move jwtinfos to flatten fn

hashicorp · Jul 14, 2023 · f06cbe6 · f06cbe6
1 parent 0d087be
commit f06cbe6
Showing 1 changed file with 28 additions and 33 deletions.
diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go
@@ -364,26 +364,32 @@ type rbacIntention struct {
 }
 
 func (r *rbacIntention) FlattenPrincipal(localInfo rbacLocalInfo) *envoy_rbac_v3.Principal {
+	var principal *envoy_rbac_v3.Principal
 	if !localInfo.expectXFCC {
-		return r.flattenPrincipalFromCert()
-
+		principal = r.flattenPrincipalFromCert()
 	} else if r.Source.Peer == "" {
 		// NOTE: ixnSourceMatches should enforce that all of Source and NotSources
 		// are peered or not-peered, so we only need to look at the Source element.
-		return r.flattenPrincipalFromCert() // intention is not relevant to peering
-	}
+		principal = r.flattenPrincipalFromCert() // intention is not relevant to peering
+	} else {
+		// If this intention is an L7 peered one, then it is exclusively resolvable
+		// using XFCC, rather than the TLS SAN field.
+		fromXFCC := r.flattenPrincipalFromXFCC()
 
-	// If this intention is an L7 peered one, then it is exclusively resolvable
-	// using XFCC, rather than the TLS SAN field.
-	fromXFCC := r.flattenPrincipalFromXFCC()
+		// Use of the XFCC one is gated on coming directly from our own gateways.
+		gwIDPattern := makeSpiffeMeshGatewayPattern(localInfo.trustDomain, localInfo.partition)
 
-	// Use of the XFCC one is gated on coming directly from our own gateways.
-	gwIDPattern := makeSpiffeMeshGatewayPattern(localInfo.trustDomain, localInfo.partition)
+		principal = andPrincipals([]*envoy_rbac_v3.Principal{
+			authenticatedPatternPrincipal(gwIDPattern),
+			fromXFCC,
+		})
+	}
 
-	return andPrincipals([]*envoy_rbac_v3.Principal{
-		authenticatedPatternPrincipal(gwIDPattern),
-		fromXFCC,
-	})
+	if len(r.jwtInfos) == 0 {
+		return principal
+	}
+
+	return addJWTPrincipal(principal, r.jwtInfos)
 }
 
 func (r *rbacIntention) flattenPrincipalFromCert() *envoy_rbac_v3.Principal {
@@ -631,10 +637,6 @@ func makeRBACRules(
 
 	var principalsL4 []*envoy_rbac_v3.Principal
 	for i, rbacIxn := range rbacIxns {
-		var infos []*JWTInfo
-		if isHTTP {
-			infos = rbacIxn.jwtInfos
-		}
 		if rbacIxn.Action == intentionActionLayer7 {
 			if len(rbacIxn.Permissions) == 0 {
 				panic("invalid state: L7 intention has no permissions")
@@ -644,7 +646,6 @@ func makeRBACRules(
 			}
 
 			rbacPrincipals := optimizePrincipals([]*envoy_rbac_v3.Principal{rbacIxn.ComputedPrincipal})
-			rbacPrincipals = addJWTPrincipals(rbacPrincipals, infos)
 			// For L7: we should generate one Policy per Principal and list all of the Permissions
 			policy := &envoy_rbac_v3.Policy{
 				Principals:  rbacPrincipals,
@@ -657,8 +658,6 @@ func makeRBACRules(
 		} else {
 			// For L4: we should generate one big Policy listing all Principals
 			principalsL4 = append(principalsL4, rbacIxn.ComputedPrincipal)
-			// Append JWT principals to list of principals
-			principalsL4 = addJWTPrincipals(principalsL4, infos)
 		}
 	}
 	if len(principalsL4) > 0 {
@@ -674,18 +673,18 @@ func makeRBACRules(
 	return rbac, nil
 }
 
-// addJWTPrincipals ensure each RBAC/Network principal is associated with
+// addJWTPrincipal ensure the passed RBAC/Network principal is associated with
 // a JWT principal when JWTs validation is required.
 //
 // For each jwtInfo, this builds a first principal that validates that the jwt has the right issuer (`iss`).
 // It collects all the claims principal and combines them into a single principal using jwtClaimsToPrincipals.
 // It then combines the issuer principal and the claims principal into a single principal.
 //
-// After generating a single principal per info, it combines all the info principals into a single OrPrincipal.
-// This orPrincipal is then attached to each of the RBAC/NETWORK principal for jwt payload validation.
-func addJWTPrincipals(principals []*envoy_rbac_v3.Principal, infos []*JWTInfo) []*envoy_rbac_v3.Principal {
+// After generating a single principal per info, it combines all the info principals into a single jwt OrPrincipal.
+// This orPrincipal is then attached to the RBAC/NETWORK principal for jwt payload validation.
+func addJWTPrincipal(principal *envoy_rbac_v3.Principal, infos []*JWTInfo) *envoy_rbac_v3.Principal {
 	if len(infos) == 0 {
-		return principals
+		return principal
 	}
 	jwtPrincipals := make([]*envoy_rbac_v3.Principal, 0, len(infos))
 	for _, info := range infos {
@@ -705,15 +704,11 @@ func addJWTPrincipals(principals []*envoy_rbac_v3.Principal, infos []*JWTInfo) [
 	// make jwt principals into 1 single principal
 	jwtFinalPrincipal := orPrincipals(jwtPrincipals)
 
-	// add the big jwt principal to each rbac/network principal
-	res := make([]*envoy_rbac_v3.Principal, 0)
-	for _, principal := range principals {
-		if principal != nil && jwtFinalPrincipal != nil {
-			p := andPrincipals([]*envoy_rbac_v3.Principal{principal, jwtFinalPrincipal})
-			res = append(res, p)
-		}
+	if principal == nil {
+		return jwtFinalPrincipal
 	}
-	return res
+
+	return andPrincipals([]*envoy_rbac_v3.Principal{principal, jwtFinalPrincipal})
 }
 
 func jwtClaimsToPrincipals(claims []*structs.IntentionJWTClaimVerification, payloadkey string) *envoy_rbac_v3.Principal {