databroker: add support for config settings (#1253)

config/options.go

@@ -25,6 +25,7 @@ import (
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
+	"github.com/pomerium/pomerium/pkg/grpc/config"
 )
 
 // DisableHeaderKey is the key used to check whether to disable setting header
@@ -715,6 +716,198 @@ func (o *Options) Checksum() uint64 {
 	return hash
 }
 
+// ApplySettings modifies the config options using the given protobuf settings.
+func (o *Options) ApplySettings(settings *config.Settings) {
+	if settings == nil {
+		return
+	}
+
+	if settings.Debug != nil {
+		o.Debug = settings.GetDebug()
+	}
+	if settings.LogLevel != nil {
+		o.LogLevel = settings.GetLogLevel()
+	}
+	if settings.ProxyLogLevel != nil {
+		o.ProxyLogLevel = settings.GetProxyLogLevel()
+	}
+	if settings.SharedSecret != nil {
+		o.SharedKey = settings.GetSharedSecret()
+	}
+	if settings.Services != nil {
+		o.Services = settings.GetServices()
+	}
+	if settings.Address != nil {
+		o.Addr = settings.GetAddress()
+	}
+	if settings.InsecureServer != nil {
+		o.InsecureServer = settings.GetInsecureServer()
+	}
+	for _, c := range settings.Certificates {
+		cfp := certificateFilePair{
+			CertFile: c.CertFile,
+			KeyFile:  c.KeyFile,
+		}
+		if cfp.CertFile == "" {
+			cfp.CertFile = base64.StdEncoding.EncodeToString(c.CertBytes)
+		}
+		if cfp.KeyFile == "" {
+			cfp.KeyFile = base64.StdEncoding.EncodeToString(c.KeyBytes)
+		}
+		o.CertificateFiles = append(o.CertificateFiles, cfp)
+	}
+	if settings.HttpRedirectAddr != nil {
+		o.HTTPRedirectAddr = settings.GetHttpRedirectAddr()
+	}
+	if settings.TimeoutRead != nil {
+		o.ReadTimeout = settings.GetTimeoutRead().AsDuration()
+	}
+	if settings.TimeoutWrite != nil {
+		o.WriteTimeout = settings.GetTimeoutWrite().AsDuration()
+	}
+	if settings.TimeoutIdle != nil {
+		o.IdleTimeout = settings.GetTimeoutIdle().AsDuration()
+	}
+	if settings.AuthenticateServiceUrl != nil {
+		o.AuthenticateURLString = settings.GetAuthenticateServiceUrl()
+	}
+	if settings.AuthenticateCallbackPath != nil {
+		o.AuthenticateCallbackPath = settings.GetAuthenticateCallbackPath()
+	}
+	if settings.CookieName != nil {
+		o.CookieName = settings.GetCookieName()
+	}
+	if settings.CookieSecret != nil {
+		o.CookieSecret = settings.GetCookieSecret()
+	}
+	if settings.CookieDomain != nil {
+		o.CookieDomain = settings.GetCookieDomain()
+	}
+	if settings.CookieSecure != nil {
+		o.CookieSecure = settings.GetCookieSecure()
+	}
+	if settings.CookieHttpOnly != nil {
+		o.CookieHTTPOnly = settings.GetCookieHttpOnly()
+	}
+	if settings.CookieExpire != nil {
+		o.CookieExpire = settings.GetCookieExpire().AsDuration()
+	}
+	if settings.IdpClientId != nil {
+		o.ClientID = settings.GetIdpClientId()
+	}
+	if settings.IdpClientSecret != nil {
+		o.ClientSecret = settings.GetIdpClientSecret()
+	}
+	if settings.IdpProvider != nil {
+		o.Provider = settings.GetIdpProvider()
+	}
+	if settings.IdpProviderUrl != nil {
+		o.ProviderURL = settings.GetIdpProviderUrl()
+	}
+	if len(settings.Scopes) > 0 {
+		o.Scopes = settings.Scopes
+	}
+	if settings.IdpServiceAccount != nil {
+		o.ServiceAccount = settings.GetIdpServiceAccount()
+	}
+	if settings.IdpRefreshDirectoryTimeout != nil {
+		o.RefreshDirectoryTimeout = settings.GetIdpRefreshDirectoryTimeout().AsDuration()
+	}
+	if settings.IdpRefreshDirectoryInterval != nil {
+		o.RefreshDirectoryInterval = settings.GetIdpRefreshDirectoryInterval().AsDuration()
+	}
+	if settings.RequestParams != nil && len(settings.RequestParams) > 0 {
+		o.RequestParams = settings.RequestParams
+	}
+	if len(settings.Administrators) > 0 {
+		o.Administrators = settings.Administrators
+	}
+	if settings.AuthorizeServiceUrl != nil {
+		o.AuthorizeURLString = settings.GetAuthorizeServiceUrl()
+	}
+	if settings.OverrideCertificateName != nil {
+		o.OverrideCertificateName = settings.GetOverrideCertificateName()
+	}
+	if settings.CertificateAuthority != nil {
+		o.CA = settings.GetCertificateAuthority()
+	}
+	if settings.CertificateAuthorityFile != nil {
+		o.CAFile = settings.GetCertificateAuthorityFile()
+	}
+	if settings.SigningKey != nil {
+		o.SigningKey = settings.GetSigningKey()
+	}
+	if len(settings.JwtClaimsHeaders) > 0 {
+		o.JWTClaimsHeaders = settings.GetJwtClaimsHeaders()
+	}
+	if settings.RefreshCooldown != nil {
+		o.RefreshCooldown = settings.GetRefreshCooldown().AsDuration()
+	}
+	if settings.DefaultUpstreamTimeout != nil {
+		o.DefaultUpstreamTimeout = settings.GetDefaultUpstreamTimeout().AsDuration()
+	}
+	if settings.MetricsAddress != nil {
+		o.MetricsAddr = settings.GetMetricsAddress()
+	}
+	if settings.TracingProvider != nil {
+		o.TracingProvider = settings.GetTracingProvider()
+	}
+	if settings.TracingSampleRate != nil {
+		o.TracingSampleRate = settings.GetTracingSampleRate()
+	}
+	if settings.TracingJaegerCollectorEndpoint != nil {
+		o.TracingJaegerCollectorEndpoint = settings.GetTracingJaegerCollectorEndpoint()
+	}
+	if settings.TracingJaegerAgentEndpoint != nil {
+		o.TracingJaegerAgentEndpoint = settings.GetTracingJaegerAgentEndpoint()
+	}
+	if settings.TracingZipkinEndpoint != nil {
+		o.ZipkinEndpoint = settings.GetTracingZipkinEndpoint()
+	}
+	if settings.GrpcAddress != nil {
+		o.GRPCAddr = settings.GetGrpcAddress()
+	}
+	if settings.GrpcInsecure != nil {
+		o.GRPCInsecure = settings.GetGrpcInsecure()
+	}
+	if settings.GrpcServerMaxConnectionAge != nil {
+		o.GRPCServerMaxConnectionAge = settings.GetGrpcServerMaxConnectionAge().AsDuration()
+	}
+	if settings.GrpcServerMaxConnectionAgeGrace != nil {
+		o.GRPCServerMaxConnectionAgeGrace = settings.GetGrpcServerMaxConnectionAgeGrace().AsDuration()
+	}
+	if settings.ForwardAuthUrl != nil {
+		o.ForwardAuthURLString = settings.GetForwardAuthUrl()
+	}
+	if settings.CacheServiceUrl != nil {
+		o.CacheURLString = settings.GetCacheServiceUrl()
+	}
+	if settings.DatabrokerServiceUrl != nil {
+		o.DataBrokerURLString = settings.GetDatabrokerServiceUrl()
+	}
+	if settings.ClientCa != nil {
+		o.ClientCA = settings.GetClientCa()
+	}
+	if settings.ClientCaFile != nil {
+		o.ClientCAFile = settings.GetClientCaFile()
+	}
+	if settings.GoogleCloudServerlessAuthenticationServiceAccount != nil {
+		o.GoogleCloudServerlessAuthenticationServiceAccount = settings.GetGoogleCloudServerlessAuthenticationServiceAccount()
+	}
+	if settings.Autocert != nil {
+		o.AutocertOptions.Enable = settings.GetAutocert()
+	}
+	if settings.AutocertUseStaging != nil {
+		o.AutocertOptions.UseStaging = settings.GetAutocertUseStaging()
+	}
+	if settings.AutocertMustStaple != nil {
+		o.AutocertOptions.MustStaple = settings.GetAutocertMustStaple()
+	}
+	if settings.AutocertDir != nil {
+		o.AutocertOptions.Folder = settings.GetAutocertDir()
+	}
+}
+
 // handleConfigUpdate takes configuration file, an existing options struct, and
 // returns new options if any change is detected. If no change was detected, the
 // existing option will be returned.

go.sum

@@ -752,6 +752,7 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=

internal/databroker/config_source.go

@@ -91,6 +91,8 @@ func (src *ConfigSource) rebuild(firstTime bool) {
 
 	// add all the config policies to the list
 	for _, cfgpb := range src.dbConfigs {
+		cfg.Options.ApplySettings(cfgpb.Settings)
+
 		for _, routepb := range cfgpb.GetRoutes() {
 			policy, err := config.NewPolicyFromProto(routepb)
 			if err != nil {

pkg/grpc/audit/audit.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.25.0
-// 	protoc        v3.12.3
+// 	protoc        v4.0.0
 // source: audit.proto
 
 package audit

pkg/grpc/config/config.proto

@@ -4,10 +4,12 @@ package pomerium.config;
 option go_package = "github.com/pomerium/pomerium/pkg/grpc/config";
 
 import "google/protobuf/duration.proto";
+import "google/protobuf/timestamp.proto";
 
 message Config {
   string name = 1;
   repeated Route routes = 2;
+  Settings settings = 3;
 }
 
 message Route {
@@ -16,9 +18,9 @@ message Route {
   string from = 2;
   string to = 3;
 
-  repeated string allowed_users = 4 [deprecated = true];
-  repeated string allowed_groups = 5 [deprecated = true];
-  repeated string allowed_domains = 6 [deprecated = true];
+  repeated string allowed_users = 4 [ deprecated = true ];
+  repeated string allowed_groups = 5 [ deprecated = true ];
+  repeated string allowed_domains = 6 [ deprecated = true ];
 
   string prefix = 7;
   string path = 8;
@@ -59,3 +61,71 @@ message Policy {
   repeated string allowed_domains = 5;
   repeated string rego = 6;
 }
+
+message Settings {
+  message Certificate {
+    string cert_file = 1;
+    string key_file = 2;
+    bytes cert_bytes = 3;
+    bytes key_bytes = 4;
+  }
+
+  optional bool debug = 2;
+  optional string log_level = 3;
+  optional string proxy_log_level = 4;
+  optional string shared_secret = 5;
+  optional string services = 6;
+  optional string address = 7;
+  optional bool insecure_server = 8;
+  repeated Certificate certificates = 9;
+  optional string http_redirect_addr = 10;
+  optional google.protobuf.Duration timeout_read = 11;
+  optional google.protobuf.Duration timeout_write = 12;
+  optional google.protobuf.Duration timeout_idle = 13;
+  optional string authenticate_service_url = 14;
+  optional string authenticate_callback_path = 15;
+  optional string cookie_name = 16;
+  optional string cookie_secret = 17;
+  optional string cookie_domain = 18;
+  optional bool cookie_secure = 19;
+  optional bool cookie_http_only = 20;
+  optional google.protobuf.Duration cookie_expire = 21;
+  optional string idp_client_id = 22;
+  optional string idp_client_secret = 23;
+  optional string idp_provider = 24;
+  optional string idp_provider_url = 25;
+  repeated string scopes = 26;
+  optional string idp_service_account = 27;
+  optional google.protobuf.Duration idp_refresh_directory_timeout = 28;
+  optional google.protobuf.Duration idp_refresh_directory_interval = 29;
+  map<string, string> request_params = 30;
+  repeated string administrators = 31;
+  optional string authorize_service_url = 32;
+  optional string override_certificate_name = 33;
+  optional string certificate_authority = 34;
+  optional string certificate_authority_file = 35;
+  optional string signing_key = 36;
+  repeated string jwt_claims_headers = 37;
+  optional google.protobuf.Duration refresh_cooldown = 38;
+  optional google.protobuf.Duration default_upstream_timeout = 39;
+  optional string metrics_address = 40;
+  optional string tracing_provider = 41;
+  optional double tracing_sample_rate = 42;
+  optional string tracing_jaeger_collector_endpoint = 43;
+  optional string tracing_jaeger_agent_endpoint = 44;
+  optional string tracing_zipkin_endpoint = 45;
+  optional string grpc_address = 46;
+  optional bool grpc_insecure = 47;
+  google.protobuf.Duration grpc_server_max_connection_age = 48;
+  google.protobuf.Duration grpc_server_max_connection_age_grace = 49;
+  optional string forward_auth_url = 50;
+  optional string cache_service_url = 51;
+  optional string databroker_service_url = 52;
+  optional string client_ca = 53;
+  optional string client_ca_file = 54;
+  optional string google_cloud_serverless_authentication_service_account = 55;
+  optional bool autocert = 56;
+  optional bool autocert_use_staging = 57;
+  optional bool autocert_must_staple = 58;
+  optional string autocert_dir = 59;
+}

pkg/grpc/databroker/databroker.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.25.0
-// 	protoc        v3.12.3
+// 	protoc        v4.0.0
 // source: databroker.proto
 
 package databroker

pkg/grpc/directory/directory.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.25.0
-// 	protoc        v3.12.3
+// 	protoc        v4.0.0
 // source: directory.proto
 
 package directory

pkg/grpc/session/session.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.25.0
-// 	protoc        v3.12.3
+// 	protoc        v4.0.0
 // source: session.proto
 
 package session

pkg/grpc/user/user.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.25.0
-// 	protoc        v3.12.3
+// 	protoc        v4.0.0
 // source: user.proto
 
 package user

scripts/protoc

@@ -2,7 +2,8 @@
 set -euo pipefail
 
 _dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
-_protoc_version="3.12.3"
+_protoc_version="4.0.0-rc2"
+_protoc_version_filename="4.0.0-rc-2"
 _protoc_path="/tmp/pomerium-protoc/protoc-$_protoc_version"
 _os="linux"
 if [ "$(uname -s)" == "Darwin" ]; then
@@ -14,9 +15,12 @@ if [ ! -f "$_protoc_path/bin/protoc" ]; then
   echo "downloading protoc"
   curl -L \
     -o protoc.zip \
-    "https://github.com/protocolbuffers/protobuf/releases/download/v$_protoc_version/protoc-$_protoc_version-$_os-x86_64.zip"
+    "https://github.com/protocolbuffers/protobuf/releases/download/v$_protoc_version/protoc-$_protoc_version_filename-$_os-x86_64.zip"
   unzip -o -d "$_protoc_path" protoc.zip
   rm protoc.zip
 fi
-
-exec "$_protoc_path/bin/protoc" --plugin="protoc-gen-go=$_dir/protoc-gen-go" "$@"
+exec "$_protoc_path/bin/protoc" \
+  --experimental_allow_proto3_optional \
+  --plugin="protoc-gen-go=$_dir/protoc-gen-go" \
+  --plugin="protoc-gen-grpc-web=$_dir/protoc-gen-grpc-web" \
+  "$@"