3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-01 07:50:26 +02:00
Code Issues Projects Releases Packages Wiki Activity

envoy: only allow embedding (#2368)

Browse source
This commit is contained in:
Caleb Doxsey 2021-07-19 08:32:48 -06:00 committed by GitHub
parent 2a5dcc2848
commit 1123de07a6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

3
internal/envoy/embed.go
View file

@ -20,6 +20,9 @@ const (
embeddedDirectoryPermissions fs.FileMode = 0o755 embeddedDirectoryPermissions fs.FileMode = 0o755
) )
// OverrideEnvoyPath is an override for using an envoy path instead of the embedded envoy path.
var OverrideEnvoyPath = ""
var ( var (
embeddedFilesBaseDirectory = filepath.Join(os.TempDir(), "pomerium-embedded-files") embeddedFilesBaseDirectory = filepath.Join(os.TempDir(), "pomerium-embedded-files")
extractEmbeddedEnvoyOnce sync.Once extractEmbeddedEnvoyOnce sync.Once

41
internal/envoy/envoy.go
View file

@ -70,31 +70,28 @@ func NewServer(ctx context.Context, src config.Source, grpcPort, httpPort string
return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err) return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
} }
envoyPath, err := extractEmbeddedEnvoy(ctx) envoyPath := OverrideEnvoyPath
if err != nil { if envoyPath == "" {
log.Warn(ctx).Err(err).Send() envoyPath, err = extractEmbeddedEnvoy(ctx)
envoyPath = "envoy"
}
fullEnvoyPath, err := exec.LookPath(envoyPath)
if err != nil {
return nil, fmt.Errorf("no envoy binary found: %w", err)
}
// Checksum is written at build time, if it's not empty we verify the binary
if files.Checksum() != "" {
bs, err := ioutil.ReadFile(fullEnvoyPath)
if err != nil { if err != nil {
return nil, fmt.Errorf("error reading envoy binary for checksum verification: %w", err) return nil, fmt.Errorf("error extracting embedded envoy binary: %w", err)
} }
h := sha256.New()
h.Write(bs) // Checksum is written at build time, if it's not empty we verify the binary
s := hex.EncodeToString(h.Sum(nil)) if files.Checksum() != "" {
if files.Checksum() != s { bs, err := ioutil.ReadFile(envoyPath)
return nil, fmt.Errorf("invalid envoy binary, expected %s but got %s", files.Checksum(), s) if err != nil {
return nil, fmt.Errorf("error reading envoy binary for checksum verification: %w", err)
}
h := sha256.New()
h.Write(bs)
s := hex.EncodeToString(h.Sum(nil))
if files.Checksum() != s {
return nil, fmt.Errorf("invalid envoy binary, expected %s but got %s", files.Checksum(), s)
}
} else {
log.Info(ctx).Msg("no checksum defined, envoy binary will not be verified!")
} }
} else {
log.Info(ctx).Msg("no checksum defined, envoy binary will not be verified!")
} }
srv := &Server{ srv := &Server{