consul/agent/connect/uri.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package connect

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// CertURI represents a Connect-valid URI value for a TLS certificate.
// The user should type switch on the various implementations in this
// package to determine the type of URI and the data encoded within it.
//
// Note that the current implementations of this are all also SPIFFE IDs.
// However, we anticipate that we may accept URIs that are also not SPIFFE
// compliant and therefore the interface is named as such.
type CertURI interface {
	// URI is the valid URI value used in the cert.
	URI() *url.URL
}

var (
	spiffeIDServiceRegexp = regexp.MustCompile(
		`^(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/]+)$`)
	spiffeIDAgentRegexp = regexp.MustCompile(
		`^(?:/ap/([^/]+))?/agent/client/dc/([^/]+)/id/([^/]+)$`)
	spiffeIDServerRegexp = regexp.MustCompile(
		`^/agent/server/dc/([^/]+)$`)
	spiffeIDMeshGatewayRegexp = regexp.MustCompile(
		`^(?:/ap/([^/]+))?/gateway/mesh/dc/([^/]+)$`)
)

// ParseCertURIFromString attempts to parse a string representation of a
// certificate URI as a convenience helper around ParseCertURI.
func ParseCertURIFromString(input string) (CertURI, error) {
	// Parse the certificate URI from the string
	uriRaw, err := url.Parse(input)
	if err != nil {
		return nil, err
	}
	return ParseCertURI(uriRaw)
}

// ParseCertURI parses a the URI value from a TLS certificate.
func ParseCertURI(input *url.URL) (CertURI, error) {
	if input.Scheme != "spiffe" {
		return nil, fmt.Errorf("SPIFFE ID must have 'spiffe' scheme")
	}

	// Path is the raw value of the path without url decoding values.
	// RawPath is empty if there were no encoded values so we must
	// check both.
	path := input.Path
	if input.RawPath != "" {
		path = input.RawPath
	}

	// Test for service IDs
	if v := spiffeIDServiceRegexp.FindStringSubmatch(path); v != nil {
		// Determine the values. We assume they're reasonable to save cycles,
		// but if the raw path is not empty that means that something is
		// URL encoded so we go to the slow path.
		ap := v[1]
		ns := v[2]
		dc := v[3]
		service := v[4]
		if input.RawPath != "" {
			var err error
			if ap, err = url.PathUnescape(v[1]); err != nil {
				return nil, fmt.Errorf("Invalid admin partition: %s", err)
			}
			if ns, err = url.PathUnescape(v[2]); err != nil {
				return nil, fmt.Errorf("Invalid namespace: %s", err)
			}
			if dc, err = url.PathUnescape(v[3]); err != nil {
				return nil, fmt.Errorf("Invalid datacenter: %s", err)
			}
			if service, err = url.PathUnescape(v[4]); err != nil {
				return nil, fmt.Errorf("Invalid service: %s", err)
			}
		}

		if ap == "" {
			ap = "default"
		}

		return &SpiffeIDService{
			Host:       input.Host,
			Partition:  ap,
			Namespace:  ns,
			Datacenter: dc,
			Service:    service,
		}, nil
	} else if v := spiffeIDAgentRegexp.FindStringSubmatch(path); v != nil {
		// Determine the values. We assume they're reasonable to save cycles,
		// but if the raw path is not empty that means that something is
		// URL encoded so we go to the slow path.
		ap := v[1]
		dc := v[2]
		agent := v[3]
		if input.RawPath != "" {
			var err error
			if ap, err = url.PathUnescape(v[1]); err != nil {
				return nil, fmt.Errorf("Invalid admin partition: %s", err)
			}
			if dc, err = url.PathUnescape(v[2]); err != nil {
				return nil, fmt.Errorf("Invalid datacenter: %s", err)
			}
			if agent, err = url.PathUnescape(v[3]); err != nil {
				return nil, fmt.Errorf("Invalid node: %s", err)
			}
		}

		if ap == "" {
			ap = "default"
		}

		return &SpiffeIDAgent{
			Host:       input.Host,
			Partition:  ap,
			Datacenter: dc,
			Agent:      agent,
		}, nil
	} else if v := spiffeIDMeshGatewayRegexp.FindStringSubmatch(path); v != nil {
		// Determine the values. We assume they're reasonable to save cycles,
		// but if the raw path is not empty that means that something is
		// URL encoded so we go to the slow path.
		ap := v[1]
		dc := v[2]
		if input.RawPath != "" {
			var err error
			if ap, err = url.PathUnescape(v[1]); err != nil {
				return nil, fmt.Errorf("Invalid admin partition: %s", err)
			}
			if dc, err = url.PathUnescape(v[2]); err != nil {
				return nil, fmt.Errorf("Invalid datacenter: %s", err)
			}
		}

		if ap == "" {
			ap = "default"
		}

		return &SpiffeIDMeshGateway{
			Host:       input.Host,
			Partition:  ap,
			Datacenter: dc,
		}, nil
	} else if v := spiffeIDServerRegexp.FindStringSubmatch(path); v != nil {
		dc := v[1]
		if input.RawPath != "" {
			var err error
			if dc, err = url.PathUnescape(v[1]); err != nil {
				return nil, fmt.Errorf("Invalid datacenter: %s", err)
			}
		}

		return &SpiffeIDServer{
			Host:       input.Host,
			Datacenter: dc,
		}, nil
	}

	// Test for signing ID
	if input.Path == "" {
		idx := strings.Index(input.Host, ".")
		if idx > 0 {
			return &SpiffeIDSigning{
				ClusterID: input.Host[:idx],
				Domain:    input.Host[idx+1:],
			}, nil
		}
	}

	return nil, fmt.Errorf("SPIFFE ID is not in the expected format: %s", input.String())
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00
agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`package connect`

			`import (`
			`"fmt"`
			`"net/url"`
			`"regexp"`
agent/connect: support SpiffeIDSigning 2018-03-24 18:46:12 +00:00			`"strings"`
agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`)`

agent/connect: rename SpiffeID to CertURI 2018-03-24 18:39:43 +00:00			`// CertURI represents a Connect-valid URI value for a TLS certificate.`
			`// The user should type switch on the various implementations in this`
			`// package to determine the type of URI and the data encoded within it.`
			`//`
			`// Note that the current implementations of this are all also SPIFFE IDs.`
			`// However, we anticipate that we may accept URIs that are also not SPIFFE`
			`// compliant and therefore the interface is named as such.`
			`type CertURI interface {`
agent/connect: Authorize for CertURI 2018-03-26 00:39:18 +00:00			`// URI is the valid URI value used in the cert.`
agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`URI() *url.URL`
			`}`

			`var (`
			`spiffeIDServiceRegexp = regexp.MustCompile(`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`^(?:/ap/([^/]+))?/ns/([^/]+)/dc/([^/]+)/svc/([^/]+)$`)
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`spiffeIDAgentRegexp = regexp.MustCompile(`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`^(?:/ap/([^/]+))?/agent/client/dc/([^/]+)/id/([^/]+)$`)
Add SpiffeID for Consul server agents (#14485) Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> By adding a SpiffeID for server agents, servers can now request a leaf certificate from the Connect CA. This new Spiffe ID has a key property: servers are identified by their datacenter name and trust domain. All servers that share these attributes will share a ServerURI. The aim is to use these certificates to verify the server name of ANY server in a Consul datacenter. 2022-09-06 23:58:13 +00:00			`spiffeIDServerRegexp = regexp.MustCompile(`
			`^/agent/server/dc/([^/]+)$`)
xds: mesh gateways now have their own leaf certificate when involved in a peering (#13460) This is only configured in xDS when a service with an L7 protocol is exported. They also load any relevant trust bundles for the peered services to eventually use for L7 SPIFFE validation during mTLS termination. 2022-06-15 19:36:18 +00:00			`spiffeIDMeshGatewayRegexp = regexp.MustCompile(`
			`^(?:/ap/([^/]+))?/gateway/mesh/dc/([^/]+)$`)
agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`)`

xDS Server Implementation (#4731) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos 2018-10-03 18:18:55 +00:00			`// ParseCertURIFromString attempts to parse a string representation of a`
fix typos reported by golangci-lint:misspell (#5434) 2019-03-06 17:13:28 +00:00			`// certificate URI as a convenience helper around ParseCertURI.`
xDS Server Implementation (#4731) * Vendor updates for gRPC and xDS server * xDS server implementation for serving Envoy as a Connect proxy * Address initial review comments * consistent envoy package aliases; typos fixed; override TLS and authz for custom listeners * Moar Typos * Moar typos 2018-10-03 18:18:55 +00:00			`func ParseCertURIFromString(input string) (CertURI, error) {`
			`// Parse the certificate URI from the string`
			`uriRaw, err := url.Parse(input)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return ParseCertURI(uriRaw)`
			`}`

agent/connect: rename SpiffeID to CertURI 2018-03-24 18:39:43 +00:00			`// ParseCertURI parses a the URI value from a TLS certificate.`
			`func ParseCertURI(input *url.URL) (CertURI, error) {`
agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`if input.Scheme != "spiffe" {`
			`return nil, fmt.Errorf("SPIFFE ID must have 'spiffe' scheme")`
			`}`

agent/connect: support any values in the URL 2018-03-27 03:31:17 +00:00			`// Path is the raw value of the path without url decoding values.`
			`// RawPath is empty if there were no encoded values so we must`
			`// check both.`
			`path := input.Path`
			`if input.RawPath != "" {`
			`path = input.RawPath`
			`}`

agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`// Test for service IDs`
agent/connect: support any values in the URL 2018-03-27 03:31:17 +00:00			`if v := spiffeIDServiceRegexp.FindStringSubmatch(path); v != nil {`
Replace use of 'sane' where appropriate HashiCorp voice, style, and language guidelines recommend avoiding ableist language unless its reference to ability is accurate in a particular use. 2021-07-02 16:18:46 +00:00			`// Determine the values. We assume they're reasonable to save cycles,`
agent/connect: support any values in the URL 2018-03-27 03:31:17 +00:00			`// but if the raw path is not empty that means that something is`
			`// URL encoded so we go to the slow path.`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`ap := v[1]`
			`ns := v[2]`
			`dc := v[3]`
			`service := v[4]`
agent/connect: support any values in the URL 2018-03-27 03:31:17 +00:00			`if input.RawPath != "" {`
			`var err error`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`if ap, err = url.PathUnescape(v[1]); err != nil {`
			`return nil, fmt.Errorf("Invalid admin partition: %s", err)`
			`}`
			`if ns, err = url.PathUnescape(v[2]); err != nil {`
agent/connect: support any values in the URL 2018-03-27 03:31:17 +00:00			`return nil, fmt.Errorf("Invalid namespace: %s", err)`
			`}`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`if dc, err = url.PathUnescape(v[3]); err != nil {`
agent/connect: support any values in the URL 2018-03-27 03:31:17 +00:00			`return nil, fmt.Errorf("Invalid datacenter: %s", err)`
			`}`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`if service, err = url.PathUnescape(v[4]); err != nil {`
agent/connect: support any values in the URL 2018-03-27 03:31:17 +00:00			`return nil, fmt.Errorf("Invalid service: %s", err)`
			`}`
			`}`

auto-config: ensure the feature works properly with partitions (#11699) 2021-12-01 19:32:34 +00:00			`if ap == "" {`
			`ap = "default"`
			`}`

agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`return &SpiffeIDService{`
			`Host: input.Host,`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`Partition: ap,`
agent/connect: support any values in the URL 2018-03-27 03:31:17 +00:00			`Namespace: ns,`
			`Datacenter: dc,`
			`Service: service,`
agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`}, nil`
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`} else if v := spiffeIDAgentRegexp.FindStringSubmatch(path); v != nil {`
Replace use of 'sane' where appropriate HashiCorp voice, style, and language guidelines recommend avoiding ableist language unless its reference to ability is accurate in a particular use. 2021-07-02 16:18:46 +00:00			`// Determine the values. We assume they're reasonable to save cycles,`
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`// but if the raw path is not empty that means that something is`
			`// URL encoded so we go to the slow path.`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`ap := v[1]`
			`dc := v[2]`
			`agent := v[3]`
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`if input.RawPath != "" {`
			`var err error`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`if ap, err = url.PathUnescape(v[1]); err != nil {`
			`return nil, fmt.Errorf("Invalid admin partition: %s", err)`
			`}`
			`if dc, err = url.PathUnescape(v[2]); err != nil {`
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`return nil, fmt.Errorf("Invalid datacenter: %s", err)`
			`}`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`if agent, err = url.PathUnescape(v[3]); err != nil {`
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`return nil, fmt.Errorf("Invalid node: %s", err)`
			`}`
			`}`

auto-config: ensure the feature works properly with partitions (#11699) 2021-12-01 19:32:34 +00:00			`if ap == "" {`
			`ap = "default"`
			`}`

tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`return &SpiffeIDAgent{`
			`Host: input.Host,`
connect: include optional partition prefixes in SPIFFE identifiers (#10507) NOTE: this does not include any intentions enforcement changes yet 2021-06-25 21:47:47 +00:00			`Partition: ap,`
tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`Datacenter: dc,`
			`Agent: agent,`
			`}, nil`
xds: mesh gateways now have their own leaf certificate when involved in a peering (#13460) This is only configured in xDS when a service with an L7 protocol is exported. They also load any relevant trust bundles for the peered services to eventually use for L7 SPIFFE validation during mTLS termination. 2022-06-15 19:36:18 +00:00			`} else if v := spiffeIDMeshGatewayRegexp.FindStringSubmatch(path); v != nil {`
			`// Determine the values. We assume they're reasonable to save cycles,`
			`// but if the raw path is not empty that means that something is`
			`// URL encoded so we go to the slow path.`
			`ap := v[1]`
			`dc := v[2]`
			`if input.RawPath != "" {`
			`var err error`
			`if ap, err = url.PathUnescape(v[1]); err != nil {`
			`return nil, fmt.Errorf("Invalid admin partition: %s", err)`
			`}`
			`if dc, err = url.PathUnescape(v[2]); err != nil {`
			`return nil, fmt.Errorf("Invalid datacenter: %s", err)`
			`}`
			`}`

			`if ap == "" {`
			`ap = "default"`
			`}`

			`return &SpiffeIDMeshGateway{`
			`Host: input.Host,`
			`Partition: ap,`
			`Datacenter: dc,`
			`}, nil`
Add SpiffeID for Consul server agents (#14485) Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com> By adding a SpiffeID for server agents, servers can now request a leaf certificate from the Connect CA. This new Spiffe ID has a key property: servers are identified by their datacenter name and trust domain. All servers that share these attributes will share a ServerURI. The aim is to use these certificates to verify the server name of ANY server in a Consul datacenter. 2022-09-06 23:58:13 +00:00			`} else if v := spiffeIDServerRegexp.FindStringSubmatch(path); v != nil {`
			`dc := v[1]`
			`if input.RawPath != "" {`
			`var err error`
			`if dc, err = url.PathUnescape(v[1]); err != nil {`
			`return nil, fmt.Errorf("Invalid datacenter: %s", err)`
			`}`
			`}`

			`return &SpiffeIDServer{`
			`Host: input.Host,`
			`Datacenter: dc,`
			`}, nil`
agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`}`

agent/connect: support SpiffeIDSigning 2018-03-24 18:46:12 +00:00			`// Test for signing ID`
			`if input.Path == "" {`
			`idx := strings.Index(input.Host, ".")`
			`if idx > 0 {`
			`return &SpiffeIDSigning{`
			`ClusterID: input.Host[:idx],`
			`Domain: input.Host[idx+1:],`
			`}, nil`
			`}`
			`}`

tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 20:22:07 +00:00			`return nil, fmt.Errorf("SPIFFE ID is not in the expected format: %s", input.String())`
agent/connect: package for agent-related Connect, parse SPIFFE IDs 2018-03-19 20:53:57 +00:00			`}`