consul/agent/grpc-external/services/resource/write_status.go

209 lines
6.1 KiB
Go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package resource
import (
"context"
"errors"
"fmt"
"github.com/oklog/ulid/v2"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/internal/resource"
"github.com/hashicorp/consul/internal/storage"
"github.com/hashicorp/consul/proto-public/pbresource"
)
func (s *Server) WriteStatus(ctx context.Context, req *pbresource.WriteStatusRequest) (*pbresource.WriteStatusResponse, error) {
reg, err := s.validateWriteStatusRequest(req)
if err != nil {
return nil, err
}
entMeta := v2TenancyToV1EntMeta(req.Id.Tenancy)
authz, authzContext, err := s.getAuthorizer(tokenFromContext(ctx), entMeta)
if err != nil {
return nil, err
}
// Apply defaults when tenancy units empty.
v1EntMetaToV2Tenancy(reg, entMeta, req.Id.Tenancy)
// Check tenancy exists for the V2 resource. Ignore "marked for deletion" since status updates
// should still work regardless.
if err = tenancyExists(reg, s.TenancyBridge, req.Id.Tenancy, codes.InvalidArgument); err != nil {
return nil, err
}
// Retrieve resource since ACL hook requires it.
existing, err := s.Backend.Read(ctx, storage.EventualConsistency, req.Id)
switch {
case errors.Is(err, storage.ErrNotFound):
return nil, status.Errorf(codes.NotFound, err.Error())
case err != nil:
return nil, status.Errorf(codes.Internal, "failed read: %v", err)
}
// Check write ACL.
err = reg.ACLs.Write(authz, authzContext, existing)
switch {
case acl.IsErrPermissionDenied(err):
return nil, status.Error(codes.PermissionDenied, err.Error())
case err != nil:
return nil, status.Errorf(codes.Internal, "failed operator:write allowed acl: %v", err)
}
// At the storage backend layer, all writes are CAS operations.
//
// See comment in write.go for more information.
//
// Most controllers *won't* do an explicit CAS write of the status because it
// doesn't provide much value, and conflicts are fairly likely in the flurry
// of activity after a resource is updated.
//
// Here's why that's okay:
//
// - Controllers should only update their own status (identified by its key)
// and updating separate statuses is commutative.
//
// - Controllers that make writes should be leader-elected singletons (i.e.
// there should only be one instance of the controller running) so we don't
// need to worry about multiple instances racing with each other.
//
// - Only controllers are supposed to write statuses, so you should never be
// racing with a user's write of the same status.
var result *pbresource.Resource
err = s.retryCAS(ctx, req.Version, func() error {
resource, err := s.Backend.Read(ctx, storage.EventualConsistency, req.Id)
if err != nil {
return err
}
if req.Version != "" && req.Version != resource.Version {
return storage.ErrCASFailure
}
resource = clone(resource)
if resource.Status == nil {
resource.Status = make(map[string]*pbresource.Status)
}
status := clone(req.Status)
status.UpdatedAt = timestamppb.Now()
resource.Status[req.Key] = status
result, err = s.Backend.WriteCAS(ctx, resource)
return err
})
switch {
case errors.Is(err, storage.ErrNotFound):
return nil, status.Error(codes.NotFound, err.Error())
case errors.Is(err, storage.ErrCASFailure):
return nil, status.Error(codes.Aborted, err.Error())
case err != nil:
return nil, status.Errorf(codes.Internal, "failed to write resource: %v", err.Error())
}
return &pbresource.WriteStatusResponse{Resource: result}, nil
}
func (s *Server) validateWriteStatusRequest(req *pbresource.WriteStatusRequest) (*resource.Registration, error) {
var field string
switch {
case req.Id == nil:
field = "id"
case req.Id.Type == nil:
field = "id.type"
case req.Id.Name == "":
field = "id.name"
case req.Id.Uid == "":
// We require Uid because only controllers should write statuses and
// controllers should *always* refer to a specific incarnation of a
// resource using its Uid.
field = "id.uid"
case req.Key == "":
field = "key"
case req.Status == nil:
field = "status"
case req.Status.ObservedGeneration == "":
field = "status.observed_generation"
default:
for i, condition := range req.Status.Conditions {
if condition.Type == "" {
field = fmt.Sprintf("status.conditions[%d].type", i)
break
}
if condition.Resource != nil {
switch {
case condition.Resource.Type == nil:
field = fmt.Sprintf("status.conditions[%d].resource.type", i)
break
case condition.Resource.Tenancy == nil:
field = fmt.Sprintf("status.conditions[%d].resource.tenancy", i)
break
case condition.Resource.Name == "":
field = fmt.Sprintf("status.conditions[%d].resource.name", i)
break
}
}
}
}
if field != "" {
return nil, status.Errorf(codes.InvalidArgument, "%s is required", field)
}
if req.Status.UpdatedAt != nil {
return nil, status.Error(codes.InvalidArgument, "status.updated_at is automatically set and cannot be provided")
}
if _, err := ulid.ParseStrict(req.Status.ObservedGeneration); err != nil {
return nil, status.Error(codes.InvalidArgument, "status.observed_generation is not valid")
}
// Better UX: Allow callers to pass in nil tenancy. Defaulting and inheritance of tenancy
// from the request token will take place further down in the call flow.
if req.Id.Tenancy == nil {
req.Id.Tenancy = &pbresource.Tenancy{
Partition: "",
Namespace: "",
}
}
if err := validateId(req.Id, "id"); err != nil {
return nil, err
}
for i, condition := range req.Status.Conditions {
if condition.Resource != nil {
if err := validateRef(condition.Resource, fmt.Sprintf("status.conditions[%d].resource", i)); err != nil {
return nil, err
}
}
}
// Check type exists.
reg, err := s.resolveType(req.Id.Type)
if err != nil {
return nil, err
}
// Check scope.
if reg.Scope == resource.ScopePartition && req.Id.Tenancy.Namespace != "" {
return nil, status.Errorf(
codes.InvalidArgument,
"partition scoped resource %s cannot have a namespace. got: %s",
resource.ToGVK(req.Id.Type),
req.Id.Tenancy.Namespace,
)
}
return reg, nil
}