consul/agent/grpc-external/services/resource/watch.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package resource

import (
	"errors"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/internal/storage"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

func (s *Server) WatchList(req *pbresource.WatchListRequest, stream pbresource.ResourceService_WatchListServer) error {
	if err := validateWatchListRequest(req); err != nil {
		return err
	}

	// check type exists
	reg, err := s.resolveType(req.Type)
	if err != nil {
		return err
	}

	// TODO(spatel): Refactor _ and entMeta as part of NET-4914
	authz, authzContext, err := s.getAuthorizer(tokenFromContext(stream.Context()), acl.DefaultEnterpriseMeta())
	if err != nil {
		return err
	}

	// check acls
	err = reg.ACLs.List(authz, req.Tenancy)
	switch {
	case acl.IsErrPermissionDenied(err):
		return status.Error(codes.PermissionDenied, err.Error())
	case err != nil:
		return status.Errorf(codes.Internal, "failed list acl: %v", err)
	}

	unversionedType := storage.UnversionedTypeFrom(req.Type)
	watch, err := s.Backend.WatchList(
		stream.Context(),
		unversionedType,
		req.Tenancy,
		req.NamePrefix,
	)
	if err != nil {
		return err
	}
	defer watch.Close()

	for {
		event, err := watch.Next(stream.Context())
		switch {
		case errors.Is(err, storage.ErrWatchClosed):
			return status.Error(codes.Aborted, "watch closed by the storage backend (possibly due to snapshot restoration)")
		case err != nil:
			return status.Errorf(codes.Internal, "failed next: %v", err)
		}

		// drop group versions that don't match
		if event.Resource.Id.Type.GroupVersion != req.Type.GroupVersion {
			continue
		}

		// filter out items that don't pass read ACLs
		err = reg.ACLs.Read(authz, authzContext, event.Resource.Id)
		switch {
		case acl.IsErrPermissionDenied(err):
			continue
		case err != nil:
			return status.Errorf(codes.Internal, "failed read acl: %v", err)
		}

		if err = stream.Send(event); err != nil {
			return err
		}
	}
}

func validateWatchListRequest(req *pbresource.WatchListRequest) error {
	var field string
	switch {
	case req.Type == nil:
		field = "type"
	case req.Tenancy == nil:
		field = "tenancy"
	default:
		return nil
	}
	return status.Errorf(codes.InvalidArgument, "%s is required", field)
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2 years ago			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 1 year ago			`// SPDX-License-Identifier: BUSL-1.1`
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2 years ago
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`package resource`

			`import (`
resource: handle `ErrWatchClosed` in `WatchList` endpoint (#17289) 2 years ago			`"errors"`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/status"`

			`"github.com/hashicorp/consul/acl"`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`"github.com/hashicorp/consul/internal/storage"`
			`"github.com/hashicorp/consul/proto-public/pbresource"`
			`)`

			`func (s Server) WatchList(req pbresource.WatchListRequest, stream pbresource.ResourceService_WatchListServer) error {`
resource: add missing validation to the `List` and `WatchList` endpoints (#17213) 2 years ago			`if err := validateWatchListRequest(req); err != nil {`
			`return err`
			`}`

WatchList(..) endpoint for the resource service (#16726) 2 years ago			`// check type exists`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`reg, err := s.resolveType(req.Type)`
			`if err != nil {`
			`return err`
			`}`

resource: Make resource read tenancy aware (#18397) 1 year ago			`// TODO(spatel): Refactor _ and entMeta as part of NET-4914`
			`authz, authzContext, err := s.getAuthorizer(tokenFromContext(stream.Context()), acl.DefaultEnterpriseMeta())`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`if err != nil {`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`return err`
			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`// check acls`
			`err = reg.ACLs.List(authz, req.Tenancy)`
			`switch {`
			`case acl.IsErrPermissionDenied(err):`
			`return status.Error(codes.PermissionDenied, err.Error())`
			`case err != nil:`
			`return status.Errorf(codes.Internal, "failed list acl: %v", err)`
			`}`

WatchList(..) endpoint for the resource service (#16726) 2 years ago			`unversionedType := storage.UnversionedTypeFrom(req.Type)`
Raft storage backend (#16619) 2 years ago			`watch, err := s.Backend.WatchList(`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`stream.Context(),`
			`unversionedType,`
			`req.Tenancy,`
			`req.NamePrefix,`
			`)`
			`if err != nil {`
			`return err`
			`}`
storage: fix resource leak in Watch (#16817) 2 years ago			`defer watch.Close()`
WatchList(..) endpoint for the resource service (#16726) 2 years ago
			`for {`
			`event, err := watch.Next(stream.Context())`
resource: handle `ErrWatchClosed` in `WatchList` endpoint (#17289) 2 years ago			`switch {`
			`case errors.Is(err, storage.ErrWatchClosed):`
			`return status.Error(codes.Aborted, "watch closed by the storage backend (possibly due to snapshot restoration)")`
			`case err != nil:`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`return status.Errorf(codes.Internal, "failed next: %v", err)`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`// drop group versions that don't match`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`if event.Resource.Id.Type.GroupVersion != req.Type.GroupVersion {`
			`continue`
			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`// filter out items that don't pass read ACLs`
resource: Make resource read tenancy aware (#18397) 1 year ago			`err = reg.ACLs.Read(authz, authzContext, event.Resource.Id)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`switch {`
			`case acl.IsErrPermissionDenied(err):`
			`continue`
			`case err != nil:`
			`return status.Errorf(codes.Internal, "failed read acl: %v", err)`
			`}`

WatchList(..) endpoint for the resource service (#16726) 2 years ago			`if err = stream.Send(event); err != nil {`
			`return err`
			`}`
			`}`
			`}`
resource: add missing validation to the `List` and `WatchList` endpoints (#17213) 2 years ago
			`func validateWatchListRequest(req *pbresource.WatchListRequest) error {`
			`var field string`
			`switch {`
			`case req.Type == nil:`
			`field = "type"`
			`case req.Tenancy == nil:`
			`field = "tenancy"`
			`default:`
			`return nil`
			`}`
			`return status.Errorf(codes.InvalidArgument, "%s is required", field)`
			`}`