config: add runtime flags (#5050)

2025-05-18 03:27:16 +02:00 · 2024-04-04 17:51:04 -04:00 · 2024-04-04 17:51:04 -04:00 · e7b3d3b6e9
commit e7b3d3b6e9
parent be9bfd9c3f
11 changed files with 372 additions and 214 deletions
--- a/config/options_test.go
+++ b/config/options_test.go
@ -384,7 +384,7 @@ func Test_Checksum(t *testing.T) {

 func TestOptionsFromViper(t *testing.T) {
 	opts := []cmp.Option{
-		cmpopts.IgnoreFields(Options{}, "CookieSecret", "GRPCInsecure", "GRPCAddr", "DataBrokerURLString", "DataBrokerURLStrings", "AuthorizeURLString", "AuthorizeURLStrings", "DefaultUpstreamTimeout", "CookieExpire", "Services", "Addr", "LogLevel", "KeyFile", "CertFile", "SharedKey", "ReadTimeout", "IdleTimeout", "GRPCClientTimeout", "GRPCClientDNSRoundRobin", "TracingSampleRate", "ProgrammaticRedirectDomainWhitelist"),
+		cmpopts.IgnoreFields(Options{}, "CookieSecret", "GRPCInsecure", "GRPCAddr", "DataBrokerURLString", "DataBrokerURLStrings", "AuthorizeURLString", "AuthorizeURLStrings", "DefaultUpstreamTimeout", "CookieExpire", "Services", "Addr", "LogLevel", "KeyFile", "CertFile", "SharedKey", "ReadTimeout", "IdleTimeout", "GRPCClientTimeout", "GRPCClientDNSRoundRobin", "TracingSampleRate", "ProgrammaticRedirectDomainWhitelist", "RuntimeFlags"),
 		cmpopts.IgnoreFields(Policy{}, "EnvoyOpts"),
 		cmpOptIgnoreUnexported,
 	}
@ -426,6 +426,22 @@ func TestOptionsFromViper(t *testing.T) {
 			},
 			false,
 		},
+		{
+			"good disable header",
+			[]byte(`{"autocert_dir":"","insecure_server":true,"set_response_headers": {"disable":"true"},"policy":[{"from": "https://from.example","to":"https://to.example"}]}`),
+			&Options{
+				Policies:                 []Policy{{From: "https://from.example", To: mustParseWeightedURLs(t, "https://to.example")}},
+				CookieName:               "_pomerium",
+				AuthenticateCallbackPath: "/oauth2/callback",
+				CookieHTTPOnly:           true,
+				InsecureServer:           true,
+				SetResponseHeaders:       map[string]string{"disable": "true"},
+				DataBrokerStorageType:    "memory",
+				EnvoyAdminAccessLogPath:  os.DevNull,
+				EnvoyAdminProfilePath:    os.DevNull,
+			},
+			false,
+		},
 		{"bad url", []byte(`{"policy":[{"from": "https://","to":"https://to.example"}]}`), nil, true},
 		{"bad policy", []byte(`{"policy":[{"allow_public_unauthenticated_access": "dog","to":"https://to.example"}]}`), nil, true},
 		{"bad file", []byte(`{''''}`), nil, true},
@ -1257,6 +1273,33 @@ func TestOptions_RequestParamsFromEnv(t *testing.T) {
 	}
 }

+func TestOptions_RuntimeFlags(t *testing.T) {
+	t.Parallel()
+
+	extra := DefaultRuntimeFlags()
+	extra["another"] = true
+
+	cases := []struct {
+		label    string
+		config   string
+		expected RuntimeFlags
+	}{
+		{"not present", "", DefaultRuntimeFlags()},
+		{"explicitly empty", `{"runtime_flags": {}}`, DefaultRuntimeFlags()},
+		{"all", `{"runtime_flags":{"another":true}}`, extra},
+	}
+	cfg := filepath.Join(t.TempDir(), "config.yaml")
+	for _, c := range cases {
+		t.Run(c.label, func(t *testing.T) {
+			err := os.WriteFile(cfg, []byte(c.config), 0o644)
+			require.NoError(t, err)
+			o, err := newOptionsFromConfig(cfg)
+			require.NoError(t, err)
+			assert.Equal(t, c.expected, o.RuntimeFlags)
+		})
+	}
+}
+
 func encodeCert(cert *tls.Certificate) []byte {
 	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Certificate[0]})
 }