consul/agent/connect_auth.go

package agent

import (
	"context"
	"fmt"
	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/agent/cache"
	cachetype "github.com/hashicorp/consul/agent/cache-types"
	"github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/agent/structs"
)

// TODO(rb/intentions): this should move back into the agent endpoint since
// there is no ext_authz implementation anymore.
//
// ConnectAuthorize implements the core authorization logic for Connect. It's in
// a separate agent method here because we need to re-use this both in our own
// HTTP API authz endpoint and in the gRPX xDS/ext_authz API for envoy.
//
// NOTE: This treats any L7 intentions as DENY.
//
// The ACL token and the auth request are provided and the auth decision (true
// means authorized) and reason string are returned.
//
// If the request input is invalid the error returned will be a BadRequestError,
// if the token doesn't grant necessary access then an acl.ErrPermissionDenied
// error is returned, otherwise error indicates an unexpected server failure. If
// access is denied, no error is returned but the first return value is false.
func (a *Agent) ConnectAuthorize(token string,
	req *structs.ConnectAuthorizeRequest) (allowed bool, reason string, m *cache.ResultMeta, err error) {

	// Helper to make the error cases read better without resorting to named
	// returns which get messy and prone to mistakes in a method this long.
	returnErr := func(err error) (bool, string, *cache.ResultMeta, error) {
		return false, "", nil, err
	}

	if req == nil {
		return returnErr(BadRequestError{"Invalid request"})
	}

	// We need to have a target to check intentions
	if req.Target == "" {
		return returnErr(BadRequestError{"Target service must be specified"})
	}

	// Parse the certificate URI from the client ID
	uri, err := connect.ParseCertURIFromString(req.ClientCertURI)
	if err != nil {
		return returnErr(BadRequestError{"ClientCertURI not a valid Connect identifier"})
	}

	uriService, ok := uri.(*connect.SpiffeIDService)
	if !ok {
		return returnErr(BadRequestError{"ClientCertURI not a valid Service identifier"})
	}

	// We need to verify service:write permissions for the given token.
	// We do this manually here since the RPC request below only verifies
	// service:read.
	var authzContext acl.AuthorizerContext
	authz, err := a.resolveTokenAndDefaultMeta(token, &req.EnterpriseMeta, &authzContext)
	if err != nil {
		return returnErr(err)
	}

	if authz != nil && authz.ServiceWrite(req.Target, &authzContext) != acl.Allow {
		return returnErr(acl.ErrPermissionDenied)
	}

	// Note that we DON'T explicitly validate the trust-domain matches ours. See
	// the PR for this change for details.

	// TODO(banks): Implement revocation list checking here.

	// Get the intentions for this target service.
	args := &structs.IntentionQueryRequest{
		Datacenter: a.config.Datacenter,
		Match: &structs.IntentionQueryMatch{
			Type: structs.IntentionMatchDestination,
			Entries: []structs.IntentionMatchEntry{
				{
					Namespace: req.TargetNamespace(),
					Name:      req.Target,
				},
			},
		},
		QueryOptions: structs.QueryOptions{Token: token},
	}

	raw, meta, err := a.cache.Get(context.TODO(), cachetype.IntentionMatchName, args)
	if err != nil {
		return returnErr(err)
	}

	reply, ok := raw.(*structs.IndexedIntentionMatches)
	if !ok {
		return returnErr(fmt.Errorf("internal error: response type not correct"))
	}
	if len(reply.Matches) != 1 {
		return returnErr(fmt.Errorf("Internal error loading matches"))
	}

	// Figure out which source matches this request.
	var ixnMatch *structs.Intention
	for _, ixn := range reply.Matches[0] {
		// We match on the intention source because the uriService is the source of the connection to authorize.
		if _, ok := connect.AuthorizeIntentionTarget(uriService.Service, uriService.Namespace, ixn, structs.IntentionMatchSource); ok {
			ixnMatch = ixn
			break
		}
	}

	if ixnMatch != nil {
		if len(ixnMatch.Permissions) == 0 {
			// This is an L4 intention.
			reason = fmt.Sprintf("Matched L4 intention: %s", ixnMatch.String())
			auth := ixnMatch.Action == structs.IntentionActionAllow
			return auth, reason, &meta, nil
		}

		// This is an L7 intention, so DENY.
		reason = fmt.Sprintf("Matched L7 intention: %s", ixnMatch.String())
		return false, reason, &meta, nil
	}

	// No match, we need to determine the default behavior. We do this by
	// fetching the default intention behavior from the resolved authorizer. The
	// default behavior if ACLs are disabled is to allow connections to mimic the
	// behavior of Consul itself: everything is allowed if ACLs are disabled.
	if authz == nil {
		// ACLs not enabled at all, the default is allow all.
		return true, "ACLs disabled, access is allowed by default", &meta, nil
	}
	reason = "Default behavior configured by ACLs"
	return authz.IntentionDefaultAllow(nil) == acl.Allow, reason, &meta, nil
}
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`package agent`

			`import (`
Make the Agent Cache more Context aware (#8092) Blocking queries issues will still be uncancellable (that cannot be helped until we get rid of net/rpc). However this makes it so that if calling getWithIndex (like during a cache Notify go routine) we can cancell the outer routine. Previously it would keep issuing more blocking queries until the result state actually changed. 5 years ago			`"context"`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`"fmt"`
			`"github.com/hashicorp/consul/acl"`
			`"github.com/hashicorp/consul/agent/cache"`
			`cachetype "github.com/hashicorp/consul/agent/cache-types"`
			`"github.com/hashicorp/consul/agent/connect"`
			`"github.com/hashicorp/consul/agent/structs"`
			`)`

connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp). 4 years ago			`// TODO(rb/intentions): this should move back into the agent endpoint since`
			`// there is no ext_authz implementation anymore.`
			`//`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`// ConnectAuthorize implements the core authorization logic for Connect. It's in`
			`// a separate agent method here because we need to re-use this both in our own`
			`// HTTP API authz endpoint and in the gRPX xDS/ext_authz API for envoy.`
			`//`
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp). 4 years ago			`// NOTE: This treats any L7 intentions as DENY.`
			`//`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`// The ACL token and the auth request are provided and the auth decision (true`
fix typos reported by golangci-lint:misspell (#5434) 6 years ago			`// means authorized) and reason string are returned.`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`//`
			`// If the request input is invalid the error returned will be a BadRequestError,`
			`// if the token doesn't grant necessary access then an acl.ErrPermissionDenied`
			`// error is returned, otherwise error indicates an unexpected server failure. If`
			`// access is denied, no error is returned but the first return value is false.`
			`func (a *Agent) ConnectAuthorize(token string,`
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow. 5 years ago			`req structs.ConnectAuthorizeRequest) (allowed bool, reason string, m cache.ResultMeta, err error) {`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago
			`// Helper to make the error cases read better without resorting to named`
			`// returns which get messy and prone to mistakes in a method this long.`
			`returnErr := func(err error) (bool, string, *cache.ResultMeta, error) {`
			`return false, "", nil, err`
			`}`

			`if req == nil {`
			`return returnErr(BadRequestError{"Invalid request"})`
			`}`

			`// We need to have a target to check intentions`
			`if req.Target == "" {`
			`return returnErr(BadRequestError{"Target service must be specified"})`
			`}`

			`// Parse the certificate URI from the client ID`
			`uri, err := connect.ParseCertURIFromString(req.ClientCertURI)`
			`if err != nil {`
			`return returnErr(BadRequestError{"ClientCertURI not a valid Connect identifier"})`
			`}`

			`uriService, ok := uri.(*connect.SpiffeIDService)`
			`if !ok {`
			`return returnErr(BadRequestError{"ClientCertURI not a valid Service identifier"})`
			`}`

			`// We need to verify service:write permissions for the given token.`
			`// We do this manually here since the RPC request below only verifies`
			`// service:read.`
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow. 5 years ago			`var authzContext acl.AuthorizerContext`
			`authz, err := a.resolveTokenAndDefaultMeta(token, &req.EnterpriseMeta, &authzContext)`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`if err != nil {`
			`return returnErr(err)`
			`}`
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow. 5 years ago
			`if authz != nil && authz.ServiceWrite(req.Target, &authzContext) != acl.Allow {`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`return returnErr(acl.ErrPermissionDenied)`
			`}`

connect: remove additional trust-domain validation (#4934) * connct: Remove additional trust-domain validation * Comment typos * Update connect_ca.go 6 years ago			`// Note that we DON'T explicitly validate the trust-domain matches ours. See`
			`// the PR for this change for details.`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago
			`// TODO(banks): Implement revocation list checking here.`

			`// Get the intentions for this target service.`
			`args := &structs.IntentionQueryRequest{`
			`Datacenter: a.config.Datacenter,`
			`Match: &structs.IntentionQueryMatch{`
			`Type: structs.IntentionMatchDestination,`
			`Entries: []structs.IntentionMatchEntry{`
			`{`
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow. 5 years ago			`Namespace: req.TargetNamespace(),`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`Name: req.Target,`
			`},`
			`},`
			`},`
			`QueryOptions: structs.QueryOptions{Token: token},`
			`}`

Make the Agent Cache more Context aware (#8092) Blocking queries issues will still be uncancellable (that cannot be helped until we get rid of net/rpc). However this makes it so that if calling getWithIndex (like during a cache Notify go routine) we can cancell the outer routine. Previously it would keep issuing more blocking queries until the result state actually changed. 5 years ago			`raw, meta, err := a.cache.Get(context.TODO(), cachetype.IntentionMatchName, args)`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`if err != nil {`
			`return returnErr(err)`
			`}`

			`reply, ok := raw.(*structs.IndexedIntentionMatches)`
			`if !ok {`
			`return returnErr(fmt.Errorf("internal error: response type not correct"))`
			`}`
			`if len(reply.Matches) != 1 {`
			`return returnErr(fmt.Errorf("Internal error loading matches"))`
			`}`

connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp). 4 years ago			`// Figure out which source matches this request.`
			`var ixnMatch *structs.Intention`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`for _, ixn := range reply.Matches[0] {`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 4 years ago			`// We match on the intention source because the uriService is the source of the connection to authorize.`
			`if _, ok := connect.AuthorizeIntentionTarget(uriService.Service, uriService.Namespace, ixn, structs.IntentionMatchSource); ok {`
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp). 4 years ago			`ixnMatch = ixn`
			`break`
			`}`
			`}`

			`if ixnMatch != nil {`
			`if len(ixnMatch.Permissions) == 0 {`
			`// This is an L4 intention.`
			`reason = fmt.Sprintf("Matched L4 intention: %s", ixnMatch.String())`
			`auth := ixnMatch.Action == structs.IntentionActionAllow`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`return auth, reason, &meta, nil`
			`}`
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp). 4 years ago
			`// This is an L7 intention, so DENY.`
			`reason = fmt.Sprintf("Matched L7 intention: %s", ixnMatch.String())`
			`return false, reason, &meta, nil`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`}`

			`// No match, we need to determine the default behavior. We do this by`
Return intention info in svc topology endpoint (#8853) 4 years ago			`// fetching the default intention behavior from the resolved authorizer. The`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`// default behavior if ACLs are disabled is to allow connections to mimic the`
			`// behavior of Consul itself: everything is allowed if ACLs are disabled.`
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow. 5 years ago			`if authz == nil {`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`// ACLs not enabled at all, the default is allow all.`
			`return true, "ACLs disabled, access is allowed by default", &meta, nil`
			`}`
			`reason = "Default behavior configured by ACLs"`
Intentions ACL enforcement updates (#7028) * Renamed structs.IntentionWildcard to structs.WildcardSpecifier * Refactor ACL Config Get rid of remnants of enterprise only renaming. Add a WildcardName field for specifying what string should be used to indicate a wildcard. * Add wildcard support in the ACL package For read operations they can call anyAllowed to determine if any read access to the given resource would be granted. For write operations they can call allAllowed to ensure that write access is granted to everything. * Make v1/agent/connect/authorize namespace aware * Update intention ACL enforcement This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior. Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself. * Refactor Intention.Apply to make things easier to follow. 5 years ago			`return authz.IntentionDefaultAllow(nil) == acl.Allow, reason, &meta, nil`
Connect Envoy Command (#4735) * Plumb xDS server and proxyxfg into the agent startup * Add `consul connect envoy` command to allow running Envoy as a connect sidecar. * Add test for help tabs; typos and style fixups from review 6 years ago			`}`