consul/agent
Michael Zalimeni d9206fc7e2
[NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816)
mesh: add options for HTTP incoming request normalization

Expose global mesh configuration to enforce inbound HTTP request
normalization on mesh traffic via Envoy xDS config.

mesh: enable inbound URL path normalization by default

mesh: add support for L7 header match contains and ignore_case

Enable partial string and case-insensitive matching in L7 intentions
header match rules.

ui: support L7 header match contains and ignore_case

Co-authored-by: Phil Renaud <phil@riotindustries.com>

test: add request normalization integration bats tests

Add both "positive" and "negative" test suites, showing normalization in
action as well as expected results when it is not enabled, for the same
set of test cases.

Also add some alternative service container test helpers for verifying
raw HTTP request paths, which is difficult to do with Fortio.

docs: update security and reference docs for L7 intentions bypass prevention

- Update security docs with best practices for service intentions
  configuration
- Update configuration entry references for mesh and intentions to
  reflect new values and add guidance on usage
2024-10-16 12:23:33 -04:00
ae remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
auto-config [NET-6593] agent: check for minimum RSA key size (#20112) 2024-01-10 12:15:36 +00:00
blockingquery NET-9084 - add tests to peering endpoint and blockingquery package to assert blocking works properly. (#21078) 2024-05-09 14:55:13 -04:00
cache xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756) 2023-09-12 12:56:43 -07:00
cache-types xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756) 2023-09-12 12:56:43 -07:00
cacheshim xds controller: setup watches for and compute leaf cert references in ProxyStateTemplate, and wire up leaf cert manager dependency (#18756) 2023-09-12 12:56:43 -07:00
checks security: fix AliasCheck panic (update) (#21510) 2024-07-03 10:48:08 -04:00
config Update raft to 1.7.0 and add configuration for prevote (#21758) 2024-09-20 10:35:48 -04:00
configentry Hash based config entry replication (#19795) 2023-12-12 08:29:13 -05:00
connect remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
consul remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
debug [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
dns NET-10685 - Remove dns v2 code (#21598) 2024-08-13 16:53:48 -06:00
envoyextensions NET-6946 / NET-6941 - Replace usage of deprecated Envoy fields envoy.config.route.v3.HeaderMatcher.safe_regex_match and envoy.type.matcher.v3.RegexMatcher.google_re2 (#20013) 2024-01-03 09:53:39 -07:00
exec Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
grpc-external remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
grpc-internal update go-control-plane envoy dependency to 0.12.0 (#20973) 2024-04-10 01:23:04 +00:00
grpc-middleware security: upgrade google.golang.org/protobuf to 1.33.0 (#20801) 2024-03-06 23:04:42 +00:00
hcp [CC-7411] Fix environment variable precedence when linking to HCP (#20527) 2024-02-13 14:06:18 -06:00
leafcert remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
local bug: prevent go routine leakage due to existing DeferCheck (#18558) 2023-08-23 10:33:07 -04:00
log-drop [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
metadata [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
metrics [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
mock [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
pool [NET-6459] Fix issue with wanfed lan ip conflicts. (#19503) 2023-11-06 08:47:12 -06:00
proxycfg remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
proxycfg-glue NET-5879 - move the filter for non-passing to occur in the health RPC layer rather than the callers of the RPC (#21098) 2024-05-14 07:05:54 -06:00
proxycfg-sources remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
router gossip: refactor some gossip related libraries into a central place (#21036) 2024-05-07 10:30:49 -05:00
routine-leak-checker [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
rpc remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
rpcclient NET-5879 - expose sameness group param on service health endpoint and move sameness group health fallback logic into HealthService RPC layer (#21096) 2024-05-14 13:32:49 +00:00
structs [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816) 2024-10-16 12:23:33 -04:00
submatview [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
systemd [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
token Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
uiserver remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
xds [NET-1151 NET-11228] security: Add request normalization and header match options to prevent L7 intentions bypass (#21816) 2024-10-16 12:23:33 -04:00
acl.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
acl_ce.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
acl_endpoint.go [NET-6249] Add templated policies description (#19735) 2023-11-27 10:34:22 -05:00
acl_endpoint_test.go remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
acl_test.go gossip: refactor some gossip related libraries into a central place (#21036) 2024-05-07 10:30:49 -05:00
agent.go Update raft to 1.7.0 and add configuration for prevote (#21758) 2024-09-20 10:35:48 -04:00
agent_ce.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
agent_ce_test.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
agent_endpoint.go gossip: refactor some gossip related libraries into a central place (#21036) 2024-05-07 10:30:49 -05:00
agent_endpoint_ce.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
agent_endpoint_ce_test.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
agent_endpoint_test.go remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
agent_test.go gossip: refactor some gossip related libraries into a central place (#21036) 2024-05-07 10:30:49 -05:00
apiserver.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
apiserver_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
catalog_endpoint.go NET-7644/NET-7634 - Implement query lookup for tagged addresses on nodes and services including WAN translation. (#20583) 2024-02-12 14:27:25 -05:00
catalog_endpoint_ce.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
catalog_endpoint_test.go remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
check.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
config_endpoint.go NET-5824 Exported services api (#20015) 2024-01-23 10:06:59 +05:30
config_endpoint_test.go remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
connect_ca_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
connect_ca_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
coordinate_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
coordinate_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
delegate_mock_test.go gossip: refactor some gossip related libraries into a central place (#21036) 2024-05-07 10:30:49 -05:00
denylist.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
denylist_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
discovery_chain_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
discovery_chain_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
dns.go NET-10685 - Remove dns v2 code (#21598) 2024-08-13 16:53:48 -06:00
dns_ce.go NET-10685 - Remove dns v2 code (#21598) 2024-08-13 16:53:48 -06:00
dns_ce_test.go NET-10685 - Remove dns v2 code (#21598) 2024-08-13 16:53:48 -06:00
dns_node_lookup_test.go NET-10685 - Remove dns v2 code (#21598) 2024-08-13 16:53:48 -06:00
dns_reverse_lookup_test.go NET-10685 - Remove dns v2 code (#21598) 2024-08-13 16:53:48 -06:00
dns_service_lookup_test.go Fix TestDNS_ServiceLookup_ARecordLimits so that it only creates test agents the minimal amount of time (#21608) 2024-08-15 18:09:09 +00:00
dns_test.go NET-10685 - Remove dns v2 code (#21598) 2024-08-13 16:53:48 -06:00
enterprise_delegate_ce.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
event_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
event_endpoint_test.go Retry lint fixes (#19151) 2023-12-06 12:11:32 -05:00
federation_state_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
health_endpoint.go NET-5879 - expose sameness group param on service health endpoint and move sameness group health fallback logic into HealthService RPC layer (#21096) 2024-05-14 13:32:49 +00:00
health_endpoint_ce_test.go NET-5879 - expose sameness group param on service health endpoint and move sameness group health fallback logic into HealthService RPC layer (#21096) 2024-05-14 13:32:49 +00:00
health_endpoint_test.go remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
http.go [Security] Fix XSS Vulnerability where content-type header wasn't explicitly set (#21704) 2024-09-11 14:23:21 -05:00
http_ce.go Fix audit-log encoding issue (CC-7337) (#20345) 2024-02-06 16:40:07 +05:30
http_ce_test.go OSS -> CE (community edition) changes (#18517) 2023-08-22 09:46:03 -05:00
http_decode_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
http_register.go NET-5824 Exported services api (#20015) 2024-01-23 10:06:59 +05:30
http_test.go [Security] Fix XSS Vulnerability where content-type header wasn't explicitly set (#21704) 2024-09-11 14:23:21 -05:00
intentions_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
intentions_endpoint_ce_test.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
intentions_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
keyring.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
keyring_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
kvs_endpoint.go [Security] Close cross scripting vulnerability (#21342) 2024-06-17 13:54:37 -04:00
kvs_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
metrics.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
metrics_test.go update TestHTTPHandlers_AgentMetrics_LeaderShipMetrics to use 3 servers instead of 2 to allow quorum when leadership flails. (#21239) 2024-06-03 12:10:38 -06:00
nodeid.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
nodeid_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
notify.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
notify_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
operator_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
operator_endpoint_ce.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
operator_endpoint_ce_test.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
operator_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
peering_endpoint.go OSS -> CE (community edition) changes (#18517) 2023-08-22 09:46:03 -05:00
peering_endpoint_ce_test.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
peering_endpoint_test.go NET-9084 - add tests to peering endpoint and blockingquery package to assert blocking works properly. (#21078) 2024-05-09 14:55:13 -04:00
prepared_query_endpoint.go NET-7644/NET-7634 - Implement query lookup for tagged addresses on nodes and services including WAN translation. (#20583) 2024-02-12 14:27:25 -05:00
prepared_query_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
proxycfg_test.go remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
reload.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
remote_exec.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
remote_exec_test.go Retry lint fixes (#19151) 2023-12-06 12:11:32 -05:00
retry_join.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
retry_join_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
service_checks_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
service_manager.go Ensure that upstream configuration is properly normalized. (#19076) 2023-10-06 13:59:47 -05:00
service_manager_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
session_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
session_endpoint_test.go Retry lint fixes (#19151) 2023-12-06 12:11:32 -05:00
setup.go NET-10685 - Remove dns v2 code (#21598) 2024-08-13 16:53:48 -06:00
setup_ce.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
sidecar_service.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
sidecar_service_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
signal_unix.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
signal_windows.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
snapshot_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
snapshot_endpoint_test.go Fix more test flakes (#19533) 2023-11-07 10:15:50 -06:00
status_endpoint.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
status_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
streaming_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
testagent.go remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
testagent_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
translate_addr.go NET-7644/NET-7634 - Implement query lookup for tagged addresses on nodes and services including WAN translation. (#20583) 2024-02-12 14:27:25 -05:00
txn_endpoint.go Add TCP+TLS Healthchecks (#18381) 2023-09-05 13:34:44 -07:00
txn_endpoint_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
ui_endpoint.go [NET-5688] APIGateway UI Topology Fixes (#19657) 2023-11-28 21:27:14 +00:00
ui_endpoint_ce_test.go Remove old build tags (#19128) 2023-10-10 10:58:06 -04:00
ui_endpoint_test.go remove v2 tenancy, catalog, and mesh (#21592) 2024-09-05 08:50:46 -06:00
user_event.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
user_event_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
util.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
util_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
watch_handler.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00
watch_handler_test.go [COMPLIANCE] License changes (#18443) 2023-08-11 09:12:13 -04:00