Augment intention decision summary with DefaultAllow mode
parent
18decbba9d
commit
932fbddd27
@ -1721,6 +1721,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
|||||||
|
|
||||||
expectUp := map[string]structs.IntentionDecisionSummary{
|
expectUp := map[string]structs.IntentionDecisionSummary{
|
||||||
web.String(): {
|
web.String(): {
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
@ -1749,6 +1750,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
|||||||
|
|
||||||
expectDown := map[string]structs.IntentionDecisionSummary{
|
expectDown := map[string]structs.IntentionDecisionSummary{
|
||||||
api.String(): {
|
api.String(): {
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
@ -1764,6 +1766,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
|||||||
|
|
||||||
expectUp := map[string]structs.IntentionDecisionSummary{
|
expectUp := map[string]structs.IntentionDecisionSummary{
|
||||||
redis.String(): {
|
redis.String(): {
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
HasExact: true,
|
HasExact: true,
|
||||||
@ -1791,6 +1794,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
|
|||||||
|
|
||||||
expectDown := map[string]structs.IntentionDecisionSummary{
|
expectDown := map[string]structs.IntentionDecisionSummary{
|
||||||
web.String(): {
|
web.String(): {
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
HasExact: true,
|
HasExact: true,
|
||||||
|
@ -750,10 +750,12 @@ func (s *Store) IntentionDecision(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var resp structs.IntentionDecisionSummary
|
resp := structs.IntentionDecisionSummary{
|
||||||
|
DefaultAllow: defaultDecision == acl.Allow,
|
||||||
|
}
|
||||||
if ixnMatch == nil {
|
if ixnMatch == nil {
|
||||||
// No intention found, fall back to default
|
// No intention found, fall back to default
|
||||||
resp.Allowed = defaultDecision == acl.Allow
|
resp.Allowed = resp.DefaultAllow
|
||||||
return resp, nil
|
return resp, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
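Review bot: `resp.Allowed = resp.DefaultAllow` in the no-match branch makes the enforcement result read from a field that was added for reporting, so a later change to how `DefaultAllow` is populated would silently change what is allowed. Compute the fallback once and assign both from it: `defaultAllow := defaultDecision == acl.Allow`, then `resp := structs.IntentionDecisionSummary{DefaultAllow: defaultAllow}` and `resp.Allowed = defaultAllow`. Any `defaultDecision` other than `acl.Allow` yields false here, which fails closed; a one-line comment saying that is intentional would help the next reader. The body of IntentionDecision begins and continues outside this hunk.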
|
@ -1774,7 +1774,10 @@ func TestStore_IntentionDecision(t *testing.T) {
|
|||||||
dst: "ditto",
|
dst: "ditto",
|
||||||
matchType: structs.IntentionMatchDestination,
|
matchType: structs.IntentionMatchDestination,
|
||||||
defaultDecision: acl.Deny,
|
defaultDecision: acl.Deny,
|
||||||
expect: structs.IntentionDecisionSummary{Allowed: false},
|
expect: structs.IntentionDecisionSummary{
|
||||||
|
Allowed: false,
|
||||||
|
DefaultAllow: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "no matching intention and default allow",
|
name: "no matching intention and default allow",
|
||||||
@ -1782,7 +1785,10 @@ func TestStore_IntentionDecision(t *testing.T) {
|
|||||||
dst: "ditto",
|
dst: "ditto",
|
||||||
matchType: structs.IntentionMatchDestination,
|
matchType: structs.IntentionMatchDestination,
|
||||||
defaultDecision: acl.Allow,
|
defaultDecision: acl.Allow,
|
||||||
expect: structs.IntentionDecisionSummary{Allowed: true},
|
expect: structs.IntentionDecisionSummary{
|
||||||
|
Allowed: true,
|
||||||
|
DefaultAllow: true,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "denied with permissions",
|
name: "denied with permissions",
|
||||||
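Review bot: Both updated cases sit on the no-matching-intention path, where `Allowed` and `DefaultAllow` are equal by construction, so they cannot show that the two fields are reported independently. Because no other case in the table needed a change, the matched-intention cases presumably all run with a non-allow default; consider adding one with `defaultDecision: acl.Allow` and a denying intention that expects `Allowed: false, DefaultAllow: true`. The rest of the table is outside these hunks, so confirm that no such case already exists.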
|
@ -666,12 +666,14 @@ type IntentionQueryCheckResponse struct {
|
|||||||
// - Whether all actions are allowed
|
// - Whether all actions are allowed
|
||||||
// - Whether the matching intention has L7 permissions attached
|
// - Whether the matching intention has L7 permissions attached
|
||||||
// - Whether the intention is managed by an external source like k8s
|
// - Whether the intention is managed by an external source like k8s
|
||||||
// - Whether there is an exact, on-wildcard, intention referencing the two services
|
// - Whether there is an exact, or wildcard, intention referencing the two services
|
||||||
|
// - Whether ACLs are in DefaultAllow mode
|
||||||
type IntentionDecisionSummary struct {
|
type IntentionDecisionSummary struct {
|
||||||
Allowed bool
|
Allowed bool
|
||||||
HasPermissions bool
|
HasPermissions bool
|
||||||
ExternalSource string
|
ExternalSource string
|
||||||
HasExact bool
|
HasExact bool
|
||||||
|
DefaultAllow bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// IntentionQueryExact holds the parameters for performing a lookup of an
|
// IntentionQueryExact holds the parameters for performing a lookup of an
|
||||||
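Review bot: The new `DefaultAllow` field has no comment of its own, and the header bullet "Whether ACLs are in DefaultAllow mode" states more than the code on this page establishes: in Store.IntentionDecision the value is `defaultDecision == acl.Allow`, i.e. whatever default the caller supplied. Suggest a field comment such as `// DefaultAllow is true when the default decision supplied to the lookup was allow; it describes the fallback, not the outcome for this pair (see Allowed).` The tests in this commit expect `DefaultAllow: true` together with `Allowed: false`, so consumers of the summary should be told explicitly that only `Allowed` is the authorization result. The summary also appears in the UI topology expectations, so the field presumably exposes the default policy to callers of that endpoint; worth confirming that is intended.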
|
@ -1431,6 +1431,7 @@ func TestUIServiceTopology(t *testing.T) {
|
|||||||
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
||||||
},
|
},
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
HasExact: true,
|
HasExact: true,
|
||||||
@ -1474,6 +1475,7 @@ func TestUIServiceTopology(t *testing.T) {
|
|||||||
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
||||||
},
|
},
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: true,
|
Allowed: true,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
HasExact: true,
|
HasExact: true,
|
||||||
@ -1493,6 +1495,7 @@ func TestUIServiceTopology(t *testing.T) {
|
|||||||
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
||||||
},
|
},
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
@ -1542,6 +1545,7 @@ func TestUIServiceTopology(t *testing.T) {
|
|||||||
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
||||||
},
|
},
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
HasExact: true,
|
HasExact: true,
|
||||||
@ -1559,6 +1563,7 @@ func TestUIServiceTopology(t *testing.T) {
|
|||||||
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
||||||
},
|
},
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: false,
|
HasPermissions: false,
|
||||||
ExternalSource: "nomad",
|
ExternalSource: "nomad",
|
||||||
@ -1610,6 +1615,7 @@ func TestUIServiceTopology(t *testing.T) {
|
|||||||
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
EnterpriseMeta: *structs.DefaultEnterpriseMeta(),
|
||||||
},
|
},
|
||||||
Intention: structs.IntentionDecisionSummary{
|
Intention: structs.IntentionDecisionSummary{
|
||||||
|
DefaultAllow: true,
|
||||||
Allowed: false,
|
Allowed: false,
|
||||||
HasPermissions: true,
|
HasPermissions: true,
|
||||||
HasExact: true,
|
HasExact: true,
|
||||||
|