// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package connect
import (
"github.com/hashicorp/consul/agent/structs"
"github.com/stretchr/testify/assert"
"testing"
)
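// TestAuthorizeIntentionTarget table-tests AuthorizeIntentionTarget for both
// intention match types. Each case pins the two results the function returns:
// whether the intention authorizes the target (auth) and whether the intention
// applied to the target at all (match).
//
// Two flavours of deny are covered on purpose: cases that leave ixn.Action at
// its zero value check that an unspecified action never grants access (the
// authorizer must fail closed), and cases with an explicit
// IntentionActionDeny check the action itself.
//
// targetAP is never set by any case, so every case runs with the zero-value
// partition; partition matching is not exercised here.
func TestAuthorizeIntentionTarget(t *testing.T) {
	type testCase struct {
		name string

		// The service being authorized and its namespace, partition and
		// peer. Fields left unset are passed through as "".
		target     string
		targetNS   string
		targetAP   string
		targetPeer string

		ixn       *structs.Intention
		matchType structs.IntentionMatchType

		// Expected results: auth is the authorization decision, match is
		// whether ixn applied to the target.
		auth  bool
		match bool
	}

	tests := []testCase{
		// Source match type
		{
			name:   "match exact source, not matching name",
			target: "web",
			ixn: &structs.Intention{
				SourceName: "db",
			},
			matchType: structs.IntentionMatchSource,
			auth:      false,
			match:     false,
		},
		{
			name:   "match exact source, allow",
			target: "web",
			ixn: &structs.Intention{
				SourceName: "web",
				Action:     structs.IntentionActionAllow,
			},
			matchType: structs.IntentionMatchSource,
			auth:      true,
			match:     true,
		},
		{
			// Action is deliberately left at its zero value: a matching
			// intention with no action must not authorize.
			name:   "match exact source, deny",
			target: "web",
			ixn: &structs.Intention{
				SourceName: "web",
			},
			matchType: structs.IntentionMatchSource,
			auth:      false,
			match:     true,
		},
		{
			// Mirrors "match exact destination, deny": an explicit deny on
			// the source side.
			name:   "match exact source, explicit deny",
			target: "web",
			ixn: &structs.Intention{
				SourceName: "web",
				Action:     structs.IntentionActionDeny,
			},
			matchType: structs.IntentionMatchSource,
			auth:      false,
			match:     true,
		},
		{
			name:     "match wildcard service, deny",
			target:   "web",
			targetNS: structs.IntentionDefaultNamespace,
			ixn: &structs.Intention{
				SourceName: structs.WildcardSpecifier,
				SourceNS:   structs.IntentionDefaultNamespace,
				Action:     structs.IntentionActionDeny,
			},
			matchType: structs.IntentionMatchSource,
			auth:      false,
			match:     true,
		},
		{
			name:   "match wildcard service, allow",
			target: "web",
			ixn: &structs.Intention{
				SourceName: structs.WildcardSpecifier,
				Action:     structs.IntentionActionAllow,
			},
			matchType: structs.IntentionMatchSource,
			auth:      true,
			match:     true,
		},

		// Destination match type
		{
			name:   "match exact destination, not matching name",
			target: "web",
			ixn: &structs.Intention{
				DestinationName: "db",
			},
			matchType: structs.IntentionMatchDestination,
			auth:      false,
			match:     false,
		},
		{
			name:   "match exact destination, allow",
			target: "web",
			ixn: &structs.Intention{
				DestinationName: "web",
				Action:          structs.IntentionActionAllow,
			},
			matchType: structs.IntentionMatchDestination,
			auth:      true,
			match:     true,
		},
		{
			name:   "match exact destination, deny",
			target: "web",
			ixn: &structs.Intention{
				DestinationName: "web",
				Action:          structs.IntentionActionDeny,
			},
			matchType: structs.IntentionMatchDestination,
			auth:      false,
			match:     true,
		},
		{
			name:   "match wildcard service, deny",
			target: "web",
			ixn: &structs.Intention{
				DestinationName: structs.WildcardSpecifier,
				Action:          structs.IntentionActionDeny,
			},
			matchType: structs.IntentionMatchDestination,
			auth:      false,
			match:     true,
		},
		{
			name:   "match wildcard service, allow",
			target: "web",
			ixn: &structs.Intention{
				DestinationName: structs.WildcardSpecifier,
				Action:          structs.IntentionActionAllow,
			},
			matchType: structs.IntentionMatchDestination,
			auth:      true,
			match:     true,
		},
		{
			// An unrecognised match type must neither match nor authorize,
			// even though the intention itself would allow.
			name:   "unknown match type",
			target: "web",
			ixn: &structs.Intention{
				DestinationName: structs.WildcardSpecifier,
				Action:          structs.IntentionActionAllow,
			},
			matchType: structs.IntentionMatchType("unknown"),
			auth:      false,
			match:     false,
		},

		// Peer matching
		{
			name:       "match peer",
			target:     "web",
			targetNS:   structs.IntentionDefaultNamespace,
			targetPeer: "cluster-01",
			ixn: &structs.Intention{
				SourceName: "web",
				SourceNS:   structs.IntentionDefaultNamespace,
				SourcePeer: "cluster-01",
				Action:     structs.IntentionActionAllow,
			},
			matchType: structs.IntentionMatchSource,
			auth:      true,
			match:     true,
		},
		{
			// Same service and namespace but a different peer: the
			// intention must not apply at all.
			name:       "no peer match",
			target:     "web",
			targetNS:   structs.IntentionDefaultNamespace,
			targetPeer: "cluster-02",
			ixn: &structs.Intention{
				SourceName: "web",
				SourceNS:   structs.IntentionDefaultNamespace,
				SourcePeer: "cluster-01",
				Action:     structs.IntentionActionAllow,
			},
			matchType: structs.IntentionMatchSource,
			auth:      false,
			match:     false,
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			auth, match := AuthorizeIntentionTarget(tc.target, tc.targetNS, tc.targetAP, tc.targetPeer, tc.ixn, tc.matchType)
			// Label each assertion so a failure says which result was wrong.
			assert.Equal(t, tc.auth, auth, "auth")
			assert.Equal(t, tc.match, match, "match")
		})
	}
}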