status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-01-10 22:06:20 +00:00
Code Issues Projects Releases Wiki Activity

Add HasExact to topology endpoint (#9010)

Browse Source
This commit is contained in:
Freddy 2020-10-23 10:45:41 -06:00 committed by GitHub
parent 46071cbb03
commit 9c04cbc40f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 57 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
agent/consul/internal_endpoint_test.go
View File

@ -1622,6 +1622,8 @@ func TestInternal_ServiceTopology(t *testing.T) {
// web and web-proxy on node bar - upstream: redis // web and web-proxy on node bar - upstream: redis
// web and web-proxy on node baz - upstream: redis // web and web-proxy on node baz - upstream: redis
// redis and redis-proxy on node zip // redis and redis-proxy on node zip
// wildcard deny intention
// web -> redis exact intentino
registerTestTopologyEntries(t, codec, "") registerTestTopologyEntries(t, codec, "")
var ( var (
@ -1650,6 +1652,9 @@ func TestInternal_ServiceTopology(t *testing.T) {
Allowed: false, Allowed: false,
HasPermissions: false, HasPermissions: false,
ExternalSource: "nomad", ExternalSource: "nomad",
// From wildcard deny
HasExact: false,
}, },
} }
require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions) require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions)
@ -1675,6 +1680,9 @@ func TestInternal_ServiceTopology(t *testing.T) {
Allowed: false, Allowed: false,
HasPermissions: false, HasPermissions: false,
ExternalSource: "nomad", ExternalSource: "nomad",
// From wildcard deny
HasExact: false,
}, },
} }
require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions) require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions)
@ -1686,6 +1694,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
redis.String(): { redis.String(): {
Allowed: false, Allowed: false,
HasPermissions: true, HasPermissions: true,
HasExact: true,
}, },
} }
require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions) require.Equal(r, expectUp, out.ServiceTopology.UpstreamDecisions)
@ -1712,6 +1721,7 @@ func TestInternal_ServiceTopology(t *testing.T) {
web.String(): { web.String(): {
Allowed: false, Allowed: false,
HasPermissions: true, HasPermissions: true,
HasExact: true,
}, },
} }
require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions) require.Equal(r, expectDown, out.ServiceTopology.DownstreamDecisions)

6
agent/consul/state/intention.go
View File

@ -500,6 +500,12 @@ func (s *Store) IntentionDecision(
} }
resp.ExternalSource = ixnMatch.Meta[structs.MetaExternalSource] resp.ExternalSource = ixnMatch.Meta[structs.MetaExternalSource]
// Intentions with wildcard namespaces but specific names are not allowed (*/web -> */api)
// So we don't check namespaces to see if there's an exact intention
if ixnMatch.SourceName != structs.WildcardSpecifier && ixnMatch.DestinationName != structs.WildcardSpecifier {
resp.HasExact = true
}
return resp, nil return resp, nil
} }

23
agent/consul/state/intention_test.go
View File

@ -1132,6 +1132,16 @@ func TestStore_IntentionDecision(t *testing.T) {
}, },
}, },
}, },
&structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "mysql",
Sources: []*structs.SourceIntention{
{
Name: "*",
Action: structs.IntentionActionAllow,
},
},
},
} }
s := testConfigStateStore(t) s := testConfigStateStore(t)
@ -1167,6 +1177,7 @@ func TestStore_IntentionDecision(t *testing.T) {
expect: structs.IntentionDecisionSummary{ expect: structs.IntentionDecisionSummary{
Allowed: false, Allowed: false,
HasPermissions: true, HasPermissions: true,
HasExact: true,
}, },
}, },
{ {
@ -1176,6 +1187,7 @@ func TestStore_IntentionDecision(t *testing.T) {
expect: structs.IntentionDecisionSummary{ expect: structs.IntentionDecisionSummary{
Allowed: false, Allowed: false,
HasPermissions: false, HasPermissions: false,
HasExact: true,
}, },
}, },
{ {
@ -1186,6 +1198,17 @@ func TestStore_IntentionDecision(t *testing.T) {
Allowed: true, Allowed: true,
HasPermissions: false, HasPermissions: false,
ExternalSource: "nomad", ExternalSource: "nomad",
HasExact: true,
},
},
{
name: "allowed by source wildcard not exact",
src: "anything",
dst: "mysql",
expect: structs.IntentionDecisionSummary{
Allowed: true,
HasPermissions: false,
HasExact: false,
}, },
}, },
} }

4
agent/structs/intention.go
View File

@ -645,11 +645,13 @@ type IntentionQueryCheckResponse struct {
// Currently contains: // Currently contains:
// - Whether all actions are allowed // - Whether all actions are allowed
// - Whether the matching intention has L7 permissions attached // - Whether the matching intention has L7 permissions attached
// - Whether the intention is managed by an external source like k8s, // - Whether the intention is managed by an external source like k8s
// - Whether there is an exact, on-wildcard, intention referencing the two services
type IntentionDecisionSummary struct { type IntentionDecisionSummary struct {
Allowed bool Allowed bool
HasPermissions bool HasPermissions bool
ExternalSource string ExternalSource string
HasExact bool
} }
// IntentionQueryExact holds the parameters for performing a lookup of an // IntentionQueryExact holds the parameters for performing a lookup of an

4
agent/ui_endpoint.go
View File

@ -316,8 +316,8 @@ RPC:
downstreams, _ := summarizeServices(out.ServiceTopology.Downstreams.ToServiceDump(), nil, "") downstreams, _ := summarizeServices(out.ServiceTopology.Downstreams.ToServiceDump(), nil, "")
var ( var (
upstreamResp []*ServiceTopologySummary upstreamResp = make([]*ServiceTopologySummary, 0)
downstreamResp []*ServiceTopologySummary downstreamResp = make([]*ServiceTopologySummary, 0)
) )
// Sort and attach intention data for upstreams and downstreams // Sort and attach intention data for upstreams and downstreams

12
agent/ui_endpoint_test.go
View File

@ -1369,9 +1369,11 @@ func TestUIServiceTopology(t *testing.T) {
Intention: structs.IntentionDecisionSummary{ Intention: structs.IntentionDecisionSummary{
Allowed: true, Allowed: true,
HasPermissions: false, HasPermissions: false,
HasExact: true,
}, },
}, },
}, },
Downstreams: []*ServiceTopologySummary{},
FilteredByACLs: false, FilteredByACLs: false,
} }
result := obj.(ServiceTopology) result := obj.(ServiceTopology)
@ -1410,6 +1412,7 @@ func TestUIServiceTopology(t *testing.T) {
Intention: structs.IntentionDecisionSummary{ Intention: structs.IntentionDecisionSummary{
Allowed: true, Allowed: true,
HasPermissions: false, HasPermissions: false,
HasExact: true,
}, },
}, },
}, },
@ -1429,6 +1432,9 @@ func TestUIServiceTopology(t *testing.T) {
Allowed: false, Allowed: false,
HasPermissions: false, HasPermissions: false,
ExternalSource: "nomad", ExternalSource: "nomad",
// From wildcard deny
HasExact: false,
}, },
}, },
}, },
@ -1474,6 +1480,7 @@ func TestUIServiceTopology(t *testing.T) {
Intention: structs.IntentionDecisionSummary{ Intention: structs.IntentionDecisionSummary{
Allowed: false, Allowed: false,
HasPermissions: true, HasPermissions: true,
HasExact: true,
}, },
}, },
}, },
@ -1491,6 +1498,9 @@ func TestUIServiceTopology(t *testing.T) {
Allowed: false, Allowed: false,
HasPermissions: false, HasPermissions: false,
ExternalSource: "nomad", ExternalSource: "nomad",
// From wildcard deny
HasExact: false,
}, },
}, },
}, },
@ -1522,6 +1532,7 @@ func TestUIServiceTopology(t *testing.T) {
expect := ServiceTopology{ expect := ServiceTopology{
Protocol: "http", Protocol: "http",
Upstreams: []*ServiceTopologySummary{},
Downstreams: []*ServiceTopologySummary{ Downstreams: []*ServiceTopologySummary{
{ {
ServiceSummary: ServiceSummary{ ServiceSummary: ServiceSummary{
@ -1537,6 +1548,7 @@ func TestUIServiceTopology(t *testing.T) {
Intention: structs.IntentionDecisionSummary{ Intention: structs.IntentionDecisionSummary{
Allowed: false, Allowed: false,
HasPermissions: true, HasPermissions: true,
HasExact: true,
}, },
}, },
}, },