mirror of
https://github.com/status-im/consul.git
synced 2025-01-24 20:51:10 +00:00
a2a8e9c783
- Upgrade the ConfigEntry.ListAll RPC to be kind-aware so that older copies of consul will not see new config entries it doesn't understand replicate down. - Add shim conversion code so that the old API/CLI method of interacting with intentions will continue to work so long as none of these are edited via config entry endpoints. Almost all of the read-only APIs will continue to function indefinitely. - Add new APIs that operate on individual intentions without IDs so that the UI doesn't need to implement CAS operations. - Add a new serf feature flag indicating support for intentions-as-config-entries. - The old line-item intentions way of interacting with the state store will transparently flip between the legacy memdb table and the config entry representations so that readers will never see a hiccup during migration where the results are incomplete. It uses a piece of system metadata to control the flip. - The primary datacenter will begin migrating intentions into config entries on startup once all servers in the datacenter are on a version of Consul with the intentions-as-config-entries feature flag. When it is complete the old state store representations will be cleared. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up. - The secondary datacenters continue to run the old intentions replicator until all servers in the secondary DC and primary DC support intentions-as-config-entries (via serf flag). Once this condition it met the old intentions replicator ceases. - The secondary datacenters replicate the new config entries as they are migrated in the primary. When they detect that the primary has zeroed it's old state store table it waits until all config entries up to that point are replicated and then zeroes its own copy of the old state store table. We also record a piece of system metadata indicating this has occurred. We use this metadata to skip ALL of this code the next time the leader starts up.
543 lines
16 KiB
Go
543 lines
16 KiB
Go
package agent
|
|
|
|
import (
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/hashicorp/consul/agent/consul"
|
|
"github.com/hashicorp/consul/agent/structs"
|
|
)
|
|
|
|
// /v1/connect/intentions
|
|
func (s *HTTPHandlers) IntentionEndpoint(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
switch req.Method {
|
|
case "GET":
|
|
return s.IntentionList(resp, req)
|
|
|
|
case "POST":
|
|
return s.IntentionCreate(resp, req)
|
|
|
|
default:
|
|
return nil, MethodNotAllowedError{req.Method, []string{"GET", "POST"}}
|
|
}
|
|
}
|
|
|
|
// GET /v1/connect/intentions
|
|
func (s *HTTPHandlers) IntentionList(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
var args structs.IntentionListRequest
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
return nil, nil
|
|
}
|
|
|
|
if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var reply structs.IndexedIntentions
|
|
defer setMeta(resp, &reply.QueryMeta)
|
|
if err := s.agent.RPC("Intention.List", &args, &reply); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return reply.Intentions, nil
|
|
}
|
|
|
|
// POST /v1/connect/intentions
|
|
func (s *HTTPHandlers) IntentionCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
var entMeta structs.EnterpriseMeta
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
args := structs.IntentionRequest{
|
|
Op: structs.IntentionOpCreate,
|
|
}
|
|
s.parseDC(req, &args.Datacenter)
|
|
s.parseToken(req, &args.Token)
|
|
if err := decodeBody(req.Body, &args.Intention); err != nil {
|
|
return nil, fmt.Errorf("Failed to decode request body: %s", err)
|
|
}
|
|
|
|
args.Intention.FillNonDefaultNamespaces(&entMeta)
|
|
|
|
if err := s.validateEnterpriseIntention(args.Intention); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var reply string
|
|
if err := s.agent.RPC("Intention.Apply", &args, &reply); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return intentionCreateResponse{reply}, nil
|
|
}
|
|
|
|
func (s *HTTPHandlers) validateEnterpriseIntention(ixn *structs.Intention) error {
|
|
if err := s.validateEnterpriseIntentionNamespace("SourceNS", ixn.SourceNS, true); err != nil {
|
|
return err
|
|
}
|
|
if err := s.validateEnterpriseIntentionNamespace("DestinationNS", ixn.DestinationNS, true); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// GET /v1/connect/intentions/match
|
|
func (s *HTTPHandlers) IntentionMatch(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
// Prepare args
|
|
args := &structs.IntentionQueryRequest{Match: &structs.IntentionQueryMatch{}}
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
return nil, nil
|
|
}
|
|
|
|
var entMeta structs.EnterpriseMeta
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
q := req.URL.Query()
|
|
|
|
// Extract the "by" query parameter
|
|
if by, ok := q["by"]; !ok || len(by) != 1 {
|
|
return nil, fmt.Errorf("required query parameter 'by' not set")
|
|
} else {
|
|
switch v := structs.IntentionMatchType(by[0]); v {
|
|
case structs.IntentionMatchSource, structs.IntentionMatchDestination:
|
|
args.Match.Type = v
|
|
default:
|
|
return nil, fmt.Errorf("'by' parameter must be one of 'source' or 'destination'")
|
|
}
|
|
}
|
|
|
|
// Extract all the match names
|
|
names, ok := q["name"]
|
|
if !ok || len(names) == 0 {
|
|
return nil, fmt.Errorf("required query parameter 'name' not set")
|
|
}
|
|
|
|
// Build the entries in order. The order matters since that is the
|
|
// order of the returned responses.
|
|
args.Match.Entries = make([]structs.IntentionMatchEntry, len(names))
|
|
for i, n := range names {
|
|
ns, name, err := parseIntentionStringComponent(n, &entMeta)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("name %q is invalid: %s", n, err)
|
|
}
|
|
|
|
args.Match.Entries[i] = structs.IntentionMatchEntry{
|
|
Namespace: ns,
|
|
Name: name,
|
|
}
|
|
}
|
|
|
|
var reply structs.IndexedIntentionMatches
|
|
if err := s.agent.RPC("Intention.Match", args, &reply); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// We must have an identical count of matches
|
|
if len(reply.Matches) != len(names) {
|
|
return nil, fmt.Errorf("internal error: match response count didn't match input count")
|
|
}
|
|
|
|
// Use empty list instead of nil.
|
|
response := make(map[string]structs.Intentions)
|
|
for i, ixns := range reply.Matches {
|
|
response[names[i]] = ixns
|
|
}
|
|
|
|
return response, nil
|
|
}
|
|
|
|
// GET /v1/connect/intentions/check
|
|
func (s *HTTPHandlers) IntentionCheck(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
// Prepare args
|
|
args := &structs.IntentionQueryRequest{Check: &structs.IntentionQueryCheck{}}
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
return nil, nil
|
|
}
|
|
|
|
var entMeta structs.EnterpriseMeta
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
q := req.URL.Query()
|
|
|
|
// Set the source type if set
|
|
args.Check.SourceType = structs.IntentionSourceConsul
|
|
if sourceType, ok := q["source-type"]; ok && len(sourceType) > 0 {
|
|
args.Check.SourceType = structs.IntentionSourceType(sourceType[0])
|
|
}
|
|
|
|
// Extract the source/destination
|
|
source, ok := q["source"]
|
|
if !ok || len(source) != 1 {
|
|
return nil, fmt.Errorf("required query parameter 'source' not set")
|
|
}
|
|
destination, ok := q["destination"]
|
|
if !ok || len(destination) != 1 {
|
|
return nil, fmt.Errorf("required query parameter 'destination' not set")
|
|
}
|
|
|
|
// We parse them the same way as matches to extract namespace/name
|
|
args.Check.SourceName = source[0]
|
|
if args.Check.SourceType == structs.IntentionSourceConsul {
|
|
ns, name, err := parseIntentionStringComponent(source[0], &entMeta)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
|
|
}
|
|
args.Check.SourceNS = ns
|
|
args.Check.SourceName = name
|
|
}
|
|
|
|
// The destination is always in the Consul format
|
|
ns, name, err := parseIntentionStringComponent(destination[0], &entMeta)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
|
|
}
|
|
args.Check.DestinationNS = ns
|
|
args.Check.DestinationName = name
|
|
|
|
var reply structs.IntentionQueryCheckResponse
|
|
if err := s.agent.RPC("Intention.Check", args, &reply); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &reply, nil
|
|
}
|
|
|
|
// GET /v1/connect/intentions/exact
|
|
func (s *HTTPHandlers) IntentionGetExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
var entMeta structs.EnterpriseMeta
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
args := structs.IntentionQueryRequest{
|
|
Exact: &structs.IntentionQueryExact{},
|
|
}
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
return nil, nil
|
|
}
|
|
|
|
q := req.URL.Query()
|
|
|
|
// Extract the source/destination
|
|
source, ok := q["source"]
|
|
if !ok || len(source) != 1 {
|
|
return nil, fmt.Errorf("required query parameter 'source' not set")
|
|
}
|
|
destination, ok := q["destination"]
|
|
if !ok || len(destination) != 1 {
|
|
return nil, fmt.Errorf("required query parameter 'destination' not set")
|
|
}
|
|
|
|
{
|
|
ns, name, err := parseIntentionStringComponent(source[0], &entMeta)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
|
|
}
|
|
args.Exact.SourceNS = ns
|
|
args.Exact.SourceName = name
|
|
}
|
|
|
|
{
|
|
ns, name, err := parseIntentionStringComponent(destination[0], &entMeta)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
|
|
}
|
|
args.Exact.DestinationNS = ns
|
|
args.Exact.DestinationName = name
|
|
}
|
|
|
|
var reply structs.IndexedIntentions
|
|
if err := s.agent.RPC("Intention.Get", &args, &reply); err != nil {
|
|
// We have to check the string since the RPC sheds the error type
|
|
if err.Error() == consul.ErrIntentionNotFound.Error() {
|
|
resp.WriteHeader(http.StatusNotFound)
|
|
fmt.Fprint(resp, err.Error())
|
|
return nil, nil
|
|
}
|
|
|
|
// Not ideal, but there are a number of error scenarios that are not
|
|
// user error (400). We look for a specific case of invalid UUID
|
|
// to detect a parameter error and return a 400 response. The error
|
|
// is not a constant type or message, so we have to use strings.Contains
|
|
if strings.Contains(err.Error(), "UUID") {
|
|
return nil, BadRequestError{Reason: err.Error()}
|
|
}
|
|
|
|
return nil, err
|
|
}
|
|
|
|
// This shouldn't happen since the called API documents it shouldn't,
|
|
// but we check since the alternative if it happens is a panic.
|
|
if len(reply.Intentions) == 0 {
|
|
resp.WriteHeader(http.StatusNotFound)
|
|
return nil, nil
|
|
}
|
|
|
|
return reply.Intentions[0], nil
|
|
}
|
|
|
|
// IntentionExact handles the endpoint for /v1/connect/intentions/exact
|
|
func (s *HTTPHandlers) IntentionExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
switch req.Method {
|
|
case "GET":
|
|
return s.IntentionGetExact(resp, req)
|
|
case "PUT":
|
|
return s.IntentionPutExact(resp, req)
|
|
case "DELETE":
|
|
return s.IntentionDeleteExact(resp, req)
|
|
default:
|
|
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
|
}
|
|
}
|
|
|
|
// IntentionSpecific handles the endpoint for /v1/connect/intentions/:id
|
|
func (s *HTTPHandlers) IntentionSpecific(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
id := strings.TrimPrefix(req.URL.Path, "/v1/connect/intentions/")
|
|
|
|
switch req.Method {
|
|
case "GET":
|
|
return s.IntentionSpecificGet(id, resp, req)
|
|
|
|
case "PUT":
|
|
return s.IntentionSpecificUpdate(id, resp, req)
|
|
|
|
case "DELETE":
|
|
return s.IntentionSpecificDelete(id, resp, req)
|
|
|
|
default:
|
|
return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}}
|
|
}
|
|
}
|
|
|
|
// GET /v1/connect/intentions/:id
|
|
func (s *HTTPHandlers) IntentionSpecificGet(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
args := structs.IntentionQueryRequest{
|
|
IntentionID: id,
|
|
}
|
|
if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
|
|
return nil, nil
|
|
}
|
|
|
|
var reply structs.IndexedIntentions
|
|
if err := s.agent.RPC("Intention.Get", &args, &reply); err != nil {
|
|
// We have to check the string since the RPC sheds the error type
|
|
if err.Error() == consul.ErrIntentionNotFound.Error() {
|
|
resp.WriteHeader(http.StatusNotFound)
|
|
fmt.Fprint(resp, err.Error())
|
|
return nil, nil
|
|
}
|
|
|
|
// Not ideal, but there are a number of error scenarios that are not
|
|
// user error (400). We look for a specific case of invalid UUID
|
|
// to detect a parameter error and return a 400 response. The error
|
|
// is not a constant type or message, so we have to use strings.Contains
|
|
if strings.Contains(err.Error(), "UUID") {
|
|
return nil, BadRequestError{Reason: err.Error()}
|
|
}
|
|
|
|
return nil, err
|
|
}
|
|
|
|
// This shouldn't happen since the called API documents it shouldn't,
|
|
// but we check since the alternative if it happens is a panic.
|
|
if len(reply.Intentions) == 0 {
|
|
resp.WriteHeader(http.StatusNotFound)
|
|
return nil, nil
|
|
}
|
|
|
|
return reply.Intentions[0], nil
|
|
}
|
|
|
|
// PUT /v1/connect/intentions/:id
|
|
func (s *HTTPHandlers) IntentionSpecificUpdate(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
var entMeta structs.EnterpriseMeta
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
args := structs.IntentionRequest{
|
|
Op: structs.IntentionOpUpdate,
|
|
}
|
|
s.parseDC(req, &args.Datacenter)
|
|
s.parseToken(req, &args.Token)
|
|
if err := decodeBody(req.Body, &args.Intention); err != nil {
|
|
return nil, BadRequestError{Reason: fmt.Sprintf("Request decode failed: %v", err)}
|
|
}
|
|
|
|
args.Intention.FillNonDefaultNamespaces(&entMeta)
|
|
|
|
// Use the ID from the URL
|
|
args.Intention.ID = id
|
|
|
|
var reply string
|
|
if err := s.agent.RPC("Intention.Apply", &args, &reply); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Update uses the same create response
|
|
return intentionCreateResponse{reply}, nil
|
|
|
|
}
|
|
|
|
// PUT /v1/connect/intentions/exact
|
|
func (s *HTTPHandlers) IntentionPutExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
var entMeta structs.EnterpriseMeta
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
exact, err := parseIntentionQueryExact(req, &entMeta)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
args := structs.IntentionRequest{
|
|
Op: structs.IntentionOpUpsert,
|
|
}
|
|
s.parseDC(req, &args.Datacenter)
|
|
s.parseToken(req, &args.Token)
|
|
if err := decodeBody(req.Body, &args.Intention); err != nil {
|
|
return nil, BadRequestError{Reason: fmt.Sprintf("Request decode failed: %v", err)}
|
|
}
|
|
|
|
// Explicitly CLEAR the old legacy ID field
|
|
args.Intention.ID = ""
|
|
|
|
// Use the intention identity from the URL.
|
|
args.Intention.SourceNS = exact.SourceNS
|
|
args.Intention.SourceName = exact.SourceName
|
|
args.Intention.DestinationNS = exact.DestinationNS
|
|
args.Intention.DestinationName = exact.DestinationName
|
|
|
|
args.Intention.FillNonDefaultNamespaces(&entMeta)
|
|
|
|
var ignored string
|
|
if err := s.agent.RPC("Intention.Apply", &args, &ignored); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// DELETE /v1/connect/intentions/:id
|
|
func (s *HTTPHandlers) IntentionSpecificDelete(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
// Method is tested in IntentionEndpoint
|
|
|
|
args := structs.IntentionRequest{
|
|
Op: structs.IntentionOpDelete,
|
|
Intention: &structs.Intention{ID: id},
|
|
}
|
|
s.parseDC(req, &args.Datacenter)
|
|
s.parseToken(req, &args.Token)
|
|
|
|
var reply string
|
|
if err := s.agent.RPC("Intention.Apply", &args, &reply); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// DELETE /v1/connect/intentions/exact
|
|
func (s *HTTPHandlers) IntentionDeleteExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
|
|
var entMeta structs.EnterpriseMeta
|
|
if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
exact, err := parseIntentionQueryExact(req, &entMeta)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
args := structs.IntentionRequest{
|
|
Op: structs.IntentionOpDelete,
|
|
Intention: &structs.Intention{
|
|
// NOTE: ID is explicitly empty here
|
|
SourceNS: exact.SourceNS,
|
|
SourceName: exact.SourceName,
|
|
DestinationNS: exact.DestinationNS,
|
|
DestinationName: exact.DestinationName,
|
|
},
|
|
}
|
|
s.parseDC(req, &args.Datacenter)
|
|
s.parseToken(req, &args.Token)
|
|
|
|
var ignored string
|
|
if err := s.agent.RPC("Intention.Apply", &args, &ignored); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return true, nil
|
|
}
|
|
|
|
// intentionCreateResponse is the response structure for creating an intention.
|
|
type intentionCreateResponse struct{ ID string }
|
|
|
|
func parseIntentionQueryExact(req *http.Request, entMeta *structs.EnterpriseMeta) (*structs.IntentionQueryExact, error) {
|
|
q := req.URL.Query()
|
|
|
|
// Extract the source/destination
|
|
source, ok := q["source"]
|
|
if !ok || len(source) != 1 || source[0] == "" {
|
|
return nil, fmt.Errorf("required query parameter 'source' not set")
|
|
}
|
|
destination, ok := q["destination"]
|
|
if !ok || len(destination) != 1 || destination[0] == "" {
|
|
return nil, fmt.Errorf("required query parameter 'destination' not set")
|
|
}
|
|
|
|
var exact structs.IntentionQueryExact
|
|
{
|
|
ns, name, err := parseIntentionStringComponent(source[0], entMeta)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
|
|
}
|
|
exact.SourceNS = ns
|
|
exact.SourceName = name
|
|
}
|
|
|
|
{
|
|
ns, name, err := parseIntentionStringComponent(destination[0], entMeta)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
|
|
}
|
|
exact.DestinationNS = ns
|
|
exact.DestinationName = name
|
|
}
|
|
|
|
return &exact, nil
|
|
}
|
|
|
|
func parseIntentionStringComponent(input string, entMeta *structs.EnterpriseMeta) (string, string, error) {
|
|
// Get the index to the '/'. If it doesn't exist, we have just a name
|
|
// so just set that and return.
|
|
idx := strings.IndexByte(input, '/')
|
|
if idx == -1 {
|
|
ns := entMeta.NamespaceOrEmpty()
|
|
return ns, input, nil
|
|
}
|
|
|
|
ns, name := input[:idx], input[idx+1:]
|
|
|
|
if strings.IndexByte(name, '/') != -1 {
|
|
return "", "", fmt.Errorf("input can contain at most one '/'")
|
|
}
|
|
|
|
return ns, name, nil
|
|
}
|