From 8f998b05f7206e6d41abc3c43573aadd9ced55ec Mon Sep 17 00:00:00 2001 From: Johan Siebens Date: Wed, 24 Jan 2024 07:59:16 +0100 Subject: [PATCH] feat: acl grants --- internal/domain/acl.go | 249 ++------------------ internal/domain/acl_filter_rules.go | 346 ++++++++++++++++++++++++++++ internal/domain/acl_test.go | 90 +++++++- pkg/gen/ionscale/v1/acl.pb.go | 251 ++++++++++++++------ proto/ionscale/v1/acl.proto | 8 + 5 files changed, 647 insertions(+), 297 deletions(-) create mode 100644 internal/domain/acl_filter_rules.go diff --git a/internal/domain/acl.go b/internal/domain/acl.go index 1246839..d468166 100644 --- a/internal/domain/acl.go +++ b/internal/domain/acl.go @@ -8,6 +8,7 @@ import ( "gorm.io/gorm" "gorm.io/gorm/schema" "net/netip" + "slices" "sort" "strconv" "strings" @@ -35,6 +36,7 @@ type ACLPolicy struct { AutoApprovers *AutoApprovers `json:"autoApprovers,omitempty"` SSHRules []SSHRule `json:"ssh,omitempty"` NodeAttrs []NodeAttr `json:"nodeAttrs,omitempty"` + Grants []Grant `json:"grants,omitempty"` } type ACL struct { @@ -57,6 +59,13 @@ type NodeAttr struct { Attr []string `json:"attr"` } +type Grant struct { + Src []string `json:"src"` + Dst []string `json:"dst"` + IP []tailcfg.ProtoPortRange `json:"ip"` + App tailcfg.PeerCapMap `json:"app"` +} + func DefaultACLPolicy() ACLPolicy { return ACLPolicy{ ACLs: []ACL{ @@ -109,7 +118,7 @@ func (a ACLPolicy) FindAutoApprovedIPs(routableIPs []netip.Prefix, tags []string return false } - autoApprovedIPs := []netip.Prefix{} + var autoApprovedIPs []netip.Prefix for route, autoApprovers := range a.AutoApprovers.Routes { candidate, err := netip.ParsePrefix(route) if err != nil { @@ -121,7 +130,7 @@ func (a ACLPolicy) FindAutoApprovedIPs(routableIPs []netip.Prefix, tags []string } } - result := []netip.Prefix{} + var result []netip.Prefix for _, c := range routableIPs { if c.Bits() == 0 && matches(a.AutoApprovers.ExitNode) { result = append(result, c) 
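Review bot: Grant is an exported type added without a doc comment, and nothing near the struct says what its two access kinds mean; a comment such as `// Grant allows the Src aliases to reach the Dst aliases: IP lists the protocol/port ranges granted for network access, App lists the peer capabilities granted for application-level access.` would give the reader that. The semantics are only visible in acl_filter_rules.go, where IP entries become DstPorts filter rules and App becomes a CapGrant, so the struct itself gives no local hint. The sibling ACL and NodeAttr types in this hunk are equally undocumented, but Grant is the new one.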
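Review bot: FindAutoApprovedIPs now returns a nil slice instead of `[]netip.Prefix{}` when nothing matches, since both `autoApprovedIPs` and `result` became `var` declarations; a caller that JSON-encodes the result will emit `null` where it previously emitted `[]`, and a caller comparing against an empty slice changes outcome the same way the two `expected: nil` test hunks had to. If the value is ever serialized or compared that way, a comment on the function such as `// Returns nil (not an empty slice) when no route is auto-approved.` makes the new contract explicit. FindAutoApprovedIPs starts above the hunk, so I cannot see whether it already carries a doc comment.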
@@ -134,15 +143,6 @@ func (a ACLPolicy) FindAutoApprovedIPs(routableIPs []netip.Prefix, tags []string return result } -func (a ACLPolicy) IsTagOwner(tags []string, p *User) bool { - for _, t := range tags { - if a.isTagOwner(t, p) { - return true - } - } - return false -} - func (a ACLPolicy) CheckTagOwners(tags []string, p *User) error { var result *multierror.Error for _, t := range tags { @@ -158,53 +158,18 @@ func (a ACLPolicy) isTagOwner(tag string, p *User) bool { return true } if tagOwners, ok := a.TagOwners[tag]; ok { - return a.validateTagOwners(tagOwners, p) - } - return false -} - -func (a ACLPolicy) validateTagOwners(tagOwners []string, p *User) bool { - for _, alias := range tagOwners { - if strings.HasPrefix(alias, "group:") { - if group, ok := a.Groups[alias]; ok { - for _, groupMember := range group { - if groupMember == p.Name { - return true - } + for _, alias := range tagOwners { + if strings.HasPrefix(alias, "group:") { + if group, ok := a.Groups[alias]; ok { + return slices.Contains(group, p.Name) } - } - } else { - if alias == p.Name { - return true - } - } - } - return false -} - -func (a ACLPolicy) IsValidPeer(src *Machine, dest *Machine) bool { - if !src.HasTags() && !dest.HasTags() && dest.HasUser(src.User.Name) { - return true - } - - for _, acl := range a.ACLs { - selfDestPorts, allDestPorts := a.expandMachineToDstPorts(dest, acl.Dst) - if len(selfDestPorts) != 0 { - for _, alias := range acl.Src { - if len(a.expandMachineAlias(src, alias, true, &dest.User)) != 0 { - return true - } - } - } - if len(allDestPorts) != 0 { - for _, alias := range acl.Src { - if len(a.expandMachineAlias(src, alias, true, nil)) != 0 { + } else { + if alias == p.Name { return true } } } } - return false } 
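Review bot: The rewritten group branch in isTagOwner changes the outcome for a user listed after a group in `tagOwners`: `return slices.Contains(group, p.Name)` returns false as soon as the first existing group does not contain p.Name, whereas the removed loop only returned on a match and kept scanning the remaining aliases, so an owner list like `["group:eng", "alice@example.com"]` now denies alice. Keep the early return only on a positive match: `if slices.Contains(group, p.Name) { return true }`. This fails closed, but it silently breaks tag ownership for any policy that mixes groups and individual users, and no test in this commit covers that shape. isTagOwner's signature and its first lines are above the hunk.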
@@ -252,182 +217,12 @@ func (a ACLPolicy) NodeCapabilities(m *Machine) []tailcfg.NodeCapability { return caps } -func (a ACLPolicy) BuildFilterRules(srcs []Machine, dst *Machine) []tailcfg.FilterRule { - var rules = make([]tailcfg.FilterRule, 0) - - appendRules := func(rules []tailcfg.FilterRule, proto string, src []string, destPorts []tailcfg.NetPortRange, u *User) []tailcfg.FilterRule { - var allSrcIPsSet = &StringSet{} - for _, alias := range src { - for _, src := range srcs { - srcIPs := a.expandMachineAlias(&src, alias, true, u) - allSrcIPsSet.Add(srcIPs...) - } - } - - allSrcIPs := allSrcIPsSet.Items() - - if len(allSrcIPs) == 0 { - return rules - } - - return append(rules, tailcfg.FilterRule{ - SrcIPs: allSrcIPs, - DstPorts: destPorts, - IPProto: parseProtocol(proto), - }) - } - - for _, acl := range a.ACLs { - selfDestPorts, allDestPorts := a.expandMachineToDstPorts(dst, acl.Dst) - if len(selfDestPorts) != 0 { - rules = appendRules(rules, acl.Proto, acl.Src, selfDestPorts, &dst.User) - } - if len(allDestPorts) != 0 { - rules = appendRules(rules, acl.Proto, acl.Src, allDestPorts, nil) - } - } - - return rules -} - -func (a ACLPolicy) expandMachineToDstPorts(m *Machine, ports []string) ([]tailcfg.NetPortRange, []tailcfg.NetPortRange) { - selfDestRanges := []tailcfg.NetPortRange{} - otherDestRanges := []tailcfg.NetPortRange{} - for _, d := range ports { - self, ranges := a.expandMachineDestToNetPortRanges(m, d) - if self { - selfDestRanges = append(selfDestRanges, ranges...) - } else { - otherDestRanges = append(otherDestRanges, ranges...) 
- } - } - return selfDestRanges, otherDestRanges -} - -func (a ACLPolicy) expandMachineDestToNetPortRanges(m *Machine, dest string) (bool, []tailcfg.NetPortRange) { - lastInd := strings.LastIndex(dest, ":") - if lastInd == -1 { - return false, nil - } - - alias := dest[:lastInd] - portRange := dest[lastInd+1:] - - ports, err := a.expandValuePortToPortRange(portRange) - if err != nil { - return false, nil - } - - ips := a.expandMachineAlias(m, alias, false, nil) - if len(ips) == 0 { - return false, nil - } - - var netPortRanges []tailcfg.NetPortRange - for _, d := range ips { - for _, p := range ports { - pr := tailcfg.NetPortRange{ - IP: d, - Ports: p, - } - netPortRanges = append(netPortRanges, pr) - } - } - - return alias == AutoGroupSelf, netPortRanges -} - -func (a ACLPolicy) expandMachineAlias(m *Machine, alias string, src bool, u *User) []string { - if u != nil && m.HasTags() { - return []string{} - } - - if u != nil && !m.HasUser(u.Name) { - return []string{} - } - - if alias == "*" && u != nil { - return m.IPs() - } - - if alias == "*" { - return []string{"*"} - } - - if alias == AutoGroupMember || alias == AutoGroupMembers || alias == AutoGroupSelf { - if !m.HasTags() { - return m.IPs() - } else { - return []string{} - } - } - - if alias == AutoGroupTagged { - if m.HasTags() { - return m.IPs() - } else { - return []string{} - } - } - - if alias == AutoGroupInternet && m.IsExitNode() { - return autogroupInternetRanges() - } - - if strings.Contains(alias, "@") && !m.HasTags() && m.HasUser(alias) { - return m.IPs() - } - - if strings.HasPrefix(alias, "group:") && !m.HasTags() { - users, ok := a.Groups[alias] - - if !ok { - return []string{} - } - - for _, u := range users { - if m.HasUser(u) { - return m.IPs() - } - } - - return []string{} - } - - if strings.HasPrefix(alias, "tag:") && m.HasTag(alias) { - return m.IPs() - } - - if h, ok := a.Hosts[alias]; ok { - alias = h - } - - if src { - ip, err := netip.ParseAddr(alias) - if err == nil && m.HasIP(ip) { - 
return []string{ip.String()} - } - } else { - ip, err := netip.ParseAddr(alias) - if err == nil && m.IsAllowedIP(ip) { - return []string{ip.String()} - } - - prefix, err := netip.ParsePrefix(alias) - if err == nil && m.IsAllowedIPPrefix(prefix) { - return []string{prefix.String()} - } - } - - return []string{} -} - -func (a ACLPolicy) expandValuePortToPortRange(s string) ([]tailcfg.PortRange, error) { +func (a ACLPolicy) parsePortRanges(s string) ([]tailcfg.PortRange, error) { if s == "*" { - return []tailcfg.PortRange{{First: 0, Last: 65535}}, nil + return []tailcfg.PortRange{tailcfg.PortRangeAny}, nil } - ports := []tailcfg.PortRange{} + var ports []tailcfg.PortRange for _, p := range strings.Split(s, ",") { rang := strings.Split(p, "-") if len(rang) == 1 { @@ -582,6 +377,10 @@ func (s *StringSet) Items() []string { return items } +func (s *StringSet) Empty() bool { + return len(s.items) == 0 +} + func autogroupInternetRanges() []string { return []string{ "0.0.0.0/5", diff --git a/internal/domain/acl_filter_rules.go b/internal/domain/acl_filter_rules.go new file mode 100644 index 0000000..d23251a --- /dev/null +++ b/internal/domain/acl_filter_rules.go 
@@ -0,0 +1,346 @@ +package domain + +import ( + "net/netip" + "strings" + "tailscale.com/tailcfg" +) + +func (a ACLPolicy) IsValidPeer(src *Machine, dest *Machine) bool { + if !src.HasTags() && !dest.HasTags() && dest.HasUser(src.User.Name) { + return true + } + + for _, acl := range a.ACLs { + selfDestPorts, allDestPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Dst, dest) + if len(selfDestPorts) != 0 { + for _, alias := range acl.Src { + if len(a.translateSourceAliasToMachineIPs(alias, src, &dest.User)) != 0 { + return true + } + } + } + if len(allDestPorts) != 0 { + for _, alias := range acl.Src { + if len(a.translateSourceAliasToMachineIPs(alias, src, nil)) != 0 { + return true + } + } + } + } + + for _, grant := range a.Grants { + selfIps, otherIps := a.translateDestinationAliasesToMachineIPs(grant.Dst, dest) + if len(selfIps) != 0 { + for _, alias := range grant.Src { + if len(a.translateSourceAliasToMachineIPs(alias, src, &dest.User)) != 0 { + return true + } + } + } + if len(otherIps) != 0 { + for _, alias := range grant.Src { + if len(a.translateSourceAliasToMachineIPs(alias, src, nil)) != 0 { + return true + } + } + } + } + + return false +} + +func (a ACLPolicy) BuildFilterRules(peers []Machine, dst *Machine) []tailcfg.FilterRule { + var rules = make([]tailcfg.FilterRule, 0) + + matchSourceAndAppendRule := func(rules []tailcfg.FilterRule, aliases []string, preparedRules []tailcfg.FilterRule, u *User) []tailcfg.FilterRule { + if len(preparedRules) == 0 { + return rules + } + + var allSrcIPsSet = &StringSet{} + for _, alias := range aliases { + for _, peer := range peers { + allSrcIPsSet.Add(a.translateSourceAliasToMachineIPs(alias, &peer, u)...) 
+ } + } + + if allSrcIPsSet.Empty() { + return rules + } + + allSrcIPs := allSrcIPsSet.Items() + + if len(allSrcIPs) == 0 { + return rules + } + + for _, pr := range preparedRules { + rules = append(rules, tailcfg.FilterRule{ + SrcIPs: allSrcIPs, + DstPorts: pr.DstPorts, + IPProto: pr.IPProto, + CapGrant: pr.CapGrant, + }) + } + + return rules + } + + for _, acl := range a.ACLs { + self, other := a.prepareFilterRulesFromACL(dst, acl) + rules = matchSourceAndAppendRule(rules, acl.Src, self, &dst.User) + rules = matchSourceAndAppendRule(rules, acl.Src, other, nil) + } + + for _, acl := range a.Grants { + self, other := a.prepareFilterRulesFromGrant(dst, acl) + rules = matchSourceAndAppendRule(rules, acl.Src, self, &dst.User) + rules = matchSourceAndAppendRule(rules, acl.Src, other, nil) + } + + return rules +} + +func (a ACLPolicy) prepareFilterRulesFromACL(candidate *Machine, acl ACL) ([]tailcfg.FilterRule, []tailcfg.FilterRule) { + proto := parseProtocol(acl.Proto) + + selfDstPorts, otherDstPorts := a.translateDestinationAliasesToMachineNetPortRanges(acl.Dst, candidate) + + var selfFilterRules []tailcfg.FilterRule + var otherFilterRules []tailcfg.FilterRule + + if len(selfDstPorts) != 0 { + selfFilterRules = append(selfFilterRules, tailcfg.FilterRule{IPProto: proto, DstPorts: selfDstPorts}) + } + + if len(otherDstPorts) != 0 { + otherFilterRules = append(otherFilterRules, tailcfg.FilterRule{IPProto: proto, DstPorts: otherDstPorts}) + } + + return selfFilterRules, otherFilterRules +} + +func (a ACLPolicy) prepareFilterRulesFromGrant(candidate *Machine, grant Grant) ([]tailcfg.FilterRule, []tailcfg.FilterRule) { + selfIPs, otherIPs := a.translateDestinationAliasesToMachineIPs(grant.Dst, candidate) + + var selfFilterRules []tailcfg.FilterRule + var otherFilterRules []tailcfg.FilterRule + + for _, ip := range grant.IP { + if len(selfIPs) != 0 { + ranges := make([]tailcfg.NetPortRange, len(selfIPs)) + for i, s := range selfIPs { + ranges[i] = tailcfg.NetPortRange{IP: s, 
Ports: ip.Ports} + } + + rule := tailcfg.FilterRule{DstPorts: ranges} + if ip.Proto != 0 { + rule.IPProto = []int{ip.Proto} + } + + selfFilterRules = append(selfFilterRules, rule) + } + + if len(otherIPs) != 0 { + ranges := make([]tailcfg.NetPortRange, len(otherIPs)) + for i, s := range otherIPs { + ranges[i] = tailcfg.NetPortRange{IP: s, Ports: ip.Ports} + } + + rule := tailcfg.FilterRule{DstPorts: ranges} + if ip.Proto != 0 { + rule.IPProto = []int{ip.Proto} + } + + otherFilterRules = append(otherFilterRules, rule) + } + } + + if len(grant.App) != 0 { + selfPrefixes, otherPrefixes := appGrantDstIpsToPrefixes(candidate, selfIPs, otherIPs) + if len(selfPrefixes) != 0 { + rule := tailcfg.FilterRule{CapGrant: []tailcfg.CapGrant{{Dsts: selfPrefixes, CapMap: grant.App}}} + selfFilterRules = append(selfFilterRules, rule) + } + + if len(otherPrefixes) != 0 { + rule := tailcfg.FilterRule{CapGrant: []tailcfg.CapGrant{{Dsts: otherPrefixes, CapMap: grant.App}}} + otherFilterRules = append(otherFilterRules, rule) + } + } + + return selfFilterRules, otherFilterRules +} + +func appGrantDstIpsToPrefixes(m *Machine, self []string, other []string) ([]netip.Prefix, []netip.Prefix) { + translate := func(ips []string) []netip.Prefix { + var prefixes []netip.Prefix + for _, ip := range ips { + if ip == "*" { + prefixes = append(prefixes, netip.PrefixFrom(*m.IPv4.Addr, 32)) + prefixes = append(prefixes, netip.PrefixFrom(*m.IPv6.Addr, 128)) + } else { + addr, err := netip.ParseAddr(ip) + if err == nil && m.HasIP(addr) { + if addr.Is4() { + prefixes = append(prefixes, netip.PrefixFrom(addr, 32)) + } else { + prefixes = append(prefixes, netip.PrefixFrom(addr, 128)) + } + } + } + } + return prefixes + } + + return translate(self), translate(other) +} + +func (a ACLPolicy) translateDestinationAliasesToMachineIPs(aliases []string, m *Machine) ([]string, []string) { + var self = &StringSet{} + var other = &StringSet{} + for _, alias := range aliases { + ips := 
a.translateDestinationAliasToMachineIPs(alias, m) + if alias == AutoGroupSelf { + self.Add(ips...) + } else { + other.Add(ips...) + } + } + return self.Items(), other.Items() +} + +func (a ACLPolicy) translateDestinationAliasesToMachineNetPortRanges(aliases []string, m *Machine) ([]tailcfg.NetPortRange, []tailcfg.NetPortRange) { + var self []tailcfg.NetPortRange + var other []tailcfg.NetPortRange + for _, alias := range aliases { + ranges := a.translationDestinationAliasToMachineNetPortRanges(alias, m) + if strings.HasPrefix(alias, AutoGroupSelf) { + self = append(self, ranges...) + } else { + other = append(other, ranges...) + } + } + return self, other +} + +func (a ACLPolicy) translationDestinationAliasToMachineNetPortRanges(alias string, m *Machine) []tailcfg.NetPortRange { + lastInd := strings.LastIndex(alias, ":") + if lastInd == -1 { + return nil + } + + ports := alias[lastInd+1:] + alias = alias[:lastInd] + + portRanges, err := a.parsePortRanges(ports) + if err != nil { + return nil + } + + ips := a.translateDestinationAliasToMachineIPs(alias, m) + if len(ips) == 0 { + return nil + } + + var netPortRanges []tailcfg.NetPortRange + for _, d := range ips { + for _, p := range portRanges { + pr := tailcfg.NetPortRange{ + IP: d, + Ports: p, + } + netPortRanges = append(netPortRanges, pr) + } + } + + return netPortRanges +} + +func (a ACLPolicy) translateDestinationAliasToMachineIPs(alias string, m *Machine) []string { + f := func(alias string, m *Machine) []string { + ip, err := netip.ParseAddr(alias) + if err == nil && m.IsAllowedIP(ip) { + return []string{ip.String()} + } + + prefix, err := netip.ParsePrefix(alias) + if err == nil && m.IsAllowedIPPrefix(prefix) { + return []string{prefix.String()} + } + + return make([]string, 0) + } + + return a.translateAliasToMachineIPs(alias, m, nil, f) +} + +func (a ACLPolicy) translateSourceAliasToMachineIPs(alias string, m *Machine, u *User) []string { + f := func(alias string, m *Machine) []string { + ip, err := 
netip.ParseAddr(alias) + if err == nil && m.HasIP(ip) { + return []string{ip.String()} + } + + return make([]string, 0) + } + + return a.translateAliasToMachineIPs(alias, m, u, f) +} + +func (a ACLPolicy) translateAliasToMachineIPs(alias string, m *Machine, u *User, f func(string, *Machine) []string) []string { + if u != nil && m.HasTags() { + return []string{} + } + + if u != nil && !m.HasUser(u.Name) { + return []string{} + } + + if alias == "*" && u != nil { + return m.IPs() + } + + if alias == "*" { + return []string{"*"} + } + + if alias == AutoGroupMember || alias == AutoGroupMembers || alias == AutoGroupSelf { + if !m.HasTags() { + return m.IPs() + } else { + return []string{} + } + } + + if alias == AutoGroupTagged { + if m.HasTags() { + return m.IPs() + } else { + return []string{} + } + } + + if alias == AutoGroupInternet && m.IsExitNode() { + return autogroupInternetRanges() + } + + if strings.Contains(alias, "@") && !m.HasTags() && m.HasUser(alias) { + return m.IPs() + } + + if strings.HasPrefix(alias, "group:") && !m.HasTags() && a.isGroupMember(alias, m) { + return m.IPs() + } + + if strings.HasPrefix(alias, "tag:") && m.HasTag(alias) { + return m.IPs() + } + + if h, ok := a.Hosts[alias]; ok { + alias = h + } + + return f(alias, m) +} diff --git a/internal/domain/acl_test.go b/internal/domain/acl_test.go index caa6c2a..c753b82 100644 --- a/internal/domain/acl_test.go +++ b/internal/domain/acl_test.go @@ -1,8 +1,10 @@ package domain import ( + "encoding/json" "github.com/jsiebens/ionscale/internal/addr" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "net/netip" "sort" "tailscale.com/tailcfg" @@ -841,7 +843,7 @@ func TestACLPolicy_FindAutoApprovedIPs(t *testing.T) { name: "no match", userName: "nick@example.com", routableIPs: []netip.Prefix{route1, route2, route3}, - expected: []netip.Prefix{}, + expected: nil, }, { name: "exit", 
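Review bot: appGrantDstIpsToPrefixes drops every destination that translateDestinationAliasToMachineIPs returned as a prefix: the `f` callback there emits `prefix.String()` for aliases accepted by `m.IsAllowedIPPrefix`, and the `translate` closure only tries `netip.ParseAddr`, so a CIDR destination (or the `autogroup:internet` ranges) silently yields no CapGrant. If app grants are meant to follow the same destination rules as the IP grants, fall back to `netip.ParsePrefix` as below; if they are intentionally limited to the node's own addresses, a comment on `translate` should say so. The `"*"` branch also dereferences `*m.IPv4.Addr` and `*m.IPv6.Addr` unconditionally, which panics if either pointer can be nil for a machine without that address family; I cannot tell from here whether both are always assigned. Separately, `translationDestinationAliasToMachineNetPortRanges` breaks the `translate…` naming of its siblings; `translateDestinationAliasToMachineNetPortRanges` would match.
```go
	translate := func(ips []string) []netip.Prefix {
		var prefixes []netip.Prefix
		for _, ip := range ips {
			if ip == "*" {
				// … unchanged: append the node's own IPv4 /32 and IPv6 /128 …
				continue
			}
			if addr, err := netip.ParseAddr(ip); err == nil && m.HasIP(addr) {
				prefixes = append(prefixes, netip.PrefixFrom(addr, addr.BitLen()))
				continue
			}
			// Destinations already validated via IsAllowedIPPrefix arrive as CIDR strings.
			if prefix, err := netip.ParsePrefix(ip); err == nil && m.IsAllowedIPPrefix(prefix) {
				prefixes = append(prefixes, prefix)
			}
		}
		return prefixes
	}
```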
@@ -853,7 +855,7 @@ func TestACLPolicy_FindAutoApprovedIPs(t *testing.T) { name: "exit no match", userName: "john@example.com", routableIPs: []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0")}, - expected: []netip.Prefix{}, + expected: nil, }, } 
@@ -900,3 +902,87 @@ func TestACLPolicy_BuildFilterRulesWithAdvertisedRoutes(t *testing.T) { assert.Equal(t, expectedRules, actualRules) } + +func TestACLPolicy_BuildFilterRulesWildcardGrants(t *testing.T) { + ranges, err := tailcfg.ParseProtoPortRanges([]string{"*"}) + require.NoError(t, err) + + p1 := createMachine("john@example.com") + p2 := createMachine("jane@example.com") + + policy := ACLPolicy{ + Grants: []Grant{ + { + Src: []string{"*"}, + Dst: []string{"*"}, + IP: ranges, + }, + }, + } + + dst := createMachine("john@example.com") + + actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst) + expectedRules := []tailcfg.FilterRule{ + { + SrcIPs: []string{"*"}, + DstPorts: []tailcfg.NetPortRange{ + { + IP: "*", + Ports: tailcfg.PortRange{ + First: 0, + Last: 65535, + }, + }, + }, + }, + } + + assert.Equal(t, expectedRules, actualRules) +} + +func TestACLPolicy_BuildFilterRulesWithAppGrants(t *testing.T) { + p1 := createMachine("john@example.com") + p2 := createMachine("jane@example.com") + + dst := createMachine("john@example.com") + + mycap := map[string]interface{}{ + "channel": "alpha", + "ids": []string{"1", "2", "3"}, + } + + marshal, _ := json.Marshal(mycap) + + policy := ACLPolicy{ + Grants: []Grant{ + { + Src: []string{"*"}, + Dst: []string{"*"}, + App: map[tailcfg.PeerCapability][]tailcfg.RawMessage{ + tailcfg.PeerCapability("localtest.me/cap/test"): {tailcfg.RawMessage(marshal)}, + }, + }, + }, + } + + actualRules := policy.BuildFilterRules([]Machine{*p1, *p2}, dst) + expectedRules := []tailcfg.FilterRule{ + { + SrcIPs: []string{"*"}, + CapGrant: []tailcfg.CapGrant{ + { + Dsts: []netip.Prefix{ + netip.PrefixFrom(*dst.IPv4.Addr, 32), + netip.PrefixFrom(*dst.IPv6.Addr, 128), + }, + CapMap: map[tailcfg.PeerCapability][]tailcfg.RawMessage{ + tailcfg.PeerCapability("localtest.me/cap/test"): {tailcfg.RawMessage(marshal)}, + }, + }, + }, + }, + } + + assert.Equal(t, expectedRules, actualRules) +} 
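Review bot: `marshal, _ := json.Marshal(mycap)` in TestACLPolicy_BuildFilterRulesWithAppGrants discards the marshal error even though this commit adds the `require` import; `marshal, err := json.Marshal(mycap)` followed by `require.NoError(t, err)` stops the test from comparing against an empty RawMessage if marshalling ever fails. Both new tests use only `"*"` for Src and Dst, so the self/other split in prepareFilterRulesFromGrant and the IsValidPeer grant branch are never exercised with `autogroup:self`, a group or a tag destination; one such case would cover the paths the wildcard tests skip.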
diff --git a/pkg/gen/ionscale/v1/acl.pb.go b/pkg/gen/ionscale/v1/acl.pb.go index 1c547f4..0e05ec0 100644 --- a/pkg/gen/ionscale/v1/acl.pb.go +++ b/pkg/gen/ionscale/v1/acl.pb.go @@ -220,6 +220,7 @@ type ACLPolicy struct { Autoapprovers *AutoApprovers `protobuf:"bytes,5,opt,name=autoapprovers,proto3,oneof" json:"autoapprovers,omitempty"` Ssh []*SSHRule `protobuf:"bytes,6,rep,name=ssh,proto3" json:"ssh,omitempty"` Nodeattrs []*NodeAttr `protobuf:"bytes,7,rep,name=nodeattrs,proto3" json:"nodeattrs,omitempty"` + Grants []*ACLGrant `protobuf:"bytes,8,rep,name=grants,proto3" json:"grants,omitempty"` } func (x *ACLPolicy) Reset() { @@ -303,6 +304,13 @@ func (x *ACLPolicy) GetNodeattrs() []*NodeAttr { return nil } +func (x *ACLPolicy) GetGrants() []*ACLGrant { + if x != nil { + return x.Grants + } + return nil +} + type ACL struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -563,6 +571,77 @@ func (x *NodeAttr) GetAttr() []string { return nil } +type ACLGrant struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + Src []string `protobuf:"bytes,1,rep,name=src,proto3" json:"src,omitempty"` + Dst []string `protobuf:"bytes,2,rep,name=dst,proto3" json:"dst,omitempty"` + Ip []string `protobuf:"bytes,3,rep,name=ip,proto3" json:"ip,omitempty"` + App map[string]*structpb.ListValue `protobuf:"bytes,4,rep,name=app,proto3" json:"app,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` +} + +func (x *ACLGrant) Reset() { + *x = ACLGrant{} + if protoimpl.UnsafeEnabled { + mi := &file_ionscale_v1_acl_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ACLGrant) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ACLGrant) ProtoMessage() {} + +func (x *ACLGrant) ProtoReflect() protoreflect.Message { + mi := &file_ionscale_v1_acl_proto_msgTypes[9] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ACLGrant.ProtoReflect.Descriptor instead. +func (*ACLGrant) Descriptor() ([]byte, []int) { + return file_ionscale_v1_acl_proto_rawDescGZIP(), []int{9} +} + +func (x *ACLGrant) GetSrc() []string { + if x != nil { + return x.Src + } + return nil +} + +func (x *ACLGrant) GetDst() []string { + if x != nil { + return x.Dst + } + return nil +} + +func (x *ACLGrant) GetIp() []string { + if x != nil { + return x.Ip + } + return nil +} + +func (x *ACLGrant) GetApp() map[string]*structpb.ListValue { + if x != nil { + return x.App + } + return nil +} + var File_ionscale_v1_acl_proto protoreflect.FileDescriptor var file_ionscale_v1_acl_proto_rawDesc = []byte{ 
@@ -585,7 +664,7 @@ var file_ionscale_v1_acl_proto_rawDesc = []byte{ 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x06, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x22, 0x16, 0x0a, 0x14, 0x53, 0x65, 0x74, 0x41, 0x43, 0x4c, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x8c, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0xbb, 0x05, 0x0a, 0x09, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x37, 0x0a, 0x05, 0x68, 0x6f, 0x73, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, 0x4c, 0x50, 0x6f, 0x6c, 
@@ -611,56 +690,71 @@ var file_ionscale_v1_acl_proto_rawDesc = []byte{ 0x6f, 0x64, 0x65, 0x61, 0x74, 0x74, 0x72, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x41, 0x74, 0x74, 0x72, 0x52, 0x09, 0x6e, 0x6f, 0x64, 0x65, 0x61, 0x74, 0x74, 0x72, 0x73, - 0x1a, 0x38, 0x0a, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, - 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, - 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x55, 0x0a, 0x0b, 0x47, 0x72, - 0x6f, 0x75, 0x70, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, - 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, - 0x01, 0x1a, 0x58, 0x0a, 0x0e, 0x54, 0x61, 0x67, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x73, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, - 0x61, 0x75, 0x74, 0x6f, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x22, 0x57, 0x0a, - 0x03, 0x41, 0x43, 0x4c, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 
0x69, 0x6f, 0x6e, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x0a, 0x03, - 0x73, 0x72, 0x63, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, 0x12, 0x10, - 0x0a, 0x03, 0x64, 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, 0x73, 0x74, - 0x12, 0x14, 0x0a, 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc2, 0x01, 0x0a, 0x0d, 0x41, 0x75, 0x74, 0x6f, 0x41, - 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x12, 0x3e, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, - 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, - 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, 0x70, 0x72, 0x6f, - 0x76, 0x65, 0x72, 0x73, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, - 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x65, 0x78, 0x69, 0x74, - 0x6e, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x65, 0x78, 0x69, 0x74, - 0x6e, 0x6f, 0x64, 0x65, 0x1a, 0x55, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x7d, 0x0a, 0x07, 0x53, - 0x53, 0x48, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, - 0x0a, 0x03, 0x73, 0x72, 0x63, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, - 0x12, 
0x10, 0x0a, 0x03, 0x64, 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, - 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, - 0x09, 0x52, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x68, 0x65, 0x63, - 0x6b, 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, - 0x68, 0x65, 0x63, 0x6b, 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x22, 0x36, 0x0a, 0x08, 0x4e, 0x6f, - 0x64, 0x65, 0x41, 0x74, 0x74, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, - 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x12, - 0x0a, 0x04, 0x61, 0x74, 0x74, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x61, 0x74, - 0x74, 0x72, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, - 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, - 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, - 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x2d, 0x0a, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x15, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, + 0x43, 0x4c, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x52, 0x06, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x73, 0x1a, + 0x38, 0x0a, 0x0a, 0x48, 0x6f, 0x73, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, + 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, + 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x55, 0x0a, 0x0b, 0x47, 0x72, 0x6f, + 0x75, 0x70, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 
0x79, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, + 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, + 0x1a, 0x58, 0x0a, 0x0e, 0x54, 0x61, 0x67, 0x6f, 0x77, 0x6e, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, + 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, + 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x61, + 0x75, 0x74, 0x6f, 0x61, 0x70, 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x22, 0x57, 0x0a, 0x03, + 0x41, 0x43, 0x4c, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x0a, 0x03, 0x73, + 0x72, 0x63, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, 0x12, 0x10, 0x0a, + 0x03, 0x64, 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, 0x73, 0x74, 0x12, + 0x14, 0x0a, 0x05, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xc2, 0x01, 0x0a, 0x0d, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, + 0x70, 0x72, 0x6f, 0x76, 0x65, 0x72, 0x73, 0x12, 0x3e, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, + 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, + 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x6f, 0x41, 0x70, 0x70, 0x72, 0x6f, 0x76, + 0x65, 0x72, 0x73, 0x2e, 
0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, + 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1a, 0x0a, 0x08, 0x65, 0x78, 0x69, 0x74, 0x6e, + 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x65, 0x78, 0x69, 0x74, 0x6e, + 0x6f, 0x64, 0x65, 0x1a, 0x55, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, + 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x03, 0x6b, 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, + 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x7d, 0x0a, 0x07, 0x53, 0x53, + 0x48, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x10, 0x0a, + 0x03, 0x73, 0x72, 0x63, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, 0x12, + 0x10, 0x0a, 0x03, 0x64, 0x73, 0x74, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, 0x73, + 0x74, 0x12, 0x14, 0x0a, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x05, 0x75, 0x73, 0x65, 0x72, 0x73, 0x12, 0x20, 0x0a, 0x0b, 0x63, 0x68, 0x65, 0x63, 0x6b, + 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x63, 0x68, + 0x65, 0x63, 0x6b, 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x22, 0x36, 0x0a, 0x08, 0x4e, 0x6f, 0x64, + 0x65, 0x41, 0x74, 0x74, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x18, + 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x12, 0x12, 0x0a, + 0x04, 0x61, 0x74, 0x74, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x04, 0x61, 0x74, 0x74, + 0x72, 0x22, 0xc4, 0x01, 0x0a, 0x08, 0x41, 0x43, 0x4c, 0x47, 
0x72, 0x61, 0x6e, 0x74, 0x12, 0x10, + 0x0a, 0x03, 0x73, 0x72, 0x63, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x73, 0x72, 0x63, + 0x12, 0x10, 0x0a, 0x03, 0x64, 0x73, 0x74, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x03, 0x64, + 0x73, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x70, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x02, + 0x69, 0x70, 0x12, 0x30, 0x0a, 0x03, 0x61, 0x70, 0x70, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, + 0x1e, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x43, + 0x4c, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x2e, 0x41, 0x70, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, + 0x03, 0x61, 0x70, 0x70, 0x1a, 0x52, 0x0a, 0x08, 0x41, 0x70, 0x70, 0x45, 0x6e, 0x74, 0x72, 0x79, + 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, + 0x65, 0x79, 0x12, 0x30, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x75, 0x66, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, 0x76, + 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, + 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, + 0x2f, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, + 0x73, 0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -675,7 +769,7 @@ func file_ionscale_v1_acl_proto_rawDescGZIP() []byte { return file_ionscale_v1_acl_proto_rawDescData } -var file_ionscale_v1_acl_proto_msgTypes = make([]protoimpl.MessageInfo, 13) +var file_ionscale_v1_acl_proto_msgTypes = make([]protoimpl.MessageInfo, 15) var file_ionscale_v1_acl_proto_goTypes = []interface{}{ (*GetACLPolicyRequest)(nil), // 0: ionscale.v1.GetACLPolicyRequest (*GetACLPolicyResponse)(nil), // 1: ionscale.v1.GetACLPolicyResponse 
@@ -686,31 +780,36 @@ var file_ionscale_v1_acl_proto_goTypes = []interface{}{ (*AutoApprovers)(nil), // 6: ionscale.v1.AutoApprovers (*SSHRule)(nil), // 7: ionscale.v1.SSHRule (*NodeAttr)(nil), // 8: ionscale.v1.NodeAttr - nil, // 9: ionscale.v1.ACLPolicy.HostsEntry - nil, // 10: ionscale.v1.ACLPolicy.GroupsEntry - nil, // 11: ionscale.v1.ACLPolicy.TagownersEntry - nil, // 12: ionscale.v1.AutoApprovers.RoutesEntry - (*structpb.ListValue)(nil), // 13: google.protobuf.ListValue + (*ACLGrant)(nil), // 9: ionscale.v1.ACLGrant + nil, // 10: ionscale.v1.ACLPolicy.HostsEntry + nil, // 11: ionscale.v1.ACLPolicy.GroupsEntry + nil, // 12: ionscale.v1.ACLPolicy.TagownersEntry + nil, // 13: ionscale.v1.AutoApprovers.RoutesEntry + nil, // 14: ionscale.v1.ACLGrant.AppEntry + (*structpb.ListValue)(nil), // 15: google.protobuf.ListValue } var file_ionscale_v1_acl_proto_depIdxs = []int32{ 4, // 0: ionscale.v1.GetACLPolicyResponse.policy:type_name -> ionscale.v1.ACLPolicy 4, // 1: ionscale.v1.SetACLPolicyRequest.policy:type_name -> ionscale.v1.ACLPolicy - 9, // 2: ionscale.v1.ACLPolicy.hosts:type_name -> ionscale.v1.ACLPolicy.HostsEntry - 10, // 3: ionscale.v1.ACLPolicy.groups:type_name -> ionscale.v1.ACLPolicy.GroupsEntry + 10, // 2: ionscale.v1.ACLPolicy.hosts:type_name -> ionscale.v1.ACLPolicy.HostsEntry + 11, // 3: ionscale.v1.ACLPolicy.groups:type_name -> ionscale.v1.ACLPolicy.GroupsEntry 5, // 4: ionscale.v1.ACLPolicy.acls:type_name -> ionscale.v1.ACL - 11, // 5: ionscale.v1.ACLPolicy.tagowners:type_name -> ionscale.v1.ACLPolicy.TagownersEntry + 12, // 5: ionscale.v1.ACLPolicy.tagowners:type_name -> ionscale.v1.ACLPolicy.TagownersEntry 6, // 6: ionscale.v1.ACLPolicy.autoapprovers:type_name -> ionscale.v1.AutoApprovers 7, // 7: ionscale.v1.ACLPolicy.ssh:type_name -> ionscale.v1.SSHRule 8, // 8: ionscale.v1.ACLPolicy.nodeattrs:type_name -> ionscale.v1.NodeAttr - 12, // 9: ionscale.v1.AutoApprovers.routes:type_name -> ionscale.v1.AutoApprovers.RoutesEntry - 13, // 10: 
ionscale.v1.ACLPolicy.GroupsEntry.value:type_name -> google.protobuf.ListValue - 13, // 11: ionscale.v1.ACLPolicy.TagownersEntry.value:type_name -> google.protobuf.ListValue - 13, // 12: ionscale.v1.AutoApprovers.RoutesEntry.value:type_name -> google.protobuf.ListValue - 13, // [13:13] is the sub-list for method output_type - 13, // [13:13] is the sub-list for method input_type - 13, // [13:13] is the sub-list for extension type_name - 13, // [13:13] is the sub-list for extension extendee - 0, // [0:13] is the sub-list for field type_name + 9, // 9: ionscale.v1.ACLPolicy.grants:type_name -> ionscale.v1.ACLGrant + 13, // 10: ionscale.v1.AutoApprovers.routes:type_name -> ionscale.v1.AutoApprovers.RoutesEntry + 14, // 11: ionscale.v1.ACLGrant.app:type_name -> ionscale.v1.ACLGrant.AppEntry + 15, // 12: ionscale.v1.ACLPolicy.GroupsEntry.value:type_name -> google.protobuf.ListValue + 15, // 13: ionscale.v1.ACLPolicy.TagownersEntry.value:type_name -> google.protobuf.ListValue + 15, // 14: ionscale.v1.AutoApprovers.RoutesEntry.value:type_name -> google.protobuf.ListValue + 15, // 15: ionscale.v1.ACLGrant.AppEntry.value:type_name -> google.protobuf.ListValue + 16, // [16:16] is the sub-list for method output_type + 16, // [16:16] is the sub-list for method input_type + 16, // [16:16] is the sub-list for extension type_name + 16, // [16:16] is the sub-list for extension extendee + 0, // [0:16] is the sub-list for field type_name } func init() { file_ionscale_v1_acl_proto_init() } @@ -827,6 +926,18 @@ func file_ionscale_v1_acl_proto_init() { return nil } } + file_ionscale_v1_acl_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ACLGrant); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } file_ionscale_v1_acl_proto_msgTypes[4].OneofWrappers = []interface{}{} type x struct{} 
@@ -835,7 +946,7 @@ func file_ionscale_v1_acl_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_ionscale_v1_acl_proto_rawDesc, NumEnums: 0, - NumMessages: 13, + NumMessages: 15, NumExtensions: 0, NumServices: 0, }, diff --git a/proto/ionscale/v1/acl.proto b/proto/ionscale/v1/acl.proto index cad3014..a6164a3 100644 --- a/proto/ionscale/v1/acl.proto +++ b/proto/ionscale/v1/acl.proto @@ -29,6 +29,7 @@ message ACLPolicy { optional AutoApprovers autoapprovers = 5; repeated SSHRule ssh = 6; repeated NodeAttr nodeattrs = 7; + repeated ACLGrant grants = 8; } message ACL { @@ -54,4 +55,11 @@ message SSHRule { message NodeAttr { repeated string target = 1; repeated string attr = 2; +} + +message ACLGrant { + repeated string src = 1; + repeated string dst = 2; + repeated string ip = 3; + map app = 4; } \ No newline at end of file
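Review bot: The new `ACLGrant` message carries no field comments, and two of its fields need one more than most: `ip` is a `repeated string` whose accepted syntax is decided entirely by whatever converts it into the domain policy, and `app` maps to an untyped `google.protobuf.ListValue` (the `ACLGrant.AppEntry` value type in the regenerated descriptor), so neither field tells an API client what a valid entry looks like or what happens to an invalid one. Suggest `// ip: protocol/port ranges as strings; an unparsable entry should reject the whole policy rather than be dropped silently.` above `ip`, and `// app: application capability name -> list of opaque capability values; contents are validated by the consumer, not by this schema.` above `app`, since a grant that is silently narrowed or widened is an access-control bug. The `map app = 4;` line appears to have lost its key/value type arguments in this rendering; the descriptor and `depIdxs` entries indicate a string key and a `ListValue` value, so the committed source is presumably intact. The file still ends without a trailing newline (`\ No newline at end of file`), which this commit could have fixed since it already rewrites the last line.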