Merge pull request #44 from AthenZ/filter-msd-rules

Support feature to filter out msd rules

Author: bhaskaramVaranasi

main.go

@@ -126,6 +126,7 @@ func main() {
 	header := flag.String("auth-header", "", "Authentication header field")
 	nTokenExpireTime := flag.String("ntoken-expiry", "1h0m0s", "Custom nToken expiration duration")
 	excludeNamespaces := flag.String("exclude-namespaces", "", "Namespaces to exclude from processing ex: 'kube-system,kube-public,acceptance-test'")
+	excludeMSDRules := flag.Bool("exclude-msd-rules", false, "Exclude MSD based role and policies when syncing Athenz domains")
 
 	klog.InitFlags(nil)
 	flag.Set("logtostderr", "false")
@@ -201,7 +202,7 @@ func main() {
 			exclusionList = append(exclusionList, item)
 		}
 	}
-	util := util.NewUtil(*adminDomain, processList, exclusionList)
+	util := util.NewUtil(*adminDomain, processList, exclusionList, *excludeMSDRules)
 
 	// construct the Controller object which has all of the necessary components to
 	// handle logging, connections, informing (listing and watching), the queue,

pkg/controller/controller.go

@@ -310,5 +310,10 @@ func (c *Controller) zmsGetSignedDomains(domain string) (*zms.SignedDomains, boo
 		log.Error("SignedDomain call returned an empty list")
 		return nil, false, nil
 	}
+
+	for i := range signedDomain.Domains {
+		signedDomain.Domains[i].Domain = c.util.FilterMSDRules(signedDomain.Domains[i].Domain)
+	}
+
 	return signedDomain, true, nil
 }

pkg/controller/controller_test.go

@@ -48,7 +48,7 @@ func newController() *Controller {
 	athenzclientset := fake.NewSimpleClientset()
 	clientset := k8sfake.NewSimpleClientset()
 	zmsclient := zms.NewClient("https://zms.athenz.com", &http.Transport{})
-	util := util.NewUtil("admin.domain", []string{"kube-system", "kube-public", "kube-test"}, []string{"acceptance-test"})
+	util := util.NewUtil("admin.domain", []string{"kube-system", "kube-public", "kube-test"}, []string{"acceptance-test"}, false)
 	cm := &cron.AthenzContactTimeConfigMap{
 		Namespace: "kube-yahoo",
 		Name:      "athenzcall-config",
@@ -253,7 +253,7 @@ func TestNsinformerhandler(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := newController()
-			c.util = util.NewUtil("admin.domain", []string{"kube-system"}, tt.excludedNS)
+			c.util = util.NewUtil("admin.domain", []string{"kube-system"}, tt.excludedNS, false)
 			mockQueue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
 			c.queue = mockQueue
 

pkg/cron/cron_test.go

@@ -48,7 +48,7 @@ func newCron() *Cron {
 	clientset := k8sfake.NewSimpleClientset()
 	rateLimiter := ratelimiter.NewRateLimiter(250 * time.Millisecond)
 	queue := workqueue.NewRateLimitingQueue(rateLimiter)
-	util := util.NewUtil("test.domain", []string{"kube-system"}, []string{"acceptance-test"})
+	util := util.NewUtil("test.domain", []string{"kube-system"}, []string{"acceptance-test"}, false)
 	athenzclientset := fake.NewSimpleClientset()
 	informer := athenzInformer.NewAthenzDomainInformer(athenzclientset, 0, cache.Indexers{
 		"trustDomain": cr.TrustDomainIndexFunc,

pkg/util/util.go

@@ -19,17 +19,20 @@ import (
 	"fmt"
 	"os"
 	"strings"
+
+	"github.com/AthenZ/athenz/clients/go/zms"
 )
 
 // Util - struct with 2 fields adminDomain and list of system namespaces
 type Util struct {
 	adminDomain       string
 	systemNamespaces  []string
 	excludeNamespaces map[string]bool
+	excludeMSDRules   bool
 }
 
 // NewUtil - create new Util object
-func NewUtil(adminDomain string, systemNamespaces []string, excludeNamespaces []string) *Util {
+func NewUtil(adminDomain string, systemNamespaces []string, excludeNamespaces []string, excludeMSDRules bool) *Util {
 	excludedNamespaceMap := make(map[string]bool)
 	for _, ns := range excludeNamespaces {
 		excludedNamespaceMap[ns] = true
@@ -39,6 +42,7 @@ func NewUtil(adminDomain string, systemNamespaces []string, excludeNamespaces []
 		adminDomain:       adminDomain,
 		systemNamespaces:  systemNamespaces,
 		excludeNamespaces: excludedNamespaceMap,
+		excludeMSDRules:   excludeMSDRules,
 	}
 }
 
@@ -124,3 +128,45 @@ func HomeDir() string {
 	}
 	return os.Getenv("USERPROFILE") // windows
 }
+
+func filterMSDRules(domain *zms.DomainData) *zms.DomainData {
+	domainName := string(domain.Name)
+	var filteredRoles []*zms.Role
+	var filteredPolicies []*zms.Policy
+	// Filter out roles where the names starts with "domainName:role.acl." which are MSD roles
+	// Filter out roles that start with "domainName:role.msd-read-role-"
+	for _, role := range domain.Roles {
+		roleName := string(role.Name)
+		aclPrefix := domainName + ":role.acl."
+		msdReadPrefix := domainName + ":role.msd-read-role-"
+		if strings.HasPrefix(roleName, aclPrefix) ||
+			strings.HasPrefix(roleName, msdReadPrefix) {
+			continue
+		}
+		filteredRoles = append(filteredRoles, role)
+	}
+	domain.Roles = filteredRoles
+
+	// Filter out policies start with "domainName:policy.acl." which are MSD policies
+	// Filter out policies start with "domainName:policy.msd-read-policy-"
+	for _, policy := range domain.Policies.Contents.Policies {
+		policyName := string(policy.Name)
+		aclPrefix := domainName + ":policy.acl."
+		msdReadPrefix := domainName + ":policy.msd-read-policy-"
+		if strings.HasPrefix(policyName, aclPrefix) ||
+			strings.HasPrefix(policyName, msdReadPrefix) {
+			continue
+		}
+		filteredPolicies = append(filteredPolicies, policy)
+	}
+	domain.Policies.Contents.Policies = filteredPolicies
+
+	return domain
+}
+
+func (u *Util) FilterMSDRules(domainData *zms.DomainData) *zms.DomainData {
+	if !u.excludeMSDRules {
+		return domainData
+	}
+	return filterMSDRules(domainData)
+}