NET-5147: Added placeholder structs for JWT functionality (#18575)

* Added placeholder structs for JWT functionality * Added watches for CE vs ENT * Add license header * Undo plumbing work * Add context arg
2023-08-24 15:07:14 -04:00 · 2023-08-24 15:07:14 -04:00 · 59ab57f350
parent 067a0112e2
commit 59ab57f350
6 changed files with 82 additions and 7 deletions
--- a/agent/proxycfg/api_gateway_ce.go
+++ b/agent/proxycfg/api_gateway_ce.go
@ -0,0 +1,17 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package proxycfg
+
+import "context"
+
+func watchJWTProviders(cxt context.Context, h *handlerAPIGateway) error {
+	return nil
+}
+
+func setJWTProvider(u UpdateEvent, snap *ConfigSnapshot) error {
+	return nil
+}
--- a/agent/xds/gw_per_route_filters_ce.go
+++ b/agent/xds/gw_per_route_filters_ce.go
@ -0,0 +1,24 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package xds
+
+import (
+	envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+	"google.golang.org/protobuf/types/known/anypb"
+
+	"github.com/hashicorp/consul/agent/structs"
+)
+
+type perRouteFilterBuilder struct {
+	providerMap map[string]*structs.JWTProviderConfigEntry
+	listener    *structs.APIGatewayListener
+	route       *structs.HTTPRouteConfigEntry
+}
+
+func (p perRouteFilterBuilder) buildFilter(match *envoy_route_v3.RouteMatch) (map[string]*anypb.Any, error) {
+	return nil, nil
+}
--- a/agent/xds/jwt_authn_ce.go
+++ b/agent/xds/jwt_authn_ce.go
@ -0,0 +1,25 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package xds
+
+import (
+	envoy_http_jwt_authn_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3"
+	envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+
+	"github.com/hashicorp/consul/agent/structs"
+)
+
+type GatewayAuthFilterBuilder struct {
+	listener       structs.APIGatewayListener
+	route          *structs.HTTPRouteConfigEntry
+	providers      map[string]*structs.JWTProviderConfigEntry
+	envoyProviders map[string]*envoy_http_jwt_authn_v3.JwtProvider
+}
+
+func (g *GatewayAuthFilterBuilder) makeGatewayAuthFilters() ([]*envoy_http_v3.HttpFilter, error) {
+	return nil, nil
+}
--- a/agent/xds/rbac.go
+++ b/agent/xds/rbac.go
@ -23,6 +23,11 @@ import (
 	"github.com/hashicorp/consul/proto/private/pbpeering"
 )

+const (
+	envoyHTTPRBACFilterKey    = "envoy.filters.http.rbac"
+	envoyNetworkRBACFilterKey = "envoy.filters.network.rbac"
+)
+
 func makeRBACNetworkFilter(
 	intentions structs.SimplifiedIntentions,
 	intentionDefaultAllow bool,
@ -38,7 +43,7 @@ func makeRBACNetworkFilter(
 		StatPrefix: "connect_authz",
 		Rules:      rules,
 	}
-	return makeFilter("envoy.filters.network.rbac", cfg)
+	return makeFilter(envoyNetworkRBACFilterKey, cfg)
 }

 func makeRBACHTTPFilter(
@ -56,7 +61,7 @@ func makeRBACHTTPFilter(
 	cfg := &envoy_http_rbac_v3.RBAC{
 		Rules: rules,
 	}
-	return makeEnvoyHTTPFilter("envoy.filters.http.rbac", cfg)
+	return makeEnvoyHTTPFilter(envoyHTTPRBACFilterKey, cfg)
 }

 func intentionListToIntermediateRBACForm(
@ -326,6 +331,7 @@ func intentionActionFromBool(v bool) intentionAction {
 		return intentionActionDeny
 	}
 }
+
 func intentionActionFromString(s structs.IntentionAction) intentionAction {
 	if s == structs.IntentionActionAllow {
 		return intentionActionAllow
@ -809,7 +815,6 @@ func segmentToPermission(segments []*envoy_matcher_v3.MetadataMatcher_PathSegmen
 //		},
 //	},
 func pathToSegments(paths []string, payloadKey string) []*envoy_matcher_v3.MetadataMatcher_PathSegment {
-
 	segments := make([]*envoy_matcher_v3.MetadataMatcher_PathSegment, 0, len(paths))
 	segments = append(segments, makeSegment(payloadKey))

@ -1029,8 +1034,10 @@ func xfccPrincipal(src rbacService) *envoy_rbac_v3.Principal {
 	}
 }

-const anyPath = `[^/]+`
-const trustDomain = anyPath + "." + anyPath
+const (
+	anyPath     = `[^/]+`
+	trustDomain = anyPath + "." + anyPath
+)

 // downstreamServiceIdentityMatcher needs to match XFCC headers in two cases:
 // 1. Requests to cluster peered services through a mesh gateway. In this case, the XFCC header looks like the following (I added a new line after each ; for readability)
--- a/agent/xds/resources_ce_test.go
+++ b/agent/xds/resources_ce_test.go
@ -6,6 +6,8 @@

 package xds

-func getEnterpriseGoldenTestCases() []goldenTestCase {
+import "testing"
+
+func getEnterpriseGoldenTestCases(t *testing.T) []goldenTestCase {
 	return nil
 }
--- a/agent/xds/resources_test.go
+++ b/agent/xds/resources_test.go
@ -193,7 +193,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) {
 	tests = append(tests, getConnectProxyTransparentProxyGoldenTestCases()...)
 	tests = append(tests, getMeshGatewayPeeringGoldenTestCases()...)
 	tests = append(tests, getTrafficControlPeeringGoldenTestCases(false)...)
-	tests = append(tests, getEnterpriseGoldenTestCases()...)
+	tests = append(tests, getEnterpriseGoldenTestCases(t)...)
 	tests = append(tests, getAPIGatewayGoldenTestCases(t)...)

 	latestEnvoyVersion := xdscommon.EnvoyVersions[0]