From 59ab57f350df6cf7a7c0a8671441c501d8027344 Mon Sep 17 00:00:00 2001
From: John Maguire
Date: Thu, 24 Aug 2023 15:07:14 -0400
Subject: [PATCH] NET-5147: Added placeholder structs for JWT functionality (#18575)

* Added placeholder structs for JWT functionality
* Added watches for CE vs ENT
* Add license header
* Undo plumbing work
* Add context arg
---
 agent/proxycfg/api_gateway_ce.go | 17 +++++++++++++++++
 agent/xds/gw_per_route_filters_ce.go | 24 ++++++++++++++++++++++++
 agent/xds/jwt_authn_ce.go | 25 +++++++++++++++++++++++++
 agent/xds/rbac.go | 17 ++++++++++++-----
 agent/xds/resources_ce_test.go | 4 +++-
 agent/xds/resources_test.go | 2 +-
 6 files changed, 82 insertions(+), 7 deletions(-)
 create mode 100644 agent/proxycfg/api_gateway_ce.go
 create mode 100644 agent/xds/gw_per_route_filters_ce.go
 create mode 100644 agent/xds/jwt_authn_ce.go

diff --git a/agent/proxycfg/api_gateway_ce.go b/agent/proxycfg/api_gateway_ce.go
new file mode 100644
index 0000000000..e2a3b375cd
--- /dev/null
+++ b/agent/proxycfg/api_gateway_ce.go
@@ -0,0 +1,17 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package proxycfg
+
+import "context"
+
+func watchJWTProviders(cxt context.Context, h *handlerAPIGateway) error {
+ return nil
+}
+
+func setJWTProvider(u UpdateEvent, snap *ConfigSnapshot) error {
+ return nil
+}
diff --git a/agent/xds/gw_per_route_filters_ce.go b/agent/xds/gw_per_route_filters_ce.go
new file mode 100644
index 0000000000..cbf406cd07
--- /dev/null
+++ b/agent/xds/gw_per_route_filters_ce.go
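Review bot: The context parameter of `watchJWTProviders` is named `cxt`; the Go convention (and presumably the rest of this package) is `ctx`, so the signature should read `func watchJWTProviders(ctx context.Context, h *handlerAPIGateway) error {`. Both stubs also lack a doc comment saying they are CE no-ops: `setJWTProvider` returns nil without touching `snap` or `u`, so a caller in a CE build cannot distinguish "provider recorded" from "feature unavailable" by the return value alone. Suggest `// watchJWTProviders is a no-op in CE builds; JWT provider watching is provided by the enterprise build.` and `// setJWTProvider is a no-op in CE builds: the update event is ignored and snap is left unchanged.` The unused parameters are expected for a build-tag stub and need no change.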
@@ -0,0 +1,24 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package xds
+
+import (
+ envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ "google.golang.org/protobuf/types/known/anypb"
+
+ "github.com/hashicorp/consul/agent/structs"
+)
+
+type perRouteFilterBuilder struct {
+ providerMap map[string]*structs.JWTProviderConfigEntry
+ listener *structs.APIGatewayListener
+ route *structs.HTTPRouteConfigEntry
+}
+
+func (p perRouteFilterBuilder) buildFilter(match *envoy_route_v3.RouteMatch) (map[string]*anypb.Any, error) {
+ return nil, nil
+}
diff --git a/agent/xds/jwt_authn_ce.go b/agent/xds/jwt_authn_ce.go
new file mode 100644
index 0000000000..ac6d0a31d7
--- /dev/null
+++ b/agent/xds/jwt_authn_ce.go
@@ -0,0 +1,25 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package xds
+
+import (
+ envoy_http_jwt_authn_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3"
+ envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+
+ "github.com/hashicorp/consul/agent/structs"
+)
+
+type GatewayAuthFilterBuilder struct {
+ listener structs.APIGatewayListener
+ route *structs.HTTPRouteConfigEntry
+ providers map[string]*structs.JWTProviderConfigEntry
+ envoyProviders map[string]*envoy_http_jwt_authn_v3.JwtProvider
+}
+
+func (g *GatewayAuthFilterBuilder) makeGatewayAuthFilters() ([]*envoy_http_v3.HttpFilter, error) {
+ return nil, nil
+}
diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go
index 0c00cb92cb..68e91d2945 100644
--- a/agent/xds/rbac.go
+++ b/agent/xds/rbac.go
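Review bot: `buildFilter` uses a value receiver (`p perRouteFilterBuilder`) while the sibling stub in jwt_authn_ce.go uses a pointer receiver (`g *GatewayAuthFilterBuilder`), and `listener` is a `*structs.APIGatewayListener` here but a plain `structs.APIGatewayListener` in that struct; since the enterprise build has to match these signatures, settling on one convention now avoids a divergence between the two builds later. The CE body returns `nil, nil`, i.e. a nil map and no error — harmless for a range loop, but a caller that writes into the returned map will panic, so the contract should be stated: `// buildFilter returns no per-route filters in CE builds; the returned map is nil and must not be written to.`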
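Review bot: `makeGatewayAuthFilters` returns `nil, nil`, so a CE build emits no jwt_authn filter and also reports no error from this path; if a listener or route configuration that references a JWT provider can reach a CE agent, requests would flow without JWT enforcement and nothing here signals that, so the fail-closed check must live with the caller. Say so explicitly: `// makeGatewayAuthFilters is a no-op in CE builds: it emits no jwt_authn filters and never returns an error, so JWT requirements are not enforced by this method.` Separately, `GatewayAuthFilterBuilder` is exported while `perRouteFilterBuilder` in gw_per_route_filters_ce.go is not; unless another package needs the type, keep both unexported.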
@@ -23,6 +23,11 @@ import (
 "github.com/hashicorp/consul/proto/private/pbpeering"
 )
 
+const (
+ envoyHTTPRBACFilterKey = "envoy.filters.http.rbac"
+ envoyNetworkRBACFilterKey = "envoy.filters.network.rbac"
+)
+
 func makeRBACNetworkFilter(
 intentions structs.SimplifiedIntentions,
 intentionDefaultAllow bool,
@@ -38,7 +43,7 @@ func makeRBACNetworkFilter(
 StatPrefix: "connect_authz",
 Rules: rules,
 }
- return makeFilter("envoy.filters.network.rbac", cfg)
+ return makeFilter(envoyNetworkRBACFilterKey, cfg)
 }
 
 func makeRBACHTTPFilter(
@@ -56,7 +61,7 @@ func makeRBACHTTPFilter(
 cfg := &envoy_http_rbac_v3.RBAC{
 Rules: rules,
 }
- return makeEnvoyHTTPFilter("envoy.filters.http.rbac", cfg)
+ return makeEnvoyHTTPFilter(envoyHTTPRBACFilterKey, cfg)
 }
 
 func intentionListToIntermediateRBACForm(
@@ -326,6 +331,7 @@ func intentionActionFromBool(v bool) intentionAction {
 return intentionActionDeny
 }
 }
+
 func intentionActionFromString(s structs.IntentionAction) intentionAction {
 if s == structs.IntentionActionAllow {
 return intentionActionAllow
@@ -809,7 +815,6 @@ func segmentToPermission(segments []*envoy_matcher_v3.MetadataMatcher_PathSegmen
 // },
 // },
 func pathToSegments(paths []string, payloadKey string) []*envoy_matcher_v3.MetadataMatcher_PathSegment {
-
 segments := make([]*envoy_matcher_v3.MetadataMatcher_PathSegment, 0, len(paths))
 segments = append(segments, makeSegment(payloadKey))
 
@@ -1029,8 +1034,10 @@ func xfccPrincipal(src rbacService) *envoy_rbac_v3.Principal {
 }
 }
 
-const anyPath = `[^/]+`
-const trustDomain = anyPath + "." + anyPath
+const (
+ anyPath = `[^/]+`
+ trustDomain = anyPath + "." + anyPath
+)
 
 // downstreamServiceIdentityMatcher needs to match XFCC headers in two cases:
 // 1. Requests to cluster peered services through a mesh gateway. In this case, the XFCC header looks like the following (I added a new line after each ; for readability)
diff --git a/agent/xds/resources_ce_test.go b/agent/xds/resources_ce_test.go
index fa71348172..14d5a35253 100644
--- a/agent/xds/resources_ce_test.go
+++ b/agent/xds/resources_ce_test.go
@@ -6,6 +6,8 @@
 
 package xds
 
-func getEnterpriseGoldenTestCases() []goldenTestCase {
+import "testing"
+
+func getEnterpriseGoldenTestCases(t *testing.T) []goldenTestCase {
 return nil
 }
diff --git a/agent/xds/resources_test.go b/agent/xds/resources_test.go
index 926c44fab8..69a704386b 100644
--- a/agent/xds/resources_test.go
+++ b/agent/xds/resources_test.go
@@ -193,7 +193,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) {
 tests = append(tests, getConnectProxyTransparentProxyGoldenTestCases()...)
 tests = append(tests, getMeshGatewayPeeringGoldenTestCases()...)
 tests = append(tests, getTrafficControlPeeringGoldenTestCases(false)...)
- tests = append(tests, getEnterpriseGoldenTestCases()...)
+ tests = append(tests, getEnterpriseGoldenTestCases(t)...)
 tests = append(tests, getAPIGatewayGoldenTestCases(t)...)
 
 latestEnvoyVersion := xdscommon.EnvoyVersions[0]