diff --git a/agent/proxycfg/api_gateway_ce.go b/agent/proxycfg/api_gateway_ce.go
new file mode 100644
index 00000000000..e2a3b375cd1
--- /dev/null
+++ b/agent/proxycfg/api_gateway_ce.go
@@ -0,0 +1,17 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package proxycfg
+
+import "context"
+
+func watchJWTProviders(cxt context.Context, h *handlerAPIGateway) error {
+ return nil
+}
+
+func setJWTProvider(u UpdateEvent, snap *ConfigSnapshot) error {
+ return nil
+}
diff --git a/agent/xds/gw_per_route_filters_ce.go b/agent/xds/gw_per_route_filters_ce.go
new file mode 100644
index 00000000000..cbf406cd07a
--- /dev/null
+++ b/agent/xds/gw_per_route_filters_ce.go
@@ -0,0 +1,24 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package xds
+
+import (
+ envoy_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
+ "google.golang.org/protobuf/types/known/anypb"
+
+ "github.com/hashicorp/consul/agent/structs"
+)
+
+type perRouteFilterBuilder struct {
+ providerMap map[string]*structs.JWTProviderConfigEntry
+ listener *structs.APIGatewayListener
+ route *structs.HTTPRouteConfigEntry
+}
+
+func (p perRouteFilterBuilder) buildFilter(match *envoy_route_v3.RouteMatch) (map[string]*anypb.Any, error) {
+ return nil, nil
+}
diff --git a/agent/xds/jwt_authn_ce.go b/agent/xds/jwt_authn_ce.go
new file mode 100644
index 00000000000..ac6d0a31d79
--- /dev/null
+++ b/agent/xds/jwt_authn_ce.go
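Review bot: The context parameter of `watchJWTProviders` is spelled `cxt`, which departs from the Go convention of naming it `ctx` and will trip anyone grepping for the usual name; `func watchJWTProviders(ctx context.Context, h *handlerAPIGateway) error {`. Neither stub says why it is a no-op, so a one-line doc comment on each, e.g. `// watchJWTProviders is a no-op in the community edition build (see the !consulent build tag); no JWT provider watches are registered here.`, tells the next reader the empty body is intentional rather than unfinished. Because both functions return nil unconditionally, a caller that reads a nil error as "JWT providers are now being watched" or "the provider was applied to the snapshot" gets no such guarantee in this build, which is worth stating in those comments.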
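Review bot: `perRouteFilterBuilder.buildFilter` uses a value receiver while `GatewayAuthFilterBuilder.makeGatewayAuthFilters` in jwt_authn_ce.go (same commit) uses a pointer receiver, and the two builders also disagree on whether the listener is held as `*structs.APIGatewayListener` or by value; one style for both CE stubs keeps them easier to diff against their enterprise counterparts. The stub returns `nil, nil`, so in this build no per-route filter configuration is emitted for any match; a doc comment making that explicit, e.g. `// buildFilter returns no per-route filters in the community edition; a nil map means nothing to apply.`, prevents the empty result from being mistaken for enforcement. The unused `match` parameter could be named `_` to signal that it is intentionally ignored.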
@@ -0,0 +1,25 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !consulent
+// +build !consulent
+
+package xds
+
+import (
+ envoy_http_jwt_authn_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3"
+ envoy_http_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+
+ "github.com/hashicorp/consul/agent/structs"
+)
+
+type GatewayAuthFilterBuilder struct {
+ listener structs.APIGatewayListener
+ route *structs.HTTPRouteConfigEntry
+ providers map[string]*structs.JWTProviderConfigEntry
+ envoyProviders map[string]*envoy_http_jwt_authn_v3.JwtProvider
+}
+
+func (g *GatewayAuthFilterBuilder) makeGatewayAuthFilters() ([]*envoy_http_v3.HttpFilter, error) {
+ return nil, nil
+}
diff --git a/agent/xds/rbac.go b/agent/xds/rbac.go
index 0c00cb92cb0..68e91d2945a 100644
--- a/agent/xds/rbac.go
+++ b/agent/xds/rbac.go
@@ -23,6 +23,11 @@ import (
 "github.com/hashicorp/consul/proto/private/pbpeering"
 )
 
+const (
+ envoyHTTPRBACFilterKey = "envoy.filters.http.rbac"
+ envoyNetworkRBACFilterKey = "envoy.filters.network.rbac"
+)
+
 func makeRBACNetworkFilter(
 intentions structs.SimplifiedIntentions,
 intentionDefaultAllow bool,
@@ -38,7 +43,7 @@ func makeRBACNetworkFilter(
 StatPrefix: "connect_authz",
 Rules: rules,
 }
- return makeFilter("envoy.filters.network.rbac", cfg)
+ return makeFilter(envoyNetworkRBACFilterKey, cfg)
 }
 
 func makeRBACHTTPFilter(
@@ -56,7 +61,7 @@ func makeRBACHTTPFilter(
 cfg := &envoy_http_rbac_v3.RBAC{
 Rules: rules,
 }
- return makeEnvoyHTTPFilter("envoy.filters.http.rbac", cfg)
+ return makeEnvoyHTTPFilter(envoyHTTPRBACFilterKey, cfg)
 }
 
 func intentionListToIntermediateRBACForm(
@@ -326,6 +331,7 @@ func intentionActionFromBool(v bool) intentionAction {
 return intentionActionDeny
 }
 }
+
 func intentionActionFromString(s structs.IntentionAction) intentionAction {
 if s == structs.IntentionActionAllow {
 return intentionActionAllow
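Review bot: `GatewayAuthFilterBuilder` is an exported type with no doc comment, which lint will flag; since every field and the only method `makeGatewayAuthFilters` are unexported, it is worth asking whether the type needs to be exported at all, and otherwise adding `// GatewayAuthFilterBuilder builds the listener-level JWT authentication HTTP filters for an API gateway; the community edition build produces none.` The method returning `nil, nil` means a listener whose configuration names JWT providers gets no jwt_authn filter in this build; if CE configuration validation does not already reject such settings, that silent absence should be stated on the method so an operator reading the code does not assume tokens are being checked. The `listener` field is held by value here but by pointer in perRouteFilterBuilder (gw_per_route_filters_ce.go, same commit); aligning the two avoids an accidental copy of the listener struct in one path and a shared pointer in the other.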
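Review bot: The new const block has no comment saying what the two strings are; they are Envoy's registered filter names and must match what the proxy expects, so a one-liner such as `// Names of Envoy's RBAC filters, as registered in Envoy's extension registry.` above `const (` documents the coupling and why the values must not be edited casually. The substitution of the two literals in the -38 and -56 hunks is otherwise a straight replacement and needs no further change.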
@@ -809,7 +815,6 @@ func segmentToPermission(segments []*envoy_matcher_v3.MetadataMatcher_PathSegmen
 // },
 // },
 func pathToSegments(paths []string, payloadKey string) []*envoy_matcher_v3.MetadataMatcher_PathSegment {
-
 segments := make([]*envoy_matcher_v3.MetadataMatcher_PathSegment, 0, len(paths))
 segments = append(segments, makeSegment(payloadKey))
 
@@ -1029,8 +1034,10 @@ func xfccPrincipal(src rbacService) *envoy_rbac_v3.Principal {
 }
 }
 
-const anyPath = `[^/]+`
-const trustDomain = anyPath + "." + anyPath
+const (
+ anyPath = `[^/]+`
+ trustDomain = anyPath + "." + anyPath
+)
 
 // downstreamServiceIdentityMatcher needs to match XFCC headers in two cases:
 // 1. Requests to cluster peered services through a mesh gateway. In this case, the XFCC header looks like the following (I added a new line after each ; for readability)
diff --git a/agent/xds/resources_ce_test.go b/agent/xds/resources_ce_test.go
index fa713481723..14d5a35253a 100644
--- a/agent/xds/resources_ce_test.go
+++ b/agent/xds/resources_ce_test.go
@@ -6,6 +6,8 @@
 
 package xds
 
-func getEnterpriseGoldenTestCases() []goldenTestCase {
+import "testing"
+
+func getEnterpriseGoldenTestCases(t *testing.T) []goldenTestCase {
 return nil
 }
diff --git a/agent/xds/resources_test.go b/agent/xds/resources_test.go
index 926c44fab86..69a704386b5 100644
--- a/agent/xds/resources_test.go
+++ b/agent/xds/resources_test.go
@@ -193,7 +193,7 @@ func TestAllResourcesFromSnapshot(t *testing.T) {
 tests = append(tests, getConnectProxyTransparentProxyGoldenTestCases()...)
 tests = append(tests, getMeshGatewayPeeringGoldenTestCases()...)
 tests = append(tests, getTrafficControlPeeringGoldenTestCases(false)...)
- tests = append(tests, getEnterpriseGoldenTestCases()...)
+ tests = append(tests, getEnterpriseGoldenTestCases(t)...)
 tests = append(tests, getAPIGatewayGoldenTestCases(t)...)
 
 latestEnvoyVersion := xdscommon.EnvoyVersions[0]
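Review bot: The new `t *testing.T` parameter on `getEnterpriseGoldenTestCases` in resources_ce_test.go is never read by this CE stub; naming it `_ *testing.T` makes that explicit and keeps unused-parameter lint quiet, `func getEnterpriseGoldenTestCases(_ *testing.T) []goldenTestCase {`. The signature change is presumably there to match an enterprise implementation that does use `t` (the call site in resources_test.go now passes it); a short comment on the stub saying so would spare the next reader from wondering why the parameter exists.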