Add support for username / password auth in URLs to external CONNECT …

…proxies (#222) * Add support for UN / PW Auth for External CONNECT Proxies * Fixed naming of log line * PR feedback * Debug commit * Removing modifications of vendor-ed code * Removed debug * Removed missed cruft * Fixed bug with env var proxy arg * Add failure kind * update goproxy version to master commit
stripe · Jul 11, 2024 · 85c4c64 · 85c4c64
1 parent eb1ac09
commit 85c4c64
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 13 deletions.
diff --git a/go.mod b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/rs/xid v1.2.1
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.8.0
-	github.com/stripe/goproxy v0.0.0-20231206175114-560c3ba6a2a1
+	github.com/stripe/goproxy v0.0.0-20240711170433-75b93c00dfb0
 	golang.org/x/net v0.17.0
 	gopkg.in/urfave/cli.v1 v1.20.0
 	gopkg.in/yaml.v2 v2.4.0

diff --git a/go.sum b/go.sum
@@ -218,6 +218,12 @@ github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PK
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stripe/goproxy v0.0.0-20231206175114-560c3ba6a2a1 h1:kA8wVCrTI7UE2Z8oj24W75/J+IUA/fFn8vYYXs/sJeE=
 github.com/stripe/goproxy v0.0.0-20231206175114-560c3ba6a2a1/go.mod h1:hF2CVgH4++5ijZiy9grGVP8Fsi4u+SMOtbnIKYbMUjY=
+github.com/stripe/goproxy v0.0.0-20240702223215-529f11a6f861 h1:dlR0X8/38L9ip1ydDazfTRyPe0iW6cepmIcaygH2r5Q=
+github.com/stripe/goproxy v0.0.0-20240702223215-529f11a6f861/go.mod h1:hF2CVgH4++5ijZiy9grGVP8Fsi4u+SMOtbnIKYbMUjY=
+github.com/stripe/goproxy v0.0.0-20240702232545-72d7dbc6d4fe h1:RzjmXDVOjWq9sPRc/rn6a9g1N3C+q9LzP8pI7aPEzPQ=
+github.com/stripe/goproxy v0.0.0-20240702232545-72d7dbc6d4fe/go.mod h1:hF2CVgH4++5ijZiy9grGVP8Fsi4u+SMOtbnIKYbMUjY=
+github.com/stripe/goproxy v0.0.0-20240711170433-75b93c00dfb0 h1:1xKgjoLWAosf0yoKocNN4mel1++AKqJw9axpJyz1JRw=
+github.com/stripe/goproxy v0.0.0-20240711170433-75b93c00dfb0/go.mod h1:hF2CVgH4++5ijZiy9grGVP8Fsi4u+SMOtbnIKYbMUjY=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=

diff --git a/pkg/smokescreen/acl/v1/yaml_loader.go b/pkg/smokescreen/acl/v1/yaml_loader.go
@@ -98,9 +98,10 @@ func (cfg *YAMLConfig) Load() (*ACL, error) {
 		}
 
 		acl.DefaultRule = &Rule{
-			Project:     cfg.Default.Project,
-			Policy:      p,
-			DomainGlobs: cfg.Default.AllowedHosts,
+			Project:            cfg.Default.Project,
+			Policy:             p,
+			DomainGlobs:        cfg.Default.AllowedHosts,
+			ExternalProxyGlobs: cfg.Default.AllowedExternalProxyHosts,
 		}
 	}
 

diff --git a/pkg/smokescreen/smokescreen.go b/pkg/smokescreen/smokescreen.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"os/signal"
 	"strings"
@@ -938,6 +939,25 @@ func checkACLsForRequest(config *Config, req *http.Request, destination hostport
 	// which is the behavior we want here.
 	connectProxyHost := req.Header.Get("X-Upstream-Https-Proxy")
 
+	if connectProxyHost != "" {
+		connectProxyUrl, err := url.Parse(connectProxyHost)
+
+		if err != nil {
+			config.Log.WithFields(logrus.Fields{
+				"error":               err,
+				"role":                role,
+				"upstream_proxy_name": req.Header.Get("X-Upstream-Https-Proxy"),
+				"destination_host":    destination.Host,
+				"kind":                "parse_failure",
+			}).Error("Unable to parse X-Upstream-Https-Proxy header.")
+
+			config.MetricsClient.Incr("acl.upstream_proxy_parse_error", 1)
+			return decision
+		}
+
+		connectProxyHost = connectProxyUrl.Hostname()
+	}
+
 	ACLDecision, err := config.EgressACL.Decide(role, destination.Host, connectProxyHost)
 	decision.project = ACLDecision.Project
 	decision.reason = ACLDecision.Reason

diff --git a/pkg/smokescreen/smokescreen_test.go b/pkg/smokescreen/smokescreen_test.go
@@ -1292,7 +1292,12 @@ func TestCONNECTProxyACLs(t *testing.T) {
 		externalProxy.StartTLS()
 
 		remote := httptest.NewTLSServer(h)
-		client, err := proxyClientWithConnectHeaders(proxy.URL, http.Header{"X-Upstream-Https-Proxy": []string{"myproxy.com"}})
+		client, err := proxyClientWithConnectHeaders(
+			proxy.URL,
+			http.Header{
+				"X-Upstream-Https-Proxy": []string{"https://param1_username-param2-param3:[email protected]:12345"},
+			},
+		)
 		r.NoError(err)
 
 		req, err := http.NewRequest("GET", remote.URL, nil)

diff --git a/vendor/github.com/stripe/goproxy/https.go b/vendor/github.com/stripe/goproxy/https.go
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -69,7 +69,7 @@ github.com/sirupsen/logrus/hooks/test
 ## explicit; go 1.13
 github.com/stretchr/testify/assert
 github.com/stretchr/testify/require
-# github.com/stripe/goproxy v0.0.0-20231206175114-560c3ba6a2a1
+# github.com/stripe/goproxy v0.0.0-20240711170433-75b93c00dfb0
 ## explicit; go 1.13
 github.com/stripe/goproxy
 # golang.org/x/mod v0.8.0