2018-02-28 11:36:54 -08:00
|
|
|
package agent
|
|
|
|
|
|
|
|
import (
|
2018-02-28 14:02:00 -08:00
|
|
|
"fmt"
|
2018-02-28 11:36:54 -08:00
|
|
|
"net/http"
|
2018-02-28 15:54:48 -08:00
|
|
|
"strings"
|
2018-02-28 11:36:54 -08:00
|
|
|
|
2022-04-05 14:10:06 -07:00
|
|
|
"github.com/hashicorp/consul/acl"
|
2020-10-08 14:51:53 -05:00
|
|
|
cachetype "github.com/hashicorp/consul/agent/cache-types"
|
2018-02-28 15:54:48 -08:00
|
|
|
"github.com/hashicorp/consul/agent/consul"
|
2018-02-28 11:36:54 -08:00
|
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
|
|
)
|
|
|
|
|
2020-06-26 16:59:15 -05:00
|
|
|
// /v1/connect/intentions
|
2020-09-04 14:42:15 -04:00
|
|
|
func (s *HTTPHandlers) IntentionEndpoint(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2018-02-28 14:02:00 -08:00
|
|
|
switch req.Method {
|
|
|
|
case "GET":
|
|
|
|
return s.IntentionList(resp, req)
|
|
|
|
|
|
|
|
case "POST":
|
|
|
|
return s.IntentionCreate(resp, req)
|
|
|
|
|
|
|
|
default:
|
|
|
|
return nil, MethodNotAllowedError{req.Method, []string{"GET", "POST"}}
|
2018-02-28 11:36:54 -08:00
|
|
|
}
|
2018-02-28 14:02:00 -08:00
|
|
|
}
|
|
|
|
|
|
|
|
// GET /v1/connect/intentions
|
2020-09-04 14:42:15 -04:00
|
|
|
func (s *HTTPHandlers) IntentionList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2018-02-28 14:02:00 -08:00
|
|
|
// Method is tested in IntentionEndpoint
|
2018-02-28 11:36:54 -08:00
|
|
|
|
2020-10-06 13:24:05 -05:00
|
|
|
var args structs.IntentionListRequest
|
2018-02-28 11:36:54 -08:00
|
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2020-06-26 16:59:15 -05:00
|
|
|
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-02-28 11:36:54 -08:00
|
|
|
var reply structs.IndexedIntentions
|
2019-02-19 03:45:36 -08:00
|
|
|
defer setMeta(resp, &reply.QueryMeta)
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.List", &args, &reply); err != nil {
|
2018-02-28 11:36:54 -08:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return reply.Intentions, nil
|
|
|
|
}
|
2018-02-28 14:02:00 -08:00
|
|
|
|
2021-11-23 19:32:18 -05:00
|
|
|
// IntentionCreate is used to create legacy intentions.
|
|
|
|
// Deprecated: use IntentionPutExact.
|
2020-09-04 14:42:15 -04:00
|
|
|
func (s *HTTPHandlers) IntentionCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2018-02-28 14:02:00 -08:00
|
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
|
2022-04-05 14:10:06 -07:00
|
|
|
var entMeta acl.EnterpriseMeta
|
2020-06-26 16:59:15 -05:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2022-04-29 13:42:49 -04:00
|
|
|
|
2022-04-05 14:10:06 -07:00
|
|
|
if entMeta.PartitionOrDefault() != acl.PartitionOrDefault("") {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot use a partition with this endpoint"}
|
2021-09-08 11:59:30 -04:00
|
|
|
}
|
2020-06-26 16:59:15 -05:00
|
|
|
|
2018-02-28 14:02:00 -08:00
|
|
|
args := structs.IntentionRequest{
|
|
|
|
Op: structs.IntentionOpCreate,
|
|
|
|
}
|
|
|
|
s.parseDC(req, &args.Datacenter)
|
|
|
|
s.parseToken(req, &args.Token)
|
2019-10-29 11:13:36 -07:00
|
|
|
if err := decodeBody(req.Body, &args.Intention); err != nil {
|
2018-06-05 11:09:45 -07:00
|
|
|
return nil, fmt.Errorf("Failed to decode request body: %s", err)
|
2018-02-28 14:02:00 -08:00
|
|
|
}
|
|
|
|
|
2021-10-01 13:18:57 -04:00
|
|
|
if args.Intention.DestinationPartition != "" && args.Intention.DestinationPartition != "default" {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot specify a destination partition with this endpoint"}
|
2021-10-01 13:18:57 -04:00
|
|
|
}
|
|
|
|
if args.Intention.SourcePartition != "" && args.Intention.SourcePartition != "default" {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot specify a source partition with this endpoint"}
|
2021-10-01 13:18:57 -04:00
|
|
|
}
|
|
|
|
|
2021-09-08 11:59:30 -04:00
|
|
|
args.Intention.FillPartitionAndNamespace(&entMeta, false)
|
2020-06-26 16:59:15 -05:00
|
|
|
|
|
|
|
if err := s.validateEnterpriseIntention(args.Intention); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-02-28 14:02:00 -08:00
|
|
|
var reply string
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Apply", &args, &reply); err != nil {
|
2018-02-28 14:02:00 -08:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return intentionCreateResponse{reply}, nil
|
|
|
|
}
|
|
|
|
|
2020-09-04 14:42:15 -04:00
|
|
|
func (s *HTTPHandlers) validateEnterpriseIntention(ixn *structs.Intention) error {
|
2021-09-08 11:59:30 -04:00
|
|
|
if err := s.validateEnterpriseIntentionPartition("SourcePartition", ixn.SourcePartition); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := s.validateEnterpriseIntentionPartition("DestinationPartition", ixn.DestinationPartition); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2020-06-26 16:59:15 -05:00
|
|
|
if err := s.validateEnterpriseIntentionNamespace("SourceNS", ixn.SourceNS, true); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := s.validateEnterpriseIntentionNamespace("DestinationNS", ixn.DestinationNS, true); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2021-09-08 11:59:30 -04:00
|
|
|
|
2020-06-26 16:59:15 -05:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-03-02 14:17:21 -08:00
|
|
|
// GET /v1/connect/intentions/match
|
2020-09-04 14:42:15 -04:00
|
|
|
func (s *HTTPHandlers) IntentionMatch(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2018-03-02 14:17:21 -08:00
|
|
|
// Prepare args
|
|
|
|
args := &structs.IntentionQueryRequest{Match: &structs.IntentionQueryMatch{}}
|
|
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2022-04-05 14:10:06 -07:00
|
|
|
var entMeta acl.EnterpriseMeta
|
2020-06-26 16:59:15 -05:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-03-02 14:17:21 -08:00
|
|
|
q := req.URL.Query()
|
|
|
|
|
|
|
|
// Extract the "by" query parameter
|
|
|
|
if by, ok := q["by"]; !ok || len(by) != 1 {
|
|
|
|
return nil, fmt.Errorf("required query parameter 'by' not set")
|
|
|
|
} else {
|
|
|
|
switch v := structs.IntentionMatchType(by[0]); v {
|
|
|
|
case structs.IntentionMatchSource, structs.IntentionMatchDestination:
|
|
|
|
args.Match.Type = v
|
|
|
|
default:
|
|
|
|
return nil, fmt.Errorf("'by' parameter must be one of 'source' or 'destination'")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Extract all the match names
|
|
|
|
names, ok := q["name"]
|
|
|
|
if !ok || len(names) == 0 {
|
|
|
|
return nil, fmt.Errorf("required query parameter 'name' not set")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Build the entries in order. The order matters since that is the
|
|
|
|
// order of the returned responses.
|
|
|
|
args.Match.Entries = make([]structs.IntentionMatchEntry, len(names))
|
|
|
|
for i, n := range names {
|
2022-06-22 16:25:09 -07:00
|
|
|
parsed, err := parseIntentionStringComponent(n, &entMeta, false)
|
2018-03-02 14:17:21 -08:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("name %q is invalid: %s", n, err)
|
|
|
|
}
|
|
|
|
|
2020-10-06 13:24:05 -05:00
|
|
|
args.Match.Entries[i] = structs.IntentionMatchEntry{
|
2022-06-22 16:25:09 -07:00
|
|
|
Partition: parsed.ap,
|
|
|
|
Namespace: parsed.ns,
|
|
|
|
Name: parsed.name,
|
2020-10-06 13:24:05 -05:00
|
|
|
}
|
2018-03-02 14:17:21 -08:00
|
|
|
}
|
|
|
|
|
2020-10-08 14:51:53 -05:00
|
|
|
// Make the RPC request
|
|
|
|
var out structs.IndexedIntentionMatches
|
|
|
|
defer setMeta(resp, &out.QueryMeta)
|
|
|
|
|
|
|
|
if s.agent.config.HTTPUseCache && args.QueryOptions.UseCache {
|
|
|
|
raw, m, err := s.agent.cache.Get(req.Context(), cachetype.IntentionMatchName, args)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
defer setCacheMeta(resp, &m)
|
|
|
|
|
|
|
|
reply, ok := raw.(*structs.IndexedIntentionMatches)
|
|
|
|
if !ok {
|
|
|
|
// This should never happen, but we want to protect against panics
|
|
|
|
return nil, fmt.Errorf("internal error: response type not correct")
|
|
|
|
}
|
|
|
|
out = *reply
|
|
|
|
} else {
|
|
|
|
RETRY_ONCE:
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Match", args, &out); err != nil {
|
2020-10-08 14:51:53 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
if args.QueryOptions.AllowStale && args.MaxStaleDuration > 0 && args.MaxStaleDuration < out.LastContact {
|
|
|
|
args.AllowStale = false
|
|
|
|
args.MaxStaleDuration = 0
|
|
|
|
goto RETRY_ONCE
|
|
|
|
}
|
2018-03-02 14:17:21 -08:00
|
|
|
}
|
2020-10-08 14:51:53 -05:00
|
|
|
out.ConsistencyLevel = args.QueryOptions.ConsistencyLevel()
|
2018-03-02 14:17:21 -08:00
|
|
|
|
|
|
|
// We must have an identical count of matches
|
2020-10-08 14:51:53 -05:00
|
|
|
if len(out.Matches) != len(names) {
|
2018-03-02 14:17:21 -08:00
|
|
|
return nil, fmt.Errorf("internal error: match response count didn't match input count")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Use empty list instead of nil.
|
|
|
|
response := make(map[string]structs.Intentions)
|
2020-10-08 14:51:53 -05:00
|
|
|
for i, ixns := range out.Matches {
|
2018-03-02 14:17:21 -08:00
|
|
|
response[names[i]] = ixns
|
|
|
|
}
|
|
|
|
|
|
|
|
return response, nil
|
|
|
|
}
|
|
|
|
|
2018-05-18 21:03:10 -07:00
|
|
|
// GET /v1/connect/intentions/check
|
2020-09-04 14:42:15 -04:00
|
|
|
func (s *HTTPHandlers) IntentionCheck(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2018-05-10 22:52:57 -07:00
|
|
|
// Prepare args
|
2018-05-11 09:19:22 -07:00
|
|
|
args := &structs.IntentionQueryRequest{Check: &structs.IntentionQueryCheck{}}
|
2018-05-10 22:52:57 -07:00
|
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
2022-04-05 14:10:06 -07:00
|
|
|
var entMeta acl.EnterpriseMeta
|
2020-06-26 16:59:15 -05:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2018-05-10 22:52:57 -07:00
|
|
|
q := req.URL.Query()
|
|
|
|
|
|
|
|
// Set the source type if set
|
2018-05-11 09:19:22 -07:00
|
|
|
args.Check.SourceType = structs.IntentionSourceConsul
|
2018-05-10 22:52:57 -07:00
|
|
|
if sourceType, ok := q["source-type"]; ok && len(sourceType) > 0 {
|
2018-05-11 09:19:22 -07:00
|
|
|
args.Check.SourceType = structs.IntentionSourceType(sourceType[0])
|
2018-05-10 22:52:57 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// Extract the source/destination
|
|
|
|
source, ok := q["source"]
|
|
|
|
if !ok || len(source) != 1 {
|
|
|
|
return nil, fmt.Errorf("required query parameter 'source' not set")
|
|
|
|
}
|
|
|
|
destination, ok := q["destination"]
|
|
|
|
if !ok || len(destination) != 1 {
|
|
|
|
return nil, fmt.Errorf("required query parameter 'destination' not set")
|
|
|
|
}
|
|
|
|
|
2021-10-13 10:47:12 -04:00
|
|
|
// We parse them the same way as matches to extract partition/namespace/name
|
2018-05-11 09:19:22 -07:00
|
|
|
args.Check.SourceName = source[0]
|
|
|
|
if args.Check.SourceType == structs.IntentionSourceConsul {
|
2022-06-22 16:25:09 -07:00
|
|
|
parsed, err := parseIntentionStringComponent(source[0], &entMeta, false)
|
2018-05-10 22:52:57 -07:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
|
|
|
|
}
|
2022-06-22 16:25:09 -07:00
|
|
|
args.Check.SourcePartition = parsed.ap
|
|
|
|
args.Check.SourceNS = parsed.ns
|
|
|
|
args.Check.SourceName = parsed.name
|
2018-05-10 22:52:57 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// The destination is always in the Consul format
|
2022-06-22 16:25:09 -07:00
|
|
|
parsed, err := parseIntentionStringComponent(destination[0], &entMeta, false)
|
2018-05-10 22:52:57 -07:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
|
|
|
|
}
|
2022-06-22 16:25:09 -07:00
|
|
|
args.Check.DestinationPartition = parsed.ap
|
|
|
|
args.Check.DestinationNS = parsed.ns
|
|
|
|
args.Check.DestinationName = parsed.name
|
2018-05-10 22:52:57 -07:00
|
|
|
|
2018-05-11 09:19:22 -07:00
|
|
|
var reply structs.IntentionQueryCheckResponse
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Check", args, &reply); err != nil {
|
2018-05-10 22:52:57 -07:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return &reply, nil
|
|
|
|
}
|
|
|
|
|
2021-11-23 19:32:18 -05:00
|
|
|
// IntentionExact handles the endpoint for /v1/connect/intentions/exact
|
|
|
|
func (s *HTTPHandlers) IntentionExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
switch req.Method {
|
|
|
|
case "GET":
|
|
|
|
return s.IntentionGetExact(resp, req)
|
|
|
|
case "PUT":
|
|
|
|
return s.IntentionPutExact(resp, req)
|
|
|
|
case "DELETE":
|
|
|
|
return s.IntentionDeleteExact(resp, req)
|
|
|
|
default:
|
|
|
|
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-06-26 16:59:15 -05:00
|
|
|
// GET /v1/connect/intentions/exact
|
2020-09-04 14:42:15 -04:00
|
|
|
func (s *HTTPHandlers) IntentionGetExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2022-04-05 14:10:06 -07:00
|
|
|
var entMeta acl.EnterpriseMeta
|
2020-06-26 16:59:15 -05:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
args := structs.IntentionQueryRequest{
|
|
|
|
Exact: &structs.IntentionQueryExact{},
|
|
|
|
}
|
|
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
q := req.URL.Query()
|
|
|
|
|
|
|
|
// Extract the source/destination
|
|
|
|
source, ok := q["source"]
|
|
|
|
if !ok || len(source) != 1 {
|
|
|
|
return nil, fmt.Errorf("required query parameter 'source' not set")
|
|
|
|
}
|
|
|
|
destination, ok := q["destination"]
|
|
|
|
if !ok || len(destination) != 1 {
|
|
|
|
return nil, fmt.Errorf("required query parameter 'destination' not set")
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
2022-06-22 16:25:09 -07:00
|
|
|
parsed, err := parseIntentionStringComponent(source[0], &entMeta, true)
|
2020-06-26 16:59:15 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
|
|
|
|
}
|
2022-06-22 16:25:09 -07:00
|
|
|
|
|
|
|
args.Exact.SourcePeer = parsed.peer
|
|
|
|
args.Exact.SourcePartition = parsed.ap
|
|
|
|
args.Exact.SourceNS = parsed.ns
|
|
|
|
args.Exact.SourceName = parsed.name
|
2020-06-26 16:59:15 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
{
|
2022-06-22 16:25:09 -07:00
|
|
|
parsed, err := parseIntentionStringComponent(destination[0], &entMeta, false)
|
2020-06-26 16:59:15 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
|
|
|
|
}
|
2022-06-22 16:25:09 -07:00
|
|
|
args.Exact.DestinationPartition = parsed.ap
|
|
|
|
args.Exact.DestinationNS = parsed.ns
|
|
|
|
args.Exact.DestinationName = parsed.name
|
2020-06-26 16:59:15 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
var reply structs.IndexedIntentions
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Get", &args, &reply); err != nil {
|
2020-06-26 16:59:15 -05:00
|
|
|
// We have to check the string since the RPC sheds the error type
|
2022-05-24 13:21:15 -04:00
|
|
|
if strings.Contains(err.Error(), consul.ErrIntentionNotFound.Error()) {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusNotFound, Reason: err.Error()}
|
2020-06-26 16:59:15 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Not ideal, but there are a number of error scenarios that are not
|
|
|
|
// user error (400). We look for a specific case of invalid UUID
|
|
|
|
// to detect a parameter error and return a 400 response. The error
|
|
|
|
// is not a constant type or message, so we have to use strings.Contains
|
|
|
|
if strings.Contains(err.Error(), "UUID") {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: err.Error()}
|
2020-06-26 16:59:15 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// This shouldn't happen since the called API documents it shouldn't,
|
|
|
|
// but we check since the alternative if it happens is a panic.
|
|
|
|
if len(reply.Intentions) == 0 {
|
|
|
|
resp.WriteHeader(http.StatusNotFound)
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return reply.Intentions[0], nil
|
|
|
|
}
|
|
|
|
|
2020-10-06 13:24:05 -05:00
|
|
|
// PUT /v1/connect/intentions/exact
|
|
|
|
func (s *HTTPHandlers) IntentionPutExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2022-04-05 14:10:06 -07:00
|
|
|
var entMeta acl.EnterpriseMeta
|
2020-10-06 13:24:05 -05:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
exact, err := parseIntentionQueryExact(req, &entMeta)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
args := structs.IntentionRequest{
|
|
|
|
Op: structs.IntentionOpUpsert,
|
|
|
|
}
|
|
|
|
s.parseDC(req, &args.Datacenter)
|
|
|
|
s.parseToken(req, &args.Token)
|
|
|
|
if err := decodeBody(req.Body, &args.Intention); err != nil {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: fmt.Sprintf("Request decode failed: %v", err)}
|
2020-10-06 13:24:05 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Explicitly CLEAR the old legacy ID field
|
|
|
|
args.Intention.ID = ""
|
|
|
|
|
|
|
|
// Use the intention identity from the URL.
|
2021-09-08 11:59:30 -04:00
|
|
|
args.Intention.SourcePartition = exact.SourcePartition
|
2020-10-06 13:24:05 -05:00
|
|
|
args.Intention.SourceNS = exact.SourceNS
|
|
|
|
args.Intention.SourceName = exact.SourceName
|
2021-09-08 11:59:30 -04:00
|
|
|
args.Intention.DestinationPartition = exact.DestinationPartition
|
2020-10-06 13:24:05 -05:00
|
|
|
args.Intention.DestinationNS = exact.DestinationNS
|
|
|
|
args.Intention.DestinationName = exact.DestinationName
|
|
|
|
|
2021-09-08 11:59:30 -04:00
|
|
|
args.Intention.FillPartitionAndNamespace(&entMeta, false)
|
2020-10-06 13:24:05 -05:00
|
|
|
|
|
|
|
var ignored string
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Apply", &args, &ignored); err != nil {
|
2020-10-06 13:24:05 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// DELETE /v1/connect/intentions/exact
|
|
|
|
func (s *HTTPHandlers) IntentionDeleteExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2022-04-05 14:10:06 -07:00
|
|
|
var entMeta acl.EnterpriseMeta
|
2020-10-06 13:24:05 -05:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
exact, err := parseIntentionQueryExact(req, &entMeta)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
args := structs.IntentionRequest{
|
|
|
|
Op: structs.IntentionOpDelete,
|
|
|
|
Intention: &structs.Intention{
|
|
|
|
// NOTE: ID is explicitly empty here
|
2021-09-08 11:59:30 -04:00
|
|
|
SourcePartition: exact.SourcePartition,
|
|
|
|
SourceNS: exact.SourceNS,
|
|
|
|
SourceName: exact.SourceName,
|
|
|
|
DestinationPartition: exact.DestinationPartition,
|
|
|
|
DestinationNS: exact.DestinationNS,
|
|
|
|
DestinationName: exact.DestinationName,
|
2020-10-06 13:24:05 -05:00
|
|
|
},
|
|
|
|
}
|
|
|
|
s.parseDC(req, &args.Datacenter)
|
|
|
|
s.parseToken(req, &args.Token)
|
|
|
|
|
|
|
|
var ignored string
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Apply", &args, &ignored); err != nil {
|
2020-10-06 13:24:05 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return true, nil
|
|
|
|
}
|
|
|
|
|
2018-02-28 14:02:00 -08:00
|
|
|
// intentionCreateResponse is the response structure for creating an intention.
|
|
|
|
type intentionCreateResponse struct{ ID string }
|
2018-03-02 14:17:21 -08:00
|
|
|
|
2022-04-05 14:10:06 -07:00
|
|
|
func parseIntentionQueryExact(req *http.Request, entMeta *acl.EnterpriseMeta) (*structs.IntentionQueryExact, error) {
|
2020-10-06 13:24:05 -05:00
|
|
|
q := req.URL.Query()
|
|
|
|
|
|
|
|
// Extract the source/destination
|
|
|
|
source, ok := q["source"]
|
|
|
|
if !ok || len(source) != 1 || source[0] == "" {
|
|
|
|
return nil, fmt.Errorf("required query parameter 'source' not set")
|
|
|
|
}
|
|
|
|
destination, ok := q["destination"]
|
|
|
|
if !ok || len(destination) != 1 || destination[0] == "" {
|
|
|
|
return nil, fmt.Errorf("required query parameter 'destination' not set")
|
|
|
|
}
|
|
|
|
|
|
|
|
var exact structs.IntentionQueryExact
|
|
|
|
{
|
2022-06-22 16:25:09 -07:00
|
|
|
parsed, err := parseIntentionStringComponent(source[0], entMeta, false)
|
2020-10-06 13:24:05 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
|
|
|
|
}
|
2022-06-22 16:25:09 -07:00
|
|
|
exact.SourcePartition = parsed.ap
|
|
|
|
exact.SourceNS = parsed.ns
|
|
|
|
exact.SourceName = parsed.name
|
2020-10-06 13:24:05 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
{
|
2022-06-22 16:25:09 -07:00
|
|
|
parsed, err := parseIntentionStringComponent(destination[0], entMeta, false)
|
2020-10-06 13:24:05 -05:00
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
|
|
|
|
}
|
2022-06-22 16:25:09 -07:00
|
|
|
exact.DestinationPartition = parsed.ap
|
|
|
|
exact.DestinationNS = parsed.ns
|
|
|
|
exact.DestinationName = parsed.name
|
2020-10-06 13:24:05 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
return &exact, nil
|
|
|
|
}
|
2018-03-02 14:17:21 -08:00
|
|
|
|
2022-06-22 16:25:09 -07:00
|
|
|
type parsedIntentionInput struct {
|
|
|
|
peer, ap, ns, name string
|
|
|
|
}
|
|
|
|
|
|
|
|
func parseIntentionStringComponent(input string, entMeta *acl.EnterpriseMeta, allowPeerKeyword bool) (*parsedIntentionInput, error) {
|
|
|
|
if strings.HasPrefix(input, "peer:") && !allowPeerKeyword {
|
|
|
|
return nil, fmt.Errorf("cannot specify a peer here")
|
|
|
|
}
|
|
|
|
|
2021-10-01 12:36:12 -04:00
|
|
|
ss := strings.Split(input, "/")
|
|
|
|
switch len(ss) {
|
|
|
|
case 1: // Name only
|
2022-06-22 16:25:09 -07:00
|
|
|
// need to specify at least the service name too
|
|
|
|
if strings.HasPrefix(ss[0], "peer:") {
|
|
|
|
return nil, fmt.Errorf("need to specify the service name as well")
|
|
|
|
}
|
|
|
|
|
2020-10-06 13:24:05 -05:00
|
|
|
ns := entMeta.NamespaceOrEmpty()
|
2021-10-01 12:36:12 -04:00
|
|
|
ap := entMeta.PartitionOrEmpty()
|
2022-06-22 16:25:09 -07:00
|
|
|
return &parsedIntentionInput{ap: ap, ns: ns, name: ss[0]}, nil
|
|
|
|
case 2: // peer:peer/name OR namespace/name
|
|
|
|
if strings.HasPrefix(ss[0], "peer:") {
|
|
|
|
peerName := strings.TrimPrefix(ss[0], "peer:")
|
|
|
|
ns := entMeta.NamespaceOrEmpty()
|
|
|
|
|
|
|
|
return &parsedIntentionInput{peer: peerName, ns: ns, name: ss[1]}, nil
|
|
|
|
}
|
|
|
|
|
2021-10-01 12:36:12 -04:00
|
|
|
ap := entMeta.PartitionOrEmpty()
|
2022-06-22 16:25:09 -07:00
|
|
|
return &parsedIntentionInput{ap: ap, ns: ss[0], name: ss[1]}, nil
|
|
|
|
case 3: // peer:peer/namespace/name OR partition/namespace/name
|
|
|
|
if strings.HasPrefix(ss[0], "peer:") {
|
|
|
|
peerName := strings.TrimPrefix(ss[0], "peer:")
|
|
|
|
return &parsedIntentionInput{peer: peerName, ns: ss[1], name: ss[2]}, nil
|
|
|
|
} else {
|
|
|
|
return &parsedIntentionInput{ap: ss[0], ns: ss[1], name: ss[2]}, nil
|
|
|
|
}
|
2021-10-01 12:36:12 -04:00
|
|
|
default:
|
2022-06-22 16:25:09 -07:00
|
|
|
return nil, fmt.Errorf("input can contain at most two '/'")
|
2018-03-02 14:17:21 -08:00
|
|
|
}
|
|
|
|
}
|
2021-11-23 19:32:18 -05:00
|
|
|
|
|
|
|
// IntentionSpecific handles the endpoint for /v1/connect/intentions/:id.
|
|
|
|
// Deprecated: use IntentionExact.
|
|
|
|
func (s *HTTPHandlers) IntentionSpecific(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
2022-06-01 13:17:14 -04:00
|
|
|
id := strings.TrimPrefix(req.URL.Path, "/v1/connect/intentions/")
|
2021-11-23 19:32:18 -05:00
|
|
|
|
|
|
|
switch req.Method {
|
|
|
|
case "GET":
|
|
|
|
return s.IntentionSpecificGet(id, resp, req)
|
|
|
|
|
|
|
|
case "PUT":
|
|
|
|
return s.IntentionSpecificUpdate(id, resp, req)
|
|
|
|
|
|
|
|
case "DELETE":
|
|
|
|
return s.IntentionSpecificDelete(id, resp, req)
|
|
|
|
|
|
|
|
default:
|
|
|
|
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Deprecated: use IntentionGetExact.
|
|
|
|
func (s *HTTPHandlers) IntentionSpecificGet(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
|
|
|
|
args := structs.IntentionQueryRequest{
|
|
|
|
IntentionID: id,
|
|
|
|
}
|
|
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
var reply structs.IndexedIntentions
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Get", &args, &reply); err != nil {
|
2021-11-23 19:32:18 -05:00
|
|
|
// We have to check the string since the RPC sheds the error type
|
|
|
|
if err.Error() == consul.ErrIntentionNotFound.Error() {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusNotFound, Reason: err.Error()}
|
2021-11-23 19:32:18 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
// Not ideal, but there are a number of error scenarios that are not
|
|
|
|
// user error (400). We look for a specific case of invalid UUID
|
|
|
|
// to detect a parameter error and return a 400 response. The error
|
|
|
|
// is not a constant type or message, so we have to use strings.Contains
|
|
|
|
if strings.Contains(err.Error(), "UUID") {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: err.Error()}
|
2021-11-23 19:32:18 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// This shouldn't happen since the called API documents it shouldn't,
|
|
|
|
// but we check since the alternative if it happens is a panic.
|
|
|
|
if len(reply.Intentions) == 0 {
|
|
|
|
resp.WriteHeader(http.StatusNotFound)
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
return reply.Intentions[0], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Deprecated: use IntentionPutExact.
|
|
|
|
func (s *HTTPHandlers) IntentionSpecificUpdate(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
|
2022-04-05 14:10:06 -07:00
|
|
|
var entMeta acl.EnterpriseMeta
|
2021-11-23 19:32:18 -05:00
|
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2022-04-29 13:42:49 -04:00
|
|
|
|
2022-04-05 14:10:06 -07:00
|
|
|
if entMeta.PartitionOrDefault() != acl.PartitionOrDefault("") {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot use a partition with this endpoint"}
|
2021-11-23 19:32:18 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
args := structs.IntentionRequest{
|
|
|
|
Op: structs.IntentionOpUpdate,
|
|
|
|
}
|
|
|
|
s.parseDC(req, &args.Datacenter)
|
|
|
|
s.parseToken(req, &args.Token)
|
|
|
|
if err := decodeBody(req.Body, &args.Intention); err != nil {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: fmt.Sprintf("Request decode failed: %v", err)}
|
2021-11-23 19:32:18 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
if args.Intention.DestinationPartition != "" && args.Intention.DestinationPartition != "default" {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot specify a destination partition with this endpoint"}
|
2021-11-23 19:32:18 -05:00
|
|
|
}
|
|
|
|
if args.Intention.SourcePartition != "" && args.Intention.SourcePartition != "default" {
|
2022-04-29 13:42:49 -04:00
|
|
|
return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Cannot specify a source partition with this endpoint"}
|
2021-11-23 19:32:18 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
args.Intention.FillPartitionAndNamespace(&entMeta, false)
|
|
|
|
|
|
|
|
// Use the ID from the URL
|
|
|
|
args.Intention.ID = id
|
|
|
|
|
|
|
|
var reply string
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Apply", &args, &reply); err != nil {
|
2021-11-23 19:32:18 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// Update uses the same create response
|
|
|
|
return intentionCreateResponse{reply}, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// Deprecated: use IntentionDeleteExact.
|
|
|
|
func (s *HTTPHandlers) IntentionSpecificDelete(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
|
|
|
|
args := structs.IntentionRequest{
|
|
|
|
Op: structs.IntentionOpDelete,
|
|
|
|
Intention: &structs.Intention{ID: id},
|
|
|
|
}
|
|
|
|
s.parseDC(req, &args.Datacenter)
|
|
|
|
s.parseToken(req, &args.Token)
|
|
|
|
|
|
|
|
var reply string
|
2022-12-14 09:24:22 -06:00
|
|
|
if err := s.agent.RPC(req.Context(), "Intention.Apply", &args, &reply); err != nil {
|
2021-11-23 19:32:18 -05:00
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return true, nil
|
|
|
|
}
|