open-consul/agent/grpc-external/services/resource/watch.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package resource

import (
	"errors"

	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/internal/storage"
	"github.com/hashicorp/consul/proto-public/pbresource"
)

func (s *Server) WatchList(req *pbresource.WatchListRequest, stream pbresource.ResourceService_WatchListServer) error {
	if err := validateWatchListRequest(req); err != nil {
		return err
	}

	// check type exists
	reg, err := s.resolveType(req.Type)
	if err != nil {
		return err
	}

	authz, err := s.getAuthorizer(tokenFromContext(stream.Context()))
	if err != nil {
		return err
	}

	// check acls
	err = reg.ACLs.List(authz, req.Tenancy)
	switch {
	case acl.IsErrPermissionDenied(err):
		return status.Error(codes.PermissionDenied, err.Error())
	case err != nil:
		return status.Errorf(codes.Internal, "failed list acl: %v", err)
	}

	unversionedType := storage.UnversionedTypeFrom(req.Type)
	watch, err := s.Backend.WatchList(
		stream.Context(),
		unversionedType,
		req.Tenancy,
		req.NamePrefix,
	)
	if err != nil {
		return err
	}
	defer watch.Close()

	for {
		event, err := watch.Next(stream.Context())
		switch {
		case errors.Is(err, storage.ErrWatchClosed):
			return status.Error(codes.Aborted, "watch closed by the storage backend (possibly due to snapshot restoration)")
		case err != nil:
			return status.Errorf(codes.Internal, "failed next: %v", err)
		}

		// drop group versions that don't match
		if event.Resource.Id.Type.GroupVersion != req.Type.GroupVersion {
			continue
		}

		// filter out items that don't pass read ACLs
		err = reg.ACLs.Read(authz, event.Resource.Id)
		switch {
		case acl.IsErrPermissionDenied(err):
			continue
		case err != nil:
			return status.Errorf(codes.Internal, "failed read acl: %v", err)
		}

		if err = stream.Send(event); err != nil {
			return err
		}
	}
}

func validateWatchListRequest(req *pbresource.WatchListRequest) error {
	var field string
	switch {
	case req.Type == nil:
		field = "type"
	case req.Tenancy == nil:
		field = "tenancy"
	default:
		return nil
	}
	return status.Errorf(codes.InvalidArgument, "%s is required", field)
}
Copyright headers for missing files/folders (#16708) * copyright headers for agent folder 2023-03-28 22:48:58 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`package resource`

			`import (`
resource: handle `ErrWatchClosed` in `WatchList` endpoint (#17289) 2023-05-15 11:35:10 +00:00			`"errors"`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/status"`

			`"github.com/hashicorp/consul/acl"`
WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`"github.com/hashicorp/consul/internal/storage"`
			`"github.com/hashicorp/consul/proto-public/pbresource"`
			`)`

			`func (s Server) WatchList(req pbresource.WatchListRequest, stream pbresource.ResourceService_WatchListServer) error {`
resource: add missing validation to the `List` and `WatchList` endpoints (#17213) 2023-05-10 09:38:48 +00:00			`if err := validateWatchListRequest(req); err != nil {`
			`return err`
			`}`

WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`// check type exists`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`reg, err := s.resolveType(req.Type)`
			`if err != nil {`
			`return err`
			`}`

			`authz, err := s.getAuthorizer(tokenFromContext(stream.Context()))`
			`if err != nil {`
WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`return err`
			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`// check acls`
			`err = reg.ACLs.List(authz, req.Tenancy)`
			`switch {`
			`case acl.IsErrPermissionDenied(err):`
			`return status.Error(codes.PermissionDenied, err.Error())`
			`case err != nil:`
			`return status.Errorf(codes.Internal, "failed list acl: %v", err)`
			`}`

WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`unversionedType := storage.UnversionedTypeFrom(req.Type)`
Raft storage backend (#16619) 2023-04-04 16:30:06 +00:00			`watch, err := s.Backend.WatchList(`
WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`stream.Context(),`
			`unversionedType,`
			`req.Tenancy,`
			`req.NamePrefix,`
			`)`
			`if err != nil {`
			`return err`
			`}`
storage: fix resource leak in Watch (#16817) 2023-03-31 12:24:19 +00:00			`defer watch.Close()`
WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00
			`for {`
			`event, err := watch.Next(stream.Context())`
resource: handle `ErrWatchClosed` in `WatchList` endpoint (#17289) 2023-05-15 11:35:10 +00:00			`switch {`
			`case errors.Is(err, storage.ErrWatchClosed):`
			`return status.Error(codes.Aborted, "watch closed by the storage backend (possibly due to snapshot restoration)")`
			`case err != nil:`
Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`return status.Errorf(codes.Internal, "failed next: %v", err)`
WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`// drop group versions that don't match`
WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`if event.Resource.Id.Type.GroupVersion != req.Type.GroupVersion {`
			`continue`
			`}`

Check acls on resource `Read`, `List`, and `WatchList` (#16842) 2023-04-11 11:10:14 +00:00			`// filter out items that don't pass read ACLs`
			`err = reg.ACLs.Read(authz, event.Resource.Id)`
			`switch {`
			`case acl.IsErrPermissionDenied(err):`
			`continue`
			`case err != nil:`
			`return status.Errorf(codes.Internal, "failed read acl: %v", err)`
			`}`

WatchList(..) endpoint for the resource service (#16726) 2023-03-27 19:37:54 +00:00			`if err = stream.Send(event); err != nil {`
			`return err`
			`}`
			`}`
			`}`
resource: add missing validation to the `List` and `WatchList` endpoints (#17213) 2023-05-10 09:38:48 +00:00
			`func validateWatchListRequest(req *pbresource.WatchListRequest) error {`
			`var field string`
			`switch {`
			`case req.Type == nil:`
			`field = "type"`
			`case req.Tenancy == nil:`
			`field = "tenancy"`
			`default:`
			`return nil`
			`}`
			`return status.Errorf(codes.InvalidArgument, "%s is required", field)`
			`}`