add MATCH_SUPERSET and MATCH_ANY to SPIRE Server entry endpoints (#2467)

Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>

go.mod

@@ -56,7 +56,7 @@ require (
 	github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4 // indirect
 	github.com/sirupsen/logrus v1.4.2
 	github.com/spiffe/go-spiffe/v2 v2.0.0-beta.6
-	github.com/spiffe/spire-api-sdk v1.0.0
+	github.com/spiffe/spire-api-sdk v1.0.2-0.20210816212232-782cd5a6b660
 	github.com/spiffe/spire-plugin-sdk v1.0.0
 	github.com/stretchr/testify v1.7.0
 	github.com/uber-go/tally v3.3.12+incompatible

go.sum

@@ -700,8 +700,8 @@ github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DM
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spiffe/go-spiffe/v2 v2.0.0-beta.6 h1:3DOMziVxNur7Gq7JkfJg5sLZbbtfkBi13SlDfByV9YI=
 github.com/spiffe/go-spiffe/v2 v2.0.0-beta.6/go.mod h1:TEfgrEcyFhuSuvqohJt6IxENUNeHfndWCCV1EX7UaVk=
-github.com/spiffe/spire-api-sdk v1.0.0 h1:swo8bFdEPNmXjpX72eudbyboq1wMrp/oPH7GCMjOaSY=
-github.com/spiffe/spire-api-sdk v1.0.0/go.mod h1:2wSTZ6oEnKqI3uBST05Mmm751+yoHEvgxomYKYOQ6Ko=
+github.com/spiffe/spire-api-sdk v1.0.2-0.20210816212232-782cd5a6b660 h1:/QgMFt0sZRzYoa07t6vmvlTShI46p2ZCe64VnM3yD3Q=
+github.com/spiffe/spire-api-sdk v1.0.2-0.20210816212232-782cd5a6b660/go.mod h1:2wSTZ6oEnKqI3uBST05Mmm751+yoHEvgxomYKYOQ6Ko=
 github.com/spiffe/spire-plugin-sdk v1.0.0 h1:Y5oWPvWS2S+BT9pIKP6fjPXIFLFfARqbIcxp0gjyYls=
 github.com/spiffe/spire-plugin-sdk v1.0.0/go.mod h1:fzNSP83Z848jZtPQYeZ9qPWZkbSPwmd/JFNux1gxsbM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

pkg/server/api/entry/v1/service_test.go

@@ -435,6 +435,59 @@ func TestListEntries(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:            "filter by selectors match any",
+			expectedEntries: []*types.Entry{expectedChild},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "unix", Value: "gid:1000"},
+						},
+						Match: types.SelectorMatch_MATCH_ANY,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:          "success",
+						telemetry.Type:            "audit",
+						telemetry.BySelectorMatch: "MATCH_ANY",
+						telemetry.BySelectors:     "unix:gid:1000",
+					},
+				},
+			},
+		},
+		{
+			name:            "filter by selectors superset",
+			expectedEntries: []*types.Entry{expectedChild},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					BySelectors: &types.SelectorMatch{
+						Selectors: []*types.Selector{
+							{Type: "unix", Value: "gid:1000"},
+							{Type: "unix", Value: "uid:1000"},
+						},
+						Match: types.SelectorMatch_MATCH_SUPERSET,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:          "success",
+						telemetry.Type:            "audit",
+						telemetry.BySelectorMatch: "MATCH_SUPERSET",
+						telemetry.BySelectors:     "unix:gid:1000,unix:uid:1000",
+					},
+				},
+			},
+		},
 		{
 			name:            "filter by federates with exact match (no subset)",
 			expectedEntries: []*types.Entry{expectedSecondChild},
@@ -654,6 +707,225 @@ func TestListEntries(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:            "filter by federates with match any (no subset)",
+			expectedEntries: []*types.Entry{expectedChild, expectedSecondChild},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{
+							// Both formats should work
+							federatedTd.IDString(),
+							secondFederatedTd.String(),
+						},
+						Match: types.FederatesWithMatch_MATCH_ANY,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:             "success",
+						telemetry.Type:               "audit",
+						telemetry.FederatesWithMatch: "MATCH_ANY",
+						telemetry.FederatesWith:      "spiffe://domain1.org,domain2.org",
+					},
+				},
+			},
+		},
+		{
+			name:            "filter by federates with match any (no superset)",
+			expectedEntries: []*types.Entry{expectedSecondChild},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{
+							secondFederatedTd.IDString(),
+						},
+						Match: types.FederatesWithMatch_MATCH_ANY,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:             "success",
+						telemetry.Type:               "audit",
+						telemetry.FederatesWithMatch: "MATCH_ANY",
+						telemetry.FederatesWith:      "spiffe://domain2.org",
+					},
+				},
+			},
+		},
+		{
+			name:            "filter by federates with match any (with repeated tds)",
+			expectedEntries: []*types.Entry{expectedChild, expectedSecondChild},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{
+							// Both formats should work
+							federatedTd.IDString(),
+							secondFederatedTd.IDString(),
+							secondFederatedTd.String(), // repeated td
+						},
+						Match: types.FederatesWithMatch_MATCH_ANY,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:             "success",
+						telemetry.Type:               "audit",
+						telemetry.FederatesWithMatch: "MATCH_ANY",
+						telemetry.FederatesWith:      "spiffe://domain1.org,spiffe://domain2.org,domain2.org",
+					},
+				},
+			},
+		},
+		{
+			name:            "filter by federates with match any (not federated)",
+			expectedEntries: []*types.Entry{},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{
+							notFederatedTd.String(),
+						},
+						Match: types.FederatesWithMatch_MATCH_ANY,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:             "success",
+						telemetry.Type:               "audit",
+						telemetry.FederatesWithMatch: "MATCH_ANY",
+						telemetry.FederatesWith:      "domain3.org",
+					},
+				},
+			},
+		},
+		{
+			name:            "filter by federates with superset match",
+			expectedEntries: []*types.Entry{expectedSecondChild},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{
+							// Both formats should work
+							federatedTd.IDString(),
+							secondFederatedTd.String(),
+						},
+						Match: types.FederatesWithMatch_MATCH_SUPERSET,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:             "success",
+						telemetry.Type:               "audit",
+						telemetry.FederatesWithMatch: "MATCH_SUPERSET",
+						telemetry.FederatesWith:      "spiffe://domain1.org,domain2.org",
+					},
+				},
+			},
+		},
+		{
+			name:            "filter by federates with subset match (superset)",
+			expectedEntries: []*types.Entry{expectedChild, expectedSecondChild},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{
+							federatedTd.IDString(),
+						},
+						Match: types.FederatesWithMatch_MATCH_SUPERSET,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:             "success",
+						telemetry.Type:               "audit",
+						telemetry.FederatesWithMatch: "MATCH_SUPERSET",
+						telemetry.FederatesWith:      "spiffe://domain1.org",
+					},
+				},
+			},
+		},
+		{
+			name:            "filter by federates with subset match (with repeated tds)",
+			expectedEntries: []*types.Entry{expectedSecondChild},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{
+							// Both formats should work
+							federatedTd.IDString(),
+							secondFederatedTd.IDString(),
+							secondFederatedTd.String(), // repeated td
+						},
+						Match: types.FederatesWithMatch_MATCH_SUPERSET,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:             "success",
+						telemetry.Type:               "audit",
+						telemetry.FederatesWithMatch: "MATCH_SUPERSET",
+						telemetry.FederatesWith:      "spiffe://domain1.org,spiffe://domain2.org,domain2.org",
+					},
+				},
+			},
+		},
+		{
+			name:            "filter by federates with subset match (no matchs)",
+			expectedEntries: []*types.Entry{},
+			request: &entryv1.ListEntriesRequest{
+				Filter: &entryv1.ListEntriesRequest_Filter{
+					ByFederatesWith: &types.FederatesWithMatch{
+						TrustDomains: []string{
+							// Both formats should work
+							notFederatedTd.IDString(),
+						},
+						Match: types.FederatesWithMatch_MATCH_SUPERSET,
+					},
+				},
+			},
+			expectLogs: []spiretest.LogEntry{
+				{
+					Level:   logrus.InfoLevel,
+					Message: "API accessed",
+					Data: logrus.Fields{
+						telemetry.Status:             "success",
+						telemetry.Type:               "audit",
+						telemetry.FederatesWithMatch: "MATCH_SUPERSET",
+						telemetry.FederatesWith:      "spiffe://domain3.org",
+					},
+				},
+			},
+		},
 		{
 			name:                  "page",
 			expectedEntries:       []*types.Entry{expectedChild},