From 72308dd9f2a17db4c7c8ea7eabb55db3adadaa91 Mon Sep 17 00:00:00 2001
From: Ronald Ekambi
Date: Tue, 27 Jun 2023 10:49:50 -0400
Subject: [PATCH 1/3] Allow service identity tokens the ability to read jwt-providers

---
 agent/structs/config_entry_jwt_provider.go | 9 +++++++++
 agent/structs/config_entry_jwt_provider_test.go | 6 ++++++
 2 files changed, 15 insertions(+)

diff --git a/agent/structs/config_entry_jwt_provider.go b/agent/structs/config_entry_jwt_provider.go
index a1e9120ea08e..fc0c73950b76 100644
--- a/agent/structs/config_entry_jwt_provider.go
+++ b/agent/structs/config_entry_jwt_provider.go
@@ -316,6 +316,15 @@ func (e *JWTProviderConfigEntry) GetRaftIndex() *RaftIndex { retur
 func (e *JWTProviderConfigEntry) CanRead(authz acl.Authorizer) error {
 	var authzContext acl.AuthorizerContext
 	e.FillAuthzContext(&authzContext)
 
+
+	// allow service-identity tokens the ability to read jwt-providers
+	// this is a workaround to allow sidecar proxies to read the jwt-providers
+	// see issue: https://github.com/hashicorp/consul/issues/17886 for more details
+	err := authz.ToAllowAuthorizer().ServiceWriteAnyAllowed(&authzContext)
+	if err == nil {
+		return err
+	}
+
 	return authz.ToAllowAuthorizer().MeshReadAllowed(&authzContext)
 }
diff --git a/agent/structs/config_entry_jwt_provider_test.go b/agent/structs/config_entry_jwt_provider_test.go
index 814a15257378..f2664a53dc15 100644
--- a/agent/structs/config_entry_jwt_provider_test.go
+++ b/agent/structs/config_entry_jwt_provider_test.go
@@ -338,6 +338,12 @@ func TestJWTProviderConfigEntry_ACLs(t *testing.T) {
 			canRead: false,
 			canWrite: false,
 		},
+		{
+			name: "jwt-provider: service write",
+			authorizer: newTestAuthz(t, `service "" { policy = "write" }`),
+			canRead: true,
+			canWrite: false,
+		},
 		{
 			name: "jwt-provider: mesh read",
 			authorizer: newTestAuthz(t, `mesh = "read"`),
From bf5d1ec2ec68fd7428027244a094baeee49d4396 Mon Sep 17 00:00:00 2001
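Review bot: The new `ServiceWriteAnyAllowed` branch in CanRead widens read access on every jwt-provider entry from `mesh:read` to any token that holds `service:write` on at least one service, so every workload identity in the mesh can now read these entries; the workaround comment says why but not that it is a deliberate grant to all service identities, and the function has no doc comment recording the widened contract. I would add above the function `// CanRead allows mesh:read, or service:write on any service: jwt-provider entries are deliberately readable by every service identity (sidecar proxies need them, see #17886).` and, since the entry's enterprise meta is copied into authzContext by FillAuthzContext, confirm with a tenancy test whether service:write in an unrelated namespace/partition is meant to satisfy that check — not visible here. Minor: `if err == nil { return err }` should be `return nil`, and the error a denied caller gets is the mesh:read one, which hides that service:write would also have sufficed; consider `return fmt.Errorf("mesh:read or service:write on any service required: %w", err)` if the acl package tolerates wrapped errors. CanRead's body lies entirely inside this hunk.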
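Review bot: The added table case only pins the positive side of the new grant; nothing checks that a token with service read, or with write on an unrelated resource, is still denied, so a later loosening of the CanRead branch would pass this table unnoticed. I would add, next to the new case, `{name: "jwt-provider: service read only", authorizer: newTestAuthz(t, `+"`"+`service "" { policy = "read" }`+"`"+`), canRead: false, canWrite: false},` and a similar `node "" { policy = "write" }` case with canRead false. TestJWTProviderConfigEntry_ACLs begins and ends outside this hunk, so whether an equivalent negative case already exists elsewhere in the table cannot be seen from here.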
From: Ronald Ekambi
Date: Tue, 27 Jun 2023 11:19:58 -0400
Subject: [PATCH 2/3] more tests

---
 agent/structs/config_entry_jwt_provider_test.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/agent/structs/config_entry_jwt_provider_test.go b/agent/structs/config_entry_jwt_provider_test.go
index f2664a53dc15..48e965c7955c 100644
--- a/agent/structs/config_entry_jwt_provider_test.go
+++ b/agent/structs/config_entry_jwt_provider_test.go
@@ -339,11 +339,17 @@ func TestJWTProviderConfigEntry_ACLs(t *testing.T) {
 			canWrite: false,
 		},
 		{
-			name: "jwt-provider: service write",
+			name: "jwt-provider: any service write",
 			authorizer: newTestAuthz(t, `service "" { policy = "write" }`),
 			canRead: true,
 			canWrite: false,
 		},
+		{
+			name: "jwt-provider: specific service write",
+			authorizer: newTestAuthz(t, `service "web" { policy = "write" }`),
+			canRead: true,
+			canWrite: false,
+		},
 		{
 			name: "jwt-provider: mesh read",
 			authorizer: newTestAuthz(t, `mesh = "read"`),
From 4ca2e4be490655948f7480cbc182c6cca7cec0a9 Mon Sep 17 00:00:00 2001
From: Ronald Ekambi
Date: Tue, 27 Jun 2023 11:21:27 -0400
Subject: [PATCH 3/3] service_prefix tests

---
 agent/structs/config_entry_jwt_provider_test.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/agent/structs/config_entry_jwt_provider_test.go b/agent/structs/config_entry_jwt_provider_test.go
index 48e965c7955c..c02becc2a13d 100644
--- a/agent/structs/config_entry_jwt_provider_test.go
+++ b/agent/structs/config_entry_jwt_provider_test.go
@@ -350,6 +350,12 @@ func TestJWTProviderConfigEntry_ACLs(t *testing.T) {
 			canRead: true,
 			canWrite: false,
 		},
+		{
+			name: "jwt-provider: any service prefix write",
+			authorizer: newTestAuthz(t, `service_prefix "" { policy = "write" }`),
+			canRead: true,
+			canWrite: false,
+		},
 		{
 			name: "jwt-provider: mesh read",
 			authorizer: newTestAuthz(t, `mesh = "read"`),
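Review bot: The "specific service write" case is the one that documents the real breadth of the grant — a token scoped to a single service named "web" reads a jwt-provider entry that has nothing to do with that service — but the case name reads as if it were just another happy path. Name it for what it proves, `name: "jwt-provider: write on an unrelated service is enough to read",` so that whoever later tightens CanRead sees which behavior they are changing. TestJWTProviderConfigEntry_ACLs begins and ends outside this hunk.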