3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 20:06:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

envoy: upgrade to v1.17.1 (#1993)

Browse source
This commit is contained in:
Caleb Doxsey 2021-03-17 19:32:58 -06:00 committed by GitHub
parent 4530a0832b
commit eddabc46c7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 213 additions and 274 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
authorize/check_response.go
View file

@ -7,9 +7,9 @@ import (
"sort" "sort"
"strings" "strings"
envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
envoy_type "github.com/envoyproxy/go-control-plane/envoy/type" envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
"github.com/golang/protobuf/ptypes/wrappers" "github.com/golang/protobuf/ptypes/wrappers"
"google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/genproto/googleapis/rpc/status"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
@ -20,8 +20,8 @@ import (
"github.com/pomerium/pomerium/internal/urlutil" "github.com/pomerium/pomerium/internal/urlutil"
) )
func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.CheckResponse { func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v3.CheckResponse {
var requestHeaders []*envoy_api_v2_core.HeaderValueOption var requestHeaders []*envoy_config_core_v3.HeaderValueOption
for k, v := range reply.Headers { for k, v := range reply.Headers {
requestHeaders = append(requestHeaders, mkHeader(k, v, false)) requestHeaders = append(requestHeaders, mkHeader(k, v, false))
} }
@ -29,10 +29,10 @@ func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.C
sort.Slice(requestHeaders, func(i, j int) bool { sort.Slice(requestHeaders, func(i, j int) bool {
return requestHeaders[i].Header.Key < requestHeaders[j].Header.Value return requestHeaders[i].Header.Key < requestHeaders[j].Header.Value
}) })
return &envoy_service_auth_v2.CheckResponse{ return &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: int32(codes.OK), Message: reply.Message}, Status: &status.Status{Code: int32(codes.OK), Message: reply.Message},
HttpResponse: &envoy_service_auth_v2.CheckResponse_OkResponse{ HttpResponse: &envoy_service_auth_v3.CheckResponse_OkResponse{
OkResponse: &envoy_service_auth_v2.OkHttpResponse{ OkResponse: &envoy_service_auth_v3.OkHttpResponse{
Headers: requestHeaders, Headers: requestHeaders,
}, },
}, },
@ -40,9 +40,9 @@ func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.C
} }
func (a *Authorize) deniedResponse( func (a *Authorize) deniedResponse(
in *envoy_service_auth_v2.CheckRequest, in *envoy_service_auth_v3.CheckRequest,
code int32, reason string, headers map[string]string, code int32, reason string, headers map[string]string,
) (*envoy_service_auth_v2.CheckResponse, error) { ) (*envoy_service_auth_v3.CheckResponse, error) {
returnHTMLError := true returnHTMLError := true
inHeaders := in.GetAttributes().GetRequest().GetHttp().GetHeaders() inHeaders := in.GetAttributes().GetRequest().GetHttp().GetHeaders()
if inHeaders != nil { if inHeaders != nil {
@ -56,9 +56,9 @@ func (a *Authorize) deniedResponse(
} }
func (a *Authorize) htmlDeniedResponse( func (a *Authorize) htmlDeniedResponse(
in *envoy_service_auth_v2.CheckRequest, in *envoy_service_auth_v3.CheckRequest,
code int32, reason string, headers map[string]string, code int32, reason string, headers map[string]string,
) (*envoy_service_auth_v2.CheckResponse, error) { ) (*envoy_service_auth_v3.CheckResponse, error) {
opts := a.currentOptions.Load() opts := a.currentOptions.Load()
authenticateURL, err := opts.GetAuthenticateURL() authenticateURL, err := opts.GetAuthenticateURL()
if err != nil { if err != nil {
@ -106,19 +106,19 @@ func (a *Authorize) htmlDeniedResponse(
log.Error().Err(err).Msg("error executing error template") log.Error().Err(err).Msg("error executing error template")
} }
envoyHeaders := []*envoy_api_v2_core.HeaderValueOption{ envoyHeaders := []*envoy_config_core_v3.HeaderValueOption{
mkHeader("Content-Type", "text/html", false), mkHeader("Content-Type", "text/html", false),
} }
for k, v := range headers { for k, v := range headers {
envoyHeaders = append(envoyHeaders, mkHeader(k, v, false)) envoyHeaders = append(envoyHeaders, mkHeader(k, v, false))
} }
return &envoy_service_auth_v2.CheckResponse{ return &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"}, Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{ DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{
Status: &envoy_type.HttpStatus{ Status: &envoy_type_v3.HttpStatus{
Code: envoy_type.StatusCode(code), Code: envoy_type_v3.StatusCode(code),
}, },
Headers: envoyHeaders, Headers: envoyHeaders,
Body: buf.String(), Body: buf.String(),
@ -127,20 +127,20 @@ func (a *Authorize) htmlDeniedResponse(
}, nil }, nil
} }
func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v2.CheckResponse { func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v3.CheckResponse {
envoyHeaders := []*envoy_api_v2_core.HeaderValueOption{ envoyHeaders := []*envoy_config_core_v3.HeaderValueOption{
mkHeader("Content-Type", "text/plain", false), mkHeader("Content-Type", "text/plain", false),
} }
for k, v := range headers { for k, v := range headers {
envoyHeaders = append(envoyHeaders, mkHeader(k, v, false)) envoyHeaders = append(envoyHeaders, mkHeader(k, v, false))
} }
return &envoy_service_auth_v2.CheckResponse{ return &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"}, Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{ DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{
Status: &envoy_type.HttpStatus{ Status: &envoy_type_v3.HttpStatus{
Code: envoy_type.StatusCode(code), Code: envoy_type_v3.StatusCode(code),
}, },
Headers: envoyHeaders, Headers: envoyHeaders,
Body: reason, Body: reason,
@ -149,7 +149,7 @@ func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers m
} }
} }
func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) (*envoy_service_auth_v2.CheckResponse, error) { func (a *Authorize) redirectResponse(in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
opts := a.currentOptions.Load() opts := a.currentOptions.Load()
authenticateURL, err := opts.GetAuthenticateURL() authenticateURL, err := opts.GetAuthenticateURL()
if err != nil { if err != nil {
@ -174,9 +174,9 @@ func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) (*e
}) })
} }
func mkHeader(k, v string, shouldAppend bool) *envoy_api_v2_core.HeaderValueOption { func mkHeader(k, v string, shouldAppend bool) *envoy_config_core_v3.HeaderValueOption {
return &envoy_api_v2_core.HeaderValueOption{ return &envoy_config_core_v3.HeaderValueOption{
Header: &envoy_api_v2_core.HeaderValue{ Header: &envoy_config_core_v3.HeaderValue{
Key: k, Key: k,
Value: v, Value: v,
}, },

52
authorize/check_response_test.go
View file

@ -6,9 +6,9 @@ import (
"net/url" "net/url"
"testing" "testing"
envoy_api_v2_core "github.com/envoyproxy/go-control-plane/envoy/api/v2/core" envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
envoy_type "github.com/envoyproxy/go-control-plane/envoy/type" envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"google.golang.org/genproto/googleapis/rpc/status" "google.golang.org/genproto/googleapis/rpc/status"
@ -57,12 +57,12 @@ func TestAuthorize_okResponse(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
reply *evaluator.Result reply *evaluator.Result
want *envoy_service_auth_v2.CheckResponse want *envoy_service_auth_v3.CheckResponse
}{ }{
{ {
"ok reply", "ok reply",
&evaluator.Result{Status: 0, Message: "ok"}, &evaluator.Result{Status: 0, Message: "ok"},
&envoy_service_auth_v2.CheckResponse{ &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"}, Status: &status.Status{Code: 0, Message: "ok"},
}, },
}, },
@ -75,7 +75,7 @@ func TestAuthorize_okResponse(t *testing.T) {
KubernetesServiceAccountToken: "k8s-svc-account", KubernetesServiceAccountToken: "k8s-svc-account",
}, },
}, },
&envoy_service_auth_v2.CheckResponse{ &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"}, Status: &status.Status{Code: 0, Message: "ok"},
}, },
}, },
@ -88,7 +88,7 @@ func TestAuthorize_okResponse(t *testing.T) {
KubernetesServiceAccountToken: "k8s-svc-account", KubernetesServiceAccountToken: "k8s-svc-account",
}, },
}, },
&envoy_service_auth_v2.CheckResponse{ &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"}, Status: &status.Status{Code: 0, Message: "ok"},
}, },
}, },
@ -98,7 +98,7 @@ func TestAuthorize_okResponse(t *testing.T) {
Status: 0, Status: 0,
Message: "ok", Message: "ok",
}, },
&envoy_service_auth_v2.CheckResponse{ &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 0, Message: "ok"}, Status: &status.Status{Code: 0, Message: "ok"},
}, },
}, },
@ -131,11 +131,11 @@ func TestAuthorize_deniedResponse(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
in *envoy_service_auth_v2.CheckRequest in *envoy_service_auth_v3.CheckRequest
code int32 code int32
reason string reason string
headers map[string]string headers map[string]string
want *envoy_service_auth_v2.CheckResponse want *envoy_service_auth_v3.CheckResponse
}{ }{
{ {
"html denied", "html denied",
@ -143,14 +143,14 @@ func TestAuthorize_deniedResponse(t *testing.T) {
http.StatusBadRequest, http.StatusBadRequest,
"Access Denied", "Access Denied",
nil, nil,
&envoy_service_auth_v2.CheckResponse{ &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"}, Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{ DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{
Status: &envoy_type.HttpStatus{ Status: &envoy_type_v3.HttpStatus{
Code: envoy_type.StatusCode(codes.InvalidArgument), Code: envoy_type_v3.StatusCode(codes.InvalidArgument),
}, },
Headers: []*envoy_api_v2_core.HeaderValueOption{ Headers: []*envoy_config_core_v3.HeaderValueOption{
mkHeader("Content-Type", "text/html", false), mkHeader("Content-Type", "text/html", false),
}, },
Body: "Access Denied", Body: "Access Denied",
@ -160,10 +160,10 @@ func TestAuthorize_deniedResponse(t *testing.T) {
}, },
{ {
"plain text denied", "plain text denied",
&envoy_service_auth_v2.CheckRequest{ &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Headers: map[string]string{}, Headers: map[string]string{},
}, },
}, },
@ -172,14 +172,14 @@ func TestAuthorize_deniedResponse(t *testing.T) {
http.StatusBadRequest, http.StatusBadRequest,
"Access Denied", "Access Denied",
map[string]string{}, map[string]string{},
&envoy_service_auth_v2.CheckResponse{ &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"}, Status: &status.Status{Code: int32(codes.PermissionDenied), Message: "Access Denied"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{ DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{
Status: &envoy_type.HttpStatus{ Status: &envoy_type_v3.HttpStatus{
Code: envoy_type.StatusCode(codes.InvalidArgument), Code: envoy_type_v3.StatusCode(codes.InvalidArgument),
}, },
Headers: []*envoy_api_v2_core.HeaderValueOption{ Headers: []*envoy_config_core_v3.HeaderValueOption{
mkHeader("Content-Type", "text/plain", false), mkHeader("Content-Type", "text/plain", false),
}, },
Body: "Access Denied", Body: "Access Denied",

18
authorize/grpc.go
View file

@ -24,11 +24,11 @@ import (
"github.com/pomerium/pomerium/pkg/grpc/user" "github.com/pomerium/pomerium/pkg/grpc/user"
"github.com/pomerium/pomerium/pkg/grpcutil" "github.com/pomerium/pomerium/pkg/grpcutil"
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
) )
// Check implements the envoy auth server gRPC endpoint. // Check implements the envoy auth server gRPC endpoint.
func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v2.CheckRequest) (*envoy_service_auth_v2.CheckResponse, error) { func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRequest) (*envoy_service_auth_v3.CheckResponse, error) {
ctx, span := trace.StartSpan(ctx, "authorize.grpc.Check") ctx, span := trace.StartSpan(ctx, "authorize.grpc.Check")
defer span.End() defer span.End()
@ -179,7 +179,7 @@ func getForwardAuthURL(r *http.Request) *url.URL {
} }
// isForwardAuth returns if the current request is a forward auth route. // isForwardAuth returns if the current request is a forward auth route.
func (a *Authorize) isForwardAuth(req *envoy_service_auth_v2.CheckRequest) bool { func (a *Authorize) isForwardAuth(req *envoy_service_auth_v3.CheckRequest) bool {
opts := a.currentOptions.Load() opts := a.currentOptions.Load()
if opts.ForwardAuthURL == nil { if opts.ForwardAuthURL == nil {
@ -197,7 +197,7 @@ func (a *Authorize) isForwardAuth(req *envoy_service_auth_v2.CheckRequest) bool
} }
func (a *Authorize) getEvaluatorRequestFromCheckRequest( func (a *Authorize) getEvaluatorRequestFromCheckRequest(
in *envoy_service_auth_v2.CheckRequest, in *envoy_service_auth_v3.CheckRequest,
sessionState *sessions.State, sessionState *sessions.State,
) (*evaluator.Request, error) { ) (*evaluator.Request, error) {
requestURL := getCheckRequestURL(in) requestURL := getCheckRequestURL(in)
@ -261,7 +261,7 @@ func (a *Authorize) getMatchingPolicy(requestURL url.URL) *config.Policy {
return nil return nil
} }
func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v2.CheckRequest) *http.Request { func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v3.CheckRequest) *http.Request {
hattrs := req.GetAttributes().GetRequest().GetHttp() hattrs := req.GetAttributes().GetRequest().GetHttp()
u := getCheckRequestURL(req) u := getCheckRequestURL(req)
hreq := &http.Request{ hreq := &http.Request{
@ -278,7 +278,7 @@ func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v2.CheckRequest) *ht
return hreq return hreq
} }
func getCheckRequestHeaders(req *envoy_service_auth_v2.CheckRequest) map[string]string { func getCheckRequestHeaders(req *envoy_service_auth_v3.CheckRequest) map[string]string {
hdrs := make(map[string]string) hdrs := make(map[string]string)
ch := req.GetAttributes().GetRequest().GetHttp().GetHeaders() ch := req.GetAttributes().GetRequest().GetHttp().GetHeaders()
for k, v := range ch { for k, v := range ch {
@ -287,7 +287,7 @@ func getCheckRequestHeaders(req *envoy_service_auth_v2.CheckRequest) map[string]
return hdrs return hdrs
} }
func getCheckRequestURL(req *envoy_service_auth_v2.CheckRequest) url.URL { func getCheckRequestURL(req *envoy_service_auth_v3.CheckRequest) url.URL {
h := req.GetAttributes().GetRequest().GetHttp() h := req.GetAttributes().GetRequest().GetHttp()
u := url.URL{ u := url.URL{
Scheme: h.GetScheme(), Scheme: h.GetScheme(),
@ -305,7 +305,7 @@ func getCheckRequestURL(req *envoy_service_auth_v2.CheckRequest) url.URL {
} }
// getPeerCertificate gets the PEM-encoded peer certificate from the check request // getPeerCertificate gets the PEM-encoded peer certificate from the check request
func getPeerCertificate(in *envoy_service_auth_v2.CheckRequest) string { func getPeerCertificate(in *envoy_service_auth_v3.CheckRequest) string {
// ignore the error as we will just return the empty string in that case // ignore the error as we will just return the empty string in that case
cert, _ := url.QueryUnescape(in.GetAttributes().GetSource().GetCertificate()) cert, _ := url.QueryUnescape(in.GetAttributes().GetSource().GetCertificate())
return cert return cert
@ -313,7 +313,7 @@ func getPeerCertificate(in *envoy_service_auth_v2.CheckRequest) string {
func logAuthorizeCheck( func logAuthorizeCheck(
ctx context.Context, ctx context.Context,
in *envoy_service_auth_v2.CheckRequest, in *envoy_service_auth_v3.CheckRequest,
reply *evaluator.Result, reply *evaluator.Result,
u *user.User, u *user.User,
) { ) {

124
authorize/grpc_test.go
View file

@ -6,7 +6,7 @@ import (
"net/url" "net/url"
"testing" "testing"
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
"github.com/golang/protobuf/ptypes" "github.com/golang/protobuf/ptypes"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts" "github.com/google/go-cmp/cmp/cmpopts"
@ -63,13 +63,13 @@ func Test_getEvaluatorRequest(t *testing.T) {
}) })
actual, err := a.getEvaluatorRequestFromCheckRequest( actual, err := a.getEvaluatorRequestFromCheckRequest(
&envoy_service_auth_v2.CheckRequest{ &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Id: "id-1234", Id: "id-1234",
Method: "GET", Method: "GET",
Headers: map[string]string{ Headers: map[string]string{
@ -110,19 +110,19 @@ func Test_getEvaluatorRequest(t *testing.T) {
func Test_handleForwardAuth(t *testing.T) { func Test_handleForwardAuth(t *testing.T) {
tests := []struct { tests := []struct {
name string name string
checkReq *envoy_service_auth_v2.CheckRequest checkReq *envoy_service_auth_v3.CheckRequest
forwardAuthURL string forwardAuthURL string
want bool want bool
}{ }{
{ {
name: "enabled", name: "enabled",
checkReq: &envoy_service_auth_v2.CheckRequest{ checkReq: &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Method: "GET", Method: "GET",
Path: "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"), Path: "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"),
Host: "forward-auth.example.com", Host: "forward-auth.example.com",
@ -142,13 +142,13 @@ func Test_handleForwardAuth(t *testing.T) {
}, },
{ {
name: "honor x-forwarded-uri set", name: "honor x-forwarded-uri set",
checkReq: &envoy_service_auth_v2.CheckRequest{ checkReq: &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Method: "GET", Method: "GET",
Path: "/", Path: "/",
Host: "forward-auth.example.com", Host: "forward-auth.example.com",
@ -167,13 +167,13 @@ func Test_handleForwardAuth(t *testing.T) {
}, },
{ {
name: "request with invalid forward auth url", name: "request with invalid forward auth url",
checkReq: &envoy_service_auth_v2.CheckRequest{ checkReq: &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Method: "GET", Method: "GET",
Path: "/verify?uri=" + url.QueryEscape("https://example.com?q=foo"), Path: "/verify?uri=" + url.QueryEscape("https://example.com?q=foo"),
Host: "fake-forward-auth.example.com", Host: "fake-forward-auth.example.com",
@ -187,13 +187,13 @@ func Test_handleForwardAuth(t *testing.T) {
}, },
{ {
name: "request with invalid path", name: "request with invalid path",
checkReq: &envoy_service_auth_v2.CheckRequest{ checkReq: &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Method: "GET", Method: "GET",
Path: "/foo?uri=" + url.QueryEscape("https://example.com?q=foo"), Path: "/foo?uri=" + url.QueryEscape("https://example.com?q=foo"),
Host: "forward-auth.example.com", Host: "forward-auth.example.com",
@ -207,13 +207,13 @@ func Test_handleForwardAuth(t *testing.T) {
}, },
{ {
name: "request with empty uri", name: "request with empty uri",
checkReq: &envoy_service_auth_v2.CheckRequest{ checkReq: &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Method: "GET", Method: "GET",
Path: "/verify?uri=", Path: "/verify?uri=",
Host: "forward-auth.example.com", Host: "forward-auth.example.com",
@ -227,13 +227,13 @@ func Test_handleForwardAuth(t *testing.T) {
}, },
{ {
name: "request with invalid uri", name: "request with invalid uri",
checkReq: &envoy_service_auth_v2.CheckRequest{ checkReq: &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Method: "GET", Method: "GET",
Path: "/verify?uri= http://example.com/foo", Path: "/verify?uri= http://example.com/foo",
Host: "forward-auth.example.com", Host: "forward-auth.example.com",
@ -279,13 +279,13 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
}}, }},
}) })
actual, err := a.getEvaluatorRequestFromCheckRequest(&envoy_service_auth_v2.CheckRequest{ actual, err := a.getEvaluatorRequestFromCheckRequest(&envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Id: "id-1234", Id: "id-1234",
Method: "GET", Method: "GET",
Headers: map[string]string{ Headers: map[string]string{
@ -473,25 +473,25 @@ func TestAuthorize_Check(t *testing.T) {
a.currentOptions.Store(&config.Options{ForwardAuthURL: mustParseURL("https://forward-auth.example.com")}) a.currentOptions.Store(&config.Options{ForwardAuthURL: mustParseURL("https://forward-auth.example.com")})
cmpOpts := []cmp.Option{ cmpOpts := []cmp.Option{
cmpopts.IgnoreUnexported(envoy_service_auth_v2.CheckResponse{}), cmpopts.IgnoreUnexported(envoy_service_auth_v3.CheckResponse{}),
cmpopts.IgnoreUnexported(status.Status{}), cmpopts.IgnoreUnexported(status.Status{}),
cmpopts.IgnoreTypes(envoy_service_auth_v2.DeniedHttpResponse{}), cmpopts.IgnoreTypes(envoy_service_auth_v3.DeniedHttpResponse{}),
} }
tests := []struct { tests := []struct {
name string name string
in *envoy_service_auth_v2.CheckRequest in *envoy_service_auth_v3.CheckRequest
want *envoy_service_auth_v2.CheckResponse want *envoy_service_auth_v3.CheckResponse
wantErr bool wantErr bool
}{ }{
{ {
"basic deny", "basic deny",
&envoy_service_auth_v2.CheckRequest{ &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Id: "id-1234", Id: "id-1234",
Method: "GET", Method: "GET",
Headers: map[string]string{ Headers: map[string]string{
@ -506,23 +506,23 @@ func TestAuthorize_Check(t *testing.T) {
}, },
}, },
}, },
&envoy_service_auth_v2.CheckResponse{ &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 7, Message: "Access Denied"}, Status: &status.Status{Code: 7, Message: "Access Denied"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{}, DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{},
}, },
}, },
false, false,
}, },
{ {
"basic forward-auth deny", "basic forward-auth deny",
&envoy_service_auth_v2.CheckRequest{ &envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Source: &envoy_service_auth_v2.AttributeContext_Peer{ Source: &envoy_service_auth_v3.AttributeContext_Peer{
Certificate: url.QueryEscape(certPEM), Certificate: url.QueryEscape(certPEM),
}, },
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Method: "GET", Method: "GET",
Path: "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"), Path: "/verify?uri=" + url.QueryEscape("https://example.com/some/path?qs=1"),
Host: "forward-auth.example.com", Host: "forward-auth.example.com",
@ -531,10 +531,10 @@ func TestAuthorize_Check(t *testing.T) {
}, },
}, },
}, },
&envoy_service_auth_v2.CheckResponse{ &envoy_service_auth_v3.CheckResponse{
Status: &status.Status{Code: 7, Message: "Access Denied"}, Status: &status.Status{Code: 7, Message: "Access Denied"},
HttpResponse: &envoy_service_auth_v2.CheckResponse_DeniedResponse{ HttpResponse: &envoy_service_auth_v3.CheckResponse_DeniedResponse{
DeniedResponse: &envoy_service_auth_v2.DeniedHttpResponse{}, DeniedResponse: &envoy_service_auth_v3.DeniedHttpResponse{},
}, },
}, },
false, false,

16
authorize/session_test.go
View file

@ -5,7 +5,7 @@ import (
"regexp" "regexp"
"testing" "testing"
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
@ -25,10 +25,10 @@ func TestLoadSession(t *testing.T) {
return return
} }
load := func(t *testing.T, hattrs *envoy_service_auth_v2.AttributeContext_HttpRequest) (*sessions.State, error) { load := func(t *testing.T, hattrs *envoy_service_auth_v3.AttributeContext_HttpRequest) (*sessions.State, error) {
req := getHTTPRequestFromCheckRequest(&envoy_service_auth_v2.CheckRequest{ req := getHTTPRequestFromCheckRequest(&envoy_service_auth_v3.CheckRequest{
Attributes: &envoy_service_auth_v2.AttributeContext{ Attributes: &envoy_service_auth_v3.AttributeContext{
Request: &envoy_service_auth_v2.AttributeContext_Request{ Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: hattrs, Http: hattrs,
}, },
}, },
@ -56,7 +56,7 @@ func TestLoadSession(t *testing.T) {
} }
cookie := regexp.MustCompile(`^([^;]+)(;.*)?$`).ReplaceAllString(hdrs["Set-Cookie"], "$1") cookie := regexp.MustCompile(`^([^;]+)(;.*)?$`).ReplaceAllString(hdrs["Set-Cookie"], "$1")
hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{ hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{
Id: "req-1", Id: "req-1",
Method: "GET", Method: "GET",
Headers: map[string]string{ Headers: map[string]string{
@ -71,7 +71,7 @@ func TestLoadSession(t *testing.T) {
assert.NotNil(t, sess) assert.NotNil(t, sess)
}) })
t.Run("header", func(t *testing.T) { t.Run("header", func(t *testing.T) {
hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{ hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{
Id: "req-1", Id: "req-1",
Method: "GET", Method: "GET",
Headers: map[string]string{ Headers: map[string]string{
@ -86,7 +86,7 @@ func TestLoadSession(t *testing.T) {
assert.NotNil(t, sess) assert.NotNil(t, sess)
}) })
t.Run("query param", func(t *testing.T) { t.Run("query param", func(t *testing.T) {
hattrs := &envoy_service_auth_v2.AttributeContext_HttpRequest{ hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{
Id: "req-1", Id: "req-1",
Method: "GET", Method: "GET",
Path: "/hello/world?" + url.Values{ Path: "/hello/world?" + url.Values{

1
go.mod
View file

@ -36,7 +36,6 @@ require (
github.com/mitchellh/hashstructure/v2 v2.0.1 github.com/mitchellh/hashstructure/v2 v2.0.1
github.com/mitchellh/mapstructure v1.4.1 github.com/mitchellh/mapstructure v1.4.1
github.com/natefinch/atomic v0.0.0-20200526193002-18c0533a5b09 github.com/natefinch/atomic v0.0.0-20200526193002-18c0533a5b09
github.com/nsf/jsondiff v0.0.0-20210303162244-6ea32392771e
github.com/onsi/gocleanup v0.0.0-20140331211545-c1a5478700b5 github.com/onsi/gocleanup v0.0.0-20140331211545-c1a5478700b5
github.com/open-policy-agent/opa v0.27.1 github.com/open-policy-agent/opa v0.27.1
github.com/openzipkin/zipkin-go v0.2.5 github.com/openzipkin/zipkin-go v0.2.5

2
go.sum
View file

@ -431,8 +431,6 @@ github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzE
github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.0/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w= github.com/nats-io/nkeys v0.1.3/go.mod h1:xpnFELMwJABBLVhffcfd1MZx6VsNRFpEugbxziKVo7w=
github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c=
github.com/nsf/jsondiff v0.0.0-20210303162244-6ea32392771e h1:S+/ptYdZtpK/MDstwCyt+ZHdXEpz86RJZ5gyZU4txJY=
github.com/nsf/jsondiff v0.0.0-20210303162244-6ea32392771e/go.mod h1:uFMI8w+ref4v2r9jz+c9i1IfIttS/OkmLfrk1jne5hs=
github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78= github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs= github.com/oklog/oklog v0.3.2/go.mod h1:FCV+B7mhrz4o+ueLpx+KqkyXRGMWOYEvfiXtdGtbWGs=

4
internal/cmd/pomerium/pomerium.go
View file

@ -11,7 +11,7 @@ import (
"os/signal" "os/signal"
"syscall" "syscall"
envoy_service_auth_v2 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v2" envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
"golang.org/x/sync/errgroup" "golang.org/x/sync/errgroup"
"github.com/pomerium/pomerium/authenticate" "github.com/pomerium/pomerium/authenticate"
@ -189,7 +189,7 @@ func setupAuthorize(src config.Source, controlPlane *controlplane.Server) (*auth
if err != nil { if err != nil {
return nil, fmt.Errorf("error creating authorize service: %w", err) return nil, fmt.Errorf("error creating authorize service: %w", err)
} }
envoy_service_auth_v2.RegisterAuthorizationServer(controlPlane.GRPCServer, svc) envoy_service_auth_v3.RegisterAuthorizationServer(controlPlane.GRPCServer, svc)
log.Info().Msg("enabled authorize service") log.Info().Msg("enabled authorize service")
src.OnConfigChange(svc.OnConfigChange) src.OnConfigChange(svc.OnConfigChange)

6
internal/controlplane/grpc_accesslog.go
View file

@ -3,7 +3,7 @@ package controlplane
import ( import (
"strings" "strings"
envoy_service_accesslog_v2 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v2" envoy_service_accesslog_v3 "github.com/envoyproxy/go-control-plane/envoy/service/accesslog/v3"
"github.com/golang/protobuf/ptypes" "github.com/golang/protobuf/ptypes"
"github.com/rs/zerolog" "github.com/rs/zerolog"
@ -11,11 +11,11 @@ import (
) )
func (srv *Server) registerAccessLogHandlers() { func (srv *Server) registerAccessLogHandlers() {
envoy_service_accesslog_v2.RegisterAccessLogServiceServer(srv.GRPCServer, srv) envoy_service_accesslog_v3.RegisterAccessLogServiceServer(srv.GRPCServer, srv)
} }
// StreamAccessLogs receives logs from envoy and prints them to stdout. // StreamAccessLogs receives logs from envoy and prints them to stdout.
func (srv *Server) StreamAccessLogs(stream envoy_service_accesslog_v2.AccessLogService_StreamAccessLogsServer) error { func (srv *Server) StreamAccessLogs(stream envoy_service_accesslog_v3.AccessLogService_StreamAccessLogsServer) error {
for { for {
msg, err := stream.Recv() msg, err := stream.Recv()
if err != nil { if err != nil {

1
internal/controlplane/xds.go
View file

@ -89,6 +89,7 @@ func buildAccessLogs(options *config.Options) []*envoy_config_accesslog_v3.Acces
}, },
}, },
}, },
TransportApiVersion: envoy_config_core_v3.ApiVersion_V3,
}, },
}) })
return []*envoy_config_accesslog_v3.AccessLog{{ return []*envoy_config_accesslog_v3.AccessLog{{

6
internal/controlplane/xds_listeners.go
View file

@ -362,6 +362,7 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter(
}, },
}, },
IncludePeerCertificate: true, IncludePeerCertificate: true,
TransportApiVersion: envoy_config_core_v3.ApiVersion_V3,
}) })
extAuthzSetCookieLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{ extAuthzSetCookieLua := marshalAny(&envoy_extensions_filters_http_lua_v3.Lua{
@ -433,6 +434,10 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter(
if err != nil { if err != nil {
return nil, err return nil, err
} }
tracingProvider, err := srv.buildTracingProvider(options)
if err != nil {
return nil, err
}
tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{ tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{
CodecType: envoy_http_connection_manager.HttpConnectionManager_AUTO, CodecType: envoy_http_connection_manager.HttpConnectionManager_AUTO,
StatPrefix: "ingress", StatPrefix: "ingress",
@ -448,6 +453,7 @@ func (srv *Server) buildMainHTTPConnectionManagerFilter(
RequestTimeout: ptypes.DurationProto(options.ReadTimeout), RequestTimeout: ptypes.DurationProto(options.ReadTimeout),
Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{ Tracing: &envoy_http_connection_manager.HttpConnectionManager_Tracing{
RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100}, RandomSampling: &envoy_type_v3.Percent{Value: options.TracingSampleRate * 100},
Provider: tracingProvider,
}, },
// See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for // See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
UseRemoteAddress: &wrappers.BoolValue{Value: true}, UseRemoteAddress: &wrappers.BoolValue{Value: true},

6
internal/controlplane/xds_listeners_test.go
View file

@ -128,7 +128,8 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"clusterName": "pomerium-control-plane-grpc" "clusterName": "pomerium-control-plane-grpc"
} }
}, },
"logName": "ingress-http" "logName": "ingress-http",
"transportApiVersion": "V3"
} }
} }
}], }],
@ -156,7 +157,8 @@ func Test_buildMainHTTPConnectionManagerFilter(t *testing.T) {
"includePeerCertificate": true, "includePeerCertificate": true,
"statusOnError": { "statusOnError": {
"code": "InternalServerError" "code": "InternalServerError"
} },
"transportApiVersion": "V3"
} }
}, },
{ {

62
internal/controlplane/xds_tracing.go Normal file
View file

@ -0,0 +1,62 @@
package controlplane
import (
"fmt"
envoy_config_trace_v3 "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3"
"google.golang.org/protobuf/types/known/anypb"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/telemetry/trace"
)
func (srv *Server) buildTracingProvider(options *config.Options) (*envoy_config_trace_v3.Tracing_Http, error) {
tracingOptions, err := config.NewTracingOptions(options)
if err != nil {
return nil, fmt.Errorf("invalid tracing config: %w", err)
}
switch tracingOptions.Provider {
case trace.DatadogTracingProviderName:
tracingTC, _ := anypb.New(&envoy_config_trace_v3.DatadogConfig{
CollectorCluster: "datadog-apm",
ServiceName: tracingOptions.Service,
})
return &envoy_config_trace_v3.Tracing_Http{
Name: "envoy.tracers.datadog",
ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
TypedConfig: tracingTC,
},
}, nil
case trace.ZipkinTracingProviderName:
if tracingOptions.ZipkinEndpoint.String() == "" {
return nil, fmt.Errorf("missing zipkin url")
}
tracingTC, _ := anypb.New(
&envoy_config_trace_v3.OpenCensusConfig{
ZipkinExporterEnabled: true,
ZipkinUrl: tracingOptions.ZipkinEndpoint.String(),
IncomingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
envoy_config_trace_v3.OpenCensusConfig_B3,
envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
envoy_config_trace_v3.OpenCensusConfig_CLOUD_TRACE_CONTEXT,
envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
},
OutgoingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
envoy_config_trace_v3.OpenCensusConfig_B3,
envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
},
},
)
return &envoy_config_trace_v3.Tracing_Http{
Name: "envoy.tracers.opencensus",
ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
TypedConfig: tracingTC,
},
}, nil
default:
return nil, nil
}
}

63
internal/envoy/envoy.go
View file

@ -28,14 +28,12 @@ import (
envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3" envoy_config_endpoint_v3 "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3"
envoy_config_metrics_v3 "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3" envoy_config_metrics_v3 "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3"
envoy_config_trace_v3 "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3"
"github.com/golang/protobuf/proto" "github.com/golang/protobuf/proto"
"github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp"
"github.com/natefinch/atomic" "github.com/natefinch/atomic"
"github.com/rs/zerolog" "github.com/rs/zerolog"
"go.opencensus.io/stats/view" "go.opencensus.io/stats/view"
"google.golang.org/protobuf/encoding/protojson" "google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/durationpb" "google.golang.org/protobuf/types/known/durationpb"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
@ -393,10 +391,6 @@ func (srv *Server) buildBootstrapConfig(cfg *config.Config) ([]byte, error) {
StatsConfig: srv.buildStatsConfig(), StatsConfig: srv.buildStatsConfig(),
} }
if err := srv.addTraceConfig(bcfg); err != nil {
return nil, fmt.Errorf("failed to add tracing config: %w", err)
}
jsonBytes, err := protojson.Marshal(proto.MessageV2(bcfg)) jsonBytes, err := protojson.Marshal(proto.MessageV2(bcfg))
if err != nil { if err != nil {
return nil, err return nil, err
@ -418,63 +412,6 @@ func (srv *Server) buildStatsConfig() *envoy_config_metrics_v3.StatsConfig {
return cfg return cfg
} }
func (srv *Server) addTraceConfig(bootCfg *envoy_config_bootstrap_v3.Bootstrap) error {
if !srv.options.tracingOptions.Enabled() {
return nil
}
switch srv.options.tracingOptions.Provider {
default:
return nil
case trace.DatadogTracingProviderName:
tracingTC, _ := anypb.New(&envoy_config_trace_v3.DatadogConfig{
CollectorCluster: "datadog-apm",
ServiceName: srv.options.tracingOptions.Service,
})
bootCfg.Tracing = &envoy_config_trace_v3.Tracing{
Http: &envoy_config_trace_v3.Tracing_Http{
Name: "envoy.tracers.datadog",
ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
TypedConfig: tracingTC,
},
},
}
case trace.ZipkinTracingProviderName:
if srv.options.tracingOptions.ZipkinEndpoint.String() == "" {
return fmt.Errorf("missing zipkin url")
}
// TODO the outbound header list should be configurable when this moves to
// HTTPConnectionManager filters
tracingTC, _ := anypb.New(
&envoy_config_trace_v3.OpenCensusConfig{
ZipkinExporterEnabled: true,
ZipkinUrl: srv.options.tracingOptions.ZipkinEndpoint.String(),
IncomingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
envoy_config_trace_v3.OpenCensusConfig_B3,
envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
envoy_config_trace_v3.OpenCensusConfig_CLOUD_TRACE_CONTEXT,
envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
},
OutgoingTraceContext: []envoy_config_trace_v3.OpenCensusConfig_TraceContext{
envoy_config_trace_v3.OpenCensusConfig_B3,
envoy_config_trace_v3.OpenCensusConfig_TRACE_CONTEXT,
envoy_config_trace_v3.OpenCensusConfig_GRPC_TRACE_BIN,
},
},
)
bootCfg.Tracing = &envoy_config_trace_v3.Tracing{
Http: &envoy_config_trace_v3.Tracing_Http{
Name: "envoy.tracers.opencensus",
ConfigType: &envoy_config_trace_v3.Tracing_Http_TypedConfig{
TypedConfig: tracingTC,
},
},
}
}
return nil
}
var fileNameAndNumberRE = regexp.MustCompile(`^(\[[a-zA-Z0-9/-_.]+:[0-9]+])\s(.*)$`) var fileNameAndNumberRE = regexp.MustCompile(`^(\[[a-zA-Z0-9/-_.]+:[0-9]+])\s(.*)$`)
func (srv *Server) parseLog(line string) (name string, logLevel string, msg string) { func (srv *Server) parseLog(line string) (name string, logLevel string, msg string) {

66
internal/envoy/envoy_test.go
View file

@ -1,83 +1,17 @@
package envoy package envoy
import ( import (
"fmt"
"io/ioutil" "io/ioutil"
"net/url"
"regexp" "regexp"
"strings" "strings"
"testing" "testing"
envoy_config_bootstrap_v3 "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3"
"github.com/golang/protobuf/proto"
"github.com/nsf/jsondiff"
"github.com/rs/zerolog" "github.com/rs/zerolog"
"github.com/stretchr/testify/assert"
"google.golang.org/protobuf/encoding/protojson"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/telemetry/trace"
"github.com/pomerium/pomerium/internal/testutil" "github.com/pomerium/pomerium/internal/testutil"
) )
func jsonDump(t *testing.T, m proto.GeneratedMessage) []byte {
t.Helper()
jsonBytes, err := protojson.Marshal(proto.MessageV2(m))
if err != nil {
t.Fatalf("failed to marshal json: %s", err)
}
return jsonBytes
}
func Test_addTraceConfig(t *testing.T) {
t.Parallel()
tests := []struct {
name string
opts *config.TracingOptions
want string
wantErr bool
}{
{
"good zipkin",
&config.TracingOptions{Provider: trace.ZipkinTracingProviderName, ZipkinEndpoint: &url.URL{Host: "localhost:9411"}},
`{"tracing":{"http":{"name":"envoy.tracers.opencensus","typedConfig":{"@type":"type.googleapis.com/envoy.config.trace.v3.OpenCensusConfig","zipkinExporterEnabled":true,"zipkinUrl":"//localhost:9411","incomingTraceContext":["B3","TRACE_CONTEXT","CLOUD_TRACE_CONTEXT","GRPC_TRACE_BIN"],"outgoingTraceContext":["B3","TRACE_CONTEXT","GRPC_TRACE_BIN"]}}}}`,
false,
},
{
"good jaeger",
&config.TracingOptions{Provider: trace.JaegerTracingProviderName},
`{}`,
false,
},
{
"bad zipkin",
&config.TracingOptions{Provider: trace.ZipkinTracingProviderName, ZipkinEndpoint: &url.URL{}},
`{}`,
true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
srv := &Server{
options: serverOptions{
tracingOptions: *tt.opts,
},
}
baseCfg := &envoy_config_bootstrap_v3.Bootstrap{}
err := srv.addTraceConfig(baseCfg)
assert.Equal(t, tt.wantErr, err != nil, "unexpected error state")
diff, diffStr := jsondiff.Compare([]byte(tt.want), jsonDump(t, baseCfg), &jsondiff.Options{})
assert.Equal(t, jsondiff.FullMatch, diff, fmt.Sprintf("%s: differences: %s", diff.String(), diffStr))
})
}
}
func Test_buildStatsConfig(t *testing.T) { func Test_buildStatsConfig(t *testing.T) {
tests := []struct { tests := []struct {
name string name string

2
scripts/get-envoy.bash
View file

@ -4,7 +4,7 @@ set -euo pipefail
PATH="$PATH:$(go env GOPATH)/bin" PATH="$PATH:$(go env GOPATH)/bin"
export PATH export PATH
_envoy_version=1.16.2 _envoy_version=1.17.1
_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/../bin" _dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/../bin"
_target="${TARGET:-"$(go env GOOS)_$(go env GOARCH)"}" _target="${TARGET:-"$(go env GOOS)_$(go env GOARCH)"}"