Move codes to pkg (#46)

pkg/ingress/kube/annotations/ip_access_control.go

@@ -0,0 +1,144 @@
+// Copyright (c) 2022 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package annotations
+
+import (
+	networking "istio.io/api/networking/v1alpha3"
+	"istio.io/istio/pilot/pkg/networking/core/v1alpha3/mseingress"
+)
+
+const (
+	domainWhitelist = "domain-whitelist-source-range"
+	domainBlacklist = "domain-blacklist-source-range"
+	whitelist       = "whitelist-source-range"
+	blacklist       = "blacklist-source-range"
+)
+
+var (
+	_ Parser       = &ipAccessControl{}
+	_ RouteHandler = &ipAccessControl{}
+)
+
+type IPAccessControl struct {
+	isWhite  bool
+	remoteIp []string
+}
+
+type IPAccessControlConfig struct {
+	Domain *IPAccessControl
+	Route  *IPAccessControl
+}
+
+type ipAccessControl struct{}
+
+func (i ipAccessControl) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
+	if !needIPAccessControlConfig(annotations) {
+		return nil
+	}
+
+	ipConfig := &IPAccessControlConfig{}
+	defer func() {
+		config.IPAccessControl = ipConfig
+	}()
+
+	var domain *IPAccessControl
+	rawWhitelist, err := annotations.ParseStringForMSE(domainWhitelist)
+	if err == nil {
+		domain = &IPAccessControl{
+			isWhite:  true,
+			remoteIp: splitStringWithSpaceTrim(rawWhitelist),
+		}
+	} else {
+		if rawBlacklist, err := annotations.ParseStringForMSE(domainBlacklist); err == nil {
+			domain = &IPAccessControl{
+				isWhite:  false,
+				remoteIp: splitStringWithSpaceTrim(rawBlacklist),
+			}
+		}
+	}
+	if domain != nil {
+		ipConfig.Domain = domain
+	}
+
+	var route *IPAccessControl
+	rawWhitelist, err = annotations.ParseStringASAP(whitelist)
+	if err == nil {
+		route = &IPAccessControl{
+			isWhite:  true,
+			remoteIp: splitStringWithSpaceTrim(rawWhitelist),
+		}
+	} else {
+		if rawBlacklist, err := annotations.ParseStringForMSE(blacklist); err == nil {
+			route = &IPAccessControl{
+				isWhite:  false,
+				remoteIp: splitStringWithSpaceTrim(rawBlacklist),
+			}
+		}
+	}
+	if route != nil {
+		ipConfig.Route = route
+	}
+
+	return nil
+}
+
+func (i ipAccessControl) ApplyVirtualServiceHandler(virtualService *networking.VirtualService, config *Ingress) {
+	ac := config.IPAccessControl
+	if ac == nil || ac.Domain == nil {
+		return
+	}
+
+	filter := &networking.IPAccessControl{}
+	if ac.Domain.isWhite {
+		filter.RemoteIpBlocks = ac.Domain.remoteIp
+	} else {
+		filter.NotRemoteIpBlocks = ac.Domain.remoteIp
+	}
+
+	virtualService.HostHTTPFilters = append(virtualService.HostHTTPFilters, &networking.HTTPFilter{
+		Name: mseingress.IPAccessControl,
+		Filter: &networking.HTTPFilter_IpAccessControl{
+			IpAccessControl: filter,
+		},
+	})
+}
+
+func (i ipAccessControl) ApplyRoute(route *networking.HTTPRoute, config *Ingress) {
+	ac := config.IPAccessControl
+	if ac == nil || ac.Route == nil {
+		return
+	}
+
+	filter := &networking.IPAccessControl{}
+	if ac.Route.isWhite {
+		filter.RemoteIpBlocks = ac.Route.remoteIp
+	} else {
+		filter.NotRemoteIpBlocks = ac.Route.remoteIp
+	}
+
+	route.RouteHTTPFilters = append(route.RouteHTTPFilters, &networking.HTTPFilter{
+		Name: mseingress.IPAccessControl,
+		Filter: &networking.HTTPFilter_IpAccessControl{
+			IpAccessControl: filter,
+		},
+	})
+}
+
+func needIPAccessControlConfig(annotations Annotations) bool {
+	return annotations.HasMSE(domainWhitelist) ||
+		annotations.HasMSE(domainBlacklist) ||
+		annotations.HasASAP(whitelist) ||
+		annotations.HasMSE(blacklist)
+}