From b79039c21c554e90977c3a55b01ad50d7aaaa1ed Mon Sep 17 00:00:00 2001 From: freddygv Date: Tue, 16 Mar 2021 09:49:24 -0600 Subject: [PATCH] Prefix match type vars to match use --- agent/consul/state/intention.go | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/agent/consul/state/intention.go b/agent/consul/state/intention.go index 0537fe500..736091473 100644 --- a/agent/consul/state/intention.go +++ b/agent/consul/state/intention.go @@ -943,15 +943,16 @@ func (s *Store) IntentionTopology(ws memdb.WatchSet, // If querying the upstreams for a service, we first query intentions that apply to the target service as a source. // That way we can check whether intentions from the source allow connections to upstream candidates. - matchType := structs.IntentionMatchSource + // The reverse is true for downstreams. + intentionMatchType := structs.IntentionMatchSource if downstreams { - matchType = structs.IntentionMatchDestination + intentionMatchType = structs.IntentionMatchDestination } entry := structs.IntentionMatchEntry{ Namespace: target.NamespaceOrDefault(), Name: target.Name, } - index, intentions, err := compatIntentionMatchOneTxn(tx, ws, entry, matchType) + index, intentions, err := compatIntentionMatchOneTxn(tx, ws, entry, intentionMatchType) if err != nil { return 0, nil, fmt.Errorf("failed to query intentions for %s", target.String()) } @@ -959,15 +960,6 @@ func (s *Store) IntentionTopology(ws memdb.WatchSet, maxIdx = index } - // Reset the matchType since next it is used for evaluating the upstreams or downstreams against a set of intentions. - // When evaluating upstreams, the match type is now destination because we are evaluating upstream candidates - // as eligible destinations for intentions that have the target service as a source. - // The reverse is true for downstreams. - matchType = structs.IntentionMatchDestination - if downstreams { - matchType = structs.IntentionMatchSource - } - // Check for a wildcard intention (* -> *) since it overrides the default decision from ACLs if len(intentions) > 0 { // Intentions with wildcard source and destination have the lowest precedence, so they are last in the list @@ -1000,9 +992,16 @@ func (s *Store) IntentionTopology(ws memdb.WatchSet, maxIdx = index } + // When checking authorization to upstreams, the match type for the decision is `destination` because we are deciding + // if upstream candidates are covered by intentions that have the target service as a source. + // The reverse is true for downstreams. + decisionMatchType := structs.IntentionMatchDestination + if downstreams { + decisionMatchType = structs.IntentionMatchSource + } result := make(structs.ServiceList, 0, len(allServices)) for _, candidate := range allServices { - decision, err := s.IntentionDecision(candidate.Name, candidate.NamespaceOrDefault(), intentions, matchType, defaultDecision, true) + decision, err := s.IntentionDecision(candidate.Name, candidate.NamespaceOrDefault(), intentions, decisionMatchType, defaultDecision, true) if err != nil { src, dst := target, candidate if downstreams {