NET-5147: Added placeholder structs for JWT functionality (#18575)

* Added placeholder structs for JWT functionality

* Added watches for CE vs ENT

* Add license header

* Undo plumbing work

* Add context arg
This commit is contained in:
John Maguire 2023-08-24 15:07:14 -04:00 committed by GitHub
parent 067a0112e2
commit 59ab57f350
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 82 additions and 7 deletions


@ -0,0 +1,17 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
//go:build !consulent
// +build !consulent
package proxycfg
import "context"
func watchJWTProviders(cxt context.Context, h *handlerAPIGateway) error {
return nil
}
func setJWTProvider(u UpdateEvent, snap *ConfigSnapshot) error {
return nil
}
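Review bot: The context parameter of watchJWTProviders is named `cxt`; Go convention is `ctx`, so the signature should read `func watchJWTProviders(ctx context.Context, h *handlerAPIGateway) error {`. Both stubs also lack doc comments, and because the file is gated on `!consulent` a reader needs to know that a nil error here does not mean a JWT provider was watched or applied; add `// watchJWTProviders is a no-op in the community edition build: it registers no watches and always returns nil.` and a matching `// setJWTProvider is a no-op in the community edition build and always returns nil.` on the second stub.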


@ -0,0 +1,24 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
//go:build !consulent
// +build !consulent
package xds
import (
envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
"google.golang.org/protobuf/types/known/anypb"
"github.com/hashicorp/consul/agent/structs"
)
type perRouteFilterBuilder struct {
providerMap map[string]*structs.JWTProviderConfigEntry
listener *structs.APIGatewayListener
route *structs.HTTPRouteConfigEntry
}
func (p perRouteFilterBuilder) buildFilter(match *envoy_route_v3.RouteMatch) (map[string]*anypb.Any, error) {
return nil, nil
}
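Review bot: buildFilter returns `nil, nil`, which a caller cannot distinguish from a successfully built filter unless the contract is written down; add `// buildFilter returns no per-route filters in the community edition build (nil map, nil error); callers must treat a nil map as "no JWT filter configured", not as success of an auth filter.` above it. perRouteFilterBuilder also lacks a doc comment, and what providerMap is keyed by is not evident from this hunk, so whoever lands the implementation should document the key. The value receiver on a struct holding only a map and two pointers is fine as written.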

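--- a/agent/xds/jwt_authn_ce.go
+++ b/agent/xds/jwt_authn_ce.go
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+//go:build !consulent
+// +build !consulent
+package xds
+import (
+envoy_http_jwt_authn_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3"
+envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+"github.com/hashicorp/consul/agent/structs"
+)
+type GatewayAuthFilterBuilder struct {
+listener structs.APIGatewayListener
+route *structs.HTTPRouteConfigEntry
+providers map[string]*structs.JWTProviderConfigEntry
+envoyProviders map[string]*envoy_http_jwt_authn_v3.JwtProvider
+}
+func (g *GatewayAuthFilterBuilder) makeGatewayAuthFilters() ([]*envoy_http_v3.HttpFilter, error) {
+return nil, nil
+}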
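Review bot: GatewayAuthFilterBuilder is exported but has no doc comment, and it stores `listener structs.APIGatewayListener` by value while perRouteFilterBuilder in the same commit stores `*structs.APIGatewayListener`; pick one representation now so the two builders do not diverge when the real implementations land (`listener *structs.APIGatewayListener` if the struct is large or shared with the listener's owner). Add `// GatewayAuthFilterBuilder is intended to assemble the Envoy HTTP filters that apply JWT authentication to an API gateway listener; in the community edition build makeGatewayAuthFilters returns no filters and no error.` The `!consulent` build tag is visible in the hunk, so the CE-only claim holds; what the enterprise counterpart does is not visible here.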


@ -23,6 +23,11 @@ import (
"github.com/hashicorp/consul/proto/private/pbpeering" "github.com/hashicorp/consul/proto/private/pbpeering"
) )
const (
envoyHTTPRBACFilterKey = "envoy.filters.http.rbac"
envoyNetworkRBACFilterKey = "envoy.filters.network.rbac"
)
func makeRBACNetworkFilter( func makeRBACNetworkFilter(
intentions structs.SimplifiedIntentions, intentions structs.SimplifiedIntentions,
intentionDefaultAllow bool, intentionDefaultAllow bool,
@ -38,7 +43,7 @@ func makeRBACNetworkFilter(
StatPrefix: "connect_authz", StatPrefix: "connect_authz",
Rules: rules, Rules: rules,
} }
return makeFilter("envoy.filters.network.rbac", cfg) return makeFilter(envoyNetworkRBACFilterKey, cfg)
} }
func makeRBACHTTPFilter( func makeRBACHTTPFilter(
@ -56,7 +61,7 @@ func makeRBACHTTPFilter(
cfg := &envoy_http_rbac_v3.RBAC{ cfg := &envoy_http_rbac_v3.RBAC{
Rules: rules, Rules: rules,
} }
return makeEnvoyHTTPFilter("envoy.filters.http.rbac", cfg) return makeEnvoyHTTPFilter(envoyHTTPRBACFilterKey, cfg)
} }
func intentionListToIntermediateRBACForm( func intentionListToIntermediateRBACForm(
@ -326,6 +331,7 @@ func intentionActionFromBool(v bool) intentionAction {
return intentionActionDeny return intentionActionDeny
} }
} }
func intentionActionFromString(s structs.IntentionAction) intentionAction { func intentionActionFromString(s structs.IntentionAction) intentionAction {
if s == structs.IntentionActionAllow { if s == structs.IntentionActionAllow {
return intentionActionAllow return intentionActionAllow
@ -809,7 +815,6 @@ func segmentToPermission(segments []*envoy_matcher_v3.MetadataMatcher_PathSegmen
// }, // },
// }, // },
func pathToSegments(paths []string, payloadKey string) []*envoy_matcher_v3.MetadataMatcher_PathSegment { func pathToSegments(paths []string, payloadKey string) []*envoy_matcher_v3.MetadataMatcher_PathSegment {
segments := make([]*envoy_matcher_v3.MetadataMatcher_PathSegment, 0, len(paths)) segments := make([]*envoy_matcher_v3.MetadataMatcher_PathSegment, 0, len(paths))
segments = append(segments, makeSegment(payloadKey)) segments = append(segments, makeSegment(payloadKey))
@ -1029,8 +1034,10 @@ func xfccPrincipal(src rbacService) *envoy_rbac_v3.Principal {
} }
} }
const anyPath = `[^/]+` const (
const trustDomain = anyPath + "." + anyPath anyPath = `[^/]+`
trustDomain = anyPath + "." + anyPath
)
// downstreamServiceIdentityMatcher needs to match XFCC headers in two cases: // downstreamServiceIdentityMatcher needs to match XFCC headers in two cases:
// 1. Requests to cluster peered services through a mesh gateway. In this case, the XFCC header looks like the following (I added a new line after each ; for readability) // 1. Requests to cluster peered services through a mesh gateway. In this case, the XFCC header looks like the following (I added a new line after each ; for readability)
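Review bot: The new `envoyHTTPRBACFilterKey` and `envoyNetworkRBACFilterKey` constants at the top of this section carry no doc comment even though their values are Envoy filter type names that must match what Envoy registers; add `// Envoy RBAC filter names, passed as the filter name to makeEnvoyHTTPFilter and makeFilter.` above the block. Their only visible uses are the two call sites in makeRBACNetworkFilter and makeRBACHTTPFilter, so the `Key` suffix may be misleading if nothing looks filters up by them. The later hunks in this section, including folding anyPath and trustDomain into one const block, are mechanical and need no change.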


@ -6,6 +6,8 @@
package xds package xds
func getEnterpriseGoldenTestCases() []goldenTestCase { import "testing"
func getEnterpriseGoldenTestCases(t *testing.T) []goldenTestCase {
return nil return nil
} }
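Review bot: The `t *testing.T` parameter added to getEnterpriseGoldenTestCases is unused in this stub, which is acceptable for keeping the call site in TestAllResourcesFromSnapshot uniform, but the stub should say so: `// getEnterpriseGoldenTestCases returns no additional golden cases in this build; t is accepted only so the signature matches the other implementation.` The file's build tag is outside this hunk, so the community/enterprise split is inferred from the function name rather than shown here.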


@ -193,7 +193,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) {
tests = append(tests, getConnectProxyTransparentProxyGoldenTestCases()...) tests = append(tests, getConnectProxyTransparentProxyGoldenTestCases()...)
tests = append(tests, getMeshGatewayPeeringGoldenTestCases()...) tests = append(tests, getMeshGatewayPeeringGoldenTestCases()...)
tests = append(tests, getTrafficControlPeeringGoldenTestCases(false)...) tests = append(tests, getTrafficControlPeeringGoldenTestCases(false)...)
tests = append(tests, getEnterpriseGoldenTestCases()...) tests = append(tests, getEnterpriseGoldenTestCases(t)...)
tests = append(tests, getAPIGatewayGoldenTestCases(t)...) tests = append(tests, getAPIGatewayGoldenTestCases(t)...)
latestEnvoyVersion := xdscommon.EnvoyVersions[0] latestEnvoyVersion := xdscommon.EnvoyVersions[0]