consul/agent/connect/uri_service.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package connect

import (
	"fmt"
	"net/url"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

// SpiffeIDService is the structure to represent the SPIFFE ID for a service.
type SpiffeIDService struct {
	Host       string
	Partition  string
	Namespace  string
	Datacenter string
	Service    string
}

func (id SpiffeIDService) NamespaceOrDefault() string {
	return acl.NamespaceOrDefault(id.Namespace)
}

func (id SpiffeIDService) MatchesPartition(partition string) bool {
	return id.PartitionOrDefault() == acl.PartitionOrDefault(partition)
}

// URI returns the *url.URL for this SPIFFE ID.
func (id SpiffeIDService) URI() *url.URL {
	var result url.URL
	result.Scheme = "spiffe"
	result.Host = id.Host
	result.Path = id.uriPath()
	return &result
}

func (id SpiffeIDService) uriPath() string {
	path := fmt.Sprintf("/ns/%s/dc/%s/svc/%s",
		id.NamespaceOrDefault(),
		id.Datacenter,
		id.Service,
	)

	// Although CE has no support for partitions, it still needs to be able to
	// handle exportedPartition from peered Consul Enterprise clusters in order
	// to generate the correct SpiffeID.
	// We intentionally avoid using pbpartition.DefaultName here to be CE friendly.
	if ap := id.PartitionOrDefault(); ap != "" && ap != "default" {
		return "/ap/" + ap + path
	}
	return path
}

// SpiffeIDFromIdentityRef creates the SPIFFE ID from a workload identity.
// TODO (ishustava): make sure ref type is workload identity.
func SpiffeIDFromIdentityRef(trustDomain string, ref *pbresource.Reference) string {
	return SpiffeIDWorkloadIdentity{
		TrustDomain:      trustDomain,
		Partition:        ref.Tenancy.Partition,
		Namespace:        ref.Tenancy.Namespace,
		WorkloadIdentity: ref.Name,
	}.URI().String()
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00
agent/connect: Authorize for CertURI 2018-03-26 00:39:18 +00:00			`package connect`

			`import (`
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain. 2022-06-10 21:15:22 +00:00			`"fmt"`
agent/connect: Authorize for CertURI 2018-03-26 00:39:18 +00:00			`"net/url"`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2022-04-05 21:10:06 +00:00			`"github.com/hashicorp/consul/acl"`
sidecar-proxy controller: L4 controller with explicit upstreams (NET-3988) (#18352) * This controller generates and saves ProxyStateTemplate for sidecar proxies. * It currently supports single-port L4 ports only. * It keeps a cache of all destinations to make it easier to compute and retrieve destinations. * It will update the status of the pbmesh.Upstreams resource if anything is invalid. * This commit also changes service endpoints to include workload identity. This made the implementation a bit easier as we don't need to look up as many workloads and instead rely on endpoints data. 2023-09-07 15:37:15 +00:00			`"github.com/hashicorp/consul/proto-public/pbresource"`
agent/connect: Authorize for CertURI 2018-03-26 00:39:18 +00:00			`)`

			`// SpiffeIDService is the structure to represent the SPIFFE ID for a service.`
			`type SpiffeIDService struct {`
			`Host string`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`Partition string`
agent/connect: Authorize for CertURI 2018-03-26 00:39:18 +00:00			`Namespace string`
			`Datacenter string`
			`Service string`
			`}`

connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`func (id SpiffeIDService) NamespaceOrDefault() string {`
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2022-04-05 21:10:06 +00:00			`return acl.NamespaceOrDefault(id.Namespace)`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`}`

			`func (id SpiffeIDService) MatchesPartition(partition string) bool {`
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2022-04-05 21:10:06 +00:00			`return id.PartitionOrDefault() == acl.PartitionOrDefault(partition)`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`}`

agent/connect: Authorize for CertURI 2018-03-26 00:39:18 +00:00			`// URI returns the *url.URL for this SPIFFE ID.`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`func (id SpiffeIDService) URI() *url.URL {`
agent/connect: Authorize for CertURI 2018-03-26 00:39:18 +00:00			`var result url.URL`
			`result.Scheme = "spiffe"`
			`result.Host = id.Host`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`result.Path = id.uriPath()`
agent/connect: Authorize for CertURI 2018-03-26 00:39:18 +00:00			`return &result`
			`}`
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain. 2022-06-10 21:15:22 +00:00
			`func (id SpiffeIDService) uriPath() string {`
			`path := fmt.Sprintf("/ns/%s/dc/%s/svc/%s",`
			`id.NamespaceOrDefault(),`
			`id.Datacenter,`
			`id.Service,`
			`)`

OSS -> CE (community edition) changes (#18517) 2023-08-22 14:46:03 +00:00			`// Although CE has no support for partitions, it still needs to be able to`
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain. 2022-06-10 21:15:22 +00:00			`// handle exportedPartition from peered Consul Enterprise clusters in order`
			`// to generate the correct SpiffeID.`
OSS -> CE (community edition) changes (#18517) 2023-08-22 14:46:03 +00:00			`// We intentionally avoid using pbpartition.DefaultName here to be CE friendly.`
Update RBAC to handle imported services (#13404) When converting from Consul intentions to xds RBAC rules, services imported from other peers must encode additional data like partition (from the remote cluster) and trust domain. This PR updates the PeeringTrustBundle to hold the sending side's local partition as ExportedPartition. It also updates RBAC code to encode SpiffeIDs of imported services with the ExportedPartition and TrustDomain. 2022-06-10 21:15:22 +00:00			`if ap := id.PartitionOrDefault(); ap != "" && ap != "default" {`
			`return "/ap/" + ap + path`
			`}`
			`return path`
			`}`
sidecar-proxy controller: L4 controller with explicit upstreams (NET-3988) (#18352) * This controller generates and saves ProxyStateTemplate for sidecar proxies. * It currently supports single-port L4 ports only. * It keeps a cache of all destinations to make it easier to compute and retrieve destinations. * It will update the status of the pbmesh.Upstreams resource if anything is invalid. * This commit also changes service endpoints to include workload identity. This made the implementation a bit easier as we don't need to look up as many workloads and instead rely on endpoints data. 2023-09-07 15:37:15 +00:00
			`// SpiffeIDFromIdentityRef creates the SPIFFE ID from a workload identity.`
			`// TODO (ishustava): make sure ref type is workload identity.`
			`func SpiffeIDFromIdentityRef(trustDomain string, ref *pbresource.Reference) string {`
			`return SpiffeIDWorkloadIdentity{`
xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756) * Refactors the leafcert package to not have a dependency on agent/consul and agent/cache to avoid import cycles. This way the xds controller can just import the leafcert package to use the leafcert manager. The leaf cert logic in the controller: * Sets up watches for leaf certs that are referenced in the ProxyStateTemplate (which generates the leaf certs too). * Gets the leaf cert from the leaf cert cache * Stores the leaf cert in the ProxyState that's pushed to xds * For the cert watches, this PR also uses a bimapper + a thin wrapper to map leaf cert events to related ProxyStateTemplates Since bimapper uses a resource.Reference or resource.ID to map between two resource types, I've created an internal type for a leaf certificate to use for the resource.Reference, since it's not a v2 resource. The wrapper allows mapping events to resources (as opposed to mapping resources to resources) The controller tests: Unit: Ensure that we resolve leaf cert references Lifecycle: Ensure that when the CA is updated, the leaf cert is as well Also adds a new spiffe id type, and adds workload identity and workload identity URI to leaf certs. This is so certs are generated with the new workload identity based SPIFFE id. * Pulls out some leaf cert test helpers into a helpers file so it can be used in the xds controller tests. * Wires up leaf cert manager dependency * Support getting token from proxytracker * Add workload identity spiffe id type to the authorize and sign functions --------- Co-authored-by: John Murret <john.murret@hashicorp.com> 2023-09-12 19:56:43 +00:00			`TrustDomain: trustDomain,`
			`Partition: ref.Tenancy.Partition,`
			`Namespace: ref.Tenancy.Namespace,`
			`WorkloadIdentity: ref.Name,`
sidecar-proxy controller: L4 controller with explicit upstreams (NET-3988) (#18352) * This controller generates and saves ProxyStateTemplate for sidecar proxies. * It currently supports single-port L4 ports only. * It keeps a cache of all destinations to make it easier to compute and retrieve destinations. * It will update the status of the pbmesh.Upstreams resource if anything is invalid. * This commit also changes service endpoints to include workload identity. This made the implementation a bit easier as we don't need to look up as many workloads and instead rely on endpoints data. 2023-09-07 15:37:15 +00:00			`}.URI().String()`
			`}`