From 7db474c14da108a21bb2467834eed8d8d752cec3 Mon Sep 17 00:00:00 2001
From: Marek Smolinski
Date: Mon, 11 Apr 2022 09:52:54 +0200
Subject: [PATCH] Fix dynamic app db resource matcher
---
 lib/services/matchers.go | 17 +++++++------
 lib/services/matchers_test.go | 45 +++++++++++++++++++++++++++++++----
 2 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/lib/services/matchers.go b/lib/services/matchers.go
index b734adfbfb1d8..d393ffe5f9fb2 100644
--- a/lib/services/matchers.go
+++ b/lib/services/matchers.go
@@ -17,10 +17,10 @@ limitations under the License.
 package services
 import (
- "github.com/gravitational/teleport/api/types"
 "github.com/gravitational/trace"
-
 "github.com/sirupsen/logrus"
+
+ "github.com/gravitational/teleport/api/types"
 )
 // ResourceMatcher matches cluster resources.
@@ -39,23 +39,26 @@ type AWSMatcher struct {
 Tags types.Labels
 }
-// MatchResourceLabels returns true if any of the provided selectors matches the provided database.
+// MatchResourceLabels returns true if all of provided ResourceMatchers matches database resource.
 func MatchResourceLabels(matchers []ResourceMatcher, resource types.ResourceWithLabels) bool {
+ match := false
+ var err error
 for _, matcher := range matchers {
 if len(matcher.Labels) == 0 {
 return false
 }
- match, _, err := MatchLabels(matcher.Labels, resource.GetAllLabels())
+ match, _, err = MatchLabels(matcher.Labels, resource.GetAllLabels())
 if err != nil {
 logrus.WithError(err).Errorf("Failed to match labels %v: %v.", matcher.Labels, resource)
 return false
 }
- if match {
- return true
+
+ if !match {
+ return false
 }
 }
- return false
+ return match
 }
 // MatchResourceByFilters returns true if all filter values given matched against the resource.
diff --git a/lib/services/matchers_test.go b/lib/services/matchers_test.go
index 1e6edf23f43d9..301643b84b1b9 100644
--- a/lib/services/matchers_test.go
+++ b/lib/services/matchers_test.go
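Review bot: In the new body of `MatchResourceLabels`, the deny-by-default result for an empty `matchers` slice is carried only by the hoisted `match := false`, and once the loop has run at least once the final `return match` can only return true, so the two hoisted variables add state without adding behaviour. An explicit `if len(matchers) == 0 { return false }` before the loop, with `match, _, err := MatchLabels(...)` kept scoped inside it and a closing `return true`, states the same contract directly. The doc comment should also say that an empty matcher list, a matcher with no labels, or a `MatchLabels` error each reject the resource, and that matchers are now combined as all-of rather than any-of. Callers are outside this hunk, so it is worth confirming that no configuration lists several matchers as alternatives, since those would stop matching after this change.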
@@ -19,12 +19,12 @@ package services
 import (
 "testing"
- "github.com/gravitational/teleport/api/types"
- "github.com/gravitational/teleport/lib/defaults"
- "github.com/gravitational/trace"
-
 "github.com/google/uuid"
+ "github.com/gravitational/trace"
 "github.com/stretchr/testify/require"
+
+ "github.com/gravitational/teleport/api/types"
+ "github.com/gravitational/teleport/lib/defaults"
 )
 // TestMatchResourceLabels tests matching a resource against a selector.
@@ -115,7 +115,42 @@ func TestMatchResourceLabels(t *testing.T) {
 {Labels: types.Labels{"cluster": []string{"root"}}},
 },
 databaseLabels: map[string]string{"cluster": "root"},
- match: true,
+ match: false,
+ },
+ {
+ description: "wildcard should match all labels",
+ selectors: []ResourceMatcher{
+ {Labels: types.Labels{types.Wildcard: []string{types.Wildcard}}},
+ },
+ databaseLabels: map[string]string{
+ "cluster": "root",
+ "account": "acc1",
+ },
+ match: true,
+ },
+ {
+ description: "all labels should match fail",
+ selectors: []ResourceMatcher{
+ {Labels: types.Labels{"cluster": []string{"dev"}}},
+ {Labels: types.Labels{"account": []string{"acc2"}}},
+ },
+ databaseLabels: map[string]string{
+ "cluster": "root",
+ "account": "acc1",
+ },
+ match: false,
+ },
+ {
+ description: "all labels should match pass",
+ selectors: []ResourceMatcher{
+ {Labels: types.Labels{"cluster": []string{"dev"}}},
+ {Labels: types.Labels{"account": []string{"acc2"}}},
+ },
+ databaseLabels: map[string]string{
+ "cluster": "root",
+ "account": "acc2",
+ },
+ match: false,
 },
 }
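Review bot: None of the added cases exercises the accepting path of the all-of semantics with more than one matcher. The case described as "all labels should match pass" selects `cluster: dev` against a database labelled `cluster: root` and expects `match: false`, so it is a second rejection case. Changing its first selector to `{Labels: types.Labels{"cluster": []string{"root"}}}` and its expectation to `match: true` would pin that a resource is accepted when every matcher matches. A case with an empty `selectors` slice expecting `false` would also pin the deny-by-default result. The start of the test table and the loop that runs it are outside this hunk.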