35c4efd220
Extend Consul’s intentions model to allow for request-based access control enforcement for HTTP-like protocols in addition to the existing connection-based enforcement for unspecified protocols (e.g. tcp).
130 lines
3.4 KiB
Go
130 lines
3.4 KiB
Go
package xds
|
|
|
|
import (
|
|
"fmt"
|
|
"regexp"
|
|
|
|
envoycore "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"
|
|
"github.com/hashicorp/go-version"
|
|
)
|
|
|
|
var (
|
|
// minSupportedVersion is the oldest mainline version we support. This should always be
|
|
// the zero'th point release of the last element of proxysupport.EnvoyVersions.
|
|
minSupportedVersion = version.Must(version.NewVersion("1.12.0"))
|
|
|
|
specificUnsupportedVersions = []unsupportedVersion{
|
|
{
|
|
Version: version.Must(version.NewVersion("1.12.0")),
|
|
UpgradeTo: "1.12.3+",
|
|
Why: "does not support RBAC rules using url_path",
|
|
},
|
|
{
|
|
Version: version.Must(version.NewVersion("1.12.1")),
|
|
UpgradeTo: "1.12.3+",
|
|
Why: "does not support RBAC rules using url_path",
|
|
},
|
|
{
|
|
Version: version.Must(version.NewVersion("1.12.2")),
|
|
UpgradeTo: "1.12.3+",
|
|
Why: "does not support RBAC rules using url_path",
|
|
},
|
|
{
|
|
Version: version.Must(version.NewVersion("1.13.0")),
|
|
UpgradeTo: "1.13.1+",
|
|
Why: "does not support RBAC rules using url_path",
|
|
},
|
|
}
|
|
)
|
|
|
|
type unsupportedVersion struct {
|
|
Version *version.Version
|
|
UpgradeTo string
|
|
Why string
|
|
}
|
|
|
|
type supportedProxyFeatures struct {
|
|
// add version dependent feature flags here
|
|
}
|
|
|
|
func determineSupportedProxyFeatures(node *envoycore.Node) (supportedProxyFeatures, error) {
|
|
version := determineEnvoyVersionFromNode(node)
|
|
return determineSupportedProxyFeaturesFromVersion(version)
|
|
}
|
|
|
|
func determineSupportedProxyFeaturesFromString(vs string) (supportedProxyFeatures, error) {
|
|
version := version.Must(version.NewVersion(vs))
|
|
return determineSupportedProxyFeaturesFromVersion(version)
|
|
}
|
|
|
|
func determineSupportedProxyFeaturesFromVersion(version *version.Version) (supportedProxyFeatures, error) {
|
|
if version == nil {
|
|
// This would happen on either extremely old builds OR perhaps on
|
|
// custom builds. Should we error?
|
|
return supportedProxyFeatures{}, nil
|
|
}
|
|
|
|
if version.LessThan(minSupportedVersion) {
|
|
return supportedProxyFeatures{}, fmt.Errorf("Envoy %s is too old and is not supported by Consul", version)
|
|
}
|
|
|
|
for _, uv := range specificUnsupportedVersions {
|
|
if version.Equal(uv.Version) {
|
|
return supportedProxyFeatures{}, fmt.Errorf(
|
|
"Envoy %s is too old of a point release and is not supported by Consul because it %s. "+
|
|
"Please upgrade to version %s.",
|
|
version,
|
|
uv.Why,
|
|
uv.UpgradeTo,
|
|
)
|
|
}
|
|
}
|
|
|
|
return supportedProxyFeatures{}, nil
|
|
}
|
|
|
|
// example: 1580db37e9a97c37e410bad0e1507ae1a0fd9e77/1.12.4/Clean/RELEASE/BoringSSL
|
|
var buildVersionPattern = regexp.MustCompile(`^[a-f0-9]{40}/([^/]+)/Clean/RELEASE/BoringSSL$`)
|
|
|
|
func determineEnvoyVersionFromNode(node *envoycore.Node) *version.Version {
|
|
if node == nil {
|
|
return nil
|
|
}
|
|
|
|
if node.UserAgentVersionType == nil {
|
|
if node.BuildVersion == "" {
|
|
return nil
|
|
}
|
|
|
|
// Must be an older pre-1.13 envoy
|
|
m := buildVersionPattern.FindStringSubmatch(node.BuildVersion)
|
|
if m == nil {
|
|
return nil
|
|
}
|
|
|
|
return version.Must(version.NewVersion(m[1]))
|
|
}
|
|
|
|
if node.UserAgentName != "envoy" {
|
|
return nil
|
|
}
|
|
|
|
bv, ok := node.UserAgentVersionType.(*envoycore.Node_UserAgentBuildVersion)
|
|
if !ok {
|
|
// NOTE: we could sniff for *envoycore.Node_UserAgentVersion and do more regex but official builds don't have this problem.
|
|
return nil
|
|
}
|
|
if bv.UserAgentBuildVersion == nil {
|
|
return nil
|
|
}
|
|
v := bv.UserAgentBuildVersion.Version
|
|
|
|
return version.Must(version.NewVersion(
|
|
fmt.Sprintf("%d.%d.%d",
|
|
v.GetMajorNumber(),
|
|
v.GetMinorNumber(),
|
|
v.GetPatch(),
|
|
),
|
|
))
|
|
}
|