consul/agent/grpc-external/services/resource/read.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package resource

import (
	"context"
	"errors"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/internal/resource"
	"github.com/hashicorp/consul/internal/storage"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

func (s *Server) Read(ctx context.Context, req *pbresource.ReadRequest) (*pbresource.ReadResponse, error) {
	// Light first pass validation based on what user passed in and not much more.
	reg, err := s.validateReadRequest(req)
	if err != nil {
		return nil, err
	}

	// acl.EnterpriseMeta acl.AuthorizerContext follow rules for V1 resources since they integrate with the V1 acl subsystem.
	// pbresource.Tenacy follows rules for V2 resources and the Resource service.
	// Example:
	//
	//    A CE namespace scoped resource:
	//      V1: EnterpriseMeta{}
	//      V2: Tenancy {Partition: "default", Namespace: "default"}
	//
	//   An ENT namespace scoped resource:
	//      V1: EnterpriseMeta{Partition: "default", Namespace: "default"}
	//      V2: Tenancy {Partition: "default", Namespace: "default"}
	//
	// It is necessary to convert back and forth depending on which component supports which version, V1 or V2.
	entMeta := v2TenancyToV1EntMeta(req.Id.Tenancy)
	authz, authzContext, err := s.getAuthorizer(tokenFromContext(ctx), entMeta)
	if err != nil {
		return nil, err
	}

	v1EntMetaToV2Tenancy(reg, entMeta, req.Id.Tenancy)

	// ACL check usually comes before tenancy existence checks to not leak
	// tenancy "existence", unless the ACL check requires the data payload
	// to function.
	authzNeedsData := false
	err = reg.ACLs.Read(authz, authzContext, req.Id, nil)
	switch {
	case errors.Is(err, resource.ErrNeedResource):
		authzNeedsData = true
		err = nil
	case acl.IsErrPermissionDenied(err):
		return nil, status.Error(codes.PermissionDenied, err.Error())
	case err != nil:
		return nil, status.Errorf(codes.Internal, "failed read acl: %v", err)
	}

	// Check V1 tenancy exists for the V2 resource.
	if err = v1TenancyExists(reg, s.TenancyBridge, req.Id.Tenancy, codes.NotFound); err != nil {
		return nil, err
	}

	resource, err := s.Backend.Read(ctx, readConsistencyFrom(ctx), req.Id)
	switch {
	case errors.Is(err, storage.ErrNotFound):
		return nil, status.Error(codes.NotFound, err.Error())
	case errors.As(err, &storage.GroupVersionMismatchError{}):
		return nil, status.Error(codes.InvalidArgument, err.Error())
	case err != nil:
		return nil, status.Errorf(codes.Internal, "failed read: %v", err)
	}

	if authzNeedsData {
		err = reg.ACLs.Read(authz, authzContext, req.Id, resource)
		switch {
		case acl.IsErrPermissionDenied(err):
			return nil, status.Error(codes.PermissionDenied, err.Error())
		case err != nil:
			return nil, status.Errorf(codes.Internal, "failed read acl: %v", err)
		}
	}

	return &pbresource.ReadResponse{Resource: resource}, nil
}

func (s *Server) validateReadRequest(req *pbresource.ReadRequest) (*resource.Registration, error) {
	if req.Id == nil {
		return nil, status.Errorf(codes.InvalidArgument, "id is required")
	}

	if err := validateId(req.Id, "id"); err != nil {
		return nil, err
	}

	// Check type exists.
	reg, err := s.resolveType(req.Id.Type)
	if err != nil {
		return nil, err
	}

	// Check scope
	if reg.Scope == resource.ScopePartition && req.Id.Tenancy.Namespace != "" {
		return nil, status.Errorf(
			codes.InvalidArgument,
			"partition scoped resource %s cannot have a namespace. got: %s",
			resource.ToGVK(req.Id.Type),
			req.Id.Tenancy.Namespace,
		)
	}
	if reg.Scope == resource.ScopeCluster {
		if req.Id.Tenancy.Partition != "" {
			return nil, status.Errorf(
				codes.InvalidArgument,
				"cluster scoped resource %s cannot have a partition: %s",
				resource.ToGVK(req.Id.Type),
				req.Id.Tenancy.Partition,
			)
		}
		if req.Id.Tenancy.Namespace != "" {
			return nil, status.Errorf(
				codes.InvalidArgument,
				"cluster scoped resource %s cannot have a namespace: %s",
				resource.ToGVK(req.Id.Type),
				req.Id.Tenancy.Namespace,
			)
		}
	}
	return reg, nil
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00
Read(...) endpoint for the resource service (#16655) 2023-03-27 15:35:39 +00:00			`package resource`

			`import (`
			`"context"`
			`"errors"`

			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/status"`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`"github.com/hashicorp/consul/acl"`
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`"github.com/hashicorp/consul/internal/resource"`
Read(...) endpoint for the resource service (#16655) 2023-03-27 15:35:39 +00:00			`"github.com/hashicorp/consul/internal/storage"`
			`"github.com/hashicorp/consul/proto-public/pbresource"`
			`)`

			`func (s Server) Read(ctx context.Context, req pbresource.ReadRequest) (*pbresource.ReadResponse, error) {`
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`// Light first pass validation based on what user passed in and not much more.`
			`reg, err := s.validateReadRequest(req)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`if err != nil {`
Resource service List(..) endpoint (#16753) 2023-03-27 21:25:27 +00:00			`return nil, err`
Read(...) endpoint for the resource service (#16655) 2023-03-27 15:35:39 +00:00			`}`

resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`// acl.EnterpriseMeta acl.AuthorizerContext follow rules for V1 resources since they integrate with the V1 acl subsystem.`
			`// pbresource.Tenacy follows rules for V2 resources and the Resource service.`
			`// Example:`
			`//`
OSS -> CE (community edition) changes (#18517) 2023-08-22 14:46:03 +00:00			`// A CE namespace scoped resource:`
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`// V1: EnterpriseMeta{}`
			`// V2: Tenancy {Partition: "default", Namespace: "default"}`
			`//`
			`// An ENT namespace scoped resource:`
			`// V1: EnterpriseMeta{Partition: "default", Namespace: "default"}`
			`// V2: Tenancy {Partition: "default", Namespace: "default"}`
			`//`
			`// It is necessary to convert back and forth depending on which component supports which version, V1 or V2.`
			`entMeta := v2TenancyToV1EntMeta(req.Id.Tenancy)`
			`authz, authzContext, err := s.getAuthorizer(tokenFromContext(ctx), entMeta)`
Read(...) endpoint for the resource service (#16655) 2023-03-27 15:35:39 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`v1EntMetaToV2Tenancy(reg, entMeta, req.Id.Tenancy)`

resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925) The ACLs.Read hook for a resource only allows for the identity of a resource to be passed in for use in authz consideration. For some resources we wish to allow for the current stored value to dictate how to enforce the ACLs (such as reading a list of applicable services from the payload and allowing service:read on any of them to control reading the enclosing resource). This change update the interface to usually accept a *pbresource.ID, but if the hook decides it needs more data it returns a sentinel error and the resource service knows to defer the authz check until after fetching the data from storage. 2023-09-22 14:53:55 +00:00			`// ACL check usually comes before tenancy existence checks to not leak`
			`// tenancy "existence", unless the ACL check requires the data payload`
			`// to function.`
			`authzNeedsData := false`
			`err = reg.ACLs.Read(authz, authzContext, req.Id, nil)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`switch {`
Backport of catalog, mesh: implement missing ACL hooks into release/1.17.x (#19212) catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. Co-authored-by: Iryna Shustava <ishustava@users.noreply.github.com> 2023-10-14 01:50:22 +00:00			`case errors.Is(err, resource.ErrNeedResource):`
resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925) The ACLs.Read hook for a resource only allows for the identity of a resource to be passed in for use in authz consideration. For some resources we wish to allow for the current stored value to dictate how to enforce the ACLs (such as reading a list of applicable services from the payload and allowing service:read on any of them to control reading the enclosing resource). This change update the interface to usually accept a *pbresource.ID, but if the hook decides it needs more data it returns a sentinel error and the resource service knows to defer the authz check until after fetching the data from storage. 2023-09-22 14:53:55 +00:00			`authzNeedsData = true`
			`err = nil`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`case acl.IsErrPermissionDenied(err):`
			`return nil, status.Error(codes.PermissionDenied, err.Error())`
			`case err != nil:`
			`return nil, status.Errorf(codes.Internal, "failed read acl: %v", err)`
			`}`

resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`// Check V1 tenancy exists for the V2 resource.`
add v2 tenancy bridge Flag and v2 Tenancy Bridge initial implementation (#18830) * add v2 tenancy bridge and a feature flag for v2 tenancy * move tenancy bridge v2 under resource package 2023-09-18 16:25:05 +00:00			`if err = v1TenancyExists(reg, s.TenancyBridge, req.Id.Tenancy, codes.NotFound); err != nil {`
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`return nil, err`
			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`resource, err := s.Backend.Read(ctx, readConsistencyFrom(ctx), req.Id)`
			`switch {`
			`case errors.Is(err, storage.ErrNotFound):`
			`return nil, status.Error(codes.NotFound, err.Error())`
			`case errors.As(err, &storage.GroupVersionMismatchError{}):`
			`return nil, status.Error(codes.InvalidArgument, err.Error())`
resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925) The ACLs.Read hook for a resource only allows for the identity of a resource to be passed in for use in authz consideration. For some resources we wish to allow for the current stored value to dictate how to enforce the ACLs (such as reading a list of applicable services from the payload and allowing service:read on any of them to control reading the enclosing resource). This change update the interface to usually accept a *pbresource.ID, but if the hook decides it needs more data it returns a sentinel error and the resource service knows to defer the authz check until after fetching the data from storage. 2023-09-22 14:53:55 +00:00			`case err != nil:`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`return nil, status.Errorf(codes.Internal, "failed read: %v", err)`
			`}`
resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925) The ACLs.Read hook for a resource only allows for the identity of a resource to be passed in for use in authz consideration. For some resources we wish to allow for the current stored value to dictate how to enforce the ACLs (such as reading a list of applicable services from the payload and allowing service:read on any of them to control reading the enclosing resource). This change update the interface to usually accept a *pbresource.ID, but if the hook decides it needs more data it returns a sentinel error and the resource service knows to defer the authz check until after fetching the data from storage. 2023-09-22 14:53:55 +00:00
			`if authzNeedsData {`
			`err = reg.ACLs.Read(authz, authzContext, req.Id, resource)`
			`switch {`
			`case acl.IsErrPermissionDenied(err):`
			`return nil, status.Error(codes.PermissionDenied, err.Error())`
			`case err != nil:`
			`return nil, status.Errorf(codes.Internal, "failed read acl: %v", err)`
			`}`
			`}`

			`return &pbresource.ReadResponse{Resource: resource}, nil`
Read(...) endpoint for the resource service (#16655) 2023-03-27 15:35:39 +00:00			`}`
Tenancy wildcard validaton for `Write`, `Read`, and `Delete` endpoints (#17004) 2023-04-17 21:33:20 +00:00
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`func (s Server) validateReadRequest(req pbresource.ReadRequest) (*resource.Registration, error) {`
Tenancy wildcard validaton for `Write`, `Read`, and `Delete` endpoints (#17004) 2023-04-17 21:33:20 +00:00			`if req.Id == nil {`
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`return nil, status.Errorf(codes.InvalidArgument, "id is required")`
Tenancy wildcard validaton for `Write`, `Read`, and `Delete` endpoints (#17004) 2023-04-17 21:33:20 +00:00			`}`

			`if err := validateId(req.Id, "id"); err != nil {`
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`return nil, err`
Tenancy wildcard validaton for `Write`, `Read`, and `Delete` endpoints (#17004) 2023-04-17 21:33:20 +00:00			`}`
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00
			`// Check type exists.`
			`reg, err := s.resolveType(req.Id.Type)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Check scope`
			`if reg.Scope == resource.ScopePartition && req.Id.Tenancy.Namespace != "" {`
			`return nil, status.Errorf(`
			`codes.InvalidArgument,`
			`"partition scoped resource %s cannot have a namespace. got: %s",`
			`resource.ToGVK(req.Id.Type),`
			`req.Id.Tenancy.Namespace,`
			`)`
			`}`
v2tenancy: cluster scoped reads (#19082) 2023-10-10 18:30:23 +00:00			`if reg.Scope == resource.ScopeCluster {`
			`if req.Id.Tenancy.Partition != "" {`
			`return nil, status.Errorf(`
			`codes.InvalidArgument,`
			`"cluster scoped resource %s cannot have a partition: %s",`
			`resource.ToGVK(req.Id.Type),`
			`req.Id.Tenancy.Partition,`
			`)`
			`}`
			`if req.Id.Tenancy.Namespace != "" {`
			`return nil, status.Errorf(`
			`codes.InvalidArgument,`
			`"cluster scoped resource %s cannot have a namespace: %s",`
			`resource.ToGVK(req.Id.Type),`
			`req.Id.Tenancy.Namespace,`
			`)`
			`}`
			`}`
resource: Make resource read tenancy aware (#18397) 2023-08-07 21:37:03 +00:00			`return reg, nil`
Tenancy wildcard validaton for `Write`, `Read`, and `Delete` endpoints (#17004) 2023-04-17 21:33:20 +00:00			`}`