Augment intention decision summary with DefaultAllow mode

4 years ago · 932fbddd27
5 changed files with 25 additions and 5 deletions
--- a/agent/consul/internal_endpoint_test.go
+++ b/agent/consul/internal_endpoint_test.go
@ -1721,6 +1721,7 @@ func TestInternal_ServiceTopology(t *testing.T) {

 			expectUp := map[string]structs.IntentionDecisionSummary{
 				web.String(): {
+					DefaultAllow:   true,
 					Allowed:        false,
 					HasPermissions: false,
 					ExternalSource: "nomad",
@ -1749,6 +1750,7 @@ func TestInternal_ServiceTopology(t *testing.T) {

 			expectDown := map[string]structs.IntentionDecisionSummary{
 				api.String(): {
+					DefaultAllow:   true,
 					Allowed:        false,
 					HasPermissions: false,
 					ExternalSource: "nomad",
@ -1764,6 +1766,7 @@ func TestInternal_ServiceTopology(t *testing.T) {

 			expectUp := map[string]structs.IntentionDecisionSummary{
 				redis.String(): {
+					DefaultAllow:   true,
 					Allowed:        false,
 					HasPermissions: true,
 					HasExact:       true,
@ -1791,6 +1794,7 @@ func TestInternal_ServiceTopology(t *testing.T) {

 			expectDown := map[string]structs.IntentionDecisionSummary{
 				web.String(): {
+					DefaultAllow:   true,
 					Allowed:        false,
 					HasPermissions: true,
 					HasExact:       true,
--- a/agent/consul/state/intention.go
+++ b/agent/consul/state/intention.go
@ -750,10 +750,12 @@ func (s *Store) IntentionDecision(
 		}
 	}

-	var resp structs.IntentionDecisionSummary
+	resp := structs.IntentionDecisionSummary{
+		DefaultAllow: defaultDecision == acl.Allow,
+	}
 	if ixnMatch == nil {
 		// No intention found, fall back to default
-		resp.Allowed = defaultDecision == acl.Allow
+		resp.Allowed = resp.DefaultAllow
 		return resp, nil
 	}

--- a/agent/consul/state/intention_test.go
+++ b/agent/consul/state/intention_test.go
@ -1774,7 +1774,10 @@ func TestStore_IntentionDecision(t *testing.T) {
 			dst:             "ditto",
 			matchType:       structs.IntentionMatchDestination,
 			defaultDecision: acl.Deny,
-			expect:          structs.IntentionDecisionSummary{Allowed: false},
+			expect: structs.IntentionDecisionSummary{
+				Allowed:      false,
+				DefaultAllow: false,
+			},
 		},
 		{
 			name:            "no matching intention and default allow",
@ -1782,7 +1785,10 @@ func TestStore_IntentionDecision(t *testing.T) {
 			dst:             "ditto",
 			matchType:       structs.IntentionMatchDestination,
 			defaultDecision: acl.Allow,
-			expect:          structs.IntentionDecisionSummary{Allowed: true},
+			expect: structs.IntentionDecisionSummary{
+				Allowed:      true,
+				DefaultAllow: true,
+			},
 		},
 		{
 			name:      "denied with permissions",
--- a/agent/structs/intention.go
+++ b/agent/structs/intention.go
@ -666,12 +666,14 @@ type IntentionQueryCheckResponse struct {
 // - Whether all actions are allowed
 // - Whether the matching intention has L7 permissions attached
 // - Whether the intention is managed by an external source like k8s
-// - Whether there is an exact, on-wildcard, intention referencing the two services
+// - Whether there is an exact, or wildcard, intention referencing the two services
+// - Whether ACLs are in DefaultAllow mode
 type IntentionDecisionSummary struct {
 	Allowed        bool
 	HasPermissions bool
 	ExternalSource string
 	HasExact       bool
+	DefaultAllow   bool
 }

 // IntentionQueryExact holds the parameters for performing a lookup of an
--- a/agent/ui_endpoint_test.go
+++ b/agent/ui_endpoint_test.go
@ -1431,6 +1431,7 @@ func TestUIServiceTopology(t *testing.T) {
 							EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
 						},
 						Intention: structs.IntentionDecisionSummary{
+							DefaultAllow:   true,
 							Allowed:        true,
 							HasPermissions: false,
 							HasExact:       true,
@ -1474,6 +1475,7 @@ func TestUIServiceTopology(t *testing.T) {
 							EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
 						},
 						Intention: structs.IntentionDecisionSummary{
+							DefaultAllow:   true,
 							Allowed:        true,
 							HasPermissions: false,
 							HasExact:       true,
@ -1493,6 +1495,7 @@ func TestUIServiceTopology(t *testing.T) {
 							EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
 						},
 						Intention: structs.IntentionDecisionSummary{
+							DefaultAllow:   true,
 							Allowed:        false,
 							HasPermissions: false,
 							ExternalSource: "nomad",
@ -1542,6 +1545,7 @@ func TestUIServiceTopology(t *testing.T) {
 							EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
 						},
 						Intention: structs.IntentionDecisionSummary{
+							DefaultAllow:   true,
 							Allowed:        false,
 							HasPermissions: true,
 							HasExact:       true,
@ -1559,6 +1563,7 @@ func TestUIServiceTopology(t *testing.T) {
 							EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
 						},
 						Intention: structs.IntentionDecisionSummary{
+							DefaultAllow:   true,
 							Allowed:        false,
 							HasPermissions: false,
 							ExternalSource: "nomad",
@ -1610,6 +1615,7 @@ func TestUIServiceTopology(t *testing.T) {
 							EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
 						},
 						Intention: structs.IntentionDecisionSummary{
+							DefaultAllow:   true,
 							Allowed:        false,
 							HasPermissions: true,
 							HasExact:       true,