Update spiffe ID patterns used for RBAC

This commit is contained in:
freddygv 2021-09-09 18:24:43 -06:00
parent 5e54f253d7
commit d90e30f009
1 changed files with 35 additions and 14 deletions

View File

@ -13,6 +13,7 @@ import (
envoy_network_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3" envoy_network_rbac_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3"
envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3" envoy_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs" "github.com/hashicorp/consul/agent/structs"
) )
@ -564,7 +565,7 @@ func notPrincipal(id *envoy_rbac_v3.Principal) *envoy_rbac_v3.Principal {
} }
func idPrincipal(src structs.ServiceName) *envoy_rbac_v3.Principal { func idPrincipal(src structs.ServiceName) *envoy_rbac_v3.Principal {
pattern := makeSpiffePattern(src.NamespaceOrDefault(), src.Name) pattern := makeSpiffePattern(src.PartitionOrDefault(), src.NamespaceOrDefault(), src.Name)
return &envoy_rbac_v3.Principal{ return &envoy_rbac_v3.Principal{
Identifier: &envoy_rbac_v3.Principal_Authenticated_{ Identifier: &envoy_rbac_v3.Principal_Authenticated_{
@ -578,21 +579,41 @@ func idPrincipal(src structs.ServiceName) *envoy_rbac_v3.Principal {
}, },
} }
} }
func makeSpiffePattern(sourceNS, sourceName string) string {
const ( func makeSpiffePattern(sourceAP, sourceNS, sourceName string) string {
anyPath = `[^/]+` if sourceNS == structs.WildcardSpecifier && sourceName != structs.WildcardSpecifier {
spiffeTemplate = `^spiffe://%s/ns/%s/dc/%s/svc/%s$`
)
switch {
case sourceNS != structs.WildcardSpecifier && sourceName != structs.WildcardSpecifier:
return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, sourceName)
case sourceNS != structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier:
return fmt.Sprintf(spiffeTemplate, anyPath, sourceNS, anyPath, anyPath)
case sourceNS == structs.WildcardSpecifier && sourceName == structs.WildcardSpecifier:
return fmt.Sprintf(spiffeTemplate, anyPath, anyPath, anyPath, anyPath)
default:
panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact service %q", sourceNS, sourceName)) panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact service %q", sourceNS, sourceName))
} }
if sourceAP == structs.WildcardSpecifier {
panic("not possible to have a wildcarded source partition")
}
const anyPath = `[^/]+`
// Match on any namespace or service if it is a wildcard, or on a specific value otherwise.
ns := sourceNS
if sourceNS == structs.WildcardSpecifier {
ns = anyPath
}
svc := sourceName
if sourceName == structs.WildcardSpecifier {
svc = anyPath
}
id := connect.SpiffeIDService{
Namespace: ns,
Service: svc,
// Trust domain and datacenter are not verified by RBAC, so we match on any value.
Host: anyPath,
Datacenter: anyPath,
// Partition can only ever be an exact value.
Partition: sourceAP,
}
return fmt.Sprintf(`^%s://%s%s$`, id.URI().Scheme, id.Host, id.URI().Path)
} }
func anyPermission() *envoy_rbac_v3.Permission { func anyPermission() *envoy_rbac_v3.Permission {