Add support for Smokescreen -> HTTPS CONNECT Proxy ACLs #213
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Pull Request Test Coverage Report for Build 7925606600Details
💛 - Coveralls |
pspieker-stripe
force-pushed
the
pspieker-add-proxy-acl-support
branch
4 times, most recently
from
eac5e8e to
d5c4b68
Compare
pspieker-stripe
changed the title
pspieker-stripe
assigned pspieker-stripe, cds2-stripe and jjiang-stripe and unassigned pspieker-stripe
pspieker-stripe
commented
Feb 14, 2024
cds2-stripe
previously requested changes
Feb 14, 2024
| allowed_domains: | ||
| - 127.0.0.1 | ||
| allowed_external_proxies: | ||
| - myproxy.com |
There was a problem hiding this comment.
Could we add multiple external proxies to make sure the glob gets constructed correctly?
There was a problem hiding this comment.
This role is just used for the non-allowed proxies list; do you mean adding localhost here? How are you thinking of testing glob construction? Is just adding some different possible URL shapes helpful here, or is there something in particular you'd like us to assert against?
There was a problem hiding this comment.
All of the addresses here construct a glob which should match any allowed_external_proxies specific in the header. My thought was to add something like myproxy2.com to the end of the this and then verify it is still allowed as an external proxy in one of your tests.
| @@ -1236,6 +1236,77 @@ func TestCustomRequestHandler(t *testing.T) { | |||
| }) | |||
| } | |||
|
|
|||
| func TestCONNECTProxyACLs(t *testing.T) { | |||
There was a problem hiding this comment.
Thanks for adding this!
|
Not sure why Edit: fixed now - lemurheavy/coveralls-public#1716 |
Add gitignore debug changes WIP Basic concept working WIP Cleaned up some things prereview fixed tests Removed extraneous yaml file Add correctly failing test tmp WIP WIP WIP WIP WIP WIP
pspieker-stripe
force-pushed
the
pspieker-add-proxy-acl-support
branch
from
31190ca to
fff9e77
Compare
pspieker-stripe
force-pushed
the
pspieker-add-proxy-acl-support
branch
from
fff9e77 to
995a427
Compare
cds2-stripe
approved these changes
Feb 16, 2024
amber-higgins
added a commit
to intercom/smokescreen
that referenced
this pull request
Jan 27, 2025
* add a custom interface for the resolver instead of forcing *net.Resolver (stripe#187) * feature/add prometheus metrics (stripe#179) * STORY-25143 - Add prometheus metrics to smokescreen * STORY-25143 - Cleanup * STORY-25143 - Fix tests to compare new metric labels * STORY-25143 - Host prometheus endpoint on separate port * STORY-25143 - Use value provided via command line flag * STORY-25143 - Add prometheus timing metrics * STORY-25143 - Fix nil map assignment and prometheus metric name sanitisation * STORY-25143 - Cleanup comments * STORY-25143 - Remove some repetition + add further unit testing * STORY-25143 - Document new prometheus features in README + add port flag to prometheus config * STORY-25143 - Make PR requested changes: * Don't export metrics list * Follow project sytlistic choices * STORY-25143 - Rename only one receiver * STORY-25143 - Add new `--expose-prometheus-metrics` flag to CLI to toggle exposing prometheus metrics * Small cleanup of timer metrics * Fix go module vendoring * Use ElementsMatch to ignore order * Just use require * Move the custom request handler call after the main acl check * Use local server instead of httpbin (stripe#192) * Do not return a denyError for DNS resolution failures (stripe#194) * dont return denial errors for dns resolution failures * fix test * move DNSError check into net.Error assertion, extend test * fix integration test * add AcceptResponseHandler to modify accepted responses (stripe#196) * add AcceptResponseHandler to modify accepted responses * customer->custom * Update docs to clarify global_deny_list (stripe#197) * update docs to clarify global_deny_list behavior * consistent example domain * be more concise * Use AcceptResponseHandler in goproxy https CONNECT hook (stripe#199) * pipe AcceptResponseHandler into new goproxy hook * update comment * go mod vendor * unit test * use smokescreenctx in acceptresponsehandler * fix unit tests * Export SmokescreenContext type (stripe#200) * export SmokescreenContext type * also export AclDecision * ResolvedAddr too * consistent caps * Update pkg/smokescreen/smokescreen.go Co-authored-by: jjiang-stripe <55402658+jjiang-stripe@users.noreply.github.com> * export Decision --------- Co-authored-by: jjiang-stripe <55402658+jjiang-stripe@users.noreply.github.com> * generate new test pki (stripe#206) * allow listen address specification for prom (stripe#203) * Bump golang.org/x/net from 0.7.0 to 0.17.0 (stripe#204) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.17.0. - [Commits](golang/net@v0.7.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * bump go versions (stripe#207) * update dependency * configure addr in smokescreen and add unit test * use fmt * try this workaround * variable name change * Update docs to disambiguate ACL vs --deny-address behavior (stripe#210) * update docs to clarify how IP filtering works * fix fields bug * remove extra field setting * trigger build * Add support for Smokescreen -> HTTPS CONNECT Proxy ACLs (stripe#213) * Introduce CONNECT Proxy URL ACL Support Add gitignore debug changes WIP Basic concept working WIP Cleaned up some things prereview fixed tests Removed extraneous yaml file Add correctly failing test tmp WIP WIP WIP WIP WIP WIP * WIP * WIP * PR feedback 1 * Fixed tests * testing again * WIP * Added extra test * Bump goproxy version to incorporate CONNECT proxy header changes * WIP * Bump google.golang.org/protobuf from 1.28.1 to 1.33.0 (stripe#216) Bumps google.golang.org/protobuf from 1.28.1 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add support for username / password auth in URLs to external CONNECT proxies (stripe#222) * Add support for UN / PW Auth for External CONNECT Proxies * Fixed naming of log line * PR feedback * Debug commit * Removing modifications of vendor-ed code * Removed debug * Removed missed cruft * Fixed bug with env var proxy arg * Add failure kind * update goproxy version to master commit * Ensure proxy passed in X-Upstream-Https-Proxy is parsable * Update Github build workflows (stripe#228) Co-authored-by: Harold Simpson <harold@stripe.com> * Use goveralls parallel build * go get -d github.com/stripe/goproxy@latest && go mod vendor * Add MITM support to Smokescreen * Use MitmTLSConfig in the config instead of MitmCa * PR feedback + remove CloseIdleConnections * Refactor allowed_domains_mitm to mitm_domains * Rename ValidateRule * Add Support for Reject Handler with Context * Update comment * Block smokescreen init incase of invalid config * fix: fix slice init length * Remove duplicate validation * Make SmokeScreen Fields Public * Revert Role fixes * Revert Role fixes * Update goproxy version to v0.0.0-20241017101008-e12ef0653f22 (stripe#235) * Adding [allow|deny]_addresses settings to yaml config file * Update goproxy version to v0.0.0-20241022131412-58117846327a (stripe#238) * Ignore goveralls --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: JulesD <JulesDT@users.noreply.github.com> Co-authored-by: Josh McConnell <josh.mcconnell465@gmail.com> Co-authored-by: Kevin Vincent <kevinv@stripe.com> Co-authored-by: kevinv-stripe <102822342+kevinv-stripe@users.noreply.github.com> Co-authored-by: Sergey Rud <sergeyrud@stripe.com> Co-authored-by: cmoresco-stripe <106690468+cmoresco-stripe@users.noreply.github.com> Co-authored-by: Craig Shannon <cds@stripe.com> Co-authored-by: jjiang-stripe <55402658+jjiang-stripe@users.noreply.github.com> Co-authored-by: Timofey Bakunin <36561672+ne-bknn@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Yuxi Xie <xieyuxi@stripe.com> Co-authored-by: xieyuxi-stripe <141708814+xieyuxi-stripe@users.noreply.github.com> Co-authored-by: Jessica Jiang <jjiang@stripe.com> Co-authored-by: pspieker-stripe <40726826+pspieker-stripe@users.noreply.github.com> Co-authored-by: Patrick Spieker <pspieker@stripe.com> Co-authored-by: Gautham Warrier <gauthamw@stripe.com> Co-authored-by: gauthamw-stripe <109298754+gauthamw-stripe@users.noreply.github.com> Co-authored-by: harold-stripe <49162741+harold-stripe@users.noreply.github.com> Co-authored-by: Harold Simpson <harold@stripe.com> Co-authored-by: Saurabh Bhatia <saurabhbhatia@stripe.com> Co-authored-by: cui fliter <imcusg@gmail.com> Co-authored-by: Bryan Eastes <eastebry@users.noreply.github.com>
amber-higgins
added a commit
to intercom/smokescreen
that referenced
this pull request
Jan 27, 2025
* add a custom interface for the resolver instead of forcing *net.Resolver (stripe#187) * feature/add prometheus metrics (stripe#179) * STORY-25143 - Add prometheus metrics to smokescreen * STORY-25143 - Cleanup * STORY-25143 - Fix tests to compare new metric labels * STORY-25143 - Host prometheus endpoint on separate port * STORY-25143 - Use value provided via command line flag * STORY-25143 - Add prometheus timing metrics * STORY-25143 - Fix nil map assignment and prometheus metric name sanitisation * STORY-25143 - Cleanup comments * STORY-25143 - Remove some repetition + add further unit testing * STORY-25143 - Document new prometheus features in README + add port flag to prometheus config * STORY-25143 - Make PR requested changes: * Don't export metrics list * Follow project sytlistic choices * STORY-25143 - Rename only one receiver * STORY-25143 - Add new `--expose-prometheus-metrics` flag to CLI to toggle exposing prometheus metrics * Small cleanup of timer metrics * Fix go module vendoring * Use ElementsMatch to ignore order * Just use require * Move the custom request handler call after the main acl check * Use local server instead of httpbin (stripe#192) * Do not return a denyError for DNS resolution failures (stripe#194) * dont return denial errors for dns resolution failures * fix test * move DNSError check into net.Error assertion, extend test * fix integration test * add AcceptResponseHandler to modify accepted responses (stripe#196) * add AcceptResponseHandler to modify accepted responses * customer->custom * Update docs to clarify global_deny_list (stripe#197) * update docs to clarify global_deny_list behavior * consistent example domain * be more concise * Use AcceptResponseHandler in goproxy https CONNECT hook (stripe#199) * pipe AcceptResponseHandler into new goproxy hook * update comment * go mod vendor * unit test * use smokescreenctx in acceptresponsehandler * fix unit tests * Export SmokescreenContext type (stripe#200) * export SmokescreenContext type * also export AclDecision * ResolvedAddr too * consistent caps * Update pkg/smokescreen/smokescreen.go Co-authored-by: jjiang-stripe <55402658+jjiang-stripe@users.noreply.github.com> * export Decision --------- Co-authored-by: jjiang-stripe <55402658+jjiang-stripe@users.noreply.github.com> * generate new test pki (stripe#206) * allow listen address specification for prom (stripe#203) * Bump golang.org/x/net from 0.7.0 to 0.17.0 (stripe#204) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.7.0 to 0.17.0. - [Commits](golang/net@v0.7.0...v0.17.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * bump go versions (stripe#207) * update dependency * configure addr in smokescreen and add unit test * use fmt * try this workaround * variable name change * Update docs to disambiguate ACL vs --deny-address behavior (stripe#210) * update docs to clarify how IP filtering works * fix fields bug * remove extra field setting * trigger build * Add support for Smokescreen -> HTTPS CONNECT Proxy ACLs (stripe#213) * Introduce CONNECT Proxy URL ACL Support Add gitignore debug changes WIP Basic concept working WIP Cleaned up some things prereview fixed tests Removed extraneous yaml file Add correctly failing test tmp WIP WIP WIP WIP WIP WIP * WIP * WIP * PR feedback 1 * Fixed tests * testing again * WIP * Added extra test * Bump goproxy version to incorporate CONNECT proxy header changes * WIP * Bump google.golang.org/protobuf from 1.28.1 to 1.33.0 (stripe#216) Bumps google.golang.org/protobuf from 1.28.1 to 1.33.0. --- updated-dependencies: - dependency-name: google.golang.org/protobuf dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add support for username / password auth in URLs to external CONNECT proxies (stripe#222) * Add support for UN / PW Auth for External CONNECT Proxies * Fixed naming of log line * PR feedback * Debug commit * Removing modifications of vendor-ed code * Removed debug * Removed missed cruft * Fixed bug with env var proxy arg * Add failure kind * update goproxy version to master commit * Ensure proxy passed in X-Upstream-Https-Proxy is parsable * Update Github build workflows (stripe#228) Co-authored-by: Harold Simpson <harold@stripe.com> * Use goveralls parallel build * go get -d github.com/stripe/goproxy@latest && go mod vendor * Add MITM support to Smokescreen * Use MitmTLSConfig in the config instead of MitmCa * PR feedback + remove CloseIdleConnections * Refactor allowed_domains_mitm to mitm_domains * Rename ValidateRule * Add Support for Reject Handler with Context * Update comment * Block smokescreen init incase of invalid config * fix: fix slice init length * Remove duplicate validation * Make SmokeScreen Fields Public * Revert Role fixes * Revert Role fixes * Update goproxy version to v0.0.0-20241017101008-e12ef0653f22 (stripe#235) * Adding [allow|deny]_addresses settings to yaml config file * Update goproxy version to v0.0.0-20241022131412-58117846327a (stripe#238) --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: JulesD <JulesDT@users.noreply.github.com> Co-authored-by: Josh McConnell <josh.mcconnell465@gmail.com> Co-authored-by: Kevin Vincent <kevinv@stripe.com> Co-authored-by: kevinv-stripe <102822342+kevinv-stripe@users.noreply.github.com> Co-authored-by: Sergey Rud <sergeyrud@stripe.com> Co-authored-by: cmoresco-stripe <106690468+cmoresco-stripe@users.noreply.github.com> Co-authored-by: Craig Shannon <cds@stripe.com> Co-authored-by: jjiang-stripe <55402658+jjiang-stripe@users.noreply.github.com> Co-authored-by: Timofey Bakunin <36561672+ne-bknn@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Yuxi Xie <xieyuxi@stripe.com> Co-authored-by: xieyuxi-stripe <141708814+xieyuxi-stripe@users.noreply.github.com> Co-authored-by: Jessica Jiang <jjiang@stripe.com> Co-authored-by: pspieker-stripe <40726826+pspieker-stripe@users.noreply.github.com> Co-authored-by: Patrick Spieker <pspieker@stripe.com> Co-authored-by: Gautham Warrier <gauthamw@stripe.com> Co-authored-by: gauthamw-stripe <109298754+gauthamw-stripe@users.noreply.github.com> Co-authored-by: harold-stripe <49162741+harold-stripe@users.noreply.github.com> Co-authored-by: Harold Simpson <harold@stripe.com> Co-authored-by: Saurabh Bhatia <saurabhbhatia@stripe.com> Co-authored-by: cui fliter <imcusg@gmail.com> Co-authored-by: Bryan Eastes <eastebry@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We want to be able to talk to an external-to-Stripe HTTPS CONNECT proxy. We'd also like to default block traffic going to any external-to-Stripe HTTPS CONNECT proxy, unless it's on a given allow list (basically a CONNECT proxy URL ACL).
This PR adds support for such an allow list in smokescreen.
Testing via: