open-consul/agent/grpc-external/utils.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package external

import (
	"github.com/hashicorp/go-uuid"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"

	"github.com/hashicorp/consul/acl"
	"github.com/hashicorp/consul/acl/resolver"
)

// We tag logs with a unique identifier to ease debugging. In the future this
// should probably be a real Open Telemetry trace ID.
func TraceID() string {
	id, err := uuid.GenerateUUID()
	if err != nil {
		return ""
	}
	return id
}

type ACLResolver interface {
	ResolveTokenAndDefaultMeta(string, *acl.EnterpriseMeta, *acl.AuthorizerContext) (resolver.Result, error)
}

// RequireAnyValidACLToken checks that the caller provided a valid ACL token
// without requiring any specific permissions. This is useful for endpoints
// that are used by all/most consumers of our API, such as those called by the
// consul-server-connection-manager library when establishing a new connection.
//
// Note: no token is required if ACLs are disabled.
func RequireAnyValidACLToken(resolver ACLResolver, token string) error {
	authz, err := resolver.ResolveTokenAndDefaultMeta(token, nil, nil)
	if err != nil {
		return status.Error(codes.Unauthenticated, err.Error())
	}

	if id := authz.ACLIdentity; id != nil && id.ID() == acl.AnonymousTokenID {
		return status.Error(codes.Unauthenticated, "An ACL token must be provided (via the `x-consul-token` metadata field) to call this endpoint")
	}

	return nil
}
copyright headers for agent folder (#16704) * copyright headers for agent folder * Ignore test data files * fix proto files and remove headers in agent/uiserver folder * ignore deep-copy files 2023-03-28 18:39:22 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

grpc: rename public/private directories to external/internal (#13721) Previously, public referred to gRPC services that are both exposed on the dedicated gRPC port and have their definitions in the proto-public directory (so were considered usable by 3rd parties). Whereas private referred to services on the multiplexed server port that are only usable by agents and other servers. Now, we're splitting these definitions, such that external/internal refers to the port and public/private refers to whether they can be used by 3rd parties. This is necessary because the peering replication API needs to be exposed on the dedicated port, but is not (yet) suitable for use by 3rd parties. 2022-07-13 15:33:48 +00:00			`package external`
[OSS] gRPC call to get envoy bootstrap params (#12825) Adds a new gRPC endpoint to get envoy bootstrap params. The new consul-dataplane service will use this endpoint to generate an envoy bootstrap configuration. 2022-04-20 00:24:21 +00:00
grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			`import (`
			`"github.com/hashicorp/go-uuid"`
			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/status"`

			`"github.com/hashicorp/consul/acl"`
			`"github.com/hashicorp/consul/acl/resolver"`
			`)`
[OSS] gRPC call to get envoy bootstrap params (#12825) Adds a new gRPC endpoint to get envoy bootstrap params. The new consul-dataplane service will use this endpoint to generate an envoy bootstrap configuration. 2022-04-20 00:24:21 +00:00
			`// We tag logs with a unique identifier to ease debugging. In the future this`
			`// should probably be a real Open Telemetry trace ID.`
			`func TraceID() string {`
			`id, err := uuid.GenerateUUID()`
			`if err != nil {`
			`return ""`
			`}`
			`return id`
			`}`
grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00
			`type ACLResolver interface {`
			`ResolveTokenAndDefaultMeta(string, acl.EnterpriseMeta, acl.AuthorizerContext) (resolver.Result, error)`
			`}`

			`// RequireAnyValidACLToken checks that the caller provided a valid ACL token`
			`// without requiring any specific permissions. This is useful for endpoints`
			`// that are used by all/most consumers of our API, such as those called by the`
			`// consul-server-connection-manager library when establishing a new connection.`
			`//`
			`// Note: no token is required if ACLs are disabled.`
			`func RequireAnyValidACLToken(resolver ACLResolver, token string) error {`
			`authz, err := resolver.ResolveTokenAndDefaultMeta(token, nil, nil)`
			`if err != nil {`
			`return status.Error(codes.Unauthenticated, err.Error())`
			`}`

Output user-friendly name for anonymous token (#15884) 2023-01-09 18:28:53 +00:00			`if id := authz.ACLIdentity; id != nil && id.ID() == acl.AnonymousTokenID {`
grpc/acl: relax permissions required for "core" endpoints (#15346) Previously, these endpoints required `service:write` permission on _any_ service as a sort of proxy for "is the caller allowed to participate in the mesh?". Now, they're called as part of the process of establishing a server connection by any consumer of the consul-server-connection-manager library, which will include non-mesh workloads (e.g. Consul KV as a storage backend for Vault) as well as ancillary components such as consul-k8s' acl-init process, which likely won't have `service:write` permission. So this commit relaxes those requirements to accept any valid ACL token on the following gRPC endpoints: - `hashicorp.consul.dataplane.DataplaneService/GetSupportedDataplaneFeatures` - `hashicorp.consul.serverdiscovery.ServerDiscoveryService/WatchServers` - `hashicorp.consul.connectca.ConnectCAService/WatchRoots` 2023-01-04 12:40:34 +00:00			return status.Error(codes.Unauthenticated, "An ACL token must be provided (via the `x-consul-token` metadata field) to call this endpoint")
			`}`

			`return nil`
			`}`