go/mirko: add GetRemoteHTTPClient

Change-Id: Icf1ec5c28ea487e62a23590069042c5b9edad846
This commit is contained in:
q3k 2021-05-22 19:10:13 +00:00
parent e17f7edde0
commit 13c90f0fe6
3 changed files with 150 additions and 1 deletions

View file

@ -1,10 +1,11 @@
load("@io_bazel_rules_go//go:def.bzl", "go_library")
load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
go_library(
name = "go_default_library",
srcs = [
"kubernetes.go",
"mirko.go",
"revproxy.go",
"sql.go",
"sql_migrations.go",
"trace.go",
@ -24,3 +25,10 @@ go_library(
"@org_golang_x_net//trace:go_default_library",
],
)
go_test(
name = "go_default_test",
srcs = ["revproxy_test.go"],
embed = [":go_default_library"],
deps = ["@io_k8s_client_go//kubernetes:go_default_library"],
)

66
go/mirko/revproxy.go Normal file
View file

@ -0,0 +1,66 @@
package mirko
import (
"fmt"
"net"
"net/http"
"strconv"
"strings"
)
// parsePort parses a string as a port number from 1 to 65535.
func parsePort(s string) (uint16, error) {
port, err := strconv.ParseUint(s, 10, 16)
if err != nil {
return 0, fmt.Errorf("could not parse port %q: %v", s, err)
}
if port < 1 || port > 65535 {
return 0, fmt.Errorf("port %d out of range", port)
}
return uint16(port), nil
}
// GetHTTPRemoteClient returns the IP address and source port of the client
// initiating the given HTTP request. This will either interpret the remote
// side of the HTTP connection if not running within a cluster, or the source
// IP/port as reported by the cluster reverse proxy (nginx-ingress-controller).
// An error will be returned if the request is unparseable for this data. In
// this case, the caller should assume that the environment is misconfigured,
// and that the client source cannot be deduced.
func GetHTTPRemoteClient(r *http.Request) (net.IP, uint16, error) {
if KubernetesClient() == nil {
// We're not running inside a cluster (we're probably running on a dev
// machine), so just return whatever net/http says.
host, portStr, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
return nil, 0, fmt.Errorf("could not split hostport: %v", err)
}
ip := net.ParseIP(host)
if ip == nil {
return nil, 0, fmt.Errorf("could not parse host %q to IP address", host)
}
port, err := parsePort(portStr)
if err != nil {
return nil, 0, err
}
return ip, uint16(port), nil
}
// We are running in a cluster, so we can expect Hscloud-* headers.
// These are configured in the nginx-ingress-controller, //cluster/kube/lib/nginx.libsonnet.
nsip := strings.TrimSpace(r.Header.Get("Hscloud-Nic-Source-IP"))
nsport := strings.TrimSpace(r.Header.Get("Hscloud-Nic-Source-Port"))
if nsip == "" || nsport == "" {
return nil, 0, fmt.Errorf("Hscloud-Nic-* headers not set")
}
ip := net.ParseIP(nsip)
if ip == nil {
return nil, 0, fmt.Errorf("Invalid Hscloud-Nix-Source-IP %q", nsip)
}
port, err := parsePort(nsport)
if err != nil {
return nil, 0, fmt.Errorf("Invalid Hscloud-Nix-Source-Port: %v", err)
}
return ip, port, nil
}

75
go/mirko/revproxy_test.go Normal file
View file

@ -0,0 +1,75 @@
package mirko
import (
"net"
"net/http"
"testing"
"k8s.io/client-go/kubernetes"
)
// TestHTTPRemoteClient exercises GetHTTPRemoteClient.
func TestHTTPRemoteClient(t *testing.T) {
for i, te := range []struct {
// k8s is whether GetHTTPRemoteClient should see itself as running in
// production.
k8s bool
r *http.Request
wantIP net.IP
wantPort uint16
}{
// 0: No headers set, outside cluseter - should work as expected.
{false, &http.Request{RemoteAddr: "1.2.3.4:1234", Header: map[string][]string{}}, net.IPv4(1, 2, 3, 4), 1234},
// 1: No headers set, in cluseter - should fail.
{true, &http.Request{RemoteAddr: "1.2.3.4:1234", Header: map[string][]string{}}, nil, 0},
// 2: Headers set, outside cluster - should parse request, not headers.
{false, &http.Request{RemoteAddr: "1.2.3.4:1234", Header: map[string][]string{
"Hscloud-Nic-Source-Ip": []string{"2.3.4.5"},
"Hscloud-Nic-Source-Port": []string{"2345"},
}}, net.IPv4(1, 2, 3, 4), 1234},
// 3: Headers set, in cluster - should parse headers, not request.
{true, &http.Request{RemoteAddr: "1.2.3.4:1234", Header: map[string][]string{
"Hscloud-Nic-Source-Ip": []string{"2.3.4.5"},
"Hscloud-Nic-Source-Port": []string{"2345"},
}}, net.IPv4(2, 3, 4, 5), 2345},
// 4: Test IPv6 parsing.
{false, &http.Request{RemoteAddr: "[2a0d:eb00::42]:1234", Header: map[string][]string{}},
net.IP([]byte{0x2a, 0x0d, 0xeb, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x42}), 1234},
// 5: Test broken IPv6.
{false, &http.Request{RemoteAddr: "2a0d:eb00::42:1234", Header: map[string][]string{}}, nil, 0},
// 6: Test broken IPv6.
{false, &http.Request{RemoteAddr: "2a0d:eb00::42", Header: map[string][]string{}}, nil, 0},
// 7: Test broken IPv6.
{false, &http.Request{RemoteAddr: "2a0d:80", Header: map[string][]string{}}, nil, 0},
// 8: Test broken port.
{false, &http.Request{RemoteAddr: "1.2.3.4", Header: map[string][]string{}}, nil, 0},
// 9: Test broken port.
{false, &http.Request{RemoteAddr: "1.2.3.4:0", Header: map[string][]string{}}, nil, 0},
} {
kubernetesCSMu.Lock()
if te.k8s {
kubernetesCS = &kubernetes.Clientset{}
} else {
kubernetesCS = nil
}
kubernetesCSValid = true
kubernetesCSMu.Unlock()
gotIP, gotPort, err := GetHTTPRemoteClient(te.r)
if err == nil {
if want, got := te.wantIP, gotIP; !want.Equal(got) {
t.Errorf("%d: wanted IP %v, got %v", i, want, got)
}
if want, got := te.wantPort, gotPort; want != got {
t.Errorf("%d: wanted port %d, got %d", i, want, got)
}
} else {
if te.wantIP != nil || te.wantPort != 0 {
t.Errorf("%d: wanted %v %d, got failure", te.wantIP, te.wantPort)
}
}
}
}