Replace whitelist/blacklist terminology with allowlist/denylist (#7971)

* Replace whitelist/blacklist terminology with allowlist/denylist
This commit is contained in:
Jono Sosulska 2020-05-29 14:19:16 -04:00 committed by GitHub
parent b4f2874d89
commit c554ba9e10
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 80 additions and 80 deletions

View File

@ -24,7 +24,7 @@ var (
// StaticAuthorizer is used to implement a base ACL policy. It either
// allows or denies all requests. This can be used as a parent
// ACL to act in a blacklist or whitelist mode.
// ACL to act in a denylist or allowlist mode.
type staticAuthorizer struct {
allowManage bool
defaultAllow bool

View File

@ -903,10 +903,10 @@ func (a *Agent) listenHTTP() ([]*HTTPServer, error) {
Addr: l.Addr().String(),
TLSConfig: tlscfg,
},
ln: l,
agent: a,
blacklist: NewBlacklist(a.config.HTTPBlockEndpoints),
proto: proto,
ln: l,
agent: a,
denylist: NewDenylist(a.config.HTTPBlockEndpoints),
proto: proto,
}
srv.Server.Handler = srv.handler(a.config.EnableDebug)

View File

@ -1,27 +0,0 @@
package agent
import (
"github.com/armon/go-radix"
)
// Blacklist implements an HTTP endpoint blacklist based on a list of endpoint
// prefixes which should be blocked.
type Blacklist struct {
tree *radix.Tree
}
// NewBlacklist returns a blacklist for the given list of prefixes.
func NewBlacklist(prefixes []string) *Blacklist {
tree := radix.New()
for _, prefix := range prefixes {
tree.Insert(prefix, nil)
}
return &Blacklist{tree}
}
// Block will return true if the given path is included among any of the
// blocked prefixes.
func (b *Blacklist) Block(path string) bool {
_, _, blocked := b.tree.LongestPrefix(path)
return blocked
}

View File

@ -41,7 +41,7 @@ func (id *SpiffeIDSigning) Authorize(ixn *structs.Intention) (bool, bool) {
// I choose to make this a fixed centralized method here for now rather than a
// method on CertURI interface since we don't intend this to be extensible
// outside and it's easier to reason about the security properties when they are
// all in one place with "whitelist" semantics.
// all in one place with "allowlist" semantics.
func (id *SpiffeIDSigning) CanSign(cu CertURI) bool {
switch other := cu.(type) {
case *SpiffeIDSigning:

View File

@ -66,7 +66,7 @@ func StartTestAPIServer(t testing.T) *TestAPIServer {
return s
}
// AuthorizeJWT whitelists the given JWT as able to use the API server.
// AuthorizeJWT allowlists the given JWT as able to use the API server.
func (s *TestAPIServer) AuthorizeJWT(jwt string) {
s.mu.Lock()
defer s.mu.Unlock()

View File

@ -398,7 +398,7 @@ func (s *ConnectCA) Roots(
}
// The API response must NEVER contain the secret information
// such as keys and so on. We use a whitelist below to copy the
// such as keys and so on. We use an allowlist below to copy the
// specific fields we want to expose.
for i, r := range reply.Roots {
// IMPORTANT: r must NEVER be modified, since it is a pointer

View File

@ -1334,7 +1334,7 @@ func TestIntentionCheck_defaultNoACL(t *testing.T) {
require.True(resp.Allowed)
}
// Test the Check method defaults to deny with whitelist ACLs.
// Test the Check method defaults to deny with allowlist ACLs.
func TestIntentionCheck_defaultACLDeny(t *testing.T) {
t.Parallel()
@ -1369,7 +1369,7 @@ func TestIntentionCheck_defaultACLDeny(t *testing.T) {
require.False(resp.Allowed)
}
// Test the Check method defaults to deny with blacklist ACLs.
// Test the Check method defaults to deny with denylist ACLs.
func TestIntentionCheck_defaultACLAllow(t *testing.T) {
t.Parallel()

27
agent/denylist.go Normal file
View File

@ -0,0 +1,27 @@
package agent
import (
"github.com/armon/go-radix"
)
// Denylist implements an HTTP endpoint denylist based on a list of endpoint
// prefixes which should be blocked.
type Denylist struct {
tree *radix.Tree
}
// NewDenylist returns a denylist for the given list of prefixes.
func NewDenylist(prefixes []string) *Denylist {
tree := radix.New()
for _, prefix := range prefixes {
tree.Insert(prefix, nil)
}
return &Denylist{tree}
}
// Block will return true if the given path is included among any of the
// blocked prefixes.
func (d *Denylist) Block(path string) bool {
_, _, blocked := d.tree.LongestPrefix(path)
return blocked
}

View File

@ -4,7 +4,7 @@ import (
"testing"
)
func TestBlacklist(t *testing.T) {
func TestDenylist(t *testing.T) {
t.Parallel()
complex := []string{
@ -30,8 +30,8 @@ func TestBlacklist(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.desc, func(t *testing.T) {
blacklist := NewBlacklist(tt.prefixes)
if got, want := blacklist.Block(tt.path), tt.block; got != want {
denylist := NewDenylist(tt.prefixes)
if got, want := denylist.Block(tt.path), tt.block; got != want {
t.Fatalf("got %v want %v", got, want)
}
})

View File

@ -82,9 +82,9 @@ func (e ForbiddenError) Error() string {
// HTTPServer provides an HTTP api for an agent.
type HTTPServer struct {
*http.Server
ln net.Listener
agent *Agent
blacklist *Blacklist
ln net.Listener
agent *Agent
denylist *Denylist
// proto is filled by the agent to "http" or "https".
proto string
@ -426,7 +426,7 @@ func (s *HTTPServer) wrap(handler endpoint, methods []string) http.HandlerFunc {
}
logURL = aclEndpointRE.ReplaceAllString(logURL, "$1<hidden>$4")
if s.blacklist.Block(req.URL.Path) {
if s.denylist.Block(req.URL.Path) {
errMsg := "Endpoint is blocked by agent configuration"
httpLogger.Error("Request error",
"method", req.Method,

View File

@ -52,7 +52,7 @@ type Intention struct {
// SourceType is the type of the value for the source.
SourceType IntentionSourceType
// Action is whether this is a whitelist or blacklist intention.
// Action is whether this is an allowlist or denylist intention.
Action IntentionAction
// DefaultAddr, DefaultPort of the local listening proxy (if any) to
@ -349,7 +349,7 @@ func (x *Intention) EstimateSize() int {
}
// IntentionAction is the action that the intention represents. This
// can be "allow" or "deny" to whitelist or blacklist intentions.
// can be "allow" or "deny".
type IntentionAction string
const (

View File

@ -1328,7 +1328,7 @@ func TestStructs_ValidateServiceAndNodeMetadata(t *testing.T) {
"",
"",
},
"reserved key prefix allowed via whitelist just for gateway - " + MetaWANFederationKey: {
"reserved key prefix allowed via an allowlist just for gateway - " + MetaWANFederationKey: {
map[string]string{
MetaWANFederationKey: "value1",
},
@ -1394,9 +1394,9 @@ func TestStructs_validateMetaPair(t *testing.T) {
{metaKeyReservedPrefix + "key", "value", "reserved for internal use", false, nil},
// reserved prefix, allowed
{metaKeyReservedPrefix + "key", "value", "", true, nil},
// reserved prefix, not allowed via whitelist
// reserved prefix, not allowed via an allowlist
{metaKeyReservedPrefix + "bad", "value", "reserved for internal use", false, map[string]struct{}{metaKeyReservedPrefix + "good": struct{}{}}},
// reserved prefix, allowed via whitelist
// reserved prefix, allowed via an allowlist
{metaKeyReservedPrefix + "good", "value", "", true, map[string]struct{}{metaKeyReservedPrefix + "good": struct{}{}}},
// value too long
{"key", longValue, "Value is too long", false, nil},

View File

@ -33,7 +33,7 @@ type Intention struct {
// SourceType is the type of the value for the source.
SourceType IntentionSourceType
// Action is whether this is a whitelist or blacklist intention.
// Action is whether this is an allowlist or denylist intention.
Action IntentionAction
// DefaultAddr, DefaultPort of the local listening proxy (if any) to
@ -99,7 +99,7 @@ func (i *Intention) partString(ns, n string) string {
const IntentionDefaultNamespace = "default"
// IntentionAction is the action that the intention represents. This
// can be "allow" or "deny" to whitelist or blacklist intentions.
// can be "allow" or "deny" to allowlist or denylist intentions.
type IntentionAction string
const (

View File

@ -458,14 +458,14 @@ function find_git_remote {
return ${ret}
}
function git_remote_not_blacklisted {
function git_remote_not_denylisted {
# Arguments:
# $1 - path to the repo
# $2 - the remote name
#
# Returns:
# 0 - not blacklisted
# * - blacklisted
# 0 - not denylisted
# * - denylisted
return 0
}

View File

@ -399,9 +399,9 @@ function publish_release {
status_stage "==> Confirming Git Changes"
confirm_git_push_changes "$1" || return 1
status_stage "==> Checking for blacklisted Git Remote"
status_stage "==> Checking for denylisted Git Remote"
local remote=$(find_git_remote "${sdir}") || return 1
git_remote_not_blacklisted "${sdir}" "${remote}" || return 1
git_remote_not_denylisted "${sdir}" "${remote}" || return 1
status_stage "==> Confirming Git Remote"
confirm_git_remote "${sdir}" "${remote}" || return 1

View File

@ -249,7 +249,7 @@ Usage: consul intention create [options] -file FILE...
$ echo "{ ... }" | consul intention create -file -
An "allow" intention is created by default (whitelist). To create a
An "allow" intention is created by default (allowlist). To create a
"deny" intention, the "-deny" flag should be specified.
If a conflicting intention is found, creation will fail. To replace any

View File

@ -127,11 +127,11 @@ token are automatically applied. The anonymous token is managed using the
#### ACL Rules and Scope
Tokens are bound to a set of rules that control which Consul resources the token
has access to. Policies can be defined in either a whitelist or blacklist mode
has access to. Policies can be defined in either an allowlist or denylist mode
depending on the configuration of
[`acl_default_policy`](/docs/agent/options#acl_default_policy). If the default
policy is to "deny" all actions, then token rules can be set to whitelist specific
actions. In the inverse, the "allow" all default behavior is a blacklist where rules
policy is to "deny" all actions, then token rules can be set to allowlist specific
actions. In the inverse, the "allow" all default behavior is a denylist where rules
are used to prohibit actions. By default, Consul will allow all actions.
The following table summarizes the ACL policies that are available for constructing
@ -199,7 +199,7 @@ as to whether they are set on servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose |
| --------------------------------------------------------------------- | ---------- | ---------- | ----------------------------------------------------------------------------------------- |
| [`acl_datacenter`](/docs/agent/options#acl_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines whitelist or blacklist mode |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl_down_policy`](/docs/agent/options#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline |
| [`acl_ttl`](/docs/agent/options#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs |
@ -275,9 +275,9 @@ datacenter. In this example, we are configuring the following:
1. An ACL datacenter of "dc1", which is where these servers are
2. An ACL master token of "b1gs33cr3t"; see below for an alternative using the [/v1/acl/bootstrap API](/api/acl/acl#bootstrap-acls)
3. A default policy of "deny" which means we are in whitelist mode
4. A down policy of "extend-cache" which means that we will ignore token TTLs during an
outage
3. A default policy of "deny" which means we are in allowlist mode
4. A down policy of "extend-cache" which means that we will ignore token TTLs
during an outage
Here's the corresponding JSON configuration file:

View File

@ -189,10 +189,10 @@ token will be used.
#### ACL Rules and Scope
The rules from all policies, roles, and service identities linked with a token are combined to form that token's
effective rule set. Policy rules can be defined in either a whitelist or blacklist
effective rule set. Policy rules can be defined in either an allowlist or denylist
mode depending on the configuration of [`acl_default_policy`](/docs/agent/options#acl_default_policy).
If the default policy is to "deny" access to all resources, then policy rules can be set to
whitelist access to specific resources. Conversely, if the default policy is “allow” then policy rules can
allowlist access to specific resources. Conversely, if the default policy is “allow” then policy rules can
be used to explicitly deny access to resources.
The following table summarizes the ACL resources that are available for constructing
@ -240,7 +240,7 @@ as to whether they are set on servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose |
| -------------------------------------------------------------- | ---------- | ---------- | ---------------------------------------------------------------------- |
| [`acl.enabled`](/docs/agent/options#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled |
| [`acl.default_policy`](/docs/agent/options#acl_default_policy) | `OPTIONAL` | `N/A` | Determines whitelist or blacklist mode |
| [`acl.default_policy`](/docs/agent/options#acl_default_policy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl.down_policy`](/docs/agent/options#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails |
| [`acl.role_ttl`](/docs/agent/options#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles |
| [`acl.policy_ttl`](/docs/agent/options#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies |

View File

@ -622,9 +622,9 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
- `default_policy` ((#acl_default_policy)) - Either "allow" or "deny";
defaults to "allow" but this will be changed in a future major release. The default
policy controls the behavior of a token when there is no matching rule. In "allow"
mode, ACLs are a blacklist: any operation not specifically prohibited is allowed.
In "deny" mode, ACLs are a whitelist: any operation not specifically allowed
is blocked. **Note**: this will not take effect until you've enabled ACLs.
mode, ACLs are a denylist: any operation not specifically prohibited is allowed.
In "deny" mode, ACLs are an allowlist: any operation not specifically
allowed is blocked. **Note**: this will not take effect until you'veenabled ACLs.
- `enable_key_list_policy` ((#acl_enable_key_list_policy)) - Either "enabled"
or "disabled", defaults to "disabled". When enabled, the `list` permission will
@ -702,8 +702,8 @@ Valid time units are 'ns', 'us' (or 'µs'), 'ms', 's', 'm', 'h'."
- `acl_default_policy` ((#acl_default_policy_legacy)) - **Deprecated in Consul 1.4.0. See the [`acl.default_policy`](#acl_default_policy) field instead.**
Either "allow" or "deny"; defaults to "allow". The default policy controls the
behavior of a token when there is no matching rule. In "allow" mode, ACLs are a
blacklist: any operation not specifically prohibited is allowed. In "deny" mode,
ACLs are a whitelist: any operation not specifically allowed is blocked. **Note**:
denylist: any operation not specifically prohibited is allowed. In "deny" mode,
ACLs are an allowlist: any operation not specifically allowed is blocked. **Note**:
this will not take effect until you've set `primary_datacenter` to enable ACL support.
- `acl_down_policy` ((#acl_down_policy_legacy)) - **Deprecated in Consul

View File

@ -34,7 +34,7 @@ of Consul.
Consul must be configured to use ACLs with a default deny policy. This forces
all requests to have explicit anonymous access or provide an ACL token. The
configuration also forces all service-to-service communication to be explicitly
whitelisted via an allow [intention](/docs/connect/intentions).
allowed via an allow [intention](/docs/connect/intentions).
To learn how to enable ACLs, please see the
[guide on ACLs](https://learn.hashicorp.com/consul/security-networking/production-acls).

View File

@ -115,11 +115,11 @@ token are automatically applied. The anonymous token is managed using the
#### ACL Rules and Scope
Tokens are bound to a set of rules that control which Consul resources the token
has access to. Policies can be defined in either a whitelist or blacklist mode
has access to. Policies can be defined in either an allowlist or denylist mode
depending on the configuration of
[`acl_default_policy`](/docs/agent/options#acl_default_policy). If the default
policy is to "deny" all actions, then token rules can be set to whitelist specific
actions. In the inverse, the "allow" all default behavior is a blacklist where rules
policy is to "deny" all actions, then token rules can be set to allowlist specific
actions. In the inverse, the "allow" all default behavior is a denylist where rules
are used to prohibit actions. By default, Consul will allow all actions.
The following table summarizes the ACL policies that are available for constructing
@ -187,7 +187,7 @@ as to whether they are set on servers, clients, or both.
| Configuration Option | Servers | Clients | Purpose |
| --------------------------------------------------------------------- | ---------- | ---------- | ----------------------------------------------------------------------------------------- |
| [`primary_datacenter`](/docs/agent/options#primary_datacenter) | `REQUIRED` | `REQUIRED` | Master control that enables ACLs by defining the authoritative Consul datacenter for ACLs |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines whitelist or blacklist mode |
| [`acl_default_policy`](/docs/agent/options#acl_default_policy_legacy) | `OPTIONAL` | `N/A` | Determines allowlist or denylist mode |
| [`acl_down_policy`](/docs/agent/options#acl_down_policy_legacy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the ACL datacenter is offline |
| [`acl_ttl`](/docs/agent/options#acl_ttl_legacy) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACLs |
@ -263,7 +263,7 @@ datacenter. In this example, we are configuring the following:
1. An ACL datacenter of "dc1", which is where these servers are
2. An ACL master token of "b1gs33cr3t"; see below for an alternative using the [/v1/acl/bootstrap API](/api/acl/acl#bootstrap-acls)
3. A default policy of "deny" which means we are in whitelist mode
3. A default policy of "deny" which means we are in allowlist mode
4. A down policy of "extend-cache" which means that we will ignore token TTLs during an
outage

View File

@ -54,7 +54,7 @@ on them when you apply the token.
of Consul, you cannot persist tokens when using the HTTP API.
In this example, you configured the default policy of "deny", which means you
are in whitelist mode. You also enabled token persistence when using the HTTP
are in allowlist mode. You also enabled token persistence when using the HTTP
API. With persistence enabled, tokens will be persisted to disk and
reloaded when an agent restarts

View File

@ -54,7 +54,7 @@ items outside of Consul's threat model as noted in sections below.
- Secure against unprivileged users becoming root
- **ACLs enabled with default deny.** Consul must be configured to use ACLs with
a whitelist (default deny) approach. This forces all requests to have explicit
an allowlist (default deny) approach. This forces all requests to have explicit
anonymous access or provide an ACL token.
- **Encryption enabled.** TCP and UDP encryption must be enabled and configured