backport of commit 7b98a41

.github/scripts/license_checker.sh

@@ -2,15 +2,19 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
 
+if [[ ${GITHUB_BASE_REF} == release/1.14.* ]] || [[ ${GITHUB_BASE_REF} == release/1.15.* ]] || [[ ${GITHUB_BASE_REF} == release/1.16.* ]]; then
+    busl_files=$(grep -r 'SPDX-License-Identifier: BUSL' . --exclude-dir .github)
 
-busl_files=$(grep -r 'SPDX-License-Identifier: BUSL' . --exclude-dir .github)
-
-# If we do not find a file in .changelog/, we fail the check
-if [ -n "$busl_files" ]; then
-    echo "Found BUSL occurrences in the PR branch! (See NET-5258 for details)"
-    echo -n "$busl_files"
-    exit 1
+    if [ -n "$busl_files" ]; then
+        echo "Found BUSL occurrences in the PR branch! (See NET-5258 for details)"
+        echo -n "$busl_files"
+        exit 1
+    else
+        echo "Did not find any occurrences of BUSL in the PR branch"
+        exit 0
+    fi
+    echo "The variable starts with release/1.14, release/1.15, or release/1.17."
 else
-    echo "Did not find any occurrences of BUSL in the PR branch"
+    echo "Skipping BUSL check since ${GITHUB_BASE_REF} not one of release/1.14.*, release/1.15.*, or release/1.16.*."
     exit 0
-fi
+fi

.github/workflows/license-checker.yml

@@ -7,11 +7,8 @@ name: License Checker
 
 on:
   pull_request:
+    # Logic to only apply check 1.1[4,5,6].x branches is in license_checker.sh
     types: [opened, synchronize]
-    branches:
-      - release/1.14.*
-      - release/1.15.*
-      - release/1.16.*
 
 jobs:
   # checks that the diff does not contain any reference to

Makefile

@@ -438,6 +438,9 @@ codegen: codegen-tools ## Deep copy
 	@$(SHELL) $(CURDIR)/agent/consul/state/deep-copy.sh
 	@$(SHELL) $(CURDIR)/agent/config/deep-copy.sh
 	copywrite headers
+	# Special case for MPL headers in /api and /sdk
+	cd api && $(CURDIR)/build-support/scripts/copywrite-exceptions.sh
+	cd sdk && $(CURDIR)/build-support/scripts/copywrite-exceptions.sh
 
 print-%  : ; @echo $($*) ## utility to echo a makefile variable (i.e. 'make print-GOPATH')
 

agent/agent_endpoint.go

@@ -22,6 +22,7 @@ import (
 
 	"github.com/hashicorp/consul/acl"
 	cachetype "github.com/hashicorp/consul/agent/cache-types"
+	"github.com/hashicorp/consul/agent/connect"
 	"github.com/hashicorp/consul/agent/consul"
 	"github.com/hashicorp/consul/agent/debug"
 	"github.com/hashicorp/consul/agent/leafcert"
@@ -1656,14 +1657,108 @@ func (s *HTTPHandlers) AgentConnectAuthorize(resp http.ResponseWriter, req *http
 		return nil, nil
 	}
 
-	authz, reason, cacheMeta, err := s.agent.ConnectAuthorize(token, &authReq)
+	// We need to have a target to check intentions
+	if authReq.Target == "" {
+		return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Target service must be specified"}
+	}
+
+	// Parse the certificate URI from the client ID
+	uri, err := connect.ParseCertURIFromString(authReq.ClientCertURI)
+	if err != nil {
+		return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "ClientCertURI not a valid Connect identifier"}
+	}
+
+	uriService, ok := uri.(*connect.SpiffeIDService)
+	if !ok {
+		return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "ClientCertURI not a valid Service identifier"}
+	}
+
+	// We need to verify service:write permissions for the given token.
+	// We do this manually here since the RPC request below only verifies
+	// service:read.
+	var authzContext acl.AuthorizerContext
+	authz, err := s.agent.delegate.ResolveTokenAndDefaultMeta(token, &authReq.EnterpriseMeta, &authzContext)
 	if err != nil {
+		return nil, fmt.Errorf("Could not resolve token to authorizer: %w", err)
+	}
+
+	if err := authz.ToAllowAuthorizer().ServiceWriteAllowed(authReq.Target, &authzContext); err != nil {
 		return nil, err
 	}
-	setCacheMeta(resp, cacheMeta)
+
+	if !uriService.MatchesPartition(authReq.TargetPartition()) {
+		return nil, HTTPError{
+			StatusCode: http.StatusBadRequest,
+			Reason: fmt.Sprintf("Mismatched partitions: %q != %q",
+				uriService.PartitionOrDefault(),
+				acl.PartitionOrDefault(authReq.TargetPartition())),
+		}
+	}
+
+	// Get the intentions for this target service.
+	args := &structs.IntentionQueryRequest{
+		Datacenter: s.agent.config.Datacenter,
+		Match: &structs.IntentionQueryMatch{
+			Type: structs.IntentionMatchDestination,
+			Entries: []structs.IntentionMatchEntry{
+				{
+					Namespace: authReq.TargetNamespace(),
+					Partition: authReq.TargetPartition(),
+					Name:      authReq.Target,
+				},
+			},
+		},
+		QueryOptions: structs.QueryOptions{Token: token},
+	}
+
+	raw, meta, err := s.agent.cache.Get(req.Context(), cachetype.IntentionMatchName, args)
+	if err != nil {
+		return nil, fmt.Errorf("failed getting intention match: %w", err)
+	}
+
+	reply, ok := raw.(*structs.IndexedIntentionMatches)
+	if !ok {
+		return nil, fmt.Errorf("internal error: response type not correct")
+	}
+	if len(reply.Matches) != 1 {
+		return nil, fmt.Errorf("Internal error loading matches")
+	}
+
+	// Figure out which source matches this request.
+	var ixnMatch *structs.Intention
+	for _, ixn := range reply.Matches[0] {
+		// We match on the intention source because the uriService is the source of the connection to authorize.
+		if _, ok := connect.AuthorizeIntentionTarget(
+			uriService.Service, uriService.Namespace, uriService.Partition, "", ixn, structs.IntentionMatchSource); ok {
+			ixnMatch = ixn
+			break
+		}
+	}
+
+	var (
+		authorized bool
+		reason     string
+	)
+
+	if ixnMatch != nil {
+		if len(ixnMatch.Permissions) == 0 {
+			// This is an L4 intention.
+			reason = fmt.Sprintf("Matched L4 intention: %s", ixnMatch.String())
+			authorized = ixnMatch.Action == structs.IntentionActionAllow
+		} else {
+			reason = fmt.Sprintf("Matched L7 intention: %s", ixnMatch.String())
+			// This is an L7 intention, so DENY.
+			authorized = false
+		}
+	} else {
+		reason = "Default behavior configured by ACLs"
+		authorized = authz.IntentionDefaultAllow(nil) == acl.Allow
+	}
+
+	setCacheMeta(resp, &meta)
 
 	return &connectAuthorizeResp{
-		Authorized: authz,
+		Authorized: authorized,
 		Reason:     reason,
 	}, nil
 }

agent/agent_endpoint_test.go

@@ -90,6 +90,18 @@ func TestAgentEndpointsFailInV2(t *testing.T) {
 		})
 	}
 
+	t.Run("agent-self-with-params", func(t *testing.T) {
+		req, err := http.NewRequest("GET", "/v1/agent/self?dc=dc1", nil)
+		require.NoError(t, err)
+
+		resp := httptest.NewRecorder()
+		a.srv.h.ServeHTTP(resp, req)
+		require.Equal(t, http.StatusOK, resp.Code)
+
+		_, err = io.ReadAll(resp.Body)
+		require.NoError(t, err)
+	})
+
 	checkRequest("PUT", "/v1/agent/maintenance")
 	checkRequest("GET", "/v1/agent/services")
 	checkRequest("GET", "/v1/agent/service/web")