NET-6251 API gateway templated policy (#19728)

pull/19730/head
Ronald 2023-11-24 12:55:05 -05:00 committed by GitHub
parent 78f918a103
commit c1dbf00a85
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 75 additions and 7 deletions

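--- a/.changelog/19728.txt
+++ b/.changelog/19728.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: add api-gateway templated policy
+```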


@ -1407,7 +1407,7 @@ func TestACL_HTTP(t *testing.T) {
var list map[string]api.ACLTemplatedPolicyResponse var list map[string]api.ACLTemplatedPolicyResponse
require.NoError(t, json.NewDecoder(resp.Body).Decode(&list)) require.NoError(t, json.NewDecoder(resp.Body).Decode(&list))
require.Len(t, list, 5) require.Len(t, list, 6)
require.Equal(t, api.ACLTemplatedPolicyResponse{ require.Equal(t, api.ACLTemplatedPolicyResponse{
TemplateName: api.ACLTemplatedPolicyServiceName, TemplateName: api.ACLTemplatedPolicyServiceName,


@ -29,6 +29,9 @@ var ACLTemplatedPolicyServiceSchema string
//go:embed acltemplatedpolicy/schemas/workload-identity.json //go:embed acltemplatedpolicy/schemas/workload-identity.json
var ACLTemplatedPolicyWorkloadIdentitySchema string var ACLTemplatedPolicyWorkloadIdentitySchema string
//go:embed acltemplatedpolicy/schemas/api-gateway.json
var ACLTemplatedPolicyAPIGatewaySchema string
type ACLTemplatedPolicies []*ACLTemplatedPolicy type ACLTemplatedPolicies []*ACLTemplatedPolicy
const ( const (
@ -37,6 +40,7 @@ const (
ACLTemplatedPolicyDNSID = "00000000-0000-0000-0000-000000000005" ACLTemplatedPolicyDNSID = "00000000-0000-0000-0000-000000000005"
ACLTemplatedPolicyNomadServerID = "00000000-0000-0000-0000-000000000006" ACLTemplatedPolicyNomadServerID = "00000000-0000-0000-0000-000000000006"
ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007" ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007"
ACLTemplatedPolicyAPIGatewayID = "00000000-0000-0000-0000-000000000008"
ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema
) )
@ -84,6 +88,12 @@ var (
Schema: ACLTemplatedPolicyWorkloadIdentitySchema, Schema: ACLTemplatedPolicyWorkloadIdentitySchema,
Template: ACLTemplatedPolicyWorkloadIdentity, Template: ACLTemplatedPolicyWorkloadIdentity,
}, },
api.ACLTemplatedPolicyAPIGatewayName: {
TemplateID: ACLTemplatedPolicyAPIGatewayID,
TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
Schema: ACLTemplatedPolicyAPIGatewaySchema,
Template: ACLTemplatedPolicyAPIGateway,
},
} }
) )


@ -22,6 +22,9 @@ var ACLTemplatedPolicyNomadServer string
//go:embed acltemplatedpolicy/policies/ce/workload-identity.hcl //go:embed acltemplatedpolicy/policies/ce/workload-identity.hcl
var ACLTemplatedPolicyWorkloadIdentity string var ACLTemplatedPolicyWorkloadIdentity string
//go:embed acltemplatedpolicy/policies/ce/api-gateway.hcl
var ACLTemplatedPolicyAPIGateway string
func (t *ACLToken) TemplatedPolicyList() []*ACLTemplatedPolicy { func (t *ACLToken) TemplatedPolicyList() []*ACLTemplatedPolicy {
if len(t.TemplatedPolicies) == 0 { if len(t.TemplatedPolicies) == 0 {
return nil return nil


@ -95,6 +95,28 @@ query_prefix "" {
Description: "synthetic policy generated from templated policy: builtin/workload-identity", Description: "synthetic policy generated from templated policy: builtin/workload-identity",
Rules: `identity "api" { Rules: `identity "api" {
policy = "write" policy = "write"
}`,
},
},
"api-gateway-template": {
templatedPolicy: &ACLTemplatedPolicy{
TemplateID: ACLTemplatedPolicyAPIGatewayID,
TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
TemplateVariables: &ACLTemplatedPolicyVariables{
Name: "api-gateway",
},
},
expectedPolicy: &ACLPolicy{
Description: "synthetic policy generated from templated policy: builtin/api-gateway",
Rules: `mesh = "read"
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
service "api-gateway" {
policy = "write"
}`, }`,
}, },
}, },


@ -0,0 +1,10 @@
mesh = "read"
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
service "{{.Name}}" {
policy = "write"
}
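Review bot: `{{.Name}}` on the `service` line is substituted into a quoted HCL label, and the accompanying api-gateway.json schema only requires a non-empty string, so a name containing a double quote or a newline would change the structure of the rendered policy unless the renderer validates or quotes the value; the renderer is not on this page, so please confirm it does, or add a `pattern` to the schema restricting `name` to the characters a service name may contain. The same question applies to the existing service and node templates if they substitute the name the same way. The `node_prefix ""` and `service_prefix ""` read grants are also undocumented; a doc comment on `ACLTemplatedPolicyAPIGateway` in the Go file that embeds this template, e.g. `// ACLTemplatedPolicyAPIGateway grants write on the gateway's own service and read on mesh, all nodes and all services (presumably so the gateway can resolve the services it routes to — confirm).`, would record that the broad reads are intentional.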


@ -0,0 +1,13 @@
{
"type": "object",
"properties": {
"name": { "type": "string", "$ref": "#/definitions/min-length-one" }
},
"required": ["name"],
"definitions": {
"min-length-one": {
"type": "string",
"minLength": 1
}
}
}
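Review bot: The schema sets no `additionalProperties: false`, so a misspelled variable key is accepted silently and only a missing `name` is rejected; if the other templated-policy schemas in this directory already allow extra keys, staying consistent is fine, but it should be a conscious choice. Also, `"type": "string"` beside `"$ref"` on the `name` property is redundant with the referenced `min-length-one` definition, and in JSON Schema drafts before 2019-09 sibling keywords of `$ref` are ignored anyway, so `"name": { "$ref": "#/definitions/min-length-one" }` is enough.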


@ -26,6 +26,7 @@ const (
ACLTemplatedPolicyDNSName = "builtin/dns" ACLTemplatedPolicyDNSName = "builtin/dns"
ACLTemplatedPolicyNomadServerName = "builtin/nomad-server" ACLTemplatedPolicyNomadServerName = "builtin/nomad-server"
ACLTemplatedPolicyWorkloadIdentityName = "builtin/workload-identity" ACLTemplatedPolicyWorkloadIdentityName = "builtin/workload-identity"
ACLTemplatedPolicyAPIGatewayName = "builtin/api-gateway"
) )
type ACLLink struct { type ACLLink struct {


@ -69,13 +69,13 @@ func (f *prettyFormatter) FormatTemplatedPolicy(templatedPolicy api.ACLTemplated
buffer.WriteString("Input variables:") buffer.WriteString("Input variables:")
switch templatedPolicy.TemplateName { switch templatedPolicy.TemplateName {
case api.ACLTemplatedPolicyServiceName: case api.ACLTemplatedPolicyServiceName:
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - The name of the service.\n", WhitespaceIndent)) nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The name of the service", "api")
buffer.WriteString("Example usage:\n")
buffer.WriteString(WhitespaceIndent + "consul acl token create -templated-policy builtin/service -var name:api\n")
case api.ACLTemplatedPolicyNodeName: case api.ACLTemplatedPolicyNodeName:
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - The node name.\n", WhitespaceIndent)) nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The node name", "node-1")
buffer.WriteString("Example usage:\n") case api.ACLTemplatedPolicyWorkloadIdentityName:
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy builtin/node -var name:node-1\n", WhitespaceIndent)) nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The workload name", "api")
case api.ACLTemplatedPolicyAPIGatewayName:
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The api gateway service name", "api-gateway")
case api.ACLTemplatedPolicyDNSName, api.ACLTemplatedPolicyNomadServerName: case api.ACLTemplatedPolicyDNSName, api.ACLTemplatedPolicyNomadServerName:
noRequiredVariablesOutput(&buffer, templatedPolicy.TemplateName) noRequiredVariablesOutput(&buffer, templatedPolicy.TemplateName)
default: default:
@ -98,6 +98,12 @@ func noRequiredVariablesOutput(buffer *bytes.Buffer, templateName string) {
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy %s\n", WhitespaceIndent, templateName)) buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy %s\n", WhitespaceIndent, templateName))
} }
func nameRequiredVariableOutput(buffer *bytes.Buffer, templateName, description, exampleName string) {
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - %s.\n", WhitespaceIndent, description))
buffer.WriteString("Example usage:\n")
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy %s -var name:%s\n", WhitespaceIndent, templateName, exampleName))
}
func (f *prettyFormatter) FormatTemplatedPolicyList(policies map[string]api.ACLTemplatedPolicyResponse) (string, error) { func (f *prettyFormatter) FormatTemplatedPolicyList(policies map[string]api.ACLTemplatedPolicyResponse) (string, error) {
var buffer bytes.Buffer var buffer bytes.Buffer