
Fix V2 Wildcard RBAC Regular Expressions (#18941)

fix wildcard rbac regular expressions
pull/18948/head
Eric Haberkorn 1 year ago committed by GitHub
parent
commit
f87ae3636c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 19
      internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
  2. 6
      internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go

19
internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go

@ -11,7 +11,6 @@ import (
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1" pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1" pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
"github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate" "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate"
"github.com/hashicorp/consul/proto-public/pbresource"
) )
func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.ComputedTrafficPermissions) *Builder { func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.ComputedTrafficPermissions) *Builder {
@ -190,17 +189,17 @@ func sourceToSpiffe(trustDomain string, s pbauth.SourceToSpiffe) *pbproxystate.S
name = anyPath name = anyPath
} }
spiffeMatcher := connect.SpiffeIDFromIdentityRef(trustDomain, &pbresource.Reference{ spiffeURI := connect.SpiffeIDWorkloadIdentity{
Name: name, TrustDomain: trustDomain,
Tenancy: &pbresource.Tenancy{ Partition: ap,
Partition: ap, Namespace: ns,
Namespace: ns, WorkloadIdentity: name,
PeerName: s.GetPeer(), }.URI()
},
}) matcher := fmt.Sprintf(`^%s://%s%s$`, spiffeURI.Scheme, spiffeURI.Host, spiffeURI.Path)
return &pbproxystate.Spiffe{ return &pbproxystate.Spiffe{
Regex: fmt.Sprintf(`^%s$`, spiffeMatcher), Regex: matcher,
} }
} }
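Review bot: The trust domain, partition, namespace and identity are interpolated into the pattern at `matcher := fmt.Sprintf(...)` without escaping, so the `.` in a trust domain such as `test.consul` matches any character and a regex metacharacter in a partition or namespace name changes what the matcher accepts; only the `^`/`$` anchors bound it. The commit relies on `spiffeURI.Path` being the decoded path (that is what keeps `[^/]+` intact), so `regexp.QuoteMeta` applied to the literal components before they go into `SpiffeIDWorkloadIdentity` should presumably survive `URI()` the same way (worth confirming), with `name` left unquoted only on the wildcard branch where it was set to `anyPath`; `regexp` would need importing. The new struct also no longer receives `s.GetPeer()`, which the removed `pbresource.Tenancy` carried as `PeerName`; if `SpiffeIDFromIdentityRef` folded the peer into the ID, peered sources now produce a different matcher, which should be deliberate and covered by a test. `sourceToSpiffe` begins before this hunk.
```go
	// Only the wildcard identity is a pattern; every other component is a literal
	// and must not be interpreted by the regex engine.
	identity := regexp.QuoteMeta(name)
	if name == anyPath {
		identity = anyPath
	}
	spiffeURI := connect.SpiffeIDWorkloadIdentity{
		TrustDomain:      regexp.QuoteMeta(trustDomain),
		Partition:        regexp.QuoteMeta(ap),
		Namespace:        regexp.QuoteMeta(ns),
		WorkloadIdentity: identity,
	}.URI()

	matcher := fmt.Sprintf(`^%s://%s%s$`, spiffeURI.Scheme, spiffeURI.Host, spiffeURI.Path)
	// … unchanged: return &pbproxystate.Spiffe{Regex: matcher} …
```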

6
internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go

@ -243,7 +243,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
{ {
Principals: []*pbproxystate.Principal{ Principals: []*pbproxystate.Principal{
{ {
Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`}, Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/[^/]+$`},
ExcludeSpiffes: []*pbproxystate.Spiffe{ ExcludeSpiffes: []*pbproxystate.Spiffe{
{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"}, {Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"},
}, },
@ -273,7 +273,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
{ {
Principals: []*pbproxystate.Principal{ Principals: []*pbproxystate.Principal{
{ {
Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`}, Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/[^/]+$`},
ExcludeSpiffes: []*pbproxystate.Spiffe{ ExcludeSpiffes: []*pbproxystate.Spiffe{
{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"}, {Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"},
}, },
@ -288,7 +288,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/foo$"}, Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/foo$"},
}, },
{ {
Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`}, Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/[^/]+$`},
ExcludeSpiffes: []*pbproxystate.Spiffe{ ExcludeSpiffes: []*pbproxystate.Spiffe{
{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/bar$"}, {Regex: "^spiffe://test.consul/ap/default/ns/default/identity/bar$"},
}, },
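Review bot: The updated expectations only compare the generated regex as a string, so they prove the literal `[^/]+` is emitted but not that the matcher actually accepts a wildcard identity and rejects a nested path, which is the property the commit restores; the previous percent-encoded pattern would have passed a string check too had the fixture been written from the output. A small compile-and-match assertion on the wildcard case, e.g. `re := regexp.MustCompile(p.Spiffe.Regex)` followed by `require.True(t, re.MatchString("spiffe://test.consul/ap/default/ns/default/identity/foo"))` and `require.False(t, re.MatchString("spiffe://test.consul/ap/default/ns/default/identity/foo/bar"))`, would catch a regression in the generated pattern regardless of how it is escaped. `TestBuildL4TrafficPermissions` begins before this hunk.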
