConvertAuthorizationPolicy(p *security.Authorization) *AuthorizationPolicy {
+	out := &AuthorizationPolicy{
+		Name:      p.GetName(),
+		Namespace: p.GetNamespace(),
+		Scope:     p.GetScope().String(),
+		Action:    p.GetAction().String(),
+		Rules:     p.Rules,
+	}
+
+	return out
+}

pkg/status/status_server.go

@@ -31,7 +31,6 @@ import (
 	"google.golang.org/protobuf/encoding/protojson"
 
 	adminv2 "kmesh.net/kmesh/api/v2/admin"
-	"kmesh.net/kmesh/api/v2/workloadapi/security"
 	"kmesh.net/kmesh/daemon/options"
 	"kmesh.net/kmesh/pkg/bpf"
 	bpfads "kmesh.net/kmesh/pkg/bpf/ads"
@@ -461,8 +460,7 @@ func (s *Server) configDumpAds(w http.ResponseWriter, r *http.Request) {
 type WorkloadDump struct {
 	Workloads []*Workload
 	Services  []*Service
-	// TODO: add authorization
-	Policies []*security.Authorization
+	Policies  []*AuthorizationPolicy
 }
 
 func (s *Server) configDumpWorkload(w http.ResponseWriter, r *http.Request) {
@@ -474,16 +472,21 @@ func (s *Server) configDumpWorkload(w http.ResponseWriter, r *http.Request) {
 
 	workloads := client.WorkloadController.Processor.WorkloadCache.List()
 	services := client.WorkloadController.Processor.ServiceCache.List()
+	policies := client.WorkloadController.Rbac.PoliciesList()
 	workloadDump := WorkloadDump{
 		Workloads: make([]*Workload, 0, len(workloads)),
 		Services:  make([]*Service, 0, len(services)),
+		Policies:  make([]*AuthorizationPolicy, 0, len(policies)),
 	}
 	for _, w := range workloads {
 		workloadDump.Workloads = append(workloadDump.Workloads, ConvertWorkload(w))
 	}
 	for _, s := range services {
 		workloadDump.Services = append(workloadDump.Services, ConvertService(s))
 	}
+	for _, p := range policies {
+		workloadDump.Policies = append(workloadDump.Policies, ConvertAuthorizationPolicy(p))
+	}
 	printWorkloadDump(w, workloadDump)
 }
 

pkg/status/status_server_test.go

@@ -37,7 +37,9 @@ import (
 	"kmesh.net/kmesh/api/v2/core"
 	"kmesh.net/kmesh/api/v2/listener"
 	"kmesh.net/kmesh/api/v2/workloadapi"
+	"kmesh.net/kmesh/api/v2/workloadapi/security"
 	"kmesh.net/kmesh/daemon/options"
+	"kmesh.net/kmesh/pkg/auth"
 	"kmesh.net/kmesh/pkg/bpf"
 	maps_v2 "kmesh.net/kmesh/pkg/cache/v2/maps"
 	"kmesh.net/kmesh/pkg/constants"
@@ -198,10 +200,18 @@ func TestServer_configDumpWorkload(t *testing.T) {
 				},
 			},
 		}}
+	policy := &security.Authorization{
+		Name:      "policy",
+		Namespace: "ns",
+		Scope:     security.Scope_GLOBAL,
+		Action:    security.Action_ALLOW,
+	}
 	fakeWorkloadCache := cache.NewWorkloadCache()
 	fakeServiceCache := cache.NewServiceCache()
 	fakeWorkloadCache.AddOrUpdateWorkload(w1)
 	fakeServiceCache.AddOrUpdateService(svc)
+	fakeAuth := auth.NewRbac(fakeWorkloadCache)
+	fakeAuth.UpdatePolicy(policy)
 	// Create a new instance of the Server struct
 	server := &Server{
 		xdsClient: &controller.XdsClient{
@@ -210,6 +220,7 @@ func TestServer_configDumpWorkload(t *testing.T) {
 					WorkloadCache: fakeWorkloadCache,
 					ServiceCache:  fakeServiceCache,
 				},
+				Rbac: fakeAuth,
 			},
 		},
 	}

pkg/status/testdata/workload_configdump.json

@@ -51,5 +51,13 @@
             }
         }
     ],
-    "Policies": null
+    "Policies": [
+        {
+            "name": "policy",
+            "namespace": "ns",
+            "scope": "GLOBAL",
+            "action": "ALLOW",
+            "rules": null
+        }
+    ]
 }