status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-02-02 17:03:31 +00:00
Code Issues Projects Releases Wiki Activity

Account for partition when matching src intentions

Browse Source
This commit is contained in:
freddygv 2021-09-02 10:43:56 -06:00
parent 1f9479603c
commit beab0cd962
1 changed files with 12 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
agent/xds/rbac.go
View File

@ -493,6 +493,7 @@ func removeSameSourceIntentions(intentions structs.Intentions) structs.Intention
// - (web, *) => true, because "all services" includes "web" // - (web, *) => true, because "all services" includes "web"
// - (default/web, default/*) => true, because "all services in the default NS" includes "default/web" // - (default/web, default/*) => true, because "all services in the default NS" includes "default/web"
// - (default/*, */*) => true, "any service in any NS" includes "all services in the default NS" // - (default/*, */*) => true, "any service in any NS" includes "all services in the default NS"
// - (default/default/*, other/*/*) => false, "any service in "other" partition" does NOT include services in the default partition"
func ixnSourceMatches(tester, against structs.ServiceName) bool { func ixnSourceMatches(tester, against structs.ServiceName) bool {
// We assume that we can't have the same intention twice before arriving // We assume that we can't have the same intention twice before arriving
// here. // here.
@ -505,13 +506,19 @@ func ixnSourceMatches(tester, against structs.ServiceName) bool {
return false return false
} }
matchesAP := tester.PartitionOrDefault() == against.PartitionOrDefault() || against.PartitionOrDefault() == structs.WildcardSpecifier
matchesNS := tester.NamespaceOrDefault() == against.NamespaceOrDefault() || against.NamespaceOrDefault() == structs.WildcardSpecifier matchesNS := tester.NamespaceOrDefault() == against.NamespaceOrDefault() || against.NamespaceOrDefault() == structs.WildcardSpecifier
matchesName := tester.Name == against.Name || against.Name == structs.WildcardSpecifier matchesName := tester.Name == against.Name || against.Name == structs.WildcardSpecifier
return matchesNS && matchesName return matchesAP && matchesNS && matchesName
} }
// countWild counts the number of wildcard values in the given namespace and name. // countWild counts the number of wildcard values in the given namespace and name.
func countWild(src structs.ServiceName) int { func countWild(src structs.ServiceName) int {
// If Partition is wildcard, panic because it's not supported
if src.PartitionOrDefault() == structs.WildcardSpecifier {
panic("invalid state: intention references wildcard partition")
}
// If NS is wildcard, it must be 2 since wildcards only follow exact // If NS is wildcard, it must be 2 since wildcards only follow exact
if src.NamespaceOrDefault() == structs.WildcardSpecifier { if src.NamespaceOrDefault() == structs.WildcardSpecifier {
return 2 return 2