Fix dynamic app db resource matcher

gravitational · Apr 11, 2022 · 7db474c · 7db474c
1 parent cc2e1ad
commit 7db474c
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 12 deletions.
diff --git a/lib/services/matchers.go b/lib/services/matchers.go
@@ -17,10 +17,10 @@ limitations under the License.
 package services
 
 import (
-	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/trace"
-
 	"github.com/sirupsen/logrus"
+
+	"github.com/gravitational/teleport/api/types"
 )
 
 // ResourceMatcher matches cluster resources.
@@ -39,23 +39,26 @@ type AWSMatcher struct {
 	Tags types.Labels
 }
 
-// MatchResourceLabels returns true if any of the provided selectors matches the provided database.
+// MatchResourceLabels returns true if all of provided ResourceMatchers matches database resource.
 func MatchResourceLabels(matchers []ResourceMatcher, resource types.ResourceWithLabels) bool {
+	match := false
+	var err error
 	for _, matcher := range matchers {
 		if len(matcher.Labels) == 0 {
 			return false
 		}
-		match, _, err := MatchLabels(matcher.Labels, resource.GetAllLabels())
+		match, _, err = MatchLabels(matcher.Labels, resource.GetAllLabels())
 		if err != nil {
 			logrus.WithError(err).Errorf("Failed to match labels %v: %v.",
 				matcher.Labels, resource)
 			return false
 		}
-		if match {
-			return true
+
+		if !match {
+			return false
 		}
 	}
-	return false
+	return match
 }
 
 // MatchResourceByFilters returns true if all filter values given matched against the resource.

diff --git a/lib/services/matchers_test.go b/lib/services/matchers_test.go
@@ -19,12 +19,12 @@ package services
 import (
 	"testing"
 
-	"github.com/gravitational/teleport/api/types"
-	"github.com/gravitational/teleport/lib/defaults"
-	"github.com/gravitational/trace"
-
 	"github.com/google/uuid"
+	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/api/types"
+	"github.com/gravitational/teleport/lib/defaults"
 )
 
 // TestMatchResourceLabels tests matching a resource against a selector.
@@ -115,7 +115,42 @@ func TestMatchResourceLabels(t *testing.T) {
 				{Labels: types.Labels{"cluster": []string{"root"}}},
 			},
 			databaseLabels: map[string]string{"cluster": "root"},
-			match:          true,
+			match:          false,
+		},
+		{
+			description: "wildcard should match all labels",
+			selectors: []ResourceMatcher{
+				{Labels: types.Labels{types.Wildcard: []string{types.Wildcard}}},
+			},
+			databaseLabels: map[string]string{
+				"cluster": "root",
+				"account": "acc1",
+			},
+			match: true,
+		},
+		{
+			description: "all labels should match fail",
+			selectors: []ResourceMatcher{
+				{Labels: types.Labels{"cluster": []string{"dev"}}},
+				{Labels: types.Labels{"account": []string{"acc2"}}},
+			},
+			databaseLabels: map[string]string{
+				"cluster": "root",
+				"account": "acc1",
+			},
+			match: false,
+		},
+		{
+			description: "all labels should match pass",
+			selectors: []ResourceMatcher{
+				{Labels: types.Labels{"cluster": []string{"dev"}}},
+				{Labels: types.Labels{"account": []string{"acc2"}}},
+			},
+			databaseLabels: map[string]string{
+				"cluster": "root",
+				"account": "acc2",
+			},
+			match: false,
 		},
 	}