status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-01-10 13:55:55 +00:00
Code Issues Projects Releases Wiki Activity
8,857 Commits 445 Branches 179 Tags 489 MiB
Commit Graph

104 Commits

Author SHA1 Message Date
Matt Keeler
870a6ad6a8
Handle resolving proxy tokens when parsing HTTP requests (#4453) 
Fixes: #4441

This fixes the issue with Connect Managed Proxies + ACLs being broken.

The underlying problem was that the token parsed for most http endpoints was sent untouched to the servers via the RPC request. These changes make it so that at the HTTP endpoint when parsing the token we additionally attempt to convert potential proxy tokens into regular tokens before sending to the RPC endpoint. Proxy tokens are only valid on the agent with the managed proxy so the resolution has to happen before it gets forwarded anywhere.
 2018-07-30 09:11:51 -04:00
Matt Keeler
3fe5f566f2 Persist proxies from config files 
Also change how loadProxies works. Now it will load all persisted proxies into a map, then when loading config file proxies will look up the previous proxy token in that map.
 2018-07-18 17:04:35 -04:00
Paul Banks
17789d4fe3 register TCP check for managed proxies 2018-06-25 12:25:40 -07:00
Paul Banks
420ae3df69 Limit proxy telemetry config to only be visible with authenticated with a proxy token 2018-06-25 12:25:39 -07:00
Paul Banks
c6ef6a61c9 Refactor to use embedded struct. 2018-06-25 12:25:39 -07:00
Paul Banks
38405bd4a9 Allow user override of proxy telemetry config 2018-06-25 12:25:38 -07:00
Paul Banks
7649d630c6 Basic proxy telemetry working; not sure if it's too ugly; need to instrument things we care about 2018-06-25 12:25:38 -07:00
Paul Banks
d83f2e8e21 Expose telemetry config from RuntimeConfig to proxy config endpoint 2018-06-25 12:25:38 -07:00
Paul Banks
43b48bc06b Get agent cache tests passing without global hit count (which is racy). 
Few other fixes in here just to get a clean run locally - they are all also fixed in other PRs but shouldn't conflict.

This should be robust to timing between goroutines now.
 2018-06-25 12:25:37 -07:00
Mitchell Hashimoto
e9e6514c9b agent: disallow deregistering a managed proxy directly 2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
66a573e496 agent: deregister service deregisters the proxy along with it 2018-06-25 12:25:12 -07:00
Mitchell Hashimoto
0d6dcbd2f1 agent: disallow API registration with managed proxy if not enabled 2018-06-25 12:25:11 -07:00
Paul Banks
e21723a891 Persist proxy state through agent restart 2018-06-25 12:24:08 -07:00
Mitchell Hashimoto
eb2a6952ba
address comment feedback 2018-06-14 09:42:22 -07:00
Mitchell Hashimoto
cd39f09693
agent: leaf endpoint accepts name, not service ID 
This change is important so that requests can made representing a
service that may not be registered with the same local agent.
 2018-06-14 09:42:20 -07:00
Mitchell Hashimoto
1906fe1c0d
agent: address feedback 2018-06-14 09:42:20 -07:00
Mitchell Hashimoto
54ac5adb08
agent: comments to point to differing logic 2018-06-14 09:42:17 -07:00
Paul Banks
c58d47ba59
Fix broken api test for service Meta (logical conflict rom OSS). Add test that would make this much easier to catch in future. 2018-06-14 09:42:17 -07:00
Paul Banks
4aeab3897c
Fixed many tests after rebase. Some still failing and seem unrelated to any connect changes. 2018-06-14 09:42:16 -07:00
Paul Banks
1722734313
Verify trust domain on /authorize calls 2018-06-14 09:42:16 -07:00
Mitchell Hashimoto
e54e69d11f
agent: verify local proxy tokens for CA leaf + tests 2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
a099c27b07
agent: verify proxy token for ProxyConfig endpoint + tests 2018-06-14 09:42:14 -07:00
Mitchell Hashimoto
171bf8d599
agent: clean up defaulting of proxy configuration 
This cleans up and unifies how proxy settings defaults are applied.
 2018-06-14 09:42:10 -07:00
Mitchell Hashimoto
3d3eee2f6e
agent: resolve some conflicts and fix tests 2018-06-14 09:42:10 -07:00
Paul Banks
e0e12e165b
TLS watching integrated into Service with some basic tests. 
There are also a lot of small bug fixes found when testing lots of things end-to-end for the first time and some cleanup now it's integrated with real CA code.
 2018-06-14 09:42:07 -07:00
Paul Banks
90c574ebaa
Wire up agent leaf endpoint to cache framework to support blocking. 2018-06-14 09:42:07 -07:00
Paul Banks
cd88b2a351
Basic watch support for connect proxy config and certificate endpoints. 
- Includes some bug fixes for previous `api` work and `agent` that weren't tested
 - Needed somewhat pervasive changes to support hash based blocking - some TODOs left in our watch toolchain that will explicitly fail on hash-based watches.
 - Integration into `connect` is partially done here but still WIP
 2018-06-14 09:42:05 -07:00
Mitchell Hashimoto
6c01e402e0
agent: augment /v1/connect/authorize to cache intentions 2018-06-14 09:42:02 -07:00
Mitchell Hashimoto
6902d721d6
agent: initialize the cache and cache the CA roots 2018-06-14 09:42:00 -07:00
Paul Banks
36dbd878c9
Adds api client code and tests for new Proxy Config endpoint, registering with proxy and seeing proxy config in /agent/services list. 2018-06-14 09:41:58 -07:00
Paul Banks
730da74369
Fix various test failures and vet warnings. 
Intention de-duplication in previously merged PR actualy failed some tests that were not caught be me or CI. I ran the test files for state changes but they happened not to trigger this case so I made sure they did first and then fixed. That fixed some upstream intention endpoint tests that I'd not run as part of testing the previous fix.
 2018-06-14 09:41:58 -07:00
Paul Banks
1e72ad66f5
Refactor localBlockingQuery to use memdb.WatchSet. Much simpler and correct as a bonus! 2018-06-14 09:41:58 -07:00
Paul Banks
d73f079d0f
Add X-Consul-ContentHash header; implement removing all proxies; add load/unload test. 2018-06-14 09:41:57 -07:00
Paul Banks
2a69663448
Agent Connect Proxy config endpoint with hash-based blocking 2018-06-14 09:41:57 -07:00
Paul Banks
3e3f0e1f31
HTTP agent registration allows proxy to be defined. 2018-06-14 09:41:57 -07:00
Mitchell Hashimoto
95da20ffd7
agent: rename authorize param ClientID to ClientCertURI 2018-06-14 09:41:56 -07:00
Mitchell Hashimoto
6e57233913
agent: add TODO for verification 2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
5a47a53c70
acl: IntentionDefault => IntentionDefaultAllow 2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
ac72a0c5fd
agent: ACL checks for authorize, default behavior 2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
6dc2db94ea
agent/structs: String format for Intention, used for logging 2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
fb7bccc690
agent: bolster commenting for clearer understandability 2018-06-14 09:41:55 -07:00
Mitchell Hashimoto
9a987d6452
agent: default deny on connect authorize endpoint 2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
86a8ce45b9
agent: /v1/agent/connect/authorize is functional, with tests 2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
70d1d5bf06
agent: get rid of method checks since they're done in the http layer 2018-06-14 09:41:54 -07:00
Mitchell Hashimoto
d28ee70a56
agent: implement an always-200 authorize endpoint 2018-06-14 09:41:53 -07:00
Mitchell Hashimoto
c2588262b7
agent: /v1/connect/ca/leaf/:service_id 2018-06-14 09:41:52 -07:00
Mitchell Hashimoto
578db06600
agent/consul: tests for CA endpoints 2018-06-14 09:41:51 -07:00
Mitchell Hashimoto
e7536e5485
agent: /v1/connect/ca/roots 2018-06-14 09:41:50 -07:00
Mitchell Hashimoto
714026dfb7
agent: validate service entry on register 2018-06-14 09:41:48 -07:00
Paul Banks
c8db140ff7
Merge pull request #4047 from pierresouchay/added_missing_meta_in_service_definition 
[BUGFIX] Added Service Meta support in configuration files
 2018-04-25 13:08:53 +01:00