2018-10-03 18:18:55 +00:00
|
|
|
package xds
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"errors"
|
|
|
|
"fmt"
|
|
|
|
"sync/atomic"
|
2019-01-11 15:43:18 +00:00
|
|
|
"time"
|
2018-10-03 18:18:55 +00:00
|
|
|
|
|
|
|
envoy "github.com/envoyproxy/go-control-plane/envoy/api/v2"
|
2020-07-09 22:04:23 +00:00
|
|
|
envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
|
2019-06-07 12:10:43 +00:00
|
|
|
envoyauthz "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2"
|
|
|
|
envoyauthzalpha "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2alpha"
|
2018-10-03 18:18:55 +00:00
|
|
|
envoydisco "github.com/envoyproxy/go-control-plane/envoy/service/discovery/v2"
|
2020-07-07 21:22:30 +00:00
|
|
|
"github.com/golang/protobuf/proto"
|
2018-10-03 18:18:55 +00:00
|
|
|
"github.com/hashicorp/consul/acl"
|
|
|
|
"github.com/hashicorp/consul/agent/cache"
|
|
|
|
"github.com/hashicorp/consul/agent/connect"
|
|
|
|
"github.com/hashicorp/consul/agent/proxycfg"
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
2020-01-28 23:50:41 +00:00
|
|
|
"github.com/hashicorp/consul/logging"
|
2020-01-22 10:32:17 +00:00
|
|
|
"github.com/hashicorp/consul/tlsutil"
|
2020-01-28 23:50:41 +00:00
|
|
|
"github.com/hashicorp/go-hclog"
|
2020-07-07 21:22:30 +00:00
|
|
|
rpcstatus "google.golang.org/genproto/googleapis/rpc/status"
|
|
|
|
"google.golang.org/grpc"
|
|
|
|
"google.golang.org/grpc/codes"
|
|
|
|
"google.golang.org/grpc/credentials"
|
|
|
|
"google.golang.org/grpc/metadata"
|
|
|
|
"google.golang.org/grpc/status"
|
2018-10-03 18:18:55 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// ADSStream is a shorter way of referring to this thing...
|
|
|
|
type ADSStream = envoydisco.AggregatedDiscoveryService_StreamAggregatedResourcesServer
|
|
|
|
|
|
|
|
const (
|
|
|
|
// Resource types in xDS v2. These are copied from
|
|
|
|
// envoyproxy/go-control-plane/pkg/cache/resource.go since we don't need any of
|
|
|
|
// the rest of that package.
|
|
|
|
typePrefix = "type.googleapis.com/envoy.api.v2."
|
|
|
|
|
|
|
|
// EndpointType is the TypeURL for Endpoint discovery responses.
|
|
|
|
EndpointType = typePrefix + "ClusterLoadAssignment"
|
|
|
|
|
|
|
|
// ClusterType is the TypeURL for Cluster discovery responses.
|
|
|
|
ClusterType = typePrefix + "Cluster"
|
|
|
|
|
|
|
|
// RouteType is the TypeURL for Route discovery responses.
|
|
|
|
RouteType = typePrefix + "RouteConfiguration"
|
|
|
|
|
|
|
|
// ListenerType is the TypeURL for Listener discovery responses.
|
|
|
|
ListenerType = typePrefix + "Listener"
|
|
|
|
|
|
|
|
// PublicListenerName is the name we give the public listener in Envoy config.
|
|
|
|
PublicListenerName = "public_listener"
|
|
|
|
|
|
|
|
// LocalAppClusterName is the name we give the local application "cluster" in
|
2019-04-29 16:27:57 +00:00
|
|
|
// Envoy config. Note that all cluster names may collide with service names
|
|
|
|
// since we want cluster names and service names to match to enable nice
|
|
|
|
// metrics correlation without massaging prefixes on cluster names.
|
|
|
|
//
|
|
|
|
// We should probably make this more unlikely to collide however changing it
|
|
|
|
// potentially breaks upgrade compatibility without restarting all Envoy's as
|
|
|
|
// it will no longer match their existing cluster name. Changing this will
|
|
|
|
// affect metrics output so could break dashboards (for local app traffic).
|
|
|
|
//
|
|
|
|
// We should probably just make it configurable if anyone actually has
|
|
|
|
// services named "local_app" in the future.
|
2018-10-03 18:18:55 +00:00
|
|
|
LocalAppClusterName = "local_app"
|
|
|
|
|
|
|
|
// LocalAgentClusterName is the name we give the local agent "cluster" in
|
2019-04-29 16:27:57 +00:00
|
|
|
// Envoy config. Note that all cluster names may collide with service names
|
|
|
|
// since we want cluster names and service names to match to enable nice
|
|
|
|
// metrics correlation without massaging prefixes on cluster names.
|
|
|
|
//
|
|
|
|
// We should probably make this more unlikely to collied however changing it
|
|
|
|
// potentially breaks upgrade compatibility without restarting all Envoy's as
|
|
|
|
// it will no longer match their existing cluster name. Changing this will
|
|
|
|
// affect metrics output so could break dashboards (for local agent traffic).
|
|
|
|
//
|
|
|
|
// We should probably just make it configurable if anyone actually has
|
|
|
|
// services named "local_agent" in the future.
|
2018-10-03 18:18:55 +00:00
|
|
|
LocalAgentClusterName = "local_agent"
|
2019-01-11 15:43:18 +00:00
|
|
|
|
|
|
|
// DefaultAuthCheckFrequency is the default value for
|
|
|
|
// Server.AuthCheckFrequency to use when the zero value is provided.
|
|
|
|
DefaultAuthCheckFrequency = 5 * time.Minute
|
2018-10-03 18:18:55 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// ACLResolverFunc is a shim to resolve ACLs. Since ACL enforcement is so far
|
|
|
|
// entirely agent-local and all uses private methods this allows a simple shim
|
|
|
|
// to be written in the agent package to allow resolving without tightly
|
|
|
|
// coupling this to the agent.
|
2018-10-19 16:04:07 +00:00
|
|
|
type ACLResolverFunc func(id string) (acl.Authorizer, error)
|
2018-10-03 18:18:55 +00:00
|
|
|
|
|
|
|
// ConnectAuthz is the interface the agent needs to expose to be able to re-use
|
|
|
|
// the authorization logic between both APIs.
|
|
|
|
type ConnectAuthz interface {
|
|
|
|
// ConnectAuthorize is implemented by Agent.ConnectAuthorize
|
|
|
|
ConnectAuthorize(token string, req *structs.ConnectAuthorizeRequest) (authz bool, reason string, m *cache.ResultMeta, err error)
|
|
|
|
}
|
|
|
|
|
2019-09-26 02:55:52 +00:00
|
|
|
// ServiceChecks is the interface the agent needs to expose
|
|
|
|
// for the xDS server to fetch a service's HTTP check definitions
|
|
|
|
type HTTPCheckFetcher interface {
|
2019-12-10 02:26:41 +00:00
|
|
|
ServiceHTTPBasedChecks(serviceID structs.ServiceID) []structs.CheckType
|
2019-09-26 02:55:52 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// ConfigFetcher is the interface the agent needs to expose
|
|
|
|
// for the xDS server to fetch agent config, currently only one field is fetched
|
|
|
|
type ConfigFetcher interface {
|
|
|
|
AdvertiseAddrLAN() string
|
|
|
|
}
|
|
|
|
|
2018-10-03 18:18:55 +00:00
|
|
|
// ConfigManager is the interface xds.Server requires to consume proxy config
|
|
|
|
// updates. It's satisfied normally by the agent's proxycfg.Manager, but allows
|
|
|
|
// easier testing without several layers of mocked cache, local state and
|
|
|
|
// proxycfg.Manager.
|
|
|
|
type ConfigManager interface {
|
2020-01-24 15:04:58 +00:00
|
|
|
Watch(proxyID structs.ServiceID) (<-chan *proxycfg.ConfigSnapshot, proxycfg.CancelFunc)
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Server represents a gRPC server that can handle both XDS and ext_authz
|
|
|
|
// requests from Envoy. All of it's public members must be set before the gRPC
|
|
|
|
// server is started.
|
|
|
|
//
|
|
|
|
// A full description of the XDS protocol can be found at
|
2019-06-03 16:03:05 +00:00
|
|
|
// https://www.envoyproxy.io/docs/envoy/latest/api-docs/xds_protocol
|
2018-10-03 18:18:55 +00:00
|
|
|
type Server struct {
|
2020-01-28 23:50:41 +00:00
|
|
|
Logger hclog.Logger
|
2018-10-03 18:18:55 +00:00
|
|
|
CfgMgr ConfigManager
|
|
|
|
Authz ConnectAuthz
|
|
|
|
ResolveToken ACLResolverFunc
|
2019-01-11 15:43:18 +00:00
|
|
|
// AuthCheckFrequency is how often we should re-check the credentials used
|
|
|
|
// during a long-lived gRPC Stream after it has been initially established.
|
|
|
|
// This is only used during idle periods of stream interactions (i.e. when
|
|
|
|
// there has been no recent DiscoveryRequest).
|
|
|
|
AuthCheckFrequency time.Duration
|
2019-09-26 02:55:52 +00:00
|
|
|
CheckFetcher HTTPCheckFetcher
|
|
|
|
CfgFetcher ConfigFetcher
|
2019-01-11 15:43:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Initialize will finish configuring the Server for first use.
|
|
|
|
func (s *Server) Initialize() {
|
|
|
|
if s.AuthCheckFrequency == 0 {
|
|
|
|
s.AuthCheckFrequency = DefaultAuthCheckFrequency
|
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
s.Logger = s.Logger.Named(logging.Envoy)
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// StreamAggregatedResources implements
|
|
|
|
// envoydisco.AggregatedDiscoveryServiceServer. This is the ADS endpoint which is
|
|
|
|
// the only xDS API we directly support for now.
|
|
|
|
func (s *Server) StreamAggregatedResources(stream ADSStream) error {
|
|
|
|
// a channel for receiving incoming requests
|
|
|
|
reqCh := make(chan *envoy.DiscoveryRequest)
|
|
|
|
reqStop := int32(0)
|
|
|
|
go func() {
|
|
|
|
for {
|
|
|
|
req, err := stream.Recv()
|
|
|
|
if atomic.LoadInt32(&reqStop) != 0 {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if err != nil {
|
|
|
|
close(reqCh)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
reqCh <- req
|
|
|
|
}
|
|
|
|
}()
|
|
|
|
|
|
|
|
err := s.process(stream, reqCh)
|
|
|
|
if err != nil {
|
2020-01-28 23:50:41 +00:00
|
|
|
s.Logger.Debug("Error handling ADS stream", "error", err)
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// prevents writing to a closed channel if send failed on blocked recv
|
|
|
|
atomic.StoreInt32(&reqStop, 1)
|
|
|
|
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
const (
|
|
|
|
stateInit int = iota
|
2019-01-11 15:43:18 +00:00
|
|
|
statePendingInitialConfig
|
2018-10-03 18:18:55 +00:00
|
|
|
stateRunning
|
|
|
|
)
|
|
|
|
|
|
|
|
func (s *Server) process(stream ADSStream, reqCh <-chan *envoy.DiscoveryRequest) error {
|
|
|
|
// xDS requires a unique nonce to correlate response/request pairs
|
|
|
|
var nonce uint64
|
|
|
|
|
|
|
|
// xDS works with versions of configs. Internally we don't have a consistent
|
2020-03-27 20:08:25 +00:00
|
|
|
// version. We could hash the config since versions don't have to be
|
|
|
|
// ordered as far as I can tell, but it is cheaper to increment a counter
|
2018-10-03 18:18:55 +00:00
|
|
|
// every time we observe a new config since the upstream proxycfg package only
|
|
|
|
// delivers updates when there are actual changes.
|
|
|
|
var configVersion uint64
|
|
|
|
|
|
|
|
// Loop state
|
2020-07-09 22:04:23 +00:00
|
|
|
var (
|
|
|
|
cfgSnap *proxycfg.ConfigSnapshot
|
|
|
|
req *envoy.DiscoveryRequest
|
|
|
|
node *envoycore.Node
|
|
|
|
proxyFeatures supportedProxyFeatures
|
|
|
|
ok bool
|
|
|
|
stateCh <-chan *proxycfg.ConfigSnapshot
|
|
|
|
watchCancel func()
|
|
|
|
proxyID structs.ServiceID
|
|
|
|
)
|
2018-10-03 18:18:55 +00:00
|
|
|
|
|
|
|
// need to run a small state machine to get through initial authentication.
|
|
|
|
var state = stateInit
|
|
|
|
|
|
|
|
// Configure handlers for each type of request
|
|
|
|
handlers := map[string]*xDSType{
|
2020-03-27 20:08:25 +00:00
|
|
|
EndpointType: {
|
2018-10-03 18:18:55 +00:00
|
|
|
typeURL: EndpointType,
|
2019-06-18 00:52:01 +00:00
|
|
|
resources: s.endpointsFromSnapshot,
|
2018-10-03 18:18:55 +00:00
|
|
|
stream: stream,
|
|
|
|
},
|
2020-03-27 20:08:25 +00:00
|
|
|
ClusterType: {
|
2018-10-03 18:18:55 +00:00
|
|
|
typeURL: ClusterType,
|
2019-04-29 16:27:57 +00:00
|
|
|
resources: s.clustersFromSnapshot,
|
2018-10-03 18:18:55 +00:00
|
|
|
stream: stream,
|
2019-11-26 21:55:13 +00:00
|
|
|
allowEmptyFn: func(cfgSnap *proxycfg.ConfigSnapshot) bool {
|
2020-05-07 21:19:25 +00:00
|
|
|
// Mesh, Ingress, and Terminating gateways are allowed to inform CDS of
|
|
|
|
// no clusters.
|
|
|
|
return cfgSnap.Kind == structs.ServiceKindMeshGateway ||
|
|
|
|
cfgSnap.Kind == structs.ServiceKindTerminatingGateway ||
|
|
|
|
cfgSnap.Kind == structs.ServiceKindIngressGateway
|
2019-11-26 21:55:13 +00:00
|
|
|
},
|
2018-10-03 18:18:55 +00:00
|
|
|
},
|
2020-03-27 20:08:25 +00:00
|
|
|
RouteType: {
|
2018-10-03 18:18:55 +00:00
|
|
|
typeURL: RouteType,
|
|
|
|
resources: routesFromSnapshot,
|
|
|
|
stream: stream,
|
2020-05-07 21:19:25 +00:00
|
|
|
allowEmptyFn: func(cfgSnap *proxycfg.ConfigSnapshot) bool {
|
|
|
|
return cfgSnap.Kind == structs.ServiceKindIngressGateway
|
|
|
|
},
|
2018-10-03 18:18:55 +00:00
|
|
|
},
|
2020-03-27 20:08:25 +00:00
|
|
|
ListenerType: {
|
2018-10-03 18:18:55 +00:00
|
|
|
typeURL: ListenerType,
|
2019-04-29 16:27:57 +00:00
|
|
|
resources: s.listenersFromSnapshot,
|
2018-10-03 18:18:55 +00:00
|
|
|
stream: stream,
|
2020-05-07 21:19:25 +00:00
|
|
|
allowEmptyFn: func(cfgSnap *proxycfg.ConfigSnapshot) bool {
|
|
|
|
return cfgSnap.Kind == structs.ServiceKindIngressGateway
|
|
|
|
},
|
2018-10-03 18:18:55 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2019-01-11 15:43:18 +00:00
|
|
|
var authTimer <-chan time.Time
|
|
|
|
extendAuthTimer := func() {
|
|
|
|
authTimer = time.After(s.AuthCheckFrequency)
|
|
|
|
}
|
|
|
|
|
|
|
|
checkStreamACLs := func(cfgSnap *proxycfg.ConfigSnapshot) error {
|
|
|
|
if cfgSnap == nil {
|
|
|
|
return status.Errorf(codes.Unauthenticated, "unauthenticated: no config snapshot")
|
|
|
|
}
|
|
|
|
|
2020-03-27 20:08:25 +00:00
|
|
|
rule, err := s.ResolveToken(tokenFromContext(stream.Context()))
|
2019-01-11 15:43:18 +00:00
|
|
|
|
|
|
|
if acl.IsErrNotFound(err) {
|
|
|
|
return status.Errorf(codes.Unauthenticated, "unauthenticated: %v", err)
|
|
|
|
} else if acl.IsErrPermissionDenied(err) {
|
|
|
|
return status.Errorf(codes.PermissionDenied, "permission denied: %v", err)
|
|
|
|
} else if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2020-01-24 15:04:58 +00:00
|
|
|
var authzContext acl.AuthorizerContext
|
2019-06-24 19:05:36 +00:00
|
|
|
switch cfgSnap.Kind {
|
|
|
|
case structs.ServiceKindConnectProxy:
|
2020-01-24 15:04:58 +00:00
|
|
|
cfgSnap.ProxyID.EnterpriseMeta.FillAuthzContext(&authzContext)
|
|
|
|
if rule != nil && rule.ServiceWrite(cfgSnap.Proxy.DestinationServiceName, &authzContext) != acl.Allow {
|
2019-06-24 19:05:36 +00:00
|
|
|
return status.Errorf(codes.PermissionDenied, "permission denied")
|
|
|
|
}
|
2020-04-27 18:00:14 +00:00
|
|
|
case structs.ServiceKindMeshGateway, structs.ServiceKindTerminatingGateway, structs.ServiceKindIngressGateway:
|
2020-04-16 21:00:48 +00:00
|
|
|
cfgSnap.ProxyID.EnterpriseMeta.FillAuthzContext(&authzContext)
|
|
|
|
if rule != nil && rule.ServiceWrite(cfgSnap.Service, &authzContext) != acl.Allow {
|
|
|
|
return status.Errorf(codes.PermissionDenied, "permission denied")
|
|
|
|
}
|
2019-06-24 19:05:36 +00:00
|
|
|
default:
|
|
|
|
return status.Errorf(codes.Internal, "Invalid service kind")
|
2019-01-11 15:43:18 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Authed OK!
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-10-03 18:18:55 +00:00
|
|
|
for {
|
|
|
|
select {
|
2019-01-11 15:43:18 +00:00
|
|
|
case <-authTimer:
|
|
|
|
// It's been too long since a Discovery{Request,Response} so recheck ACLs.
|
|
|
|
if err := checkStreamACLs(cfgSnap); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
extendAuthTimer()
|
|
|
|
|
2018-10-03 18:18:55 +00:00
|
|
|
case req, ok = <-reqCh:
|
|
|
|
if !ok {
|
|
|
|
// reqCh is closed when stream.Recv errors which is how we detect client
|
2019-03-06 17:13:28 +00:00
|
|
|
// going away. AFAICT the stream.Context() is only canceled once the
|
2018-10-03 18:18:55 +00:00
|
|
|
// RPC method returns which it can't until we return from this one so
|
|
|
|
// there's no point in blocking on that.
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
if req.TypeUrl == "" {
|
|
|
|
return status.Errorf(codes.InvalidArgument, "type URL is required for ADS")
|
|
|
|
}
|
2020-07-09 22:04:23 +00:00
|
|
|
|
|
|
|
if node == nil && req.Node != nil {
|
|
|
|
node = req.Node
|
|
|
|
proxyFeatures = determineSupportedProxyFeatures(req.Node)
|
|
|
|
}
|
|
|
|
|
2018-10-03 18:18:55 +00:00
|
|
|
if handler, ok := handlers[req.TypeUrl]; ok {
|
2020-07-09 22:04:23 +00:00
|
|
|
handler.Recv(req, node, proxyFeatures)
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
case cfgSnap = <-stateCh:
|
|
|
|
// We got a new config, update the version counter
|
|
|
|
configVersion++
|
|
|
|
}
|
|
|
|
|
|
|
|
// Trigger state machine
|
|
|
|
switch state {
|
|
|
|
case stateInit:
|
|
|
|
if req == nil {
|
|
|
|
// This can't happen (tm) since stateCh is nil until after the first req
|
|
|
|
// is received but lets not panic about it.
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
// Start authentication process, we need the proxyID
|
2020-01-24 15:04:58 +00:00
|
|
|
proxyID = structs.NewServiceID(req.Node.Id, parseEnterpriseMeta(req.Node))
|
2018-10-03 18:18:55 +00:00
|
|
|
|
|
|
|
// Start watching config for that proxy
|
|
|
|
stateCh, watchCancel = s.CfgMgr.Watch(proxyID)
|
|
|
|
// Note that in this case we _intend_ the defer to only be triggered when
|
|
|
|
// this whole process method ends (i.e. when streaming RPC aborts) not at
|
|
|
|
// the end of the current loop iteration. We have to do it in the loop
|
|
|
|
// here since we can't start watching until we get to this state in the
|
|
|
|
// state machine.
|
|
|
|
defer watchCancel()
|
|
|
|
|
|
|
|
// Now wait for the config so we can check ACL
|
2019-01-11 15:43:18 +00:00
|
|
|
state = statePendingInitialConfig
|
|
|
|
case statePendingInitialConfig:
|
2018-10-03 18:18:55 +00:00
|
|
|
if cfgSnap == nil {
|
|
|
|
// Nothing we can do until we get the initial config
|
|
|
|
continue
|
|
|
|
}
|
2019-01-11 15:43:18 +00:00
|
|
|
|
|
|
|
// Got config, try to authenticate next.
|
2018-10-03 18:18:55 +00:00
|
|
|
state = stateRunning
|
|
|
|
|
|
|
|
// Lets actually process the config we just got or we'll mis responding
|
|
|
|
fallthrough
|
|
|
|
case stateRunning:
|
2019-01-11 15:43:18 +00:00
|
|
|
// Check ACLs on every Discovery{Request,Response}.
|
|
|
|
if err := checkStreamACLs(cfgSnap); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
// For the first time through the state machine, this is when the
|
|
|
|
// timer is first started.
|
|
|
|
extendAuthTimer()
|
|
|
|
|
2018-10-03 18:18:55 +00:00
|
|
|
// See if any handlers need to have the current (possibly new) config
|
|
|
|
// sent. Note the order here is actually significant so we can't just
|
|
|
|
// range the map which has no determined order. It's important because:
|
|
|
|
//
|
|
|
|
// 1. Envoy needs to see a consistent snapshot to avoid potentially
|
|
|
|
// dropping traffic due to inconsistencies. This is the
|
|
|
|
// main win of ADS after all - we get to control this order.
|
|
|
|
// 2. Non-determinsic order of complex protobuf responses which are
|
|
|
|
// compared for non-exact JSON equivalence makes the tests uber-messy
|
|
|
|
// to handle
|
|
|
|
for _, typeURL := range []string{ClusterType, EndpointType, RouteType, ListenerType} {
|
|
|
|
handler := handlers[typeURL]
|
|
|
|
if err := handler.SendIfNew(cfgSnap, configVersion, &nonce); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
type xDSType struct {
|
2020-07-09 22:04:23 +00:00
|
|
|
typeURL string
|
|
|
|
stream ADSStream
|
|
|
|
req *envoy.DiscoveryRequest
|
|
|
|
node *envoycore.Node
|
|
|
|
proxyFeatures supportedProxyFeatures
|
|
|
|
lastNonce string
|
2018-10-03 18:18:55 +00:00
|
|
|
// lastVersion is the version that was last sent to the proxy. It is needed
|
|
|
|
// because we don't want to send the same version more than once.
|
|
|
|
// req.VersionInfo may be an older version than the most recent once sent in
|
|
|
|
// two cases: 1) if the ACK wasn't received yet and `req` still points to the
|
|
|
|
// previous request we already responded to and 2) if the proxy rejected the
|
|
|
|
// last version we sent with a Nack then req.VersionInfo will be the older
|
|
|
|
// version it's hanging on to.
|
2019-11-26 21:55:13 +00:00
|
|
|
lastVersion uint64
|
2020-07-09 22:04:23 +00:00
|
|
|
resources func(cInfo connectionInfo, cfgSnap *proxycfg.ConfigSnapshot) ([]proto.Message, error)
|
2019-11-26 21:55:13 +00:00
|
|
|
allowEmptyFn func(cfgSnap *proxycfg.ConfigSnapshot) bool
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
|
2020-07-09 22:04:23 +00:00
|
|
|
// connectionInfo represents details specific to this connection
|
|
|
|
type connectionInfo struct {
|
|
|
|
Token string
|
|
|
|
ProxyFeatures supportedProxyFeatures
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *xDSType) Recv(req *envoy.DiscoveryRequest, node *envoycore.Node, proxyFeatures supportedProxyFeatures) {
|
2018-10-03 18:18:55 +00:00
|
|
|
if t.lastNonce == "" || t.lastNonce == req.GetResponseNonce() {
|
|
|
|
t.req = req
|
2020-07-09 22:04:23 +00:00
|
|
|
t.node = node
|
|
|
|
t.proxyFeatures = proxyFeatures
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (t *xDSType) SendIfNew(cfgSnap *proxycfg.ConfigSnapshot, version uint64, nonce *uint64) error {
|
|
|
|
if t.req == nil {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
if t.lastVersion >= version {
|
|
|
|
// Already sent this version
|
|
|
|
return nil
|
|
|
|
}
|
2020-07-09 22:04:23 +00:00
|
|
|
|
|
|
|
cInfo := connectionInfo{
|
|
|
|
Token: tokenFromContext(t.stream.Context()),
|
|
|
|
ProxyFeatures: t.proxyFeatures,
|
|
|
|
}
|
|
|
|
resources, err := t.resources(cInfo, cfgSnap)
|
2018-10-03 18:18:55 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-11-26 21:55:13 +00:00
|
|
|
|
|
|
|
allowEmpty := t.allowEmptyFn != nil && t.allowEmptyFn(cfgSnap)
|
|
|
|
|
2019-03-22 19:37:14 +00:00
|
|
|
// Zero length resource responses should be ignored and are the result of no
|
|
|
|
// data yet. Notice that this caused a bug originally where we had zero
|
|
|
|
// healthy endpoints for an upstream that would cause Envoy to hang waiting
|
|
|
|
// for the EDS response. This is fixed though by ensuring we send an explicit
|
|
|
|
// empty LoadAssignment resource for the cluster rather than allowing junky
|
|
|
|
// empty resources.
|
2019-11-26 21:55:13 +00:00
|
|
|
if len(resources) == 0 && !allowEmpty {
|
2018-10-03 18:18:55 +00:00
|
|
|
// Nothing to send yet
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Note we only increment nonce when we actually send - not important for
|
|
|
|
// correctness but makes tests much simpler when we skip a type like Routes
|
|
|
|
// with nothing to send.
|
|
|
|
*nonce++
|
|
|
|
nonceStr := fmt.Sprintf("%08x", *nonce)
|
|
|
|
versionStr := fmt.Sprintf("%08x", version)
|
|
|
|
|
|
|
|
resp, err := createResponse(t.typeURL, versionStr, nonceStr, resources)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
err = t.stream.Send(resp)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
t.lastVersion = version
|
|
|
|
t.lastNonce = nonceStr
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func tokenFromContext(ctx context.Context) string {
|
|
|
|
md, ok := metadata.FromIncomingContext(ctx)
|
|
|
|
if !ok {
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
toks, ok := md["x-consul-token"]
|
|
|
|
if ok && len(toks) > 0 {
|
|
|
|
return toks[0]
|
|
|
|
}
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
|
2019-06-07 12:10:43 +00:00
|
|
|
// DeltaAggregatedResources implements envoydisco.AggregatedDiscoveryServiceServer
|
|
|
|
func (s *Server) DeltaAggregatedResources(_ envoydisco.AggregatedDiscoveryService_DeltaAggregatedResourcesServer) error {
|
2018-10-03 18:18:55 +00:00
|
|
|
return errors.New("not implemented")
|
|
|
|
}
|
|
|
|
|
|
|
|
func deniedResponse(reason string) (*envoyauthz.CheckResponse, error) {
|
|
|
|
return &envoyauthz.CheckResponse{
|
2020-07-07 21:22:30 +00:00
|
|
|
Status: &rpcstatus.Status{
|
|
|
|
Code: int32(codes.PermissionDenied),
|
2018-10-03 18:18:55 +00:00
|
|
|
Message: "Denied: " + reason,
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check implements envoyauthz.AuthorizationServer.
|
|
|
|
func (s *Server) Check(ctx context.Context, r *envoyauthz.CheckRequest) (*envoyauthz.CheckResponse, error) {
|
|
|
|
// Sanity checks
|
|
|
|
if r.Attributes == nil || r.Attributes.Source == nil || r.Attributes.Destination == nil {
|
|
|
|
return nil, status.Error(codes.InvalidArgument, "source and destination attributes are required")
|
|
|
|
}
|
|
|
|
if r.Attributes.Source.Principal == "" || r.Attributes.Destination.Principal == "" {
|
|
|
|
return nil, status.Error(codes.InvalidArgument, "source and destination Principal are required")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Parse destination to know the target service
|
|
|
|
dest, err := connect.ParseCertURIFromString(r.Attributes.Destination.Principal)
|
|
|
|
if err != nil {
|
2020-01-28 23:50:41 +00:00
|
|
|
s.Logger.Debug("Connect AuthZ DENIED: bad destination URI", "source", r.Attributes.Source.Principal, "destination",
|
|
|
|
r.Attributes.Destination.Principal)
|
2018-10-03 18:18:55 +00:00
|
|
|
// Treat this as an auth error since Envoy has sent something it considers
|
|
|
|
// valid, it's just not an identity we trust.
|
2019-01-18 21:00:54 +00:00
|
|
|
return deniedResponse("Destination Principal is not a valid Connect identity")
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
destID, ok := dest.(*connect.SpiffeIDService)
|
|
|
|
if !ok {
|
2020-01-28 23:50:41 +00:00
|
|
|
s.Logger.Debug("Connect AuthZ DENIED: bad destination service ID", "source", r.Attributes.Source.Principal, "destination",
|
|
|
|
r.Attributes.Destination.Principal)
|
2019-01-18 21:00:54 +00:00
|
|
|
return deniedResponse("Destination Principal is not a valid Service identity")
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// For now we don't validate the trust domain of the _destination_ at all -
|
|
|
|
// the HTTP Authorize endpoint just accepts a target _service_ and it's
|
|
|
|
// implicit that the request is for the correct cluster. We might want to
|
|
|
|
// reconsider this later but plumbing in additional machinery to check the
|
|
|
|
// clusterID here is not really necessary for now unless Envoys are badly
|
|
|
|
// configured. Our threat model _requires_ correctly configured and well
|
|
|
|
// behaved proxies given that they have ACLs to fetch certs and so can do
|
|
|
|
// whatever they want including not authorizing traffic at all or routing it
|
|
|
|
// do a different service than they auth'd against.
|
|
|
|
|
|
|
|
// Create an authz request
|
|
|
|
req := &structs.ConnectAuthorizeRequest{
|
2020-01-29 22:30:38 +00:00
|
|
|
Target: destID.Service,
|
|
|
|
EnterpriseMeta: *destID.GetEnterpriseMeta(),
|
|
|
|
ClientCertURI: r.Attributes.Source.Principal,
|
2018-10-03 18:18:55 +00:00
|
|
|
// TODO(banks): need Envoy to support sending cert serial/hash to enforce
|
|
|
|
// revocation later.
|
|
|
|
}
|
|
|
|
token := tokenFromContext(ctx)
|
|
|
|
authed, reason, _, err := s.Authz.ConnectAuthorize(token, req)
|
|
|
|
if err != nil {
|
|
|
|
if err == acl.ErrPermissionDenied {
|
2020-01-28 23:50:41 +00:00
|
|
|
s.Logger.Debug("Connect AuthZ failed ACL check", "error", err, "source", r.Attributes.Source.Principal,
|
|
|
|
"dest", r.Attributes.Destination.Principal)
|
2018-10-03 18:18:55 +00:00
|
|
|
return nil, status.Error(codes.PermissionDenied, err.Error())
|
|
|
|
}
|
2020-01-28 23:50:41 +00:00
|
|
|
s.Logger.Debug("Connect AuthZ failed", "error", err, "source", r.Attributes.Source.Principal,
|
|
|
|
"destination", r.Attributes.Destination.Principal)
|
2018-10-03 18:18:55 +00:00
|
|
|
return nil, status.Error(codes.Internal, err.Error())
|
|
|
|
}
|
|
|
|
if !authed {
|
2020-01-28 23:50:41 +00:00
|
|
|
s.Logger.Debug("Connect AuthZ DENIED", "source", r.Attributes.Source.Principal,
|
|
|
|
"destination", r.Attributes.Destination.Principal, "reason", reason)
|
2018-10-03 18:18:55 +00:00
|
|
|
return deniedResponse(reason)
|
|
|
|
}
|
|
|
|
|
2020-01-28 23:50:41 +00:00
|
|
|
s.Logger.Debug("Connect AuthZ ALLOWED", "source", r.Attributes.Source.Principal,
|
|
|
|
"destination", r.Attributes.Destination.Principal, "reason", reason)
|
2018-10-03 18:18:55 +00:00
|
|
|
return &envoyauthz.CheckResponse{
|
2020-07-07 21:22:30 +00:00
|
|
|
Status: &rpcstatus.Status{
|
|
|
|
Code: int32(codes.OK),
|
2018-10-03 18:18:55 +00:00
|
|
|
Message: "ALLOWED: " + reason,
|
|
|
|
},
|
|
|
|
}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// GRPCServer returns a server instance that can handle XDS and ext_authz
|
|
|
|
// requests.
|
2020-01-22 10:32:17 +00:00
|
|
|
func (s *Server) GRPCServer(tlsConfigurator *tlsutil.Configurator) (*grpc.Server, error) {
|
2018-10-03 18:18:55 +00:00
|
|
|
opts := []grpc.ServerOption{
|
|
|
|
grpc.MaxConcurrentStreams(2048),
|
|
|
|
}
|
2020-01-22 10:32:17 +00:00
|
|
|
if tlsConfigurator != nil {
|
|
|
|
if tlsConfigurator.Cert() != nil {
|
|
|
|
creds := credentials.NewTLS(tlsConfigurator.IncomingGRPCConfig())
|
|
|
|
opts = append(opts, grpc.Creds(creds))
|
2018-10-03 18:18:55 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
srv := grpc.NewServer(opts...)
|
|
|
|
envoydisco.RegisterAggregatedDiscoveryServiceServer(srv, s)
|
2019-06-07 12:10:43 +00:00
|
|
|
|
|
|
|
// Envoy 1.10 changed the package for ext_authz from v2alpha to v2. We still
|
|
|
|
// need to be compatible with 1.9.1 and earlier which only uses v2alpha. While
|
|
|
|
// there is a deprecated compatibility shim option in 1.10, we want to support
|
|
|
|
// first class. Fortunately they are wire-compatible so we can just register a
|
|
|
|
// single service implementation (using the new v2 package definitions) but
|
|
|
|
// using the old v2alpha regiatration function which just exports it on the
|
|
|
|
// old path as well.
|
2018-10-03 18:18:55 +00:00
|
|
|
envoyauthz.RegisterAuthorizationServer(srv, s)
|
2019-06-07 12:10:43 +00:00
|
|
|
envoyauthzalpha.RegisterAuthorizationServer(srv, s)
|
|
|
|
|
2018-10-03 18:18:55 +00:00
|
|
|
return srv, nil
|
|
|
|
}
|