consul/internal/catalog/workloadselector/acls.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1

package workloadselector

import (
	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/internal/resource"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

func aclReadHookResourceWithWorkloadSelector(authorizer acl.Authorizer, authzContext *acl.AuthorizerContext, id *pbresource.ID, _ *pbresource.Resource) error {
	return authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.GetName(), authzContext)
}

func aclWriteHookResourceWithWorkloadSelector[T WorkloadSelecting](authorizer acl.Authorizer, authzContext *acl.AuthorizerContext, r *resource.DecodedResource[T]) error {
	// First check service:write on the name.
	err := authorizer.ToAllowAuthorizer().ServiceWriteAllowed(r.GetId().GetName(), authzContext)
	if err != nil {
		return err
	}

	// Then also check whether we're allowed to select a service.
	for _, name := range r.Data.GetWorkloads().GetNames() {
		err = authorizer.ToAllowAuthorizer().ServiceReadAllowed(name, authzContext)
		if err != nil {
			return err
		}
	}

	for _, prefix := range r.Data.GetWorkloads().GetPrefixes() {
		err = authorizer.ToAllowAuthorizer().ServiceReadPrefixAllowed(prefix, authzContext)
		if err != nil {
			return err
		}
	}

	return nil
}

func ACLHooks[T WorkloadSelecting]() *resource.ACLHooks {
	return &resource.ACLHooks{
		Read:  aclReadHookResourceWithWorkloadSelector,
		Write: resource.DecodeAndAuthorizeWrite(aclWriteHookResourceWithWorkloadSelector[T]),
		List:  resource.NoOpACLListHook,
	}
}
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: BUSL-1.1`

Migrate the Endpoints controller to use the controller cache (#20241) * Add cache resource decoding helpers * Implement a common package for workload selection facilities. This includes: * Controller cache Index * ACL hooks * Dependency Mapper to go from workload to list of resources which select it * Dependency Mapper to go from a resource which selects workloads to all the workloads it selects. * Update the endpoints controller to use the cache instead of custom mappers. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> 2024-01-18 22:52:52 +00:00			`package workloadselector`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00
			`import (`
			`"github.com/hashicorp/consul/acl"`
			`"github.com/hashicorp/consul/internal/resource"`
			`"github.com/hashicorp/consul/proto-public/pbresource"`
			`)`

			`func aclReadHookResourceWithWorkloadSelector(authorizer acl.Authorizer, authzContext acl.AuthorizerContext, id pbresource.ID, _ *pbresource.Resource) error {`
			`return authorizer.ToAllowAuthorizer().ServiceReadAllowed(id.GetName(), authzContext)`
			`}`

Resource Hook Pre-Decode Utilities (#18548) Add some generic type hook wrappers to first decode the data There seems to be a pattern for Validation, Mutation and Write Authorization hooks where they first need to decode the Any data before doing the domain specific work. This PR introduces 3 new functions to generate wrappers around the other hooks to pre-decode the data into a DecodedResource and pass that in instead of the original pbresource.Resource. This PR also updates the various catalog data types to use the new hook generators. 2023-10-26 20:39:06 +00:00			`func aclWriteHookResourceWithWorkloadSelector[T WorkloadSelecting](authorizer acl.Authorizer, authzContext acl.AuthorizerContext, r resource.DecodedResource[T]) error {`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00			`// First check service:write on the name.`
Resource Hook Pre-Decode Utilities (#18548) Add some generic type hook wrappers to first decode the data There seems to be a pattern for Validation, Mutation and Write Authorization hooks where they first need to decode the Any data before doing the domain specific work. This PR introduces 3 new functions to generate wrappers around the other hooks to pre-decode the data into a DecodedResource and pass that in instead of the original pbresource.Resource. This PR also updates the various catalog data types to use the new hook generators. 2023-10-26 20:39:06 +00:00			`err := authorizer.ToAllowAuthorizer().ServiceWriteAllowed(r.GetId().GetName(), authzContext)`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00			`if err != nil {`
			`return err`
			`}`

			`// Then also check whether we're allowed to select a service.`
Resource Hook Pre-Decode Utilities (#18548) Add some generic type hook wrappers to first decode the data There seems to be a pattern for Validation, Mutation and Write Authorization hooks where they first need to decode the Any data before doing the domain specific work. This PR introduces 3 new functions to generate wrappers around the other hooks to pre-decode the data into a DecodedResource and pass that in instead of the original pbresource.Resource. This PR also updates the various catalog data types to use the new hook generators. 2023-10-26 20:39:06 +00:00			`for _, name := range r.Data.GetWorkloads().GetNames() {`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00			`err = authorizer.ToAllowAuthorizer().ServiceReadAllowed(name, authzContext)`
			`if err != nil {`
			`return err`
			`}`
			`}`

Resource Hook Pre-Decode Utilities (#18548) Add some generic type hook wrappers to first decode the data There seems to be a pattern for Validation, Mutation and Write Authorization hooks where they first need to decode the Any data before doing the domain specific work. This PR introduces 3 new functions to generate wrappers around the other hooks to pre-decode the data into a DecodedResource and pass that in instead of the original pbresource.Resource. This PR also updates the various catalog data types to use the new hook generators. 2023-10-26 20:39:06 +00:00			`for _, prefix := range r.Data.GetWorkloads().GetPrefixes() {`
acls,catalog,mesh: properly authorize workload selectors on writes (#19260) To properly enforce writes on resources that have workload selectors with prefixes, we need another service authorization rule that allows us to check whether read is allowed within a given prefix. Specifically we need to only allow writes if the policy prefix allows for a wider set of names than the prefix selector on the resource. We should also not allow policies with exact names for prefix matches. Part of [NET-3993] 2023-10-19 17:09:41 +00:00			`err = authorizer.ToAllowAuthorizer().ServiceReadPrefixAllowed(prefix, authzContext)`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00			`if err != nil {`
			`return err`
			`}`
			`}`

			`return nil`
			`}`

Migrate the Endpoints controller to use the controller cache (#20241) * Add cache resource decoding helpers * Implement a common package for workload selection facilities. This includes: * Controller cache Index * ACL hooks * Dependency Mapper to go from workload to list of resources which select it * Dependency Mapper to go from a resource which selects workloads to all the workloads it selects. * Update the endpoints controller to use the cache instead of custom mappers. Co-authored-by: R.B. Boyer <4903+rboyer@users.noreply.github.com> 2024-01-18 22:52:52 +00:00			`func ACLHooks[T WorkloadSelecting]() *resource.ACLHooks {`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00			`return &resource.ACLHooks{`
			`Read: aclReadHookResourceWithWorkloadSelector,`
Resource Hook Pre-Decode Utilities (#18548) Add some generic type hook wrappers to first decode the data There seems to be a pattern for Validation, Mutation and Write Authorization hooks where they first need to decode the Any data before doing the domain specific work. This PR introduces 3 new functions to generate wrappers around the other hooks to pre-decode the data into a DecodedResource and pass that in instead of the original pbresource.Resource. This PR also updates the various catalog data types to use the new hook generators. 2023-10-26 20:39:06 +00:00			`Write: resource.DecodeAndAuthorizeWrite(aclWriteHookResourceWithWorkloadSelector[T]),`
catalog, mesh: implement missing ACL hooks (#19143) This change adds ACL hooks to the remaining catalog and mesh resources, excluding any computed ones. Those will for now continue using the default operator:x permissions. It refactors a lot of the common testing functions so that they can be re-used between resources. There are also some types that we don't yet support (e.g. virtual IPs) that this change adds ACL hooks to for future-proofing. 2023-10-13 23:16:26 +00:00			`List: resource.NoOpACLListHook,`
			`}`
			`}`