mirror of https://github.com/status-im/consul.git
temporarily disallow L7 traffic permissions (#19322)
This commit is contained in:
parent
bb3d5a16c5
commit
896d8f5ec5
|
@ -12,4 +12,5 @@ var (
|
||||||
errSourceExcludes = errors.New("must be defined on wildcard sources")
|
errSourceExcludes = errors.New("must be defined on wildcard sources")
|
||||||
errInvalidPrefixValues = errors.New("prefix values, regex values, and explicit names must not combined")
|
errInvalidPrefixValues = errors.New("prefix values, regex values, and explicit names must not combined")
|
||||||
ErrWildcardNotSupported = errors.New("traffic permissions without explicit destinations are not yet supported")
|
ErrWildcardNotSupported = errors.New("traffic permissions without explicit destinations are not yet supported")
|
||||||
|
ErrL7NotSupported = errors.New("traffic permissions with L7 rules are not yet supported")
|
||||||
)
|
)
|
||||||
|
|
|
@ -217,6 +217,13 @@ func validatePermission(p *pbauth.Permission, wrapErr func(error) error) error {
|
||||||
Wrapped: err,
|
Wrapped: err,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
// TODO: remove this when L7 traffic permissions are implemented
|
||||||
|
if len(dest.PathExact) > 0 || len(dest.PathPrefix) > 0 || len(dest.PathRegex) > 0 || len(dest.Methods) > 0 || dest.Header != nil {
|
||||||
|
merr = multierror.Append(merr, wrapDestRuleErr(resource.ErrInvalidListElement{
|
||||||
|
Name: "destination_rule",
|
||||||
|
Wrapped: ErrL7NotSupported,
|
||||||
|
}))
|
||||||
|
}
|
||||||
if (len(dest.PathExact) > 0 && len(dest.PathPrefix) > 0) ||
|
if (len(dest.PathExact) > 0 && len(dest.PathPrefix) > 0) ||
|
||||||
(len(dest.PathRegex) > 0 && len(dest.PathExact) > 0) ||
|
(len(dest.PathRegex) > 0 && len(dest.PathExact) > 0) ||
|
||||||
(len(dest.PathRegex) > 0 && len(dest.PathPrefix) > 0) {
|
(len(dest.PathRegex) > 0 && len(dest.PathPrefix) > 0) {
|
||||||
|
@ -234,6 +241,13 @@ func validatePermission(p *pbauth.Permission, wrapErr func(error) error) error {
|
||||||
Wrapped: err,
|
Wrapped: err,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
// TODO: remove this when L7 traffic permissions are implemented
|
||||||
|
if len(excl.PathExact) > 0 || len(excl.PathPrefix) > 0 || len(excl.PathRegex) > 0 || len(excl.Methods) > 0 || excl.Header != nil {
|
||||||
|
merr = multierror.Append(merr, wrapDestRuleErr(resource.ErrInvalidListElement{
|
||||||
|
Name: "exclude_permission_rules",
|
||||||
|
Wrapped: ErrL7NotSupported,
|
||||||
|
}))
|
||||||
|
}
|
||||||
if (len(excl.PathExact) > 0 && len(excl.PathPrefix) > 0) ||
|
if (len(excl.PathExact) > 0 && len(excl.PathPrefix) > 0) ||
|
||||||
(len(excl.PathRegex) > 0 && len(excl.PathExact) > 0) ||
|
(len(excl.PathRegex) > 0 && len(excl.PathExact) > 0) ||
|
||||||
(len(excl.PathRegex) > 0 && len(excl.PathPrefix) > 0) {
|
(len(excl.PathRegex) > 0 && len(excl.PathPrefix) > 0) {
|
||||||
|
|
|
@ -66,16 +66,7 @@ func TestValidateTrafficPermissions(t *testing.T) {
|
||||||
"no-destination": {
|
"no-destination": {
|
||||||
tp: &pbauth.TrafficPermissions{
|
tp: &pbauth.TrafficPermissions{
|
||||||
Action: pbauth.Action_ACTION_ALLOW,
|
Action: pbauth.Action_ACTION_ALLOW,
|
||||||
Permissions: []*pbauth.Permission{
|
Permissions: nil,
|
||||||
{
|
|
||||||
Sources: nil,
|
|
||||||
DestinationRules: []*pbauth.DestinationRule{
|
|
||||||
{
|
|
||||||
PathExact: "wi2",
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
expectErr: `invalid "data.destination" field: cannot be empty`,
|
expectErr: `invalid "data.destination" field: cannot be empty`,
|
||||||
},
|
},
|
||||||
|
@ -100,6 +91,76 @@ func TestValidateTrafficPermissions(t *testing.T) {
|
||||||
},
|
},
|
||||||
expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "sources": invalid element at index 0 of list "source": permissions sources may not specify partitions, peers, and sameness_groups together`,
|
expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "sources": invalid element at index 0 of list "source": permissions sources may not specify partitions, peers, and sameness_groups together`,
|
||||||
},
|
},
|
||||||
|
// TODO: remove when L7 traffic permissions are implemented
|
||||||
|
"l7-fields-path": {
|
||||||
|
tp: &pbauth.TrafficPermissions{
|
||||||
|
Destination: &pbauth.Destination{
|
||||||
|
IdentityName: "w1",
|
||||||
|
},
|
||||||
|
Action: pbauth.Action_ACTION_ALLOW,
|
||||||
|
Permissions: []*pbauth.Permission{
|
||||||
|
{
|
||||||
|
Sources: []*pbauth.Source{
|
||||||
|
{
|
||||||
|
Partition: "ap1",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
DestinationRules: []*pbauth.DestinationRule{
|
||||||
|
{
|
||||||
|
PathExact: "wi2",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "destination_rules": invalid element at index 0 of list "destination_rule": traffic permissions with L7 rules are not yet supported`,
|
||||||
|
},
|
||||||
|
"l7-fields-methods": {
|
||||||
|
tp: &pbauth.TrafficPermissions{
|
||||||
|
Destination: &pbauth.Destination{
|
||||||
|
IdentityName: "w1",
|
||||||
|
},
|
||||||
|
Action: pbauth.Action_ACTION_ALLOW,
|
||||||
|
Permissions: []*pbauth.Permission{
|
||||||
|
{
|
||||||
|
Sources: []*pbauth.Source{
|
||||||
|
{
|
||||||
|
Partition: "ap1",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
DestinationRules: []*pbauth.DestinationRule{
|
||||||
|
{
|
||||||
|
Methods: []string{"PUT"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "destination_rules": invalid element at index 0 of list "destination_rule": traffic permissions with L7 rules are not yet supported`,
|
||||||
|
},
|
||||||
|
"l7-fields-header": {
|
||||||
|
tp: &pbauth.TrafficPermissions{
|
||||||
|
Destination: &pbauth.Destination{
|
||||||
|
IdentityName: "w1",
|
||||||
|
},
|
||||||
|
Action: pbauth.Action_ACTION_ALLOW,
|
||||||
|
Permissions: []*pbauth.Permission{
|
||||||
|
{
|
||||||
|
Sources: []*pbauth.Source{
|
||||||
|
{
|
||||||
|
Partition: "ap1",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
DestinationRules: []*pbauth.DestinationRule{
|
||||||
|
{
|
||||||
|
Header: &pbauth.DestinationRuleHeader{Name: "foo"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectErr: `invalid element at index 0 of list "permissions": invalid element at index 0 of list "destination_rules": invalid element at index 0 of list "destination_rule": traffic permissions with L7 rules are not yet supported`,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for n, tc := range cases {
|
for n, tc := range cases {
|
||||||
|
|
Loading…
Reference in New Issue