NET-5147: Added placeholder structs for JWT functionality (#18575)

* Added placeholder structs for JWT functionality * Added watches for CE vs ENT * Add license header * Undo plumbing work * Add context arg
2023-08-24 15:07:14 -04:00 · 2023-08-24 15:07:14 -04:00 · 59ab57f350
parent 067a0112e2
commit 59ab57f350
6 changed files with 82 additions and 7 deletions
--- a/agent/proxycfg/api_gateway_ce.go
+++ b/agent/proxycfg/api_gateway_ce.go
@ -0,0 +1,17 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 //go:build !consulent
 // +build !consulent
 package proxycfg
 import "context"
 func watchJWTProviders(cxt context.Context, h *handlerAPIGateway) error {
 	return nil
 }
 func setJWTProvider(u UpdateEvent, snap *ConfigSnapshot) error {
 	return nil
 }
--- a/agent/xds/gw_per_route_filters_ce.go
+++ b/agent/xds/gw_per_route_filters_ce.go
@ -0,0 +1,24 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 //go:build !consulent
 // +build !consulent
 package xds
 import (
 	envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	"google.golang.org/protobuf/types/known/anypb"
 	"github.com/hashicorp/consul/agent/structs"
 )
 type perRouteFilterBuilder struct {
 	providerMap map[string]*structs.JWTProviderConfigEntry
 	listener    *structs.APIGatewayListener
 	route       *structs.HTTPRouteConfigEntry
 }
 func (p perRouteFilterBuilder) buildFilter(match *envoy_route_v3.RouteMatch) (map[string]*anypb.Any, error) {
 	return nil, nil
 }
--- a/agent/xds/jwt_authn_ce.go
+++ b/agent/xds/jwt_authn_ce.go
@ -0,0 +1,25 @@
 // Copyright (c) HashiCorp, Inc.
 // SPDX-License-Identifier: BUSL-1.1
 //go:build !consulent
 // +build !consulent
 package xds
 import (
 	envoy_http_jwt_authn_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3"
 	envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	"github.com/hashicorp/consul/agent/structs"
 )
 type GatewayAuthFilterBuilder struct {
 	listener       structs.APIGatewayListener
 	route          *structs.HTTPRouteConfigEntry
 	providers      map[string]*structs.JWTProviderConfigEntry
 	envoyProviders map[string]*envoy_http_jwt_authn_v3.JwtProvider
 }
 func (g *GatewayAuthFilterBuilder) makeGatewayAuthFilters() ([]*envoy_http_v3.HttpFilter, error) {
 	return nil, nil
 }
--- a/agent/xds/rbac.go
+++ b/agent/xds/rbac.go
@ -23,6 +23,11 @@ import (
 	"github.com/hashicorp/consul/proto/private/pbpeering"
 )
 const (
 	envoyHTTPRBACFilterKey    = "envoy.filters.http.rbac"
 	envoyNetworkRBACFilterKey = "envoy.filters.network.rbac"
 )
 func makeRBACNetworkFilter(
 	intentions structs.SimplifiedIntentions,
 	intentionDefaultAllow bool,
@ -38,7 +43,7 @@ func makeRBACNetworkFilter(
 		StatPrefix: "connect_authz",
 		Rules:      rules,
 	}
-	return makeFilter("envoy.filters.network.rbac", cfg)
+	return makeFilter(envoyNetworkRBACFilterKey, cfg)
 }
 func makeRBACHTTPFilter(
@ -56,7 +61,7 @@ func makeRBACHTTPFilter(
 	cfg := &envoy_http_rbac_v3.RBAC{
 		Rules: rules,
 	}
-	return makeEnvoyHTTPFilter("envoy.filters.http.rbac", cfg)
+	return makeEnvoyHTTPFilter(envoyHTTPRBACFilterKey, cfg)
 }
 func intentionListToIntermediateRBACForm(
@ -326,6 +331,7 @@ func intentionActionFromBool(v bool) intentionAction {
 		return intentionActionDeny
 	}
 }
 func intentionActionFromString(s structs.IntentionAction) intentionAction {
 	if s == structs.IntentionActionAllow {
 		return intentionActionAllow
@ -809,7 +815,6 @@ func segmentToPermission(segments []*envoy_matcher_v3.MetadataMatcher_PathSegmen
 //		},
 //	},
 func pathToSegments(paths []string, payloadKey string) []*envoy_matcher_v3.MetadataMatcher_PathSegment {
 	segments := make([]*envoy_matcher_v3.MetadataMatcher_PathSegment, 0, len(paths))
 	segments = append(segments, makeSegment(payloadKey))
@ -1029,8 +1034,10 @@ func xfccPrincipal(src rbacService) *envoy_rbac_v3.Principal {
 	}
 }
-const anyPath = `[^/]+`
+const (
-const trustDomain = anyPath + "." + anyPath
+	anyPath     = `[^/]+`
 	trustDomain = anyPath + "." + anyPath
 )
 // downstreamServiceIdentityMatcher needs to match XFCC headers in two cases:
 // 1. Requests to cluster peered services through a mesh gateway. In this case, the XFCC header looks like the following (I added a new line after each ; for readability)
--- a/agent/xds/resources_ce_test.go
+++ b/agent/xds/resources_ce_test.go
@ -6,6 +6,8 @@
 package xds
-func getEnterpriseGoldenTestCases() []goldenTestCase {
+import "testing"
 func getEnterpriseGoldenTestCases(t *testing.T) []goldenTestCase {
 	return nil
 }
--- a/agent/xds/resources_test.go
+++ b/agent/xds/resources_test.go
@ -193,7 +193,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) {
 	tests = append(tests, getConnectProxyTransparentProxyGoldenTestCases()...)
 	tests = append(tests, getMeshGatewayPeeringGoldenTestCases()...)
 	tests = append(tests, getTrafficControlPeeringGoldenTestCases(false)...)
-	tests = append(tests, getEnterpriseGoldenTestCases()...)
+	tests = append(tests, getEnterpriseGoldenTestCases(t)...)
 	tests = append(tests, getAPIGatewayGoldenTestCases(t)...)
 	latestEnvoyVersion := xdscommon.EnvoyVersions[0]