fixup! Add support for TCP traffic permissions

hashicorp · Sep 12, 2023 · b16a591 · b16a591
1 parent 29a4aa2
commit b16a591
Show file tree

Hide file tree

Showing 15 changed files with 356 additions and 437 deletions.
diff --git a/agent/xds/proxystateconverter/listeners.go b/agent/xds/proxystateconverter/listeners.go
@@ -1009,7 +1009,6 @@ func (s *Converter) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot, name s
 		if l7Dest == nil {
 			return nil, fmt.Errorf("l7 destination on inbound listener should not be empty")
 		}
-		l7Dest.AddEmptyIntention = true
 
 		// TODO(proxystate): L7 Intentions and JWT Auth will be added in the future.
 		//jwtFilter, jwtFilterErr := makeJWTAuthFilter(cfgSnap.JWTProviders, cfgSnap.ConnectProxy.Intentions)
@@ -1053,13 +1052,7 @@ func (s *Converter) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot, name s
 			l4Dest.MaxInboundConnections = uint64(cfg.MaxInboundConnections)
 		}
 
-		defaultAction := pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_DENY
-		if cfgSnap.IntentionDefaultAllow {
-			defaultAction = pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_ALLOW
-		}
-		l4Dest.TrafficPermissions = &pbproxystate.L4TrafficPermissions{
-			DefaultAction: defaultAction,
-		}
+		l4Dest.TrafficPermissions = &pbproxystate.L4TrafficPermissions{}
 	}
 	l.Routers = append(l.Routers, localAppRouter)
 

diff --git a/agent/xds/rbac_test.go b/agent/xds/rbac_test.go
@@ -617,17 +617,6 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
 			v1Intentions: sorted(
 				testSourceIntention("*", structs.IntentionActionDeny),
 			),
-			v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
-				DenyPermissions: []*pbproxystate.L4Permission{
-					{
-						Principals: []*pbproxystate.L4Principal{
-							{
-								SpiffeRegex: makeL4Spiffe("*", nil),
-							},
-						},
-					},
-				},
-			},
 		},
 		"default-deny-one-allow": {
 			intentionDefaultAllow: false,
@@ -651,17 +640,6 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
 			v1Intentions: sorted(
 				testSourceIntention("web", structs.IntentionActionDeny),
 			),
-			v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
-				DenyPermissions: []*pbproxystate.L4Permission{
-					{
-						Principals: []*pbproxystate.L4Principal{
-							{
-								SpiffeRegex: makeL4Spiffe("web", nil),
-							},
-						},
-					},
-				},
-			},
 		},
 		"default-deny-allow-deny": {
 			intentionDefaultAllow: false,
@@ -775,38 +753,31 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
 				},
 			},
 		},
-		"default-allow-kitchen-sink": {
+		// In v2, having a single permission turns on default deny.
+		"v2-default-allow-one-deny": {
 			intentionDefaultAllow: true,
-			v1Intentions: sorted(
-				// (double exact)
-				testSourceIntention("web", structs.IntentionActionDeny),
-				testSourceIntention("unsafe", structs.IntentionActionAllow),
-				testSourceIntention("cron", structs.IntentionActionDeny),
-				testSourceIntention("*", structs.IntentionActionDeny),
-			),
 			v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
 				DenyPermissions: []*pbproxystate.L4Permission{
 					{
 						Principals: []*pbproxystate.L4Principal{
-							{
-								SpiffeRegex: makeL4Spiffe("cron", nil),
-							},
 							{
 								SpiffeRegex: makeL4Spiffe("web", nil),
 							},
-							{
-								SpiffeRegex: makeL4Spiffe("*", nil),
-								ExcludeSpiffeRegexes: []string{
-									makeL4Spiffe("web", nil),
-									makeL4Spiffe("unsafe", nil),
-									makeL4Spiffe("cron", nil),
-								},
-							},
 						},
 					},
 				},
 			},
 		},
+		"default-allow-kitchen-sink": {
+			intentionDefaultAllow: true,
+			v1Intentions: sorted(
+				// (double exact)
+				testSourceIntention("web", structs.IntentionActionDeny),
+				testSourceIntention("unsafe", structs.IntentionActionAllow),
+				testSourceIntention("cron", structs.IntentionActionDeny),
+				testSourceIntention("*", structs.IntentionActionDeny),
+			),
+		},
 		"default-deny-peered-kitchen-sink": {
 			intentionDefaultAllow: false,
 			v1Intentions: sorted(
@@ -1126,12 +1097,8 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
 					if tt.v2L4TrafficPermissions == nil {
 						return
 					}
-					tt.v2L4TrafficPermissions.DefaultAction = pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_DENY
-					if tt.intentionDefaultAllow {
-						tt.v2L4TrafficPermissions.DefaultAction = pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_ALLOW
-					}
 
-					filters, err := xdsv2.MakeL4RBAC(tt.v2L4TrafficPermissions)
+					filters, err := xdsv2.MakeL4RBAC(tt.intentionDefaultAllow, tt.v2L4TrafficPermissions)
 					require.NoError(t, err)
 
 					var gotJSON string

diff --git a/agent/xds/testdata/rbac/v2-default-allow-one-allow.golden b/agent/xds/testdata/rbac/v2-default-allow-one-allow.golden
@@ -1 +1,30 @@
-{}
+{
+  "name": "envoy.filters.network.rbac",
+  "typedConfig": {
+    "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+    "rules": {
+      "policies": {
+        "consul-intentions-layer4": {
+          "permissions": [
+            {
+              "any": true
+            }
+          ],
+          "principals": [
+            {
+              "authenticated": {
+                "principalName": {
+                  "safeRegex": {
+                    "googleRe2": {},
+                    "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
+                  }
+                }
+              }
+            }
+          ]
+        }
+      }
+    },
+    "statPrefix": "connect_authz"
+  }
+}
diff --git a/agent/xds/testdata/rbac/v2-default-allow-one-deny.golden b/agent/xds/testdata/rbac/v2-default-allow-one-deny.golden
@@ -0,0 +1,43 @@
+{
+  "filters": [
+    {
+      "name": "envoy.filters.network.rbac",
+      "typedConfig": {
+        "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+        "rules": {
+          "action": "DENY",
+          "policies": {
+            "consul-intentions-layer4": {
+              "permissions": [
+                {
+                  "any": true
+                }
+              ],
+              "principals": [
+                {
+                  "authenticated": {
+                    "principalName": {
+                      "safeRegex": {
+                        "googleRe2": {},
+                        "regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
+                      }
+                    }
+                  }
+                }
+              ]
+            }
+          }
+        },
+        "statPrefix": "connect_authz"
+      }
+    },
+    {
+      "name": "envoy.filters.network.rbac",
+      "typedConfig": {
+        "@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+        "rules": {},
+        "statPrefix": "connect_authz"
+      }
+    }
+  ]
+}
diff --git a/agent/xds/testdata/rbac/v2-kitchen-sink.golden b/agent/xds/testdata/rbac/v2-kitchen-sink.golden
@@ -1,5 +1,46 @@
 {
   "filters":  [
+    {
+      "name":  "envoy.filters.network.rbac",
+      "typedConfig":  {
+        "@type":  "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
+        "rules":  {
+          "action":  "DENY",
+          "policies":  {
+            "consul-intentions-layer4":  {
+              "permissions":  [
+                {
+                  "any":  true
+                }
+              ],
+              "principals":  [
+                {
+                  "authenticated":  {
+                    "principalName":  {
+                      "safeRegex":  {
+                        "googleRe2":  {},
+                        "regex":  "^spiffe://test.consul/ns/default/dc/[^/]+/svc/db$"
+                      }
+                    }
+                  }
+                },
+                {
+                  "authenticated":  {
+                    "principalName":  {
+                      "safeRegex":  {
+                        "googleRe2":  {},
+                        "regex":  "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
+                      }
+                    }
+                  }
+                }
+              ]
+            }
+          }
+        },
+        "statPrefix":  "connect_authz"
+      }
+    },
     {
       "name":  "envoy.filters.network.rbac",
       "typedConfig":  {
@@ -76,47 +117,6 @@
         },
         "statPrefix":  "connect_authz"
       }
-    },
-    {
-      "name":  "envoy.filters.network.rbac",
-      "typedConfig":  {
-        "@type":  "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
-        "rules":  {
-          "action":  "DENY",
-          "policies":  {
-            "consul-intentions-layer4":  {
-              "permissions":  [
-                {
-                  "any":  true
-                }
-              ],
-              "principals":  [
-                {
-                  "authenticated":  {
-                    "principalName":  {
-                      "safeRegex":  {
-                        "googleRe2":  {},
-                        "regex":  "^spiffe://test.consul/ns/default/dc/[^/]+/svc/db$"
-                      }
-                    }
-                  }
-                },
-                {
-                  "authenticated":  {
-                    "principalName":  {
-                      "safeRegex":  {
-                        "googleRe2":  {},
-                        "regex":  "^spiffe://test.consul/ns/default/dc/[^/]+/svc/cron$"
-                      }
-                    }
-                  }
-                }
-              ]
-            }
-          }
-        },
-        "statPrefix":  "connect_authz"
-      }
     }
   ]
 }
diff --git a/agent/xdsv2/listener_resources.go b/agent/xdsv2/listener_resources.go
@@ -308,7 +308,7 @@ func (pr *ProxyResources) makeEnvoyResourcesForL4Destination(l4 *pbproxystate.Ro
 	if err != nil {
 		return nil, err
 	}
-	envoyFilters, err := makeL4Filters(l4.L4)
+	envoyFilters, err := makeL4Filters(pr.proxyState.TrafficPermissionDefaultAllow, l4.L4)
 	return envoyFilters, err
 }
 
@@ -333,10 +333,10 @@ func getAlpnProtocols(protocol pbproxystate.L7Protocol) []string {
 	return alpnProtocols
 }
 
-func makeL4Filters(l4 *pbproxystate.L4Destination) ([]*envoy_listener_v3.Filter, error) {
+func makeL4Filters(defaultAllow bool, l4 *pbproxystate.L4Destination) ([]*envoy_listener_v3.Filter, error) {
 	var envoyFilters []*envoy_listener_v3.Filter
 	if l4 != nil {
-		rbacFilters, err := MakeL4RBAC(l4.TrafficPermissions)
+		rbacFilters, err := MakeL4RBAC(defaultAllow, l4.TrafficPermissions)
 		if err != nil {
 			return nil, err
 		}