oss: peering, http: get peer service intentions (#2098)

Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
This commit is contained in:
acpana 2022-06-22 16:25:09 -07:00
parent e00ebbb87d
commit 99c2e11328
No known key found for this signature in database
GPG Key ID: 21CC0F2B42CEA01D
2 changed files with 146 additions and 39 deletions

View File

@ -145,15 +145,15 @@ func (s *HTTPHandlers) IntentionMatch(resp http.ResponseWriter, req *http.Reques
// order of the returned responses. // order of the returned responses.
args.Match.Entries = make([]structs.IntentionMatchEntry, len(names)) args.Match.Entries = make([]structs.IntentionMatchEntry, len(names))
for i, n := range names { for i, n := range names {
ap, ns, name, err := parseIntentionStringComponent(n, &entMeta) parsed, err := parseIntentionStringComponent(n, &entMeta, false)
if err != nil { if err != nil {
return nil, fmt.Errorf("name %q is invalid: %s", n, err) return nil, fmt.Errorf("name %q is invalid: %s", n, err)
} }
args.Match.Entries[i] = structs.IntentionMatchEntry{ args.Match.Entries[i] = structs.IntentionMatchEntry{
Partition: ap, Partition: parsed.ap,
Namespace: ns, Namespace: parsed.ns,
Name: name, Name: parsed.name,
} }
} }
@ -235,23 +235,23 @@ func (s *HTTPHandlers) IntentionCheck(resp http.ResponseWriter, req *http.Reques
// We parse them the same way as matches to extract partition/namespace/name // We parse them the same way as matches to extract partition/namespace/name
args.Check.SourceName = source[0] args.Check.SourceName = source[0]
if args.Check.SourceType == structs.IntentionSourceConsul { if args.Check.SourceType == structs.IntentionSourceConsul {
ap, ns, name, err := parseIntentionStringComponent(source[0], &entMeta) parsed, err := parseIntentionStringComponent(source[0], &entMeta, false)
if err != nil { if err != nil {
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err) return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
} }
args.Check.SourcePartition = ap args.Check.SourcePartition = parsed.ap
args.Check.SourceNS = ns args.Check.SourceNS = parsed.ns
args.Check.SourceName = name args.Check.SourceName = parsed.name
} }
// The destination is always in the Consul format // The destination is always in the Consul format
ap, ns, name, err := parseIntentionStringComponent(destination[0], &entMeta) parsed, err := parseIntentionStringComponent(destination[0], &entMeta, false)
if err != nil { if err != nil {
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err) return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
} }
args.Check.DestinationPartition = ap args.Check.DestinationPartition = parsed.ap
args.Check.DestinationNS = ns args.Check.DestinationNS = parsed.ns
args.Check.DestinationName = name args.Check.DestinationName = parsed.name
var reply structs.IntentionQueryCheckResponse var reply structs.IntentionQueryCheckResponse
if err := s.agent.RPC("Intention.Check", args, &reply); err != nil { if err := s.agent.RPC("Intention.Check", args, &reply); err != nil {
@ -302,23 +302,25 @@ func (s *HTTPHandlers) IntentionGetExact(resp http.ResponseWriter, req *http.Req
} }
{ {
ap, ns, name, err := parseIntentionStringComponent(source[0], &entMeta) parsed, err := parseIntentionStringComponent(source[0], &entMeta, true)
if err != nil { if err != nil {
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err) return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
} }
args.Exact.SourcePartition = ap
args.Exact.SourceNS = ns args.Exact.SourcePeer = parsed.peer
args.Exact.SourceName = name args.Exact.SourcePartition = parsed.ap
args.Exact.SourceNS = parsed.ns
args.Exact.SourceName = parsed.name
} }
{ {
ap, ns, name, err := parseIntentionStringComponent(destination[0], &entMeta) parsed, err := parseIntentionStringComponent(destination[0], &entMeta, false)
if err != nil { if err != nil {
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err) return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
} }
args.Exact.DestinationPartition = ap args.Exact.DestinationPartition = parsed.ap
args.Exact.DestinationNS = ns args.Exact.DestinationNS = parsed.ns
args.Exact.DestinationName = name args.Exact.DestinationName = parsed.name
} }
var reply structs.IndexedIntentions var reply structs.IndexedIntentions
@ -444,42 +446,67 @@ func parseIntentionQueryExact(req *http.Request, entMeta *acl.EnterpriseMeta) (*
var exact structs.IntentionQueryExact var exact structs.IntentionQueryExact
{ {
ap, ns, name, err := parseIntentionStringComponent(source[0], entMeta) parsed, err := parseIntentionStringComponent(source[0], entMeta, false)
if err != nil { if err != nil {
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err) return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
} }
exact.SourcePartition = ap exact.SourcePartition = parsed.ap
exact.SourceNS = ns exact.SourceNS = parsed.ns
exact.SourceName = name exact.SourceName = parsed.name
} }
{ {
ap, ns, name, err := parseIntentionStringComponent(destination[0], entMeta) parsed, err := parseIntentionStringComponent(destination[0], entMeta, false)
if err != nil { if err != nil {
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err) return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
} }
exact.DestinationPartition = ap exact.DestinationPartition = parsed.ap
exact.DestinationNS = ns exact.DestinationNS = parsed.ns
exact.DestinationName = name exact.DestinationName = parsed.name
} }
return &exact, nil return &exact, nil
} }
func parseIntentionStringComponent(input string, entMeta *acl.EnterpriseMeta) (string, string, string, error) { type parsedIntentionInput struct {
peer, ap, ns, name string
}
func parseIntentionStringComponent(input string, entMeta *acl.EnterpriseMeta, allowPeerKeyword bool) (*parsedIntentionInput, error) {
if strings.HasPrefix(input, "peer:") && !allowPeerKeyword {
return nil, fmt.Errorf("cannot specify a peer here")
}
ss := strings.Split(input, "/") ss := strings.Split(input, "/")
switch len(ss) { switch len(ss) {
case 1: // Name only case 1: // Name only
// need to specify at least the service name too
if strings.HasPrefix(ss[0], "peer:") {
return nil, fmt.Errorf("need to specify the service name as well")
}
ns := entMeta.NamespaceOrEmpty() ns := entMeta.NamespaceOrEmpty()
ap := entMeta.PartitionOrEmpty() ap := entMeta.PartitionOrEmpty()
return ap, ns, ss[0], nil return &parsedIntentionInput{ap: ap, ns: ns, name: ss[0]}, nil
case 2: // namespace/name case 2: // peer:peer/name OR namespace/name
if strings.HasPrefix(ss[0], "peer:") {
peerName := strings.TrimPrefix(ss[0], "peer:")
ns := entMeta.NamespaceOrEmpty()
return &parsedIntentionInput{peer: peerName, ns: ns, name: ss[1]}, nil
}
ap := entMeta.PartitionOrEmpty() ap := entMeta.PartitionOrEmpty()
return ap, ss[0], ss[1], nil return &parsedIntentionInput{ap: ap, ns: ss[0], name: ss[1]}, nil
case 3: // partition/namespace/name case 3: // peer:peer/namespace/name OR partition/namespace/name
return ss[0], ss[1], ss[2], nil if strings.HasPrefix(ss[0], "peer:") {
peerName := strings.TrimPrefix(ss[0], "peer:")
return &parsedIntentionInput{peer: peerName, ns: ss[1], name: ss[2]}, nil
} else {
return &parsedIntentionInput{ap: ss[0], ns: ss[1], name: ss[2]}, nil
}
default: default:
return "", "", "", fmt.Errorf("input can contain at most two '/'") return nil, fmt.Errorf("input can contain at most two '/'")
} }
} }

View File

@ -349,6 +349,57 @@ func TestIntentionCheck(t *testing.T) {
}) })
} }
func TestIntentionGetExact_PeerIntentions(t *testing.T) {
if testing.Short() {
t.Skip("too slow for testing.Short")
}
t.Parallel()
a := NewTestAgent(t, "")
testrpc.WaitForTestAgent(t, a.RPC, "dc1")
testutil.RunStep(t, "create a peer intentions", func(t *testing.T) {
configEntryIntention := structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "bar",
Sources: []*structs.SourceIntention{
{
Name: "foo",
Peer: "peer1",
Action: structs.IntentionActionAllow,
},
},
}
req, err := http.NewRequest("PUT", "/v1/config", jsonReader(configEntryIntention))
require.NoError(t, err)
resp := httptest.NewRecorder()
obj, err := a.srv.ConfigApply(resp, req)
require.NoError(t, err)
applied, ok := obj.(bool)
require.True(t, ok)
require.True(t, applied)
})
t.Run("get peer intention", func(t *testing.T) {
req, err := http.NewRequest("GET", "/v1/connect/intentions/exact?source=peer:peer1/foo&destination=bar", nil)
require.NoError(t, err)
resp := httptest.NewRecorder()
obj, err := a.srv.IntentionExact(resp, req)
require.NoError(t, err)
require.NotNil(t, obj)
value, ok := obj.(*structs.Intention)
require.True(t, ok)
require.Equal(t, "peer1", value.SourcePeer)
require.Equal(t, "foo", value.SourceName)
require.Equal(t, "bar", value.DestinationName)
})
}
func TestIntentionGetExact(t *testing.T) { func TestIntentionGetExact(t *testing.T) {
if testing.Short() { if testing.Short() {
t.Skip("too slow for testing.Short") t.Skip("too slow for testing.Short")
@ -828,6 +879,8 @@ func TestParseIntentionStringComponent(t *testing.T) {
cases := []struct { cases := []struct {
TestName string TestName string
Input string Input string
AllowsPeers bool
ExpectedPeer string
ExpectedAP string ExpectedAP string
ExpectedNS string ExpectedNS string
ExpectedName string ExpectedName string
@ -866,20 +919,47 @@ func TestParseIntentionStringComponent(t *testing.T) {
Input: "uhoh/blah/foo/bar", Input: "uhoh/blah/foo/bar",
Err: true, Err: true,
}, },
{
TestName: "peered without namespace",
Input: "peer:peer1/service_name",
AllowsPeers: true,
ExpectedPeer: "peer1",
ExpectedAP: "",
ExpectedNS: "",
ExpectedName: "service_name",
},
{
TestName: "need to specify at least a service",
Input: "peer:peer1",
Err: true,
},
{
TestName: "peered not allowed error",
Input: "peer:peer1/service_name",
AllowsPeers: false,
Err: true,
},
} }
for _, tc := range cases { for _, tc := range cases {
t.Run(tc.TestName, func(t *testing.T) { t.Run(tc.TestName, func(t *testing.T) {
var entMeta acl.EnterpriseMeta var entMeta acl.EnterpriseMeta
ap, ns, name, err := parseIntentionStringComponent(tc.Input, &entMeta) parsed, err := parseIntentionStringComponent(tc.Input, &entMeta, tc.AllowsPeers)
if tc.Err { if tc.Err {
require.Error(t, err) require.Error(t, err)
} else { } else {
require.NoError(t, err) require.NoError(t, err)
assert.Equal(t, tc.ExpectedAP, ap) if tc.AllowsPeers {
assert.Equal(t, tc.ExpectedNS, ns) assert.Equal(t, tc.ExpectedPeer, parsed.peer)
assert.Equal(t, tc.ExpectedName, name) assert.Equal(t, "", parsed.ap)
} else {
assert.Equal(t, tc.ExpectedAP, parsed.ap)
assert.Equal(t, "", parsed.peer)
}
assert.Equal(t, tc.ExpectedNS, parsed.ns)
assert.Equal(t, tc.ExpectedName, parsed.name)
} }
}) })
} }