From ab3c6cf1e592bb988cdf0692ada61b39b68091bd Mon Sep 17 00:00:00 2001 From: "Chris S. Kim" Date: Tue, 13 Feb 2024 12:27:24 -0500 Subject: [PATCH] Add BoundReferences to ComputedTrafficPermissions (#20593) --- .../controllers/trafficpermissions/builder.go | 10 +- .../trafficpermissions/controller.go | 62 ++++++----- .../trafficpermissions/controller_test.go | 98 ++++++++++++++++- .../controllers/trafficpermissions/index.go | 43 ++++++++ .../computed_traffic_permissions.pb.go | 101 +++++++++++------- .../computed_traffic_permissions.proto | 5 + 6 files changed, 240 insertions(+), 79 deletions(-) create mode 100644 internal/auth/internal/controllers/trafficpermissions/index.go diff --git a/internal/auth/internal/controllers/trafficpermissions/builder.go b/internal/auth/internal/controllers/trafficpermissions/builder.go index 88018c20f0..cf3e42a711 100644 --- a/internal/auth/internal/controllers/trafficpermissions/builder.go +++ b/internal/auth/internal/controllers/trafficpermissions/builder.go @@ -21,6 +21,7 @@ type trafficPermissionsBuilder struct { denyPermissions []*pbauth.Permission sgExpander expander.SamenessGroupExpander sgMap map[string][]*pbmulticluster.SamenessGroupMember + brc *resource.BoundReferenceCollector } type missingSamenessGroupReferences struct { @@ -28,7 +29,10 @@ type missingSamenessGroupReferences struct { samenessGroups []string } -func newTrafficPermissionsBuilder(expander expander.SamenessGroupExpander, sgMap map[string][]*pbmulticluster.SamenessGroupMember) *trafficPermissionsBuilder { +func newTrafficPermissionsBuilder( + expander expander.SamenessGroupExpander, + sgMap map[string][]*pbmulticluster.SamenessGroupMember, + brc *resource.BoundReferenceCollector) *trafficPermissionsBuilder { return &trafficPermissionsBuilder{ sgMap: sgMap, missing: make(map[resource.ReferenceKey]missingSamenessGroupReferences), 
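Review bot: `newTrafficPermissionsBuilder` stores `brc` without checking it, and `track` (next hunk) calls `tpb.brc.AddRefOrID` on it unconditionally, so a caller passing nil gets a nil-pointer panic inside the reconciler instead of a clear error. Every caller in this patch hands in a fresh collector, so the cheapest hardening is to default it before the struct literal: `if brc == nil { brc = resource.NewBoundReferenceCollector() }`. Also document the new parameter, e.g. `// brc collects the ids of every TP/PTP/NTP folded into the CTP so they can be written to BoundReferences; must be non-nil.`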
@@ -36,11 +40,14 @@ func newTrafficPermissionsBuilder(expander expander.SamenessGroupExpander, sgMap sgExpander: expander, allowedPermissions: make([]*pbauth.Permission, 0), denyPermissions: make([]*pbauth.Permission, 0), + brc: brc, } } // track will use all associated XTrafficPermissions to create new ComputedTrafficPermissions samenessGroupsForTrafficPermission func track[S types.XTrafficPermissions](tpb *trafficPermissionsBuilder, xtp *resource.DecodedResource[S]) { + tpb.brc.AddRefOrID(xtp.Id) + permissions, missingSamenessGroups := tpb.sgExpander.Expand(xtp.Data, tpb.sgMap) if len(missingSamenessGroups) > 0 { @@ -64,6 +71,7 @@ func (tpb *trafficPermissionsBuilder) build() (*pbauth.ComputedTrafficPermission AllowPermissions: tpb.allowedPermissions, DenyPermissions: tpb.denyPermissions, IsDefault: tpb.isDefault, + BoundReferences: tpb.brc.List(), }, tpb.missing } diff --git a/internal/auth/internal/controllers/trafficpermissions/controller.go b/internal/auth/internal/controllers/trafficpermissions/controller.go index 23662612d1..8e3056de91 100644 --- a/internal/auth/internal/controllers/trafficpermissions/controller.go +++ b/internal/auth/internal/controllers/trafficpermissions/controller.go 
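Review bot: `track` binds `xtp.Id` before `Expand` runs, so a permission that is subsequently set aside for missing sameness groups is still recorded in `BoundReferences`; that is the right choice (an edit to that permission must still re-queue this CTP) but it contradicts the reconciler's comment that references are only added for resources whose data was actually used. State the intent above `tpb.brc.AddRefOrID(xtp.Id)`: `// Bind the permission even if Expand sets it aside below for missing sameness groups, so a later edit to it re-queues this CTP.` The `if len(missingSamenessGroups) > 0` branch continues outside the hunk, so I cannot confirm how the skipped permission is recorded.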
@@ -10,21 +10,15 @@ import ( "google.golang.org/protobuf/types/known/anypb" "github.com/hashicorp/consul/internal/auth/internal/controllers/trafficpermissions/expander" - "github.com/hashicorp/consul/internal/auth/internal/types" "github.com/hashicorp/consul/internal/controller" "github.com/hashicorp/consul/internal/controller/cache" "github.com/hashicorp/consul/internal/controller/cache/index" - "github.com/hashicorp/consul/internal/controller/cache/indexers" "github.com/hashicorp/consul/internal/controller/dependency" "github.com/hashicorp/consul/internal/resource" pbauth "github.com/hashicorp/consul/proto-public/pbauth/v2beta1" "github.com/hashicorp/consul/proto-public/pbresource" ) -const ( - TenancyIndexName = "tenancy" -) - // TrafficPermissionsMapper is used to map a watch event for a TrafficPermissions resource and translate // it to a ComputedTrafficPermissions resource which contains the effective permissions // from all referencing TrafficPermissions resources. @@ -52,6 +46,8 @@ func Controller(mapper TrafficPermissionsMapper, sgExpander expander.SamenessGro samenessGroupIndex := GetSamenessGroupIndex() + boundRefsMapper := dependency.CacheListMapper(pbauth.ComputedTrafficPermissionsType, BoundRefsIndexName) + // Maps incoming PartitionTrafficPermissions to ComputedTrafficPermissions requests by prefix searching // the CTP's tenancy. ptpToCtpMapper := func(ctx context.Context, rt controller.Runtime, res *pbresource.Resource) ([]controller.Request, error) { 
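Review bot: `boundRefsMapper` is declared with no comment explaining what it looks up, while the neighbouring `ptpToCtpMapper` is documented; this mapper is the piece that makes the orphaned-permission test in this patch pass, so its purpose is worth stating. Suggested: `// Maps a changed TP/PTP/NTP back to every CTP whose stored bound_references already list it, so the CTP is recomputed (and stale allow rules dropped) when the permission that fed it is deleted or moved to another destination.` It only works because `boundRefsIndex` is registered on the CTP cache in the `NewController` call in the next hunk; if that index name and `BoundRefsIndexName` ever diverge the mapper would silently map nothing, so a comment tying the two together is useful.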
@@ -91,29 +87,20 @@ func Controller(mapper TrafficPermissionsMapper, sgExpander expander.SamenessGro return reqs, nil } - ctrl := controller.NewController(StatusKey, pbauth.ComputedTrafficPermissionsType). - WithWatch(pbauth.WorkloadIdentityType, dependency.ReplaceType(pbauth.ComputedTrafficPermissionsType)). - WithWatch(pbauth.TrafficPermissionsType, mapper.MapTrafficPermissions, samenessGroupIndex). - WithWatch(pbauth.PartitionTrafficPermissionsType, ptpToCtpMapper, - indexers.DecodedSingleIndexer( - TenancyIndexName, - index.SingleValueFromArgs(func(t *pbresource.Tenancy) ([]byte, error) { - return index.IndexFromTenancy(t), nil - }), - func(r *types.DecodedPartitionTrafficPermissions) (bool, []byte, error) { - return true, index.IndexFromTenancy(r.Id.Tenancy), nil - }, - )). - WithWatch(pbauth.NamespaceTrafficPermissionsType, ntpToCtpMapper, - indexers.DecodedSingleIndexer( - TenancyIndexName, - index.SingleValueFromArgs(func(t *pbresource.Tenancy) ([]byte, error) { - return index.IndexFromTenancy(t), nil - }), - func(r *types.DecodedNamespaceTrafficPermissions) (bool, []byte, error) { - return true, index.IndexFromTenancy(r.Id.Tenancy), nil - }, - )). + ctrl := controller.NewController(StatusKey, + pbauth.ComputedTrafficPermissionsType, + boundRefsIndex). + WithWatch(pbauth.WorkloadIdentityType, + dependency.ReplaceType(pbauth.ComputedTrafficPermissionsType)). + WithWatch(pbauth.TrafficPermissionsType, + dependency.MultiMapper(boundRefsMapper, mapper.MapTrafficPermissions), + samenessGroupIndex). + WithWatch(pbauth.PartitionTrafficPermissionsType, + dependency.MultiMapper(boundRefsMapper, ptpToCtpMapper), + indexPtpByTenancy()). + WithWatch(pbauth.NamespaceTrafficPermissionsType, + dependency.MultiMapper(boundRefsMapper, ntpToCtpMapper), + indexNtpByTenancy()). WithReconciler(&reconciler{mapper: mapper, sgExpander: sgExpander}) return registerEnterpriseControllerWatchers(ctrl) 
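Review bot: The bound-references mapping added to the TP/PTP/NTP watches can only reach CTPs whose stored `bound_references` are populated, so CTPs persisted by an earlier build of the controller have an empty list until they are reconciled once; during that window an edit that moves a TP to another destination is routed only through `mapper.MapTrafficPermissions`, and the old destination keeps its allow rules. If the controller reconciles every managed CTP on startup that closes the gap, but that is not visible in this patch and is the kind of fail-open assumption worth writing down next to `boundRefsIndex` in the `NewController` call: `// CTPs written before this index existed carry no bound_references until their first reconcile; orphan revocation relies on the initial full reconcile of the managed type.` The enclosing `Controller` function starts before this hunk.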
@@ -124,11 +111,23 @@ type reconciler struct { sgExpander expander.SamenessGroupExpander } -// Reconcile will reconcile one ComputedTrafficPermission (CTP) in response to some event. +// Reconcile will reconcile one ComputedTrafficPermissions (CTP) in response to some event. // Events include adding, modifying or deleting a WorkloadIdentity or TrafficPermission or SamenessGroupType. func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req controller.Request) error { rt.Logger = rt.Logger.With("resource-id", req.ID, "controller", StatusKey) + // The bound reference collector is supposed to aggregate all + // references to resources that influence the production of + // a ComputedTrafficPermissions resource. + // + // We only add a reference to the collector if the following are ALL true: + // + // - We load the resource for some reason. + // - The resource is found. + // - We decided to use the information in that resource to produce + // ComputedTrafficPermissions. + brc := resource.NewBoundReferenceCollector() + ctpID := req.ID oldCTPData, err := resource.GetDecodedResource[*pbauth.ComputedTrafficPermissions](ctx, rt.Client, ctpID) if err != nil { @@ -171,13 +170,12 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c } sgMap, err := r.sgExpander.List(ctx, rt, req) - if err != nil { rt.Logger.Error("error retrieving sameness groups", err.Error()) return err } - trafficPermissionBuilder := newTrafficPermissionsBuilder(r.sgExpander, sgMap) + trafficPermissionBuilder := newTrafficPermissionsBuilder(r.sgExpander, sgMap, brc) var tpResources []*pbresource.Resource // Part 2: Recompute a CTP from TP create / modify / delete, or create a new CTP from existing TPs: diff --git a/internal/auth/internal/controllers/trafficpermissions/controller_test.go b/internal/auth/internal/controllers/trafficpermissions/controller_test.go index c5a05def9d..b7a751353e 100644 
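Review bot: The comment introduced above `brc := resource.NewBoundReferenceCollector()` states a three-part rule for when a reference is added, but within this function the collector is only handed to the builder (next hunk), so a reader cannot tell whether the workload identity or the sameness groups loaded here are meant to be bound as well. Both appear to be covered by other watches (`ReplaceType` for WorkloadIdentity, `samenessGroupIndex` for sameness groups), so say so to stop a future "fix": `// WorkloadIdentity and SamenessGroup changes are mapped by their own watches and are deliberately NOT bound here; only TP/PTP/NTP go through the collector (see track in builder.go).` The enclosing `Reconcile` continues past the hunk.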
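Review bot: The retained `rt.Logger.Error("error retrieving sameness groups", err.Error())` just above the new `newTrafficPermissionsBuilder(r.sgExpander, sgMap, brc)` call passes the error as a bare positional argument; if `rt.Logger` is an hclog logger, as it is elsewhere in this controller runtime, an odd trailing argument is rendered as an extra-value artefact rather than a keyed field. While touching this hunk, change it to `rt.Logger.Error("error retrieving sameness groups", "error", err)`. The `sgMap` obtained here is not added to `brc`; presumably the sameness-group index on the TP watch handles re-queueing, but that assumption is not visible in the hunk.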
--- a/internal/auth/internal/controllers/trafficpermissions/controller_test.go +++ b/internal/auth/internal/controllers/trafficpermissions/controller_test.go @@ -11,11 +11,11 @@ import ( "github.com/stretchr/testify/require" "github.com/stretchr/testify/suite" - svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing" "github.com/hashicorp/consul/internal/auth/internal/controllers/trafficpermissions/expander" "github.com/hashicorp/consul/internal/auth/internal/mappers/trafficpermissionsmapper" "github.com/hashicorp/consul/internal/auth/internal/types" "github.com/hashicorp/consul/internal/controller" + "github.com/hashicorp/consul/internal/controller/controllertest" "github.com/hashicorp/consul/internal/multicluster" "github.com/hashicorp/consul/internal/resource" "github.com/hashicorp/consul/internal/resource/resourcetest" @@ -52,13 +52,16 @@ func (suite *controllerSuite) SetupTest() { suite.isEnterprise = versiontest.IsEnterprise() suite.tenancies = resourcetest.TestTenancies() suite.ctx = testutil.TestContext(suite.T()) - client := svctest.NewResourceServiceBuilder(). - WithRegisterFns(types.Register, multicluster.RegisterTypes). - WithTenancies(append(suite.tenancies, suite.bazTenancy)...). - Run(suite.T()) + // TODO: a lot of the fields below should be consolidated to controller only suite.mapper = trafficpermissionsmapper.New() suite.sgExpander = expander.GetSamenessGroupExpander() + client := controllertest.NewControllerTestBuilder(). + WithResourceRegisterFns(types.Register, multicluster.RegisterTypes). + WithTenancies(append(suite.tenancies, suite.bazTenancy)...). + WithControllerRegisterFns(func(mgr *controller.Manager) { + mgr.Register(Controller(suite.mapper, suite.sgExpander)) + }).Run(suite.T()) suite.ctl = controller.NewTestController( Controller(suite.mapper, suite.sgExpander), client, 
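Review bot: `SetupTest` now registers the controller with the manager started by `controllertest.NewControllerTestBuilder` and, a few lines later, still wraps a second instance in `controller.NewTestController` that the suite drives by hand, so two reconcilers write the same CTP resources during every suite test. Any existing assertion on exact versions or write counts can flake on that race; the `TODO` acknowledges the duplication but does not say which instance is authoritative. Either drop `WithControllerRegisterFns` from the suite (keeping the managed run only in `TestController_OrphanedTrafficPermissions`), or note above it `// NOTE: the managed controller and suite.ctl both reconcile; suite tests must tolerate concurrent CTP writes.` The remainder of `SetupTest` is outside the hunk.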
@@ -710,6 +713,91 @@ func (suite *controllerSuite) TestReconcile_TrafficPermissionsDelete_Destination }) } +// 1. Create ALLOW traffic permission granting foo -> bar +// 2. Observe reconciler write CTP for bar listing source foo +// 3. User updates TP from step 1 to instead grant foo -> baz +// 4. Observe reconciler update CTP for bar to list source baz +// 5. (must) Observe reconciler update CTP for bar to default (no permissions) +func TestController_OrphanedTrafficPermissions(t *testing.T) { + client := rtest.NewClient( + controllertest.NewControllerTestBuilder(). + WithTenancies(resourcetest.TestTenancies()...). + WithResourceRegisterFns(types.Register). + WithControllerRegisterFns(func(mgr *controller.Manager) { + mgr.Register(Controller(trafficpermissionsmapper.New(), expander.GetSamenessGroupExpander())) + }). + Run(t), + ) + + for _, tenancy := range resourcetest.TestTenancies() { + t.Run(fmt.Sprintf("%s_Namespace_%s_Partition", tenancy.Namespace, tenancy.Partition), func(t *testing.T) { + // Create the workload identities + foo := rtest.Resource(pbauth.WorkloadIdentityType, "foo").WithTenancy(tenancy).Write(t, client) + bar := rtest.Resource(pbauth.WorkloadIdentityType, "bar").WithTenancy(tenancy).Write(t, client) + baz := rtest.Resource(pbauth.WorkloadIdentityType, "baz").WithTenancy(tenancy).Write(t, client) + + // Make the CTP IDs for reference + fooCTPID := resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, foo.Id) + barCTPID := resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, bar.Id) + bazCTPID := resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, baz.Id) + + // Create foo -> bar traffic permissions + fooToBarData := &pbauth.TrafficPermissions{ + Destination: &pbauth.Destination{ + IdentityName: "bar", + }, + Action: pbauth.Action_ACTION_ALLOW, + Permissions: []*pbauth.Permission{ + { + Sources: []*pbauth.Source{ + { + IdentityName: "foo", + Namespace: tenancy.Namespace, + Partition: tenancy.Partition, + }, + }, + }, + }, 
+ } + _ = rtest.Resource(pbauth.TrafficPermissionsType, "tp"). + WithTenancy(tenancy). + WithData(t, fooToBarData). + Write(t, client) + + // Check that CTP for foo exists + _ = client.WaitForResourceExists(t, fooCTPID) + + // CTP for bar should list source foo and therefore is not default + barCTP := client.WaitForResourceExists(t, barCTPID) + decodedBarCTP := resourcetest.MustDecode[*pbauth.ComputedTrafficPermissions](t, barCTP) + require.False(t, decodedBarCTP.Data.IsDefault) + + // CTP for baz should be default + bazCTP := client.WaitForResourceExists(t, bazCTPID) + decodedBazCTP := resourcetest.MustDecode[*pbauth.ComputedTrafficPermissions](t, bazCTP) + require.True(t, decodedBazCTP.Data.IsDefault) + + // Mutate fooToBar to change destination from bar to baz. + // The CTP for bar no longer has references and should be reset on reconcile. + fooToBarData.Destination.IdentityName = "baz" + _ = rtest.Resource(pbauth.TrafficPermissionsType, "tp"). + WithTenancy(tenancy). + WithData(t, fooToBarData). + Write(t, client) + + // Ensure that the CTP for bar is reverted to default + barCTP = client.WaitForNewVersion(t, barCTPID, barCTP.Version) + decodedBarCTP = resourcetest.MustDecode[*pbauth.ComputedTrafficPermissions](t, barCTP) + require.True(t, decodedBarCTP.Data.IsDefault) + + // Ensure that the CTP for baz is no longer default + bazCTP = client.WaitForNewVersion(t, bazCTPID, bazCTP.Version) + decodedBazCTP = resourcetest.MustDecode[*pbauth.ComputedTrafficPermissions](t, bazCTP) + require.False(t, decodedBazCTP.Data.IsDefault) + }) + } +} + func (suite *controllerSuite) TestControllerBasic() { // TODO: refactor this // In this test we check basic operations for a workload identity and referencing traffic permission diff --git a/internal/auth/internal/controllers/trafficpermissions/index.go b/internal/auth/internal/controllers/trafficpermissions/index.go new file mode 100644 index 0000000000..358073ecc5 --- /dev/null 
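Review bot: `TestController_OrphanedTrafficPermissions` exercises the behaviour this patch enables but never inspects the field it adds: neither `decodedBarCTP.Data.BoundReferences` nor the baz CTP's list is checked, so a regression that stops writing `bound_references` would still pass as long as the pre-existing mapper path happens to cover the case. After the first wait, assert the bar CTP binds the TP, e.g. `require.Len(t, decodedBarCTP.Data.BoundReferences, 1)` and compare its `Type`/`Name` with the written "tp" resource, then after the mutation `require.Empty(t, decodedBarCTP.Data.BoundReferences)` with the mirror check on baz. The `IsDefault` assertions alone cannot distinguish the new index from the mapper path.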
+++ b/internal/auth/internal/controllers/trafficpermissions/index.go @@ -0,0 +1,43 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package trafficpermissions + +import ( + "github.com/hashicorp/consul/internal/auth/internal/types" + "github.com/hashicorp/consul/internal/controller/cache/index" + "github.com/hashicorp/consul/internal/controller/cache/indexers" + pbauth "github.com/hashicorp/consul/proto-public/pbauth/v2beta1" + "github.com/hashicorp/consul/proto-public/pbresource" +) + +const ( + TenancyIndexName = "tenancy" + BoundRefsIndexName = "bound-references" +) + +func indexNtpByTenancy() *index.Index { + return indexers.DecodedSingleIndexer( + TenancyIndexName, + index.SingleValueFromArgs(func(t *pbresource.Tenancy) ([]byte, error) { + return index.IndexFromTenancy(t), nil + }), + func(r *types.DecodedNamespaceTrafficPermissions) (bool, []byte, error) { + return true, index.IndexFromTenancy(r.Id.Tenancy), nil + }, + ) +} + +func indexPtpByTenancy() *index.Index { + return indexers.DecodedSingleIndexer( + TenancyIndexName, + index.SingleValueFromArgs(func(t *pbresource.Tenancy) ([]byte, error) { + return index.IndexFromTenancy(t), nil + }), + func(r *types.DecodedPartitionTrafficPermissions) (bool, []byte, error) { + return true, index.IndexFromTenancy(r.Id.Tenancy), nil + }, + ) +} + +var boundRefsIndex = indexers.BoundRefsIndex[*pbauth.ComputedTrafficPermissions](BoundRefsIndexName) diff --git a/proto-public/pbauth/v2beta1/computed_traffic_permissions.pb.go b/proto-public/pbauth/v2beta1/computed_traffic_permissions.pb.go index 7bdd8bec2f..19998c1d47 100644 --- a/proto-public/pbauth/v2beta1/computed_traffic_permissions.pb.go +++ b/proto-public/pbauth/v2beta1/computed_traffic_permissions.pb.go 
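Review bot: `boundRefsIndex` is a package-level `var` holding a single `*index.Index`, whereas the two tenancy indexes in the same file are constructors returning a fresh index per call, so every `Controller(...)` invocation shares one index object. If `index.Index` owns its backing tree (as the cache's `Txn`/`Commit` API suggests, though that is not visible here), the controllers created by `SetupTest` and by `TestController_OrphanedTrafficPermissions` would share bound-reference state across tests. Make it consistent with its siblings: `func boundRefsIndex() *index.Index { return indexers.BoundRefsIndex[*pbauth.ComputedTrafficPermissions](BoundRefsIndexName) }`, and call `boundRefsIndex()` in the `NewController` call in controller.go.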
@@ -10,7 +10,7 @@ package authv2beta1 import ( - _ "github.com/hashicorp/consul/proto-public/pbresource" + pbresource "github.com/hashicorp/consul/proto-public/pbresource" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" reflect "reflect" @@ -32,6 +32,9 @@ type ComputedTrafficPermissions struct { AllowPermissions []*Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"` DenyPermissions []*Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"` IsDefault bool `protobuf:"varint,3,opt,name=is_default,json=isDefault,proto3" json:"is_default,omitempty"` + // BoundReferences is a slice of mixed type references of resources that were + // involved in the formulation of this resource. + BoundReferences []*pbresource.Reference `protobuf:"bytes,4,rep,name=bound_references,json=boundReferences,proto3" json:"bound_references,omitempty"` } func (x *ComputedTrafficPermissions) Reset() { @@ -87,6 +90,13 @@ func (x *ComputedTrafficPermissions) GetIsDefault() bool { return false } +func (x *ComputedTrafficPermissions) GetBoundReferences() []*pbresource.Reference { + if x != nil { + return x.BoundReferences + } + return nil +} + var File_pbauth_v2beta1_computed_traffic_permissions_proto protoreflect.FileDescriptor var file_pbauth_v2beta1_computed_traffic_permissions_proto_rawDesc = []byte{ 
@@ -99,41 +109,48 @@ var file_pbauth_v2beta1_computed_traffic_permissions_proto_rawDesc = []byte{ 0x61, 0x31, 0x2f, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x70, 0x62, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf1, 0x01, 0x0a, 0x1a, 0x43, - 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, - 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x56, 0x0a, 0x11, 0x61, 0x6c, 0x6c, - 0x6f, 0x77, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, - 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, - 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, - 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, - 0x10, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x73, 0x12, 0x54, 0x0a, 0x10, 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, - 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x68, 0x61, - 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, - 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, - 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, - 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, 0x64, 0x65, - 0x66, 0x61, 0x75, 0x6c, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44, - 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x3a, 0x06, 0xa2, 0x93, 0x04, 0x02, 0x08, 0x03, 0x42, 0xa0, - 0x02, 0x0a, 0x21, 0x63, 0x6f, 0x6d, 0x2e, 
0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, - 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, - 0x65, 0x74, 0x61, 0x31, 0x42, 0x1f, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72, - 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, - 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, - 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, - 0x63, 0x2f, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, - 0x3b, 0x61, 0x75, 0x74, 0x68, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48, - 0x43, 0x41, 0xaa, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, - 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74, - 0x61, 0x31, 0xca, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, - 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, - 0x61, 0x31, 0xe2, 0x02, 0x29, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, - 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, - 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, - 0x20, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, - 0x75, 0x6c, 0x3a, 0x3a, 0x41, 0x75, 0x74, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, - 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x70, 0x62, 0x72, 0x65, + 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 
0x6f, 0x22, 0xc2, 0x02, 0x0a, 0x1a, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, + 0x65, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, + 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x56, 0x0a, 0x11, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x70, 0x65, + 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x29, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, + 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, + 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x10, 0x61, 0x6c, 0x6c, 0x6f, + 0x77, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x54, 0x0a, 0x10, + 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, + 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, + 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, + 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, + 0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, + 0x6e, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, + 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, + 0x74, 0x12, 0x4f, 0x0a, 0x10, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x72, 0x65, 0x66, 0x65, 0x72, + 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x68, 0x61, + 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x72, + 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, + 0x65, 0x52, 0x0f, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, + 0x65, 0x73, 0x3a, 0x06, 0xa2, 0x93, 0x04, 0x02, 0x08, 0x03, 
0x42, 0xa0, 0x02, 0x0a, 0x21, 0x63, + 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, + 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, + 0x42, 0x1f, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, + 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x50, 0x01, 0x5a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, + 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x61, 0x75, 0x74, + 0x68, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48, 0x43, 0x41, 0xaa, 0x02, + 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, + 0x6c, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, + 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, + 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xe2, 0x02, + 0x29, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, + 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x47, + 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x20, 0x48, 0x61, 0x73, + 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, + 0x41, 0x75, 0x74, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -152,15 +169,17 @@ var file_pbauth_v2beta1_computed_traffic_permissions_proto_msgTypes = make([]pro var file_pbauth_v2beta1_computed_traffic_permissions_proto_goTypes = []interface{}{ (*ComputedTrafficPermissions)(nil), // 0: hashicorp.consul.auth.v2beta1.ComputedTrafficPermissions (*Permission)(nil), // 1: hashicorp.consul.auth.v2beta1.Permission + (*pbresource.Reference)(nil), // 2: hashicorp.consul.resource.Reference } var file_pbauth_v2beta1_computed_traffic_permissions_proto_depIdxs = []int32{ 1, // 0: hashicorp.consul.auth.v2beta1.ComputedTrafficPermissions.allow_permissions:type_name -> hashicorp.consul.auth.v2beta1.Permission 1, // 1: hashicorp.consul.auth.v2beta1.ComputedTrafficPermissions.deny_permissions:type_name -> hashicorp.consul.auth.v2beta1.Permission - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 2, // 2: hashicorp.consul.auth.v2beta1.ComputedTrafficPermissions.bound_references:type_name -> hashicorp.consul.resource.Reference + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_pbauth_v2beta1_computed_traffic_permissions_proto_init() } diff --git a/proto-public/pbauth/v2beta1/computed_traffic_permissions.proto b/proto-public/pbauth/v2beta1/computed_traffic_permissions.proto index 83af04df7f..fc8db0d8db 100644 --- a/proto-public/pbauth/v2beta1/computed_traffic_permissions.proto +++ b/proto-public/pbauth/v2beta1/computed_traffic_permissions.proto 
@@ -7,6 +7,7 @@ package hashicorp.consul.auth.v2beta1; import "pbauth/v2beta1/traffic_permissions.proto"; import "pbresource/annotations.proto"; +import "pbresource/resource.proto"; message ComputedTrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; @@ -14,4 +15,8 @@ message ComputedTrafficPermissions { repeated Permission allow_permissions = 1; repeated Permission deny_permissions = 2; bool is_default = 3; + + // BoundReferences is a slice of mixed type references of resources that were + // involved in the formulation of this resource. + repeated hashicorp.consul.resource.Reference bound_references = 4; }
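Review bot: The comment on `bound_references` does not say who writes it or how it is used, and in `proto-public` that is what an API consumer reads. From the controller changes in this patch the field is populated by the reconciler via `BoundReferenceCollector` and read back only by the `bound-references` cache index to re-queue the CTP; it is bookkeeping, not part of the effective allow/deny policy. Suggest: `// BoundReferences lists the TrafficPermissions-family resources whose data was folded into this CTP. It is written by the traffic-permissions controller for change tracking and is not an input to authorization.` Whether user-supplied values are rejected or simply overwritten on reconcile should be checked against the resource's validation hooks, which are not in this patch.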