2018-03-25 14:39:18 -10:00
|
|
|
package connect
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"net/url"
|
|
|
|
|
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
|
|
)
|
|
|
|
|
|
|
|
// SpiffeIDService is the structure to represent the SPIFFE ID for a service.
|
|
|
|
type SpiffeIDService struct {
|
|
|
|
Host string
|
|
|
|
Namespace string
|
|
|
|
Datacenter string
|
|
|
|
Service string
|
|
|
|
}
|
|
|
|
|
|
|
|
// URI returns the *url.URL for this SPIFFE ID.
|
|
|
|
func (id *SpiffeIDService) URI() *url.URL {
|
|
|
|
var result url.URL
|
|
|
|
result.Scheme = "spiffe"
|
|
|
|
result.Host = id.Host
|
|
|
|
result.Path = fmt.Sprintf("/ns/%s/dc/%s/svc/%s",
|
|
|
|
id.Namespace, id.Datacenter, id.Service)
|
|
|
|
return &result
|
|
|
|
}
|
|
|
|
|
|
|
|
// CertURI impl.
|
|
|
|
func (id *SpiffeIDService) Authorize(ixn *structs.Intention) (bool, bool) {
|
2020-01-13 15:51:40 -05:00
|
|
|
if ixn.SourceNS != structs.WildcardSpecifier && ixn.SourceNS != id.Namespace {
|
2018-03-25 14:39:18 -10:00
|
|
|
// Non-matching namespace
|
|
|
|
return false, false
|
|
|
|
}
|
|
|
|
|
2020-01-13 15:51:40 -05:00
|
|
|
if ixn.SourceName != structs.WildcardSpecifier && ixn.SourceName != id.Service {
|
2018-03-25 14:39:18 -10:00
|
|
|
// Non-matching name
|
|
|
|
return false, false
|
|
|
|
}
|
|
|
|
|
|
|
|
// Match, return allow value
|
|
|
|
return ixn.Action == structs.IntentionActionAllow, true
|
|
|
|
}
|
2020-07-14 15:05:03 -04:00
|
|
|
|
|
|
|
func (id *SpiffeIDService) CommonName() string {
|
|
|
|
return ServiceCN(id.Service, id.Namespace, id.Host)
|
|
|
|
}
|