Daniel Nephin
fbaeac9ecf
acl: remove authz == nil checks
These cases are already impossible conditions, because most of these functions already start
with a check for ACLs being disabled. So the code path being removed could never be reached.
The one other case (ConnectAuthorized) was already changed in a previous commit. This commit
removes an impossible branch because authz == nil can never be true.
2021-07-30 13:58:35 -04:00
Daniel Nephin
b6d9d0d9f7
acl: remove many instances of authz == nil
2021-07-30 13:58:35 -04:00
Daniel Nephin
bbc05ae869
agent: remove unused agent methods
These methods are no longer used. Remove the methods, and update the
tests to use the actual method used by production code.
Also removes the 'authz == nil' check, which is no longer a possible code path
now that we are returning a non-nil acl.Authorizer when ACLs are disabled.
2021-07-30 13:58:35 -04:00
Daniel Nephin
2503f27a36
acl: remove rule == nil checks
2021-07-30 13:58:35 -04:00
hc-github-team-consul-core
701d4ffef0
auto-updated agent/uiserver/bindata_assetfs.go from commit 2ee501be8
2021-07-30 17:58:27 +00:00
Daniel Nephin
475fec5670
Merge pull request #10632 from hashicorp/pairing/acl-authorizer-when-acl-disabled
acls: Update ACL authorizer to return meaningful permission when ACLs are disabled
2021-07-30 13:22:55 -04:00
Evan Culver
241b6429c3
Fix intention endpoint test
2021-07-30 12:58:45 -04:00
Daniel Nephin
9b41e7287f
acl: use acl.ManageAll when ACLs are disabled
Instead of returning nil and checking for nilness.
Removes a bunch of nil checks, and fixes one test failure.
2021-07-30 12:58:24 -04:00
Blake Covarrubias
f97e843c61
Add OSS changes for specifying audit log permission mode
2021-07-30 09:58:11 -07:00
Daniel Nephin
f2f5aba1bf
Merge pull request #10707 from hashicorp/dnephin/streaming-setup-default-timeout
streaming: set default query timeout
2021-07-28 18:29:28 -04:00
Daniel Nephin
057e8320f9
streaming: set a default timeout
The blocking query backend sets the default value on the server side.
The streaming backend does not use blocking queries, so we must set the timeout on
the client.
2021-07-28 17:50:00 -04:00
hc-github-team-consul-core
f39d36d346
auto-updated agent/uiserver/bindata_assetfs.go from commit eb5512fb7
2021-07-27 21:39:22 +00:00
Chris S. Kim
33d7d48767
sync enterprise files with oss ( #10705 )
2021-07-27 17:09:59 -04:00
Daniel Nephin
cfc829275c
http: don't log an error if the request is cancelled
Now that we have at least one endpoint that uses context for cancellation we can
encounter this scenario where the returned error is a context.Cancelled or
context.DeadlineExceeded.
If the request.Context().Err() is not nil, then we know the request itself was cancelled, so
we can log a different message at Info level, instead of the error.
2021-07-27 17:06:59 -04:00
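The classification rule described in that commit, as an added example rather than Consul's own http package code: once a context-aware endpoint returns, inspect the request's own context before deciding how to log. A cancelled or expired request context means the client went away (or the server is shutting the request down), so the handler error is expected and goes out at Info; anything else is a genuine server-side failure. All names below (handlerResult, classifyHandlerError, serve, the endpoint functions and the /v1/example path) are hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// handlerResult is the log decision made for one finished request.
// Level is "info" for client-caused cancellation, "error" for real failures,
// and empty when the endpoint succeeded.
type handlerResult struct {
	Level   string
	Message string
}

// classifyHandlerError applies the rule from the commit: if the request's
// context reports context.Canceled or context.DeadlineExceeded, the error is
// attributed to the request being cancelled and logged at Info level.
func classifyHandlerError(r *http.Request, err error) handlerResult {
	if err == nil {
		return handlerResult{}
	}
	if ctxErr := r.Context().Err(); ctxErr != nil {
		return handlerResult{
			Level:   "info",
			Message: fmt.Sprintf("request cancelled: %v (handler returned: %v)", ctxErr, err),
		}
	}
	return handlerResult{Level: "error", Message: fmt.Sprintf("request failed: %v", err)}
}

// endpointFunc is the shape of a context-aware endpoint in this example.
type endpointFunc func(ctx context.Context) error

// serve runs fn under the request context and returns the log classification.
func serve(fn endpointFunc, r *http.Request) handlerResult {
	return classifyHandlerError(r, fn(r.Context()))
}

// slowEndpoint blocks until the context is done, as a streaming or
// long-polling handler does when the client disconnects mid-request.
func slowEndpoint(ctx context.Context) error {
	select {
	case <-ctx.Done():
		return ctx.Err()
	case <-time.After(5 * time.Second):
		return nil
	}
}

// failingEndpoint fails for a reason unrelated to the request context.
func failingEndpoint(ctx context.Context) error {
	return errors.New("backend unavailable")
}

// okEndpoint succeeds.
func okEndpoint(ctx context.Context) error { return nil }

// cancelledRequest builds a constructed request whose context is already cancelled.
func cancelledRequest() *http.Request {
	ctx, cancel := context.WithCancel(context.Background())
	cancel()
	return httptest.NewRequest(http.MethodGet, "/v1/example", nil).WithContext(ctx)
}

// liveRequest builds a constructed request with a live context.
func liveRequest() *http.Request {
	return httptest.NewRequest(http.MethodGet, "/v1/example", nil)
}

func main() {
	fmt.Printf("%+v\n", serve(slowEndpoint, cancelledRequest()))
	fmt.Printf("%+v\n", serve(failingEndpoint, liveRequest()))
	fmt.Printf("%+v\n", serve(okEndpoint, liveRequest()))
}
```

The check is done on r.Context().Err() rather than on the returned error's type because a handler may wrap or replace the context error; the request context is the authoritative signal that the client, not the server, ended the request.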
Daniel Nephin
bad2c4ef67
Merge pull request #10399 from hashicorp/dnephin/debug-stream-metrics
debug: use the new metrics stream in debug command
2021-07-27 13:23:15 -04:00
Daniel Nephin
7d24564ff0
http: add tests for AgentMetricsStream
2021-07-26 17:53:33 -04:00
Daniel Nephin
cf2e25c6bb
http: emit indented JSON in the metrics stream endpoint
To remove the need to decode and re-encode in the CLI
2021-07-26 17:53:33 -04:00
Daniel Nephin
d716f709fd
debug: use the new metrics stream in debug command
2021-07-26 17:53:32 -04:00
Freddy
b136b1795a
Reset root prune interval after TestLeader_CARootPruning completes
#10645
Co-authored-by: Daniel Nephin <dnephin@hashicorp.com>
2021-07-26 15:43:40 -06:00
Chris S. Kim
6341183a84
agent: update proxy upstreams to inherit namespace from service ( #10688 )
2021-07-26 17:12:29 -04:00
Freddy
57ca0ed480
Log the correlation ID when blocking queries fire ( #10689 )
Knowing that blocking queries are firing does not provide much
information on its own. If we know the correlation IDs we can
piece together which parts of the snapshot have been populated.
Some of these responses might be empty from the blocking
query timing out. But if they're returning quickly I think we
can reasonably assume they contain data.
2021-07-23 16:36:17 -06:00
R.B. Boyer
c271976445
state: refactor some node/coordinate state store functions to take an EnterpriseMeta ( #10687 )
Note the field is not used yet.
2021-07-23 13:42:23 -05:00
R.B. Boyer
b2facb35a9
replumbing a bunch of api and agent structs for partitions ( #10681 )
2021-07-22 14:33:22 -05:00
R.B. Boyer
254557a1f6
sync changes to oss files made in enterprise ( #10670 )
2021-07-22 13:58:08 -05:00
R.B. Boyer
62ac98b564
agent/structs: add a bunch more EnterpriseMeta helper functions to help with partitioning ( #10669 )
2021-07-22 13:20:45 -05:00
Dhia Ayachi
b725605fe4
config raft apply silent error ( #10657 )
* return an error when the index is not valid
* check response as bool when applying `CAOpSetConfig`
* remove check for bool response
* fix error message and add check to test
* fix comment
* add changelog
2021-07-22 10:32:27 -04:00
Freddy
7d48383041
Avoid panic on concurrent writes to cached service config map ( #10647 )
If multiple instances of a service are co-located on the same node then
their proxies will all share a cache entry for their resolved service
configuration. This is because the cache key contains the name of the
watched service but does not take into account the ID of the watching
proxies.
This means that there will be multiple agent service manager watches
that can wake up on the same cache update. These watchers then
concurrently modify the value in the cache when merging the resolved
config into the local proxy definitions.
To avoid this concurrent map write we will only delete the key from
opaque config in the local proxy definition after the merge, rather
than from the cached value before the merge.
2021-07-20 10:09:29 -06:00
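The hazard and the fix described in that commit, as an added example that is not Consul's service manager code: several watchers share one cache entry because the cache key names the watched service rather than the watching proxy, so any watcher that mutates the cached map races with its siblings. The safe merge below copies the cached config, merges the proxy's local settings into the copy, and deletes the unwanted key from the copy only. The type and function names, the "protocol" key chosen as the key to strip, and the sample config values are all constructed for this example.

```go
package main

import (
	"fmt"
	"sync"
)

// cacheEntry is a resolved service config held in a cache keyed by the watched
// service name, so every proxy instance of that service shares this one map.
type cacheEntry struct {
	Config map[string]interface{}
}

// proxyDefinition is the local state owned by a single watching proxy.
type proxyDefinition struct {
	ID     string
	Config map[string]interface{}
}

// cloneMap copies the cached map so the merge never writes to shared memory.
func cloneMap(m map[string]interface{}) map[string]interface{} {
	out := make(map[string]interface{}, len(m))
	for k, v := range m {
		out[k] = v
	}
	return out
}

// mergeResolvedConfig merges the shared cached config into this proxy's local
// definition. stripKey stands in for a field that must not survive in the
// opaque config after the merge; it is deleted from the local copy, never from
// the cached value, which is the change the commit describes.
func mergeResolvedConfig(cached *cacheEntry, local *proxyDefinition, stripKey string) {
	merged := cloneMap(cached.Config)
	for k, v := range local.Config {
		merged[k] = v // settings in the local proxy definition win over resolved defaults
	}
	delete(merged, stripKey)
	local.Config = merged
}

// runWatchers simulates n proxy watchers waking on the same cache update and
// merging concurrently. It returns the cache entry and the per-proxy results so
// the caller can confirm the shared entry was left untouched.
func runWatchers(n int) (*cacheEntry, []*proxyDefinition) {
	cached := &cacheEntry{Config: map[string]interface{}{
		"protocol":        "http", // constructed sample values
		"max_connections": 100,
	}}
	locals := make([]*proxyDefinition, n)
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		locals[i] = &proxyDefinition{
			ID:     fmt.Sprintf("web-sidecar-proxy-%d", i),
			Config: map[string]interface{}{"local_port": 20000 + i},
		}
		wg.Add(1)
		go func(p *proxyDefinition) {
			defer wg.Done()
			mergeResolvedConfig(cached, p, "protocol")
		}(locals[i])
	}
	wg.Wait()
	return cached, locals
}

func main() {
	cached, locals := runWatchers(4)
	fmt.Println("cached entry still has protocol:", cached.Config["protocol"])
	for _, p := range locals {
		_, hasProtocol := p.Config["protocol"]
		fmt.Printf("%s protocol=%v max_connections=%v local_port=%v\n",
			p.ID, hasProtocol, p.Config["max_connections"], p.Config["local_port"])
	}
}
```

Run it under `go test -race` (or `go run -race`) to confirm the detector stays quiet: the only writes are to maps each goroutine owns, and the shared map is read-only after construction.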
hc-github-team-consul-core
aa97ed5ac6
auto-updated agent/uiserver/bindata_assetfs.go from commit 1eb7a83ee
2021-07-20 15:15:10 +00:00
Blake Covarrubias
441a6c9969
Add DNS recursor strategy option ( #10611 )
This change adds a new `dns_config.recursor_strategy` option which
controls how Consul queries DNS resolvers listed in the `recursors`
config option. The supported options are `sequential` (default), and
`random`.
Closes #8807
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
Co-authored-by: Priyanka Sengupta <psengupta@flatiron.com>
2021-07-19 15:22:51 -07:00
Daniel Nephin
901a5cdd8c
Merge pull request #10396 from hashicorp/dnephin/fix-more-data-races
Fix some data races
2021-07-16 18:21:58 -04:00
Daniel Nephin
23dfb8e9ad
Merge pull request #10009 from hashicorp/dnephin/trim-dns-response-with-edns
dns: properly trim response when EDNS is used
2021-07-16 18:09:25 -04:00
Daniel Nephin
db29c51cd2
acl: use SetHash consistently in testPolicyForID
A previous commit used SetHash on two of the cases to fix a data race. This commit applies
that change to all cases. Using SetHash in this test helper should ensure that the
test helper behaves closer to production.
2021-07-16 17:59:56 -04:00
Daniel Nephin
63772f7ac4
dns: improve naming of error to match DNS terminology
Co-authored-by: Blake Covarrubias <blake@covarrubi.as>
2021-07-16 12:40:24 -04:00
Dhia Ayachi
079decdabd
fix truncate when NS is set
Also: fix test to catch the issue
2021-07-16 12:40:11 -04:00
Evan Culver
521c423075
acls: Show AuthMethodNamespace when reading/listing ACL token meta ( #10598 )
2021-07-15 10:38:52 -07:00
Daniel Nephin
b4ab87111c
Merge pull request #10567 from hashicorp/dnephin/config-unexport-build
config: unexport the remaining builder methods
2021-07-15 12:05:19 -04:00
Freddy
a942a2e025
Merge pull request #10621 from hashicorp/vuln/validate-sans
2021-07-15 09:43:55 -06:00
Daniel Nephin
f286ea0922
Fix godoc comment
Co-authored-by: Freddy <freddygv@users.noreply.github.com>
2021-07-15 11:22:46 -04:00
R.B. Boyer
e018d8a10b
xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) ( #10619 )
2021-07-15 10:09:00 -05:00
hc-github-team-consul-core
6bf7c98227
auto-updated agent/uiserver/bindata_assetfs.go from commit 0762da3a6
2021-07-15 11:23:49 +00:00
freddygv
b6b42c34dc
Add TODOs about partition handling
2021-07-14 22:21:55 -06:00
freddygv
3d4fa44c22
Update golden files
2021-07-14 22:21:55 -06:00
freddygv
a7de87e95b
Validate SANs for passthrough clusters and failovers
2021-07-14 22:21:55 -06:00
freddygv
a6f7d806f6
Update golden files to account for SAN validation
2021-07-14 22:21:55 -06:00
freddygv
3f11449363
Validate Subject Alternative Name for upstreams
These changes ensure that the identity of services dialed is
cryptographically verified.
For all upstreams we validate against SPIFFE IDs in the format used by
Consul's service mesh:
spiffe://<trust-domain>/ns/<namespace>/dc/<datacenter>/svc/<service>
2021-07-14 22:20:27 -06:00
Daniel Nephin
27871498f0
Fix a data race in TestACLResolver_Client
By setting the hash when we create the policy.
```
WARNING: DATA RACE
Read at 0x00c0028b4b10 by goroutine 1182:
github.com/hashicorp/consul/agent/structs.(*ACLPolicy).SetHash()
/home/daniel/pers/code/consul/agent/structs/acl.go:701 +0x40d
github.com/hashicorp/consul/agent/structs.ACLPolicies.resolveWithCache()
/home/daniel/pers/code/consul/agent/structs/acl.go:779 +0xfe
github.com/hashicorp/consul/agent/structs.ACLPolicies.Compile()
/home/daniel/pers/code/consul/agent/structs/acl.go:809 +0xf1
github.com/hashicorp/consul/agent/consul.(*ACLResolver).ResolveTokenToIdentityAndAuthorizer()
/home/daniel/pers/code/consul/agent/consul/acl.go:1226 +0x6ef
github.com/hashicorp/consul/agent/consul.resolveTokenAsync()
/home/daniel/pers/code/consul/agent/consul/acl_test.go:66 +0x5c
Previous write at 0x00c0028b4b10 by goroutine 1509:
github.com/hashicorp/consul/agent/structs.(*ACLPolicy).SetHash()
/home/daniel/pers/code/consul/agent/structs/acl.go:730 +0x3a8
github.com/hashicorp/consul/agent/structs.ACLPolicies.resolveWithCache()
/home/daniel/pers/code/consul/agent/structs/acl.go:779 +0xfe
github.com/hashicorp/consul/agent/structs.ACLPolicies.Compile()
/home/daniel/pers/code/consul/agent/structs/acl.go:809 +0xf1
github.com/hashicorp/consul/agent/consul.(*ACLResolver).ResolveTokenToIdentityAndAuthorizer()
/home/daniel/pers/code/consul/agent/consul/acl.go:1226 +0x6ef
github.com/hashicorp/consul/agent/consul.resolveTokenAsync()
/home/daniel/pers/code/consul/agent/consul/acl_test.go:66 +0x5c
Goroutine 1182 (running) created at:
github.com/hashicorp/consul/agent/consul.TestACLResolver_Client.func4()
/home/daniel/pers/code/consul/agent/consul/acl_test.go:1669 +0x459
testing.tRunner()
/usr/lib/go/src/testing/testing.go:1193 +0x202
Goroutine 1509 (running) created at:
github.com/hashicorp/consul/agent/consul.TestACLResolver_Client.func4()
/home/daniel/pers/code/consul/agent/consul/acl_test.go:1668 +0x415
testing.tRunner()
/usr/lib/go/src/testing/testing.go:1193 +0x202
```
2021-07-14 18:58:16 -04:00
Daniel Nephin
c3c8058fd7
agent: remove deprecated call in a test
2021-07-14 18:58:16 -04:00
Daniel Nephin
9d471269d8
agent: fix a data race in a test
The test was modifying a pointer to a struct that had been passed to
another goroutine. Instead create a new struct to modify.
```
WARNING: DATA RACE
Write at 0x00c01407c3c0 by goroutine 832:
github.com/hashicorp/consul/agent.TestServiceManager_PersistService_API()
/home/daniel/pers/code/consul/agent/service_manager_test.go:446 +0x1d86
testing.tRunner()
/usr/lib/go/src/testing/testing.go:1193 +0x202
Previous read at 0x00c01407c3c0 by goroutine 938:
reflect.typedmemmove()
/usr/lib/go/src/runtime/mbarrier.go:177 +0x0
reflect.Value.Set()
/usr/lib/go/src/reflect/value.go:1569 +0x13b
github.com/mitchellh/copystructure.(*walker).Primitive()
/home/daniel/go/pkg/mod/github.com/mitchellh/copystructure@v1.0.0/copystructure.go:289 +0x190
github.com/mitchellh/reflectwalk.walkPrimitive()
/home/daniel/go/pkg/mod/github.com/mitchellh/reflectwalk@v1.0.1/reflectwalk.go:252 +0x31b
github.com/mitchellh/reflectwalk.walk()
/home/daniel/go/pkg/mod/github.com/mitchellh/reflectwalk@v1.0.1/reflectwalk.go:179 +0x24d
github.com/mitchellh/reflectwalk.walkStruct()
/home/daniel/go/pkg/mod/github.com/mitchellh/reflectwalk@v1.0.1/reflectwalk.go:386 +0x4ec
github.com/mitchellh/reflectwalk.walk()
/home/daniel/go/pkg/mod/github.com/mitchellh/reflectwalk@v1.0.1/reflectwalk.go:188 +0x656
github.com/mitchellh/reflectwalk.walkStruct()
/home/daniel/go/pkg/mod/github.com/mitchellh/reflectwalk@v1.0.1/reflectwalk.go:386 +0x4ec
github.com/mitchellh/reflectwalk.walk()
/home/daniel/go/pkg/mod/github.com/mitchellh/reflectwalk@v1.0.1/reflectwalk.go:188 +0x656
github.com/mitchellh/reflectwalk.Walk()
/home/daniel/go/pkg/mod/github.com/mitchellh/reflectwalk@v1.0.1/reflectwalk.go:92 +0x164
github.com/mitchellh/copystructure.Config.Copy()
/home/daniel/go/pkg/mod/github.com/mitchellh/copystructure@v1.0.0/copystructure.go:69 +0xe7
github.com/mitchellh/copystructure.Copy()
/home/daniel/go/pkg/mod/github.com/mitchellh/copystructure@v1.0.0/copystructure.go:13 +0x84
github.com/hashicorp/consul/agent.mergeServiceConfig()
/home/daniel/pers/code/consul/agent/service_manager.go:362 +0x56
github.com/hashicorp/consul/agent.(*serviceConfigWatch).handleUpdate()
/home/daniel/pers/code/consul/agent/service_manager.go:279 +0x250
github.com/hashicorp/consul/agent.(*serviceConfigWatch).runWatch()
/home/daniel/pers/code/consul/agent/service_manager.go:246 +0x2d4
Goroutine 832 (running) created at:
testing.(*T).Run()
/usr/lib/go/src/testing/testing.go:1238 +0x5d7
testing.runTests.func1()
/usr/lib/go/src/testing/testing.go:1511 +0xa6
testing.tRunner()
/usr/lib/go/src/testing/testing.go:1193 +0x202
testing.runTests()
/usr/lib/go/src/testing/testing.go:1509 +0x612
testing.(*M).Run()
/usr/lib/go/src/testing/testing.go:1417 +0x3b3
main.main()
_testmain.go:1181 +0x236
Goroutine 938 (running) created at:
github.com/hashicorp/consul/agent.(*serviceConfigWatch).start()
/home/daniel/pers/code/consul/agent/service_manager.go:223 +0x4e4
github.com/hashicorp/consul/agent.(*ServiceManager).AddService()
/home/daniel/pers/code/consul/agent/service_manager.go:98 +0x344
github.com/hashicorp/consul/agent.(*Agent).addServiceLocked()
/home/daniel/pers/code/consul/agent/agent.go:1942 +0x2e4
github.com/hashicorp/consul/agent.(*Agent).AddService()
/home/daniel/pers/code/consul/agent/agent.go:1929 +0x337
github.com/hashicorp/consul/agent.TestServiceManager_PersistService_API()
/home/daniel/pers/code/consul/agent/service_manager_test.go:400 +0x17c4
testing.tRunner()
/usr/lib/go/src/testing/testing.go:1193 +0x202
```
2021-07-14 18:58:16 -04:00
Daniel Nephin
6703787740
agent: fix a data race in DNS tests
The dnsConfig pulled from the atomic.Value is a pointer, so modifying it in place
creates a data race. Use the exported ReloadConfig interface instead.
2021-07-14 18:58:16 -04:00
Daniel Nephin
2946e42a9e
agent: fix two data races in agent tests
The LogOutput io.Writer used by TestAgent must allow concurrent reads and writes, and a
bytes.Buffer does not allow this. The bytes.Buffer must be wrapped with a lock to make this safe.
2021-07-14 18:58:16 -04:00
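The wrapper that commit calls for, as an added example and not Consul's TestAgent code: a bytes.Buffer guarded by a mutex so that log writes from many goroutines and reads from a test assertion can overlap safely. The scenario function, the lockedBuffer type and the sample log lines are constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
	"sync"
	"time"
)

// lockedBuffer makes bytes.Buffer safe for concurrent Write and String calls,
// which a bare bytes.Buffer is not.
type lockedBuffer struct {
	mu  sync.Mutex
	buf bytes.Buffer
}

func (b *lockedBuffer) Write(p []byte) (int, error) {
	b.mu.Lock()
	defer b.mu.Unlock()
	return b.buf.Write(p)
}

func (b *lockedBuffer) String() string {
	b.mu.Lock()
	defer b.mu.Unlock()
	return b.buf.String()
}

var _ io.Writer = (*lockedBuffer)(nil)

// countLines counts complete log lines in the captured output.
func countLines(s string) int { return strings.Count(s, "\n") }

// runLogScenario reproduces the test shape that races on a plain bytes.Buffer:
// writers goroutines each emit lines log entries while another goroutine keeps
// reading the buffer. It returns the number of complete lines captured.
func runLogScenario(writers, lines int) (int, error) {
	buf := &lockedBuffer{}
	done := make(chan struct{})
	go func() { // reader polling the buffer while writes are in flight
		for {
			select {
			case <-done:
				return
			default:
				_ = buf.String()
				time.Sleep(50 * time.Microsecond)
			}
		}
	}()
	var wg sync.WaitGroup
	var errMu sync.Mutex
	var firstErr error
	for i := 0; i < writers; i++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			for j := 0; j < lines; j++ {
				// constructed log line; Fprintf issues a single Write per call
				if _, err := fmt.Fprintf(buf, "[INFO] agent: writer=%d line=%d\n", id, j); err != nil {
					errMu.Lock()
					if firstErr == nil {
						firstErr = err
					}
					errMu.Unlock()
				}
			}
		}(i)
	}
	wg.Wait()
	close(done)
	return countLines(buf.String()), firstErr
}

func main() {
	n, err := runLogScenario(8, 100)
	fmt.Println("lines captured:", n, "err:", err)
}
```

Each fmt.Fprintf formats the whole line first and then makes one Write call, so lines never interleave under the lock; the same wrapper would not protect callers that build a line with several Write calls. Under `go test -race` the unwrapped bytes.Buffer in this scenario reports a read/write race; the locked version does not.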