Merge branch 'main' into doc-fix-missing-step-partition

.github/workflows/frontend.yml

@@ -5,10 +5,8 @@ name: frontend
 
 on:
   push:
-    branches:
-      - main
+    paths:
       - ui/**
-      - backport/ui/**
 
 permissions:
   contents: read

.github/workflows/reusable-unit-split.yml

@@ -129,8 +129,7 @@ jobs:
           --rerun-fails-report=/tmp/gotestsum-rerun-fails \
           --packages="$PACKAGE_NAMES" \
           --junitfile ${{env.TEST_RESULTS}}/gotestsum-report.xml -- \
-          -tags="${{env.GOTAGS}}" -p 2 \
-          ${GO_TEST_FLAGS-} \
+          -tags="${{env.GOTAGS}}" \
           -cover -coverprofile=coverage.txt
 
       # NOTE: ENT specific step as we store secrets in Vault.

.github/workflows/test-integrations.yml

@@ -436,8 +436,6 @@ jobs:
               --rerun-fails=3 \
               -- \
               go test \
-              -p=6 \
-              -parallel=4 \
               -tags "${{ env.GOTAGS }}" \
               -timeout=30m \
               -json \

agent/consul/leader_connect_ca.go

@@ -1456,7 +1456,10 @@ func (c *CAManager) AuthorizeAndSignCertificate(csr *x509.CertificateRequest, au
 				"we are %s", v.Datacenter, dc)
 		}
 	case *connect.SpiffeIDWorkloadIdentity:
-		// TODO: Check for identity:write on the token when identity permissions are supported.
+		v.GetEnterpriseMeta().FillAuthzContext(&authzContext)
+		if err := allow.IdentityWriteAllowed(v.WorkloadIdentity, &authzContext); err != nil {
+			return nil, err
+		}
 	case *connect.SpiffeIDAgent:
 		v.GetEnterpriseMeta().FillAuthzContext(&authzContext)
 		if err := allow.NodeWriteAllowed(v.Agent, &authzContext); err != nil {

agent/consul/leader_connect_ca_test.go

@@ -1317,6 +1317,12 @@ func TestCAManager_AuthorizeAndSignCertificate(t *testing.T) {
 		Host:       "test-host",
 		Partition:  "test-partition",
 	}.URI()
+	identityURL := connect.SpiffeIDWorkloadIdentity{
+		TrustDomain:      "test-trust-domain",
+		Partition:        "test-partition",
+		Namespace:        "test-namespace",
+		WorkloadIdentity: "test-workload-identity",
+	}.URI()
 
 	tests := []struct {
 		name      string
@@ -1412,6 +1418,15 @@ func TestCAManager_AuthorizeAndSignCertificate(t *testing.T) {
 				}
 			},
 		},
+		{
+			name:      "err_identity_write_not_allowed",
+			expectErr: "Permission denied",
+			getCSR: func() *x509.CertificateRequest {
+				return &x509.CertificateRequest{
+					URIs: []*url.URL{identityURL},
+				}
+			},
+		},
 	}
 
 	for _, tc := range tests {

agent/grpc-external/services/dataplane/get_envoy_bootstrap_params.go

@@ -80,7 +80,10 @@ func (s *Server) GetEnvoyBootstrapParams(ctx context.Context, req *pbdataplane.G
 			return nil, status.Errorf(codes.InvalidArgument, "workload %q doesn't have identity associated with it", req.ProxyId)
 		}
 
-		// todo (ishustava): ACL enforcement ensuring there's identity:write permissions.
+		// verify identity:write is allowed.  if not, give permission denied error.
+		if err := authz.ToAllowAuthorizer().IdentityWriteAllowed(workload.Identity, &authzContext); err != nil {
+			return nil, err
+		}
 
 		// Get all proxy configurations for this workload. Currently we're only looking
 		// for proxy configurations in the same tenancy as the workload.

agent/grpc-external/services/dataplane/get_envoy_bootstrap_params_test.go

@@ -34,6 +34,7 @@ import (
 )
 
 const (
+	testIdentity     = "test-identity"
 	testToken        = "acl-token-get-envoy-bootstrap-params"
 	testServiceName  = "web"
 	proxyServiceID   = "web-proxy"
@@ -308,7 +309,23 @@ func TestGetEnvoyBootstrapParams_Success_EnableV2(t *testing.T) {
 		}
 
 		aclResolver.On("ResolveTokenAndDefaultMeta", testToken, mock.Anything, mock.Anything).
-			Return(testutils.ACLServiceRead(t, workloadResource.Id.Name), nil)
+			Return(testutils.ACLUseProvidedPolicy(t,
+				&acl.Policy{
+					PolicyRules: acl.PolicyRules{
+						Services: []*acl.ServiceRule{
+							{
+								Name:   workloadResource.Id.Name,
+								Policy: acl.PolicyRead,
+							},
+						},
+						Identities: []*acl.IdentityRule{
+							{
+								Name:   testIdentity,
+								Policy: acl.PolicyWrite,
+							},
+						},
+					},
+				}), nil)
 
 		resp, err := client.GetEnvoyBootstrapParams(ctx, req)
 		require.NoError(t, err)
@@ -328,22 +345,22 @@ func TestGetEnvoyBootstrapParams_Success_EnableV2(t *testing.T) {
 		{
 			name: "workload without node",
 			workloadData: &pbcatalog.Workload{
-				Identity: "test-identity",
+				Identity: testIdentity,
 			},
 			expBootstrapCfg: &pbmesh.BootstrapConfig{},
 		},
 		{
 			name: "workload with node",
 			workloadData: &pbcatalog.Workload{
-				Identity: "test-identity",
+				Identity: testIdentity,
 				NodeName: "test-node",
 			},
 			expBootstrapCfg: &pbmesh.BootstrapConfig{},
 		},
 		{
 			name: "single proxy configuration",
 			workloadData: &pbcatalog.Workload{
-				Identity: "test-identity",
+				Identity: testIdentity,
 			},
 			proxyCfgs: []*pbmesh.ProxyConfiguration{
 				{
@@ -360,7 +377,7 @@ func TestGetEnvoyBootstrapParams_Success_EnableV2(t *testing.T) {
 		{
 			name: "multiple proxy configurations",
 			workloadData: &pbcatalog.Workload{
-				Identity: "test-identity",
+				Identity: testIdentity,
 			},
 			proxyCfgs: []*pbmesh.ProxyConfiguration{
 				{

agent/grpc-external/testutils/acl.go

@@ -84,6 +84,18 @@ func ACLServiceRead(t *testing.T, serviceName string) resolver.Result {
 	}
 }
 
+func ACLUseProvidedPolicy(t *testing.T, aclPolicy *acl.Policy) resolver.Result {
+	t.Helper()
+
+	authz, err := acl.NewPolicyAuthorizerWithDefaults(acl.DenyAll(), []*acl.Policy{aclPolicy}, nil)
+	require.NoError(t, err)
+
+	return resolver.Result{
+		Authorizer:  authz,
+		ACLIdentity: randomACLIdentity(t),
+	}
+}
+
 func ACLOperatorRead(t *testing.T) resolver.Result {
 	t.Helper()
 

agent/testagent.go

@@ -17,9 +17,9 @@ import (
 	"text/template"
 	"time"
 
-	metrics "github.com/armon/go-metrics"
+	"github.com/armon/go-metrics"
 	"github.com/hashicorp/go-hclog"
-	uuid "github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/go-uuid"
 
 	"github.com/hashicorp/consul/acl"
 	"github.com/hashicorp/consul/agent/config"
@@ -414,12 +414,12 @@ func (a *TestAgent) consulConfig() *consul.Config {
 // Instead of relying on one set of ports to be sufficient we retry
 // starting the agent with different ports on port conflict.
 func randomPortsSource(t *testing.T, useHTTPS bool) string {
-	ports := freeport.GetN(t, 8)
+	ports := freeport.GetN(t, 7)
 
 	var http, https int
 	if useHTTPS {
 		http = -1
-		https = ports[2]
+		https = ports[1]
 	} else {
 		http = ports[1]
 		https = -1
@@ -430,11 +430,11 @@ func randomPortsSource(t *testing.T, useHTTPS bool) string {
 			dns = ` + strconv.Itoa(ports[0]) + `
 			http = ` + strconv.Itoa(http) + `
 			https = ` + strconv.Itoa(https) + `
-			serf_lan = ` + strconv.Itoa(ports[3]) + `
-			serf_wan = ` + strconv.Itoa(ports[4]) + `
-			server = ` + strconv.Itoa(ports[5]) + `
-			grpc = ` + strconv.Itoa(ports[6]) + `
-			grpc_tls = ` + strconv.Itoa(ports[7]) + `
+			serf_lan = ` + strconv.Itoa(ports[2]) + `
+			serf_wan = ` + strconv.Itoa(ports[3]) + `
+			server = ` + strconv.Itoa(ports[4]) + `
+			grpc = ` + strconv.Itoa(ports[5]) + `
+			grpc_tls = ` + strconv.Itoa(ports[6]) + `
 		}
 	`
 }

agent/xds/listeners_apigateway.go

@@ -276,9 +276,11 @@ func getReadyListeners(cfgSnap *proxycfg.ConfigSnapshot) map[string]readyListene
 				continue
 			}
 
+			routeKey := l.Name + routeRef.String()
+
 			for _, upstream := range routeUpstreamsForListener {
 				// Insert or update readyListener for the listener to include this upstream
-				r, ok := ready[l.Name]
+				r, ok := ready[routeKey]
 				if !ok {
 					r = readyListener{
 						listenerKey:      listenerKey,
@@ -288,7 +290,7 @@ func getReadyListeners(cfgSnap *proxycfg.ConfigSnapshot) map[string]readyListene
 					}
 				}
 				r.upstreams = append(r.upstreams, upstream)
-				ready[l.Name] = r
+				ready[routeKey] = r
 			}
 		}
 	}

agent/xds/rbac_test.go

@@ -739,44 +739,18 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
 			intentionDefaultAllow:  true,
 			v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{},
 		},
-		"v2-default-allow-one-allow": {
-			intentionDefaultAllow: true,
-			v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
-				AllowPermissions: []*pbproxystate.Permission{
-					{
-						Principals: []*pbproxystate.Principal{
-							{
-								Spiffe: makeSpiffe("web", nil),
-							},
-						},
-					},
-				},
-			},
-		},
-		// In v2, having a single permission turns on default deny.
-		"v2-default-allow-one-deny": {
-			intentionDefaultAllow: true,
-			v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
-				DenyPermissions: []*pbproxystate.Permission{
-					{
-						Principals: []*pbproxystate.Principal{
-							{
-								Spiffe: makeSpiffe("web", nil),
-							},
-						},
-					},
-				},
-			},
-		},
 		// This validates that we don't send xDS messages to Envoy that will fail validation.
 		// Traffic permissions validations prevent this from being written to the IR, so the thing
 		// that matters is that the snapshot is valid to Envoy.
 		"v2-ignore-empty-permissions": {
-			intentionDefaultAllow: true,
+			intentionDefaultAllow: false,
 			v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
 				DenyPermissions: []*pbproxystate.Permission{
 					{},
 				},
+				AllowPermissions: []*pbproxystate.Permission{
+					{},
+				},
 			},
 		},
 		"default-allow-kitchen-sink": {
@@ -1109,7 +1083,9 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
 						return
 					}
 
-					filters, err := xdsv2.MakeL4RBAC(tt.intentionDefaultAllow, tt.v2L4TrafficPermissions)
+					tt.v2L4TrafficPermissions.DefaultAllow = tt.intentionDefaultAllow
+
+					filters, err := xdsv2.MakeL4RBAC(tt.v2L4TrafficPermissions)
 					require.NoError(t, err)
 
 					var gotJSON string

agent/xdsv2/listener_resources.go

@@ -308,7 +308,7 @@ func (pr *ProxyResources) makeEnvoyResourcesForL4Destination(l4 *pbproxystate.Ro
 	if err != nil {
 		return nil, err
 	}
-	envoyFilters, err := makeL4Filters(pr.proxyState.TrafficPermissionDefaultAllow, l4.L4)
+	envoyFilters, err := makeL4Filters(l4.L4)
 	return envoyFilters, err
 }
 
@@ -333,10 +333,10 @@ func getAlpnProtocols(protocol pbproxystate.L7Protocol) []string {
 	return alpnProtocols
 }
 
-func makeL4Filters(defaultAllow bool, l4 *pbproxystate.L4Destination) ([]*envoy_listener_v3.Filter, error) {
+func makeL4Filters(l4 *pbproxystate.L4Destination) ([]*envoy_listener_v3.Filter, error) {
 	var envoyFilters []*envoy_listener_v3.Filter
 	if l4 != nil {
-		rbacFilters, err := MakeL4RBAC(defaultAllow, l4.TrafficPermissions)
+		rbacFilters, err := MakeL4RBAC(l4.TrafficPermissions)
 		if err != nil {
 			return nil, err
 		}