NET-6251 API gateway templated policy (#19728)
roncodingenthusiast authored Nov 24, 2023
1 parent 78f918a commit c1dbf00
Showing 9 changed files with 75 additions and 7 deletions.
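--- a/.changelog/19728.txt
+++ b/.changelog/19728.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+acl: add api-gateway templated policy
+```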
2 changes: 1 addition & 1 deletion agent/acl_endpoint_test.go
Expand Up @@ -1407,7 +1407,7 @@ func TestACL_HTTP(t *testing.T) {

var list map[string]api.ACLTemplatedPolicyResponse
require.NoError(t, json.NewDecoder(resp.Body).Decode(&list))
require.Len(t, list, 5)
require.Len(t, list, 6)

require.Equal(t, api.ACLTemplatedPolicyResponse{
TemplateName: api.ACLTemplatedPolicyServiceName,
10 changes: 10 additions & 0 deletions agent/structs/acl_templated_policy.go
Expand Up @@ -29,6 +29,9 @@ var ACLTemplatedPolicyServiceSchema string
//go:embed acltemplatedpolicy/schemas/workload-identity.json
var ACLTemplatedPolicyWorkloadIdentitySchema string

//go:embed acltemplatedpolicy/schemas/api-gateway.json
var ACLTemplatedPolicyAPIGatewaySchema string

type ACLTemplatedPolicies []*ACLTemplatedPolicy

const (
Expand All @@ -37,6 +40,7 @@ const (
ACLTemplatedPolicyDNSID = "00000000-0000-0000-0000-000000000005"
ACLTemplatedPolicyNomadServerID = "00000000-0000-0000-0000-000000000006"
ACLTemplatedPolicyWorkloadIdentityID = "00000000-0000-0000-0000-000000000007"
ACLTemplatedPolicyAPIGatewayID = "00000000-0000-0000-0000-000000000008"

ACLTemplatedPolicyNoRequiredVariablesSchema = "" // catch-all schema for all templated policy that don't require a schema
)
Expand Down Expand Up @@ -84,6 +88,12 @@ var (
Schema: ACLTemplatedPolicyWorkloadIdentitySchema,
Template: ACLTemplatedPolicyWorkloadIdentity,
},
api.ACLTemplatedPolicyAPIGatewayName: {
TemplateID: ACLTemplatedPolicyAPIGatewayID,
TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
Schema: ACLTemplatedPolicyAPIGatewaySchema,
Template: ACLTemplatedPolicyAPIGateway,
},
}
)

3 changes: 3 additions & 0 deletions agent/structs/acl_templated_policy_ce.go
Expand Up @@ -22,6 +22,9 @@ var ACLTemplatedPolicyNomadServer string
//go:embed acltemplatedpolicy/policies/ce/workload-identity.hcl
var ACLTemplatedPolicyWorkloadIdentity string

//go:embed acltemplatedpolicy/policies/ce/api-gateway.hcl
var ACLTemplatedPolicyAPIGateway string

func (t *ACLToken) TemplatedPolicyList() []*ACLTemplatedPolicy {
if len(t.TemplatedPolicies) == 0 {
return nil
22 changes: 22 additions & 0 deletions agent/structs/acl_templated_policy_ce_test.go
Expand Up @@ -95,6 +95,28 @@ query_prefix "" {
Description: "synthetic policy generated from templated policy: builtin/workload-identity",
Rules: `identity "api" {
policy = "write"
}`,
},
},
"api-gateway-template": {
templatedPolicy: &ACLTemplatedPolicy{
TemplateID: ACLTemplatedPolicyAPIGatewayID,
TemplateName: api.ACLTemplatedPolicyAPIGatewayName,
TemplateVariables: &ACLTemplatedPolicyVariables{
Name: "api-gateway",
},
},
expectedPolicy: &ACLPolicy{
Description: "synthetic policy generated from templated policy: builtin/api-gateway",
Rules: `mesh = "read"
node_prefix "" {
policy = "read"
}
service_prefix "" {
policy = "read"
}
service "api-gateway" {
policy = "write"
}`,
},
},
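Review bot: The added `api-gateway-template` case only checks the rendered rules for a well-formed name; there is no sibling case asserting that the template's schema (`required: ["name"]`, `minLength: 1`) actually rejects a missing or empty name for `builtin/api-gateway`. If schema validation is exercised by a separate test that is not part of this change, this is moot, but otherwise a negative case here — `TemplateVariables: &ACLTemplatedPolicyVariables{Name: ""}` expecting a validation error rather than a rendered policy — would pin the contract the new JSON schema is meant to enforce. The enclosing test table starts before this hunk.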
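--- a/agent/structs/acltemplatedpolicy/policies/ce/api-gateway.hcl
+++ b/agent/structs/acltemplatedpolicy/policies/ce/api-gateway.hcl
@@ -0,0 +1,10 @@
+mesh = "read"
+node_prefix "" {
+policy = "read"
+}
+service_prefix "" {
+policy = "read"
+}
+service "{{.Name}}" {
+policy = "write"
+}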
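Review bot: The `service "{{.Name}}"` selector on the last three lines interpolates the user-supplied `name` variable straight into generated HCL, and the accompanying `schemas/api-gateway.json` only requires `minLength: 1`, so unless the variable is validated elsewhere (not visible in this change) a name containing a double quote would close the quoted selector early and alter the meaning of the synthetic policy that is then attached to the token. The other name-taking templates appear to follow the same pattern, so if there is shared validation of `Name` this is moot, but it is worth confirming before a new one is added. A conservative fix is to constrain the schema property, e.g. `"name": { "type": "string", "$ref": "#/definitions/min-length-one", "pattern": "^[A-Za-z0-9_-]+$" }` (adjusted to whatever character set service names actually allow), or to reject `"` and newlines in the variable validator. Separately, `mesh = "read"`, `node_prefix ""` and `service_prefix ""` grant read on every node and service in the datacenter; that is presumably what gateway routing needs, but the breadth deserves a sentence in the formatter's help text for this template.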
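--- a/agent/structs/acltemplatedpolicy/schemas/api-gateway.json
+++ b/agent/structs/acltemplatedpolicy/schemas/api-gateway.json
@@ -0,0 +1,13 @@
+{
+"type": "object",
+"properties": {
+"name": { "type": "string", "$ref": "#/definitions/min-length-one" }
+},
+"required": ["name"],
+"definitions": {
+"min-length-one": {
+"type": "string",
+"minLength": 1
+}
+}
+}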
1 change: 1 addition & 0 deletions api/acl.go
Expand Up @@ -26,6 +26,7 @@ const (
ACLTemplatedPolicyDNSName = "builtin/dns"
ACLTemplatedPolicyNomadServerName = "builtin/nomad-server"
ACLTemplatedPolicyWorkloadIdentityName = "builtin/workload-identity"
ACLTemplatedPolicyAPIGatewayName = "builtin/api-gateway"
)

type ACLLink struct {
18 changes: 12 additions & 6 deletions command/acl/templatedpolicy/formatter.go
Expand Up @@ -69,13 +69,13 @@ func (f *prettyFormatter) FormatTemplatedPolicy(templatedPolicy api.ACLTemplated
buffer.WriteString("Input variables:")
switch templatedPolicy.TemplateName {
case api.ACLTemplatedPolicyServiceName:
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - The name of the service.\n", WhitespaceIndent))
buffer.WriteString("Example usage:\n")
buffer.WriteString(WhitespaceIndent + "consul acl token create -templated-policy builtin/service -var name:api\n")
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The name of the service", "api")
case api.ACLTemplatedPolicyNodeName:
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - The node name.\n", WhitespaceIndent))
buffer.WriteString("Example usage:\n")
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy builtin/node -var name:node-1\n", WhitespaceIndent))
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The node name", "node-1")
case api.ACLTemplatedPolicyWorkloadIdentityName:
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The workload name", "api")
case api.ACLTemplatedPolicyAPIGatewayName:
nameRequiredVariableOutput(&buffer, templatedPolicy.TemplateName, "The api gateway service name", "api-gateway")
case api.ACLTemplatedPolicyDNSName, api.ACLTemplatedPolicyNomadServerName:
noRequiredVariablesOutput(&buffer, templatedPolicy.TemplateName)
default:
Expand All @@ -98,6 +98,12 @@ func noRequiredVariablesOutput(buffer *bytes.Buffer, templateName string) {
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy %s\n", WhitespaceIndent, templateName))
}

func nameRequiredVariableOutput(buffer *bytes.Buffer, templateName, description, exampleName string) {
buffer.WriteString(fmt.Sprintf("\n%sName: String - Required - %s.\n", WhitespaceIndent, description))
buffer.WriteString("Example usage:\n")
buffer.WriteString(fmt.Sprintf("%sconsul acl token create -templated-policy %s -var name:%s\n", WhitespaceIndent, templateName, exampleName))
}

func (f *prettyFormatter) FormatTemplatedPolicyList(policies map[string]api.ACLTemplatedPolicyResponse) (string, error) {
var buffer bytes.Buffer

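Review bot: The new helper `nameRequiredVariableOutput` has no doc comment, and since four `case` arms now rely on it to emit identical wording, a one-liner stating that contract would help: `// nameRequiredVariableOutput appends the "Name: String - Required - <description>." line and a sample "consul acl token create" invocation for templates whose only variable is name.` The description passed for the new arm, `"The api gateway service name"`, would read better as `"The API gateway service name"`, since "API" is conventionally capitalized in user-facing text. `FormatTemplatedPolicyList` begins at the end of this hunk and continues outside it.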
