From bd4ddb372017d4edf6d64337d8f21ab4f571e21c Mon Sep 17 00:00:00 2001
From: alex <8968914+acpana@users.noreply.github.com>
Date: Thu, 16 Jun 2022 12:07:28 -0700
Subject: [PATCH] peering: block Intention.Apply ops (#13451)

Signed-off-by: acpana <8968914+acpana@users.noreply.github.com>
---
 agent/consul/intention_endpoint.go      |  4 +++
 agent/consul/intention_endpoint_test.go | 35 +++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/agent/consul/intention_endpoint.go b/agent/consul/intention_endpoint.go
index 2298ec1946..a5e99f366a 100644
--- a/agent/consul/intention_endpoint.go
+++ b/agent/consul/intention_endpoint.go
@@ -77,6 +77,10 @@ func (s *Intention) Apply(args *structs.IntentionRequest, reply *string) error {
 		return ErrConnectNotEnabled
 	}
 
+	if args.Intention != nil && args.Intention.SourcePeer != "" {
+		return fmt.Errorf("SourcePeer field is not supported on this endpoint. Use config entries instead")
+	}
+
 	// Ensure that all service-intentions config entry writes go to the primary
 	// datacenter. These will then be replicated to all the other datacenters.
 	args.Datacenter = s.srv.config.PrimaryDatacenter
diff --git a/agent/consul/intention_endpoint_test.go b/agent/consul/intention_endpoint_test.go
index 0807662a32..199f3ede49 100644
--- a/agent/consul/intention_endpoint_test.go
+++ b/agent/consul/intention_endpoint_test.go
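Review bot: The new guard builds a constant message with `fmt.Errorf` but passes no format verbs or arguments, and the string is capitalized sentence prose, which departs from Go's lowercase, no-trailing-punctuation error-string convention; `errors.New("sourcePeer is not supported on this endpoint; use config entries instead")` (or a package-level sentinel such as `ErrIntentionSourcePeerUnsupported` that the test can check with `errors.Is`) would be the idiomatic form, assuming `errors` is or can be imported in this file. The placement is sound: the reject happens before `args.Datacenter` is rewritten, so a peered-source intention is refused locally instead of being forwarded to the primary first, and the nil check keeps ops that carry no `Intention` body unaffected. The remainder of `Apply`, including whatever authorization runs after forwarding, is outside the hunk.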
@@ -273,6 +273,41 @@ func TestIntentionApply_updateGood(t *testing.T) {
 	}
 }
 
+// TestIntentionApply_NoSourcePeer makes sure that no intention is created with a SourcePeer since this is not supported
+func TestIntentionApply_NoSourcePeer(t *testing.T) {
+	if testing.Short() {
+		t.Skip("too slow for testing.Short")
+	}
+
+	t.Parallel()
+
+	_, s1 := testServer(t)
+	codec := rpcClient(t, s1)
+
+	waitForLeaderEstablishment(t, s1)
+
+	// Setup a basic record to create
+	ixn := structs.IntentionRequest{
+		Datacenter: "dc1",
+		Op:         structs.IntentionOpCreate,
+		Intention: &structs.Intention{
+			SourceNS:        structs.IntentionDefaultNamespace,
+			SourceName:      "test",
+			SourcePeer:      "peer1",
+			DestinationNS:   structs.IntentionDefaultNamespace,
+			DestinationName: "test",
+			Action:          structs.IntentionActionAllow,
+			SourceType:      structs.IntentionSourceConsul,
+			Meta:            map[string]string{},
+		},
+	}
+	var reply string
+	err := msgpackrpc.CallWithCodec(codec, "Intention.Apply", &ixn, &reply)
+	require.Error(t, err)
+	require.Contains(t, err, "SourcePeer field is not supported on this endpoint. Use config entries instead")
+	require.Empty(t, reply)
+}
+
 // Shouldn't be able to update a non-existent intention
 func TestIntentionApply_updateNonExist(t *testing.T) {
 	if testing.Short() {
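Review bot: `require.Contains(t, err, ...)` hands an `error` value to an assertion that expects a string, slice, array or map; it appears to pass here only because the RPC client surfaces the server-side failure as `rpc.ServerError`, whose underlying kind is string, and any other error type would make the assertion fail regardless of the message. `require.Contains(t, err.Error(), "SourcePeer field is not supported on this endpoint. Use config entries instead")` (or `require.ErrorContains` if the vendored testify version provides it) asserts the intent directly and does not depend on that detail. Since the guard in `Apply` rejects any op whose `Intention` carries a `SourcePeer`, a table-driven variant covering `structs.IntentionOpUpdate` and `structs.IntentionOpDelete` alongside `IntentionOpCreate` would pin the full scope of the block rather than only the create path.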