diff --git a/agent/consul/intention_endpoint.go b/agent/consul/intention_endpoint.go
index 378565241..a0d88352f 100644
--- a/agent/consul/intention_endpoint.go
+++ b/agent/consul/intention_endpoint.go
@@ -254,24 +254,24 @@ func (s *Intention) Match(
 )
 }
-// Test tests a source/destination and returns whether it would be allowed
+// Check tests a source/destination and returns whether it would be allowed
 // or denied based on the current ACL configuration.
 //
 // Note: Whenever the logic for this method is changed, you should take
 // a look at the agent authorize endpoint (agent/agent_endpoint.go) since
 // the logic there is similar.
-func (s *Intention) Test(
+func (s *Intention) Check(
 args *structs.IntentionQueryRequest,
- reply *structs.IntentionQueryTestResponse) error {
+ reply *structs.IntentionQueryCheckResponse) error {
 // Forward maybe
- if done, err := s.srv.forward("Intention.Test", args, args, reply); done {
+ if done, err := s.srv.forward("Intention.Check", args, args, reply); done {
 return err
 }
 // Get the test args, and defensively guard against nil
- query := args.Test
+ query := args.Check
 if query == nil {
- return errors.New("Test must be specified on args")
+ return errors.New("Check must be specified on args")
 }
 // Build the URI
@@ -322,7 +322,7 @@ func (s *Intention) Test(
 return errors.New("internal error loading matches")
 }
- // Test the authorization for each match
+ // Check the authorization for each match
 for _, ixn := range matches[0] {
 if auth, ok := uri.Authorize(ixn); ok {
 reply.Allowed = auth
diff --git a/agent/consul/intention_endpoint_test.go b/agent/consul/intention_endpoint_test.go
index b1f51a714..29db41f44 100644
--- a/agent/consul/intention_endpoint_test.go
+++ b/agent/consul/intention_endpoint_test.go
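Review bot: `Intention.Check` is a wire-level RPC name, and the first hunk replaces `Intention.Test` both on the method and in the `forward` call with no alias left for the old name. This endpoint answers an allow/deny authorization question, so it is worth stating what a peer still sending `Intention.Test` gets back; presumably an RPC error rather than an answer, but the hunk does not show that. I would record the rename in the doc comment, for example `// Check was named Test before this change; the RPC name Intention.Test is no longer served.` The context comment `// Get the test args, and defensively guard against nil` also keeps the old word. The body of Check continues outside both hunks.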
@@ -1009,8 +1009,8 @@ service "bar" {
 }
 }
-// Test the Test method defaults to allow with no ACL set.
-func TestIntentionTest_defaultNoACL(t *testing.T) {
+// Test the Check method defaults to allow with no ACL set.
+func TestIntentionCheck_defaultNoACL(t *testing.T) {
 t.Parallel()
 require := require.New(t)
@@ -1025,7 +1025,7 @@ func TestIntentionTest_defaultNoACL(t *testing.T) {
 // Test
 req := &structs.IntentionQueryRequest{
 Datacenter: "dc1",
- Test: &structs.IntentionQueryTest{
+ Check: &structs.IntentionQueryCheck{
 SourceNS: "foo",
 SourceName: "bar",
 DestinationNS: "foo",
@@ -1033,13 +1033,13 @@ func TestIntentionTest_defaultNoACL(t *testing.T) {
 SourceType: structs.IntentionSourceConsul,
 },
 }
- var resp structs.IntentionQueryTestResponse
- require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Test", req, &resp))
+ var resp structs.IntentionQueryCheckResponse
+ require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
 require.True(resp.Allowed)
 }
-// Test the Test method defaults to deny with whitelist ACLs.
-func TestIntentionTest_defaultACLDeny(t *testing.T) {
+// Test the Check method defaults to deny with whitelist ACLs.
+func TestIntentionCheck_defaultACLDeny(t *testing.T) {
 t.Parallel()
 require := require.New(t)
@@ -1055,10 +1055,10 @@ func TestIntentionTest_defaultACLDeny(t *testing.T) {
 testrpc.WaitForLeader(t, s1.RPC, "dc1")
- // Test
+ // Check
 req := &structs.IntentionQueryRequest{
 Datacenter: "dc1",
- Test: &structs.IntentionQueryTest{
+ Check: &structs.IntentionQueryCheck{
 SourceNS: "foo",
 SourceName: "bar",
 DestinationNS: "foo",
@@ -1067,13 +1067,13 @@ func TestIntentionTest_defaultACLDeny(t *testing.T) {
 },
 }
 req.Token = "root"
- var resp structs.IntentionQueryTestResponse
- require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Test", req, &resp))
+ var resp structs.IntentionQueryCheckResponse
+ require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
 require.False(resp.Allowed)
 }
-// Test the Test method defaults to deny with blacklist ACLs.
-func TestIntentionTest_defaultACLAllow(t *testing.T) {
+// Test the Check method defaults to deny with blacklist ACLs.
+func TestIntentionCheck_defaultACLAllow(t *testing.T) {
 t.Parallel()
 require := require.New(t)
@@ -1089,10 +1089,10 @@ func TestIntentionTest_defaultACLAllow(t *testing.T) {
 testrpc.WaitForLeader(t, s1.RPC, "dc1")
- // Test
+ // Check
 req := &structs.IntentionQueryRequest{
 Datacenter: "dc1",
- Test: &structs.IntentionQueryTest{
+ Check: &structs.IntentionQueryCheck{
 SourceNS: "foo",
 SourceName: "bar",
 DestinationNS: "foo",
@@ -1101,13 +1101,13 @@ func TestIntentionTest_defaultACLAllow(t *testing.T) {
 },
 }
 req.Token = "root"
- var resp structs.IntentionQueryTestResponse
- require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Test", req, &resp))
+ var resp structs.IntentionQueryCheckResponse
+ require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
 require.True(resp.Allowed)
 }
-// Test the Test method requires service:read permission.
-func TestIntentionTest_aclDeny(t *testing.T) {
+// Test the Check method requires service:read permission.
+func TestIntentionCheck_aclDeny(t *testing.T) {
 t.Parallel()
 require := require.New(t)
@@ -1144,10 +1144,10 @@ service "bar" {
 require.Nil(msgpackrpc.CallWithCodec(codec, "ACL.Apply", &req, &token))
 }
- // Test
+ // Check
 req := &structs.IntentionQueryRequest{
 Datacenter: "dc1",
- Test: &structs.IntentionQueryTest{
+ Check: &structs.IntentionQueryCheck{
 SourceNS: "foo",
 SourceName: "qux",
 DestinationNS: "foo",
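Review bot: The rewritten comment above `TestIntentionCheck_defaultACLAllow` in the `-1067` hunk still says the method defaults to deny, while the test name and the assertion `require.True(resp.Allowed)` in the `-1101` hunk pin default allow. Since the line is being touched anyway, it should read `// Test the Check method defaults to allow with blacklist ACLs.` A comment that inverts the default of an authorization check is easy to trust when someone reads the suite to confirm that both the deny and the allow defaults are covered.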
@@ -1156,13 +1156,13 @@ service "bar" {
 },
 }
 req.Token = token
- var resp structs.IntentionQueryTestResponse
- err := msgpackrpc.CallWithCodec(codec, "Intention.Test", req, &resp)
+ var resp structs.IntentionQueryCheckResponse
+ err := msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp)
 require.True(acl.IsErrPermissionDenied(err))
 }
-// Test the Test method returns allow/deny properly.
-func TestIntentionTest_match(t *testing.T) {
+// Test the Check method returns allow/deny properly.
+func TestIntentionCheck_match(t *testing.T) {
 t.Parallel()
 require := require.New(t)
@@ -1227,10 +1227,10 @@ service "bar" {
 }
 }
- // Test
+ // Check
 req := &structs.IntentionQueryRequest{
 Datacenter: "dc1",
- Test: &structs.IntentionQueryTest{
+ Check: &structs.IntentionQueryCheck{
 SourceNS: "foo",
 SourceName: "qux",
 DestinationNS: "foo",
@@ -1239,15 +1239,15 @@ service "bar" {
 },
 }
 req.Token = token
- var resp structs.IntentionQueryTestResponse
- require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Test", req, &resp))
+ var resp structs.IntentionQueryCheckResponse
+ require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
 require.True(resp.Allowed)
 // Test no match for sanity
 {
 req := &structs.IntentionQueryRequest{
 Datacenter: "dc1",
- Test: &structs.IntentionQueryTest{
+ Check: &structs.IntentionQueryCheck{
 SourceNS: "baz",
 SourceName: "qux",
 DestinationNS: "foo",
@@ -1256,8 +1256,8 @@ service "bar" {
 },
 }
 req.Token = token
- var resp structs.IntentionQueryTestResponse
- require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Test", req, &resp))
+ var resp structs.IntentionQueryCheckResponse
+ require.Nil(msgpackrpc.CallWithCodec(codec, "Intention.Check", req, &resp))
 require.False(resp.Allowed)
 }
 }
diff --git a/agent/http_oss.go b/agent/http_oss.go
index 92c7bf4c0..ac5eff335 100644
--- a/agent/http_oss.go
+++ b/agent/http_oss.go
@@ -48,7 +48,7 @@ func init() {
 registerEndpoint("/v1/connect/ca/roots", []string{"GET"}, (*HTTPServer).ConnectCARoots)
 registerEndpoint("/v1/connect/intentions", []string{"GET", "POST"}, (*HTTPServer).IntentionEndpoint)
 registerEndpoint("/v1/connect/intentions/match", []string{"GET"}, (*HTTPServer).IntentionMatch)
- registerEndpoint("/v1/connect/intentions/test", []string{"GET"}, (*HTTPServer).IntentionTest)
+ registerEndpoint("/v1/connect/intentions/check", []string{"GET"}, (*HTTPServer).IntentionCheck)
 registerEndpoint("/v1/connect/intentions/", []string{"GET", "PUT", "DELETE"}, (*HTTPServer).IntentionSpecific)
 registerEndpoint("/v1/coordinate/datacenters", []string{"GET"}, (*HTTPServer).CoordinateDatacenters)
 registerEndpoint("/v1/coordinate/nodes", []string{"GET"}, (*HTTPServer).CoordinateNodes)
diff --git a/agent/intentions_endpoint.go b/agent/intentions_endpoint.go
index cb846bc19..80ddedf24 100644
--- a/agent/intentions_endpoint.go
+++ b/agent/intentions_endpoint.go
@@ -123,9 +123,9 @@ func (s *HTTPServer) IntentionMatch(resp http.ResponseWriter, req *http.Request)
 }
 // GET /v1/connect/intentions/test
-func (s *HTTPServer) IntentionTest(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+func (s *HTTPServer) IntentionCheck(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
 // Prepare args
- args := &structs.IntentionQueryRequest{Test: &structs.IntentionQueryTest{}}
+ args := &structs.IntentionQueryRequest{Check: &structs.IntentionQueryCheck{}}
 if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done {
 return nil, nil
 }
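Review bot: The context comment `// GET /v1/connect/intentions/test` above `IntentionCheck` in the agent/intentions_endpoint.go hunk now names a route that the agent/http_oss.go hunk removes from `registerEndpoint`. It should become `// GET /v1/connect/intentions/check` so the handler documentation matches the registered path. The handler body continues outside this hunk.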
@@ -133,9 +133,9 @@ func (s *HTTPServer) IntentionTest(resp http.ResponseWriter, req *http.Request)
 q := req.URL.Query()
 // Set the source type if set
- args.Test.SourceType = structs.IntentionSourceConsul
+ args.Check.SourceType = structs.IntentionSourceConsul
 if sourceType, ok := q["source-type"]; ok && len(sourceType) > 0 {
- args.Test.SourceType = structs.IntentionSourceType(sourceType[0])
+ args.Check.SourceType = structs.IntentionSourceType(sourceType[0])
 }
 // Extract the source/destination
@@ -149,14 +149,14 @@ func (s *HTTPServer) IntentionTest(resp http.ResponseWriter, req *http.Request)
 }
 // We parse them the same way as matches to extract namespace/name
- args.Test.SourceName = source[0]
- if args.Test.SourceType == structs.IntentionSourceConsul {
+ args.Check.SourceName = source[0]
+ if args.Check.SourceType == structs.IntentionSourceConsul {
 entry, err := parseIntentionMatchEntry(source[0])
 if err != nil {
 return nil, fmt.Errorf("source %q is invalid: %s", source[0], err)
 }
- args.Test.SourceNS = entry.Namespace
- args.Test.SourceName = entry.Name
+ args.Check.SourceNS = entry.Namespace
+ args.Check.SourceName = entry.Name
 }
 // The destination is always in the Consul format
@@ -164,11 +164,11 @@ func (s *HTTPServer) IntentionTest(resp http.ResponseWriter, req *http.Request)
 if err != nil {
 return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err)
 }
- args.Test.DestinationNS = entry.Namespace
- args.Test.DestinationName = entry.Name
+ args.Check.DestinationNS = entry.Namespace
+ args.Check.DestinationName = entry.Name
- var reply structs.IntentionQueryTestResponse
- if err := s.agent.RPC("Intention.Test", args, &reply); err != nil {
+ var reply structs.IntentionQueryCheckResponse
+ if err := s.agent.RPC("Intention.Check", args, &reply); err != nil {
 return nil, err
 }
diff --git a/agent/intentions_endpoint_test.go b/agent/intentions_endpoint_test.go
index e669bcf5f..991ab9017 100644
--- a/agent/intentions_endpoint_test.go
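Review bot: In the `-133` hunk the `source-type` query value is cast straight to `structs.IntentionSourceType`, and in the `-149` hunk any value other than `IntentionSourceConsul` skips `parseIntentionMatchEntry`, so the raw `source` string becomes `SourceName` unparsed. Whether `Intention.Check` rejects unknown source types is not visible here. If it does, a comment at the cast such as `// source-type is not validated here; Intention.Check must reject unsupported types.` would make that dependency explicit. If it does not, the handler should return an error for unsupported values before the RPC call. The function starts and ends outside these hunks.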
+++ b/agent/intentions_endpoint_test.go
@@ -181,7 +181,7 @@ func TestIntentionsMatch_noName(t *testing.T) {
 assert.Nil(obj)
 }
-func TestIntentionsTest_basic(t *testing.T) {
+func TestIntentionsCheck_basic(t *testing.T) {
 t.Parallel()
 require := require.New(t)
@@ -219,9 +219,9 @@ func TestIntentionsTest_basic(t *testing.T) {
 req, _ := http.NewRequest("GET", "/v1/connect/intentions/test?source=foo/bar&destination=foo/baz", nil)
 resp := httptest.NewRecorder()
- obj, err := a.srv.IntentionTest(resp, req)
+ obj, err := a.srv.IntentionCheck(resp, req)
 require.Nil(err)
- value := obj.(*structs.IntentionQueryTestResponse)
+ value := obj.(*structs.IntentionQueryCheckResponse)
 require.False(value.Allowed)
 }
@@ -230,14 +230,14 @@ func TestIntentionsTest_basic(t *testing.T) {
 req, _ := http.NewRequest("GET", "/v1/connect/intentions/test?source=foo/bar&destination=bar/qux", nil)
 resp := httptest.NewRecorder()
- obj, err := a.srv.IntentionTest(resp, req)
+ obj, err := a.srv.IntentionCheck(resp, req)
 require.Nil(err)
- value := obj.(*structs.IntentionQueryTestResponse)
+ value := obj.(*structs.IntentionQueryCheckResponse)
 require.True(value.Allowed)
 }
 }
-func TestIntentionsTest_noSource(t *testing.T) {
+func TestIntentionsCheck_noSource(t *testing.T) {
 t.Parallel()
 require := require.New(t)
@@ -248,13 +248,13 @@ func TestIntentionsTest_noSource(t *testing.T) {
 req, _ := http.NewRequest("GET", "/v1/connect/intentions/test?destination=B", nil)
 resp := httptest.NewRecorder()
- obj, err := a.srv.IntentionTest(resp, req)
+ obj, err := a.srv.IntentionCheck(resp, req)
 require.NotNil(err)
 require.Contains(err.Error(), "'source' not set")
 require.Nil(obj)
 }
-func TestIntentionsTest_noDestination(t *testing.T) {
+func TestIntentionsCheck_noDestination(t *testing.T) {
 t.Parallel()
 require := require.New(t)
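Review bot: The requests in the `-219`, `-230` and `-248` hunks, and in the `-265` hunk of the same file, are still built with `/v1/connect/intentions/test?...` although the route is now registered as `/v1/connect/intentions/check`. The tests call `a.srv.IntentionCheck` directly, so they pass without exercising route registration and the stale path goes unnoticed. Updating the literals, for example `"/v1/connect/intentions/check?source=foo/bar&destination=foo/baz"`, keeps the tests from documenting an endpoint that presumably no longer resolves to this handler.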
@@ -265,7 +265,7 @@ func TestIntentionsTest_noDestination(t *testing.T) {
 req, _ := http.NewRequest("GET", "/v1/connect/intentions/test?source=B", nil)
 resp := httptest.NewRecorder()
- obj, err := a.srv.IntentionTest(resp, req)
+ obj, err := a.srv.IntentionCheck(resp, req)
 require.NotNil(err)
 require.Contains(err.Error(), "'destination' not set")
 require.Nil(obj)
diff --git a/agent/structs/intention.go b/agent/structs/intention.go
index 34d15d997..19a6402ab 100644
--- a/agent/structs/intention.go
+++ b/agent/structs/intention.go
@@ -261,9 +261,9 @@ type IntentionQueryRequest struct {
 // resolving wildcards.
 Match *IntentionQueryMatch
- // Test is non-nil if we're performing a test query. A test will
+ // Check is non-nil if we're performing a test query. A test will
 // return allowed/deny based on an exact match.
- Test *IntentionQueryTest
+ Check *IntentionQueryCheck
 // Options for queries
 QueryOptions
@@ -317,8 +317,8 @@ type IntentionMatchEntry struct {
 Name string
 }
-// IntentionQueryTest are the parameters for performing a test request.
-type IntentionQueryTest struct {
+// IntentionQueryCheck are the parameters for performing a test request.
+type IntentionQueryCheck struct {
 // SourceNS, SourceName, DestinationNS, and DestinationName are the
 // source and namespace, respectively, for the test. These must be
 // exact values.
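Review bot: The doc comments rewritten in the agent/structs/intention.go hunks keep the old vocabulary: `// Check is non-nil if we're performing a test query. A test will`, `// IntentionQueryCheck are the parameters for performing a test request.` and, in the `-332` hunk, `// IntentionQueryCheckResponse is the response for a test request.` I would finish the rename in the prose, for example `// Check is non-nil if we're performing a check query. A check will`, `// IntentionQueryCheck are the parameters for performing a check request.` and `// IntentionQueryCheckResponse is the response for a check request.` The unchanged field comment "are the source and namespace, respectively" reads as if "destination" had been dropped, and is worth correcting in the same pass because these fields carry the identities being authorized.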
@@ -332,12 +332,12 @@ type IntentionQueryTest struct {
 // GetACLPrefix returns the prefix to look up the ACL policy for this
 // request, and a boolean noting whether the prefix is valid to check
 // or not. You must check the ok value before using the prefix.
-func (q *IntentionQueryTest) GetACLPrefix() (string, bool) {
+func (q *IntentionQueryCheck) GetACLPrefix() (string, bool) {
 return q.DestinationName, q.DestinationName != ""
 }
-// IntentionQueryTestResponse is the response for a test request.
-type IntentionQueryTestResponse struct {
+// IntentionQueryCheckResponse is the response for a test request.
+type IntentionQueryCheckResponse struct {
 Allowed bool
 }