mirror of
https://github.com/status-im/consul.git
synced 2025-03-03 14:50:50 +00:00
d9206fc7e2
mesh: add options for HTTP incoming request normalization Expose global mesh configuration to enforce inbound HTTP request normalization on mesh traffic via Envoy xDS config. mesh: enable inbound URL path normalization by default mesh: add support for L7 header match contains and ignore_case Enable partial string and case-insensitive matching in L7 intentions header match rules. ui: support L7 header match contains and ignore_case Co-authored-by: Phil Renaud <phil@riotindustries.com> test: add request normalization integration bats tests Add both "positive" and "negative" test suites, showing normalization in action as well as expected results when it is not enabled, for the same set of test cases. Also add some alternative service container test helpers for verifying raw HTTP request paths, which is difficult to do with Fortio. docs: update security and reference docs for L7 intentions bypass prevention - Update security docs with best practices for service intentions configuration - Update configuration entry references for mesh and intentions to reflect new values and add guidance on usage
103 lines
3.6 KiB
Go
103 lines
3.6 KiB
Go
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
package api
|
|
|
|
import "time"
|
|
|
|
type ServiceIntentionsConfigEntry struct {
|
|
Kind string
|
|
Name string
|
|
Partition string `json:",omitempty"`
|
|
Namespace string `json:",omitempty"`
|
|
|
|
Sources []*SourceIntention
|
|
JWT *IntentionJWTRequirement `json:",omitempty"`
|
|
|
|
Meta map[string]string `json:",omitempty"`
|
|
|
|
CreateIndex uint64
|
|
ModifyIndex uint64
|
|
}
|
|
|
|
type SourceIntention struct {
|
|
Name string
|
|
Peer string `json:",omitempty"`
|
|
Partition string `json:",omitempty"`
|
|
Namespace string `json:",omitempty"`
|
|
SamenessGroup string `json:",omitempty" alias:"sameness_group"`
|
|
Action IntentionAction `json:",omitempty"`
|
|
Permissions []*IntentionPermission `json:",omitempty"`
|
|
Precedence int
|
|
Type IntentionSourceType
|
|
Description string `json:",omitempty"`
|
|
|
|
LegacyID string `json:",omitempty" alias:"legacy_id"`
|
|
LegacyMeta map[string]string `json:",omitempty" alias:"legacy_meta"`
|
|
LegacyCreateTime *time.Time `json:",omitempty" alias:"legacy_create_time"`
|
|
LegacyUpdateTime *time.Time `json:",omitempty" alias:"legacy_update_time"`
|
|
}
|
|
|
|
func (e *ServiceIntentionsConfigEntry) GetKind() string { return e.Kind }
|
|
func (e *ServiceIntentionsConfigEntry) GetName() string { return e.Name }
|
|
func (e *ServiceIntentionsConfigEntry) GetPartition() string { return e.Partition }
|
|
func (e *ServiceIntentionsConfigEntry) GetNamespace() string { return e.Namespace }
|
|
func (e *ServiceIntentionsConfigEntry) GetMeta() map[string]string { return e.Meta }
|
|
func (e *ServiceIntentionsConfigEntry) GetCreateIndex() uint64 { return e.CreateIndex }
|
|
func (e *ServiceIntentionsConfigEntry) GetModifyIndex() uint64 { return e.ModifyIndex }
|
|
|
|
type IntentionPermission struct {
|
|
Action IntentionAction
|
|
HTTP *IntentionHTTPPermission `json:",omitempty"`
|
|
JWT *IntentionJWTRequirement `json:",omitempty"`
|
|
}
|
|
|
|
type IntentionHTTPPermission struct {
|
|
PathExact string `json:",omitempty" alias:"path_exact"`
|
|
PathPrefix string `json:",omitempty" alias:"path_prefix"`
|
|
PathRegex string `json:",omitempty" alias:"path_regex"`
|
|
|
|
Header []IntentionHTTPHeaderPermission `json:",omitempty"`
|
|
|
|
Methods []string `json:",omitempty"`
|
|
}
|
|
|
|
type IntentionHTTPHeaderPermission struct {
|
|
Name string
|
|
Present bool `json:",omitempty"`
|
|
Exact string `json:",omitempty"`
|
|
Prefix string `json:",omitempty"`
|
|
Suffix string `json:",omitempty"`
|
|
Contains string `json:",omitempty"`
|
|
Regex string `json:",omitempty"`
|
|
Invert bool `json:",omitempty"`
|
|
IgnoreCase bool `json:",omitempty" alias:"ignore_case"`
|
|
}
|
|
|
|
type IntentionJWTRequirement struct {
|
|
// Providers is a list of providers to consider when verifying a JWT.
|
|
Providers []*IntentionJWTProvider `json:",omitempty"`
|
|
}
|
|
|
|
type IntentionJWTProvider struct {
|
|
// Name is the name of the JWT provider. There MUST be a corresponding
|
|
// "jwt-provider" config entry with this name.
|
|
Name string `json:",omitempty"`
|
|
|
|
// VerifyClaims is a list of additional claims to verify in a JWT's payload.
|
|
VerifyClaims []*IntentionJWTClaimVerification `json:",omitempty" alias:"verify_claims"`
|
|
}
|
|
|
|
type IntentionJWTClaimVerification struct {
|
|
// Path is the path to the claim in the token JSON.
|
|
Path []string `json:",omitempty"`
|
|
|
|
// Value is the expected value at the given path:
|
|
// - If the type at the path is a list then we verify
|
|
// that this value is contained in the list.
|
|
//
|
|
// - If the type at the path is a string then we verify
|
|
// that this value matches.
|
|
Value string `json:",omitempty"`
|
|
}
|