consul/agent/grpc-external/services/resource/watch.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package resource

import (
	"errors"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/internal/resource"
	"github.com/hashicorp/consul/internal/storage"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

func (s *Server) WatchList(req *pbresource.WatchListRequest, stream pbresource.ResourceService_WatchListServer) error {
	reg, err := s.ensureWatchListRequestValid(req)
	if err != nil {
		return err
	}

	// v1 ACL subsystem is "wildcard" aware so just pass on through.
	entMeta := v2TenancyToV1EntMeta(req.Tenancy)
	token := tokenFromContext(stream.Context())
	authz, authzContext, err := s.getAuthorizer(token, entMeta)
	if err != nil {
		return err
	}

	// Check list ACL.
	err = reg.ACLs.List(authz, authzContext)
	switch {
	case acl.IsErrPermissionDenied(err):
		return status.Error(codes.PermissionDenied, err.Error())
	case err != nil:
		return status.Errorf(codes.Internal, "failed list acl: %v", err)
	}

	// Ensure we're defaulting correctly when request tenancy units are empty.
	v1EntMetaToV2Tenancy(reg, entMeta, req.Tenancy)

	unversionedType := storage.UnversionedTypeFrom(req.Type)
	watch, err := s.Backend.WatchList(
		stream.Context(),
		unversionedType,
		req.Tenancy,
		req.NamePrefix,
	)
	if err != nil {
		return err
	}
	defer watch.Close()

	for {
		event, err := watch.Next(stream.Context())
		switch {
		case errors.Is(err, storage.ErrWatchClosed):
			return status.Error(codes.Aborted, "watch closed by the storage backend (possibly due to snapshot restoration)")
		case err != nil:
			return status.Errorf(codes.Internal, "failed next: %v", err)
		}

		// drop group versions that don't match
		if event.Resource.Id.Type.GroupVersion != req.Type.GroupVersion {
			continue
		}

		// Need to rebuild authorizer per resource since wildcard inputs may
		// result in different tenancies. Consider caching per tenancy if this
		// is deemed expensive.
		entMeta = v2TenancyToV1EntMeta(event.Resource.Id.Tenancy)
		authz, authzContext, err = s.getAuthorizer(token, entMeta)
		if err != nil {
			return err
		}

		// filter out items that don't pass read ACLs
		err = reg.ACLs.Read(authz, authzContext, event.Resource.Id, event.Resource)
		switch {
		case acl.IsErrPermissionDenied(err):
			continue
		case err != nil:
			return status.Errorf(codes.Internal, "failed read acl: %v", err)
		}

		if err = stream.Send(event); err != nil {
			return err
		}
	}
}

func (s *Server) ensureWatchListRequestValid(req *pbresource.WatchListRequest) (*resource.Registration, error) {
	if req.Type == nil {
		return nil, status.Errorf(codes.InvalidArgument, "type is required")
	}

	// Check type exists.
	reg, err := s.resolveType(req.Type)
	if err != nil {
		return nil, err
	}

	// if no tenancy is passed defaults to wildcard
	if req.Tenancy == nil {
		req.Tenancy = wildcardTenancyFor(reg.Scope)
	}

	if err = checkV2Tenancy(s.UseV2Tenancy, req.Type); err != nil {
		return nil, err
	}

	if err := validateWildcardTenancy(req.Tenancy, req.NamePrefix); err != nil {
		return nil, err
	}

	// Check scope
	if err = validateScopedTenancy(reg.Scope, req.Type, req.Tenancy); err != nil {
		return nil, err
	}

	return reg, nil
}

func wildcardTenancyFor(scope resource.Scope) *pbresource.Tenancy {
	var defaultTenancy *pbresource.Tenancy

	switch scope {
	case resource.ScopeCluster:
		defaultTenancy = &pbresource.Tenancy{
			PeerName: storage.Wildcard,
		}
	case resource.ScopePartition:
		defaultTenancy = &pbresource.Tenancy{
			Partition: storage.Wildcard,
			PeerName:  storage.Wildcard,
		}
	default:
		defaultTenancy = &pbresource.Tenancy{
			Partition: storage.Wildcard,
			PeerName:  storage.Wildcard,
			Namespace: storage.Wildcard,
		}
	}
	return defaultTenancy
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2 years ago			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 1 year ago			`// SPDX-License-Identifier: BUSL-1.1`
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2 years ago
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`package resource`

			`import (`
resource: handle `ErrWatchClosed` in `WatchList` endpoint (#17289) 2 years ago			`"errors"`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/status"`

			`"github.com/hashicorp/consul/acl"`
resource: Make resource watchlist tenancy aware (#18539) 1 year ago			`"github.com/hashicorp/consul/internal/resource"`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`"github.com/hashicorp/consul/internal/storage"`
			`"github.com/hashicorp/consul/proto-public/pbresource"`
			`)`

			`func (s Server) WatchList(req pbresource.WatchListRequest, stream pbresource.ResourceService_WatchListServer) error {`
Net-6291/fix/watch resources (#19467) * fix: update watch endpoint to default based on scope * test: additional test * refactor: rename list validate function * refactor: rename validate<Op>Request() -> ensure<Op>RequestValid() for consistency 1 year ago			`reg, err := s.ensureWatchListRequestValid(req)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`if err != nil {`
			`return err`
			`}`

resource: Make resource watchlist tenancy aware (#18539) 1 year ago			`// v1 ACL subsystem is "wildcard" aware so just pass on through.`
			`entMeta := v2TenancyToV1EntMeta(req.Tenancy)`
			`token := tokenFromContext(stream.Context())`
			`authz, authzContext, err := s.getAuthorizer(token, entMeta)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`if err != nil {`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`return err`
			`}`

resource: Make resource watchlist tenancy aware (#18539) 1 year ago			`// Check list ACL.`
resource: Make resource list tenancy aware (#18475) 1 year ago			`err = reg.ACLs.List(authz, authzContext)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`switch {`
			`case acl.IsErrPermissionDenied(err):`
			`return status.Error(codes.PermissionDenied, err.Error())`
			`case err != nil:`
			`return status.Errorf(codes.Internal, "failed list acl: %v", err)`
			`}`

resource: Make resource watchlist tenancy aware (#18539) 1 year ago			`// Ensure we're defaulting correctly when request tenancy units are empty.`
			`v1EntMetaToV2Tenancy(reg, entMeta, req.Tenancy)`

WatchList(..) endpoint for the resource service (#16726) 2 years ago			`unversionedType := storage.UnversionedTypeFrom(req.Type)`
Raft storage backend (#16619) 2 years ago			`watch, err := s.Backend.WatchList(`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`stream.Context(),`
			`unversionedType,`
			`req.Tenancy,`
			`req.NamePrefix,`
			`)`
			`if err != nil {`
			`return err`
			`}`
storage: fix resource leak in Watch (#16817) 2 years ago			`defer watch.Close()`
WatchList(..) endpoint for the resource service (#16726) 2 years ago
			`for {`
			`event, err := watch.Next(stream.Context())`
resource: handle `ErrWatchClosed` in `WatchList` endpoint (#17289) 2 years ago			`switch {`
			`case errors.Is(err, storage.ErrWatchClosed):`
			`return status.Error(codes.Aborted, "watch closed by the storage backend (possibly due to snapshot restoration)")`
			`case err != nil:`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`return status.Errorf(codes.Internal, "failed next: %v", err)`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`// drop group versions that don't match`
WatchList(..) endpoint for the resource service (#16726) 2 years ago			`if event.Resource.Id.Type.GroupVersion != req.Type.GroupVersion {`
			`continue`
			`}`

resource: Make resource watchlist tenancy aware (#18539) 1 year ago			`// Need to rebuild authorizer per resource since wildcard inputs may`
			`// result in different tenancies. Consider caching per tenancy if this`
			`// is deemed expensive.`
			`entMeta = v2TenancyToV1EntMeta(event.Resource.Id.Tenancy)`
			`authz, authzContext, err = s.getAuthorizer(token, entMeta)`
			`if err != nil {`
			`return err`
			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`// filter out items that don't pass read ACLs`
resource: allow for the ACLs.Read hook to request the entire data payload to perform the authz check (#18925) The ACLs.Read hook for a resource only allows for the identity of a resource to be passed in for use in authz consideration. For some resources we wish to allow for the current stored value to dictate how to enforce the ACLs (such as reading a list of applicable services from the payload and allowing service:read on any of them to control reading the enclosing resource). This change update the interface to usually accept a *pbresource.ID, but if the hook decides it needs more data it returns a sentinel error and the resource service knows to defer the authz check until after fetching the data from storage. 1 year ago			`err = reg.ACLs.Read(authz, authzContext, event.Resource.Id, event.Resource)`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2 years ago			`switch {`
			`case acl.IsErrPermissionDenied(err):`
			`continue`
			`case err != nil:`
			`return status.Errorf(codes.Internal, "failed read acl: %v", err)`
			`}`

WatchList(..) endpoint for the resource service (#16726) 2 years ago			`if err = stream.Send(event); err != nil {`
			`return err`
			`}`
			`}`
			`}`
resource: add missing validation to the `List` and `WatchList` endpoints (#17213) 2 years ago
Net-6291/fix/watch resources (#19467) * fix: update watch endpoint to default based on scope * test: additional test * refactor: rename list validate function * refactor: rename validate<Op>Request() -> ensure<Op>RequestValid() for consistency 1 year ago			`func (s Server) ensureWatchListRequestValid(req pbresource.WatchListRequest) (*resource.Registration, error) {`
			`if req.Type == nil {`
			`return nil, status.Errorf(codes.InvalidArgument, "type is required")`
resource: Make resource watchlist tenancy aware (#18539) 1 year ago			`}`

			`// Check type exists.`
			`reg, err := s.resolveType(req.Type)`
			`if err != nil {`
			`return nil, err`
			`}`

Net-6291/fix/watch resources (#19467) * fix: update watch endpoint to default based on scope * test: additional test * refactor: rename list validate function * refactor: rename validate<Op>Request() -> ensure<Op>RequestValid() for consistency 1 year ago			`// if no tenancy is passed defaults to wildcard`
			`if req.Tenancy == nil {`
			`req.Tenancy = wildcardTenancyFor(reg.Scope)`
			`}`

resource: resource service now checks for `v2tenancy` feature flag (#19400) 1 year ago			`if err = checkV2Tenancy(s.UseV2Tenancy, req.Type); err != nil {`
			`return nil, err`
			`}`

resource: enforce lowercase v2 resource names (#19218) 1 year ago			`if err := validateWildcardTenancy(req.Tenancy, req.NamePrefix); err != nil {`
			`return nil, err`
			`}`
resource: Make resource watchlist tenancy aware (#18539) 1 year ago
Net-6291/fix/watch resources (#19467) * fix: update watch endpoint to default based on scope * test: additional test * refactor: rename list validate function * refactor: rename validate<Op>Request() -> ensure<Op>RequestValid() for consistency 1 year ago			`// Check scope`
			`if err = validateScopedTenancy(reg.Scope, req.Type, req.Tenancy); err != nil {`
			`return nil, err`
resource: Make resource watchlist tenancy aware (#18539) 1 year ago			`}`

			`return reg, nil`
resource: add missing validation to the `List` and `WatchList` endpoints (#17213) 2 years ago			`}`
Net-6291/fix/watch resources (#19467) * fix: update watch endpoint to default based on scope * test: additional test * refactor: rename list validate function * refactor: rename validate<Op>Request() -> ensure<Op>RequestValid() for consistency 1 year ago
			`func wildcardTenancyFor(scope resource.Scope) *pbresource.Tenancy {`
			`var defaultTenancy *pbresource.Tenancy`

			`switch scope {`
			`case resource.ScopeCluster:`
			`defaultTenancy = &pbresource.Tenancy{`
			`PeerName: storage.Wildcard,`
			`}`
			`case resource.ScopePartition:`
			`defaultTenancy = &pbresource.Tenancy{`
			`Partition: storage.Wildcard,`
			`PeerName: storage.Wildcard,`
			`}`
			`default:`
			`defaultTenancy = &pbresource.Tenancy{`
			`Partition: storage.Wildcard,`
			`PeerName: storage.Wildcard,`
			`Namespace: storage.Wildcard,`
			`}`
			`}`
			`return defaultTenancy`
			`}`