Prevent wildcard destinations for proxies and upstreams

4 years ago · 77ead5cca9
3 changed files with 36 additions and 0 deletions
--- a/agent/structs/connect_proxy_config.go
+++ b/agent/structs/connect_proxy_config.go
@ -333,6 +333,9 @@ func (u *Upstream) Validate() error {
 	if u.DestinationName == "" {
 		return fmt.Errorf("upstream destination name cannot be empty")
 	}
+	if u.DestinationName == WildcardSpecifier && !u.CentrallyConfigured {
+		return fmt.Errorf("upstream destination name cannot be a wildcard")
+	}

 	if u.LocalBindPort == 0 && !u.CentrallyConfigured {
 		return fmt.Errorf("upstream local bind port cannot be zero")
--- a/agent/structs/structs.go
+++ b/agent/structs/structs.go
@ -1153,6 +1153,11 @@ func (s *NodeService) Validate() error {
 				"Proxy.DestinationServiceName must be non-empty for Connect proxy "+
 					"services"))
 		}
+		if strings.TrimSpace(s.Proxy.DestinationServiceName) == WildcardSpecifier {
+			result = multierror.Append(result, fmt.Errorf(
+				"Proxy.DestinationServiceName must not be a wildcard for Connect proxy "+
+					"services"))
+		}

 		if s.Port == 0 {
 			result = multierror.Append(result, fmt.Errorf(
--- a/agent/structs/structs_test.go
+++ b/agent/structs/structs_test.go
@ -648,6 +648,12 @@ func TestStructs_NodeService_ValidateConnectProxy(t *testing.T) {
 			"Proxy.DestinationServiceName must be",
 		},

+		{
+			"connect-proxy: wildcard Proxy.DestinationServiceName",
+			func(x *NodeService) { x.Proxy.DestinationServiceName = "*" },
+			"Proxy.DestinationServiceName must not be",
+		},
+
 		{
 			"connect-proxy: valid Proxy.DestinationServiceName",
 			func(x *NodeService) { x.Proxy.DestinationServiceName = "hello" },
@ -697,6 +703,28 @@ func TestStructs_NodeService_ValidateConnectProxy(t *testing.T) {
 			},
 			"upstream destination name cannot be empty",
 		},
+		{
+			"connect-proxy: upstream wildcard name",
+			func(x *NodeService) {
+				x.Proxy.Upstreams = Upstreams{{
+					DestinationType: UpstreamDestTypeService,
+					DestinationName: WildcardSpecifier,
+					LocalBindPort:   5000,
+				}}
+			},
+			"upstream destination name cannot be a wildcard",
+		},
+		{
+			"connect-proxy: upstream can have wildcard name when centrally configured",
+			func(x *NodeService) {
+				x.Proxy.Upstreams = Upstreams{{
+					DestinationType:     UpstreamDestTypeService,
+					DestinationName:     WildcardSpecifier,
+					CentrallyConfigured: true,
+				}}
+			},
+			"",
+		},
 		{
 			"connect-proxy: upstream empty bind port",
 			func(x *NodeService) {