2023-08-11 13:12:13 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
|
2023-07-17 22:15:22 +00:00
|
|
|
package sprawl
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/api"
|
|
|
|
"github.com/hashicorp/consul/testing/deployer/topology"
|
|
|
|
)
|
|
|
|
|
|
|
|
func policyForCrossNamespaceRead(partition string) *api.ACLPolicy {
|
|
|
|
return &api.ACLPolicy{
|
|
|
|
Name: "cross-ns-catalog-read",
|
|
|
|
Description: "cross-ns-catalog-read",
|
|
|
|
Partition: partition,
|
|
|
|
Rules: fmt.Sprintf(`
|
|
|
|
partition %[1]q {
|
|
|
|
namespace_prefix "" {
|
|
|
|
node_prefix "" { policy = "read" }
|
|
|
|
service_prefix "" { policy = "read" }
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`, partition),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
const anonymousTokenAccessorID = "00000000-0000-0000-0000-000000000002"
|
|
|
|
|
|
|
|
func anonymousToken() *api.ACLToken {
|
|
|
|
return &api.ACLToken{
|
|
|
|
AccessorID: anonymousTokenAccessorID,
|
|
|
|
// SecretID: "anonymous",
|
|
|
|
Description: "anonymous",
|
|
|
|
Local: false,
|
|
|
|
Policies: []*api.ACLTokenPolicyLink{
|
|
|
|
{
|
|
|
|
Name: "anonymous",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func anonymousPolicy(enterprise bool) *api.ACLPolicy {
|
|
|
|
p := &api.ACLPolicy{
|
|
|
|
Name: "anonymous",
|
|
|
|
Description: "anonymous",
|
|
|
|
}
|
|
|
|
if enterprise {
|
|
|
|
p.Rules = `
|
|
|
|
partition_prefix "" {
|
|
|
|
namespace_prefix "" {
|
|
|
|
node_prefix "" { policy = "read" }
|
|
|
|
service_prefix "" { policy = "read" }
|
|
|
|
}
|
|
|
|
}
|
|
|
|
`
|
|
|
|
} else {
|
|
|
|
p.Rules = `
|
|
|
|
node_prefix "" { policy = "read" }
|
|
|
|
service_prefix "" { policy = "read" }
|
|
|
|
`
|
|
|
|
}
|
|
|
|
return p
|
|
|
|
}
|
|
|
|
|
|
|
|
func tokenForNode(node *topology.Node, enterprise bool) *api.ACLToken {
|
|
|
|
nid := node.ID()
|
|
|
|
|
|
|
|
tokenName := "agent--" + nid.ACLString()
|
|
|
|
|
|
|
|
token := &api.ACLToken{
|
|
|
|
Description: tokenName,
|
|
|
|
Local: false,
|
|
|
|
NodeIdentities: []*api.ACLNodeIdentity{{
|
|
|
|
NodeName: node.PodName(),
|
|
|
|
Datacenter: node.Datacenter,
|
|
|
|
}},
|
|
|
|
}
|
|
|
|
if enterprise {
|
|
|
|
token.Partition = node.Partition
|
|
|
|
token.Namespace = "default"
|
|
|
|
}
|
|
|
|
return token
|
|
|
|
}
|
|
|
|
|
2023-11-10 19:22:06 +00:00
|
|
|
// Deprecated: tokenForWorkload
|
|
|
|
func tokenForService(wrk *topology.Workload, overridePolicy *api.ACLPolicy, enterprise bool) *api.ACLToken {
|
|
|
|
return tokenForWorkload(wrk, overridePolicy, enterprise)
|
|
|
|
}
|
|
|
|
|
|
|
|
func tokenForWorkload(wrk *topology.Workload, overridePolicy *api.ACLPolicy, enterprise bool) *api.ACLToken {
|
2023-07-17 22:15:22 +00:00
|
|
|
token := &api.ACLToken{
|
2023-11-10 19:22:06 +00:00
|
|
|
Description: "service--" + wrk.ID.ACLString(),
|
2023-07-17 22:15:22 +00:00
|
|
|
Local: false,
|
|
|
|
}
|
|
|
|
if overridePolicy != nil {
|
|
|
|
token.Policies = []*api.ACLTokenPolicyLink{{ID: overridePolicy.ID}}
|
|
|
|
} else {
|
|
|
|
token.ServiceIdentities = []*api.ACLServiceIdentity{{
|
2023-11-10 19:22:06 +00:00
|
|
|
ServiceName: wrk.ID.Name,
|
2023-07-17 22:15:22 +00:00
|
|
|
}}
|
|
|
|
}
|
|
|
|
|
|
|
|
if enterprise {
|
2023-11-10 19:22:06 +00:00
|
|
|
token.Namespace = wrk.ID.Namespace
|
|
|
|
token.Partition = wrk.ID.Partition
|
2023-07-17 22:15:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return token
|
|
|
|
}
|
|
|
|
|
2023-09-08 16:04:56 +00:00
|
|
|
const (
|
|
|
|
meshGatewayCommunityRules = `
|
|
|
|
service "mesh-gateway" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
node_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
agent_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
# for peering
|
|
|
|
mesh = "write"
|
|
|
|
peering = "read"
|
|
|
|
`
|
2023-07-17 22:15:22 +00:00
|
|
|
|
2023-09-08 16:04:56 +00:00
|
|
|
meshGatewayEntDefaultRules = `
|
2023-07-17 22:15:22 +00:00
|
|
|
namespace_prefix "" {
|
|
|
|
service "mesh-gateway" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
node_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
}
|
|
|
|
agent_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
# for peering
|
|
|
|
mesh = "write"
|
2023-09-08 16:04:56 +00:00
|
|
|
|
|
|
|
partition_prefix "" {
|
|
|
|
peering = "read"
|
2023-07-17 22:15:22 +00:00
|
|
|
}
|
2023-09-08 16:04:56 +00:00
|
|
|
`
|
|
|
|
|
|
|
|
meshGatewayEntNonDefaultRules = `
|
|
|
|
namespace_prefix "" {
|
|
|
|
service "mesh-gateway" {
|
|
|
|
policy = "write"
|
|
|
|
}
|
|
|
|
service_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
node_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
2023-07-17 22:15:22 +00:00
|
|
|
}
|
|
|
|
agent_prefix "" {
|
|
|
|
policy = "read"
|
|
|
|
}
|
|
|
|
# for peering
|
|
|
|
mesh = "write"
|
|
|
|
`
|
2023-09-08 16:04:56 +00:00
|
|
|
)
|
|
|
|
|
2023-11-10 19:22:06 +00:00
|
|
|
func policyForMeshGateway(wrk *topology.Workload, enterprise bool) *api.ACLPolicy {
|
|
|
|
policyName := "mesh-gateway--" + wrk.ID.ACLString()
|
2023-09-08 16:04:56 +00:00
|
|
|
|
|
|
|
policy := &api.ACLPolicy{
|
|
|
|
Name: policyName,
|
|
|
|
Description: policyName,
|
|
|
|
}
|
|
|
|
if enterprise {
|
2023-11-10 19:22:06 +00:00
|
|
|
policy.Partition = wrk.ID.Partition
|
2023-09-08 16:04:56 +00:00
|
|
|
policy.Namespace = "default"
|
|
|
|
}
|
|
|
|
|
|
|
|
if enterprise {
|
2023-11-10 19:22:06 +00:00
|
|
|
if wrk.ID.Partition == "default" {
|
2023-09-08 16:04:56 +00:00
|
|
|
policy.Rules = meshGatewayEntDefaultRules
|
|
|
|
} else {
|
|
|
|
policy.Rules = meshGatewayEntNonDefaultRules
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
policy.Rules = meshGatewayCommunityRules
|
2023-07-17 22:15:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return policy
|
|
|
|
}
|