open-consul/agent
Matt Keeler baa89c7c65
Intentions ACL enforcement updates (#7028)
* Renamed structs.IntentionWildcard to structs.WildcardSpecifier

* Refactor ACL Config

Get rid of remnants of enterprise only renaming.

Add a WildcardName field for specifying what string should be used to indicate a wildcard.

* Add wildcard support in the ACL package

For read operations they can call anyAllowed to determine if any read access to the given resource would be granted.

For write operations they can call allAllowed to ensure that write access is granted to everything.

* Make v1/agent/connect/authorize namespace aware

* Update intention ACL enforcement

This also changes how intention:read is granted. Before the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Matches previous behavior.

Due to this being done a few different places ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself.

* Refactor Intention.Apply to make things easier to follow.
2020-01-13 15:51:40 -05:00
..
ae
agentpb Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675) 2019-10-24 14:38:09 -04:00
cache agent: cache notifications work after error if the underlying RPC returns index=1 (#6547) 2019-09-26 10:42:17 -05:00
cache-types Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
checks OSS changes for implementing token based namespace inferencing 2019-12-18 14:07:08 -05:00
config OSS changes to allow for parsing the enterprise DNS config prop… (#6959) 2019-12-18 10:16:35 -05:00
connect Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
consul Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
debug
exec
local Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
metadata
mock Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
pool Add note about RPC multiplexing and TLS content type mutual exc… (#6698) 2019-10-30 09:24:30 -04:00
proxycfg Move where the service-resolver watch is done so that it happen… (#7025) 2020-01-10 10:30:13 -05:00
router Do not surface left servers (#6420) 2019-10-08 22:16:00 -05:00
structs Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
systemd
token acl: use constant time comparing to check token (#6943) 2019-12-16 21:54:52 +01:00
xds Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
acl.go OSS changes for implementing token based namespace inferencing 2019-12-18 14:07:08 -05:00
acl_endpoint.go Add Namespace support to the API module and the CLI commands (#6874) 2019-12-06 11:14:56 -05:00
acl_endpoint_legacy.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
acl_endpoint_legacy_test.go
acl_endpoint_test.go [Feature] API: Add a internal endpoint to query for ACL authori… (#6888) 2019-12-06 09:25:26 -05:00
acl_test.go OSS changes for implementing token based namespace inferencing 2019-12-18 14:07:08 -05:00
agent.go OSS changes for implementing token based namespace inferencing 2019-12-18 14:07:08 -05:00
agent_endpoint.go Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
agent_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
agent_oss.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
agent_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
bindata_assetfs.go update bindata_assetfs.go 2019-12-20 17:16:51 +00:00
blacklist.go
blacklist_test.go
catalog_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
catalog_endpoint_test.go test: unflake TestCatalogServiceNodes_DistanceSort 2019-11-18 16:21:01 -06:00
check.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
config.go
config_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
config_endpoint_test.go Expose HTTP-based paths through Connect proxy (#6446) 2019-09-25 20:55:52 -06:00
connect_auth.go Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
connect_ca_endpoint.go connect: Add AWS PCA provider (#6795) 2019-11-21 17:40:29 +00:00
connect_ca_endpoint_test.go connect: Add AWS PCA provider (#6795) 2019-11-21 17:40:29 +00:00
coordinate_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
coordinate_endpoint_test.go
discovery_chain_endpoint.go Add Namespace support to the API module and the CLI commands (#6874) 2019-12-06 11:14:56 -05:00
discovery_chain_endpoint_test.go
dns.go dns: fix memoryleak by upgrading outdated miekg/dns (#6748) 2019-12-16 22:31:27 +01:00
dns_oss.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
dns_test.go dns: fix memoryleak by upgrading outdated miekg/dns (#6748) 2019-12-16 22:31:27 +01:00
enterprise_delegate_oss.go
event_endpoint.go ACL Authorizer overhaul (#6620) 2019-10-15 16:58:50 -04:00
event_endpoint_test.go
health_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
health_endpoint_test.go test: unflake two TestHealthServiceNode_* tests 2019-11-18 16:21:01 -06:00
http.go ui: feature support templating for index.html (#6921) 2019-12-13 14:50:07 -05:00
http_decode_test.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
http_oss.go ui: feature support templating for index.html (#6921) 2019-12-13 14:50:07 -05:00
http_oss_test.go
http_register.go [Feature] API: Add a internal endpoint to query for ACL authori… (#6888) 2019-12-06 09:25:26 -05:00
http_test.go tests: increase TLSHandshakeTimeout to help slow tests (#6864) 2019-12-05 13:20:07 +01:00
intentions_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
intentions_endpoint_test.go
keyring.go
keyring_test.go
kvs_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
kvs_endpoint_test.go
notify.go
notify_test.go
operator_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
operator_endpoint_test.go
prepared_query_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
prepared_query_endpoint_test.go
remote_exec.go
remote_exec_test.go
retry_join.go
retry_join_test.go Bump go-discover to support EC2 Metadata Service v2 (#6865) 2019-12-04 11:59:16 -05:00
service_checks_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
service_manager.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
service_manager_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
session_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
session_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
sidecar_service.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
sidecar_service_test.go
signal_unix.go
signal_windows.go
snapshot_endpoint.go
snapshot_endpoint_test.go
status_endpoint.go
status_endpoint_test.go
testagent.go Miscellaneous Fixes (#6896) 2019-12-06 14:01:34 -05:00
testagent_test.go
translate_addr.go
txn_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
txn_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
ui_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
ui_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
user_event.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
user_event_test.go
util.go
util_test.go
watch_handler.go
watch_handler_test.go