status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-01-10 13:55:55 +00:00
Code Issues Projects Releases Wiki Activity

Prevent wildcard destinations for proxies and upstreams

Browse Source
This commit is contained in:
freddygv 2021-03-19 20:56:02 -06:00
parent 24ee8a0488
commit 77ead5cca9
3 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
agent/structs/connect_proxy_config.go
View File

@ -333,6 +333,9 @@ func (u *Upstream) Validate() error {
if u.DestinationName == "" { if u.DestinationName == "" {
return fmt.Errorf("upstream destination name cannot be empty") return fmt.Errorf("upstream destination name cannot be empty")
} }
if u.DestinationName == WildcardSpecifier && !u.CentrallyConfigured {
return fmt.Errorf("upstream destination name cannot be a wildcard")
}
if u.LocalBindPort == 0 && !u.CentrallyConfigured { if u.LocalBindPort == 0 && !u.CentrallyConfigured {
return fmt.Errorf("upstream local bind port cannot be zero") return fmt.Errorf("upstream local bind port cannot be zero")

5
agent/structs/structs.go
View File

@ -1153,6 +1153,11 @@ func (s *NodeService) Validate() error {
"Proxy.DestinationServiceName must be non-empty for Connect proxy "+ "Proxy.DestinationServiceName must be non-empty for Connect proxy "+
"services")) "services"))
} }
if strings.TrimSpace(s.Proxy.DestinationServiceName) == WildcardSpecifier {
result = multierror.Append(result, fmt.Errorf(
"Proxy.DestinationServiceName must not be a wildcard for Connect proxy "+
"services"))
}
if s.Port == 0 { if s.Port == 0 {
result = multierror.Append(result, fmt.Errorf( result = multierror.Append(result, fmt.Errorf(

28
agent/structs/structs_test.go
View File

@ -648,6 +648,12 @@ func TestStructs_NodeService_ValidateConnectProxy(t *testing.T) {
"Proxy.DestinationServiceName must be", "Proxy.DestinationServiceName must be",
}, },
{
"connect-proxy: wildcard Proxy.DestinationServiceName",
func(x *NodeService) { x.Proxy.DestinationServiceName = "*" },
"Proxy.DestinationServiceName must not be",
},
{ {
"connect-proxy: valid Proxy.DestinationServiceName", "connect-proxy: valid Proxy.DestinationServiceName",
func(x *NodeService) { x.Proxy.DestinationServiceName = "hello" }, func(x *NodeService) { x.Proxy.DestinationServiceName = "hello" },
@ -697,6 +703,28 @@ func TestStructs_NodeService_ValidateConnectProxy(t *testing.T) {
}, },
"upstream destination name cannot be empty", "upstream destination name cannot be empty",
}, },
{
"connect-proxy: upstream wildcard name",
func(x *NodeService) {
x.Proxy.Upstreams = Upstreams{{
DestinationType: UpstreamDestTypeService,
DestinationName: WildcardSpecifier,
LocalBindPort: 5000,
}}
},
"upstream destination name cannot be a wildcard",
},
{
"connect-proxy: upstream can have wildcard name when centrally configured",
func(x *NodeService) {
x.Proxy.Upstreams = Upstreams{{
DestinationType: UpstreamDestTypeService,
DestinationName: WildcardSpecifier,
CentrallyConfigured: true,
}}
},
"",
},
{ {
"connect-proxy: upstream empty bind port", "connect-proxy: upstream empty bind port",
func(x *NodeService) { func(x *NodeService) {