mirror of
https://github.com/alibaba/higress.git
synced 2026-02-24 20:50:51 +08:00
95 lines
2.3 KiB
Go
95 lines
2.3 KiB
Go
// Copyright (c) 2022 Alibaba Group Holding Ltd.
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package annotations
|
|
|
|
import (
|
|
networking "istio.io/api/networking/v1alpha3"
|
|
"istio.io/istio/pilot/pkg/networking/core/v1alpha3/mseingress"
|
|
)
|
|
|
|
const (
|
|
whitelist = "whitelist-source-range"
|
|
)
|
|
|
|
var (
|
|
_ Parser = &ipAccessControl{}
|
|
_ RouteHandler = &ipAccessControl{}
|
|
)
|
|
|
|
type IPAccessControl struct {
|
|
isWhite bool
|
|
remoteIp []string
|
|
}
|
|
|
|
type IPAccessControlConfig struct {
|
|
Route *IPAccessControl
|
|
}
|
|
|
|
type ipAccessControl struct{}
|
|
|
|
func (i ipAccessControl) Parse(annotations Annotations, config *Ingress, _ *GlobalContext) error {
|
|
if !needIPAccessControlConfig(annotations) {
|
|
return nil
|
|
}
|
|
|
|
ipConfig := &IPAccessControlConfig{}
|
|
defer func() {
|
|
config.IPAccessControl = ipConfig
|
|
}()
|
|
|
|
var route *IPAccessControl
|
|
if rawWhitelist, err := annotations.ParseStringASAP(whitelist); err == nil {
|
|
route = &IPAccessControl{
|
|
isWhite: true,
|
|
remoteIp: splitStringWithSpaceTrim(rawWhitelist),
|
|
}
|
|
}
|
|
|
|
if route != nil {
|
|
ipConfig.Route = route
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (i ipAccessControl) ApplyVirtualServiceHandler(_ *networking.VirtualService, _ *Ingress) {
|
|
// DO NOTHING
|
|
}
|
|
|
|
func (i ipAccessControl) ApplyRoute(route *networking.HTTPRoute, config *Ingress) {
|
|
ac := config.IPAccessControl
|
|
if ac == nil || ac.Route == nil {
|
|
return
|
|
}
|
|
|
|
filter := &networking.IPAccessControl{}
|
|
if ac.Route.isWhite {
|
|
filter.RemoteIpBlocks = ac.Route.remoteIp
|
|
} else {
|
|
filter.NotRemoteIpBlocks = ac.Route.remoteIp
|
|
}
|
|
|
|
route.RouteHTTPFilters = append(route.RouteHTTPFilters, &networking.HTTPFilter{
|
|
Name: mseingress.IPAccessControl,
|
|
Filter: &networking.HTTPFilter_IpAccessControl{
|
|
IpAccessControl: filter,
|
|
},
|
|
})
|
|
}
|
|
|
|
func needIPAccessControlConfig(annotations Annotations) bool {
|
|
return annotations.HasASAP(whitelist)
|
|
}
|