2023-03-28 23:48:58 +01:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
2023-08-11 09:12:13 -04:00
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
2023-03-28 23:48:58 +01:00
|
|
|
|
2023-03-27 14:37:54 -05:00
|
|
|
package resource
|
|
|
|
|
|
|
|
import (
|
2023-05-15 12:35:10 +01:00
|
|
|
"errors"
|
|
|
|
|
2023-04-11 06:10:14 -05:00
|
|
|
"google.golang.org/grpc/codes"
|
|
|
|
"google.golang.org/grpc/status"
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/acl"
|
2023-08-21 15:02:23 -05:00
|
|
|
"github.com/hashicorp/consul/internal/resource"
|
2023-03-27 14:37:54 -05:00
|
|
|
"github.com/hashicorp/consul/internal/storage"
|
|
|
|
"github.com/hashicorp/consul/proto-public/pbresource"
|
|
|
|
)
|
|
|
|
|
|
|
|
func (s *Server) WatchList(req *pbresource.WatchListRequest, stream pbresource.ResourceService_WatchListServer) error {
|
2023-11-03 16:03:07 -04:00
|
|
|
reg, err := s.ensureWatchListRequestValid(req)
|
2023-04-11 06:10:14 -05:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-08-21 15:02:23 -05:00
|
|
|
// v1 ACL subsystem is "wildcard" aware so just pass on through.
|
|
|
|
entMeta := v2TenancyToV1EntMeta(req.Tenancy)
|
|
|
|
token := tokenFromContext(stream.Context())
|
|
|
|
authz, authzContext, err := s.getAuthorizer(token, entMeta)
|
2023-04-11 06:10:14 -05:00
|
|
|
if err != nil {
|
2023-03-27 14:37:54 -05:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-08-21 15:02:23 -05:00
|
|
|
// Check list ACL.
|
2023-08-15 16:57:59 -05:00
|
|
|
err = reg.ACLs.List(authz, authzContext)
|
2023-04-11 06:10:14 -05:00
|
|
|
switch {
|
|
|
|
case acl.IsErrPermissionDenied(err):
|
|
|
|
return status.Error(codes.PermissionDenied, err.Error())
|
|
|
|
case err != nil:
|
|
|
|
return status.Errorf(codes.Internal, "failed list acl: %v", err)
|
|
|
|
}
|
|
|
|
|
2023-08-21 15:02:23 -05:00
|
|
|
// Ensure we're defaulting correctly when request tenancy units are empty.
|
|
|
|
v1EntMetaToV2Tenancy(reg, entMeta, req.Tenancy)
|
|
|
|
|
2023-03-27 14:37:54 -05:00
|
|
|
unversionedType := storage.UnversionedTypeFrom(req.Type)
|
2023-04-04 17:30:06 +01:00
|
|
|
watch, err := s.Backend.WatchList(
|
2023-03-27 14:37:54 -05:00
|
|
|
stream.Context(),
|
|
|
|
unversionedType,
|
|
|
|
req.Tenancy,
|
|
|
|
req.NamePrefix,
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2023-03-31 13:24:19 +01:00
|
|
|
defer watch.Close()
|
2023-03-27 14:37:54 -05:00
|
|
|
|
|
|
|
for {
|
|
|
|
event, err := watch.Next(stream.Context())
|
2023-05-15 12:35:10 +01:00
|
|
|
switch {
|
|
|
|
case errors.Is(err, storage.ErrWatchClosed):
|
|
|
|
return status.Error(codes.Aborted, "watch closed by the storage backend (possibly due to snapshot restoration)")
|
|
|
|
case err != nil:
|
2023-04-11 06:10:14 -05:00
|
|
|
return status.Errorf(codes.Internal, "failed next: %v", err)
|
2023-03-27 14:37:54 -05:00
|
|
|
}
|
|
|
|
|
2023-04-11 06:10:14 -05:00
|
|
|
// drop group versions that don't match
|
2023-03-27 14:37:54 -05:00
|
|
|
if event.Resource.Id.Type.GroupVersion != req.Type.GroupVersion {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2023-08-21 15:02:23 -05:00
|
|
|
// Need to rebuild authorizer per resource since wildcard inputs may
|
|
|
|
// result in different tenancies. Consider caching per tenancy if this
|
|
|
|
// is deemed expensive.
|
|
|
|
entMeta = v2TenancyToV1EntMeta(event.Resource.Id.Tenancy)
|
|
|
|
authz, authzContext, err = s.getAuthorizer(token, entMeta)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-04-11 06:10:14 -05:00
|
|
|
// filter out items that don't pass read ACLs
|
2023-09-22 09:53:55 -05:00
|
|
|
err = reg.ACLs.Read(authz, authzContext, event.Resource.Id, event.Resource)
|
2023-04-11 06:10:14 -05:00
|
|
|
switch {
|
|
|
|
case acl.IsErrPermissionDenied(err):
|
|
|
|
continue
|
|
|
|
case err != nil:
|
|
|
|
return status.Errorf(codes.Internal, "failed read acl: %v", err)
|
|
|
|
}
|
|
|
|
|
2023-03-27 14:37:54 -05:00
|
|
|
if err = stream.Send(event); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2023-05-10 10:38:48 +01:00
|
|
|
|
2023-11-03 16:03:07 -04:00
|
|
|
func (s *Server) ensureWatchListRequestValid(req *pbresource.WatchListRequest) (*resource.Registration, error) {
|
|
|
|
if req.Type == nil {
|
|
|
|
return nil, status.Errorf(codes.InvalidArgument, "type is required")
|
2023-08-21 15:02:23 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Check type exists.
|
|
|
|
reg, err := s.resolveType(req.Type)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2023-11-03 16:03:07 -04:00
|
|
|
// if no tenancy is passed defaults to wildcard
|
|
|
|
if req.Tenancy == nil {
|
|
|
|
req.Tenancy = wildcardTenancyFor(reg.Scope)
|
|
|
|
}
|
|
|
|
|
2023-10-27 08:55:02 -05:00
|
|
|
if err = checkV2Tenancy(s.UseV2Tenancy, req.Type); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2023-10-16 12:55:30 -05:00
|
|
|
if err := validateWildcardTenancy(req.Tenancy, req.NamePrefix); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2023-08-21 15:02:23 -05:00
|
|
|
|
2023-11-03 16:03:07 -04:00
|
|
|
// Check scope
|
2023-12-13 10:06:39 -05:00
|
|
|
if err = validateScopedTenancy(reg.Scope, req.Type, req.Tenancy, true); err != nil {
|
2023-11-03 16:03:07 -04:00
|
|
|
return nil, err
|
2023-08-21 15:02:23 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
return reg, nil
|
2023-05-10 10:38:48 +01:00
|
|
|
}
|
2023-11-03 16:03:07 -04:00
|
|
|
|
|
|
|
func wildcardTenancyFor(scope resource.Scope) *pbresource.Tenancy {
|
|
|
|
var defaultTenancy *pbresource.Tenancy
|
|
|
|
|
|
|
|
switch scope {
|
|
|
|
case resource.ScopeCluster:
|
|
|
|
defaultTenancy = &pbresource.Tenancy{
|
|
|
|
PeerName: storage.Wildcard,
|
|
|
|
}
|
|
|
|
case resource.ScopePartition:
|
|
|
|
defaultTenancy = &pbresource.Tenancy{
|
|
|
|
Partition: storage.Wildcard,
|
|
|
|
PeerName: storage.Wildcard,
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
defaultTenancy = &pbresource.Tenancy{
|
|
|
|
Partition: storage.Wildcard,
|
|
|
|
PeerName: storage.Wildcard,
|
|
|
|
Namespace: storage.Wildcard,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return defaultTenancy
|
|
|
|
}
|