Merge branch 'main' into kralicky/tracing

config/envoyconfig/filters.go

@@ -47,6 +47,7 @@ func ExtAuthzFilter(grpcClientTimeout *durationpb.Duration) *envoy_extensions_fi
 func HTTPConnectionManagerFilter(
 	httpConnectionManager *envoy_extensions_filters_network_http_connection_manager.HttpConnectionManager,
 ) *envoy_config_listener_v3.Filter {
+	applyGlobalHTTPConnectionManagerOptions(httpConnectionManager)
 	return &envoy_config_listener_v3.Filter{
 		Name: "envoy.filters.network.http_connection_manager",
 		ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{

config/envoyconfig/http_connection_manager.go

@@ -8,6 +8,7 @@ import (
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/httputil"
@@ -120,3 +121,24 @@ func (b *Builder) buildLocalReplyConfig(
 		}},
 	}, nil
 }
+
+func applyGlobalHTTPConnectionManagerOptions(hcm *envoy_http_connection_manager.HttpConnectionManager) {
+	if hcm.InternalAddressConfig == nil {
+		// see doc comment on InternalAddressConfig for details
+		hcm.InternalAddressConfig = &envoy_http_connection_manager.HttpConnectionManager_InternalAddressConfig{
+			CidrRanges: []*envoy_config_core_v3.CidrRange{
+				// localhost
+				{AddressPrefix: "127.0.0.1", PrefixLen: wrapperspb.UInt32(32)},
+				{AddressPrefix: "::1", PrefixLen: wrapperspb.UInt32(128)},
+
+				// RFC1918
+				{AddressPrefix: "10.0.0.0", PrefixLen: wrapperspb.UInt32(8)},
+				{AddressPrefix: "192.168.0.0", PrefixLen: wrapperspb.UInt32(16)},
+				{AddressPrefix: "172.16.0.0", PrefixLen: wrapperspb.UInt32(12)},
+
+				// RFC4193
+				{AddressPrefix: "fd00::", PrefixLen: wrapperspb.UInt32(8)},
+			},
+		}
+	}
+}

config/envoyconfig/outbound.go

@@ -42,7 +42,7 @@ func (b *Builder) buildOutboundListener(cfg *config.Config) (*envoy_config_liste
 func (b *Builder) buildOutboundHTTPConnectionManager() *envoy_config_listener_v3.Filter {
 	rc := b.buildOutboundRouteConfiguration()
 
-	tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{
+	return HTTPConnectionManagerFilter(&envoy_http_connection_manager.HttpConnectionManager{
 		CodecType:  envoy_http_connection_manager.HttpConnectionManager_AUTO,
 		StatPrefix: "grpc_egress",
 		// limit request first byte to last byte time
@@ -56,13 +56,6 @@ func (b *Builder) buildOutboundHTTPConnectionManager() *envoy_config_listener_v3
 			HTTPRouterFilter(),
 		},
 	})
-
-	return &envoy_config_listener_v3.Filter{
-		Name: "envoy.filters.network.http_connection_manager",
-		ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
-			TypedConfig: tc,
-		},
-	}
 }
 
 func (b *Builder) buildOutboundRouteConfiguration() *envoy_config_route_v3.RouteConfiguration {

config/envoyconfig/testdata/main_http_connection_manager_filter.json

@@ -227,6 +227,34 @@
       "spawnUpstreamSpan": true
     },
     "useRemoteAddress": true,
-    "xffNumTrustedHops": 1
+    "xffNumTrustedHops": 1,
+    "internalAddressConfig": {
+      "cidrRanges": [
+        {
+          "addressPrefix": "127.0.0.1",
+          "prefixLen": 32
+        },
+        {
+          "addressPrefix": "::1",
+          "prefixLen": 128
+        },
+        {
+          "addressPrefix": "10.0.0.0",
+          "prefixLen": 8
+        },
+        {
+          "addressPrefix": "192.168.0.0",
+          "prefixLen": 16
+        },
+        {
+          "addressPrefix": "172.16.0.0",
+          "prefixLen": 12
+        },
+        {
+          "addressPrefix": "fd00::",
+          "prefixLen": 8
+        }
+      ]
+    }
   }
 }

config/envoyconfig/testdata/metrics_http_connection_manager.json

@@ -54,7 +54,35 @@
                 }
               ]
             },
-            "statPrefix": "metrics"
+            "statPrefix": "metrics",
+            "internalAddressConfig": {
+              "cidrRanges": [
+                {
+                  "addressPrefix": "127.0.0.1",
+                  "prefixLen": 32
+                },
+                {
+                  "addressPrefix": "::1",
+                  "prefixLen": 128
+                },
+                {
+                  "addressPrefix": "10.0.0.0",
+                  "prefixLen": 8
+                },
+                {
+                  "addressPrefix": "192.168.0.0",
+                  "prefixLen": 16
+                },
+                {
+                  "addressPrefix": "172.16.0.0",
+                  "prefixLen": 12
+                },
+                {
+                  "addressPrefix": "fd00::",
+                  "prefixLen": 8
+                }
+              ]
+            }
           }
         }
       ],

config/options_test.go

@@ -978,17 +978,6 @@ func TestOptions_ApplySettings(t *testing.T) {
 	})
 }
 
-func TestXXX(t *testing.T) {
-	dir, _ := os.MkdirTemp("", "asdf")
-	t.Log(dir)
-	for i := 1; i <= 100; i++ {
-		crt, _ := cryptutil.GenerateCertificate(nil, fmt.Sprintf("route%d.localhost.pomerium.io", i))
-		crtBytes, keyBytes, _ := cryptutil.EncodeCertificate(crt)
-		os.WriteFile(fmt.Sprintf("%s/%d.crt", dir, i), crtBytes, 0o644)
-		os.WriteFile(fmt.Sprintf("%s/%d.key", dir, i), keyBytes, 0o600)
-	}
-}
-
 func TestOptions_GetSetResponseHeaders(t *testing.T) {
 	t.Run("lax", func(t *testing.T) {
 		options := NewDefaultOptions()

config/policy.go

@@ -27,7 +27,10 @@ import (
 
 // Policy contains route specific configuration and access settings.
 type Policy struct {
-	ID string `mapstructure:"-" yaml:"-" json:"-"`
+	ID          string `mapstructure:"-" yaml:"-" json:"-"`
+	Name        string `mapstructure:"-" yaml:"-" json:"-"`
+	Description string `mapstructure:"description" yaml:"description,omitempty" json:"description,omitempty"`
+	LogoURL     string `mapstructure:"logo_url" yaml:"logo_url,omitempty" json:"logo_url,omitempty"`
 
 	From string       `mapstructure:"from" yaml:"from"`
 	To   WeightedURLs `mapstructure:"to" yaml:"to"`
@@ -285,6 +288,7 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 		AllowSPDY:                        pb.GetAllowSpdy(),
 		AllowWebsockets:                  pb.GetAllowWebsockets(),
 		CORSAllowPreflight:               pb.GetCorsAllowPreflight(),
+		Description:                      pb.GetDescription(),
 		EnableGoogleCloudServerlessAuthentication: pb.GetEnableGoogleCloudServerlessAuthentication(),
 		From:                              pb.GetFrom(),
 		HostPathRegexRewritePattern:       pb.GetHostPathRegexRewritePattern(),
@@ -298,6 +302,8 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 		JWTGroupsFilter:                   NewJWTGroupsFilter(pb.JwtGroupsFilter),
 		KubernetesServiceAccountToken:     pb.GetKubernetesServiceAccountToken(),
 		KubernetesServiceAccountTokenFile: pb.GetKubernetesServiceAccountTokenFile(),
+		LogoURL:                           pb.GetLogoUrl(),
+		Name:                              pb.GetName(),
 		PassIdentityHeaders:               pb.PassIdentityHeaders,
 		Path:                              pb.GetPath(),
 		Prefix:                            pb.GetPrefix(),
@@ -438,6 +444,7 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
 		AllowSpdy:                        p.AllowSPDY,
 		AllowWebsockets:                  p.AllowWebsockets,
 		CorsAllowPreflight:               p.CORSAllowPreflight,
+		Description:                      p.Description,
 		EnableGoogleCloudServerlessAuthentication: p.EnableGoogleCloudServerlessAuthentication,
 		EnvoyOpts:                         p.EnvoyOpts,
 		From:                              p.From,
@@ -446,7 +453,8 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
 		JwtGroupsFilter:                   p.JWTGroupsFilter.ToSlice(),
 		KubernetesServiceAccountToken:     p.KubernetesServiceAccountToken,
 		KubernetesServiceAccountTokenFile: p.KubernetesServiceAccountTokenFile,
-		Name:                              fmt.Sprint(p.RouteID()),
+		LogoUrl:                           p.LogoURL,
+		Name:                              p.Name,
 		PassIdentityHeaders:               p.PassIdentityHeaders,
 		Path:                              p.Path,
 		Policies:                          sps,
@@ -476,6 +484,9 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
 		TlsUpstreamAllowRenegotiation:     p.TLSUpstreamAllowRenegotiation,
 		TlsUpstreamServerName:             p.TLSUpstreamServerName,
 	}
+	if pb.Name == "" {
+		pb.Name = fmt.Sprint(p.RouteID())
+	}
 	if p.HostPathRegexRewritePattern != "" {
 		pb.HostPathRegexRewritePattern = proto.String(p.HostPathRegexRewritePattern)
 	}
@@ -869,6 +880,26 @@ func (p *Policy) GetPassIdentityHeaders(options *Options) bool {
 	return false
 }
 
+// GetFrom gets the from URL.
+func (p *Policy) GetFrom() string {
+	return p.From
+}
+
+// GetPath gets the path.
+func (p *Policy) GetPath() string {
+	return p.Path
+}
+
+// GetPrefix gets the prefix.
+func (p *Policy) GetPrefix() string {
+	return p.Prefix
+}
+
+// GetRegex gets the regex.
+func (p *Policy) GetRegex() string {
+	return p.Regex
+}
+
 /*
 SortPolicies sorts policies to match the following SQL order:
 

config/policy_test.go

@@ -218,6 +218,9 @@ func TestPolicy_FromToPb(t *testing.T) {
 
 	t.Run("normal", func(t *testing.T) {
 		p := &Policy{
+			Name:         "ROUTE_NAME",
+			Description:  "DESCRIPTION",
+			LogoURL:      "LOGO_URL",
 			From:         "https://pomerium.io",
 			To:           mustParseWeightedURLs(t, "http://localhost"),
 			AllowedUsers: []string{"foo@bar.com"},
@@ -235,6 +238,9 @@ func TestPolicy_FromToPb(t *testing.T) {
 
 		policyFromPb, err := NewPolicyFromProto(pbPolicy)
 		assert.NoError(t, err)
+		assert.Equal(t, p.Name, policyFromPb.Name)
+		assert.Equal(t, p.Description, policyFromPb.Description)
+		assert.Equal(t, p.LogoURL, policyFromPb.LogoURL)
 		assert.Equal(t, p.From, policyFromPb.From)
 		assert.Equal(t, p.To, policyFromPb.To)
 		assert.Equal(t, p.AllowedUsers, policyFromPb.AllowedUsers)

pkg/grpc/config/config.proto

@@ -45,9 +45,11 @@ enum IssuerFormat {
   IssuerURI = 1;
 }
 
-// Next ID: 67.
+// Next ID: 69.
 message Route {
   string name = 1;
+  string description = 67;
+  string logo_url = 68;
 
   string from = 2;
   repeated string to = 3;

pkg/zero/importutil/namegen.go

@@ -11,7 +11,6 @@ import (
 	"strings"
 
 	"github.com/cespare/xxhash/v2"
-	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 )
 
 func GenerateCertName(cert *x509.Certificate) *string {
@@ -59,18 +58,26 @@ func pickDNSName(names []string) string {
 	return names[0]
 }
 
-func GenerateRouteNames(routes []*configpb.Route) []string {
+type Route interface {
+	comparable
+	GetFrom() string
+	GetPrefix() string
+	GetPath() string
+	GetRegex() string
+}
+
+func GenerateRouteNames[T Route](routes []T) []string {
 	out := make([]string, len(routes))
 	prefixes := make([][]string, len(routes))
-	indexes := map[*configpb.Route]int{}
+	indexes := map[T]int{}
-	trie := newDomainTrie()
+	trie := newDomainTrie[T]()
 	for i, route := range routes {
 		trie.Insert(route)
 		indexes[route] = i
 	}
 	trie.Compact()
 
-	trie.Walk(func(parents []string, node *domainTreeNode) {
+	trie.Walk(func(parents []string, node *domainTreeNode[T]) {
 		for subdomain, child := range node.children {
 			for route, name := range differentiateRoutes(subdomain, child.routes) {
 				idx := indexes[route]
@@ -145,13 +152,13 @@ func trimCommonSubdomains(a, b string) (string, string) {
 	return strings.Join(aParts, "-"), strings.Join(bParts, "-")
 }
 
-func differentiateRoutes(subdomain string, routes []*configpb.Route) iter.Seq2[*configpb.Route, string] {
+func differentiateRoutes[T Route](subdomain string, routes []T) iter.Seq2[T, string] {
-	return func(yield func(*configpb.Route, string) bool) {
+	return func(yield func(T, string) bool) {
 		if len(routes) == 1 {
 			yield(routes[0], subdomain)
 			return
 		}
-		names := map[string][]*configpb.Route{}
+		names := map[string][]T{}
 		replacer := strings.NewReplacer(
 			" ", "_",
 			"/", "-",
@@ -180,14 +187,14 @@ func differentiateRoutes(subdomain string, routes []*configpb.Route) iter.Seq2[*
 			// each route will have the same domain, but a unique prefix/path/regex.
 			var name string
 			switch {
-			case route.Prefix != "":
+			case route.GetPrefix() != "":
-				name = simplePathName(route.Prefix)
+				name = simplePathName(route.GetPrefix())
 				prefixCount++
-			case route.Path != "":
+			case route.GetPath() != "":
-				name = simplePathName(route.Path)
+				name = simplePathName(route.GetPath())
 				pathCount++
-			case route.Regex != "":
+			case route.GetRegex() != "":
-				name = regexName(route.Regex)
+				name = regexName(route.GetRegex())
 			}
 			names[name] = append(names[name], route)
 		}
@@ -229,9 +236,9 @@ func differentiateRoutes(subdomain string, routes []*configpb.Route) iter.Seq2[*
 						b.WriteRune('-')
 						b.WriteString(name)
 					}
-					if route.Prefix != "" {
+					if route.GetPrefix() != "" {
 						b.WriteString(prefixSuffix)
-					} else if route.Path != "" {
+					} else if route.GetPath() != "" {
 						b.WriteString(pathSuffix)
 					}
 
@@ -251,58 +258,58 @@ func differentiateRoutes(subdomain string, routes []*configpb.Route) iter.Seq2[*
 	}
 }
 
-type domainTreeNode struct {
+type domainTreeNode[T Route] struct {
-	parent   *domainTreeNode
+	parent   *domainTreeNode[T]
-	children map[string]*domainTreeNode
+	children map[string]*domainTreeNode[T]
-	routes   []*configpb.Route
+	routes   []T
 }
 
-func (n *domainTreeNode) insert(key string, route *configpb.Route) *domainTreeNode {
+func (n *domainTreeNode[T]) insert(key string, route T) *domainTreeNode[T] {
 	if existing, ok := n.children[key]; ok {
-		if route != nil {
+		var def T
+		if route != def {
 			existing.routes = append(existing.routes, route)
 		}
 		return existing
 	}
-	node := &domainTreeNode{
+	node := &domainTreeNode[T]{
 		parent:   n,
-		children: map[string]*domainTreeNode{},
+		children: map[string]*domainTreeNode[T]{},
 	}
-	if route != nil {
+	var def T
+	if route != def {
 		node.routes = append(node.routes, route)
 	}
 	n.children[key] = node
 	return node
 }
 
-type domainTrie struct {
+type domainTrie[T Route] struct {
-	root *domainTreeNode
+	root *domainTreeNode[T]
 }
 
-func newDomainTrie() *domainTrie {
+func newDomainTrie[T Route]() *domainTrie[T] {
-	t := &domainTrie{
+	t := &domainTrie[T]{
-		root: &domainTreeNode{
+		root: &domainTreeNode[T]{
-			children: map[string]*domainTreeNode{},
+			children: map[string]*domainTreeNode[T]{},
 		},
 	}
 	return t
 }
 
-type walkFn = func(parents []string, node *domainTreeNode)
+func (t *domainTrie[T]) Walk(fn func(parents []string, node *domainTreeNode[T])) {
-
-func (t *domainTrie) Walk(fn walkFn) {
 	t.root.walk(nil, fn)
 }
 
-func (n *domainTreeNode) walk(prefix []string, fn walkFn) {
+func (n *domainTreeNode[T]) walk(prefix []string, fn func(parents []string, node *domainTreeNode[T])) {
 	for key, child := range n.children {
 		fn(append(prefix, key), child)
 		child.walk(append(prefix, key), fn)
 	}
 }
 
-func (t *domainTrie) Insert(route *configpb.Route) {
+func (t *domainTrie[T]) Insert(route T) {
-	u, _ := url.Parse(route.From)
+	u, _ := url.Parse(route.GetFrom())
 	if u == nil {
 		// ignore invalid urls, they will be assigned generic fallback names
 		return
@@ -311,16 +318,17 @@ func (t *domainTrie) Insert(route *configpb.Route) {
 	slices.Reverse(parts)
 	cur := t.root
 	for _, part := range parts[:len(parts)-1] {
-		cur = cur.insert(part, nil)
+		var def T
+		cur = cur.insert(part, def)
 	}
 	cur.insert(parts[len(parts)-1], route)
 }
 
-func (t *domainTrie) Compact() {
+func (t *domainTrie[T]) Compact() {
 	t.root.compact()
 }
 
-func (n *domainTreeNode) compact() {
+func (n *domainTreeNode[T]) compact() {
 	for _, child := range n.children {
 		child.compact()
 	}
@@ -328,7 +336,7 @@ func (n *domainTreeNode) compact() {
 		return
 	}
 	var firstKey string
-	var firstChild *domainTreeNode
+	var firstChild *domainTreeNode[T]
 	for key, child := range n.children {
 		firstKey, firstChild = key, child
 		break
@@ -340,7 +348,7 @@ func (n *domainTreeNode) compact() {
 			if child == n {
 				delete(n.parent.children, key)
 				n.parent.children[fmt.Sprintf("%s.%s", key, firstKey)] = firstChild
-				*n = domainTreeNode{}
+				*n = domainTreeNode[T]{}
 				break
 			}
 		}

pkg/zero/importutil/namegen_test.go

@@ -8,9 +8,11 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/assert"
+
+	"github.com/pomerium/pomerium/config"
 	configpb "github.com/pomerium/pomerium/pkg/grpc/config"
 	"github.com/pomerium/pomerium/pkg/zero/importutil"
-	"github.com/stretchr/testify/assert"
 )
 
 func TestGenerateCertName(t *testing.T) {
@@ -389,6 +391,11 @@ func TestGenerateRouteNames(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			assert.Equal(t, tc.expected, importutil.GenerateRouteNames(tc.input))
+			policies := make([]*config.Policy, len(tc.input))
+			for i := range tc.input {
+				policies[i], _ = config.NewPolicyFromProto(tc.input[i])
+			}
+			assert.Equal(t, tc.expected, importutil.GenerateRouteNames(policies))
 		})
 	}
 }