consul/agent/connect/authz.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package connect

import (
	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/agent/structs"
)

// AuthorizeIntentionTarget determines whether the destination is covered by the given intention
// and whether the intention action allows a connection.
// This is a generalized version of the old CertURI.Authorize(), and can be evaluated against sources or destinations.
//
// The return value of `auth` is only valid if the second value `match` is true.
// If `match` is false, then the intention doesn't match this target and any result should be ignored.
func AuthorizeIntentionTarget(
	target, targetNS, targetAP, targetPeer string,
	ixn *structs.Intention,
	matchType structs.IntentionMatchType,
) (bool, bool) {

	match := IntentionMatch(target, targetNS, targetAP, targetPeer, ixn, matchType)

	if match {
		return ixn.Action == structs.IntentionActionAllow, true
	} else {
		return false, false
	}
}

// IntentionMatch determines whether the target is covered by the given intention.
func IntentionMatch(
	target, targetNS, targetAP, targetPeer string,
	ixn *structs.Intention,
	matchType structs.IntentionMatchType,
) bool {

	switch matchType {
	case structs.IntentionMatchDestination:
		if acl.PartitionOrDefault(ixn.DestinationPartition) != acl.PartitionOrDefault(targetAP) {
			return false
		}

		if ixn.DestinationNS != structs.WildcardSpecifier && ixn.DestinationNS != targetNS {
			// Non-matching namespace
			return false
		}

		if ixn.DestinationName != structs.WildcardSpecifier && ixn.DestinationName != target {
			// Non-matching name
			return false
		}

	case structs.IntentionMatchSource:
		if ixn.SourcePeer != targetPeer {
			return false
		}

		if acl.PartitionOrDefault(ixn.SourcePartition) != acl.PartitionOrDefault(targetAP) {
			return false
		}

		if ixn.SourceNS != structs.WildcardSpecifier && ixn.SourceNS != targetNS {
			// Non-matching namespace
			return false
		}

		if ixn.SourceName != structs.WildcardSpecifier && ixn.SourceName != target {
			// Non-matching name
			return false
		}

	default:
		// Reject on any un-recognized match type
		return false
	}

	// The name and namespace match, so the destination is covered
	return true
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
[COMPLIANCE] License changes (#18443) * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at <Blog URL>, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 * Update copyright file headers to BUSL-1.1 --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> 2023-08-11 13:12:13 +00:00			`// SPDX-License-Identifier: BUSL-1.1`
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`package connect`

			`import (`
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2022-04-05 21:10:06 +00:00			`"github.com/hashicorp/consul/acl"`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`"github.com/hashicorp/consul/agent/structs"`
			`)`

			`// AuthorizeIntentionTarget determines whether the destination is covered by the given intention`
			`// and whether the intention action allows a connection.`
			`// This is a generalized version of the old CertURI.Authorize(), and can be evaluated against sources or destinations.`
			`//`
			// The return value of `auth` is only valid if the second value `match` is true.
			// If `match` is false, then the intention doesn't match this target and any result should be ignored.
			`func AuthorizeIntentionTarget(`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`target, targetNS, targetAP, targetPeer string,`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`ixn *structs.Intention,`
			`matchType structs.IntentionMatchType,`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`) (bool, bool) {`

			`match := IntentionMatch(target, targetNS, targetAP, targetPeer, ixn, matchType)`

			`if match {`
			`return ixn.Action == structs.IntentionActionAllow, true`
			`} else {`
			`return false, false`
			`}`
			`}`

			`// IntentionMatch determines whether the target is covered by the given intention.`
			`func IntentionMatch(`
			`target, targetNS, targetAP, targetPeer string,`
			`ixn *structs.Intention,`
			`matchType structs.IntentionMatchType,`
			`) bool {`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00
			`switch matchType {`
			`case structs.IntentionMatchDestination:`
Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2022-04-05 21:10:06 +00:00			`if acl.PartitionOrDefault(ixn.DestinationPartition) != acl.PartitionOrDefault(targetAP) {`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`return false`
Account for partitions in ixn match/decision 2021-09-16 19:31:19 +00:00			`}`

Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`if ixn.DestinationNS != structs.WildcardSpecifier && ixn.DestinationNS != targetNS {`
			`// Non-matching namespace`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`return false`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`}`

			`if ixn.DestinationName != structs.WildcardSpecifier && ixn.DestinationName != target {`
			`// Non-matching name`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`return false`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`}`

			`case structs.IntentionMatchSource:`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`if ixn.SourcePeer != targetPeer {`
			`return false`
			`}`

Fixup acl.EnterpriseMeta Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2022-04-05 21:10:06 +00:00			`if acl.PartitionOrDefault(ixn.SourcePartition) != acl.PartitionOrDefault(targetAP) {`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`return false`
Account for partitions in ixn match/decision 2021-09-16 19:31:19 +00:00			`}`

Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`if ixn.SourceNS != structs.WildcardSpecifier && ixn.SourceNS != targetNS {`
			`// Non-matching namespace`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`return false`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`}`

			`if ixn.SourceName != structs.WildcardSpecifier && ixn.SourceName != target {`
			`// Non-matching name`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`return false`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`}`

			`default:`
			`// Reject on any un-recognized match type`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`return false`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`}`

			`// The name and namespace match, so the destination is covered`
Add sameness groups to service intentions. (#17064) 2023-04-20 16:16:04 +00:00			`return true`
Replace CertURI.Authorize() calls. AuthorizeIntentionTarget is a generalized version of the old function, and can be evaluated against sources or destinations. 2021-03-16 00:06:04 +00:00			`}`