consul/internal/resource/registry.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package resource

import (
	"fmt"
	"regexp"
	"sync"

	"google.golang.org/protobuf/proto"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

var (
	groupRegexp        = regexp.MustCompile(`^[a-z][a-z\d_]+$`)
	groupVersionRegexp = regexp.MustCompile(`^v([a-z\d]+)?\d$`)
	kindRegexp         = regexp.MustCompile(`^[A-Z][A-Za-z\d]+$`)
)

type Registry interface {
	// Register the given resource type and its hooks.
	Register(reg Registration)

	// Resolve the given resource type and its hooks.
	Resolve(typ *pbresource.Type) (reg Registration, ok bool)

	Types() []Registration
}

type Registration struct {
	// Type is the GVK of the resource type.
	Type *pbresource.Type

	// Proto is the resource's protobuf message type.
	Proto proto.Message

	// ACLs are hooks called to perform authorization on RPCs.
	ACLs *ACLHooks

	// Validate is called to structurally validate the resource (e.g.
	// check for required fields).
	Validate func(*pbresource.Resource) error

	// Mutate is called to fill out any autogenerated fields (e.g. UUIDs) or
	// apply defaults before validation.
	Mutate func(*pbresource.Resource) error

	// Scope describes the tenancy scope of a resource.
	Scope Scope
}

type ACLHooks struct {
	// Read is used to authorize Read RPCs and to filter results in List
	// RPCs.
	//
	// If it is omitted, `operator:read` permission is assumed.
	Read func(acl.Authorizer, *acl.AuthorizerContext, *pbresource.ID) error

	// Write is used to authorize Write and Delete RPCs.
	//
	// If it is omitted, `operator:write` permission is assumed.
	Write func(acl.Authorizer, *acl.AuthorizerContext, *pbresource.Resource) error

	// List is used to authorize List RPCs.
	//
	// If it is omitted, we only filter the results using Read.
	List func(acl.Authorizer, *pbresource.Tenancy) error
}

// Resource type registry
type TypeRegistry struct {
	// registrations keyed by GVK
	registrations map[string]Registration
	lock          sync.RWMutex
}

func NewRegistry() Registry {
	registry := &TypeRegistry{registrations: make(map[string]Registration)}
	// Tombstone is an implicitly registered type since it is used to implement
	// the cascading deletion of resources. ACLs end up being defaulted to
	// operator:<read,write>. It is useful to note that tombstone creation
	// does not get routed through the resource service and bypasses ACLs
	// as part of the Delete endpoint.
	registry.Register(Registration{
		Type:  TypeV1Tombstone,
		Proto: &pbresource.Tombstone{},
	})
	return registry
}

func (r *TypeRegistry) Register(registration Registration) {
	typ := registration.Type
	if typ.Group == "" || typ.GroupVersion == "" || typ.Kind == "" {
		panic("type field(s) cannot be empty")
	}

	switch {
	case !groupRegexp.MatchString(typ.Group):
		panic(fmt.Sprintf("Type.Group must be in snake_case. Got: %q", typ.Group))
	case !groupVersionRegexp.MatchString(typ.GroupVersion):
		panic(fmt.Sprintf("Type.GroupVersion must be lowercase, start with `v`, and end with a number (e.g. `v2` or `v1alpha1`). Got: %q", typ.Group))
	case !kindRegexp.MatchString(typ.Kind):
		panic(fmt.Sprintf("Type.Kind must be in PascalCase. Got: %q", typ.Kind))
	}

	r.lock.Lock()
	defer r.lock.Unlock()

	key := ToGVK(registration.Type)
	if _, ok := r.registrations[key]; ok {
		panic(fmt.Sprintf("resource type %s already registered", key))
	}

	// set default acl hooks for those not provided
	if registration.ACLs == nil {
		registration.ACLs = &ACLHooks{}
	}
	if registration.ACLs.Read == nil {
		registration.ACLs.Read = func(authz acl.Authorizer, authzContext *acl.AuthorizerContext, id *pbresource.ID) error {
			return authz.ToAllowAuthorizer().OperatorReadAllowed(authzContext)
		}
	}
	if registration.ACLs.Write == nil {
		registration.ACLs.Write = func(authz acl.Authorizer, authzContext *acl.AuthorizerContext, id *pbresource.Resource) error {
			return authz.ToAllowAuthorizer().OperatorWriteAllowed(authzContext)
		}
	}
	if registration.ACLs.List == nil {
		registration.ACLs.List = func(authz acl.Authorizer, tenancy *pbresource.Tenancy) error {
			return authz.ToAllowAuthorizer().OperatorReadAllowed(&acl.AuthorizerContext{})
		}
	}

	// default validation to a no-op
	if registration.Validate == nil {
		registration.Validate = func(resource *pbresource.Resource) error { return nil }
	}

	// default mutate to a no-op
	if registration.Mutate == nil {
		registration.Mutate = func(resource *pbresource.Resource) error { return nil }
	}

	r.registrations[key] = registration
}

func (r *TypeRegistry) Resolve(typ *pbresource.Type) (reg Registration, ok bool) {
	r.lock.RLock()
	defer r.lock.RUnlock()

	if registration, ok := r.registrations[ToGVK(typ)]; ok {
		return registration, true
	}
	return Registration{}, false
}

func (r *TypeRegistry) Types() []Registration {
	r.lock.RLock()
	defer r.lock.RUnlock()

	types := make([]Registration, 0, len(r.registrations))
	for _, v := range r.registrations {
		types = append(types, v)
	}
	return types
}

func ToGVK(resourceType *pbresource.Type) string {
	return fmt.Sprintf("%s.%s.%s", resourceType.Group, resourceType.GroupVersion, resourceType.Kind)
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2 years ago			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 1 year ago			`// SPDX-License-Identifier: BUSL-1.1`
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2 years ago
Basic resource type registry (#16622) 2 years ago			`package resource`

			`import (`
			`"fmt"`
resource: enforce consistent naming of resource types (#17611) For consistency, resource type names must follow these rules: - `Group` must be snake case, and in most cases a single word. - `GroupVersion` must be lowercase, start with a "v" and end with a number. - `Kind` must be pascal case. These were chosen because they map to our protobuf type naming conventions. 1 year ago			`"regexp"`
Basic resource type registry (#16622) 2 years ago			`"sync"`

Resource `Write` endpoint (#16786) 2 years ago			`"google.golang.org/protobuf/proto"`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`"github.com/hashicorp/consul/acl"`
Basic resource type registry (#16622) 2 years ago			`"github.com/hashicorp/consul/proto-public/pbresource"`
			`)`

resource: enforce consistent naming of resource types (#17611) For consistency, resource type names must follow these rules: - `Group` must be snake case, and in most cases a single word. - `GroupVersion` must be lowercase, start with a "v" and end with a number. - `Kind` must be pascal case. These were chosen because they map to our protobuf type naming conventions. 1 year ago			`var (`
			groupRegexp = regexp.MustCompile(`^[a-z][a-z\d_]+$`)
			groupVersionRegexp = regexp.MustCompile(`^v([a-z\d]+)?\d$`)
			kindRegexp = regexp.MustCompile(`^[A-Z][A-Za-z\d]+$`)
			`)`

Basic resource type registry (#16622) 2 years ago			`type Registry interface {`
			`// Register the given resource type and its hooks.`
			`Register(reg Registration)`

			`// Resolve the given resource type and its hooks.`
			`Resolve(typ *pbresource.Type) (reg Registration, ok bool)`
expose grpc as http endpoint (#18221) expose resource grpc endpoints as http endpoints 1 year ago
			`Types() []Registration`
Basic resource type registry (#16622) 2 years ago			`}`

			`type Registration struct {`
			`// Type is the GVK of the resource type.`
			`Type *pbresource.Type`

Resource `Write` endpoint (#16786) 2 years ago			`// Proto is the resource's protobuf message type.`
			`Proto proto.Message`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`// ACLs are hooks called to perform authorization on RPCs.`
			`ACLs *ACLHooks`

Resource validation hook for `Write` endpoint (#16950) 2 years ago			`// Validate is called to structurally validate the resource (e.g.`
			`// check for required fields).`
			`Validate func(*pbresource.Resource) error`

Call resource mutate hook before validate hook (NET-4907) (#18178) 1 year ago			`// Mutate is called to fill out any autogenerated fields (e.g. UUIDs) or`
			`// apply defaults before validation.`
Add mutate hook to `Write` endpoint (#16958) 2 years ago			`Mutate func(*pbresource.Resource) error`
resource: Add scope to resource type registration [NET-4976] (#18214) Enables querying a resource type's registration to determine if a resource is cluster, partition, or partition and namespace scoped. 1 year ago
			`// Scope describes the tenancy scope of a resource.`
			`Scope Scope`
Basic resource type registry (#16622) 2 years ago			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`type ACLHooks struct {`
			`// Read is used to authorize Read RPCs and to filter results in List`
			`// RPCs.`
			`//`
			// If it is omitted, `operator:read` permission is assumed.
resource: Make resource read tenancy aware (#18397) 1 year ago			`Read func(acl.Authorizer, acl.AuthorizerContext, pbresource.ID) error`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago
			`// Write is used to authorize Write and Delete RPCs.`
			`//`
			// If it is omitted, `operator:write` permission is assumed.
resource: Make resource write tenancy aware (#18423) 1 year ago			`Write func(acl.Authorizer, acl.AuthorizerContext, pbresource.Resource) error`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago
			`// List is used to authorize List RPCs.`
			`//`
			`// If it is omitted, we only filter the results using Read.`
			`List func(acl.Authorizer, *pbresource.Tenancy) error`
			`}`
Basic resource type registry (#16622) 2 years ago
			`// Resource type registry`
			`type TypeRegistry struct {`
			`// registrations keyed by GVK`
			`registrations map[string]Registration`
			`lock sync.RWMutex`
			`}`

			`func NewRegistry() Registry {`
Create tombstone on resource `Delete` (#17108) 2 years ago			`registry := &TypeRegistry{registrations: make(map[string]Registration)}`
			`// Tombstone is an implicitly registered type since it is used to implement`
			`// the cascading deletion of resources. ACLs end up being defaulted to`
			`// operator:<read,write>. It is useful to note that tombstone creation`
			`// does not get routed through the resource service and bypasses ACLs`
			`// as part of the Delete endpoint.`
			`registry.Register(Registration{`
			`Type: TypeV1Tombstone,`
			`Proto: &pbresource.Tombstone{},`
			`})`
			`return registry`
Basic resource type registry (#16622) 2 years ago			`}`

			`func (r *TypeRegistry) Register(registration Registration) {`
			`typ := registration.Type`
			`if typ.Group == "" \|\| typ.GroupVersion == "" \|\| typ.Kind == "" {`
			`panic("type field(s) cannot be empty")`
			`}`

resource: enforce consistent naming of resource types (#17611) For consistency, resource type names must follow these rules: - `Group` must be snake case, and in most cases a single word. - `GroupVersion` must be lowercase, start with a "v" and end with a number. - `Kind` must be pascal case. These were chosen because they map to our protobuf type naming conventions. 1 year ago			`switch {`
			`case !groupRegexp.MatchString(typ.Group):`
			`panic(fmt.Sprintf("Type.Group must be in snake_case. Got: %q", typ.Group))`
			`case !groupVersionRegexp.MatchString(typ.GroupVersion):`
			panic(fmt.Sprintf("Type.GroupVersion must be lowercase, start with `v`, and end with a number (e.g. `v2` or `v1alpha1`). Got: %q", typ.Group))
			`case !kindRegexp.MatchString(typ.Kind):`
			`panic(fmt.Sprintf("Type.Kind must be in PascalCase. Got: %q", typ.Kind))`
			`}`

			`r.lock.Lock()`
			`defer r.lock.Unlock()`

Basic resource type registry (#16622) 2 years ago			`key := ToGVK(registration.Type)`
			`if _, ok := r.registrations[key]; ok {`
			`panic(fmt.Sprintf("resource type %s already registered", key))`
			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`// set default acl hooks for those not provided`
			`if registration.ACLs == nil {`
			`registration.ACLs = &ACLHooks{}`
			`}`
			`if registration.ACLs.Read == nil {`
resource: Make resource read tenancy aware (#18397) 1 year ago			`registration.ACLs.Read = func(authz acl.Authorizer, authzContext acl.AuthorizerContext, id pbresource.ID) error {`
			`return authz.ToAllowAuthorizer().OperatorReadAllowed(authzContext)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`}`
			`}`
			`if registration.ACLs.Write == nil {`
resource: Make resource write tenancy aware (#18423) 1 year ago			`registration.ACLs.Write = func(authz acl.Authorizer, authzContext acl.AuthorizerContext, id pbresource.Resource) error {`
			`return authz.ToAllowAuthorizer().OperatorWriteAllowed(authzContext)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`}`
			`}`
			`if registration.ACLs.List == nil {`
			`registration.ACLs.List = func(authz acl.Authorizer, tenancy *pbresource.Tenancy) error {`
			`return authz.ToAllowAuthorizer().OperatorReadAllowed(&acl.AuthorizerContext{})`
			`}`
			`}`
Resource validation hook for `Write` endpoint (#16950) 2 years ago
			`// default validation to a no-op`
			`if registration.Validate == nil {`
			`registration.Validate = func(resource *pbresource.Resource) error { return nil }`
			`}`

Add mutate hook to `Write` endpoint (#16958) 2 years ago			`// default mutate to a no-op`
			`if registration.Mutate == nil {`
			`registration.Mutate = func(resource *pbresource.Resource) error { return nil }`
			`}`

Basic resource type registry (#16622) 2 years ago			`r.registrations[key] = registration`
			`}`

			`func (r TypeRegistry) Resolve(typ pbresource.Type) (reg Registration, ok bool) {`
			`r.lock.RLock()`
			`defer r.lock.RUnlock()`

			`if registration, ok := r.registrations[ToGVK(typ)]; ok {`
			`return registration, true`
			`}`
			`return Registration{}, false`
			`}`

expose grpc as http endpoint (#18221) expose resource grpc endpoints as http endpoints 1 year ago			`func (r *TypeRegistry) Types() []Registration {`
			`r.lock.RLock()`
			`defer r.lock.RUnlock()`

			`types := make([]Registration, 0, len(r.registrations))`
			`for _, v := range r.registrations {`
			`types = append(types, v)`
			`}`
			`return types`
			`}`

Basic resource type registry (#16622) 2 years ago			`func ToGVK(resourceType *pbresource.Type) string {`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`return fmt.Sprintf("%s.%s.%s", resourceType.Group, resourceType.GroupVersion, resourceType.Kind)`
Basic resource type registry (#16622) 2 years ago			`}`