From 3ca24425ef7ad223077269a42041622f269ef5d0 Mon Sep 17 00:00:00 2001 From: "R.B. Boyer" <4903+rboyer@users.noreply.github.com> Date: Thu, 15 Jul 2021 10:10:03 -0500 Subject: [PATCH] (1.9.x) xds: ensure single L7 deny intention with default deny policy does not result in allow action (CVE-2021-36213) (#10620) Backport of #10619 to 1.9.x --- .changelog/10619.txt | 3 + agent/xds/rbac.go | 30 +- agent/xds/rbac_test.go | 472 +++++++++++++++++- ...deny-all-and-path-allow--httpfilter.golden | 49 ++ ...fault-allow-deny-all-and-path-allow.golden | 61 +++ ...-deny-all-and-path-deny--httpfilter.golden | 73 +++ ...efault-allow-deny-all-and-path-deny.golden | 61 +++ ...efault-allow-path-allow--httpfilter.golden | 8 + .../rbac/default-allow-path-allow.golden | 31 ++ ...default-allow-path-deny--httpfilter.golden | 34 ++ .../rbac/default-allow-path-deny.golden | 31 ++ ...deny-all-and-path-allow--httpfilter.golden | 33 ++ ...efault-deny-deny-all-and-path-allow.golden | 8 + ...-deny-all-and-path-deny--httpfilter.golden | 7 + ...default-deny-deny-all-and-path-deny.golden | 8 + ...default-deny-path-allow--httpfilter.golden | 33 ++ .../rbac/default-deny-path-allow.golden | 8 + .../default-deny-path-deny--httpfilter.golden | 7 + .../rbac/default-deny-path-deny.golden | 8 + 19 files changed, 960 insertions(+), 5 deletions(-) create mode 100644 .changelog/10619.txt create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden create mode 100644 agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden create mode 100644 agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.golden create mode 100644 agent/xds/testdata/rbac/default-allow-path-allow.golden create mode 100644 agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden create mode 100644 agent/xds/testdata/rbac/default-allow-path-deny.golden create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.golden create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.golden create mode 100644 agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.golden create mode 100644 agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden create mode 100644 agent/xds/testdata/rbac/default-deny-path-allow.golden create mode 100644 agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.golden create mode 100644 agent/xds/testdata/rbac/default-deny-path-deny.golden diff --git a/.changelog/10619.txt b/.changelog/10619.txt new file mode 100644 index 000000000000..b781033f7911 --- /dev/null +++ b/.changelog/10619.txt @@ -0,0 +1,3 @@ +```release-note:security +xds: ensure single L7 deny intention with default deny policy does not result in allow action [CVE-2021-36213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36213) +``` diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go index 19927c1c6d9d..1bea8a3954d9 100644 --- a/agent/xds/rbac.go +++ b/agent/xds/rbac.go @@ -12,6 +12,7 @@ import ( envoynetrbac "github.com/envoyproxy/go-control-plane/envoy/config/filter/network/rbac/v2" envoyrbac "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2" envoymatcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" + "github.com/hashicorp/consul/agent/structs" ) @@ -109,13 +110,34 @@ func removeIntentionPrecedence(rbacIxns []*rbacIntention, intentionDefaultAction // between any two intentions. rbacIxns = removeSourcePrecedence(rbacIxns, intentionDefaultAction) + numRetained := 0 for _, rbacIxn := range rbacIxns { // Remove permission precedence. After this completes precedence // doesn't matter between any two permissions on this intention. rbacIxn.Permissions = removePermissionPrecedence(rbacIxn.Permissions, intentionDefaultAction) + if rbacIxn.Action == intentionActionLayer7 && len(rbacIxn.Permissions) == 0 { + // All of the permissions must have had the default action type and + // were removed. Mark this for removal below. + rbacIxn.Skip = true + } else { + numRetained++ + } } - return rbacIxns + if numRetained == len(rbacIxns) { + return rbacIxns + } + + // We previously used the absence of permissions (above) as a signal to + // mark the entire intention for removal. Now do the deletions. + out := make([]*rbacIntention, 0, numRetained) + for _, rixn := range rbacIxns { + if !rixn.Skip { + out = append(out, rixn) + } + } + + return out } func removePermissionPrecedence(perms []*rbacPermission, intentionDefaultAction intentionAction) []*rbacPermission { @@ -400,10 +422,14 @@ func makeRBACRules(intentions structs.Intentions, intentionDefaultAllow bool, is var principalsL4 []*envoyrbac.Principal for i, rbacIxn := range rbacIxns { - if len(rbacIxn.Permissions) > 0 { + if rbacIxn.Action == intentionActionLayer7 { + if len(rbacIxn.Permissions) == 0 { + panic("invalid state: L7 intention has no permissions") + } if !isHTTP { panic("invalid state: L7 permissions present for TCP service") } + // For L7: we should generate one Policy per Principal and list all of the Permissions policy := &envoyrbac.Policy{ Principals: []*envoyrbac.Principal{rbacIxn.ComputedPrincipal}, diff --git a/agent/xds/rbac_test.go b/agent/xds/rbac_test.go index 87a36586a002..ee18c7747c70 100644 --- a/agent/xds/rbac_test.go +++ b/agent/xds/rbac_test.go @@ -6,11 +6,381 @@ import ( "sort" "testing" - "github.com/hashicorp/consul/agent/structs" + envoyrbac "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v2" + envoymatcher "github.com/envoyproxy/go-control-plane/envoy/type/matcher" + "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" + + "github.com/hashicorp/consul/agent/structs" ) +func TestRemoveIntentionPrecedence(t *testing.T) { + testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention { + t.Helper() + ixn := structs.TestIntention(t) + ixn.SourceName = src + ixn.DestinationName = dst + ixn.Action = action + //nolint:staticcheck + ixn.UpdatePrecedence() + return ixn + } + testSourceIntention := func(src string, action structs.IntentionAction) *structs.Intention { + return testIntention(t, src, "api", action) + } + testSourcePermIntention := func(src string, perms ...*structs.IntentionPermission) *structs.Intention { + ixn := testIntention(t, src, "api", "") + ixn.Permissions = perms + return ixn + } + sorted := func(ixns ...*structs.Intention) structs.Intentions { + sort.SliceStable(ixns, func(i, j int) bool { + return ixns[j].Precedence < ixns[i].Precedence + }) + return structs.Intentions(ixns) + } + + var ( + nameWild = structs.NewServiceName("*", nil) + nameWeb = structs.NewServiceName("web", nil) + permSlashPrefix = &structs.IntentionPermission{ + Action: structs.IntentionActionAllow, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + } + permDenySlashPrefix = &structs.IntentionPermission{ + Action: structs.IntentionActionDeny, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + } + xdsPermSlashPrefix = &envoyrbac.Permission{ + Rule: &envoyrbac.Permission_UrlPath{ + UrlPath: &envoymatcher.PathMatcher{ + Rule: &envoymatcher.PathMatcher_Path{ + Path: &envoymatcher.StringMatcher{ + MatchPattern: &envoymatcher.StringMatcher_Prefix{ + Prefix: "/", + }, + }, + }, + }, + }, + } + ) + + // NOTE: these default=(allow|deny) wild=(allow|deny) path=(allow|deny) + // tests below are meant to verify some of the behaviors work as expected + // when the default acl mode changes for the system + tests := map[string]struct { + intentionDefaultAllow bool + http bool + intentions structs.Intentions + expect []*rbacIntention + }{ + "default-allow-path-allow": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + ), + expect: []*rbacIntention{}, // EMPTY, just use the defaults + }, + "default-deny-path-allow": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permSlashPrefix, + Action: intentionActionAllow, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + }, + }, + "default-allow-path-deny": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permDenySlashPrefix, + Action: intentionActionDeny, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + }, + }, + "default-deny-path-deny": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + ), + expect: []*rbacIntention{}, + }, + // ======================== + "default-allow-deny-all-and-path-allow": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + testSourceIntention("*", structs.IntentionActionDeny), + ), + expect: []*rbacIntention{ + { + Source: nameWild, + NotSources: []structs.ServiceName{ + nameWeb, + }, + Action: intentionActionDeny, + Permissions: nil, + Precedence: 8, + Skip: false, + ComputedPrincipal: andPrincipals( + []*envoyrbac.Principal{ + idPrincipal(nameWild), + notPrincipal( + idPrincipal(nameWeb), + ), + }, + ), + }, + }, + }, + "default-deny-deny-all-and-path-allow": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + testSourceIntention("*", structs.IntentionActionDeny), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permSlashPrefix, + Action: intentionActionAllow, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + }, + }, + "default-allow-deny-all-and-path-deny": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + testSourceIntention("*", structs.IntentionActionDeny), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permDenySlashPrefix, + Action: intentionActionDeny, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + { + Source: nameWild, + NotSources: []structs.ServiceName{ + nameWeb, + }, + Action: intentionActionDeny, + Permissions: nil, + Precedence: 8, + Skip: false, + ComputedPrincipal: andPrincipals( + []*envoyrbac.Principal{ + idPrincipal(nameWild), + notPrincipal( + idPrincipal(nameWeb), + ), + }, + ), + }, + }, + }, + "default-deny-deny-all-and-path-deny": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + testSourceIntention("*", structs.IntentionActionDeny), + ), + expect: []*rbacIntention{}, + }, + // ======================== + "default-allow-allow-all-and-path-allow": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + testSourceIntention("*", structs.IntentionActionAllow), + ), + expect: []*rbacIntention{}, + }, + "default-deny-allow-all-and-path-allow": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + testSourceIntention("*", structs.IntentionActionAllow), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permSlashPrefix, + Action: intentionActionAllow, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + { + Source: nameWild, + NotSources: []structs.ServiceName{ + nameWeb, + }, + Action: intentionActionAllow, + Permissions: nil, + Precedence: 8, + Skip: false, + ComputedPrincipal: andPrincipals( + []*envoyrbac.Principal{ + idPrincipal(nameWild), + notPrincipal( + idPrincipal(nameWeb), + ), + }, + ), + }, + }, + }, + "default-allow-allow-all-and-path-deny": { + intentionDefaultAllow: true, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + testSourceIntention("*", structs.IntentionActionAllow), + ), + expect: []*rbacIntention{ + { + Source: nameWeb, + Action: intentionActionLayer7, + Permissions: []*rbacPermission{ + { + Definition: permDenySlashPrefix, + Action: intentionActionDeny, + Perm: xdsPermSlashPrefix, + NotPerms: nil, + Skip: false, + ComputedPermission: xdsPermSlashPrefix, + }, + }, + Precedence: 9, + Skip: false, + ComputedPrincipal: idPrincipal(nameWeb), + }, + }, + }, + "default-deny-allow-all-and-path-deny": { + intentionDefaultAllow: false, + http: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + testSourceIntention("*", structs.IntentionActionAllow), + ), + expect: []*rbacIntention{ + { + Source: nameWild, + NotSources: []structs.ServiceName{ + nameWeb, + }, + Action: intentionActionAllow, + Permissions: nil, + Precedence: 8, + Skip: false, + ComputedPrincipal: andPrincipals( + []*envoyrbac.Principal{ + idPrincipal(nameWild), + notPrincipal( + idPrincipal(nameWeb), + ), + }, + ), + }, + }, + }, + } + + for name, tt := range tests { + t.Run(name, func(t *testing.T) { + rbacIxns := intentionListToIntermediateRBACForm(tt.intentions, tt.http) + intentionDefaultAction := intentionActionFromBool(tt.intentionDefaultAllow) + rbacIxns = removeIntentionPrecedence(rbacIxns, intentionDefaultAction) + + require.Equal(t, tt.expect, rbacIxns) + }) + } +} + func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testIntention := func(t *testing.T, src, dst string, action structs.IntentionAction) *structs.Intention { t.Helper() @@ -37,6 +407,21 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { return structs.Intentions(ixns) } + var ( + permSlashPrefix = &structs.IntentionPermission{ + Action: structs.IntentionActionAllow, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + } + permDenySlashPrefix = &structs.IntentionPermission{ + Action: structs.IntentionActionDeny, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + } + ) + tests := map[string]struct { intentionDefaultAllow bool intentions structs.Intentions @@ -87,7 +472,6 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testSourceIntention("web", structs.IntentionActionAllow), testSourceIntention("unsafe", structs.IntentionActionDeny), testSourceIntention("cron", structs.IntentionActionAllow), - // and we invert the default-ness of the whole thing testSourceIntention("*", structs.IntentionActionAllow), ), }, @@ -98,10 +482,92 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testSourceIntention("web", structs.IntentionActionDeny), testSourceIntention("unsafe", structs.IntentionActionAllow), testSourceIntention("cron", structs.IntentionActionDeny), - // and we invert the default-ness of the whole thing testSourceIntention("*", structs.IntentionActionDeny), ), }, + // ======================== + "default-allow-path-allow": { + intentionDefaultAllow: true, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + ), + }, + "default-deny-path-allow": { + intentionDefaultAllow: false, + intentions: sorted( + testSourcePermIntention("web", permSlashPrefix), + ), + }, + "default-allow-path-deny": { + intentionDefaultAllow: true, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + ), + }, + "default-deny-path-deny": { + intentionDefaultAllow: false, + intentions: sorted( + testSourcePermIntention("web", permDenySlashPrefix), + ), + }, + // ======================== + "default-allow-deny-all-and-path-allow": { + intentionDefaultAllow: true, + intentions: sorted( + testSourcePermIntention("web", + &structs.IntentionPermission{ + Action: structs.IntentionActionAllow, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + }, + ), + testSourceIntention("*", structs.IntentionActionDeny), + ), + }, + "default-deny-deny-all-and-path-allow": { + intentionDefaultAllow: false, + intentions: sorted( + testSourcePermIntention("web", + &structs.IntentionPermission{ + Action: structs.IntentionActionAllow, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + }, + ), + testSourceIntention("*", structs.IntentionActionDeny), + ), + }, + "default-allow-deny-all-and-path-deny": { + intentionDefaultAllow: true, + intentions: sorted( + testSourcePermIntention("web", + &structs.IntentionPermission{ + Action: structs.IntentionActionDeny, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + }, + ), + testSourceIntention("*", structs.IntentionActionDeny), + ), + }, + "default-deny-deny-all-and-path-deny": { + intentionDefaultAllow: false, + intentions: sorted( + testSourcePermIntention("web", + &structs.IntentionPermission{ + Action: structs.IntentionActionDeny, + HTTP: &structs.IntentionHTTPPermission{ + PathPrefix: "/", + }, + }, + ), + testSourceIntention("*", structs.IntentionActionDeny), + ), + }, + // ======================== "default-deny-two-path-deny-and-path-allow": { intentionDefaultAllow: false, intentions: sorted( diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden new file mode 100644 index 000000000000..9583399e2279 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow--httpfilter.golden @@ -0,0 +1,49 @@ +{ + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "and_ids": { + "ids": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "not_id": { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden new file mode 100644 index 000000000000..d8ed3e18b39f --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-allow.golden @@ -0,0 +1,61 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + }, + { + "and_ids": { + "ids": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "not_id": { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden new file mode 100644 index 000000000000..b366a051a62c --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny--httpfilter.golden @@ -0,0 +1,73 @@ +{ + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "and_ids": { + "ids": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "not_id": { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + }, + "consul-intentions-layer7-0": { + "permissions": [ + { + "url_path": { + "path": { + "prefix": "/" + } + } + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden new file mode 100644 index 000000000000..d8ed3e18b39f --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-deny-all-and-path-deny.golden @@ -0,0 +1,61 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + }, + { + "and_ids": { + "ids": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/[^/]+$" + } + } + } + }, + { + "not_id": { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + } + ] + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.golden new file mode 100644 index 000000000000..fc4055d903a4 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-allow--httpfilter.golden @@ -0,0 +1,8 @@ +{ + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + "action": "DENY" + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-path-allow.golden b/agent/xds/testdata/rbac/default-allow-path-allow.golden new file mode 100644 index 000000000000..619f65122cd1 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-allow.golden @@ -0,0 +1,31 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden new file mode 100644 index 000000000000..4214231553af --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-deny--httpfilter.golden @@ -0,0 +1,34 @@ +{ + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer7-0": { + "permissions": [ + { + "url_path": { + "path": { + "prefix": "/" + } + } + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-allow-path-deny.golden b/agent/xds/testdata/rbac/default-allow-path-deny.golden new file mode 100644 index 000000000000..619f65122cd1 --- /dev/null +++ b/agent/xds/testdata/rbac/default-allow-path-deny.golden @@ -0,0 +1,31 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + "action": "DENY", + "policies": { + "consul-intentions-layer4": { + "permissions": [ + { + "any": true + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden new file mode 100644 index 000000000000..a6e837f21308 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow--httpfilter.golden @@ -0,0 +1,33 @@ +{ + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + "policies": { + "consul-intentions-layer7-0": { + "permissions": [ + { + "url_path": { + "path": { + "prefix": "/" + } + } + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.golden new file mode 100644 index 000000000000..ae6aeaee7a1f --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-allow.golden @@ -0,0 +1,8 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.golden new file mode 100644 index 000000000000..11354a3fa273 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny--httpfilter.golden @@ -0,0 +1,7 @@ +{ + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.golden b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.golden new file mode 100644 index 000000000000..ae6aeaee7a1f --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-deny-all-and-path-deny.golden @@ -0,0 +1,8 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden new file mode 100644 index 000000000000..a6e837f21308 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-path-allow--httpfilter.golden @@ -0,0 +1,33 @@ +{ + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + "policies": { + "consul-intentions-layer7-0": { + "permissions": [ + { + "url_path": { + "path": { + "prefix": "/" + } + } + } + ], + "principals": [ + { + "authenticated": { + "principal_name": { + "safe_regex": { + "google_re2": { + }, + "regex": "^spiffe://[^/]+/ns/default/dc/[^/]+/svc/web$" + } + } + } + } + ] + } + } + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-path-allow.golden b/agent/xds/testdata/rbac/default-deny-path-allow.golden new file mode 100644 index 000000000000..ae6aeaee7a1f --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-path-allow.golden @@ -0,0 +1,8 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.golden b/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.golden new file mode 100644 index 000000000000..11354a3fa273 --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-path-deny--httpfilter.golden @@ -0,0 +1,7 @@ +{ + "name": "envoy.filters.http.rbac", + "config": { + "rules": { + } + } +} \ No newline at end of file diff --git a/agent/xds/testdata/rbac/default-deny-path-deny.golden b/agent/xds/testdata/rbac/default-deny-path-deny.golden new file mode 100644 index 000000000000..ae6aeaee7a1f --- /dev/null +++ b/agent/xds/testdata/rbac/default-deny-path-deny.golden @@ -0,0 +1,8 @@ +{ + "name": "envoy.filters.network.rbac", + "config": { + "rules": { + }, + "stat_prefix": "connect_authz" + } +} \ No newline at end of file