Pass trust domain to RBAC to validate and fix use of wrong peer trust bundles (#13508)

pull/13516/head
Chris S. Kim 2022-06-20 22:47:14 -04:00 committed by GitHub
parent d870928197
commit fb5eb20563
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
41 changed files with 135 additions and 126 deletions


@ -22,8 +22,8 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
snap.ConnectProxy.WatchedDiscoveryChains = make(map[UpstreamID]context.CancelFunc) snap.ConnectProxy.WatchedDiscoveryChains = make(map[UpstreamID]context.CancelFunc)
snap.ConnectProxy.WatchedUpstreams = make(map[UpstreamID]map[string]context.CancelFunc) snap.ConnectProxy.WatchedUpstreams = make(map[UpstreamID]map[string]context.CancelFunc)
snap.ConnectProxy.WatchedUpstreamEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes) snap.ConnectProxy.WatchedUpstreamEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
snap.ConnectProxy.WatchedPeerTrustBundles = make(map[string]context.CancelFunc) snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = make(map[string]context.CancelFunc)
snap.ConnectProxy.PeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle) snap.ConnectProxy.UpstreamPeerTrustBundles = make(map[string]*pbpeering.PeeringTrustBundle)
snap.ConnectProxy.WatchedGateways = make(map[UpstreamID]map[string]context.CancelFunc) snap.ConnectProxy.WatchedGateways = make(map[UpstreamID]map[string]context.CancelFunc)
snap.ConnectProxy.WatchedGatewayEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes) snap.ConnectProxy.WatchedGatewayEndpoints = make(map[UpstreamID]map[string]structs.CheckServiceNodes)
snap.ConnectProxy.WatchedServiceChecks = make(map[structs.ServiceID][]structs.CheckType) snap.ConnectProxy.WatchedServiceChecks = make(map[structs.ServiceID][]structs.CheckType)
@ -212,7 +212,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
} }
// Check whether a watch for this peer exists to avoid duplicates. // Check whether a watch for this peer exists to avoid duplicates.
if _, ok := snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer]; !ok { if _, ok := snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer]; !ok {
peerCtx, cancel := context.WithCancel(ctx) peerCtx, cancel := context.WithCancel(ctx)
if err := s.dataSources.TrustBundle.Notify(peerCtx, &pbpeering.TrustBundleReadRequest{ if err := s.dataSources.TrustBundle.Notify(peerCtx, &pbpeering.TrustBundleReadRequest{
Name: uid.Peer, Name: uid.Peer,
@ -222,7 +222,7 @@ func (s *handlerConnectProxy) initialize(ctx context.Context) (ConfigSnapshot, e
return snap, fmt.Errorf("error while watching trust bundle for peer %q: %w", uid.Peer, err) return snap, fmt.Errorf("error while watching trust bundle for peer %q: %w", uid.Peer, err)
} }
snap.ConnectProxy.WatchedPeerTrustBundles[uid.Peer] = cancel snap.ConnectProxy.WatchedUpstreamPeerTrustBundles[uid.Peer] = cancel
} }
continue continue
} }
@ -270,7 +270,7 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
} }
peer := strings.TrimPrefix(u.CorrelationID, peerTrustBundleIDPrefix) peer := strings.TrimPrefix(u.CorrelationID, peerTrustBundleIDPrefix)
if resp.Bundle != nil { if resp.Bundle != nil {
snap.ConnectProxy.PeerTrustBundles[peer] = resp.Bundle snap.ConnectProxy.UpstreamPeerTrustBundles[peer] = resp.Bundle
} }
case u.CorrelationID == peeringTrustBundlesWatchID: case u.CorrelationID == peeringTrustBundlesWatchID:
@ -279,9 +279,9 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
return fmt.Errorf("invalid type for response: %T", u.Result) return fmt.Errorf("invalid type for response: %T", u.Result)
} }
if len(resp.Bundles) > 0 { if len(resp.Bundles) > 0 {
snap.ConnectProxy.PeeringTrustBundles = resp.Bundles snap.ConnectProxy.InboundPeerTrustBundles = resp.Bundles
} }
snap.ConnectProxy.PeeringTrustBundlesSet = true snap.ConnectProxy.InboundPeerTrustBundlesSet = true
case u.CorrelationID == intentionsWatchID: case u.CorrelationID == intentionsWatchID:
resp, ok := u.Result.(*structs.IndexedIntentionMatches) resp, ok := u.Result.(*structs.IndexedIntentionMatches)


@ -238,7 +238,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
}, },
PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{}, PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{},
PassthroughIndices: map[string]indexedTarget{}, PassthroughIndices: map[string]indexedTarget{},
PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{}, UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{}, PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{},
PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{}, PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{},
}, },
@ -299,7 +299,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
}, },
PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{}, PassthroughUpstreams: map[UpstreamID]map[string]map[string]struct{}{},
PassthroughIndices: map[string]indexedTarget{}, PassthroughIndices: map[string]indexedTarget{},
PeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{}, UpstreamPeerTrustBundles: map[string]*pbpeering.PeeringTrustBundle{},
PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{}, PeerUpstreamEndpoints: map[UpstreamID]structs.CheckServiceNodes{},
PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{}, PeerUpstreamEndpointsUseHostnames: map[UpstreamID]struct{}{},
}, },


@ -44,13 +44,13 @@ type ConfigSnapshotUpstreams struct {
// endpoints of an upstream. // endpoints of an upstream.
WatchedUpstreamEndpoints map[UpstreamID]map[string]structs.CheckServiceNodes WatchedUpstreamEndpoints map[UpstreamID]map[string]structs.CheckServiceNodes
// WatchedPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel // WatchedUpstreamPeerTrustBundles is a map of (PeerName -> CancelFunc) in order to cancel
// watches for peer trust bundles any time the list of upstream peers changes. // watches for peer trust bundles any time the list of upstream peers changes.
WatchedPeerTrustBundles map[string]context.CancelFunc WatchedUpstreamPeerTrustBundles map[string]context.CancelFunc
// PeerTrustBundles is a map of (PeerName -> PeeringTrustBundle). // UpstreamPeerTrustBundles is a map of (PeerName -> PeeringTrustBundle).
// It is used to store trust bundles for upstream TLS transport sockets. // It is used to store trust bundles for upstream TLS transport sockets.
PeerTrustBundles map[string]*pbpeering.PeeringTrustBundle UpstreamPeerTrustBundles map[string]*pbpeering.PeeringTrustBundle
// WatchedGateways is a map of UpstreamID -> (map of GatewayKey.String() -> // WatchedGateways is a map of UpstreamID -> (map of GatewayKey.String() ->
// CancelFunc) in order to cancel watches for mesh gateways // CancelFunc) in order to cancel watches for mesh gateways
@ -128,8 +128,8 @@ func gatewayKeyFromString(s string) GatewayKey {
type configSnapshotConnectProxy struct { type configSnapshotConnectProxy struct {
ConfigSnapshotUpstreams ConfigSnapshotUpstreams
PeeringTrustBundlesSet bool InboundPeerTrustBundlesSet bool
PeeringTrustBundles []*pbpeering.PeeringTrustBundle InboundPeerTrustBundles []*pbpeering.PeeringTrustBundle
WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection WatchedServiceChecks map[structs.ServiceID][]structs.CheckType // TODO: missing garbage collection
PreparedQueryEndpoints map[UpstreamID]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints PreparedQueryEndpoints map[UpstreamID]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints
@ -152,8 +152,8 @@ func (c *configSnapshotConnectProxy) isEmpty() bool {
len(c.WatchedDiscoveryChains) == 0 && len(c.WatchedDiscoveryChains) == 0 &&
len(c.WatchedUpstreams) == 0 && len(c.WatchedUpstreams) == 0 &&
len(c.WatchedUpstreamEndpoints) == 0 && len(c.WatchedUpstreamEndpoints) == 0 &&
len(c.WatchedPeerTrustBundles) == 0 && len(c.WatchedUpstreamPeerTrustBundles) == 0 &&
len(c.PeerTrustBundles) == 0 && len(c.UpstreamPeerTrustBundles) == 0 &&
len(c.WatchedGateways) == 0 && len(c.WatchedGateways) == 0 &&
len(c.WatchedGatewayEndpoints) == 0 && len(c.WatchedGatewayEndpoints) == 0 &&
len(c.WatchedServiceChecks) == 0 && len(c.WatchedServiceChecks) == 0 &&
@ -161,7 +161,7 @@ func (c *configSnapshotConnectProxy) isEmpty() bool {
len(c.UpstreamConfig) == 0 && len(c.UpstreamConfig) == 0 &&
len(c.PassthroughUpstreams) == 0 && len(c.PassthroughUpstreams) == 0 &&
len(c.IntentionUpstreams) == 0 && len(c.IntentionUpstreams) == 0 &&
!c.PeeringTrustBundlesSet && !c.InboundPeerTrustBundlesSet &&
!c.MeshConfigSet && !c.MeshConfigSet &&
len(c.PeerUpstreamEndpoints) == 0 && len(c.PeerUpstreamEndpoints) == 0 &&
len(c.PeerUpstreamEndpointsUseHostnames) == 0 len(c.PeerUpstreamEndpointsUseHostnames) == 0
@ -637,7 +637,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
snap.ConnectProxy.WatchedUpstreams = nil snap.ConnectProxy.WatchedUpstreams = nil
snap.ConnectProxy.WatchedGateways = nil snap.ConnectProxy.WatchedGateways = nil
snap.ConnectProxy.WatchedDiscoveryChains = nil snap.ConnectProxy.WatchedDiscoveryChains = nil
snap.ConnectProxy.WatchedPeerTrustBundles = nil snap.ConnectProxy.WatchedUpstreamPeerTrustBundles = nil
case structs.ServiceKindTerminatingGateway: case structs.ServiceKindTerminatingGateway:
snap.TerminatingGateway.WatchedServices = nil snap.TerminatingGateway.WatchedServices = nil
snap.TerminatingGateway.WatchedIntentions = nil snap.TerminatingGateway.WatchedIntentions = nil
@ -652,7 +652,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
snap.IngressGateway.WatchedUpstreams = nil snap.IngressGateway.WatchedUpstreams = nil
snap.IngressGateway.WatchedGateways = nil snap.IngressGateway.WatchedGateways = nil
snap.IngressGateway.WatchedDiscoveryChains = nil snap.IngressGateway.WatchedDiscoveryChains = nil
snap.IngressGateway.WatchedPeerTrustBundles = nil snap.IngressGateway.WatchedUpstreamPeerTrustBundles = nil
// only ingress-gateway // only ingress-gateway
snap.IngressGateway.LeafCertWatchCancel = nil snap.IngressGateway.LeafCertWatchCancel = nil
} }
@ -676,7 +676,7 @@ func (s *ConfigSnapshot) Leaf() *structs.IssuedCert {
func (s *ConfigSnapshot) PeeringTrustBundles() []*pbpeering.PeeringTrustBundle { func (s *ConfigSnapshot) PeeringTrustBundles() []*pbpeering.PeeringTrustBundle {
switch s.Kind { switch s.Kind {
case structs.ServiceKindConnectProxy: case structs.ServiceKindConnectProxy:
return s.ConnectProxy.PeeringTrustBundles return s.ConnectProxy.InboundPeerTrustBundles
case structs.ServiceKindMeshGateway: case structs.ServiceKindMeshGateway:
return s.MeshGateway.PeeringTrustBundles return s.MeshGateway.PeeringTrustBundles
default: default:
@ -755,7 +755,7 @@ func (u *ConfigSnapshotUpstreams) PeeredUpstreamIDs() []UpstreamID {
continue continue
} }
if _, ok := u.PeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok { if _, ok := u.UpstreamPeerTrustBundles[uid.Peer]; uid.Peer != "" && !ok {
// The trust bundle for this upstream is not available yet, skip for now. // The trust bundle for this upstream is not available yet, skip for now.
continue continue
} }


@ -2572,15 +2572,15 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Len(t, snap.ConnectProxy.WatchedGateways, 0, "%+v", snap.ConnectProxy.WatchedGateways) require.Len(t, snap.ConnectProxy.WatchedGateways, 0, "%+v", snap.ConnectProxy.WatchedGateways)
require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 0, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints) require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 0, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints)
require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles) require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerTrustBundles, 0, "%+v", snap.ConnectProxy.PeerTrustBundles) require.Len(t, snap.ConnectProxy.UpstreamPeerTrustBundles, 0, "%+v", snap.ConnectProxy.UpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 0, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints) require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 0, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints)
require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks) require.Len(t, snap.ConnectProxy.WatchedServiceChecks, 0, "%+v", snap.ConnectProxy.WatchedServiceChecks)
require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints) require.Len(t, snap.ConnectProxy.PreparedQueryEndpoints, 0, "%+v", snap.ConnectProxy.PreparedQueryEndpoints)
require.Len(t, snap.ConnectProxy.PeeringTrustBundles, 0, "%+v", snap.ConnectProxy.PeeringTrustBundles) require.Len(t, snap.ConnectProxy.InboundPeerTrustBundles, 0, "%+v", snap.ConnectProxy.InboundPeerTrustBundles)
require.False(t, snap.ConnectProxy.PeeringTrustBundlesSet) require.False(t, snap.ConnectProxy.InboundPeerTrustBundlesSet)
}, },
}, },
{ {
@ -2655,7 +2655,7 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Equal(t, indexedRoots, snap.Roots) require.Equal(t, indexedRoots, snap.Roots)
require.Equal(t, issuedCert, snap.ConnectProxy.Leaf) require.Equal(t, issuedCert, snap.ConnectProxy.Leaf)
prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.PeeringTrustBundles) prototest.AssertDeepEqual(t, peerTrustBundles.Bundles, snap.ConnectProxy.InboundPeerTrustBundles)
require.Len(t, snap.ConnectProxy.DiscoveryChain, 1, "%+v", snap.ConnectProxy.DiscoveryChain) require.Len(t, snap.ConnectProxy.DiscoveryChain, 1, "%+v", snap.ConnectProxy.DiscoveryChain)
require.Len(t, snap.ConnectProxy.WatchedUpstreams, 1, "%+v", snap.ConnectProxy.WatchedUpstreams) require.Len(t, snap.ConnectProxy.WatchedUpstreams, 1, "%+v", snap.ConnectProxy.WatchedUpstreams)
@ -2663,8 +2663,8 @@ func TestState_WatchesAndUpdates(t *testing.T) {
require.Len(t, snap.ConnectProxy.WatchedGateways, 1, "%+v", snap.ConnectProxy.WatchedGateways) require.Len(t, snap.ConnectProxy.WatchedGateways, 1, "%+v", snap.ConnectProxy.WatchedGateways)
require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 1, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints) require.Len(t, snap.ConnectProxy.WatchedGatewayEndpoints, 1, "%+v", snap.ConnectProxy.WatchedGatewayEndpoints)
require.Contains(t, snap.ConnectProxy.WatchedPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedPeerTrustBundles) require.Contains(t, snap.ConnectProxy.WatchedUpstreamPeerTrustBundles, "peer-a", "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.PeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedPeerTrustBundles) require.Equal(t, peerTrustBundles.Bundles[0], snap.ConnectProxy.UpstreamPeerTrustBundles["peer-a"], "%+v", snap.ConnectProxy.WatchedUpstreamPeerTrustBundles)
require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 1, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints) require.Len(t, snap.ConnectProxy.PeerUpstreamEndpoints, 1, "%+v", snap.ConnectProxy.PeerUpstreamEndpoints)
require.NotNil(t, snap.ConnectProxy.PeerUpstreamEndpoints[extApiUID]) require.NotNil(t, snap.ConnectProxy.PeerUpstreamEndpoints[extApiUID])


@ -465,9 +465,9 @@ func (s *ResourceGenerator) makeDestinationClusters(cfgSnap *proxycfg.ConfigSnap
cluster := s.makeDynamicForwardProxyCluster(cfgSnap, opts) cluster := s.makeDynamicForwardProxyCluster(cfgSnap, opts)
// TODO (dans): might be relevant later for TLS addons like CA validation // TODO (dans): might be relevant later for TLS addons like CA validation
//if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil { // if err := s.injectGatewayServiceAddons(cfgSnap, cluster, svc, loadBalancer); err != nil {
// return nil, err // return nil, err
//} // }
clusters = append(clusters, cluster) clusters = append(clusters, cluster)
} }
return clusters, nil return clusters, nil
@ -695,7 +695,7 @@ func (s *ResourceGenerator) makeUpstreamClusterForPeerService(
rootPEMs := cfgSnap.RootPEMs() rootPEMs := cfgSnap.RootPEMs()
if uid.Peer != "" { if uid.Peer != "" {
rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs() rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
} }
// Enable TLS upstream with the configured client certificate. // Enable TLS upstream with the configured client certificate.
@ -999,7 +999,7 @@ func (s *ResourceGenerator) makeUpstreamClustersForDiscoveryChain(
rootPEMs := cfgSnap.RootPEMs() rootPEMs := cfgSnap.RootPEMs()
if uid.Peer != "" { if uid.Peer != "" {
rootPEMs = cfgSnap.ConnectProxy.PeerTrustBundles[uid.Peer].ConcatenatedRootPEMs() rootPEMs = cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer].ConcatenatedRootPEMs()
} }
commonTLSContext := makeCommonTLSContext( commonTLSContext := makeCommonTLSContext(
cfgSnap.Leaf(), cfgSnap.Leaf(),
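Review bot: `cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer]` is indexed without a presence check in both makeUpstreamClusterForPeerService and makeUpstreamClustersForDiscoveryChain (the two lines ending in `.ConcatenatedRootPEMs()`), so a peer whose bundle has not arrived yet yields a nil *PeeringTrustBundle and a method call on it; whether that is safe depends on ConcatenatedRootPEMs's nil handling, which is not visible here. PeeredUpstreamIDs in snapshot.go skips upstreams with no bundle, so this is probably unreachable through that path, but an explicit guard keeps the invariant local and fails closed rather than trusting the caller: `bundle, ok := cfgSnap.ConnectProxy.UpstreamPeerTrustBundles[uid.Peer]` / `if !ok { return an error naming uid.Peer as missing its trust bundle }` / `rootPEMs = bundle.ConcatenatedRootPEMs()` — the exact return shape is outside the hunk, so the error return is only sketched. This matters because the bundle selected here is what the upstream TLS context validates the server against. Both enclosing functions start and end outside the hunks.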


@ -697,7 +697,8 @@ func (s *ResourceGenerator) injectConnectFilters(cfgSnap *proxycfg.ConfigSnapsho
authzFilter, err := makeRBACNetworkFilter( authzFilter, err := makeRBACNetworkFilter(
cfgSnap.ConnectProxy.Intentions, cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow, cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles, cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
) )
if err != nil { if err != nil {
return err return err
@ -952,7 +953,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
httpAuthzFilter, err := makeRBACHTTPFilter( httpAuthzFilter, err := makeRBACHTTPFilter(
cfgSnap.ConnectProxy.Intentions, cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow, cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles, cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
) )
if err != nil { if err != nil {
return nil, err return nil, err
@ -1009,7 +1011,8 @@ func (s *ResourceGenerator) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot
filterOpts.httpAuthzFilter, err = makeRBACHTTPFilter( filterOpts.httpAuthzFilter, err = makeRBACHTTPFilter(
cfgSnap.ConnectProxy.Intentions, cfgSnap.ConnectProxy.Intentions,
cfgSnap.IntentionDefaultAllow, cfgSnap.IntentionDefaultAllow,
cfgSnap.ConnectProxy.PeerTrustBundles, cfgSnap.Roots.TrustDomain,
cfgSnap.ConnectProxy.InboundPeerTrustBundles,
) )
if err != nil { if err != nil {
return nil, err return nil, err
@ -1307,6 +1310,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
authFilter, err := makeRBACNetworkFilter( authFilter, err := makeRBACNetworkFilter(
intentions, intentions,
cfgSnap.IntentionDefaultAllow, cfgSnap.IntentionDefaultAllow,
cfgSnap.Roots.TrustDomain,
nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway
) )
if err != nil { if err != nil {
@ -1344,6 +1348,7 @@ func (s *ResourceGenerator) makeFilterChainTerminatingGateway(cfgSnap *proxycfg.
opts.httpAuthzFilter, err = makeRBACHTTPFilter( opts.httpAuthzFilter, err = makeRBACHTTPFilter(
intentions, intentions,
cfgSnap.IntentionDefaultAllow, cfgSnap.IntentionDefaultAllow,
cfgSnap.Roots.TrustDomain,
nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway nil, // TODO(peering): verify intentions w peers don't apply to terminatingGateway
) )
if err != nil { if err != nil {
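Review bot: `cfgSnap.Roots.TrustDomain` is dereferenced at all five new argument sites (injectConnectFilters, makeInboundListener twice, makeFilterChainTerminatingGateway twice) with no nil check on cfgSnap.Roots, and an empty trust domain is passed through silently. If listener generation is only entered once a root CA response is present in the snapshot, the nil case is unreachable, but that invariant is not stated at any of these sites; a comment at the first one, `// Roots is non-nil for a valid snapshot; TrustDomain scopes the RBAC SPIFFE matchers to this cluster's identities`, would record it — hedged, since the validity gate is outside this hunk. An empty TrustDomain would make every local-source intention pattern unmatchable, which fails closed but silently; rejecting it in makeRBACRules would surface the misconfiguration instead. All enclosing functions start and end outside the hunks.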


@ -21,9 +21,10 @@ import (
func makeRBACNetworkFilter( func makeRBACNetworkFilter(
intentions structs.Intentions, intentions structs.Intentions,
intentionDefaultAllow bool, intentionDefaultAllow bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle, trustDomain string,
peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_listener_v3.Filter, error) { ) (*envoy_listener_v3.Filter, error) {
rules, err := makeRBACRules(intentions, intentionDefaultAllow, false, peerTrustBundles) rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, false, peerTrustBundles)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -38,9 +39,10 @@ func makeRBACNetworkFilter(
func makeRBACHTTPFilter( func makeRBACHTTPFilter(
intentions structs.Intentions, intentions structs.Intentions,
intentionDefaultAllow bool, intentionDefaultAllow bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle, trustDomain string,
peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_http_v3.HttpFilter, error) { ) (*envoy_http_v3.HttpFilter, error) {
rules, err := makeRBACRules(intentions, intentionDefaultAllow, true, peerTrustBundles) rules, err := makeRBACRules(intentions, intentionDefaultAllow, trustDomain, true, peerTrustBundles)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -53,6 +55,7 @@ func makeRBACHTTPFilter(
func intentionListToIntermediateRBACForm( func intentionListToIntermediateRBACForm(
intentions structs.Intentions, intentions structs.Intentions,
trustDomain string,
isHTTP bool, isHTTP bool,
trustBundlesByPeer map[string]*pbpeering.PeeringTrustBundle, trustBundlesByPeer map[string]*pbpeering.PeeringTrustBundle,
) []*rbacIntention { ) []*rbacIntention {
@ -72,7 +75,7 @@ func intentionListToIntermediateRBACForm(
continue continue
} }
rixn := intentionToIntermediateRBACForm(ixn, isHTTP, trustBundle) rixn := intentionToIntermediateRBACForm(ixn, trustDomain, isHTTP, trustBundle)
rbacIxns = append(rbacIxns, rixn) rbacIxns = append(rbacIxns, rixn)
} }
return rbacIxns return rbacIxns
@ -210,11 +213,12 @@ func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction
return out return out
} }
func intentionToIntermediateRBACForm(ixn *structs.Intention, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention { func intentionToIntermediateRBACForm(ixn *structs.Intention, trustDomain string, isHTTP bool, bundle *pbpeering.PeeringTrustBundle) *rbacIntention {
rixn := &rbacIntention{ rixn := &rbacIntention{
Source: rbacService{ Source: rbacService{
ServiceName: ixn.SourceServiceName(), ServiceName: ixn.SourceServiceName(),
Peer: ixn.SourcePeer, Peer: ixn.SourcePeer,
TrustDomain: trustDomain,
}, },
Precedence: ixn.Precedence, Precedence: ixn.Precedence,
} }
@ -426,25 +430,21 @@ func simplifyNotSourceSlice(notSources []rbacService) []rbacService {
func makeRBACRules( func makeRBACRules(
intentions structs.Intentions, intentions structs.Intentions,
intentionDefaultAllow bool, intentionDefaultAllow bool,
trustDomain string,
isHTTP bool, isHTTP bool,
peerTrustBundles map[string]*pbpeering.PeeringTrustBundle, peerTrustBundles []*pbpeering.PeeringTrustBundle,
) (*envoy_rbac_v3.RBAC, error) { ) (*envoy_rbac_v3.RBAC, error) {
// Note that we DON'T explicitly validate the trust-domain matches ours.
//
// For now we don't validate the trust domain of the _destination_ at all.
// The RBAC policies below ignore the trust domain and it's implicit that
// the request is for the correct cluster. We might want to reconsider this
// later but plumbing in additional machinery to check the clusterID here
// is not really necessary for now unless the Envoys are badly configured.
// Our threat model _requires_ correctly configured and well behaved
// proxies given that they have ACLs to fetch certs and so can do whatever
// they want including not authorizing traffic at all or routing it do a
// different service than they auth'd against.
// TODO(banks,rb): Implement revocation list checking? // TODO(banks,rb): Implement revocation list checking?
// TODO(peering): mkeeler asked that these maps come from proxycfg instead of
// being constructed in xds to save memory allocation and gc pressure. Low priority.
trustBundlesByPeer := make(map[string]*pbpeering.PeeringTrustBundle, len(peerTrustBundles))
for _, ptb := range peerTrustBundles {
trustBundlesByPeer[ptb.PeerName] = ptb
}
// First build up just the basic principal matches. // First build up just the basic principal matches.
rbacIxns := intentionListToIntermediateRBACForm(intentions, isHTTP, peerTrustBundles) rbacIxns := intentionListToIntermediateRBACForm(intentions, trustDomain, isHTTP, trustBundlesByPeer)
// Normalize: if we are in default-deny then all intentions must be allows and vice versa // Normalize: if we are in default-deny then all intentions must be allows and vice versa
intentionDefaultAction := intentionActionFromBool(intentionDefaultAllow) intentionDefaultAction := intentionActionFromBool(intentionDefaultAllow)
@ -641,7 +641,7 @@ const anyPath = `[^/]+`
func makeSpiffePattern(src rbacService) string { func makeSpiffePattern(src rbacService) string {
var ( var (
host = anyPath // TODO(peering): We match trust domain on any value but should be defaulting to the local trust domain host = src.TrustDomain
ap = src.PartitionOrDefault() ap = src.PartitionOrDefault()
ns = src.NamespaceOrDefault() ns = src.NamespaceOrDefault()
svc = src.Name svc = src.Name
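Review bot: `host = src.TrustDomain` in makeSpiffePattern interpolates the trust domain into a regular expression unescaped, so the `.` in a domain such as `test.consul` matches any character (the golden files in this commit show `^spiffe://test.consul/...` verbatim); the matcher should use `host = regexp.QuoteMeta(src.TrustDomain)` (adding the regexp import if the file lacks it) so only the exact domain is accepted. The widening is small because trust domains are fixed-format, but the previous `[^/]+` was replaced precisely to stop cross-trust-domain principals from matching, so the literal should be anchored exactly. makeRBACRules also accepts an empty trustDomain without complaint, which yields `spiffe:///ns/...` patterns that match nothing — fail-closed but silent; returning an error when `trustDomain == ""` would make the misconfiguration visible. makeSpiffePattern's body continues outside the hunk, so the pattern assembly itself is not visible here.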


@ -58,10 +58,13 @@ func TestRemoveIntentionPrecedence(t *testing.T) {
ExportedPartition: "part1", ExportedPartition: "part1",
}, },
} }
testTrustDomain := "test.consul"
var ( var (
nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil)} nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil),
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil)} TrustDomain: testTrustDomain}
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil),
TrustDomain: testTrustDomain}
nameWildPeered = rbacService{ServiceName: structs.NewServiceName("*", nil), nameWildPeered = rbacService{ServiceName: structs.NewServiceName("*", nil),
Peer: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1"} Peer: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1"}
nameWebPeered = rbacService{ServiceName: structs.NewServiceName("web", nil), nameWebPeered = rbacService{ServiceName: structs.NewServiceName("web", nil),
@ -439,7 +442,7 @@ func TestRemoveIntentionPrecedence(t *testing.T) {
for name, tt := range tests { for name, tt := range tests {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, tt.http, testPeerTrustBundle) rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, testTrustDomain, tt.http, testPeerTrustBundle)
intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow) intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow)
rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction) rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction)
@ -472,13 +475,14 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
ixn.Permissions = perms ixn.Permissions = perms
return ixn return ixn
} }
testPeerTrustBundle := map[string]*pbpeering.PeeringTrustBundle{ testPeerTrustBundle := []*pbpeering.PeeringTrustBundle{
"peer1": { {
PeerName: "peer1", PeerName: "peer1",
TrustDomain: "peer1.domain", TrustDomain: "peer1.domain",
ExportedPartition: "part1", ExportedPartition: "part1",
}, },
} }
testTrustDomain := "test.consul"
sorted := func(ixns ...*structs.Intention) structs.Intentions { sorted := func(ixns ...*structs.Intention) structs.Intentions {
sort.SliceStable(ixns, func(i, j int) bool { sort.SliceStable(ixns, func(i, j int) bool {
return ixns[j].Precedence < ixns[i].Precedence return ixns[j].Precedence < ixns[i].Precedence
@ -797,7 +801,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
tt := tt tt := tt
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
t.Run("network filter", func(t *testing.T) { t.Run("network filter", func(t *testing.T) {
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle) filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle)
require.NoError(t, err) require.NoError(t, err)
t.Run("current", func(t *testing.T) { t.Run("current", func(t *testing.T) {
@ -807,7 +811,7 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
}) })
}) })
t.Run("http filter", func(t *testing.T) { t.Run("http filter", func(t *testing.T) {
filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testPeerTrustBundle) filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testTrustDomain, testPeerTrustBundle)
require.NoError(t, err) require.NoError(t, err)
t.Run("current", func(t *testing.T) { t.Run("current", func(t *testing.T) {


@ -22,7 +22,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -35,7 +35,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -34,7 +34,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -47,7 +47,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -22,7 +22,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -35,7 +35,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -64,7 +64,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -34,7 +34,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -47,7 +47,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
} }
} }
} }
@ -31,7 +31,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -46,7 +46,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -59,7 +59,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -73,7 +73,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
} }
} }
} }
@ -87,7 +87,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
} }
} }
} }
@ -31,7 +31,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -46,7 +46,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -59,7 +59,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -73,7 +73,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
} }
} }
} }
@ -87,7 +87,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -23,7 +23,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }


@ -227,7 +227,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -45,7 +45,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -19,7 +19,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -21,7 +21,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -34,7 +34,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -21,7 +21,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -34,7 +34,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -22,7 +22,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
} }
} }
} }
@ -30,7 +30,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -45,7 +45,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -58,7 +58,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -72,7 +72,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
} }
} }
} }
@ -86,7 +86,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
} }
} }
} }
@ -30,7 +30,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -45,7 +45,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }
@ -58,7 +58,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }
@ -72,7 +72,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/unsafe$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/unsafe$"
} }
} }
} }
@ -86,7 +86,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/cron$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -22,7 +22,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }


@ -18,7 +18,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/[^/]+$"
} }
} }
} }


@ -226,7 +226,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }


@ -46,7 +46,7 @@
"googleRe2": { "googleRe2": {
}, },
"regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
} }
} }
} }