open-consul/agent
Matt Keeler baa89c7c65
Intentions ACL enforcement updates (#7028)
* Renamed structs.IntentionWildcard to structs.WildcardSpecifier

* Refactor ACL Config

Get rid of remnants of enterprise only renaming.

Add a WildcardName field for specifying what string should be used to indicate a wildcard.

* Add wildcard support in the ACL package

For read operations they can call anyAllowed to determine if any read access to the given resource would be granted.

For write operations they can call allAllowed to ensure that write access is granted to everything.

* Make v1/agent/connect/authorize namespace aware

* Update intention ACL enforcement

This also changes how intention:read is granted. Before, the Intention.List RPC would allow viewing an intention if the token had intention:read on the destination. However, Intention.Match allowed viewing if access was allowed for either the source or dest side. Now Intention.List and Intention.Get fall in line with Intention.Match's previous behavior.

Due to this being done in a few different places, ACL enforcement for a singular intention is now done with the CanRead and CanWrite methods on the intention itself.

* Refactor Intention.Apply to make things easier to follow.
2020-01-13 15:51:40 -05:00
..
ae Add -sidecar-for and new /agent/service/:service_id endpoint (#4691) 2018-10-10 16:55:34 +01:00
agentpb Updates to allow for Namespacing ACL resources in Consul Enterp… (#6675) 2019-10-24 14:38:09 -04:00
cache agent: cache notifications work after error if the underlying RPC returns index=1 (#6547) 2019-09-26 10:42:17 -05:00
cache-types Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
checks OSS changes for implementing token based namespace inferencing 2019-12-18 14:07:08 -05:00
config OSS changes to allow for parsing the enterprise DNS config prop… (#6959) 2019-12-18 10:16:35 -05:00
connect Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
consul Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
debug fix comment typos (#4890) 2018-11-02 12:00:39 -05:00
exec
local Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
metadata New ACLs (#4791) 2018-10-19 12:04:07 -04:00
mock Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
pool Add note about RPC multiplexing and TLS content type mutual exc… (#6698) 2019-10-30 09:24:30 -04:00
proxycfg Move where the service-resolver watch is done so that it happen… (#7025) 2020-01-10 10:30:13 -05:00
router Do not surface left servers (#6420) 2019-10-08 22:16:00 -05:00
structs Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
systemd
token acl: use constant time comparing to check token (#6943) 2019-12-16 21:54:52 +01:00
xds Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
acl.go OSS changes for implementing token based namespace inferencing 2019-12-18 14:07:08 -05:00
acl_endpoint.go Add Namespace support to the API module and the CLI commands (#6874) 2019-12-06 11:14:56 -05:00
acl_endpoint_legacy.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
acl_endpoint_legacy_test.go Pass a testing.T into NewTestAgent and TestAgent.Start (#5342) 2019-02-14 10:59:14 -05:00
acl_endpoint_test.go [Feature] API: Add a internal endpoint to query for ACL authori… (#6888) 2019-12-06 09:25:26 -05:00
acl_test.go OSS changes for implementing token based namespace inferencing 2019-12-18 14:07:08 -05:00
agent.go OSS changes for implementing token based namespace inferencing 2019-12-18 14:07:08 -05:00
agent_endpoint.go Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
agent_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
agent_oss.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
agent_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
bindata_assetfs.go update bindata_assetfs.go 2019-12-20 17:16:51 +00:00
blacklist.go
blacklist_test.go
catalog_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
catalog_endpoint_test.go test: unflake TestCatalogServiceNodes_DistanceSort 2019-11-18 16:21:01 -06:00
check.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
config.go Make a few config entry endpoints return 404s and allow for snake_case and lowercase key names. (#5748) 2019-04-30 18:19:19 -04:00
config_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
config_endpoint_test.go Expose HTTP-based paths through Connect proxy (#6446) 2019-09-25 20:55:52 -06:00
connect_auth.go Intentions ACL enforcement updates (#7028) 2020-01-13 15:51:40 -05:00
connect_ca_endpoint.go connect: Add AWS PCA provider (#6795) 2019-11-21 17:40:29 +00:00
connect_ca_endpoint_test.go connect: Add AWS PCA provider (#6795) 2019-11-21 17:40:29 +00:00
coordinate_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
coordinate_endpoint_test.go test: add additional http status code assertions in coordinate HTTP API tests (#6410) 2019-08-29 09:55:05 -05:00
discovery_chain_endpoint.go Add Namespace support to the API module and the CLI commands (#6874) 2019-12-06 11:14:56 -05:00
discovery_chain_endpoint_test.go connect: generate the full SNI names for discovery targets in the compiler rather than in the xds package (#6340) 2019-08-19 13:03:03 -05:00
dns.go dns: fix memoryleak by upgrading outdated miekg/dns (#6748) 2019-12-16 22:31:27 +01:00
dns_oss.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
dns_test.go dns: fix memoryleak by upgrading outdated miekg/dns (#6748) 2019-12-16 22:31:27 +01:00
enterprise_delegate_oss.go Update to use a consulent build tag instead of just ent (#5759) 2019-05-01 11:11:27 -04:00
event_endpoint.go ACL Authorizer overhaul (#6620) 2019-10-15 16:58:50 -04:00
event_endpoint_test.go Move internal/ to sdk/ (#5568) 2019-03-27 08:54:56 -04:00
health_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
health_endpoint_test.go test: unflake two TestHealthServiceNode_* tests 2019-11-18 16:21:01 -06:00
http.go ui: feature support templating for index.html (#6921) 2019-12-13 14:50:07 -05:00
http_decode_test.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
http_oss.go ui: feature support templating for index.html (#6921) 2019-12-13 14:50:07 -05:00
http_oss_test.go Pass a testing.T into NewTestAgent and TestAgent.Start (#5342) 2019-02-14 10:59:14 -05:00
http_register.go [Feature] API: Add a internal endpoint to query for ACL authori… (#6888) 2019-12-06 09:25:26 -05:00
http_test.go tests: increase TLSHandshakeTimeout to help slow tests (#6864) 2019-12-05 13:20:07 +01:00
intentions_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
intentions_endpoint_test.go Pass a testing.T into NewTestAgent and TestAgent.Start (#5342) 2019-02-14 10:59:14 -05:00
keyring.go add flag to allow /operator/keyring requests to only hit local servers (#6279) 2019-08-12 11:11:11 -07:00
keyring_test.go test: ensure all TestAgent constructions use a constructor (#6443) 2019-09-05 10:24:36 -07:00
kvs_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
kvs_endpoint_test.go Pass a testing.T into NewTestAgent and TestAgent.Start (#5342) 2019-02-14 10:59:14 -05:00
notify.go
notify_test.go
operator_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
operator_endpoint_test.go add flag to allow /operator/keyring requests to only hit local servers (#6279) 2019-08-12 11:11:11 -07:00
prepared_query_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
prepared_query_endpoint_test.go Add tagged addresses for services (#5965) 2019-06-17 10:51:50 -04:00
remote_exec.go
remote_exec_test.go Update retries that weren't using retry.R (#6146) 2019-07-16 14:47:45 -06:00
retry_join.go tls: auto_encrypt enables automatic RPC cert provisioning for consul clients (#5597) 2019-06-27 22:22:07 +02:00
retry_join_test.go Bump go-discover to support EC2 Metadata Service v2 (#6865) 2019-12-04 11:59:16 -05:00
service_checks_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
service_manager.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
service_manager_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
session_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
session_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
sidecar_service.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
sidecar_service_test.go test: don't leak agent goroutines in TestAgent_sidecarServiceFromNodeService (#6396) 2019-08-26 15:19:59 -05:00
signal_unix.go cli: forward SIGTERM to child process of 'lock' and 'watch' subcommands (#4737) 2018-10-02 15:57:21 -05:00
signal_windows.go cli: forward SIGTERM to child process of 'lock' and 'watch' subcommands (#4737) 2018-10-02 15:57:21 -05:00
snapshot_endpoint.go
snapshot_endpoint_test.go add wait to TestSnapshot 2019-02-22 17:34:45 -05:00
status_endpoint.go Allow forwarding of some status RPCs (#6198) 2019-07-25 14:26:22 -04:00
status_endpoint_test.go Fix flaky tests (#6229) 2019-07-29 15:07:25 -04:00
testagent.go Miscellaneous Fixes (#6896) 2019-12-06 14:01:34 -05:00
testagent_test.go
translate_addr.go Add tagged addresses for services (#5965) 2019-06-17 10:51:50 -04:00
txn_endpoint.go Use encoding/json as JSON decoder instead of mapstructure (#6680) 2019-10-29 11:13:36 -07:00
txn_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
ui_endpoint.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
ui_endpoint_test.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
user_event.go Sync of OSS changes to support namespaces (#6909) 2019-12-09 21:26:41 -05:00
user_event_test.go Move internal/ to sdk/ (#5568) 2019-03-27 08:54:56 -04:00
util.go cli: forward SIGTERM to child process of 'lock' and 'watch' subcommands (#4737) 2018-10-02 15:57:21 -05:00
util_test.go Move internal/ to sdk/ (#5568) 2019-03-27 08:54:56 -04:00
watch_handler.go Move the watch package into the api module (#5664) 2019-04-26 12:33:01 -04:00
watch_handler_test.go Move the watch package into the api module (#5664) 2019-04-26 12:33:01 -04:00