consul/agent/connect/sni.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package connect

import (
	"fmt"
	"strings"

	"github.com/hashicorp/consul/agent/structs"
)

const (
	internal        = "internal"
	version         = "v1"
	internalVersion = internal + "-" + version
	external        = "external"
)

func UpstreamSNI(u *structs.Upstream, subset string, dc string, trustDomain string) string {
	if u.Datacenter != "" {
		dc = u.Datacenter
	}

	if u.DestinationType == structs.UpstreamDestTypePreparedQuery {
		return QuerySNI(u.DestinationName, dc, trustDomain)
	}
	// TODO(peering): account for peer here?
	return ServiceSNI(u.DestinationName, subset, u.DestinationNamespace, u.DestinationPartition, dc, trustDomain)
}

func GatewaySNI(dc string, partition, trustDomain string) string {
	if partition == "" {
		// TODO(partitions) Make default available in CE as a constant for uses like this one
		partition = "default"
	}

	switch partition {
	case "default":
		return dotJoin(dc, internal, trustDomain)
	default:
		return dotJoin(partition, dc, internalVersion, trustDomain)
	}
}

func ServiceSNI(service string, subset string, namespace string, partition string, datacenter string, trustDomain string) string {
	if namespace == "" {
		namespace = structs.IntentionDefaultNamespace
	}
	if partition == "" {
		// TODO(partitions) Make default available in CE as a constant for uses like this one
		partition = "default"
	}

	switch partition {
	case "default":
		if subset == "" {
			return dotJoin(service, namespace, datacenter, internal, trustDomain)
		} else {
			return dotJoin(subset, service, namespace, datacenter, internal, trustDomain)
		}
	default:
		if subset == "" {
			return dotJoin(service, namespace, partition, datacenter, internalVersion, trustDomain)
		} else {
			return dotJoin(subset, service, namespace, partition, datacenter, internalVersion, trustDomain)
		}
	}
}

func dotSplitLast(s string, n int) string {
	tokens := strings.SplitN(s, ".", n)
	if len(tokens) != n {
		return ""
	}
	return tokens[n-1]
}

func TrustDomainForTarget(target structs.DiscoveryTarget) string {
	if target.External {
		return ""
	}

	switch target.Partition {
	case "default":
		if target.ServiceSubset == "" {
			// service, namespace, datacenter, internal, trustDomain
			return dotSplitLast(target.SNI, 5)
		} else {
			// subset, service, namespace, datacenter, internal, trustDomain
			return dotSplitLast(target.SNI, 6)
		}
	default:
		if target.ServiceSubset == "" {
			// service, namespace, partition, datacenter, internalVersion, trustDomain
			return dotSplitLast(target.SNI, 6)
		} else {
			// subset, service, namespace, partition, datacenter, internalVersion, trustDomain
			return dotSplitLast(target.SNI, 7)
		}
	}
}

func PeeredServiceSNI(service, namespace, partition, peerName, trustDomain string) string {
	if peerName == "" {
		panic("peer name is a requirement for this function and does not make sense without it")
	}
	if namespace == "" {
		namespace = structs.IntentionDefaultNamespace
	}
	if partition == "" {
		// TODO(partitions) Make default available in CE as a constant for uses like this one
		partition = "default"
	}

	return dotJoin(service, namespace, partition, peerName, external, trustDomain)
}

func dotJoin(parts ...string) string {
	return strings.Join(parts, ".")
}

func QuerySNI(service string, datacenter string, trustDomain string) string {
	return fmt.Sprintf("%s.default.%s.query.%s", service, datacenter, trustDomain)
}

func TargetSNI(target *structs.DiscoveryTarget, trustDomain string) string {
	return ServiceSNI(target.Service, target.ServiceSubset, target.Namespace, target.Partition, target.Datacenter, trustDomain)
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2 years ago			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 1 year ago			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2 years ago
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`package connect`

			`import (`
			`"fmt"`
add partition to SNI when partition is non default (#10917) 3 years ago			`"strings"`
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago
			`"github.com/hashicorp/consul/agent/structs"`
			`)`

add partition to SNI when partition is non default (#10917) 3 years ago			`const (`
			`internal = "internal"`
			`version = "v1"`
			`internalVersion = internal + "-" + version`
peering: replicate expected SNI, SPIFFE, and service protocol to peers (#13218) The importing peer will need to know what SNI and SPIFFE name corresponds to each exported service. Additionally it will need to know at a high level the protocol in use (L4/L7) to generate the appropriate connection pool and local metrics. For replicated connect synthetic entities we edit the `Connect{}` part of a `NodeService` to have a new section: { "PeerMeta": { "SNI": [ "web.default.default.owt.external.183150d5-1033-3672-c426-c29205a576b8.consul" ], "SpiffeID": [ "spiffe://183150d5-1033-3672-c426-c29205a576b8.consul/ns/default/dc/dc1/svc/web" ], "Protocol": "tcp" } } This data is then replicated and saved as-is at the importing side. Both SNI and SpiffeID are slices for now until I can be sure we don't need them for how mesh gateways will ultimately work. 3 years ago			`external = "external"`
add partition to SNI when partition is non default (#10917) 3 years ago			`)`

connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`func UpstreamSNI(u *structs.Upstream, subset string, dc string, trustDomain string) string {`
			`if u.Datacenter != "" {`
			`dc = u.Datacenter`
			`}`

			`if u.DestinationType == structs.UpstreamDestTypePreparedQuery {`
			`return QuerySNI(u.DestinationName, dc, trustDomain)`
			`}`
peering: Make Upstream peer-aware (#12900) Adds DestinationPeer field to Upstream. Adds Peer field to UpstreamID and its string conversion functions. 3 years ago			`// TODO(peering): account for peer here?`
add partition to SNI when partition is non default (#10917) 3 years ago			`return ServiceSNI(u.DestinationName, subset, u.DestinationNamespace, u.DestinationPartition, dc, trustDomain)`
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`}`

Account for partition in SNI for gateways 3 years ago			`func GatewaySNI(dc string, partition, trustDomain string) string {`
			`if partition == "" {`
OSS -> CE (community edition) changes (#18517) 1 year ago			`// TODO(partitions) Make default available in CE as a constant for uses like this one`
Account for partition in SNI for gateways 3 years ago			`partition = "default"`
			`}`

			`switch partition {`
			`case "default":`
			`return dotJoin(dc, internal, trustDomain)`
			`default:`
			`return dotJoin(partition, dc, internalVersion, trustDomain)`
			`}`
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`}`

add partition to SNI when partition is non default (#10917) 3 years ago			`func ServiceSNI(service string, subset string, namespace string, partition string, datacenter string, trustDomain string) string {`
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`if namespace == "" {`
Leave todo about default name 3 years ago			`namespace = structs.IntentionDefaultNamespace`
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`}`
add partition to SNI when partition is non default (#10917) 3 years ago			`if partition == "" {`
OSS -> CE (community edition) changes (#18517) 1 year ago			`// TODO(partitions) Make default available in CE as a constant for uses like this one`
add partition to SNI when partition is non default (#10917) 3 years ago			`partition = "default"`
			`}`
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago
add partition to SNI when partition is non default (#10917) 3 years ago			`switch partition {`
			`case "default":`
			`if subset == "" {`
			`return dotJoin(service, namespace, datacenter, internal, trustDomain)`
			`} else {`
			`return dotJoin(subset, service, namespace, datacenter, internal, trustDomain)`
			`}`
			`default:`
			`if subset == "" {`
			`return dotJoin(service, namespace, partition, datacenter, internalVersion, trustDomain)`
			`} else {`
			`return dotJoin(subset, service, namespace, partition, datacenter, internalVersion, trustDomain)`
			`}`
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`}`
			`}`

[API Gateway] Add integration test for HTTP routes (#16236) * [API Gateway] Add integration test for conflicted TCP listeners * [API Gateway] Update simple test to leverage intentions and multiple listeners * Fix broken unit test * [API Gateway] Add integration test for HTTP routes 2 years ago			`func dotSplitLast(s string, n int) string {`
			`tokens := strings.SplitN(s, ".", n)`
			`if len(tokens) != n {`
			`return ""`
			`}`
			`return tokens[n-1]`
			`}`

			`func TrustDomainForTarget(target structs.DiscoveryTarget) string {`
			`if target.External {`
			`return ""`
			`}`

			`switch target.Partition {`
			`case "default":`
			`if target.ServiceSubset == "" {`
			`// service, namespace, datacenter, internal, trustDomain`
			`return dotSplitLast(target.SNI, 5)`
			`} else {`
			`// subset, service, namespace, datacenter, internal, trustDomain`
			`return dotSplitLast(target.SNI, 6)`
			`}`
			`default:`
			`if target.ServiceSubset == "" {`
			`// service, namespace, partition, datacenter, internalVersion, trustDomain`
			`return dotSplitLast(target.SNI, 6)`
			`} else {`
			`// subset, service, namespace, partition, datacenter, internalVersion, trustDomain`
			`return dotSplitLast(target.SNI, 7)`
			`}`
			`}`
			`}`

peering: replicate expected SNI, SPIFFE, and service protocol to peers (#13218) The importing peer will need to know what SNI and SPIFFE name corresponds to each exported service. Additionally it will need to know at a high level the protocol in use (L4/L7) to generate the appropriate connection pool and local metrics. For replicated connect synthetic entities we edit the `Connect{}` part of a `NodeService` to have a new section: { "PeerMeta": { "SNI": [ "web.default.default.owt.external.183150d5-1033-3672-c426-c29205a576b8.consul" ], "SpiffeID": [ "spiffe://183150d5-1033-3672-c426-c29205a576b8.consul/ns/default/dc/dc1/svc/web" ], "Protocol": "tcp" } } This data is then replicated and saved as-is at the importing side. Both SNI and SpiffeID are slices for now until I can be sure we don't need them for how mesh gateways will ultimately work. 3 years ago			`func PeeredServiceSNI(service, namespace, partition, peerName, trustDomain string) string {`
			`if peerName == "" {`
			`panic("peer name is a requirement for this function and does not make sense without it")`
			`}`
			`if namespace == "" {`
			`namespace = structs.IntentionDefaultNamespace`
			`}`
			`if partition == "" {`
OSS -> CE (community edition) changes (#18517) 1 year ago			`// TODO(partitions) Make default available in CE as a constant for uses like this one`
peering: replicate expected SNI, SPIFFE, and service protocol to peers (#13218) The importing peer will need to know what SNI and SPIFFE name corresponds to each exported service. Additionally it will need to know at a high level the protocol in use (L4/L7) to generate the appropriate connection pool and local metrics. For replicated connect synthetic entities we edit the `Connect{}` part of a `NodeService` to have a new section: { "PeerMeta": { "SNI": [ "web.default.default.owt.external.183150d5-1033-3672-c426-c29205a576b8.consul" ], "SpiffeID": [ "spiffe://183150d5-1033-3672-c426-c29205a576b8.consul/ns/default/dc/dc1/svc/web" ], "Protocol": "tcp" } } This data is then replicated and saved as-is at the importing side. Both SNI and SpiffeID are slices for now until I can be sure we don't need them for how mesh gateways will ultimately work. 3 years ago			`partition = "default"`
			`}`

			`return dotJoin(service, namespace, partition, peerName, external, trustDomain)`
			`}`

add partition to SNI when partition is non default (#10917) 3 years ago			`func dotJoin(parts ...string) string {`
			`return strings.Join(parts, ".")`
			`}`

connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`func QuerySNI(service string, datacenter string, trustDomain string) string {`
			`return fmt.Sprintf("%s.default.%s.query.%s", service, datacenter, trustDomain)`
			`}`

			`func TargetSNI(target *structs.DiscoveryTarget, trustDomain string) string {`
add partition to SNI when partition is non default (#10917) 3 years ago			`return ServiceSNI(target.Service, target.ServiceSubset, target.Namespace, target.Partition, target.Datacenter, trustDomain)`
connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 5 years ago			`}`