github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Pass trust domain to RBAC to validate and fix use of wrong peer trust bundles (#13508)

pull/13516/head
Chris S. Kim 2 years ago committed by GitHub
parent
d870928197
commit
fb5eb20563
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
41 changed files with 135 additions and 126 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      agent/proxycfg/connect_proxy.go
  2. 4
      agent/proxycfg/manager_test.go
  3. 26
      agent/proxycfg/snapshot.go
  4. 14
      agent/proxycfg/state_test.go
  5. 8
      agent/xds/clusters.go
  6. 11
      agent/xds/listeners.go
  7. 42
      agent/xds/rbac.go
  8. 18
      agent/xds/rbac_test.go
  9. 4
      agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden
  10. 6
      agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden
  11. 6
      agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden
  12. 6
      agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden
  13. 12
      agent/xds/testdata/rbac/default-allow-kitchen-sink--httpfilter.golden
  14. 12
      agent/xds/testdata/rbac/default-allow-kitchen-sink.golden
  15. 2
      agent/xds/testdata/rbac/default-allow-one-deny--httpfilter.golden
  16. 2
      agent/xds/testdata/rbac/default-allow-one-deny.golden
  17. 2
      agent/xds/testdata/rbac/default-allow-path-allow.golden
  18. 2
      agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden
  19. 2
      agent/xds/testdata/rbac/default-allow-path-deny.golden
  20. 2
      agent/xds/testdata/rbac/default-allow-service-wildcard-deny--httpfilter.golden
  21. 2
      agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden
  22. 2
      agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden
  23. 2
      agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms.golden
  24. 2
      agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow--httpfilter.golden
  25. 2
      agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow.golden
  26. 4
      agent/xds/testdata/rbac/default-deny-allow-deny--httpfilter.golden
  27. 4
      agent/xds/testdata/rbac/default-deny-allow-deny.golden
  28. 2
      agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden
  29. 12
      agent/xds/testdata/rbac/default-deny-kitchen-sink--httpfilter.golden
  30. 12
      agent/xds/testdata/rbac/default-deny-kitchen-sink.golden
  31. 2
      agent/xds/testdata/rbac/default-deny-mixed-precedence--httpfilter.golden
  32. 2
      agent/xds/testdata/rbac/default-deny-mixed-precedence.golden
  33. 2
      agent/xds/testdata/rbac/default-deny-one-allow--httpfilter.golden
  34. 2
      agent/xds/testdata/rbac/default-deny-one-allow.golden
  35. 2
      agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden
  36. 2
      agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden
  37. 2
      agent/xds/testdata/rbac/default-deny-peered-kitchen-sink.golden
  38. 2
      agent/xds/testdata/rbac/default-deny-service-wildcard-allow--httpfilter.golden
  39. 2
      agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden
  40. 2
      agent/xds/testdata/rbac/default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden
  41. 2
      agent/xds/testdata/rbac/default-deny-two-path-deny-and-path-allow--httpfilter.golden

14
agent/proxycfg/connect_proxy.go
Unescape View File

@ -22,8 +22,8 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
snap.ConnectProxy.WatchedDiscoveryChains = make(map[UpstreamID]context.CancelFunc)
snap.ConnectProxy.WatchedUpstreams = make(map[UpstreamID]map[string]context.CancelFunc)
snap.ConnectProxy.WatchedUpstreamEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
snap.ConnectProxy.WatchedPeerTrustBundles = make(map[string]context.CancelFunc)
snap.ConnectProxy.PeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle)
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = make(map[string]context.CancelFunc)
snap.ConnectProxy.UpstreamPeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle)
snap.ConnectProxy.WatchedGateways = make(map[UpstreamID]map[string]context.CancelFunc)
snap.ConnectProxy.WatchedGatewayEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
snap.ConnectProxy.WatchedServiceChecks = make(map[structs.ServiceID][]structs.CheckType)
@ -212,7 +212,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
}
// Check whether a watch for this peer exists to avoid duplicates.
if _, ok := snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer]; !ok {
if _, ok := snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer]; !ok {
peerCtx, cancel := context.WithCancel(ctx)
if err := s.dataSources.TrustBundle.Notify(peerCtx, &pbpeering.TrustBundleReadRequest{
Name: uid.Peer,
@ -222,7 +222,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
return snap, fmt.Errorf("error while watching trust bundle for peer %q: %w", uid.Peer, err)
}
snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer] = cancel
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer] = cancel
}
continue
}
@ -270,7 +270,7 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
}
peer := strings.TrimPrefix(u.CorrelationID, peerTrustBundleIDPrefix)
if resp.Bundle != nil {
snap.ConnectProxy.PeerTrustBundles[peer] = resp.Bundle
snap.ConnectProxy.UpstreamPeerTrustBundles[peer] = resp.Bundle
}
case u.CorrelationID == peeringTrustBundlesWatchID:
@ -279,9 +279,9 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
return fmt.Errorf("invalid type for response: %T", u.Result)
}
if len(resp.Bundles) > 0 {
snap.ConnectProxy.PeeringTrustBundles = resp.Bundles
snap.ConnectProxy.InboundPeerTrustBundles = resp.Bundles
}
snap.ConnectProxy.PeeringTrustBundlesSet = true
snap.ConnectProxy.InboundPeerTrustBundlesSet = true
case u.CorrelationID == intentionsWatchID:
resp, ok := u.Result.(*structs.IndexedIntentionMatches)

4
agent/proxycfg/manager_test.go
Unescape View File

@ -238,7 +238,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
},
PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{},
PassthroughIndices: map[string]indexedTarget{},
PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{},
PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{},
},
@ -299,7 +299,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
},
PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{},
PassthroughIndices: map[string]indexedTarget{},
PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{},
PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{},
},

26
agent/proxycfg/snapshot.go
Unescape View File

@ -44,13 +44,13 @@ type ConfigSnapshotUpstreams struct {
// endpoints of an upstream.
WatchedUpstreamEndpoints map[UpstreamID]map[string]structs.CheckServiceNodes
// WatchedPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel
// WatchedUpstreamPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel
// watches for peer trust bundles any time the list of upstream peers changes.
WatchedPeerTrustBundles map[string]context.CancelFunc
WatchedUpstreamPeerTrustBundles map[string]context.CancelFunc
// PeerTrustBundles is a map of (PeerName -> PeeringTrustBundle).
// UpstreamPeerTrustBundles is a map of (PeerName -> PeeringTrustBundle).
// It is used to store trust bundles for upstream TLS transport sockets.
PeerTrustBundles map[string]*pbpeering.PeeringTrustBundle
UpstreamPeerTrustBundles map[string]*pbpeering.PeeringTrustBundle
// WatchedGateways is a map of UpstreamID -> (map of GatewayKey.String() ->
// CancelFunc) in order to cancel watches for mesh gateways
@ -128,8 +128,8 @@ func gatewayKeyFromString(s string) GatewayKey {
type configSnapshotConnectProxy struct {
ConfigSnapshotUpstreams
PeeringTrustBundlesSet bool
PeeringTrustBundles []*pbpeering.PeeringTrustBundle
InboundPeerTrustBundlesSet bool
InboundPeerTrustBundles []*pbpeering.PeeringTrustBundle
WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection
PreparedQueryEndpoints map[UpstreamID]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints
@ -152,8 +152,8 @@ func (c *configSnapshotConnectProxy) isEmpty() bool {
len(c.WatchedDiscoveryChains) == 0 &&
len(c.WatchedUpstreams) == 0 &&
len(c.WatchedUpstreamEndpoints) == 0 &&
len(c.WatchedPeerTrustBundles) == 0 &&
len(c.PeerTrustBundles) == 0 &&
len(c.WatchedUpstreamPeerTrustBundles) == 0 &&
len(c.UpstreamPeerTrustBundles) == 0 &&
len(c.WatchedGateways) == 0 &&
len(c.WatchedGatewayEndpoints) == 0 &&
len(c.WatchedServiceChecks) == 0 &&
@ -161,7 +161,7 @@ func (c *configSnapshotConnectProxy) isEmpty() bool {
len(c.UpstreamConfig) == 0 &&
len(c.PassthroughUpstreams) == 0 &&
len(c.IntentionUpstreams) == 0 &&
!c.PeeringTrustBundlesSet &&
!c.InboundPeerTrustBundlesSet &&
!c.MeshConfigSet &&
len(c.PeerUpstreamEndpoints) == 0 &&
len(c.PeerUpstreamEndpointsUseHostnames) == 0
@ -637,7 +637,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
snap.ConnectProxy.WatchedUpstreams = nil
snap.ConnectProxy.WatchedGateways = nil
snap.ConnectProxy.WatchedDiscoveryChains = nil
snap.ConnectProxy.WatchedPeerTrustBundles = nil
snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = nil
case structs.ServiceKindTerminatingGateway:
snap.TerminatingGateway.WatchedServices = nil
snap.TerminatingGateway.WatchedIntentions = nil
@ -652,7 +652,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
snap.IngressGateway.WatchedUpstreams = nil
snap.IngressGateway.WatchedGateways = nil
snap.IngressGateway.WatchedDiscoveryChains = nil
snap.IngressGateway.WatchedPeerTrustBundles = nil
snap.IngressGateway.WatchedUpstreamPeerTrustBundles = nil
// only ingress-gateway
snap.IngressGateway.LeafCertWatchCancel = nil
}
@ -676,7 +676,7 @@ func (s *ConfigSnapshot) Leaf() *structs.IssuedCert {
func (s *ConfigSnapshot) PeeringTrustBundles() []*pbpeering.PeeringTrustBundle {
switch s.Kind {
case structs.ServiceKindConnectProxy:
return s.ConnectProxy.PeeringTrustBundles
return s.ConnectProxy.InboundPeerTrustBundles
case structs.ServiceKindMeshGateway:
return s.MeshGateway.PeeringTrustBundles
default:
@ -755,7 +755,7 @@ func (u *ConfigSnapshotUpstreams) PeeredUpstreamIDs() []UpstreamID {
continue
}
if _, ok := u.PeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok {
if _, ok := u.UpstreamPeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok {
// The trust bundle for this upstream is not available yet, skip for now.
continue
}

14
agent/proxycfg/state_test.go
Unescape View File

@ -2572,15 +2572,15 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Len(t, snap.ConnectProxy.WatchedGateways, 0, "%+v", snap.ConnectProxy.WatchedGateways)
require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 0, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints)
require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerTrustBundles, 0, "%+v", snap.ConnectProxy.PeerTrustBundles)
require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.UpstreamPeerTrustBundles, 0, "%+v", snap.ConnectProxy.UpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 0, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints)
require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
require.Len(t, snap.ConnectProxy.PeeringTrustBundles, 0, "%+v", snap.ConnectProxy.PeeringTrustBundles)
require.False(t, snap.ConnectProxy.PeeringTrustBundlesSet)
require.Len(t, snap.ConnectProxy.InboundPeerTrustBundles, 0, "%+v", snap.ConnectProxy.InboundPeerTrustBundles)
require.False(t, snap.ConnectProxy.InboundPeerTrustBundlesSet)
},
},
{
@ -2655,7 +2655,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Equal(t, indexedRoots, snap.Roots)
require.Equal(t, issuedCert, snap.ConnectProxy.Leaf)
prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.PeeringTrustBundles)
prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.InboundPeerTrustBundles)
require.Len(t, snap.ConnectProxy.DiscoveryChain, 1, "%+v", snap.ConnectProxy.DiscoveryChain)
require.Len(t, snap.ConnectProxy.WatchedUpstreams, 1, "%+v", snap.ConnectProxy.WatchedUpstreams)
@ -2663,8 +2663,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Len(t, snap.ConnectProxy.WatchedGateways, 1, "%+v", snap.ConnectProxy.WatchedGateways)
require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 1, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints)
require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.PeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedPeerTrustBundles)
require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.UpstreamPeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 1, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints)
require.NotNil(t, snap.ConnectProxy.PeerUpstreamEndpoints[extApiUID])

8
agent/xds/clusters.go
Unescape View File

@ -465,9 +465,9 @@ func (s *ResourceGenerator) makeDestinationClusters(cfgSnap *proxycfg.ConfigSnap
cluster := s.makeDynamicForwardProxyCluster(cfgSnap, opts)
// TODO (dans): might be relevant later for TLS addons like CA validation
//if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil {
// if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil {
// return nil, err
//}
// }
clusters = append(clusters, cluster)
}
return clusters, nil
@ -695,7 +695,7 @@ func (s *ResourceGenerator) makeUpstreamClusterForPeerService(
rootPEMs := cfgSnap.RootPEMs()
if uid.Peer != "" {
rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
}
// Enable TLS upstream with the configured client certificate.
@ -999,7 +999,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
rootPEMs := cfgSnap.RootPEMs()
if uid.Peer != "" {
rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
}
commonTLSContext := makeCommonTLSContext(
cfgSnap.Leaf(),

11
agent/xds/listeners.go
Unescape View File

@ -697,7 +697,8 @@ func (s *ResourceGenerator) injectConnectFilters(cfgSnap *proxycfg.ConfigSnapsho
authzFilter, err := makeRBACNetworkFilter(
cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles,
cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
)
if err != nil {
return err
@ -952,7 +953,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
httpAuthzFilter, err := makeRBACHTTPFilter(
cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles,
cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
)
if err != nil {
return nil, err
@ -1009,7 +1011,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
filterOpts.httpAuthzFilter, err = makeRBACHTTPFilter(
cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles,
cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
)
if err != nil {
return nil, err
@ -1307,6 +1310,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
authFilter, err := makeRBACNetworkFilter(
intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.Roots.TrustDomain,
nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway
)
if err != nil {
@ -1344,6 +1348,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
opts.httpAuthzFilter, err = makeRBACHTTPFilter(
intentions,
cfgSnap.IntentionDefaultAllow,
cfgSnap.Roots.TrustDomain,
nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway
)
if err != nil {

42
agent/xds/rbac.go
Unescape View File

@ -21,9 +21,10 @@ import (
func makeRBACNetworkFilter(
intentions structs.Intentions,
intentionDefaultAllow bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
trustDomain string,
peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_listener_v3.Filter, error) {
rules, err := makeRBACRules(intentions, intentionDefaultAllow, false, peerTrustBundles)
rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, false, peerTrustBundles)
if err != nil {
return nil, err
}
@ -38,9 +39,10 @@ func makeRBACNetworkFilter(
func makeRBACHTTPFilter(
intentions structs.Intentions,
intentionDefaultAllow bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
trustDomain string,
peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_http_v3.HttpFilter, error) {
rules, err := makeRBACRules(intentions, intentionDefaultAllow, true, peerTrustBundles)
rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, true, peerTrustBundles)
if err != nil {
return nil, err
}
@ -53,6 +55,7 @@ func makeRBACHTTPFilter(
func intentionListToIntermediateRBACForm(
intentions structs.Intentions,
trustDomain string,
isHTTP bool,
trustBundlesByPeer map[string]*pbpeering.PeeringTrustBundle,
) []*rbacIntention {
@ -72,7 +75,7 @@ func intentionListToIntermediateRBACForm(
continue
}
rixn := intentionToIntermediateRBACForm(ixn, isHTTP, trustBundle)
rixn := intentionToIntermediateRBACForm(ixn, trustDomain, isHTTP, trustBundle)
rbacIxns = append(rbacIxns, rixn)
}
return rbacIxns
@ -210,11 +213,12 @@ func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction
return out
}
func intentionToIntermediateRBACForm(ixn *structs.Intention, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention {
func intentionToIntermediateRBACForm(ixn *structs.Intention, trustDomain string, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention {
rixn := &rbacIntention{
Source: rbacService{
ServiceName: ixn.SourceServiceName(),
Peer: ixn.SourcePeer,
TrustDomain: trustDomain,
},
Precedence: ixn.Precedence,
}
@ -426,25 +430,21 @@ func simplifyNotSourceSlice(notSources []rbacService) []rbacService {
func makeRBACRules(
intentions structs.Intentions,
intentionDefaultAllow bool,
trustDomain string,
isHTTP bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle,
peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_rbac_v3.RBAC, error) {
// Note that we DON'T explicitly validate the trust-domain matches ours.
//
// For now we don't validate the trust domain of the _destination_ at all.
// The RBAC policies below ignore the trust domain and it's implicit that
// the request is for the correct cluster. We might want to reconsider this
// later but plumbing in additional machinery to check the clusterID here
// is not really necessary for now unless the Envoys are badly configured.
// Our threat model _requires_ correctly configured and well behaved
// proxies given that they have ACLs to fetch certs and so can do whatever
// they want including not authorizing traffic at all or routing it do a
// different service than they auth'd against.
// TODO(banks,rb): Implement revocation list checking?
// TODO(peering): mkeeler asked that these maps come from proxycfg instead of
// being constructed in xds to save memory allocation and gc pressure. Low priority.
trustBundlesByPeer := make(map[string]*pbpeering.PeeringTrustBundle, len(peerTrustBundles))
for _, ptb := range peerTrustBundles {
trustBundlesByPeer[ptb.PeerName] = ptb
}
// First build up just the basic principal matches.
rbacIxns := intentionListToIntermediateRBACForm(intentions, isHTTP, peerTrustBundles)
rbacIxns := intentionListToIntermediateRBACForm(intentions, trustDomain, isHTTP, trustBundlesByPeer)
// Normalize: if we are in default-deny then all intentions must be allows and vice versa
intentionDefaultAction := intentionActionFromBool(intentionDefaultAllow)
@ -641,7 +641,7 @@ const anyPath = `[^/]+`
func makeSpiffePattern(src rbacService) string {
var (
host = anyPath // TODO(peering): We match trust domain on any value but should be defaulting to the local trust domain
host = src.TrustDomain
ap = src.PartitionOrDefault()
ns = src.NamespaceOrDefault()
svc = src.Name

18
agent/xds/rbac_test.go
Unescape View File

@ -58,10 +58,13 @@ func TestRemoveIntentionPrecedence(t *testing.T) {
ExportedPartition: "part1",
},
}
testTrustDomain := "test.consul"
var (
nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil)}
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil)}
nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil),
TrustDomain: testTrustDomain}
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil),
TrustDomain: testTrustDomain}
nameWildPeered = rbacService{ServiceName: structs.NewServiceName("*", nil),
Peer: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1"}
nameWebPeered = rbacService{ServiceName: structs.NewServiceName("web", nil),
@ -439,7 +442,7 @@ func TestRemoveIntentionPrecedence(t *testing.T) {
for name, tt := range tests {
t.Run(name, func(t *testing.T) {
rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, tt.http, testPeerTrustBundle)
rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, testTrustDomain, tt.http, testPeerTrustBundle)
intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow)
rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction)
@ -472,13 +475,14 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
ixn.Permissions = perms
return ixn
}
testPeerTrustBundle := map[string]*pbpeering.PeeringTrustBundle{
"peer1": {
testPeerTrustBundle := []*pbpeering.PeeringTrustBundle{
{
PeerName: "peer1",
TrustDomain: "peer1.domain",
ExportedPartition: "part1",
},
}
testTrustDomain := "test.consul"
sorted := func(ixns ...*structs.Intention) structs.Intentions {
sort.SliceStable(ixns, func(i, j int) bool {
return ixns[j].Precedence < ixns[i].Precedence
@ -797,7 +801,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
tt := tt
t.Run(name, func(t *testing.T) {
t.Run("network filter", func(t *testing.T) {
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle)
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle)
require.NoError(t, err)
t.Run("current", func(t *testing.T) {
@ -807,7 +811,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
})
})
t.Run("http filter", func(t *testing.T) {
filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle)
filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle)
require.NoError(t, err)
t.Run("current", func(t *testing.T) {

4
agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden vendored
Unescape View File

@ -22,7 +22,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -35,7 +35,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

6
agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -34,7 +34,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -47,7 +47,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

6
agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden vendored
Unescape View File

@ -22,7 +22,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -35,7 +35,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -64,7 +64,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

6
agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -34,7 +34,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -47,7 +47,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

12
agent/xds/testdata/rbac/default-allow-kitchen-sink--httpfilter.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}
@ -31,7 +31,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -46,7 +46,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -59,7 +59,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -73,7 +73,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
}
@ -87,7 +87,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}

12
agent/xds/testdata/rbac/default-allow-kitchen-sink.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}
@ -31,7 +31,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -46,7 +46,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -59,7 +59,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -73,7 +73,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
}
@ -87,7 +87,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-one-deny--httpfilter.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-one-deny.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-path-allow.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden vendored
Unescape View File

@ -23,7 +23,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-path-deny.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-service-wildcard-deny--httpfilter.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-service-wildcard-deny.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms--httpfilter.golden vendored
Unescape View File

@ -227,7 +227,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-single-intention-with-kitchen-sink-perms.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow--httpfilter.golden vendored
Unescape View File

@ -45,7 +45,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-allow-two-path-deny-and-path-allow.golden vendored
Unescape View File

@ -19,7 +19,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

4
agent/xds/testdata/rbac/default-deny-allow-deny--httpfilter.golden vendored
Unescape View File

@ -21,7 +21,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -34,7 +34,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

4
agent/xds/testdata/rbac/default-deny-allow-deny.golden vendored
Unescape View File

@ -21,7 +21,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -34,7 +34,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden vendored
Unescape View File

@ -22,7 +22,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

12
agent/xds/testdata/rbac/default-deny-kitchen-sink--httpfilter.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}
@ -30,7 +30,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -45,7 +45,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -58,7 +58,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -72,7 +72,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
}
@ -86,7 +86,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}

12
agent/xds/testdata/rbac/default-deny-kitchen-sink.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}
@ -30,7 +30,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -45,7 +45,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}
@ -58,7 +58,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
@ -72,7 +72,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
}
}
}
@ -86,7 +86,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-mixed-precedence--httpfilter.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-mixed-precedence.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-one-allow--httpfilter.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-one-allow.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden vendored
Unescape View File

@ -22,7 +22,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-peered-kitchen-sink--httpfilter.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-peered-kitchen-sink.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-service-wildcard-allow--httpfilter.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-service-wildcard-allow.golden vendored
Unescape View File

@ -18,7 +18,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-single-intention-with-kitchen-sink-perms--httpfilter.golden vendored
Unescape View File

@ -226,7 +226,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

2
agent/xds/testdata/rbac/default-deny-two-path-deny-and-path-allow--httpfilter.golden vendored
Unescape View File

@ -46,7 +46,7 @@
"googleRe2": {
},
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}

Write Preview
Loading…
Cancel
Save