Fix V2 Wildcard RBAC Regular Expressions (#18941)

fix wildcard rbac regular expressions
2023-09-21 13:53:49 -04:00 · 2023-09-21 13:53:49 -04:00 · f87ae3636c
parent bc142cd152
commit f87ae3636c
2 changed files with 12 additions and 13 deletions
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
@ -11,7 +11,6 @@ import (
 	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
 	pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
 	"github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate"
-	"github.com/hashicorp/consul/proto-public/pbresource"
 )

 func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.ComputedTrafficPermissions) *Builder {
@ -190,17 +189,17 @@ func sourceToSpiffe(trustDomain string, s pbauth.SourceToSpiffe) *pbproxystate.S
 		name = anyPath
 	}

-	spiffeMatcher := connect.SpiffeIDFromIdentityRef(trustDomain, &pbresource.Reference{
-		Name: name,
-		Tenancy: &pbresource.Tenancy{
-			Partition: ap,
-			Namespace: ns,
-			PeerName:  s.GetPeer(),
-		},
-	})
+	spiffeURI := connect.SpiffeIDWorkloadIdentity{
+		TrustDomain:      trustDomain,
+		Partition:        ap,
+		Namespace:        ns,
+		WorkloadIdentity: name,
+	}.URI()
+
+	matcher := fmt.Sprintf(`^%s://%s%s$`, spiffeURI.Scheme, spiffeURI.Host, spiffeURI.Path)

 	return &pbproxystate.Spiffe{
-		Regex: fmt.Sprintf(`^%s$`, spiffeMatcher),
+		Regex: matcher,
 	}
 }

--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go
@ -243,7 +243,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
 						{
 							Principals: []*pbproxystate.Principal{
 								{
-									Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`},
+									Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/[^/]+$`},
 									ExcludeSpiffes: []*pbproxystate.Spiffe{
 										{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"},
 									},
@ -273,7 +273,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
 						{
 							Principals: []*pbproxystate.Principal{
 								{
-									Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`},
+									Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/[^/]+$`},
 									ExcludeSpiffes: []*pbproxystate.Spiffe{
 										{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"},
 									},
@ -288,7 +288,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
 									Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/foo$"},
 								},
 								{
-									Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`},
+									Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/[^/]+$`},
 									ExcludeSpiffes: []*pbproxystate.Spiffe{
 										{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/bar$"},
 									},