mirror of https://github.com/hashicorp/consul
Add HasExact to topology endpoint (#9010)
parent
46071cbb03
commit
9c04cbc40f
|
@ -1622,6 +1622,8 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
||||||
// web and web-proxy on node bar - upstream: redis
|
// web and web-proxy on node bar - upstream: redis
|
||||||
// web and web-proxy on node baz - upstream: redis
|
// web and web-proxy on node baz - upstream: redis
|
||||||
// redis and redis-proxy on node zip
|
// redis and redis-proxy on node zip
|
||||||
|
// wildcard deny intention
|
||||||
|
// web -> redis exact intentino
|
||||||
registerTestTopologyEntries(t, codec, "")
|
registerTestTopologyEntries(t, codec, "")
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -1650,6 +1652,9 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
|
|
||||||
|
// From wildcard deny
|
||||||
|
HasExact: false,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions)
|
require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions)
|
||||||
|
@ -1675,6 +1680,9 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
|
|
||||||
|
// From wildcard deny
|
||||||
|
HasExact: false,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions)
|
require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions)
|
||||||
|
@ -1686,6 +1694,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
||||||
redis.String(): {
|
redis.String(): {
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
|
HasExact: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions)
|
require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions)
|
||||||
|
@ -1712,6 +1721,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
||||||
web.String(): {
|
web.String(): {
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
|
HasExact: true,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions)
|
require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions)
|
||||||
|
|
|
@ -500,6 +500,12 @@ func (s *Store) IntentionDecision(
|
||||||
}
|
}
|
||||||
resp.ExternalSource = ixnMatch.Meta[structs.MetaExternalSource]
|
resp.ExternalSource = ixnMatch.Meta[structs.MetaExternalSource]
|
||||||
|
|
||||||
|
// Intentions with wildcard namespaces but specific names are not allowed (*/web -> */api)
|
||||||
|
// So we don't check namespaces to see if there's an exact intention
|
||||||
|
if ixnMatch.SourceName != structs.WildcardSpecifier && ixnMatch.DestinationName != structs.WildcardSpecifier {
|
||||||
|
resp.HasExact = true
|
||||||
|
}
|
||||||
|
|
||||||
return resp, nil
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -1132,6 +1132,16 @@ func TestStore_IntentionDecision(t *testing.T) {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
&structs.ServiceIntentionsConfigEntry{
|
||||||
|
Kind: structs.ServiceIntentions,
|
||||||
|
Name: "mysql",
|
||||||
|
Sources: []*structs.SourceIntention{
|
||||||
|
{
|
||||||
|
Name: "*",
|
||||||
|
Action: structs.IntentionActionAllow,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
s := testConfigStateStore(t)
|
s := testConfigStateStore(t)
|
||||||
|
@ -1167,6 +1177,7 @@ func TestStore_IntentionDecision(t *testing.T) {
|
||||||
expect: structs.IntentionDecisionSummary{
|
expect: structs.IntentionDecisionSummary{
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
|
HasExact: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1176,6 +1187,7 @@ func TestStore_IntentionDecision(t *testing.T) {
|
||||||
expect: structs.IntentionDecisionSummary{
|
expect: structs.IntentionDecisionSummary{
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
|
HasExact: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -1186,6 +1198,17 @@ func TestStore_IntentionDecision(t *testing.T) {
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
|
HasExact: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "allowed by source wildcard not exact",
|
||||||
|
src: "anything",
|
||||||
|
dst: "mysql",
|
||||||
|
expect: structs.IntentionDecisionSummary{
|
||||||
|
Allowed: true,
|
||||||
|
HasPermissions: false,
|
||||||
|
HasExact: false,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
|
@ -645,11 +645,13 @@ type IntentionQueryCheckResponse struct {
|
||||||
// Currently contains:
|
// Currently contains:
|
||||||
// - Whether all actions are allowed
|
// - Whether all actions are allowed
|
||||||
// - Whether the matching intention has L7 permissions attached
|
// - Whether the matching intention has L7 permissions attached
|
||||||
// - Whether the intention is managed by an external source like k8s,
|
// - Whether the intention is managed by an external source like k8s
|
||||||
|
// - Whether there is an exact, on-wildcard, intention referencing the two services
|
||||||
type IntentionDecisionSummary struct {
|
type IntentionDecisionSummary struct {
|
||||||
Allowed bool
|
Allowed bool
|
||||||
HasPermissions bool
|
HasPermissions bool
|
||||||
ExternalSource string
|
ExternalSource string
|
||||||
|
HasExact bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// IntentionQueryExact holds the parameters for performing a lookup of an
|
// IntentionQueryExact holds the parameters for performing a lookup of an
|
||||||
|
|
|
@ -316,8 +316,8 @@ RPC:
|
||||||
downstreams, _ := summarizeServices(out.ServiceTopology.Downstreams.ToServiceDump(), nil, "")
|
downstreams, _ := summarizeServices(out.ServiceTopology.Downstreams.ToServiceDump(), nil, "")
|
||||||
|
|
||||||
var (
|
var (
|
||||||
upstreamResp []*ServiceTopologySummary
|
upstreamResp = make([]*ServiceTopologySummary, 0)
|
||||||
downstreamResp []*ServiceTopologySummary
|
downstreamResp = make([]*ServiceTopologySummary, 0)
|
||||||
)
|
)
|
||||||
|
|
||||||
// Sort and attach intention data for upstreams and downstreams
|
// Sort and attach intention data for upstreams and downstreams
|
||||||
|
|
|
@ -1369,9 +1369,11 @@ func TestUIServiceTopology(t *testing.T) {
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
|
HasExact: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
Downstreams: []*ServiceTopologySummary{},
|
||||||
FilteredByACLs: false,
|
FilteredByACLs: false,
|
||||||
}
|
}
|
||||||
result := obj.(ServiceTopology)
|
result := obj.(ServiceTopology)
|
||||||
|
@ -1410,6 +1412,7 @@ func TestUIServiceTopology(t *testing.T) {
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
|
HasExact: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1429,6 +1432,9 @@ func TestUIServiceTopology(t *testing.T) {
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
|
|
||||||
|
// From wildcard deny
|
||||||
|
HasExact: false,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1474,6 +1480,7 @@ func TestUIServiceTopology(t *testing.T) {
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
|
HasExact: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1491,6 +1498,9 @@ func TestUIServiceTopology(t *testing.T) {
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
|
|
||||||
|
// From wildcard deny
|
||||||
|
HasExact: false,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
@ -1521,7 +1531,8 @@ func TestUIServiceTopology(t *testing.T) {
|
||||||
require.NoError(r, checkIndex(resp))
|
require.NoError(r, checkIndex(resp))
|
||||||
|
|
||||||
expect := ServiceTopology{
|
expect := ServiceTopology{
|
||||||
Protocol: "http",
|
Protocol: "http",
|
||||||
|
Upstreams: []*ServiceTopologySummary{},
|
||||||
Downstreams: []*ServiceTopologySummary{
|
Downstreams: []*ServiceTopologySummary{
|
||||||
{
|
{
|
||||||
ServiceSummary: ServiceSummary{
|
ServiceSummary: ServiceSummary{
|
||||||
|
@ -1537,6 +1548,7 @@ func TestUIServiceTopology(t *testing.T) {
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
|
HasExact: true,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
|
Loading…
Reference in New Issue