status-im
/
consul
mirror of https://github.com/status-im/consul.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
consul/agent/xds/rbac_test.go

1287 lines
43 KiB
Go
Raw Normal View History

copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files
2023-03-28 18:39:22 +00:00
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
package xds
import (
"fmt"
"path/filepath"
Add the Lua Envoy extension (#15906)
2023-01-06 17:13:40 +00:00
"regexp"
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
"sort"
"testing"
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
envoy_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
xds: remove deprecated usages of xDS (#9602) Note that this does NOT upgrade to xDS v3. That will come in a future PR. Additionally: - Ignored staticcheck warnings about how github.com/golang/protobuf is deprecated. - Shuffled some agent/xds imports in advance of a later xDS v3 upgrade. - Remove support for envoy 1.13.x but don't add in 1.17.x yet. We have to wait until the xDS v3 support is added in a follow-up PR. Fixes #8425
2021-02-22 21:00:15 +00:00
"github.com/hashicorp/consul/agent/structs"
Protobuf Refactoring for Multi-Module Cleanliness (#16302) Protobuf Refactoring for Multi-Module Cleanliness This commit includes the following: Moves all packages that were within proto/ to proto/private Rewrites imports to account for the packages being moved Adds in buf.work.yaml to enable buf workspaces Names the proto-public buf module so that we can override the Go package imports within proto/buf.yaml Bumps the buf version dependency to 1.14.0 (I was trying out the version to see if it would get around an issue - it didn't but it also doesn't break things and it seemed best to keep up with the toolchain changes) Why: In the future we will need to consume other protobuf dependencies such as the Google HTTP annotations for openapi generation or grpc-gateway usage. There were some recent changes to have our own ratelimiting annotations. The two combined were not working when I was trying to use them together (attempting to rebase another branch) Buf workspaces should be the solution to the problem Buf workspaces means that each module will have generated Go code that embeds proto file names relative to the proto dir and not the top level repo root. This resulted in proto file name conflicts in the Go global protobuf type registry. The solution to that was to add in a private/ directory into the path within the proto/ directory. That then required rewriting all the imports. Is this safe? AFAICT yes The gRPC wire protocol doesn't seem to care about the proto file names (although the Go grpc code does tack on the proto file name as Metadata in the ServiceDesc) Other than imports, there were no changes to any generated code as a result of this.
2023-02-17 21:14:46 +00:00
"github.com/hashicorp/consul/proto/private/pbpeering"
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
)
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
func TestRemoveIntentionPrecedence(t *testing.T) {
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
type ixnOpts struct {
src string
peer string
action structs.IntentionAction
}
testIntention := func(t *testing.T, opts ixnOpts) *structs.Intention {
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
t.Helper()
ixn := structs.TestIntention(t)
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
ixn.SourceName = opts.src
ixn.SourcePeer = opts.peer
ixn.Action = opts.action
// Destination is hardcoded, since RBAC rules are generated for a single destination
ixn.DestinationName = "api"
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
//nolint:staticcheck
ixn.UpdatePrecedence()
return ixn
}
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention := func(opts ixnOpts) *structs.Intention {
return testIntention(t, opts)
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
}
testSourcePermIntention := func(src string, perms ...*structs.IntentionPermission) *structs.Intention {
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
opts := ixnOpts{src: src}
ixn := testIntention(t, opts)
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
ixn.Permissions = perms
return ixn
}
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
sorted := func(ixns ...*structs.Intention) structs.SimplifiedIntentions {
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
sort.SliceStable(ixns, func(i, j int) bool {
return ixns[j].Precedence < ixns[i].Precedence
})
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
return structs.SimplifiedIntentions(ixns)
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
}
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testPeerTrustBundle := map[string]*pbpeering.PeeringTrustBundle{
"peer1": {
PeerName: "peer1",
TrustDomain: "peer1.domain",
ExportedPartition: "part1",
},
}
Pass trust domain to RBAC to validate and fix use of wrong peer trust bundles (#13508)
2022-06-21 02:47:14 +00:00
testTrustDomain := "test.consul"
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
var (
Pass trust domain to RBAC to validate and fix use of wrong peer trust bundles (#13508)
2022-06-21 02:47:14 +00:00
nameWild = rbacService{ServiceName: structs.NewServiceName("*", nil),
TrustDomain: testTrustDomain}
nameWeb = rbacService{ServiceName: structs.NewServiceName("web", nil),
TrustDomain: testTrustDomain}
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
nameWildPeered = rbacService{ServiceName: structs.NewServiceName("*", nil),
Peer: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1"}
nameWebPeered = rbacService{ServiceName: structs.NewServiceName("web", nil),
Peer: "peer1", TrustDomain: "peer1.domain", ExportedPartition: "part1"}
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
permSlashPrefix = &structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
}
permDenySlashPrefix = &structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
}
xdsPermSlashPrefix = &envoy_rbac_v3.Permission{
Rule: &envoy_rbac_v3.Permission_UrlPath{
UrlPath: &envoy_matcher_v3.PathMatcher{
Rule: &envoy_matcher_v3.PathMatcher_Path{
Path: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Prefix{
Prefix: "/",
},
},
},
},
},
}
)
// NOTE: these default=(allow|deny) wild=(allow|deny) path=(allow|deny)
// tests below are meant to verify some of the behaviors work as expected
// when the default acl mode changes for the system
tests := map[string]struct {
intentionDefaultAllow bool
http bool
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
intentions structs.SimplifiedIntentions
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
expect []*rbacIntention
}{
"default-allow-path-allow": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
),
expect: []*rbacIntention{}, // EMPTY, just use the defaults
},
"default-deny-path-allow": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permSlashPrefix,
Action: intentionActionAllow,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
},
},
"default-allow-path-deny": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permDenySlashPrefix,
Action: intentionActionDeny,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
},
},
"default-deny-path-deny": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
),
expect: []*rbacIntention{},
},
// ========================
"default-allow-deny-all-and-path-allow": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention(ixnOpts{src: "*", action: structs.IntentionActionDeny}),
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
),
expect: []*rbacIntention{
{
Source: nameWild,
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
NotSources: []rbacService{
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
nameWeb,
},
Action: intentionActionDeny,
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWild),
notPrincipal(
idPrincipal(nameWeb),
),
},
),
},
},
},
"default-deny-deny-all-and-path-allow": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention(ixnOpts{src: "*", action: structs.IntentionActionDeny}),
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permSlashPrefix,
Action: intentionActionAllow,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
},
},
"default-allow-deny-all-and-path-deny": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention(ixnOpts{src: "*", action: structs.IntentionActionDeny}),
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permDenySlashPrefix,
Action: intentionActionDeny,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
{
Source: nameWild,
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
NotSources: []rbacService{
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
nameWeb,
},
Action: intentionActionDeny,
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWild),
notPrincipal(
idPrincipal(nameWeb),
),
},
),
},
},
},
"default-deny-deny-all-and-path-deny": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention(ixnOpts{src: "*", action: structs.IntentionActionDeny}),
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
),
expect: []*rbacIntention{},
},
// ========================
"default-allow-allow-all-and-path-allow": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention(ixnOpts{src: "*", action: structs.IntentionActionAllow}),
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
),
expect: []*rbacIntention{},
},
"default-deny-allow-all-and-path-allow": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention(ixnOpts{src: "*", action: structs.IntentionActionAllow}),
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permSlashPrefix,
Action: intentionActionAllow,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
{
Source: nameWild,
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
NotSources: []rbacService{
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
nameWeb,
},
Action: intentionActionAllow,
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWild),
notPrincipal(
idPrincipal(nameWeb),
),
},
),
},
},
},
"default-allow-allow-all-and-path-deny": {
intentionDefaultAllow: true,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention(ixnOpts{src: "*", action: structs.IntentionActionAllow}),
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
),
expect: []*rbacIntention{
{
Source: nameWeb,
Action: intentionActionLayer7,
Permissions: []*rbacPermission{
{
Definition: permDenySlashPrefix,
Action: intentionActionDeny,
Perm: xdsPermSlashPrefix,
NotPerms: nil,
Skip: false,
ComputedPermission: xdsPermSlashPrefix,
},
},
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWeb),
},
},
},
"default-deny-allow-all-and-path-deny": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testSourceIntention(ixnOpts{src: "*", action: structs.IntentionActionAllow}),
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
),
expect: []*rbacIntention{
{
Source: nameWild,
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
NotSources: []rbacService{
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
nameWeb,
},
Action: intentionActionAllow,
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWild),
notPrincipal(
idPrincipal(nameWeb),
),
},
),
},
},
},
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
// ========= Sanity check that peers get passed through
"default-deny-peered": {
intentionDefaultAllow: false,
http: true,
intentions: sorted(
testSourceIntention(ixnOpts{
src: "*",
action: structs.IntentionActionAllow,
peer: "peer1",
}),
testSourceIntention(ixnOpts{
src: "web",
action: structs.IntentionActionAllow,
peer: "peer1",
}),
),
expect: []*rbacIntention{
{
Source: nameWebPeered,
Action: intentionActionAllow,
Permissions: nil,
Precedence: 9,
Skip: false,
ComputedPrincipal: idPrincipal(nameWebPeered),
},
{
Source: nameWildPeered,
Action: intentionActionAllow,
NotSources: []rbacService{
nameWebPeered,
},
Permissions: nil,
Precedence: 8,
Skip: false,
ComputedPrincipal: andPrincipals(
[]*envoy_rbac_v3.Principal{
idPrincipal(nameWildPeered),
notPrincipal(
idPrincipal(nameWebPeered),
),
},
),
},
},
},
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
}
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation.
2022-06-29 15:29:54 +00:00
testLocalInfo := rbacLocalInfo{
trustDomain: testTrustDomain,
datacenter: "dc1",
}
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
for name, tt := range tests {
t.Run(name, func(t *testing.T) {
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
rbacIxns, err := intentionListToIntermediateRBACForm(tt.intentions, testLocalInfo, tt.http, testPeerTrustBundle, nil)
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow)
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation.
2022-06-29 15:29:54 +00:00
rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction, testLocalInfo)
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
require.NoError(t, err)
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
require.Equal(t, tt.expect, rbacIxns)
})
}
}
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention {
t.Helper()
ixn := structs.TestIntention(t)
ixn.SourceName = src
ixn.DestinationName = dst
ixn.Action = action
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
//nolint:staticcheck
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
ixn.UpdatePrecedence()
return ixn
}
testSourceIntention := func(src string, action structs.IntentionAction) *structs.Intention {
return testIntention(t, src, "api", action)
}
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testIntentionPeered := func(src string, peer string, action structs.IntentionAction) *structs.Intention {
ixn := testIntention(t, src, "api", action)
ixn.SourcePeer = peer
return ixn
}
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
testSourcePermIntention := func(src string, perms ...*structs.IntentionPermission) *structs.Intention {
ixn := testIntention(t, src, "api", "")
ixn.Permissions = perms
return ixn
}
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
testIntentionWithJWT := func(src string, action structs.IntentionAction, jwt *structs.IntentionJWTRequirement, perms ...*structs.IntentionPermission) *structs.Intention {
ixn := testIntention(t, src, "api", action)
ixn.JWT = jwt
ixn.Action = action
if perms != nil {
ixn.Permissions = perms
ixn.Action = ""
}
return ixn
}
Pass trust domain to RBAC to validate and fix use of wrong peer trust bundles (#13508)
2022-06-21 02:47:14 +00:00
testPeerTrustBundle := []*pbpeering.PeeringTrustBundle{
{
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
PeerName: "peer1",
TrustDomain: "peer1.domain",
ExportedPartition: "part1",
},
}
Pass trust domain to RBAC to validate and fix use of wrong peer trust bundles (#13508)
2022-06-21 02:47:14 +00:00
testTrustDomain := "test.consul"
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
sorted := func(ixns ...*structs.Intention) structs.SimplifiedIntentions {
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
sort.SliceStable(ixns, func(i, j int) bool {
return ixns[j].Precedence < ixns[i].Precedence
})
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
return structs.SimplifiedIntentions(ixns)
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
var (
permSlashPrefix = &structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
}
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
oktaWithClaims = structs.IntentionJWTProvider{
Name: "okta",
VerifyClaims: []*structs.IntentionJWTClaimVerification{
{Path: []string{"roles"}, Value: "testing"},
},
}
auth0WithClaims = structs.IntentionJWTProvider{
Name: "auth0",
VerifyClaims: []*structs.IntentionJWTClaimVerification{
{Path: []string{"perms", "role"}, Value: "admin"},
},
}
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
testJWTProviderConfigEntry = map[string]*structs.JWTProviderConfigEntry{
"okta": {Name: "okta", Issuer: "mytest.okta-issuer"},
"auth0": {Name: "auth0", Issuer: "mytest.auth0-issuer"},
}
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
jwtRequirement = &structs.IntentionJWTRequirement{
Providers: []*structs.IntentionJWTProvider{
&oktaWithClaims,
},
}
auth0Requirement = &structs.IntentionJWTRequirement{
Providers: []*structs.IntentionJWTProvider{
&auth0WithClaims,
},
}
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
permDenySlashPrefix = &structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
}
)
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
tests := map[string]struct {
intentionDefaultAllow bool
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
intentions structs.SimplifiedIntentions
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}{
"default-deny-mixed-precedence": {
intentionDefaultAllow: false,
intentions: sorted(
testIntention(t, "web", "api", structs.IntentionActionAllow),
testIntention(t, "*", "api", structs.IntentionActionDeny),
testIntention(t, "web", "*", structs.IntentionActionDeny),
),
},
"default-deny-service-wildcard-allow": {
intentionDefaultAllow: false,
intentions: sorted(
testSourceIntention("*", structs.IntentionActionAllow),
),
},
"default-allow-service-wildcard-deny": {
intentionDefaultAllow: true,
intentions: sorted(
testSourceIntention("*", structs.IntentionActionDeny),
),
},
"default-deny-one-allow": {
intentionDefaultAllow: false,
intentions: sorted(
testSourceIntention("web", structs.IntentionActionAllow),
),
},
"default-allow-one-deny": {
intentionDefaultAllow: true,
intentions: sorted(
testSourceIntention("web", structs.IntentionActionDeny),
),
},
"default-deny-allow-deny": {
intentionDefaultAllow: false,
intentions: sorted(
testSourceIntention("web", structs.IntentionActionDeny),
testSourceIntention("*", structs.IntentionActionAllow),
),
},
"default-deny-kitchen-sink": {
intentionDefaultAllow: false,
intentions: sorted(
// (double exact)
testSourceIntention("web", structs.IntentionActionAllow),
testSourceIntention("unsafe", structs.IntentionActionDeny),
testSourceIntention("cron", structs.IntentionActionAllow),
testSourceIntention("*", structs.IntentionActionAllow),
),
},
"default-allow-kitchen-sink": {
intentionDefaultAllow: true,
intentions: sorted(
// (double exact)
testSourceIntention("web", structs.IntentionActionDeny),
testSourceIntention("unsafe", structs.IntentionActionAllow),
testSourceIntention("cron", structs.IntentionActionDeny),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
"default-deny-peered-kitchen-sink": {
intentionDefaultAllow: false,
intentions: sorted(
testSourceIntention("web", structs.IntentionActionAllow),
testIntentionPeered("*", "peer1", structs.IntentionActionAllow),
testIntentionPeered("web", "peer1", structs.IntentionActionDeny),
),
},
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
2021-07-15 15:09:00 +00:00
// ========================
"default-allow-path-allow": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
),
},
"default-deny-path-allow": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web", permSlashPrefix),
),
},
"default-allow-path-deny": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
),
},
"default-deny-path-deny": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web", permDenySlashPrefix),
),
},
// ========================
"default-allow-deny-all-and-path-allow": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
"default-deny-deny-all-and-path-allow": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
"default-allow-deny-all-and-path-deny": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
"default-deny-deny-all-and-path-deny": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
testSourceIntention("*", structs.IntentionActionDeny),
),
},
// ========================
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
"default-deny-two-path-deny-and-path-allow": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/secret",
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/admin",
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
),
},
"default-allow-two-path-deny-and-path-allow": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/secret",
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/admin",
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/",
},
},
),
),
},
"default-deny-single-intention-with-kitchen-sink-perms": {
intentionDefaultAllow: false,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/secret",
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/v1",
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathRegex: "/v[123]",
Methods: []string{"GET", "HEAD", "OPTIONS"},
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
Header: []structs.IntentionHTTPHeaderPermission{
{Name: "x-foo", Present: true},
{Name: "x-bar", Exact: "xyz"},
{Name: "x-dib", Prefix: "gaz"},
{Name: "x-gir", Suffix: "zim"},
{Name: "x-zim", Regex: "gi[rR]"},
{Name: "z-foo", Present: true, Invert: true},
{Name: "z-bar", Exact: "xyz", Invert: true},
{Name: "z-dib", Prefix: "gaz", Invert: true},
{Name: "z-gir", Suffix: "zim", Invert: true},
{Name: "z-zim", Regex: "gi[rR]", Invert: true},
},
},
},
),
),
},
"default-allow-single-intention-with-kitchen-sink-perms": {
intentionDefaultAllow: true,
intentions: sorted(
testSourcePermIntention("web",
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/secret",
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "/v1",
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
PathRegex: "/v[123]",
Methods: []string{"GET", "HEAD", "OPTIONS"},
},
},
&structs.IntentionPermission{
Action: structs.IntentionActionDeny,
HTTP: &structs.IntentionHTTPPermission{
Header: []structs.IntentionHTTPHeaderPermission{
{Name: "x-foo", Present: true},
{Name: "x-bar", Exact: "xyz"},
{Name: "x-dib", Prefix: "gaz"},
{Name: "x-gir", Suffix: "zim"},
{Name: "x-zim", Regex: "gi[rR]"},
{Name: "z-foo", Present: true, Invert: true},
{Name: "z-bar", Exact: "xyz", Invert: true},
{Name: "z-dib", Prefix: "gaz", Invert: true},
{Name: "z-gir", Suffix: "zim", Invert: true},
{Name: "z-zim", Regex: "gi[rR]", Invert: true},
},
},
},
),
),
},
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
// ========= JWTAuthn Filter checks
"top-level-jwt-no-permissions": {
intentionDefaultAllow: false,
intentions: sorted(
testIntentionWithJWT("web", structs.IntentionActionAllow, jwtRequirement),
),
},
"empty-top-level-jwt-with-one-permission": {
intentionDefaultAllow: false,
intentions: sorted(
testIntentionWithJWT("web", structs.IntentionActionAllow, nil, &structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathPrefix: "some-path",
},
JWT: jwtRequirement,
}),
),
},
"top-level-jwt-with-one-permission": {
intentionDefaultAllow: false,
intentions: sorted(
testIntentionWithJWT("web",
structs.IntentionActionAllow,
jwtRequirement,
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/secret",
},
JWT: auth0Requirement,
},
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/admin",
},
},
),
),
},
"top-level-jwt-with-multiple-permissions": {
intentionDefaultAllow: false,
intentions: sorted(
testIntentionWithJWT("web",
structs.IntentionActionAllow,
jwtRequirement,
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/secret",
},
JWT: auth0Requirement,
},
&structs.IntentionPermission{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
PathExact: "/v1/admin",
},
JWT: auth0Requirement,
},
),
),
},
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation.
2022-06-29 15:29:54 +00:00
testLocalInfo := rbacLocalInfo{
trustDomain: testTrustDomain,
datacenter: "dc1",
}
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
for name, tt := range tests {
tt := tt
t.Run(name, func(t *testing.T) {
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
t.Run("network filter", func(t *testing.T) {
xds: modify rbac rules to use the XFCC header for peered L7 enforcement (#13629) When the protocol is http-like, and an intention has a peered source then the normal RBAC mTLS SAN field check is replaces with a joint combo of: mTLS SAN field must be the service's local mesh gateway leaf cert AND the first XFCC header (from the MGW) must have a URI field that matches the original intention source Also: - Update the regex program limit to be much higher than the teeny defaults, since the RBAC regex constructions are more complicated now. - Fix a few stray panics in xds generation.
2022-06-29 15:29:54 +00:00
filter, err := makeRBACNetworkFilter(tt.intentions, tt.intentionDefaultAllow, testLocalInfo, testPeerTrustBundle)
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
require.NoError(t, err)
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
t.Run("current", func(t *testing.T) {
gotJSON := protoToJSON(t, filter)
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
require.JSONEq(t, goldenSimple(t, filepath.Join("rbac", name), gotJSON), gotJSON)
})
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
})
t.Run("http filter", func(t *testing.T) {
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
filter, err := makeRBACHTTPFilter(tt.intentions, tt.intentionDefaultAllow, testLocalInfo, testPeerTrustBundle, testJWTProviderConfigEntry)
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
require.NoError(t, err)
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
xds: default to speaking xDS v3, but allow for v2 to be spoken upon request (#9658) - Also add support for envoy 1.17.0
2021-02-26 22:23:15 +00:00
t.Run("current", func(t *testing.T) {
gotJSON := protoToJSON(t, filter)
require.JSONEq(t, goldenSimple(t, filepath.Join("rbac", name+"--httpfilter"), gotJSON), gotJSON)
})
connect: support defining intentions using layer 7 criteria (#8839) Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
2020-10-06 22:09:13 +00:00
})
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
})
}
}
func TestRemoveSameSourceIntentions(t *testing.T) {
testIntention := func(t *testing.T, src, dst string) *structs.Intention {
t.Helper()
ixn := structs.TestIntention(t)
ixn.SourceName = src
ixn.DestinationName = dst
connect: intentions are now managed as a new config entry kind "service-intentions" (#8834) - Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
2020-10-06 18:24:05 +00:00
//nolint:staticcheck
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
ixn.UpdatePrecedence()
return ixn
}
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
testIntentionPeered := func(t *testing.T, src, dst, peer string) *structs.Intention {
t.Helper()
ixn := structs.TestIntention(t)
ixn.SourceName = src
ixn.SourcePeer = peer
ixn.DestinationName = dst
//nolint:staticcheck
ixn.UpdatePrecedence()
return ixn
}
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
sorted := func(ixns ...*structs.Intention) structs.SimplifiedIntentions {
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
sort.SliceStable(ixns, func(i, j int) bool {
return ixns[j].Precedence < ixns[i].Precedence
})
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
return structs.SimplifiedIntentions(ixns)
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}
tests := map[string]struct {
Add sameness groups to service intentions. (#17064)
2023-04-20 16:16:04 +00:00
in structs.SimplifiedIntentions
expect structs.SimplifiedIntentions
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}{
"empty": {},
"one": {
in: sorted(
testIntention(t, "*", "*"),
),
expect: sorted(
testIntention(t, "*", "*"),
),
},
"two with no match": {
in: sorted(
testIntention(t, "*", "foo"),
testIntention(t, "bar", "*"),
),
expect: sorted(
testIntention(t, "*", "foo"),
testIntention(t, "bar", "*"),
),
},
"two with match, exact": {
in: sorted(
testIntention(t, "bar", "foo"),
testIntention(t, "bar", "*"),
),
expect: sorted(
testIntention(t, "bar", "foo"),
),
},
"two with match, wildcard": {
in: sorted(
testIntention(t, "*", "foo"),
testIntention(t, "*", "*"),
),
expect: sorted(
testIntention(t, "*", "foo"),
),
},
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
"kitchen sink with peers": {
in: sorted(
testIntention(t, "bar", "foo"),
testIntentionPeered(t, "bar", "foo", "peer1"),
testIntentionPeered(t, "bar", "*", "peer1"),
testIntentionPeered(t, "*", "foo", "peer1"),
testIntentionPeered(t, "*", "*", "peer1"),
),
expect: sorted(
testIntention(t, "bar", "foo"),
testIntentionPeered(t, "bar", "foo", "peer1"),
testIntentionPeered(t, "*", "foo", "peer1"),
),
},
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}
for name, tc := range tests {
tc := tc
t.Run(name, func(t *testing.T) {
got := removeSameSourceIntentions(tc.in)
require.Equal(t, tc.expect, got)
})
}
}
func TestSimplifyNotSourceSlice(t *testing.T) {
tests := map[string]struct {
in []string
expect []string
}{
"empty": {},
"one": {
[]string{"bar"},
[]string{"bar"},
},
"two with no match": {
[]string{"foo", "bar"},
[]string{"foo", "bar"},
},
"two with match": {
[]string{"*", "bar"},
[]string{"*"},
},
"three with two matches down to one": {
[]string{"*", "foo", "bar"},
[]string{"*"},
},
}
for name, tc := range tests {
tc := tc
t.Run(name, func(t *testing.T) {
got := simplifyNotSourceSlice(makeServiceNameSlice(tc.in))
require.Equal(t, makeServiceNameSlice(tc.expect), got)
})
}
}
func TestIxnSourceMatches(t *testing.T) {
tests := []struct {
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
tester string
testerPeer string
against string
againstPeer string
matches bool
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}{
// identical precedence
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
{"web", "", "api", "", false},
{"*", "", "*", "", false},
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
// backwards precedence
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
{"*", "", "web", "", false},
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
// name wildcards
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
{"web", "", "*", "", true},
// peered cmp peered
{"web", "peer1", "api", "peer1", false},
{"*", "peer1", "*", "peer1", false},
// no match if peer is different
{"web", "peer1", "web", "", false},
{"*", "peer1", "*", "peer2", false},
// name wildcards with peer
{"web", "peer1", "*", "peer1", true},
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}
for _, tc := range tests {
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
t.Run(fmt.Sprintf("%s%s cmp %s%s", tc.testerPeer, tc.tester, tc.againstPeer, tc.against), func(t *testing.T) {
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
matches := ixnSourceMatches(
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
rbacService{ServiceName: structs.ServiceNameFromString(tc.tester), Peer: tc.testerPeer},
rbacService{ServiceName: structs.ServiceNameFromString(tc.against), Peer: tc.againstPeer},
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
)
assert.Equal(t, tc.matches, matches)
})
}
}
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
func makeServiceNameSlice(slice []string) []rbacService {
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
if len(slice) == 0 {
return nil
}
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
var out []rbacService
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
for _, src := range slice {
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain.
2022-06-10 21:15:22 +00:00
out = append(out, rbacService{ServiceName: structs.ServiceNameFromString(src)})
xds: use envoy's rbac filter to handle intentions entirely within envoy (#8569)
2020-08-27 17:20:58 +00:00
}
return out
}
Add the Lua Envoy extension (#15906)
2023-01-06 17:13:40 +00:00
func TestSpiffeMatcher(t *testing.T) {
cases := map[string]struct {
xfcc string
trustDomain string
namespace string
partition string
datacenter string
service string
}{
"between admin partitions": {
xfcc: `By=spiffe://70c72965-291c-d138-e5a6-cfd8a66b395e.consul/ap/ap1/ns/default/dc/primary/svc/s2;Hash=377330adafa619abe52672246b7be7410d74b7497e9d88a8396d641fd6f82ad2;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICGTCCAb%2BgAwIBAgIBCzAKBggqhkjOPQQDAjAwMS4wLAYDVQQDEyVwcmktMTJj%0AOWtvbS5jb25zdWwuY2EuNzBjNzI5NjUuY29uc3VsMB4XDTIyMTIyMjE0MjE1NVoX%0ADTIyMTIyNTE0MjE1NVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPuJbVdQ%0AYsT8RnvMLT%2FpsuZwltWbCkwxzBR03%2FEC4f7TyLy1Mfe6gm%2Fz5K8Tc29d7W16PBT0%0AR%2B1XPfpigopVanyjgfkwgfYwDgYDVR0PAQH%2FBAQDAgO4MB0GA1UdJQQWMBQGCCsG%0AAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBBxpy1QXfp%0AS4V8QFH%2BEfF39VP51Qbhlj75N5gbUSxGajArBgNVHSMEJDAigCCjWP%2BlGhzd4jbD%0A2QI66cvAAgIkLqG0lz0PyzTz76QoOzBfBgNVHREBAf8EVTBThlFzcGlmZmU6Ly83%0AMGM3Mjk2NS0yOTFjLWQxMzgtZTVhNi1jZmQ4YTY2YjM5NWUuY29uc3VsL25zL2Rl%0AZmF1bHQvZGMvcHJpbWFyeS9zdmMvczEwCgYIKoZIzj0EAwIDSAAwRQIhAJxWHplX%0Aqgmd4cRDMllJsCtOmTZ3v%2B6qDnc545tm%2Bg%2FzAiBwWOqqTZ81BtAtzzWpip1XmUFR%0Afv2SYupWQueXYrOjhw%3D%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICGTCCAb%2BgAwIBAgIBCzAKBggqhkjOPQQDAjAwMS4wLAYDVQQDEyVwcmktMTJj%0AOWtvbS5jb25zdWwuY2EuNzBjNzI5NjUuY29uc3VsMB4XDTIyMTIyMjE0MjE1NVoX%0ADTIyMTIyNTE0MjE1NVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPuJbVdQ%0AYsT8RnvMLT%2FpsuZwltWbCkwxzBR03%2FEC4f7TyLy1Mfe6gm%2Fz5K8Tc29d7W16PBT0%0AR%2B1XPfpigopVanyjgfkwgfYwDgYDVR0PAQH%2FBAQDAgO4MB0GA1UdJQQWMBQGCCsG%0AAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMCkGA1UdDgQiBCBBxpy1QXfp%0AS4V8QFH%2BEfF39VP51Qbhlj75N5gbUSxGajArBgNVHSMEJDAigCCjWP%2BlGhzd4jbD%0A2QI66cvAAgIkLqG0lz0PyzTz76QoOzBfBgNVHREBAf8EVTBThlFzcGlmZmU6Ly83%0AMGM3Mjk2NS0yOTFjLWQxMzgtZTVhNi1jZmQ4YTY2YjM5NWUuY29uc3VsL25zL2Rl%0AZmF1bHQvZGMvcHJpbWFyeS9zdmMvczEwCgYIKoZIzj0EAwIDSAAwRQIhAJxWHplX%0Aqgmd4cRDMllJsCtOmTZ3v%2B6qDnc545tm%2Bg%2FzAiBwWOqqTZ81BtAtzzWpip1XmUFR%0Afv2SYupWQueXYrOjhw%3D%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://70c72965-291c-d138-e5a6-cfd8a66b395e.consul/ap/ap9/ns/default/dc/primary/svc/s1`,
trustDomain: "70c72965-291c-d138-e5a6-cfd8a66b395e.consul",
namespace: "default",
partition: "ap9",
datacenter: "primary",
service: "s1",
},
"between services": {
xfcc: `By=spiffe://f1efe25e-a9b1-1ae1-b580-98000b84a935.consul/ns/default/dc/primary/svc/s2;Hash=c552ee3990fd6e9bb38b1a8bdd28e8358c339d282e6bb92fc86d04915407f47d;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICGjCCAcCgAwIBAgIBCzAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktOGFt%0AMjNueXouY29uc3VsLmNhLmYxZWZlMjVlLmNvbnN1bDAeFw0yMjEyMjIxNTIxMDVa%0AFw0yMjEyMjUxNTIxMDVaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrChLh%0AelrBB5e8X78fSvbKxD8yieadFg4XUeJtZh2xwdWckCGDEtT984ihgM8Hu4E%2FGpgD%0AJcExohFnS4H%2BG3uco4H5MIH2MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQghpyuV%2F4g%0Ac6x%2B5jC9uOZQMY4Km2YZwAnSmmTydjjn7qwwKwYDVR0jBCQwIoAgdO0jdTJzfKYq%0ARCYrWbHr7q%2Bq66ispOnMs6HsEwlxV%2F8wXwYDVR0RAQH%2FBFUwU4ZRc3BpZmZlOi8v%0AZjFlZmUyNWUtYTliMS0xYWUxLWI1ODAtOTgwMDBiODRhOTM1LmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL3ByaW1hcnkvc3ZjL3MxMAoGCCqGSM49BAMCA0gAMEUCIQDTNsze%0AXCj16YvFsX0PUeUBcX4Hh0nmIkMOHCQiPkXTiAIgKJKf038s6muFJw9UQJJ5SSg%2F%0A3RL1wIWXRhsqy1Y89JQ%3D%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICGjCCAcCgAwIBAgIBCzAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktOGFt%0AMjNueXouY29uc3VsLmNhLmYxZWZlMjVlLmNvbnN1bDAeFw0yMjEyMjIxNTIxMDVa%0AFw0yMjEyMjUxNTIxMDVaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrChLh%0AelrBB5e8X78fSvbKxD8yieadFg4XUeJtZh2xwdWckCGDEtT984ihgM8Hu4E%2FGpgD%0AJcExohFnS4H%2BG3uco4H5MIH2MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQghpyuV%2F4g%0Ac6x%2B5jC9uOZQMY4Km2YZwAnSmmTydjjn7qwwKwYDVR0jBCQwIoAgdO0jdTJzfKYq%0ARCYrWbHr7q%2Bq66ispOnMs6HsEwlxV%2F8wXwYDVR0RAQH%2FBFUwU4ZRc3BpZmZlOi8v%0AZjFlZmUyNWUtYTliMS0xYWUxLWI1ODAtOTgwMDBiODRhOTM1LmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL3ByaW1hcnkvc3ZjL3MxMAoGCCqGSM49BAMCA0gAMEUCIQDTNsze%0AXCj16YvFsX0PUeUBcX4Hh0nmIkMOHCQiPkXTiAIgKJKf038s6muFJw9UQJJ5SSg%2F%0A3RL1wIWXRhsqy1Y89JQ%3D%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://f1efe25e-a9b1-1ae1-b580-98000b84a935.consul/ns/default/dc/primary/svc/s1`,
trustDomain: "f1efe25e-a9b1-1ae1-b580-98000b84a935.consul",
namespace: "default",
datacenter: "primary",
service: "s1",
},
"between peers": {
xfcc: `By=spiffe://ca9857da-71aa-c5be-ec8f-abcd90cae693.consul/gateway/mesh/dc/alpha;Hash=419c850ddc7a32edc752d73bb0f0c6e4c2f5b40feae7cf0cdeeb6f3dd759ed1f;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICGzCCAcCgAwIBAgIBCzAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktcTgw%0AdmcxMXQuY29uc3VsLmNhLmZjOWEwOGVmLmNvbnN1bDAeFw0yMjEyMjIxNTIyNTBa%0AFw0yMjEyMjUxNTIyNTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQnQtQ6%0AFS%2FqjpopxZIaJtYL3pOx%2BgrzoLtKStCS0SUtGbTBmxmTeIX5l5HHD4yqCWk4M1Iv%0AXNflWvKcpw5KS1tLo4H5MIH2MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQg%2B8FyVm2p%0AdpzfijuCYeByJQH5mUkqY6%2FciCC2yScNusQwKwYDVR0jBCQwIoAgy0MyubT%2BMNQv%0A%2BuZGeBqa1yU9Fx9641epfbY%2BuSs7cbowXwYDVR0RAQH%2FBFUwU4ZRc3BpZmZlOi8v%0AZmM5YTA4ZWYtZWZiNC1iYmM5LWIzZWMtYjkzZTc2OGFiZmMyLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL3ByaW1hcnkvc3ZjL3MxMAoGCCqGSM49BAMCA0kAMEYCIQDp7hX0%0AJ%2FjrAP71jDt2w3uKQJnfZ93d%2FRub2t%2FRwQfsVAIhAL4VUbk5XUvBzwabuEfMCf4O%0AT5rjXDbCWYNN2m4xZFtt%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICGzCCAcCgAwIBAgIBCzAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktcTgw%0AdmcxMXQuY29uc3VsLmNhLmZjOWEwOGVmLmNvbnN1bDAeFw0yMjEyMjIxNTIyNTBa%0AFw0yMjEyMjUxNTIyNTBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQnQtQ6%0AFS%2FqjpopxZIaJtYL3pOx%2BgrzoLtKStCS0SUtGbTBmxmTeIX5l5HHD4yqCWk4M1Iv%0AXNflWvKcpw5KS1tLo4H5MIH2MA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQg%2B8FyVm2p%0AdpzfijuCYeByJQH5mUkqY6%2FciCC2yScNusQwKwYDVR0jBCQwIoAgy0MyubT%2BMNQv%0A%2BuZGeBqa1yU9Fx9641epfbY%2BuSs7cbowXwYDVR0RAQH%2FBFUwU4ZRc3BpZmZlOi8v%0AZmM5YTA4ZWYtZWZiNC1iYmM5LWIzZWMtYjkzZTc2OGFiZmMyLmNvbnN1bC9ucy9k%0AZWZhdWx0L2RjL3ByaW1hcnkvc3ZjL3MxMAoGCCqGSM49BAMCA0kAMEYCIQDp7hX0%0AJ%2FjrAP71jDt2w3uKQJnfZ93d%2FRub2t%2FRwQfsVAIhAL4VUbk5XUvBzwabuEfMCf4O%0AT5rjXDbCWYNN2m4xZFtt%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://fc9a08ef-efb4-bbc9-b3ec-b93e768abfc2.consul/ns/default/dc/primary/svc/s1,By=spiffe://ca9857da-71aa-c5be-ec8f-abcd90cae693.consul/ns/default/dc/alpha/svc/s2;Hash=1db4ea1e68df1ea0cec7d7ba882ca734d3e1a29a0fe64e73275b6ab796234295;Cert="-----BEGIN%20CERTIFICATE-----%0AMIICEjCCAbmgAwIBAgIBDDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMXky%0AZXVpbHkuY29uc3VsLmNhLmNhOTg1N2RhLmNvbnN1bDAeFw0yMjEyMjIxNTIzMDVa%0AFw0yMjEyMjUxNTIzMDVaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAROaLaT%0A%2BzyYZKfujWX4vOde%2BnnsGP3z0xaEGQFbgi%2BGU%2BrFfMdadzYF1oXDItS%2FpuBADuha%0Ao0iH2i2aRPUbTm4Ko4HyMIHvMA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgWTznn%2BPz%0A4eNoiwdO%2FID3uqbyiBJBFbZFAGs7m5KnoCkwKwYDVR0jBCQwIoAgAdVe5N4m4Qlv%0Afgp9tvw0MGq7puWWuLfiw7qghdr1VDIwWAYDVR0RAQH%2FBE4wTIZKc3BpZmZlOi8v%0AY2E5ODU3ZGEtNzFhYS1jNWJlLWVjOGYtYWJjZDkwY2FlNjkzLmNvbnN1bC9nYXRl%0Ad2F5L21lc2gvZGMvYWxwaGEwCgYIKoZIzj0EAwIDRwAwRAIgJu5Z6O10nQe9HAzk%0ARonRMODgENawDHbErpkQ1q91ZTYCIEHccGIEp3OybkvkmIB9s%2Bu%2FbguUjJ4ZKAiD%0AV0dKf1Ao%0A-----END%20CERTIFICATE-----%0A";Chain="-----BEGIN%20CERTIFICATE-----%0AMIICEjCCAbmgAwIBAgIBDDAKBggqhkjOPQQDAjAxMS8wLQYDVQQDEyZwcmktMXky%0AZXVpbHkuY29uc3VsLmNhLmNhOTg1N2RhLmNvbnN1bDAeFw0yMjEyMjIxNTIzMDVa%0AFw0yMjEyMjUxNTIzMDVaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAROaLaT%0A%2BzyYZKfujWX4vOde%2BnnsGP3z0xaEGQFbgi%2BGU%2BrFfMdadzYF1oXDItS%2FpuBADuha%0Ao0iH2i2aRPUbTm4Ko4HyMIHvMA4GA1UdDwEB%2FwQEAwIDuDAdBgNVHSUEFjAUBggr%0ABgEFBQcDAgYIKwYBBQUHAwEwDAYDVR0TAQH%2FBAIwADApBgNVHQ4EIgQgWTznn%2BPz%0A4eNoiwdO%2FID3uqbyiBJBFbZFAGs7m5KnoCkwKwYDVR0jBCQwIoAgAdVe5N4m4Qlv%0Afgp9tvw0MGq7puWWuLfiw7qghdr1VDIwWAYDVR0RAQH%2FBE4wTIZKc3BpZmZlOi8v%0AY2E5ODU3ZGEtNzFhYS1jNWJlLWVjOGYtYWJjZDkwY2FlNjkzLmNvbnN1bC9nYXRl%0Ad2F5L21lc2gvZGMvYWxwaGEwCgYIKoZIzj0EAwIDRwAwRAIgJu5Z6O10nQe9HAzk%0ARonRMODgENawDHbErpkQ1q91ZTYCIEHccGIEp3OybkvkmIB9s%2Bu%2FbguUjJ4ZKAiD%0AV0dKf1Ao%0A-----END%20CERTIFICATE-----%0A";Subject="";URI=spiffe://ca9857da-71aa-c5be-ec8f-abcd90cae693.consul/gateway/mesh/dc/alpha`,
trustDomain: "fc9a08ef-efb4-bbc9-b3ec-b93e768abfc2.consul",
namespace: "default",
datacenter: "primary",
service: "s1",
},
}
re := regexp.MustCompile(downstreamServiceIdentityMatcher)
for n, c := range cases {
t.Run(n, func(t *testing.T) {
matches := re.FindAllStringSubmatch(c.xfcc, -1)
require.Len(t, matches, 1)
m := matches[0]
require.Equal(t, c.trustDomain, m[1])
require.Equal(t, c.partition, m[2])
require.Equal(t, c.namespace, m[3])
require.Equal(t, c.datacenter, m[4])
require.Equal(t, c.service, m[5])
})
}
}
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
func TestPathToSegments(t *testing.T) {
tests := map[string]struct {
key string
paths []string
expected []*envoy_matcher_v3.MetadataMatcher_PathSegment
}{
"single-path": {
key: "jwt_payload_okta",
paths: []string{"perms"},
expected: []*envoy_matcher_v3.MetadataMatcher_PathSegment{
{
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "jwt_payload_okta"},
},
{
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "perms"},
},
},
},
"multi-paths": {
key: "jwt_payload_okta",
paths: []string{"perms", "roles"},
expected: []*envoy_matcher_v3.MetadataMatcher_PathSegment{
{
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "jwt_payload_okta"},
},
{
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "perms"},
},
{
Segment: &envoy_matcher_v3.MetadataMatcher_PathSegment_Key{Key: "roles"},
},
},
},
}
for name, tt := range tests {
tt := tt
t.Run(name, func(t *testing.T) {
segments := pathToSegments(tt.paths, tt.key)
require.ElementsMatch(t, segments, tt.expected)
})
}
}
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
func TestJWTClaimsToPrincipals(t *testing.T) {
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
var (
firstClaim = structs.IntentionJWTClaimVerification{
Path: []string{"perms"},
Value: "admin",
}
secondClaim = structs.IntentionJWTClaimVerification{
Path: []string{"passage"},
Value: "secret",
}
payloadKey = "dummy-key"
firstPrincipal = envoy_rbac_v3.Principal{
Identifier: &envoy_rbac_v3.Principal_Metadata{
Metadata: &envoy_matcher_v3.MetadataMatcher{
Filter: jwtEnvoyFilter,
Path: pathToSegments(firstClaim.Path, payloadKey),
Value: &envoy_matcher_v3.ValueMatcher{
MatchPattern: &envoy_matcher_v3.ValueMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
Exact: firstClaim.Value,
},
},
},
},
},
},
}
secondPrincipal = envoy_rbac_v3.Principal{
Identifier: &envoy_rbac_v3.Principal_Metadata{
Metadata: &envoy_matcher_v3.MetadataMatcher{
Filter: jwtEnvoyFilter,
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
Path: pathToSegments(secondClaim.Path, payloadKey),
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
Value: &envoy_matcher_v3.ValueMatcher{
MatchPattern: &envoy_matcher_v3.ValueMatcher_StringMatch{
StringMatch: &envoy_matcher_v3.StringMatcher{
MatchPattern: &envoy_matcher_v3.StringMatcher_Exact{
Exact: secondClaim.Value,
},
},
},
},
},
},
}
)
tests := map[string]struct {
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
claims []*structs.IntentionJWTClaimVerification
metadataPayloadKey string
expected *envoy_rbac_v3.Principal
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
}{
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
"single-claim": {
claims: []*structs.IntentionJWTClaimVerification{&firstClaim},
metadataPayloadKey: payloadKey,
expected: &firstPrincipal,
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
},
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
"multiple-claims": {
claims: []*structs.IntentionJWTClaimVerification{&firstClaim, &secondClaim},
metadataPayloadKey: payloadKey,
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
expected: &envoy_rbac_v3.Principal{
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
Identifier: &envoy_rbac_v3.Principal_AndIds{
AndIds: &envoy_rbac_v3.Principal_Set{
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
Ids: []*envoy_rbac_v3.Principal{&firstPrincipal, &secondPrincipal},
},
},
},
},
}
for name, tt := range tests {
tt := tt
t.Run(name, func(t *testing.T) {
Use JWT-auth filter in metadata mode & Delegate validation to RBAC filter (#18062) ### Description <!-- Please describe why you're making this change, in plain English. --> - Currently the jwt-auth filter doesn't take into account the service identity when validating jwt-auth, it only takes into account the path and jwt provider during validation. This causes issues when multiple source intentions restrict access to an endpoint with different JWT providers. - To fix these issues, rather than use the JWT auth filter for validation, we use it in metadata mode and allow it to forward the successful validated JWT token payload to the RBAC filter which will make the decisions. This PR ensures requests with and without JWT tokens successfully go through the jwt-authn filter. The filter however only forwards the data for successful/valid tokens. On the RBAC filter level, we check the payload for claims and token issuer + existing rbac rules. ### Testing & Reproduction steps <!-- * In the case of bugs, describe how to replicate * If any manual tests were done, document the steps and the conditions to replicate * Call out any important/ relevant unit tests, e2e tests or integration tests you have added or are adding --> - This test covers a multi level jwt requirements (requirements at top level and permissions level). It also assumes you have envoy running, you have a redis and a sidecar proxy service registered, and have a way to generate jwks with jwt. I mostly use: https://www.scottbrady91.com/tools/jwt for this. - first write your proxy defaults ``` Kind = "proxy-defaults" name = "global" config { protocol = "http" } ``` - Create two providers ``` Kind = "jwt-provider" Name = "auth0" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjog....." } } ``` ``` Kind = "jwt-provider" Name = "okta" Issuer = "https://ronald.local" JSONWebKeySet = { Local = { JWKS = "eyJrZXlzIjogW3...." } } ``` - add a service intention ``` Kind = "service-intentions" Name = "redis" JWT = { Providers = [ { Name = "okta" }, ] } Sources = [ { Name = "*" Permissions = [{ Action = "allow" HTTP = { PathPrefix = "/workspace" } JWT = { Providers = [ { Name = "okta" VerifyClaims = [ { Path = ["aud"] Value = "my_client_app" }, { Path = ["sub"] Value = "5be86359073c434bad2da3932222dabe" } ] }, ] } }, { Action = "allow" HTTP = { PathPrefix = "/" } JWT = { Providers = [ { Name = "auth0" }, ] } }] } ] ``` - generate 3 jwt tokens: 1 from auth0 jwks, 1 from okta jwks with different claims than `/workspace` expects and 1 with correct claims - connect to your envoy (change service and address as needed) to view logs and potential errors. You can add: `-- --log-level debug` to see what data is being forwarded ``` consul connect envoy -sidecar-for redis1 -grpc-addr 127.0.0.1:8502 ``` - Make the following requests: ``` curl -s -H "Authorization: Bearer $Auth0_TOKEN" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_wrong_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v RBAC filter denied curl -s -H "Authorization: Bearer $Okta_TOKEN_with_correct_claims" --insecure --cert leaf.cert --key leaf.key --cacert connect-ca.pem https://localhost:20000/workspace -v Successful request ``` ### TODO * [x] Update test coverage * [ ] update integration tests (follow-up PR) * [x] appropriate backport labels added
2023-07-17 15:32:49 +00:00
principal := jwtClaimsToPrincipals(tt.claims, tt.metadataPayloadKey)
[NET-3092] JWT Verify claims handling (#17452) * [NET-3092] JWT Verify claims handling
2023-05-30 17:38:33 +00:00
require.Equal(t, principal, tt.expected)
})
}
}