From 20feb42d3a663e72cb46cda6c08c0588f5bbf3b4 Mon Sep 17 00:00:00 2001 
From: "R.B. Boyer" <4903+rboyer@users.noreply.github.com>
Date: Thu, 15 Jul 2021 10:09:00 -0500
Subject: [PATCH] xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10619)
---
 .changelog/10619.txt | 3 +
 agent/xds/rbac.go | 29 +-
 agent/xds/rbac_test.go | 469 +++++++++++++++++-
 ...deny-all-and-path-allow--httpfilter.golden | 52 ++
 ...and-path-allow--httpfilter.v2compat.golden | 52 ++
 ...fault-allow-deny-all-and-path-allow.golden | 65 +++
 ...ow-deny-all-and-path-allow.v2compat.golden | 65 +++
 ...-deny-all-and-path-deny--httpfilter.golden | 77 +++
 ...-and-path-deny--httpfilter.v2compat.golden | 77 +++
 ...efault-allow-deny-all-and-path-deny.golden | 65 +++
 ...low-deny-all-and-path-deny.v2compat.golden | 65 +++
 ...efault-allow-path-allow--httpfilter.golden | 9 +
 ...low-path-allow--httpfilter.v2compat.golden | 9 +
 .../rbac/default-allow-path-allow.golden | 33 ++
 .../default-allow-path-allow.v2compat.golden | 33 ++
 ...default-allow-path-deny--httpfilter.golden | 36 ++
 ...llow-path-deny--httpfilter.v2compat.golden | 36 ++
 .../rbac/default-allow-path-deny.golden | 33 ++
 .../default-allow-path-deny.v2compat.golden | 33 ++
 ...deny-all-and-path-allow--httpfilter.golden | 35 ++
 ...and-path-allow--httpfilter.v2compat.golden | 35 ++
 ...efault-deny-deny-all-and-path-allow.golden | 10 +
 ...ny-deny-all-and-path-allow.v2compat.golden | 10 +
 ...-deny-all-and-path-deny--httpfilter.golden | 9 +
 ...-and-path-deny--httpfilter.v2compat.golden | 9 +
 ...default-deny-deny-all-and-path-deny.golden | 10 +
 ...eny-deny-all-and-path-deny.v2compat.golden | 10 +
 ...default-deny-path-allow--httpfilter.golden | 35 ++
 ...eny-path-allow--httpfilter.v2compat.golden | 35 ++
 .../rbac/default-deny-path-allow.golden | 10 +
 .../default-deny-path-allow.v2compat.golden | 10 +
 .../default-deny-path-deny--httpfilter.golden | 9 +
 ...deny-path-deny--httpfilter.v2compat.golden | 9 +
 .../rbac/default-deny-path-deny.golden | 10 +
 .../default-deny-path-deny.v2compat.golden | 10 +
 35 files changed, 1493 insertions(+), 4 deletions(-)
 create mode 100644 .changelog/10619.txt
 create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-path-allow.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-path-allow.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-path-deny.golden
 create mode 100644 agent/xds/testdata/rbac/default-allow-path-deny.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-path-allow.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-path-allow.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.v2compat.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-path-deny.golden
 create mode 100644 agent/xds/testdata/rbac/default-deny-path-deny.v2compat.golden
diff --git a/.changelog/10619.txt b/.changelog/10619.txt
new file mode 100644
index 0000000000..b781033f79
--- /dev/null
+++ b/.changelog/10619.txt
@@ -0,0 +1,3 @@
+```release-note:security
+xds: ensure single L7 deny intention with default deny policy does not result in allow action [CVE-2021-36213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36213)
+```
diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go
index 4a05c96a09..3a81784aae 100644
--- a/agent/xds/rbac.go
+++ b/agent/xds/rbac.go
@@ -110,13 +110,34 @@ func removeIntentionPrecedence(rbacIxns []*rbacIntention, intentionDefaultAction
 // between any two intentions.
 rbacIxns = removeSourcePrecedence(rbacIxns, intentionDefaultAction)
 
+ numRetained := 0
 for _, rbacIxn := range rbacIxns {
 // Remove permission precedence. After this completes precedence
 // doesn't matter between any two permissions on this intention.
 rbacIxn.Permissions = removePermissionPrecedence(rbacIxn.Permissions, intentionDefaultAction)
+ if rbacIxn.Action == intentionActionLayer7 && len(rbacIxn.Permissions) == 0 {
+ // All of the permissions must have had the default action type and
+ // were removed. Mark this for removal below.
+ rbacIxn.Skip = true
+ } else {
+ numRetained++
+ }
 }
 
- return rbacIxns
+ if numRetained == len(rbacIxns) {
+ return rbacIxns
+ }
+
+ // We previously used the absence of permissions (above) as a signal to
+ // mark the entire intention for removal. Now do the deletions.
+ out := make([]*rbacIntention, 0, numRetained)
+ for _, rixn := range rbacIxns {
+ if !rixn.Skip {
+ out = append(out, rixn)
+ }
+ }
+
+ return out
 }
 
 func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction intentionAction) []*rbacPermission {
@@ -401,10 +422,14 @@ func makeRBACRules(intentions structs.Intentions, intentionDefaultAllow bool, is
 
 var principalsL4 []*envoy_rbac_v3.Principal
 for i, rbacIxn := range rbacIxns {
- if len(rbacIxn.Permissions) > 0 {
+ if rbacIxn.Action == intentionActionLayer7 {
+ if len(rbacIxn.Permissions) == 0 {
+ panic("invalid state: L7 intention has no permissions")
+ }
 if !isHTTP {
 panic("invalid state: L7 permissions present for TCP service")
 }
+ // For L7: we should generate one Policy per Principal and list all of the Permissions
 
 policy := &envoy_rbac_v3.Policy{
 Principals: []*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal},
diff --git a/agent/xds/rbac_test.go b/agent/xds/rbac_test.go
index 2e91857ac5..44fac77334 100644
--- a/agent/xds/rbac_test.go
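Review bot: The doc comment of removeIntentionPrecedence (the function starts before this hunk) should now state the post-condition that the new panic in makeRBACRules relies on: every L7 intention in the returned slice carries at least one permission. I would add to that comment: `// L7 intentions whose permissions all matched the default action are dropped outright, so every returned L7 intention has at least one permission.` Reusing `Skip` for this second pass is presumably safe only because removeSourcePrecedence has already run (the line above) and consumed its own Skip marks; a short note beside `rbacIxn.Skip = true` saying so would keep a later reorder of the two passes from silently reviving the bug.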
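Review bot: `panic("invalid state: L7 intention has no permissions")` turns a malformed intention set for one service into a crash of the whole agent's xDS path, which is a larger blast radius than the misconfiguration it guards against. It mirrors the existing `isHTTP` panic just below, so it is consistent with the file's style, but if makeRBACRules's signature (truncated in the hunk header) can return an error, `return nil, fmt.Errorf("L7 intention for %v has no permissions", rbacIxn.Source)` would fail only that proxy's configuration. At minimum a one-line comment above the check naming removeIntentionPrecedence as the pass that guarantees the invariant would tell the next reader where to look when it fires.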
+++ b/agent/xds/rbac_test.go 
@@ -6,12 +6,381 @@ import ( "sort" "testing" + envoy_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3" + envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "github.com/hashicorp/consul/agent/structs" ) +func TestRemoveIntentionPrecedence(t *testing.T) { + testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention { + t.Helper() + ixn := structs.TestIntention(t) + ixn.SourceName = src + ixn.DestinationName = dst + ixn.Action = action + //nolint:staticcheck + ixn.UpdatePrecedence() + return ixn + } + testSourceIntention := func(src string, action structs.IntentionAction) *structs.Intention { + return testIntention(t, src, "api", action) + } + testSourcePermIntention := func(src string, perms ...*structs.IntentionPermission) *structs.Intention { + ixn := testIntention(t, src, "api", "") + ixn.Permissions = perms + return ixn + } + sorted := func(ixns ...*structs.Intention) structs.Intentions { + sort.SliceStable(ixns, func(i, j int) bool { + return ixns[j].Precedence < ixns[i].Precedence + }) + return structs.Intentions(ixns) + } + + var ( + nameWild = structs.NewServiceName("*", nil) + nameWeb = structs.NewServiceName("web", nil) + permSlashPrefix = &structs.IntentionPermission{ + Action: structs.IntentionActionAllow, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + } + permDenySlashPrefix = &structs.IntentionPermission{ + Action: structs.IntentionActionDeny, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + } + xdsPermSlashPrefix = &envoy_rbac_v3.Permission{ + Rule: &envoy_rbac_v3.Permission_UrlPath{ + UrlPath: &envoy_matcher_v3.PathMatcher{ + Rule: &envoy_matcher_v3.PathMatcher_Path{ + Path: &envoy_matcher_v3.StringMatcher{ + MatchPattern: &envoy_matcher_v3.StringMatcher_Prefix{ + Prefix: "/", + }, + }, + }, + }, + }, + } + ) + + // NOTE: these 
default=(allow|deny) wild=(allow|deny) path=(allow|deny) + // tests below are meant to verify some of the behaviors work as expected + // when the default acl mode changes for the system + tests := map[string]struct { + intentionDefaultAllow bool + http bool + intentions structs.Intentions + expect []*rbacIntention + }{ + "default-allow-path-allow": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + ), + expect: []*rbacIntention{}, // EMPTY, just use the defaults + }, + "default-deny-path-allow": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permSlashPrefix, + Action: intentionActionAllow, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + }, + }, + "default-allow-path-deny": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permDenySlashPrefix, + Action: intentionActionDeny, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + }, + }, + "default-deny-path-deny": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + ), + expect: []*rbacIntention{}, + }, + // ======================== + "default-allow-deny-all-and-path-allow": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + 
testSourcePermIntention("web", permSlashPrefix), + testSourceIntention("*", structs.IntentionActionDeny), + ), + expect: []*rbacIntention{ + { + Source: nameWild, + NotSources: []structs.ServiceName{ + nameWeb, + }, + Action: intentionActionDeny, + Permissions: nil, + Precedence: 8, + Skip: false, + ComputedPrincipal: andPrincipals( + []*envoy_rbac_v3.Principal{ + idPrincipal(nameWild), + notPrincipal( + idPrincipal(nameWeb), + ), + }, + ), + }, + }, + }, + "default-deny-deny-all-and-path-allow": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + testSourceIntention("*", structs.IntentionActionDeny), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permSlashPrefix, + Action: intentionActionAllow, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + }, + }, + "default-allow-deny-all-and-path-deny": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + testSourceIntention("*", structs.IntentionActionDeny), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permDenySlashPrefix, + Action: intentionActionDeny, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + { + Source: nameWild, + NotSources: []structs.ServiceName{ + nameWeb, + }, + Action: intentionActionDeny, + Permissions: nil, + Precedence: 8, + Skip: false, + ComputedPrincipal: andPrincipals( + []*envoy_rbac_v3.Principal{ + idPrincipal(nameWild), + notPrincipal( + idPrincipal(nameWeb), + ), + }, + ), + }, + }, + 
}, + "default-deny-deny-all-and-path-deny": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + testSourceIntention("*", structs.IntentionActionDeny), + ), + expect: []*rbacIntention{}, + }, + // ======================== + "default-allow-allow-all-and-path-allow": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + testSourceIntention("*", structs.IntentionActionAllow), + ), + expect: []*rbacIntention{}, + }, + "default-deny-allow-all-and-path-allow": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + testSourceIntention("*", structs.IntentionActionAllow), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permSlashPrefix, + Action: intentionActionAllow, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + { + Source: nameWild, + NotSources: []structs.ServiceName{ + nameWeb, + }, + Action: intentionActionAllow, + Permissions: nil, + Precedence: 8, + Skip: false, + ComputedPrincipal: andPrincipals( + []*envoy_rbac_v3.Principal{ + idPrincipal(nameWild), + notPrincipal( + idPrincipal(nameWeb), + ), + }, + ), + }, + }, + }, + "default-allow-allow-all-and-path-deny": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + testSourceIntention("*", structs.IntentionActionAllow), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permDenySlashPrefix, + Action: intentionActionDeny, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: 
xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + }, + }, + "default-deny-allow-all-and-path-deny": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + testSourceIntention("*", structs.IntentionActionAllow), + ), + expect: []*rbacIntention{ + { + Source: nameWild, + NotSources: []structs.ServiceName{ + nameWeb, + }, + Action: intentionActionAllow, + Permissions: nil, + Precedence: 8, + Skip: false, + ComputedPrincipal: andPrincipals( + []*envoy_rbac_v3.Principal{ + idPrincipal(nameWild), + notPrincipal( + idPrincipal(nameWeb), + ), + }, + ), + }, + }, + }, + } + + for name, tt := range tests { + t.Run(name, func(t *testing.T) { + rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, tt.http) + intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow) + rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction) + + require.Equal(t, tt.expect, rbacIxns) + }) + } +} + func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention { t.Helper() @@ -38,6 +407,21 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { return structs.Intentions(ixns) } + var ( + permSlashPrefix = &structs.IntentionPermission{ + Action: structs.IntentionActionAllow, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + } + permDenySlashPrefix = &structs.IntentionPermission{ + Action: structs.IntentionActionDeny, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + } + ) + tests := map[string]struct { intentionDefaultAllow bool intentions structs.Intentions 
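Review bot: The table does not mark which cases are the CVE-2021-36213 regression, so a later tidy-up of the fixture could drop them without anyone noticing. `default-deny-path-deny` and `default-deny-deny-all-and-path-deny` are the ones: a lone L7 deny under a default-deny policy must collapse to an empty result rather than survive as an L4 entry, which is what the empty `expect` pins down. I would put `// Regression for CVE-2021-36213: a lone L7 deny under default-deny must be dropped, not kept as an L4 allow.` above the first of them. Every case also sets `http: true`; one `http: false` case carrying an L7 permission would pin down the TCP behavior, which this hunk leaves untested.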
@@ -88,7 +472,6 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testSourceIntention("web", structs.IntentionActionAllow), testSourceIntention("unsafe", structs.IntentionActionDeny), testSourceIntention("cron", structs.IntentionActionAllow), - // and we invert the default-ness of the whole thing testSourceIntention("*", structs.IntentionActionAllow), ), }, 
@@ -99,10 +482,92 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testSourceIntention("web", structs.IntentionActionDeny), testSourceIntention("unsafe", structs.IntentionActionAllow), testSourceIntention("cron", structs.IntentionActionDeny), - // and we invert the default-ness of the whole thing testSourceIntention("*", structs.IntentionActionDeny), ), }, + // ======================== + "default-allow-path-allow": { + intentionDefaultAllow: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + ), + }, + "default-deny-path-allow": { + intentionDefaultAllow: false, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + ), + }, + "default-allow-path-deny": { + intentionDefaultAllow: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + ), + }, + "default-deny-path-deny": { + intentionDefaultAllow: false, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + ), + }, + // ======================== + "default-allow-deny-all-and-path-allow": { + intentionDefaultAllow: true, + intentions: sorted( + testSourcePermIntention("web", + &structs.IntentionPermission{ + Action: structs.IntentionActionAllow, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + }, + ), + testSourceIntention("*", structs.IntentionActionDeny), + ), + }, + "default-deny-deny-all-and-path-allow": { + intentionDefaultAllow: false, + intentions: sorted( + testSourcePermIntention("web", + &structs.IntentionPermission{ + Action: structs.IntentionActionAllow, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + }, + ), + testSourceIntention("*", structs.IntentionActionDeny), + ), + }, + "default-allow-deny-all-and-path-deny": { + intentionDefaultAllow: true, + intentions: sorted( + testSourcePermIntention("web", + &structs.IntentionPermission{ + Action: structs.IntentionActionDeny, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + }, + ), + 
testSourceIntention("*", structs.IntentionActionDeny), + ), + }, + "default-deny-deny-all-and-path-deny": { + intentionDefaultAllow: false, + intentions: sorted( + testSourcePermIntention("web", + &structs.IntentionPermission{ + Action: structs.IntentionActionDeny, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + }, + ), + testSourceIntention("*", structs.IntentionActionDeny), + ), + }, + // ======================== "default-deny-two-path-deny-and-path-allow": { intentionDefaultAllow: false, intentions: sorted( diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden new file mode 100644 index 0000000000..b44899f2ad --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden @@ -0,0 +1,52 @@ +{ + "name": "envoy.filters.http.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "andIds": { + "ids": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "notId": { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.v2compat.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.v2compat.golden new file mode 100644 index 0000000000..8bb354a88f --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.v2compat.golden 
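Review bot: The four `*-deny-all-and-path-*` cases spell out the `structs.IntentionPermission` literal inline although `permSlashPrefix` and `permDenySlashPrefix`, added to this test in the previous hunk, hold exactly the same values. Using `testSourcePermIntention("web", permSlashPrefix),` and `testSourcePermIntention("web", permDenySlashPrefix),` would make these read like the four `*-path-*` cases just above and keeps any later change to the permission shape in one place. The enclosing test table continues past the end of the hunk.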
@@ -0,0 +1,52 @@ +{ + "name": "envoy.filters.http.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "andIds": { + "ids": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "notId": { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden new file mode 100644 index 0000000000..0926767763 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden @@ -0,0 +1,65 @@ +{ + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + }, + { + "andIds": { + "ids": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "notId": { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "statPrefix": "connect_authz" + } +} \ No newline at end of file 
diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.v2compat.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.v2compat.golden new file mode 100644 index 0000000000..b2bb0adccd --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.v2compat.golden @@ -0,0 +1,65 @@ +{ + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + }, + { + "andIds": { + "ids": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "notId": { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "statPrefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden new file mode 100644 index 0000000000..806b19c593 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden 
@@ -0,0 +1,77 @@ +{ + "name": "envoy.filters.http.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "andIds": { + "ids": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "notId": { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + }, + "consul-intentions-layer7-0": { + "permissions": [ + { + "urlPath": { + "path": { + "prefix": "/" + } + } + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.v2compat.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.v2compat.golden new file mode 100644 index 0000000000..c1edc78606 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.v2compat.golden 
@@ -0,0 +1,77 @@ +{ + "name": "envoy.filters.http.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "andIds": { + "ids": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "notId": { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + }, + "consul-intentions-layer7-0": { + "permissions": [ + { + "urlPath": { + "path": { + "prefix": "/" + } + } + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden new file mode 100644 index 0000000000..0926767763 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden 
@@ -0,0 +1,65 @@ +{ + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + }, + { + "andIds": { + "ids": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "notId": { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "statPrefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.v2compat.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.v2compat.golden new file mode 100644 index 0000000000..b2bb0adccd --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.v2compat.golden 
@@ -0,0 +1,65 @@ +{ + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + }, + { + "andIds": { + "ids": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "notId": { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "statPrefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.golden new file mode 100644 index 0000000000..e9a5280d75 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.golden @@ -0,0 +1,9 @@ +{ + "name": "envoy.filters.http.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", + "rules": { + "action": "DENY" + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.v2compat.golden b/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.v2compat.golden new file mode 100644 index 0000000000..11307dcf51 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.v2compat.golden @@ -0,0 +1,9 @@ +{ + "name": "envoy.filters.http.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC", + "rules": { + "action": "DENY" + } + } +} \ No newline at end of file 
diff --git a/agent/xds/testdata/rbac/default-allow-path-allow.golden b/agent/xds/testdata/rbac/default-allow-path-allow.golden new file mode 100644 index 0000000000..05dca90f83 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-allow.golden @@ -0,0 +1,33 @@ +{ + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + }, + "statPrefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-path-allow.v2compat.golden b/agent/xds/testdata/rbac/default-allow-path-allow.v2compat.golden new file mode 100644 index 0000000000..73e3dae6e8 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-allow.v2compat.golden @@ -0,0 +1,33 @@ +{ + "name": "envoy.filters.network.rbac", + "typedConfig": { + "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC", + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principalName": { + "safeRegex": { + "googleRe2": { + + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + }, + "statPrefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden new file mode 100644 index 0000000000..4f64c27346 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden 
@@ -0,0 +1,36 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
+ "rules": {
+ "action": "DENY",
+ "policies": {
+ "consul-intentions-layer7-0": {
+ "permissions": [
+ {
+ "urlPath": {
+ "path": {
+ "prefix": "/"
+ }
+ }
+ }
+ ],
+ "principals": [
+ {
+ "authenticated": {
+ "principalName": {
+ "safeRegex": {
+ "googleRe2": {
+
+ },
+ "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.v2compat.golden b/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.v2compat.golden
new file mode 100644
index 0000000000..93b485722c
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.v2compat.golden
@@ -0,0 +1,36 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
+ "rules": {
+ "action": "DENY",
+ "policies": {
+ "consul-intentions-layer7-0": {
+ "permissions": [
+ {
+ "urlPath": {
+ "path": {
+ "prefix": "/"
+ }
+ }
+ }
+ ],
+ "principals": [
+ {
+ "authenticated": {
+ "principalName": {
+ "safeRegex": {
+ "googleRe2": {
+
+ },
+ "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-allow-path-deny.golden b/agent/xds/testdata/rbac/default-allow-path-deny.golden
new file mode 100644
index 0000000000..05dca90f83
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-allow-path-deny.golden
@@ -0,0 +1,33 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+ "action": "DENY",
+ "policies": {
+ "consul-intentions-layer4": {
+ "permissions": [
+ {
+ "any": true
+ }
+ ],
+ "principals": [
+ {
+ "authenticated": {
+ "principalName": {
+ "safeRegex": {
+ "googleRe2": {
+
+ },
+ "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-allow-path-deny.v2compat.golden b/agent/xds/testdata/rbac/default-allow-path-deny.v2compat.golden
new file mode 100644
index 0000000000..73e3dae6e8
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-allow-path-deny.v2compat.golden
@@ -0,0 +1,33 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
+ "rules": {
+ "action": "DENY",
+ "policies": {
+ "consul-intentions-layer4": {
+ "permissions": [
+ {
+ "any": true
+ }
+ ],
+ "principals": [
+ {
+ "authenticated": {
+ "principalName": {
+ "safeRegex": {
+ "googleRe2": {
+
+ },
+ "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden
new file mode 100644
index 0000000000..323526f484
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden
@@ -0,0 +1,35 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
+ "rules": {
+ "policies": {
+ "consul-intentions-layer7-0": {
+ "permissions": [
+ {
+ "urlPath": {
+ "path": {
+ "prefix": "/"
+ }
+ }
+ }
+ ],
+ "principals": [
+ {
+ "authenticated": {
+ "principalName": {
+ "safeRegex": {
+ "googleRe2": {
+
+ },
+ "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.v2compat.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.v2compat.golden
new file mode 100644
index 0000000000..3b1061c974
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.v2compat.golden
@@ -0,0 +1,35 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
+ "rules": {
+ "policies": {
+ "consul-intentions-layer7-0": {
+ "permissions": [
+ {
+ "urlPath": {
+ "path": {
+ "prefix": "/"
+ }
+ }
+ }
+ ],
+ "principals": [
+ {
+ "authenticated": {
+ "principalName": {
+ "safeRegex": {
+ "googleRe2": {
+
+ },
+ "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.golden
new file mode 100644
index 0000000000..92c7f921ad
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.golden
@@ -0,0 +1,10 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.v2compat.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.v2compat.golden
new file mode 100644
index 0000000000..84dfa0c7f0
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.v2compat.golden
@@ -0,0 +1,10 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.golden
new file mode 100644
index 0000000000..4ccd189bc0
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.golden
@@ -0,0 +1,9 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
+ "rules": {
+
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.v2compat.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.v2compat.golden
new file mode 100644
index 0000000000..f3fa3127c5
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.v2compat.golden
@@ -0,0 +1,9 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
+ "rules": {
+
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.golden
new file mode 100644
index 0000000000..92c7f921ad
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.golden
@@ -0,0 +1,10 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.v2compat.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.v2compat.golden
new file mode 100644
index 0000000000..84dfa0c7f0
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.v2compat.golden
@@ -0,0 +1,10 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden
new file mode 100644
index 0000000000..323526f484
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden
@@ -0,0 +1,35 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
+ "rules": {
+ "policies": {
+ "consul-intentions-layer7-0": {
+ "permissions": [
+ {
+ "urlPath": {
+ "path": {
+ "prefix": "/"
+ }
+ }
+ }
+ ],
+ "principals": [
+ {
+ "authenticated": {
+ "principalName": {
+ "safeRegex": {
+ "googleRe2": {
+
+ },
+ "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.v2compat.golden b/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.v2compat.golden
new file mode 100644
index 0000000000..3b1061c974
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.v2compat.golden
@@ -0,0 +1,35 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
+ "rules": {
+ "policies": {
+ "consul-intentions-layer7-0": {
+ "permissions": [
+ {
+ "urlPath": {
+ "path": {
+ "prefix": "/"
+ }
+ }
+ }
+ ],
+ "principals": [
+ {
+ "authenticated": {
+ "principalName": {
+ "safeRegex": {
+ "googleRe2": {
+
+ },
+ "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$"
+ }
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-path-allow.golden b/agent/xds/testdata/rbac/default-deny-path-allow.golden
new file mode 100644
index 0000000000..92c7f921ad
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-path-allow.golden
@@ -0,0 +1,10 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-path-allow.v2compat.golden b/agent/xds/testdata/rbac/default-deny-path-allow.v2compat.golden
new file mode 100644
index 0000000000..84dfa0c7f0
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-path-allow.v2compat.golden
@@ -0,0 +1,10 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.golden
new file mode 100644
index 0000000000..4ccd189bc0
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.golden
@@ -0,0 +1,9 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC",
+ "rules": {
+
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.v2compat.golden b/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.v2compat.golden
new file mode 100644
index 0000000000..f3fa3127c5
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.v2compat.golden
@@ -0,0 +1,9 @@
+{
+ "name": "envoy.filters.http.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.http.rbac.v2.RBAC",
+ "rules": {
+
+ }
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-path-deny.golden b/agent/xds/testdata/rbac/default-deny-path-deny.golden
new file mode 100644
index 0000000000..92c7f921ad
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-path-deny.golden
@@ -0,0 +1,10 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file
diff --git a/agent/xds/testdata/rbac/default-deny-path-deny.v2compat.golden b/agent/xds/testdata/rbac/default-deny-path-deny.v2compat.golden
new file mode 100644
index 0000000000..84dfa0c7f0
--- /dev/null
+++ b/agent/xds/testdata/rbac/default-deny-path-deny.v2compat.golden
@@ -0,0 +1,10 @@
+{
+ "name": "envoy.filters.network.rbac",
+ "typedConfig": {
+ "@type": "type.googleapis.com/envoy.config.filter.network.rbac.v2.RBAC",
+ "rules": {
+
+ },
+ "statPrefix": "connect_authz"
+ }
+}
\ No newline at end of file