open-consul/agent/consul/state/intention_test.go
Daniel Nephin 33621706ac state: rename table name constants to use pattern
the 'table' prefix is shorter, and also reads better in queries.
2021-02-05 12:12:19 -05:00

1850 lines
50 KiB
Go

package state
import (
"testing"
"time"
"github.com/hashicorp/go-memdb"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/acl"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/agent/structs"
"github.com/hashicorp/consul/sdk/testutil"
)
var (
testLocation = time.FixedZone("UTC-8", -8*60*60)
testTimeA = time.Date(1955, 11, 5, 6, 15, 0, 0, testLocation)
testTimeB = time.Date(1985, 10, 26, 1, 35, 0, 0, testLocation)
testTimeC = time.Date(2015, 10, 21, 16, 29, 0, 0, testLocation)
)
func testBothIntentionFormats(t *testing.T, f func(t *testing.T, s *Store, legacy bool)) {
t.Helper()
// Within the body of the callback, only use Legacy CRUD functions to edit
// data (pivoting on the legacy flag), and exclusively use the generic
// functions that flip-flop between tables to read it.
t.Run("legacy", func(t *testing.T) {
// NOTE: This one tests that the old state machine functions still do
// what we expect. No newly initiated user edits should go through
// these paths, just lingering raft log entries from before the upgrade
// to 1.9.0.
s := testStateStore(t)
f(t, s, true)
})
t.Run("config-entries", func(t *testing.T) {
s := testConfigStateStore(t)
f(t, s, false)
})
}
func TestStore_IntentionGet_none(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
assert := assert.New(t)
// Querying with no results returns nil.
ws := memdb.NewWatchSet()
idx, _, res, err := s.IntentionGet(ws, testUUID())
assert.Equal(uint64(1), idx)
assert.Nil(res)
assert.Nil(err)
})
}
func TestStore_IntentionSetGet_basic(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
lastIndex := uint64(1)
// Call Get to populate the watch set
ws := memdb.NewWatchSet()
_, _, _, err := s.IntentionGet(ws, testUUID())
require.Nil(t, err)
// Build a valid intention
var (
legacyIxn *structs.Intention
configEntry *structs.ServiceIntentionsConfigEntry
expected *structs.Intention
)
if legacy {
legacyIxn = &structs.Intention{
ID: testUUID(),
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "web",
Meta: map[string]string{},
CreatedAt: testTimeA,
UpdatedAt: testTimeA,
}
// Inserting a with empty ID is disallowed.
lastIndex++
require.NoError(t, s.LegacyIntentionSet(lastIndex, legacyIxn))
// Make sure the right index got updated.
require.Equal(t, lastIndex, s.maxIndex(tableConnectIntentions))
require.Equal(t, uint64(0), s.maxIndex(tableConfigEntries))
expected = &structs.Intention{
ID: legacyIxn.ID,
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "web",
Meta: map[string]string{},
CreatedAt: testTimeA,
UpdatedAt: testTimeA,
RaftIndex: structs.RaftIndex{
CreateIndex: lastIndex,
ModifyIndex: lastIndex,
},
}
//nolint:staticcheck
expected.UpdatePrecedence()
} else {
srcID := testUUID()
configEntry = &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "web",
Sources: []*structs.SourceIntention{
{
LegacyID: srcID,
Name: "*",
Action: structs.IntentionActionAllow,
LegacyMeta: map[string]string{},
LegacyCreateTime: &testTimeA,
LegacyUpdateTime: &testTimeA,
},
},
}
lastIndex++
require.NoError(t, configEntry.LegacyNormalize())
require.NoError(t, configEntry.LegacyValidate())
require.NoError(t, s.EnsureConfigEntry(lastIndex, configEntry.Clone(), nil))
// Make sure the config entry index got updated instead of the old intentions one
require.Equal(t, lastIndex, s.maxIndex(tableConfigEntries))
require.Equal(t, uint64(0), s.maxIndex(tableConnectIntentions))
expected = &structs.Intention{
ID: srcID,
SourceNS: "default",
SourceName: "*",
SourceType: structs.IntentionSourceConsul,
DestinationNS: "default",
DestinationName: "web",
Meta: map[string]string{},
Action: structs.IntentionActionAllow,
RaftIndex: structs.RaftIndex{
CreateIndex: lastIndex,
ModifyIndex: lastIndex,
},
CreatedAt: *configEntry.Sources[0].LegacyCreateTime,
UpdatedAt: *configEntry.Sources[0].LegacyUpdateTime,
}
//nolint:staticcheck
expected.UpdatePrecedence()
//nolint:staticcheck
expected.SetHash()
}
require.True(t, watchFired(ws), "watch fired")
// Read it back out and verify it.
ws = memdb.NewWatchSet()
idx, _, actual, err := s.IntentionGet(ws, expected.ID)
require.NoError(t, err)
require.Equal(t, expected.CreateIndex, idx)
require.Equal(t, expected, actual)
if legacy {
// Change a value and test updating
legacyIxn.SourceNS = "foo"
lastIndex++
require.NoError(t, s.LegacyIntentionSet(lastIndex, legacyIxn))
// Change a value that isn't in the unique 4 tuple and check we don't
// incorrectly consider this a duplicate when updating.
legacyIxn.Action = structs.IntentionActionDeny
lastIndex++
require.NoError(t, s.LegacyIntentionSet(lastIndex, legacyIxn))
// Make sure the index got updated.
require.Equal(t, lastIndex, s.maxIndex(tableConnectIntentions))
require.Equal(t, uint64(0), s.maxIndex(tableConfigEntries))
expected.SourceNS = legacyIxn.SourceNS
expected.Action = structs.IntentionActionDeny
expected.ModifyIndex = lastIndex
} else {
// Change a value and test updating
configEntry.Sources[0].Description = "test-desc1"
lastIndex++
require.NoError(t, configEntry.LegacyNormalize())
require.NoError(t, configEntry.LegacyValidate())
require.NoError(t, s.EnsureConfigEntry(lastIndex, configEntry.Clone(), nil))
// Change a value that isn't in the unique 4 tuple and check we don't
// incorrectly consider this a duplicate when updating.
configEntry.Sources[0].Action = structs.IntentionActionDeny
lastIndex++
require.NoError(t, configEntry.LegacyNormalize())
require.NoError(t, configEntry.LegacyValidate())
require.NoError(t, s.EnsureConfigEntry(lastIndex, configEntry.Clone(), nil))
// Make sure the config entry index got updated instead of the old intentions one
require.Equal(t, lastIndex, s.maxIndex(tableConfigEntries))
require.Equal(t, uint64(0), s.maxIndex(tableConnectIntentions))
expected.Description = configEntry.Sources[0].Description
expected.Action = structs.IntentionActionDeny
expected.UpdatedAt = *configEntry.Sources[0].LegacyUpdateTime
expected.ModifyIndex = lastIndex
//nolint:staticcheck
expected.UpdatePrecedence()
//nolint:staticcheck
expected.SetHash()
}
require.True(t, watchFired(ws), "watch fired")
// Read it back and verify the data was updated
ws = memdb.NewWatchSet()
idx, _, actual, err = s.IntentionGet(ws, expected.ID)
require.NoError(t, err)
require.Equal(t, expected.ModifyIndex, idx)
require.Equal(t, expected, actual)
if legacy {
// Attempt to insert another intention with duplicate 4-tuple
legacyIxn = &structs.Intention{
ID: testUUID(),
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "web",
Meta: map[string]string{},
}
// Duplicate 4-tuple should cause an error
ws = memdb.NewWatchSet()
lastIndex++
require.Error(t, s.LegacyIntentionSet(lastIndex, legacyIxn))
// Make sure the index did NOT get updated.
require.Equal(t, lastIndex-1, s.maxIndex(tableConnectIntentions))
require.Equal(t, uint64(0), s.maxIndex(tableConfigEntries))
require.False(t, watchFired(ws), "watch not fired")
}
})
}
func TestStore_LegacyIntentionSet_failsAfterUpgrade(t *testing.T) {
// note: special case test doesn't need variants
s := testConfigStateStore(t)
ixn := structs.Intention{
ID: testUUID(),
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "web",
Action: structs.IntentionActionAllow,
Meta: map[string]string{},
}
err := s.LegacyIntentionSet(1, &ixn)
testutil.RequireErrorContains(t, err, ErrLegacyIntentionsAreDisabled.Error())
}
func TestStore_LegacyIntentionDelete_failsAfterUpgrade(t *testing.T) {
// note: special case test doesn't need variants
s := testConfigStateStore(t)
err := s.LegacyIntentionDelete(1, testUUID())
testutil.RequireErrorContains(t, err, ErrLegacyIntentionsAreDisabled.Error())
}
func TestStore_IntentionMutation(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
if legacy {
mut := &structs.IntentionMutation{}
err := s.IntentionMutation(1, structs.IntentionOpCreate, mut)
testutil.RequireErrorContains(t, err, "state: IntentionMutation() is not allowed when intentions are not stored in config entries")
} else {
testStore_IntentionMutation(t, s)
}
})
}
func testStore_IntentionMutation(t *testing.T, s *Store) {
lastIndex := uint64(1)
defaultEntMeta := structs.DefaultEnterpriseMeta()
var (
id1 = testUUID()
id2 = testUUID()
id3 = testUUID()
)
eqEntry := func(t *testing.T, expect, got *structs.ServiceIntentionsConfigEntry) {
t.Helper()
// Zero out some fields for comparison.
got = got.Clone()
got.RaftIndex = structs.RaftIndex{}
for _, src := range got.Sources {
src.LegacyCreateTime = nil
src.LegacyUpdateTime = nil
if len(src.LegacyMeta) == 0 {
src.LegacyMeta = nil
}
}
require.Equal(t, expect, got)
}
// Try to create an intention without an ID to prove that LegacyValidate is being called.
testutil.RequireErrorContains(t, s.IntentionMutation(lastIndex, structs.IntentionOpCreate, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
LegacyCreateTime: &testTimeA,
LegacyUpdateTime: &testTimeA,
},
}), `Sources[0].LegacyID must be set`)
// Create intention and create config entry
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpCreate, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
LegacyID: id1,
LegacyCreateTime: &testTimeA,
LegacyUpdateTime: &testTimeA,
},
}))
// Ensure it's there now.
idx, entry, ixn, err := s.IntentionGet(nil, id1)
require.NoError(t, err)
require.NotNil(t, entry)
require.NotNil(t, ixn)
require.Equal(t, lastIndex, idx)
eqEntry(t, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
LegacyID: id1,
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
Precedence: 9,
Type: structs.IntentionSourceConsul,
},
},
}, entry)
// only one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Len(t, entries, 1)
lastIndex++
}
// Try to create a duplicate intention.
{
testutil.RequireErrorContains(t, s.IntentionMutation(lastIndex, structs.IntentionOpCreate, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
LegacyID: id2,
LegacyCreateTime: &testTimeB,
LegacyUpdateTime: &testTimeB,
},
}), `more than once`)
}
// Create intention with existing config entry
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpCreate, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "debug",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
LegacyID: id2,
LegacyCreateTime: &testTimeB,
LegacyUpdateTime: &testTimeB,
},
}))
// Ensure it's there now.
idx, entry, ixn, err := s.IntentionGet(nil, id2)
require.NoError(t, err)
require.NotNil(t, entry)
require.NotNil(t, ixn)
require.Equal(t, lastIndex, idx)
eqEntry(t, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
LegacyID: id1,
Precedence: 9,
Type: structs.IntentionSourceConsul,
},
{
Name: "debug",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
LegacyID: id2,
Precedence: 9,
Type: structs.IntentionSourceConsul,
},
},
}, entry)
// only one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Len(t, entries, 1)
lastIndex++
}
// Try to update an intention without specifying an ID
testutil.RequireErrorContains(t, s.IntentionMutation(lastIndex, structs.IntentionOpUpdate, &structs.IntentionMutation{
ID: "",
Destination: structs.NewServiceName("api", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
},
}), `failed config entry lookup: index error: UUID must be 36 characters`)
// Try to update a non-existent intention
testutil.RequireErrorContains(t, s.IntentionMutation(lastIndex, structs.IntentionOpUpdate, &structs.IntentionMutation{
ID: id3,
Destination: structs.NewServiceName("api", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
},
}), `Cannot modify non-existent intention`)
// Update an existing intention by ID
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpUpdate, &structs.IntentionMutation{
ID: id2,
Destination: structs.NewServiceName("api", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "debug",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
LegacyID: id2,
LegacyCreateTime: &testTimeB,
LegacyUpdateTime: &testTimeC,
Description: "op update",
},
}))
// Ensure it's there now.
idx, entry, ixn, err := s.IntentionGet(nil, id2)
require.NoError(t, err)
require.NotNil(t, entry)
require.NotNil(t, ixn)
require.Equal(t, lastIndex, idx)
eqEntry(t, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
LegacyID: id1,
Precedence: 9,
Type: structs.IntentionSourceConsul,
},
{
Name: "debug",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
LegacyID: id2,
Precedence: 9,
Type: structs.IntentionSourceConsul,
Description: "op update",
},
},
}, entry)
// only one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Len(t, entries, 1)
lastIndex++
}
// Try to delete a non-existent intention
testutil.RequireErrorContains(t, s.IntentionMutation(lastIndex, structs.IntentionOpDelete, &structs.IntentionMutation{
ID: id3,
}), `Cannot delete non-existent intention`)
// delete by id
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpDelete, &structs.IntentionMutation{
ID: id1,
}))
// only one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Len(t, entries, 1)
eqEntry(t, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
Name: "debug",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
LegacyID: id2,
Precedence: 9,
Type: structs.IntentionSourceConsul,
Description: "op update",
},
},
}, entries[0].(*structs.ServiceIntentionsConfigEntry))
lastIndex++
}
// delete last one by id
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpDelete, &structs.IntentionMutation{
ID: id2,
}))
// none one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Empty(t, entries)
lastIndex++
}
// upsert intention for first time
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpUpsert, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
},
}))
// Ensure it's there now.
idx, entry, ixn, err := s.IntentionGetExact(nil, &structs.IntentionQueryExact{
SourceNS: "default",
SourceName: "web",
DestinationNS: "default",
DestinationName: "api",
})
require.NoError(t, err)
require.NotNil(t, entry)
require.NotNil(t, ixn)
require.Equal(t, lastIndex, idx)
eqEntry(t, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
Precedence: 9,
Type: structs.IntentionSourceConsul,
},
},
}, entry)
// only one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Len(t, entries, 1)
lastIndex++
}
// upsert over itself (REPLACE)
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpUpsert, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Source: structs.NewServiceName("web", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
Description: "upserted over",
},
}))
// Ensure it's there now.
idx, entry, ixn, err := s.IntentionGetExact(nil, &structs.IntentionQueryExact{
SourceNS: "default",
SourceName: "web",
DestinationNS: "default",
DestinationName: "api",
})
require.NoError(t, err)
require.NotNil(t, entry)
require.NotNil(t, ixn)
require.Equal(t, lastIndex, idx)
require.Equal(t, "upserted over", ixn.Description)
eqEntry(t, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
Precedence: 9,
Type: structs.IntentionSourceConsul,
Description: "upserted over",
},
},
}, entry)
// only one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Len(t, entries, 1)
lastIndex++
}
// upsert into existing config entry (APPEND)
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpUpsert, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Source: structs.NewServiceName("debug", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "debug",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
},
}))
// Ensure it's there now.
idx, entry, ixn, err := s.IntentionGetExact(nil, &structs.IntentionQueryExact{
SourceNS: "default",
SourceName: "debug",
DestinationNS: "default",
DestinationName: "api",
})
require.NoError(t, err)
require.NotNil(t, entry)
require.NotNil(t, ixn)
require.Equal(t, lastIndex, idx)
eqEntry(t, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
Precedence: 9,
Type: structs.IntentionSourceConsul,
Description: "upserted over",
},
{
Name: "debug",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
Precedence: 9,
Type: structs.IntentionSourceConsul,
},
},
}, entry)
// only one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Len(t, entries, 1)
lastIndex++
}
// Try to delete a non-existent intention by name
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpDelete, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Source: structs.NewServiceName("blurb", defaultEntMeta),
}))
// delete by name
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpDelete, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Source: structs.NewServiceName("web", defaultEntMeta),
}))
// only one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Len(t, entries, 1)
eqEntry(t, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
Name: "debug",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionDeny,
Precedence: 9,
Type: structs.IntentionSourceConsul,
},
},
}, entries[0].(*structs.ServiceIntentionsConfigEntry))
lastIndex++
}
// delete last one by name
{
require.NoError(t, s.IntentionMutation(lastIndex, structs.IntentionOpDelete, &structs.IntentionMutation{
Destination: structs.NewServiceName("api", defaultEntMeta),
Source: structs.NewServiceName("debug", defaultEntMeta),
}))
// none one
_, entries, err := s.ConfigEntries(nil, nil)
require.NoError(t, err)
require.Empty(t, entries)
lastIndex++
}
// Try to update an intention with an ID on a non-legacy config entry.
{
idFake := testUUID()
require.NoError(t, s.EnsureConfigEntry(lastIndex, &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "new",
EnterpriseMeta: *defaultEntMeta,
Sources: []*structs.SourceIntention{
{
Name: "web",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
Precedence: 9,
Type: structs.IntentionSourceConsul,
},
},
}, nil))
lastIndex++
// ...via create
testutil.RequireErrorContains(t, s.IntentionMutation(lastIndex, structs.IntentionOpCreate, &structs.IntentionMutation{
Destination: structs.NewServiceName("new", defaultEntMeta),
Value: &structs.SourceIntention{
Name: "old",
EnterpriseMeta: *defaultEntMeta,
Action: structs.IntentionActionAllow,
LegacyID: idFake,
},
}), `cannot use legacy intention API to edit intentions with a destination`)
}
}
func TestStore_LegacyIntentionSet_emptyId(t *testing.T) {
// note: irrelevant test for config entries variant
s := testStateStore(t)
ws := memdb.NewWatchSet()
_, _, _, err := s.IntentionGet(ws, testUUID())
require.NoError(t, err)
// Inserting a with empty ID is disallowed.
err = s.LegacyIntentionSet(1, &structs.Intention{})
require.Error(t, err)
require.Contains(t, err.Error(), ErrMissingIntentionID.Error())
// Index is not updated if nothing is saved.
require.Equal(t, s.maxIndex(tableConnectIntentions), uint64(0))
require.Equal(t, uint64(0), s.maxIndex(tableConfigEntries))
require.False(t, watchFired(ws), "watch fired")
}
func TestStore_IntentionSet_updateCreatedAt(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
// Build a valid intention
var (
id = testUUID()
)
if legacy {
ixn := structs.Intention{
ID: id,
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "web",
Action: structs.IntentionActionAllow,
CreatedAt: testTimeA,
UpdatedAt: testTimeA,
}
// Insert
require.NoError(t, s.LegacyIntentionSet(1, &ixn))
// Change a value and test updating
ixnUpdate := ixn
ixnUpdate.CreatedAt = testTimeB
require.NoError(t, s.LegacyIntentionSet(2, &ixnUpdate))
id = ixn.ID
} else {
conf := &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "web",
Sources: []*structs.SourceIntention{
{
LegacyID: id,
Name: "*",
Action: structs.IntentionActionAllow,
LegacyMeta: map[string]string{},
LegacyCreateTime: &testTimeA,
LegacyUpdateTime: &testTimeA,
},
},
}
require.NoError(t, conf.LegacyNormalize())
require.NoError(t, conf.LegacyValidate())
require.NoError(t, s.EnsureConfigEntry(1, conf.Clone(), nil))
}
// Read it back and verify
_, _, actual, err := s.IntentionGet(nil, id)
require.NoError(t, err)
require.NotNil(t, actual)
require.Equal(t, testTimeA, actual.CreatedAt)
})
}
func TestStore_IntentionSet_metaNil(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
id := testUUID()
if legacy {
// Build a valid intention
ixn := &structs.Intention{
ID: id,
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "web",
Action: structs.IntentionActionAllow,
CreatedAt: testTimeA,
UpdatedAt: testTimeA,
}
// Insert
require.NoError(t, s.LegacyIntentionSet(1, ixn))
} else {
// Build a valid intention
conf := &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "web",
Sources: []*structs.SourceIntention{
{
LegacyID: id,
Name: "*",
Action: structs.IntentionActionAllow,
LegacyCreateTime: &testTimeA,
LegacyUpdateTime: &testTimeA,
},
},
}
// Insert
require.NoError(t, conf.LegacyNormalize())
require.NoError(t, conf.LegacyValidate())
require.NoError(t, s.EnsureConfigEntry(1, conf.Clone(), nil))
}
// Read it back and verify
_, _, actual, err := s.IntentionGet(nil, id)
require.NoError(t, err)
require.NotNil(t, actual.Meta)
})
}
func TestStore_IntentionSet_metaSet(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
var (
id = testUUID()
expectMeta = map[string]string{"foo": "bar"}
)
if legacy {
// Build a valid intention
ixn := structs.Intention{
ID: id,
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "web",
Action: structs.IntentionActionAllow,
CreatedAt: testTimeA,
UpdatedAt: testTimeA,
Meta: expectMeta,
}
// Insert
require.NoError(t, s.LegacyIntentionSet(1, &ixn))
} else {
// Build a valid intention
conf := &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "web",
Sources: []*structs.SourceIntention{
{
LegacyID: id,
Name: "*",
Action: structs.IntentionActionAllow,
LegacyCreateTime: &testTimeA,
LegacyUpdateTime: &testTimeA,
LegacyMeta: expectMeta,
},
},
}
// Insert
require.NoError(t, conf.LegacyNormalize())
require.NoError(t, conf.LegacyValidate())
require.NoError(t, s.EnsureConfigEntry(1, conf.Clone(), nil))
}
// Read it back and verify
_, _, actual, err := s.IntentionGet(nil, id)
require.NoError(t, err)
require.Equal(t, expectMeta, actual.Meta)
})
}
func TestStore_IntentionDelete(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
lastIndex := uint64(1)
// Call Get to populate the watch set
ws := memdb.NewWatchSet()
_, _, _, err := s.IntentionGet(ws, testUUID())
require.NoError(t, err)
id := testUUID()
// Create
if legacy {
ixn := &structs.Intention{
ID: id,
SourceNS: "default",
SourceName: "*",
DestinationNS: "default",
DestinationName: "web",
Action: structs.IntentionActionAllow,
CreatedAt: testTimeA,
UpdatedAt: testTimeA,
}
lastIndex++
require.NoError(t, s.LegacyIntentionSet(lastIndex, ixn))
// Make sure the index got updated.
require.Equal(t, s.maxIndex(tableConnectIntentions), lastIndex)
require.Equal(t, uint64(0), s.maxIndex(tableConfigEntries))
} else {
conf := &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "web",
Sources: []*structs.SourceIntention{
{
LegacyID: id,
Name: "*",
Action: structs.IntentionActionAllow,
LegacyCreateTime: &testTimeA,
LegacyUpdateTime: &testTimeA,
},
},
}
// Insert
require.NoError(t, conf.LegacyNormalize())
require.NoError(t, conf.LegacyValidate())
require.NoError(t, s.EnsureConfigEntry(1, conf.Clone(), nil))
// Make sure the index got updated.
require.Equal(t, s.maxIndex(tableConfigEntries), lastIndex)
require.Equal(t, uint64(0), s.maxIndex(tableConnectIntentions))
}
require.True(t, watchFired(ws), "watch fired")
// Sanity check to make sure it's there.
idx, _, actual, err := s.IntentionGet(nil, id)
require.NoError(t, err)
require.Equal(t, idx, lastIndex)
require.NotNil(t, actual)
// Delete
if legacy {
lastIndex++
require.NoError(t, s.LegacyIntentionDelete(lastIndex, id))
// Make sure the index got updated.
require.Equal(t, s.maxIndex(tableConnectIntentions), lastIndex)
require.Equal(t, uint64(0), s.maxIndex(tableConfigEntries))
} else {
lastIndex++
require.NoError(t, s.DeleteConfigEntry(lastIndex, structs.ServiceIntentions, "web", nil))
// Make sure the index got updated.
require.Equal(t, s.maxIndex(tableConfigEntries), lastIndex)
require.Equal(t, uint64(0), s.maxIndex(tableConnectIntentions))
}
require.True(t, watchFired(ws), "watch fired")
// Sanity check to make sure it's not there.
idx, _, actual, err = s.IntentionGet(nil, id)
require.NoError(t, err)
require.Equal(t, idx, lastIndex)
require.Nil(t, actual)
})
}
func TestStore_IntentionsList(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
lastIndex := uint64(0)
if legacy {
lastIndex = 1 // minor state machine implementation difference
}
entMeta := structs.WildcardEnterpriseMeta()
// Querying with no results returns nil.
ws := memdb.NewWatchSet()
idx, res, fromConfig, err := s.Intentions(ws, entMeta)
require.NoError(t, err)
require.Equal(t, !legacy, fromConfig)
require.Nil(t, res)
require.Equal(t, lastIndex, idx)
testIntention := func(src, dst string) *structs.Intention {
return &structs.Intention{
ID: testUUID(),
SourceNS: "default",
SourceName: src,
DestinationNS: "default",
DestinationName: dst,
SourceType: structs.IntentionSourceConsul,
Action: structs.IntentionActionAllow,
Meta: map[string]string{},
CreatedAt: testTimeA,
UpdatedAt: testTimeA,
}
}
testConfigEntry := func(dst string, srcs ...string) *structs.ServiceIntentionsConfigEntry {
conf := &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: dst,
}
id := testUUID()
for _, src := range srcs {
conf.Sources = append(conf.Sources, &structs.SourceIntention{
LegacyID: id,
Name: src,
Action: structs.IntentionActionAllow,
LegacyCreateTime: &testTimeA,
LegacyUpdateTime: &testTimeA,
})
}
return conf
}
clearIrrelevantFields := func(ixns ...*structs.Intention) {
// Clear fields irrelevant for comparison.
for _, ixn := range ixns {
ixn.Hash = nil
ixn.CreateIndex = 0
ixn.ModifyIndex = 0
ixn.CreatedAt = time.Time{}
ixn.UpdatedAt = time.Time{}
}
}
cmpIntention := func(ixn *structs.Intention, id string) *structs.Intention {
ixn2 := ixn.Clone()
ixn2.ID = id
clearIrrelevantFields(ixn2)
//nolint:staticcheck
ixn2.UpdatePrecedence()
return ixn2
}
var (
expectIDs []string
)
// Create some intentions
if legacy {
ixns := structs.Intentions{
testIntention("foo", "bar"),
testIntention("*", "bar"),
testIntention("foo", "*"),
testIntention("*", "*"),
}
for _, ixn := range ixns {
expectIDs = append(expectIDs, ixn.ID)
lastIndex++
require.NoError(t, s.LegacyIntentionSet(lastIndex, ixn))
}
} else {
confs := []*structs.ServiceIntentionsConfigEntry{
testConfigEntry("bar", "foo", "*"),
testConfigEntry("*", "foo", "*"),
}
for _, conf := range confs {
require.NoError(t, conf.LegacyNormalize())
require.NoError(t, conf.LegacyValidate())
lastIndex++
require.NoError(t, s.EnsureConfigEntry(lastIndex, conf, nil))
}
expectIDs = []string{
confs[0].Sources[0].LegacyID, // foo->bar
confs[0].Sources[1].LegacyID, // *->bar
confs[1].Sources[0].LegacyID, // foo->*
confs[1].Sources[1].LegacyID, // *->*
}
}
require.True(t, watchFired(ws), "watch fired")
// Read it back and verify.
expected := structs.Intentions{
cmpIntention(testIntention("foo", "bar"), expectIDs[0]),
cmpIntention(testIntention("*", "bar"), expectIDs[1]),
cmpIntention(testIntention("foo", "*"), expectIDs[2]),
cmpIntention(testIntention("*", "*"), expectIDs[3]),
}
idx, actual, fromConfig, err := s.Intentions(nil, entMeta)
require.NoError(t, err)
require.Equal(t, !legacy, fromConfig)
require.Equal(t, lastIndex, idx)
clearIrrelevantFields(actual...)
require.Equal(t, expected, actual)
})
}
// Test the matrix of match logic.
//
// Note that this doesn't need to test the intention sort logic exhaustively
// since this is tested in their sort implementation in the structs.
func TestStore_IntentionMatch_table(t *testing.T) {
type testCase struct {
Name string
Insert [][]string // List of intentions to insert
Query [][]string // List of intentions to match
Expected [][][]string // List of matches, where each match is a list of intentions
}
cases := []testCase{
{
"single exact name",
[][]string{
{"bar", "example"},
{"baz", "example"}, // shouldn't match
{"*", "example"},
},
[][]string{
{"bar"},
},
[][][]string{
{
{"bar", "example"},
{"*", "example"},
},
},
},
{
"multiple exact name",
[][]string{
{"bar", "example"},
{"baz", "example"}, // shouldn't match
{"*", "example"},
},
[][]string{
{"bar"},
{"baz"},
},
[][][]string{
{
{"bar", "example"},
{"*", "example"},
},
{
{"baz", "example"},
{"*", "example"},
},
},
},
{
"single exact name with duplicate destinations",
[][]string{
// 2-tuple specifies src and destination to test duplicate destinations
// with different sources. We flip them around to test in both
// directions. The first pair are the ones searched on in both cases so
// the duplicates need to be there.
{"bar", "*"},
{"*", "*"},
},
[][]string{
{"bar"},
},
[][][]string{
{
{"bar", "*"},
{"*", "*"},
},
},
},
}
// testRunner implements the test for a single case, but can be
// parameterized to run for both source and destination so we can
// test both cases.
testRunner := func(t *testing.T, s *Store, legacy bool, tc testCase, typ structs.IntentionMatchType) {
lastIndex := uint64(0)
if legacy {
lastIndex = 1 // minor state machine implementation difference
}
// Insert the set
var ixns []*structs.Intention
for _, v := range tc.Insert {
if len(v) != 2 {
panic("invalid input")
}
ixn := &structs.Intention{
ID: testUUID(),
Action: structs.IntentionActionAllow,
}
switch typ {
case structs.IntentionMatchDestination:
ixn.DestinationNS = "default"
ixn.DestinationName = v[0]
ixn.SourceNS = "default"
ixn.SourceName = v[1]
case structs.IntentionMatchSource:
ixn.SourceNS = "default"
ixn.SourceName = v[0]
ixn.DestinationNS = "default"
ixn.DestinationName = v[1]
default:
panic("unexpected")
}
ixns = append(ixns, ixn)
}
if legacy {
for _, ixn := range ixns {
lastIndex++
require.NoError(t, s.LegacyIntentionSet(lastIndex, ixn))
}
} else {
entries := structs.MigrateIntentions(ixns)
for _, conf := range entries {
require.NoError(t, conf.LegacyNormalize())
require.NoError(t, conf.LegacyValidate())
lastIndex++
require.NoError(t, s.EnsureConfigEntry(lastIndex, conf, &conf.EnterpriseMeta))
}
}
// Build the arguments
args := &structs.IntentionQueryMatch{Type: typ}
for _, q := range tc.Query {
if len(q) != 1 {
panic("wrong length")
}
args.Entries = append(args.Entries, structs.IntentionMatchEntry{
Namespace: "default",
Name: q[0],
})
}
// Match
_, matches, err := s.IntentionMatch(nil, args)
require.NoError(t, err)
// Should have equal lengths
require.Len(t, matches, len(tc.Expected))
// Verify matches
for i, expected := range tc.Expected {
for _, exp := range expected {
if len(exp) != 2 {
panic("invalid input")
}
}
var actual [][]string
for _, ixn := range matches[i] {
switch typ {
case structs.IntentionMatchDestination:
actual = append(actual, []string{
ixn.DestinationName,
ixn.SourceName,
})
case structs.IntentionMatchSource:
actual = append(actual, []string{
ixn.SourceName,
ixn.DestinationName,
})
default:
panic("unexpected")
}
}
require.Equal(t, expected, actual)
}
}
for _, tc := range cases {
t.Run(tc.Name+" (destination)", func(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
testRunner(t, s, legacy, tc, structs.IntentionMatchDestination)
})
})
t.Run(tc.Name+" (source)", func(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
testRunner(t, s, legacy, tc, structs.IntentionMatchSource)
})
})
}
}
// Equivalent to TestStore_IntentionMatch_table but for IntentionMatchOne which
// matches a single service
func TestStore_IntentionMatchOne_table(t *testing.T) {
type testCase struct {
Name string
Insert [][]string // List of intentions to insert
Query []string // List of intentions to match
Expected [][][]string // List of matches, where each match is a list of intentions
}
cases := []testCase{
{
"stress test the intention-source index on config entries",
[][]string{
{"foo", "bar"},
{"foo", "baz"},
{"foo", "zab"},
{"oof", "bar"},
{"oof", "baz"},
{"oof", "zab"},
},
[]string{
"foo",
"oof",
},
[][][]string{
{
{"foo", "bar"},
{"foo", "baz"},
{"foo", "zab"},
},
{
{"oof", "bar"},
{"oof", "baz"},
{"oof", "zab"},
},
},
},
{
"single exact name",
[][]string{
{"bar", "example"},
{"baz", "example"}, // shouldn't match
{"*", "example"},
},
[]string{
"bar",
},
[][][]string{
{
{"bar", "example"},
{"*", "example"},
},
},
},
{
"single exact name with duplicate destinations",
[][]string{
// 2-tuple specifies src and destination to test duplicate destinations
// with different sources. We flip them around to test in both
// directions. The first pair are the ones searched on in both cases so
// the duplicates need to be there.
{"bar", "*"},
{"*", "*"},
},
[]string{
"bar",
},
[][][]string{
{
{"bar", "*"},
{"*", "*"},
},
},
},
}
testRunner := func(t *testing.T, s *Store, legacy bool, tc testCase, typ structs.IntentionMatchType) {
lastIndex := uint64(0)
if legacy {
lastIndex = 1 // minor state machine implementation difference
}
// Insert the set
var ixns []*structs.Intention
for _, v := range tc.Insert {
if len(v) != 2 {
panic("invalid input")
}
ixn := &structs.Intention{
ID: testUUID(),
Action: structs.IntentionActionAllow,
}
switch typ {
case structs.IntentionMatchSource:
ixn.SourceNS = "default"
ixn.SourceName = v[0]
ixn.DestinationNS = "default"
ixn.DestinationName = v[1]
case structs.IntentionMatchDestination:
ixn.DestinationNS = "default"
ixn.DestinationName = v[0]
ixn.SourceNS = "default"
ixn.SourceName = v[1]
default:
panic("unexpected")
}
ixns = append(ixns, ixn)
}
if legacy {
for _, ixn := range ixns {
lastIndex++
require.NoError(t, s.LegacyIntentionSet(lastIndex, ixn))
}
} else {
entries := structs.MigrateIntentions(ixns)
for _, conf := range entries {
require.NoError(t, conf.LegacyNormalize())
require.NoError(t, conf.LegacyValidate())
lastIndex++
require.NoError(t, s.EnsureConfigEntry(lastIndex, conf, &conf.EnterpriseMeta))
}
}
if len(tc.Expected) != len(tc.Query) {
panic("invalid input")
}
for i, query := range tc.Query {
expected := tc.Expected[i]
for _, exp := range expected {
if len(exp) != 2 {
panic("invalid input")
}
}
t.Run("query: "+query, func(t *testing.T) {
// Build the arguments and match
entry := structs.IntentionMatchEntry{
Namespace: "default",
Name: query,
}
_, matches, err := s.IntentionMatchOne(nil, entry, typ)
require.NoError(t, err)
// Verify matches
var actual [][]string
for _, ixn := range matches {
switch typ {
case structs.IntentionMatchDestination:
actual = append(actual, []string{
ixn.DestinationName,
ixn.SourceName,
})
case structs.IntentionMatchSource:
actual = append(actual, []string{
ixn.SourceName,
ixn.DestinationName,
})
}
}
require.Equal(t, expected, actual)
})
}
}
for _, tc := range cases {
t.Run(tc.Name+" (destination)", func(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
testRunner(t, s, legacy, tc, structs.IntentionMatchDestination)
})
})
t.Run(tc.Name+" (source)", func(t *testing.T) {
testBothIntentionFormats(t, func(t *testing.T, s *Store, legacy bool) {
testRunner(t, s, legacy, tc, structs.IntentionMatchSource)
})
})
}
}
func TestStore_IntentionMatch_WatchesDuringUpgrade(t *testing.T) {
s := testStateStore(t)
args := structs.IntentionQueryMatch{
Type: structs.IntentionMatchDestination,
Entries: []structs.IntentionMatchEntry{
{Namespace: "default", Name: "api"},
},
}
// Start with an empty, un-upgraded database and do a watch.
ws := memdb.NewWatchSet()
_, matches, err := s.IntentionMatch(ws, &args)
require.NoError(t, err)
require.Len(t, matches, 1) // one request gets one response
require.Len(t, matches[0], 0) // but no intentions
disableLegacyIntentions(s)
conf := &structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "api",
Sources: []*structs.SourceIntention{
{Name: "web", Action: structs.IntentionActionAllow},
},
}
require.NoError(t, s.EnsureConfigEntry(1, conf, &conf.EnterpriseMeta))
require.True(t, watchFired(ws))
}
func TestStore_LegacyIntention_Snapshot_Restore(t *testing.T) {
// note: irrelevant test for config entries variant
s := testStateStore(t)
// Create some intentions.
ixns := structs.Intentions{
&structs.Intention{
DestinationName: "foo",
},
&structs.Intention{
DestinationName: "bar",
},
&structs.Intention{
DestinationName: "baz",
},
}
// Force the sort order of the UUIDs before we create them so the
// order is deterministic.
id := testUUID()
ixns[0].ID = "a" + id[1:]
ixns[1].ID = "b" + id[1:]
ixns[2].ID = "c" + id[1:]
// Now create
for i, ixn := range ixns {
require.NoError(t, s.LegacyIntentionSet(uint64(4+i), ixn))
}
// Snapshot the queries.
snap := s.Snapshot()
defer snap.Close()
// Alter the real state store.
require.NoError(t, s.LegacyIntentionDelete(7, ixns[0].ID))
// Verify the snapshot.
require.Equal(t, snap.LastIndex(), uint64(6))
// Expect them sorted in insertion order
expected := structs.Intentions{
&structs.Intention{
ID: ixns[0].ID,
DestinationName: "foo",
Meta: map[string]string{},
RaftIndex: structs.RaftIndex{
CreateIndex: 4,
ModifyIndex: 4,
},
},
&structs.Intention{
ID: ixns[1].ID,
DestinationName: "bar",
Meta: map[string]string{},
RaftIndex: structs.RaftIndex{
CreateIndex: 5,
ModifyIndex: 5,
},
},
&structs.Intention{
ID: ixns[2].ID,
DestinationName: "baz",
Meta: map[string]string{},
RaftIndex: structs.RaftIndex{
CreateIndex: 6,
ModifyIndex: 6,
},
},
}
for i := range expected {
//nolint:staticcheck
expected[i].UpdatePrecedence() // to match what is returned...
}
dump, err := snap.LegacyIntentions()
require.NoError(t, err)
require.Equal(t, expected, dump)
// Restore the values into a new state store.
func() {
s := testStateStore(t)
restore := s.Restore()
for _, ixn := range dump {
require.NoError(t, restore.LegacyIntention(ixn))
}
restore.Commit()
// Read the restored values back out and verify that they match. Note that
// Intentions are returned precedence sorted unlike the snapshot so we need
// to rearrange the expected slice some.
expected[0], expected[1], expected[2] = expected[1], expected[2], expected[0]
entMeta := structs.WildcardEnterpriseMeta()
idx, actual, fromConfig, err := s.Intentions(nil, entMeta)
require.NoError(t, err)
require.Equal(t, idx, uint64(6))
require.False(t, fromConfig)
require.Equal(t, expected, actual)
}()
}
// Note: This test does not have an equivalent with legacy intentions as an input.
// That's because the config vs legacy split is handled by store.IntentionMatch
// which has its own tests
func TestStore_IntentionDecision(t *testing.T) {
// web to redis allowed and with permissions
// api to redis denied and without perms (so redis has multiple matches as destination)
// api to web without permissions and with meta
entries := []structs.ConfigEntry{
&structs.ProxyConfigEntry{
Kind: structs.ProxyDefaults,
Name: structs.ProxyConfigGlobal,
Config: map[string]interface{}{
"protocol": "http",
},
},
&structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "redis",
Sources: []*structs.SourceIntention{
{
Name: "web",
Permissions: []*structs.IntentionPermission{
{
Action: structs.IntentionActionAllow,
HTTP: &structs.IntentionHTTPPermission{
Methods: []string{"GET"},
},
},
},
},
{
Name: "api",
Action: structs.IntentionActionDeny,
},
},
},
&structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "web",
Meta: map[string]string{structs.MetaExternalSource: "nomad"},
Sources: []*structs.SourceIntention{
{
Name: "api",
Action: structs.IntentionActionAllow,
},
},
},
&structs.ServiceIntentionsConfigEntry{
Kind: structs.ServiceIntentions,
Name: "mysql",
Sources: []*structs.SourceIntention{
{
Name: "*",
Action: structs.IntentionActionAllow,
},
},
},
}
s := testConfigStateStore(t)
for _, entry := range entries {
require.NoError(t, s.EnsureConfigEntry(1, entry, nil))
}
tt := []struct {
name string
src string
dst string
defaultDecision acl.EnforcementDecision
expect structs.IntentionDecisionSummary
}{
{
name: "no matching intention and default deny",
src: "does-not-exist",
dst: "ditto",
defaultDecision: acl.Deny,
expect: structs.IntentionDecisionSummary{Allowed: false},
},
{
name: "no matching intention and default allow",
src: "does-not-exist",
dst: "ditto",
defaultDecision: acl.Allow,
expect: structs.IntentionDecisionSummary{Allowed: true},
},
{
name: "denied with permissions",
src: "web",
dst: "redis",
expect: structs.IntentionDecisionSummary{
Allowed: false,
HasPermissions: true,
HasExact: true,
},
},
{
name: "denied without permissions",
src: "api",
dst: "redis",
expect: structs.IntentionDecisionSummary{
Allowed: false,
HasPermissions: false,
HasExact: true,
},
},
{
name: "allowed from external source",
src: "api",
dst: "web",
expect: structs.IntentionDecisionSummary{
Allowed: true,
HasPermissions: false,
ExternalSource: "nomad",
HasExact: true,
},
},
{
name: "allowed by source wildcard not exact",
src: "anything",
dst: "mysql",
expect: structs.IntentionDecisionSummary{
Allowed: true,
HasPermissions: false,
HasExact: false,
},
},
}
for _, tc := range tt {
t.Run(tc.name, func(t *testing.T) {
uri := connect.SpiffeIDService{
Service: tc.src,
Namespace: structs.IntentionDefaultNamespace,
}
decision, err := s.IntentionDecision(&uri, tc.dst, structs.IntentionDefaultNamespace, tc.defaultDecision)
require.NoError(t, err)
require.Equal(t, tc.expect, decision)
})
}
}
func disableLegacyIntentions(s *Store) error {
return s.SystemMetadataSet(1, &structs.SystemMetadataEntry{
Key: structs.SystemMetadataIntentionFormatKey,
Value: structs.SystemMetadataIntentionFormatConfigValue,
})
}
func testConfigStateStore(t *testing.T) *Store {
s := testStateStore(t)
disableLegacyIntentions(s)
return s
}