Fixed tests

stripe · Feb 15, 2024 · aa6d697 · aa6d697
1 parent 5530680
commit aa6d697
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/pkg/smokescreen/acl/v1/acl.go b/pkg/smokescreen/acl/v1/acl.go
@@ -40,6 +40,7 @@ func New(logger *logrus.Logger, loader Loader, disabledActions []string) (*ACL,
 	if err != nil {
 		return nil, err
 	}
+
 	err = acl.DisablePolicies(disabledActions)
 	if err != nil {
 		return nil, err

diff --git a/pkg/smokescreen/smokescreen.go b/pkg/smokescreen/smokescreen.go
@@ -937,10 +937,9 @@ func checkACLsForRequest(config *Config, req *http.Request, destination hostport
 	// a _subsequent_ proxy to use for the CONNECT request. This is used to allow traffic
 	// flow as in: client -(TLS)-> smokescreen -(TLS)-> external proxy -(TLS)-> destination.
 	// Without this header, there's no way for the client to specify a subsequent proxy.
-	var connectProxyHost string
-	if connectProxyHostSlice := req.Header.Get("X-Upstream-Https-Proxy"); len(connectProxyHostSlice) > 0 {
-		connectProxyHost = string(connectProxyHostSlice[0])
-	}
+	// Also note - Get returns the first value for a given header, or the empty string,
+	// which is the behavior we want here.
+	connectProxyHost := req.Header.Get("X-Upstream-Https-Proxy")
 
 	ACLDecision, err := config.EgressACL.Decide(role, destination.Host, connectProxyHost)
 	decision.project = ACLDecision.Project

diff --git a/pkg/smokescreen/testdata/acl.yaml b/pkg/smokescreen/testdata/acl.yaml
@@ -22,13 +22,15 @@ services:
       - 127.0.0.1
     allowed_external_proxies:
       - myproxy.com
+      - otherproxy.org
   - name: test-external-connect-proxy-allowed-srv
     project: security
     action: enforce
     allowed_domains:
       - 127.0.0.1
     allowed_external_proxies:
       - localhost 
+      - thisisaproxy.com
 
 global_deny_list:
   - stripe.com