package agent import ( "fmt" "net/http" "strings" "github.com/hashicorp/consul/agent/consul" "github.com/hashicorp/consul/agent/structs" ) // /v1/connect/intentions func (s *HTTPHandlers) IntentionEndpoint(resp http.ResponseWriter, req *http.Request) (interface{}, error) { switch req.Method { case "GET": return s.IntentionList(resp, req) case "POST": return s.IntentionCreate(resp, req) default: return nil, MethodNotAllowedError{req.Method, []string{"GET", "POST"}} } } // GET /v1/connect/intentions func (s *HTTPHandlers) IntentionList(resp http.ResponseWriter, req *http.Request) (interface{}, error) { // Method is tested in IntentionEndpoint var args structs.DCSpecificRequest if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done { return nil, nil } if err := s.parseEntMeta(req, &args.EnterpriseMeta); err != nil { return nil, err } var reply structs.IndexedIntentions defer setMeta(resp, &reply.QueryMeta) if err := s.agent.RPC("Intention.List", &args, &reply); err != nil { return nil, err } return reply.Intentions, nil } // POST /v1/connect/intentions func (s *HTTPHandlers) IntentionCreate(resp http.ResponseWriter, req *http.Request) (interface{}, error) { // Method is tested in IntentionEndpoint var entMeta structs.EnterpriseMeta if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil { return nil, err } args := structs.IntentionRequest{ Op: structs.IntentionOpCreate, } s.parseDC(req, &args.Datacenter) s.parseToken(req, &args.Token) if err := decodeBody(req.Body, &args.Intention); err != nil { return nil, fmt.Errorf("Failed to decode request body: %s", err) } args.Intention.FillNonDefaultNamespaces(&entMeta) if err := s.validateEnterpriseIntention(args.Intention); err != nil { return nil, err } var reply string if err := s.agent.RPC("Intention.Apply", &args, &reply); err != nil { return nil, err } return intentionCreateResponse{reply}, nil } func (s *HTTPHandlers) validateEnterpriseIntention(ixn *structs.Intention) error { if err := s.validateEnterpriseIntentionNamespace("SourceNS", ixn.SourceNS, true); err != nil { return err } if err := s.validateEnterpriseIntentionNamespace("DestinationNS", ixn.DestinationNS, true); err != nil { return err } return nil } // GET /v1/connect/intentions/match func (s *HTTPHandlers) IntentionMatch(resp http.ResponseWriter, req *http.Request) (interface{}, error) { // Prepare args args := &structs.IntentionQueryRequest{Match: &structs.IntentionQueryMatch{}} if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done { return nil, nil } var entMeta structs.EnterpriseMeta if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil { return nil, err } q := req.URL.Query() // Extract the "by" query parameter if by, ok := q["by"]; !ok || len(by) != 1 { return nil, fmt.Errorf("required query parameter 'by' not set") } else { switch v := structs.IntentionMatchType(by[0]); v { case structs.IntentionMatchSource, structs.IntentionMatchDestination: args.Match.Type = v default: return nil, fmt.Errorf("'by' parameter must be one of 'source' or 'destination'") } } // Extract all the match names names, ok := q["name"] if !ok || len(names) == 0 { return nil, fmt.Errorf("required query parameter 'name' not set") } // Build the entries in order. The order matters since that is the // order of the returned responses. args.Match.Entries = make([]structs.IntentionMatchEntry, len(names)) for i, n := range names { entry, err := parseIntentionMatchEntry(n, &entMeta) if err != nil { return nil, fmt.Errorf("name %q is invalid: %s", n, err) } args.Match.Entries[i] = entry } var reply structs.IndexedIntentionMatches if err := s.agent.RPC("Intention.Match", args, &reply); err != nil { return nil, err } // We must have an identical count of matches if len(reply.Matches) != len(names) { return nil, fmt.Errorf("internal error: match response count didn't match input count") } // Use empty list instead of nil. response := make(map[string]structs.Intentions) for i, ixns := range reply.Matches { response[names[i]] = ixns } return response, nil } // GET /v1/connect/intentions/check func (s *HTTPHandlers) IntentionCheck(resp http.ResponseWriter, req *http.Request) (interface{}, error) { // Prepare args args := &structs.IntentionQueryRequest{Check: &structs.IntentionQueryCheck{}} if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done { return nil, nil } var entMeta structs.EnterpriseMeta if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil { return nil, err } q := req.URL.Query() // Set the source type if set args.Check.SourceType = structs.IntentionSourceConsul if sourceType, ok := q["source-type"]; ok && len(sourceType) > 0 { args.Check.SourceType = structs.IntentionSourceType(sourceType[0]) } // Extract the source/destination source, ok := q["source"] if !ok || len(source) != 1 { return nil, fmt.Errorf("required query parameter 'source' not set") } destination, ok := q["destination"] if !ok || len(destination) != 1 { return nil, fmt.Errorf("required query parameter 'destination' not set") } // We parse them the same way as matches to extract namespace/name args.Check.SourceName = source[0] if args.Check.SourceType == structs.IntentionSourceConsul { entry, err := parseIntentionMatchEntry(source[0], &entMeta) if err != nil { return nil, fmt.Errorf("source %q is invalid: %s", source[0], err) } args.Check.SourceNS = entry.Namespace args.Check.SourceName = entry.Name } // The destination is always in the Consul format entry, err := parseIntentionMatchEntry(destination[0], &entMeta) if err != nil { return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err) } args.Check.DestinationNS = entry.Namespace args.Check.DestinationName = entry.Name var reply structs.IntentionQueryCheckResponse if err := s.agent.RPC("Intention.Check", args, &reply); err != nil { return nil, err } return &reply, nil } // GET /v1/connect/intentions/exact func (s *HTTPHandlers) IntentionGetExact(resp http.ResponseWriter, req *http.Request) (interface{}, error) { var entMeta structs.EnterpriseMeta if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil { return nil, err } args := structs.IntentionQueryRequest{ Exact: &structs.IntentionQueryExact{}, } if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done { return nil, nil } q := req.URL.Query() // Extract the source/destination source, ok := q["source"] if !ok || len(source) != 1 { return nil, fmt.Errorf("required query parameter 'source' not set") } destination, ok := q["destination"] if !ok || len(destination) != 1 { return nil, fmt.Errorf("required query parameter 'destination' not set") } { entry, err := parseIntentionMatchEntry(source[0], &entMeta) if err != nil { return nil, fmt.Errorf("source %q is invalid: %s", source[0], err) } args.Exact.SourceNS = entry.Namespace args.Exact.SourceName = entry.Name } { entry, err := parseIntentionMatchEntry(destination[0], &entMeta) if err != nil { return nil, fmt.Errorf("destination %q is invalid: %s", destination[0], err) } args.Exact.DestinationNS = entry.Namespace args.Exact.DestinationName = entry.Name } var reply structs.IndexedIntentions if err := s.agent.RPC("Intention.Get", &args, &reply); err != nil { // We have to check the string since the RPC sheds the error type if err.Error() == consul.ErrIntentionNotFound.Error() { resp.WriteHeader(http.StatusNotFound) fmt.Fprint(resp, err.Error()) return nil, nil } // Not ideal, but there are a number of error scenarios that are not // user error (400). We look for a specific case of invalid UUID // to detect a parameter error and return a 400 response. The error // is not a constant type or message, so we have to use strings.Contains if strings.Contains(err.Error(), "UUID") { return nil, BadRequestError{Reason: err.Error()} } return nil, err } // This shouldn't happen since the called API documents it shouldn't, // but we check since the alternative if it happens is a panic. if len(reply.Intentions) == 0 { resp.WriteHeader(http.StatusNotFound) return nil, nil } return reply.Intentions[0], nil } // IntentionSpecific handles the endpoint for /v1/connect/intentions/:id func (s *HTTPHandlers) IntentionSpecific(resp http.ResponseWriter, req *http.Request) (interface{}, error) { id := strings.TrimPrefix(req.URL.Path, "/v1/connect/intentions/") switch req.Method { case "GET": return s.IntentionSpecificGet(id, resp, req) case "PUT": return s.IntentionSpecificUpdate(id, resp, req) case "DELETE": return s.IntentionSpecificDelete(id, resp, req) default: return nil, MethodNotAllowedError{req.Method, []string{"GET", "PUT", "DELETE"}} } } // GET /v1/connect/intentions/:id func (s *HTTPHandlers) IntentionSpecificGet(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) { // Method is tested in IntentionEndpoint args := structs.IntentionQueryRequest{ IntentionID: id, } if done := s.parse(resp, req, &args.Datacenter, &args.QueryOptions); done { return nil, nil } var reply structs.IndexedIntentions if err := s.agent.RPC("Intention.Get", &args, &reply); err != nil { // We have to check the string since the RPC sheds the error type if err.Error() == consul.ErrIntentionNotFound.Error() { resp.WriteHeader(http.StatusNotFound) fmt.Fprint(resp, err.Error()) return nil, nil } // Not ideal, but there are a number of error scenarios that are not // user error (400). We look for a specific case of invalid UUID // to detect a parameter error and return a 400 response. The error // is not a constant type or message, so we have to use strings.Contains if strings.Contains(err.Error(), "UUID") { return nil, BadRequestError{Reason: err.Error()} } return nil, err } // This shouldn't happen since the called API documents it shouldn't, // but we check since the alternative if it happens is a panic. if len(reply.Intentions) == 0 { resp.WriteHeader(http.StatusNotFound) return nil, nil } return reply.Intentions[0], nil } // PUT /v1/connect/intentions/:id func (s *HTTPHandlers) IntentionSpecificUpdate(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) { // Method is tested in IntentionEndpoint var entMeta structs.EnterpriseMeta if err := s.parseEntMetaNoWildcard(req, &entMeta); err != nil { return nil, err } args := structs.IntentionRequest{ Op: structs.IntentionOpUpdate, } s.parseDC(req, &args.Datacenter) s.parseToken(req, &args.Token) if err := decodeBody(req.Body, &args.Intention); err != nil { return nil, BadRequestError{Reason: fmt.Sprintf("Request decode failed: %v", err)} } args.Intention.FillNonDefaultNamespaces(&entMeta) // Use the ID from the URL args.Intention.ID = id var reply string if err := s.agent.RPC("Intention.Apply", &args, &reply); err != nil { return nil, err } // Update uses the same create response return intentionCreateResponse{reply}, nil } // DELETE /v1/connect/intentions/:id func (s *HTTPHandlers) IntentionSpecificDelete(id string, resp http.ResponseWriter, req *http.Request) (interface{}, error) { // Method is tested in IntentionEndpoint args := structs.IntentionRequest{ Op: structs.IntentionOpDelete, Intention: &structs.Intention{ID: id}, } s.parseDC(req, &args.Datacenter) s.parseToken(req, &args.Token) var reply string if err := s.agent.RPC("Intention.Apply", &args, &reply); err != nil { return nil, err } return true, nil } // intentionCreateResponse is the response structure for creating an intention. type intentionCreateResponse struct{ ID string } // parseIntentionMatchEntry parses the query parameter for an intention // match query entry. func parseIntentionMatchEntry(input string, entMeta *structs.EnterpriseMeta) (structs.IntentionMatchEntry, error) { var result structs.IntentionMatchEntry result.Namespace = entMeta.NamespaceOrEmpty() // Get the index to the '/'. If it doesn't exist, we have just a name // so just set that and return. idx := strings.IndexByte(input, '/') if idx == -1 { result.Name = input return result, nil } result.Namespace = input[:idx] result.Name = input[idx+1:] if strings.IndexByte(result.Name, '/') != -1 { return result, fmt.Errorf("input can contain at most one '/'") } return result, nil }