policy: Move exported Lookup to EndpointPolicy

Move the exported Lookup function to EndpointPolicy, so that it can actually be used from other packages. Signed-off-by: Jarno Rajahalme <[email protected]>
DataDog · Dec 24, 2024 · 4390931 · 4390931
1 parent 4680363
commit 4390931
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 11 deletions.
diff --git a/pkg/policy/mapstate.go b/pkg/policy/mapstate.go
@@ -394,17 +394,6 @@ func (ms *mapState) lookup(key Key) (mapStateEntry, bool) {
 	return mapStateEntry{MapStateEntry: types.DenyEntry()}, false
 }
 
-// Lookup finds the policy verdict applicable to the given 'key' using the same precedence logic
-// between L3 and L4-only policies as the bpf datapath  when both match the given 'key'.
-// To be used in testing in place of the bpf datapath when full integration testing is not desired.
-// Returns the closest matching covering policy entry, the labels of the rules that contributed to
-// that verdict, and 'true' if found.
-// 'key' must not have a wildcard identity or port.
-func (ms *mapState) Lookup(key Key) (MapStateEntry, labels.LabelArrayList, bool) {
-	entry, found := ms.lookup(key)
-	return entry.MapStateEntry, entry.derivedFromRules, found
-}
-
 func (ms *mapState) Len() int {
 	return len(ms.entries)
 }

diff --git a/pkg/policy/resolve.go b/pkg/policy/resolve.go
@@ -103,6 +103,18 @@ func (p *EndpointPolicy) LookupRedirectPort(ingress bool, protocol string, port
 	return 0, fmt.Errorf("Proxy port for redirect %q not found", proxyID)
 }
 
+// Lookup finds the policy verdict applicable to the given 'key' using the same precedence logic
+// between L3 and L4-only policies like the bpf datapath when both match the given 'key'.
+// To be used in testing in place of the bpf datapath when full integration testing is not desired.
+// Returns the closest matching covering policy entry, the labels of the rules that contributed to
+// that verdict, and 'true' if found.
+// Returns a deny entry when a match is not found, mirroring the datapath default deny behavior.
+// 'key' must not have a wildcard identity or port.
+func (p *EndpointPolicy) Lookup(key Key) (MapStateEntry, labels.LabelArrayList, bool) {
+	entry, found := p.policyMapState.lookup(key)
+	return entry.MapStateEntry, entry.derivedFromRules, found
+}
+
 // PolicyOwner is anything which consumes a EndpointPolicy.
 type PolicyOwner interface {
 	GetID() uint64