A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that operators with `operator:read` ACL permissions are able to read the Consul Connect CA configuration when explicitly configured with the `/v1/connect/ca/configuration` endpoint, including the private key. This allows the user to effectively privilege escalate by enabling the ability to mint certificates for any Consul Connect services. This would potentially allow them to masquerade (receive/send traffic) as any service in the mesh.
--
This PR increases the permissions required to read the Connect CA's private key when it was configured via the `/connect/ca/configuration` endpoint. They are now `operator:write`.
* ui: Ensure search is enabled for child items in the ACLs area
* Refactor comparators to reuse some utility functions
* Add search and sorting to the ACLs child selector
* Add tests for searching within child selectors
* Allow sorting by CreateIndex
* ui: Fixup service instance healthcheck list not to show ghost check
If the proxy is undefined, then an undefined vaule is appended to the
list of checks
* There are only 6 checks in the mocks so only expect 6
Previously the listener was being passed to a closure in a loop without
capturing the loop variable. The result is only the last listener is
used, so the http/https servers only listen on one address.
This problem is fixed by capturing the variable by passing it into a
function.
This PR updates the tags that we generate for Envoy stats.
Several of these come with breaking changes, since we can't keep two stats prefixes for a filter.
* ui: Add functionality to metrics mocks:
1. More randomness during blocking queries
2. NaN and undefined values that come from prometheus
3. General trivial amends to bring things closer to the style of the
project
* Provider should always provide data as a string or undefined
* Use a placeholder `-` if the metrics endpoint responds with undefined data
* ci: stop building darwin/386 binaries
Go 1.15 drops support for 32-bit binaries on Darwin https://golang.org/doc/go1.15#darwin
* tls: ConnectionState::NegotiatedProtocolIsMutual is deprecated in Go 1.15, this value is always true
* correct error messages that changed slightly
* Completely regenerate some TLS test data
Co-authored-by: R.B. Boyer <rb@hashicorp.com>
* Pass down nspace and dc from Service model down to prometheus request
* Reviewing notes fix-ups
* Fix on dc/nspace to send from upstream/downstream card
The Intention.Apply RPC is quite large, so this PR attempts to break it down into smaller functions and dissolves the pre-config-entry approach to the breakdown as it only confused things.
* ui: Add predicate, comparator and necessary files for the search/sort
* Implement search and sort for upstream instance list
* ui: Tweak CSS so its all part of the component
* Remove the old proxy test attribute
* Refactor grid styling for Topology page
* Crate TopologyMetrics Button component and move styling
* Create intention ID
* fixup button styling
* Return a link to the create intention page
* Rename Button to Popover component
* Fixup serializer test
* ui: Inline Topology Intention Actions (#9153)
* Add arrow and dot to/from metrics back in
* Add addional space to have metrics wrap and show in smaller screens
* Move logic for finding positioning
* Use color variables
Co-authored-by: John Cowen <johncowen@users.noreply.github.com>
* Remove Proxy Info and create Upstreams and Exposed Paths tabs
* Update routes formatting
* Update typo for Expose.Checks
* Remove, update, and add tests
* Make consul-upstream-instance-list into a glimmer component
* Create styling for upstream-instance-list component
Header is: X-Consul-Default-ACL-Policy=<allow|deny>
This is of particular utility when fetching matching intentions, as the
fallthrough for a request that doesn't match any intentions is to
enforce using the default acl policy.