mirror of https://github.com/status-im/consul.git
Update spiffe ID patterns used for RBAC
This commit is contained in:
parent
5e54f253d7
commit
d90e30f009
|
@ -13,6 +13,7 @@ import (
|
||||||
envoy_network_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3"
|
envoy_network_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3"
|
||||||
envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
|
envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
|
||||||
|
|
||||||
|
"github.com/hashicorp/consul/agent/connect"
|
||||||
"github.com/hashicorp/consul/agent/structs"
|
"github.com/hashicorp/consul/agent/structs"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -564,7 +565,7 @@ func notPrincipal(id *envoy_rbac_v3.Principal) *envoy_rbac_v3.Principal {
|
||||||
}
|
}
|
||||||
|
|
||||||
func idPrincipal(src structs.ServiceName) *envoy_rbac_v3.Principal {
|
func idPrincipal(src structs.ServiceName) *envoy_rbac_v3.Principal {
|
||||||
pattern := makeSpiffePattern(src.NamespaceOrDefault(), src.Name)
|
pattern := makeSpiffePattern(src.PartitionOrDefault(), src.NamespaceOrDefault(), src.Name)
|
||||||
|
|
||||||
return &envoy_rbac_v3.Principal{
|
return &envoy_rbac_v3.Principal{
|
||||||
Identifier: &envoy_rbac_v3.Principal_Authenticated_{
|
Identifier: &envoy_rbac_v3.Principal_Authenticated_{
|
||||||
|
@ -578,21 +579,41 @@ func idPrincipal(src structs.ServiceName) *envoy_rbac_v3.Principal {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
func makeSpiffePattern(sourceNS, sourceName string) string {
|
|
||||||
const (
|
func makeSpiffePattern(sourceAP, sourceNS, sourceName string) string {
|
||||||
anyPath = `[^/]+`
|
if sourceNS == structs.WildcardSpecifier && sourceName != structs.WildcardSpecifier {
|
||||||
spiffeTemplate = `^spiffe://%s/ns/%s/dc/%s/svc/%s$`
|
|
||||||
)
|
|
||||||
switch {
|
|
||||||
case sourceNS != structs.WildcardSpecifier && sourceName != structs.WildcardSpecifier:
|
|
||||||
return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, sourceName)
|
|
||||||
case sourceNS != structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier:
|
|
||||||
return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, anyPath)
|
|
||||||
case sourceNS == structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier:
|
|
||||||
return fmt.Sprintf(spiffeTemplate, anyPath, anyPath, anyPath, anyPath)
|
|
||||||
default:
|
|
||||||
panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact service %q", sourceNS, sourceName))
|
panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact service %q", sourceNS, sourceName))
|
||||||
}
|
}
|
||||||
|
if sourceAP == structs.WildcardSpecifier {
|
||||||
|
panic("not possible to have a wildcarded source partition")
|
||||||
|
}
|
||||||
|
|
||||||
|
const anyPath = `[^/]+`
|
||||||
|
|
||||||
|
// Match on any namespace or service if it is a wildcard, or on a specific value otherwise.
|
||||||
|
ns := sourceNS
|
||||||
|
if sourceNS == structs.WildcardSpecifier {
|
||||||
|
ns = anyPath
|
||||||
|
}
|
||||||
|
|
||||||
|
svc := sourceName
|
||||||
|
if sourceName == structs.WildcardSpecifier {
|
||||||
|
svc = anyPath
|
||||||
|
}
|
||||||
|
|
||||||
|
id := connect.SpiffeIDService{
|
||||||
|
Namespace: ns,
|
||||||
|
Service: svc,
|
||||||
|
|
||||||
|
// Trust domain and datacenter are not verified by RBAC, so we match on any value.
|
||||||
|
Host: anyPath,
|
||||||
|
Datacenter: anyPath,
|
||||||
|
|
||||||
|
// Partition can only ever be an exact value.
|
||||||
|
Partition: sourceAP,
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Sprintf(`^%s://%s%s$`, id.URI().Scheme, id.Host, id.URI().Path)
|
||||||
}
|
}
|
||||||
|
|
||||||
func anyPermission() *envoy_rbac_v3.Permission {
|
func anyPermission() *envoy_rbac_v3.Permission {
|
||||||
|
|
Loading…
Reference in New Issue