Disk Loader: Scope filtering (dapr#7616)

* Disk Loader: Scope filtering

Adds scope filtering to the disk manifest loader.

Though this doesn't have any security benefits, it does mean manifests
are filtered much sooner in the runtime when running in self-hosted mode
and prevents logging/errors downstream in modules like the hot reloading
reconciler.

Signed-off-by: joshvanl <[email protected]>

* Update internal disk loader unit test with Options param

Signed-off-by: joshvanl <[email protected]>

* Pass appID to hotreload disk loader for scope filtering

Signed-off-by: joshvanl <[email protected]>

---------

Signed-off-by: joshvanl <[email protected]>
Signed-off-by: Elena Kolevska <[email protected]>

Author: JoshVanL

pkg/internal/loader/disk/components.go

@@ -18,6 +18,6 @@ import (
 	"github.com/dapr/dapr/pkg/internal/loader"
 )
 
-func NewComponents(paths ...string) loader.Loader[compapi.Component] {
-	return new[compapi.Component](paths...)
+func NewComponents(opts Options) loader.Loader[compapi.Component] {
+	return new[compapi.Component](opts)
 }

pkg/internal/loader/disk/disk.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/dapr/dapr/pkg/runtime/meta"
 	"github.com/dapr/dapr/pkg/security"
+	"github.com/dapr/dapr/utils"
 )
 
 // disk loads a specific manifest kind from a folder.
@@ -29,16 +30,23 @@ type disk[T meta.Resource] struct {
 	apiVersion string
 	dirs       []string
 	namespace  string
+	appID      string
+}
+
+type Options struct {
+	AppID string
+	Paths []string
 }
 
 // new creates a new manifest loader for the given paths and kind.
-func new[T meta.Resource](dirs ...string) *disk[T] {
+func new[T meta.Resource](opts Options) *disk[T] {
 	var zero T
 	return &disk[T]{
-		dirs:       dirs,
+		dirs:       opts.Paths,
 		kind:       zero.Kind(),
 		apiVersion: zero.APIVersion(),
 		namespace:  security.CurrentNamespace(),
+		appID:      opts.AppID,
 	}
 }
 
@@ -52,7 +60,7 @@ func (d *disk[T]) Load(context.Context) ([]T, error) {
 	nsDefined := len(os.Getenv("NAMESPACE")) != 0
 
 	names := make(map[string]string)
-	goodManifests := make([]T, 0)
+	filteredManifests := make([]T, 0)
 	var errs []error
 	for i := range set.ts {
 		// If the process or manifest namespace are not defined, ignore the
@@ -70,15 +78,21 @@ func (d *disk[T]) Load(context.Context) ([]T, error) {
 			continue
 		}
 
+		// Skip manifests which are not in scope
+		scopes := set.ts[i].GetScopes()
+		if !(len(scopes) == 0 || utils.Contains(scopes, d.appID)) {
+			continue
+		}
+
 		names[set.ts[i].GetName()] = set.ts[i].LogName()
-		goodManifests = append(goodManifests, set.ts[i])
+		filteredManifests = append(filteredManifests, set.ts[i])
 	}
 
 	if len(errs) > 0 {
 		return nil, errors.Join(errs...)
 	}
 
-	return goodManifests, nil
+	return filteredManifests, nil
 }
 
 func (d *disk[T]) loadWithOrder() (*manifestSet[T], error) {

pkg/internal/loader/disk/disk_test.go

@@ -26,14 +26,17 @@ import (
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/dapr/dapr/pkg/apis/common"
 	compapi "github.com/dapr/dapr/pkg/apis/components/v1alpha1"
 	"github.com/dapr/kit/ptr"
 )
 
 func TestLoad(t *testing.T) {
 	t.Run("valid yaml content", func(t *testing.T) {
 		tmp := t.TempDir()
-		request := NewComponents(tmp)
+		request := NewComponents(Options{
+			Paths: []string{tmp},
+		})
 		filename := "test-component-valid.yaml"
 		yaml := `
 apiVersion: dapr.io/v1alpha1
@@ -56,7 +59,9 @@ spec:
 
 	t.Run("invalid yaml head", func(t *testing.T) {
 		tmp := t.TempDir()
-		request := NewComponents(tmp)
+		request := NewComponents(Options{
+			Paths: []string{tmp},
+		})
 
 		filename := "test-component-invalid.yaml"
 		yaml := `
@@ -72,23 +77,29 @@ name: statestore`
 	})
 
 	t.Run("load components file not exist", func(t *testing.T) {
-		request := NewComponents("test-path-no-exists")
+		request := NewComponents(Options{
+			Paths: []string{"test-path-no-exists"},
+		})
 
 		components, err := request.Load(context.Background())
 		require.Error(t, err)
 		assert.Empty(t, components)
 	})
 
 	t.Run("error and namespace", func(t *testing.T) {
-		buildComp := func(name string, namespace *string) string {
+		buildComp := func(name string, namespace *string, scopes ...string) string {
 			var ns string
 			if namespace != nil {
 				ns = fmt.Sprintf("\n namespace: %s\n", *namespace)
 			}
+			var scopeS string
+			if len(scopes) > 0 {
+				scopeS = fmt.Sprintf("\nscopes:\n- %s", strings.Join(scopes, "\n- "))
+			}
 			return fmt.Sprintf(`apiVersion: dapr.io/v1alpha1
 kind: Component
 metadata:
- name: %s%s`, name, ns)
+ name: %s%s%s`, name, ns, scopeS)
 		}
 
 		tests := map[string]struct {
@@ -183,6 +194,26 @@ metadata:
 				},
 				expErr: false,
 			},
+			"only return manifests in scope": {
+				comps: []string{
+					buildComp("comp1", nil, "myappid"),
+					buildComp("comp2", nil, "myappid", "anotherappid"),
+					buildComp("comp3", nil, "anotherappid"),
+				},
+				namespace: ptr.Of("foo"),
+				expComps: []compapi.Component{
+					{
+						TypeMeta:   metav1.TypeMeta{APIVersion: "dapr.io/v1alpha1", Kind: "Component"},
+						ObjectMeta: metav1.ObjectMeta{Name: "comp1", Namespace: ""},
+						Scoped:     common.Scoped{Scopes: []string{"myappid"}},
+					},
+					{
+						TypeMeta:   metav1.TypeMeta{APIVersion: "dapr.io/v1alpha1", Kind: "Component"},
+						ObjectMeta: metav1.ObjectMeta{Name: "comp2", Namespace: ""},
+						Scoped:     common.Scoped{Scopes: []string{"myappid", "anotherappid"}},
+					},
+				},
+			},
 		}
 
 		for name, test := range tests {
@@ -195,7 +226,10 @@ metadata:
 				if test.namespace != nil {
 					t.Setenv("NAMESPACE", *test.namespace)
 				}
-				loader := NewComponents(tmp)
+				loader := NewComponents(Options{
+					Paths: []string{tmp},
+					AppID: "myappid",
+				})
 				components, err := loader.Load(context.Background())
 				assert.Equal(t, test.expErr, err != nil, "%v", err)
 				assert.Equal(t, test.expComps, components)
@@ -207,7 +241,7 @@ metadata:
 func Test_loadWithOrder(t *testing.T) {
 	t.Run("no file should return empty set", func(t *testing.T) {
 		tmp := t.TempDir()
-		d := NewComponents(tmp).(*disk[compapi.Component])
+		d := NewComponents(Options{Paths: []string{tmp}}).(*disk[compapi.Component])
 		set, err := d.loadWithOrder()
 		require.NoError(t, err)
 		assert.Empty(t, set.order)
@@ -225,7 +259,7 @@ spec:
   type: state.couchbase
 `), fs.FileMode(0o600)))
 
-		d := NewComponents(tmp).(*disk[compapi.Component])
+		d := NewComponents(Options{Paths: []string{tmp}}).(*disk[compapi.Component])
 		set, err := d.loadWithOrder()
 		require.NoError(t, err)
 		assert.Equal(t, []manifestOrder{
@@ -259,7 +293,7 @@ spec:
   type: state.couchbase
 `), fs.FileMode(0o600)))
 
-		d := NewComponents(tmp).(*disk[compapi.Component])
+		d := NewComponents(Options{Paths: []string{tmp}}).(*disk[compapi.Component])
 		set, err := d.loadWithOrder()
 		require.NoError(t, err)
 		assert.Equal(t, []manifestOrder{
@@ -300,7 +334,9 @@ spec:
 			}
 		}
 
-		d := NewComponents(tmp1, tmp2, tmp3).(*disk[compapi.Component])
+		d := NewComponents(Options{
+			Paths: []string{tmp1, tmp2, tmp3},
+		}).(*disk[compapi.Component])
 		set, err := d.loadWithOrder()
 		require.NoError(t, err)
 		assert.Equal(t, []manifestOrder{

pkg/internal/loader/disk/httpendpoints.go

@@ -18,6 +18,6 @@ import (
 	"github.com/dapr/dapr/pkg/internal/loader"
 )
 
-func NewHTTPEndpoints(paths ...string) loader.Loader[endpointapi.HTTPEndpoint] {
-	return new[endpointapi.HTTPEndpoint](paths...)
+func NewHTTPEndpoints(opts Options) loader.Loader[endpointapi.HTTPEndpoint] {
+	return new[endpointapi.HTTPEndpoint](opts)
 }

pkg/internal/loader/disk/subscriptions.go

@@ -27,10 +27,10 @@ type subscriptions struct {
 	v2 *disk[v2alpha1.Subscription]
 }
 
-func NewSubscriptions(paths ...string) loader.Loader[v2alpha1.Subscription] {
+func NewSubscriptions(opts Options) loader.Loader[v2alpha1.Subscription] {
 	return &subscriptions{
-		v1: new[v1alpha1.Subscription](paths...),
-		v2: new[v2alpha1.Subscription](paths...),
+		v1: new[v1alpha1.Subscription](opts),
+		v2: new[v2alpha1.Subscription](opts),
 	}
 }
 

pkg/runtime/hotreload/hotreload.go

@@ -35,6 +35,7 @@ var log = logger.NewLogger("dapr.runtime.hotreload")
 
 type OptionsReloaderDisk struct {
 	Config         *config.Configuration
+	AppID          string
 	Dirs           []string
 	ComponentStore *compstore.ComponentStore
 	Authorizer     *authorizer.Authorizer
@@ -60,6 +61,7 @@ type Reloader struct {
 
 func NewDisk(opts OptionsReloaderDisk) (*Reloader, error) {
 	loader, err := disk.New(disk.Options{
+		AppID:          opts.AppID,
 		Dirs:           opts.Dirs,
 		ComponentStore: opts.ComponentStore,
 	})

pkg/runtime/hotreload/loader/disk/disk.go

@@ -35,6 +35,7 @@ import (
 var log = logger.NewLogger("dapr.runtime.hotreload.loader.disk")
 
 type Options struct {
+	AppID          string
 	Dirs           []string
 	ComponentStore *compstore.ComponentStore
 }
@@ -63,14 +64,20 @@ func New(opts Options) (loader.Interface, error) {
 		fs: fs,
 		components: newResource[compapi.Component](
 			resourceOptions[compapi.Component]{
-				loader:  loaderdisk.NewComponents(opts.Dirs...),
+				loader: loaderdisk.NewComponents(loaderdisk.Options{
+					AppID: opts.AppID,
+					Paths: opts.Dirs,
+				}),
 				store:   store.NewComponents(opts.ComponentStore),
 				batcher: batcher,
 			},
 		),
 		subscriptions: newResource[subapi.Subscription](
 			resourceOptions[subapi.Subscription]{
-				loader:  loaderdisk.NewSubscriptions(opts.Dirs...),
+				loader: loaderdisk.NewSubscriptions(loaderdisk.Options{
+					AppID: opts.AppID,
+					Paths: opts.Dirs,
+				}),
 				store:   store.NewSubscriptions(opts.ComponentStore),
 				batcher: batcher,
 			},

pkg/runtime/hotreload/loader/disk/resource_test.go

@@ -148,7 +148,9 @@ func Test_Stream(t *testing.T) {
 		r := newResource[componentsapi.Component](resourceOptions[componentsapi.Component]{
 			store:   loadercompstore.NewComponents(store),
 			batcher: batcher,
-			loader:  loaderdisk.NewComponents(dir),
+			loader: loaderdisk.NewComponents(loaderdisk.Options{
+				Paths: []string{dir},
+			}),
 		})
 
 		errCh := make(chan error)
@@ -229,7 +231,9 @@ func Test_Stream(t *testing.T) {
 		r := newResource[componentsapi.Component](resourceOptions[componentsapi.Component]{
 			store:   loadercompstore.NewComponents(store),
 			batcher: batcher,
-			loader:  loaderdisk.NewComponents(dir),
+			loader: loaderdisk.NewComponents(loaderdisk.Options{
+				Paths: []string{dir},
+			}),
 		})
 
 		errCh := make(chan error)
@@ -311,7 +315,9 @@ func Test_Stream(t *testing.T) {
 		r := newResource[componentsapi.Component](resourceOptions[componentsapi.Component]{
 			store:   loadercompstore.NewComponents(store),
 			batcher: batcher,
-			loader:  loaderdisk.NewComponents(dir),
+			loader: loaderdisk.NewComponents(loaderdisk.Options{
+				Paths: []string{dir},
+			}),
 		})
 
 		errCh := make(chan error)

pkg/runtime/runtime.go

@@ -218,6 +218,7 @@ func newDaprRuntime(ctx context.Context,
 			ComponentStore: compStore,
 			Authorizer:     authz,
 			Processor:      processor,
+			AppID:          runtimeConfig.id,
 		})
 		if err != nil {
 			return nil, err
@@ -1005,7 +1006,10 @@ func (a *DaprRuntime) loadComponents(ctx context.Context) error {
 			PodName:   a.podName,
 		})
 	case modes.StandaloneMode:
-		loader = disk.NewComponents(a.runtimeConfig.standalone.ResourcesPath...)
+		loader = disk.NewComponents(disk.Options{
+			AppID: a.runtimeConfig.id,
+			Paths: a.runtimeConfig.standalone.ResourcesPath,
+		})
 	default:
 		return nil
 	}
@@ -1052,7 +1056,10 @@ func (a *DaprRuntime) loadDeclarativeSubscriptions(ctx context.Context) error {
 			PodName:   a.podName,
 		})
 	case modes.StandaloneMode:
-		loader = disk.NewSubscriptions(a.runtimeConfig.standalone.ResourcesPath...)
+		loader = disk.NewSubscriptions(disk.Options{
+			AppID: a.runtimeConfig.id,
+			Paths: a.runtimeConfig.standalone.ResourcesPath,
+		})
 	default:
 		return nil
 	}
@@ -1100,7 +1107,10 @@ func (a *DaprRuntime) loadHTTPEndpoints(ctx context.Context) error {
 			PodName:   a.podName,
 		})
 	case modes.StandaloneMode:
-		loader = disk.NewHTTPEndpoints(a.runtimeConfig.standalone.ResourcesPath...)
+		loader = disk.NewHTTPEndpoints(disk.Options{
+			AppID: a.runtimeConfig.id,
+			Paths: a.runtimeConfig.standalone.ResourcesPath,
+		})
 	default:
 		return nil
 	}