Merge branch 'main' into fix-issuer-growing-list-maybe-from-vault

.changelog/14132.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+raft: add an operator api endpoint and a command to initiate raft leadership transfer.
+```

.changelog/15083.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: fixed bug where endpoint updates for new xDS clusters could block for 15s before being sent to Envoy.
+```

.changelog/15186.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: Fix issue where mesh-gateway settings were not properly inherited from configuration entries.
+```

.changelog/15272.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+proxycfg(mesh-gateway): Fix issue where deregistered services are not removed from mesh-gateway clusters.
+```

.changelog/15297.txt

@@ -0,0 +1,7 @@
+```release-note:improvement
+api: updated the go module directive to 1.18.
+```
+
+```release-note:improvement
+sdk: updated the go module directive to 1.18.
+```

.changelog/15302.txt

@@ -0,0 +1,7 @@
+```release-note:breaking-change
+config: update 1.14 config defaults: Enable `peering` and `connect` by default.
+```
+
+```release-note:breaking-change
+config: update 1.14 config defaults: Set gRPC TLS port default value to 8503
+```

.changelog/15317.txt

@@ -0,0 +1,3 @@
+```release-note:improvements
+acl: Allow reading imported services and nodes from cluster peers with read all permissions
+```

.changelog/15320.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+connect: strip port from DNS SANs for ingress gateway leaf certificate to avoid an invalid hostname error when using the Vault provider.
+```

.changelog/14294.txt → .changelog/15339.txt

@@ -2,5 +2,5 @@
 config: Add new `ports.grpc_tls` configuration option.
 Introduce a new port to better separate TLS config from the existing `ports.grpc` config.
 The new `ports.grpc_tls` only supports TLS encrypted communication.
-The existing `ports.grpc` currently supports both plain-text and tls communication, but tls support will be removed in a future release.
+The existing `ports.grpc` now only supports plain-text communication.
 ```

.changelog/15356.txt

@@ -0,0 +1,3 @@
+```release-note:security
+Ensure that data imported from peers is filtered by ACLs at the UI Nodes/Services endpoints [CVE-2022-3920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3920)
+```

.changelog/15370.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+auto-config: Relax the validation on auto-config JWT authorization to allow non-whitespace, non-quote characters in node names.
+```

.changelog/_3550.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+namespace: **(Enterprise Only)** Fixed a bug where a client may incorrectly log that namespaces were not enabled in the local datacenter 
+```

.changelog/_3557.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+dns/peering: **(Enterprise Only)** Support addresses in the formats <servicename>.virtual.<namespace>.ns.<partition>.ap.<peername>.peer.consul and <servicename>.virtual.<partition>.ap.<peername>.peer.consul. This longer form address that allows specifying `.peer` would need to be used for tproxy DNS requests made within non-default partitions for imported services.
+```

.golangci.yml

@@ -83,6 +83,7 @@ linters-settings:
   forbidigo:
     # Forbid the following identifiers (list of regexp).
     forbid:
+      - '\bioutil\b(# Use io and os packages instead of ioutil)?'
       - '\brequire\.New\b(# Use package-level functions with explicit TestingT)?'
       - '\bassert\.New\b(# Use package-level functions with explicit TestingT)?'
     # Exclude godoc examples from forbidigo checks.

LICENSE

@@ -1,3 +1,5 @@
+Copyright (c) 2013 HashiCorp, Inc.
+
 Mozilla Public License, version 2.0
 
 1. Definitions

acl/MockAuthorizer.go

@@ -0,0 +1,223 @@
+package acl
+
+import "github.com/stretchr/testify/mock"
+
+type MockAuthorizer struct {
+	mock.Mock
+}
+
+var _ Authorizer = (*MockAuthorizer)(nil)
+
+// ACLRead checks for permission to list all the ACLs
+func (m *MockAuthorizer) ACLRead(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// ACLWrite checks for permission to manipulate ACLs
+func (m *MockAuthorizer) ACLWrite(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// AgentRead checks for permission to read from agent endpoints for a
+// given node.
+func (m *MockAuthorizer) AgentRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// AgentWrite checks for permission to make changes via agent endpoints
+// for a given node.
+func (m *MockAuthorizer) AgentWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// EventRead determines if a specific event can be queried.
+func (m *MockAuthorizer) EventRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// EventWrite determines if a specific event may be fired.
+func (m *MockAuthorizer) EventWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// IntentionDefaultAllow determines the default authorized behavior
+// when no intentions match a Connect request.
+func (m *MockAuthorizer) IntentionDefaultAllow(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// IntentionRead determines if a specific intention can be read.
+func (m *MockAuthorizer) IntentionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// IntentionWrite determines if a specific intention can be
+// created, modified, or deleted.
+func (m *MockAuthorizer) IntentionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// KeyList checks for permission to list keys under a prefix
+func (m *MockAuthorizer) KeyList(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// KeyRead checks for permission to read a given key
+func (m *MockAuthorizer) KeyRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// KeyWrite checks for permission to write a given key
+func (m *MockAuthorizer) KeyWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// KeyWritePrefix checks for permission to write to an
+// entire key prefix. This means there must be no sub-policies
+// that deny a write.
+func (m *MockAuthorizer) KeyWritePrefix(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// KeyringRead determines if the encryption keyring used in
+// the gossip layer can be read.
+func (m *MockAuthorizer) KeyringRead(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// KeyringWrite determines if the keyring can be manipulated
+func (m *MockAuthorizer) KeyringWrite(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// NodeRead checks for permission to read (discover) a given node.
+func (m *MockAuthorizer) NodeRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+func (m *MockAuthorizer) NodeReadAll(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// NodeWrite checks for permission to create or update (register) a
+// given node.
+func (m *MockAuthorizer) NodeWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+func (m *MockAuthorizer) MeshRead(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+func (m *MockAuthorizer) MeshWrite(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// PeeringRead determines if the read-only Consul peering functions
+// can be used.
+func (m *MockAuthorizer) PeeringRead(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// PeeringWrite determines if the state-changing Consul peering
+// functions can be used.
+func (m *MockAuthorizer) PeeringWrite(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// OperatorRead determines if the read-only Consul operator functions
+// can be used.	ret := m.Called(segment, ctx)
+func (m *MockAuthorizer) OperatorRead(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// OperatorWrite determines if the state-changing Consul operator
+// functions can be used.
+func (m *MockAuthorizer) OperatorWrite(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// PreparedQueryRead determines if a specific prepared query can be read
+// to show its contents (this is not used for execution).
+func (m *MockAuthorizer) PreparedQueryRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// PreparedQueryWrite determines if a specific prepared query can be
+// created, modified, or deleted.
+func (m *MockAuthorizer) PreparedQueryWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// ServiceRead checks for permission to read a given service
+func (m *MockAuthorizer) ServiceRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+func (m *MockAuthorizer) ServiceReadAll(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// ServiceWrite checks for permission to create or update a given
+// service
+func (m *MockAuthorizer) ServiceWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// ServiceWriteAny checks for service:write on any service
+func (m *MockAuthorizer) ServiceWriteAny(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// SessionRead checks for permission to read sessions for a given node.
+func (m *MockAuthorizer) SessionRead(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// SessionWrite checks for permission to create sessions for a given
+// node.
+func (m *MockAuthorizer) SessionWrite(segment string, ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(segment, ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+// Snapshot checks for permission to take and restore snapshots.
+func (m *MockAuthorizer) Snapshot(ctx *AuthorizerContext) EnforcementDecision {
+	ret := m.Called(ctx)
+	return ret.Get(0).(EnforcementDecision)
+}
+
+func (p *MockAuthorizer) ToAllowAuthorizer() AllowAuthorizer {
+	return AllowAuthorizer{Authorizer: p}
+}

acl/acl.go

@@ -20,6 +20,10 @@ type ExportFetcher interface {
 }
 
 type ExportedServices struct {
+	// Data is a map of [namespace] -> [service] -> [list of partitions the service is exported to]
+	// This includes both the names of typical service instances and their corresponding sidecar proxy
+	// instance names. Meaning that if "web" is exported, "web-sidecar-proxy" instances will also be
+	// shown as exported.
 	Data map[string]map[string][]string
 }
 

acl/authorizer_oss.go

@@ -3,8 +3,19 @@
 
 package acl
 
-// AuthorizerContext stub
-type AuthorizerContext struct{}
+// AuthorizerContext contains extra information that can be
+// used in the determination of an ACL enforcement decision.
+type AuthorizerContext struct {
+	// Peer is the name of the peer that the resource was imported from.
+	Peer string
+}
+
+func (c *AuthorizerContext) PeerOrEmpty() string {
+	if c == nil {
+		return ""
+	}
+	return c.Peer
+}
 
 // enterpriseAuthorizer stub interface
 type enterpriseAuthorizer interface{}