From 77ead5cca9c92ba0821367ca78252bc1c212f51f Mon Sep 17 00:00:00 2001
From: freddygv
Date: Fri, 19 Mar 2021 20:56:02 -0600
Subject: [PATCH] Prevent wildcard destinations for proxies and upstreams
---
 agent/structs/connect_proxy_config.go | 3 +++
 agent/structs/structs.go | 5 +++++
 agent/structs/structs_test.go | 28 +++++++++++++++++++++++++++
 3 files changed, 36 insertions(+)
diff --git a/agent/structs/connect_proxy_config.go b/agent/structs/connect_proxy_config.go
index 98ede38c55..2cf920a743 100644
--- a/agent/structs/connect_proxy_config.go
+++ b/agent/structs/connect_proxy_config.go
@@ -333,6 +333,9 @@ func (u *Upstream) Validate() error {
 if u.DestinationName == "" {
 return fmt.Errorf("upstream destination name cannot be empty")
 }
+ if u.DestinationName == WildcardSpecifier && !u.CentrallyConfigured {
+ return fmt.Errorf("upstream destination name cannot be a wildcard")
+ }
 if u.LocalBindPort == 0 && !u.CentrallyConfigured {
 return fmt.Errorf("upstream local bind port cannot be zero")
diff --git a/agent/structs/structs.go b/agent/structs/structs.go
index 9c8dee49fb..55f5e68751 100644
--- a/agent/structs/structs.go
+++ b/agent/structs/structs.go
@@ -1153,6 +1153,11 @@ func (s *NodeService) Validate() error {
 "Proxy.DestinationServiceName must be non-empty for Connect proxy "+
 "services"))
 }
+ if strings.TrimSpace(s.Proxy.DestinationServiceName) == WildcardSpecifier {
+ result = multierror.Append(result, fmt.Errorf(
+ "Proxy.DestinationServiceName must not be a wildcard for Connect proxy "+
+ "services"))
+ }
 if s.Port == 0 {
 result = multierror.Append(result, fmt.Errorf(
diff --git a/agent/structs/structs_test.go b/agent/structs/structs_test.go
index 05b75f07ea..e340db2c76 100644
--- a/agent/structs/structs_test.go
+++ b/agent/structs/structs_test.go
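Review bot: In agent/structs/connect_proxy_config.go the new wildcard guard in Upstream.Validate is skipped whenever `u.CentrallyConfigured` is true, so the restriction is only as strong as the control over who sets that field. The hunk does not show where the flag is populated; if it can be decoded from a service registration, the check can be switched off by the same input it validates, so it is worth confirming the field is set only internally. If that is the intent, a comment above the `if` would record it, for example `// Wildcard names are accepted only on upstreams marked CentrallyConfigured, never on user-supplied ones.` Validate begins and continues outside this hunk.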
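Review bot: In agent/structs/structs.go the NodeService.Validate check trims the name before comparing, while the Upstream.Validate check added in agent/structs/connect_proxy_config.go compares `u.DestinationName` exactly, so a whitespace-padded `*` is rejected for the proxy destination but accepted for an upstream. Whether a padded value is later treated as a wildcard is not visible here, but the two validators should agree; the upstream side could use `strings.TrimSpace(u.DestinationName) == WildcardSpecifier`, provided `strings` is imported in that file. Only the comparison is trimmed, so the stored field keeps its whitespace. The enclosing function extends beyond the hunk on both sides.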
@@ -648,6 +648,12 @@ func TestStructs_NodeService_ValidateConnectProxy(t *testing.T) {
 "Proxy.DestinationServiceName must be",
 },
+ {
+ "connect-proxy: wildcard Proxy.DestinationServiceName",
+ func(x *NodeService) { x.Proxy.DestinationServiceName = "*" },
+ "Proxy.DestinationServiceName must not be",
+ },
+
 {
 "connect-proxy: valid Proxy.DestinationServiceName",
 func(x *NodeService) { x.Proxy.DestinationServiceName = "hello" },
@@ -697,6 +703,28 @@ func TestStructs_NodeService_ValidateConnectProxy(t *testing.T) {
 },
 "upstream destination name cannot be empty",
 },
+ {
+ "connect-proxy: upstream wildcard name",
+ func(x *NodeService) {
+ x.Proxy.Upstreams = Upstreams{{
+ DestinationType: UpstreamDestTypeService,
+ DestinationName: WildcardSpecifier,
+ LocalBindPort: 5000,
+ }}
+ },
+ "upstream destination name cannot be a wildcard",
+ },
+ {
+ "connect-proxy: upstream can have wildcard name when centrally configured",
+ func(x *NodeService) {
+ x.Proxy.Upstreams = Upstreams{{
+ DestinationType: UpstreamDestTypeService,
+ DestinationName: WildcardSpecifier,
+ CentrallyConfigured: true,
+ }}
+ },
+ "",
+ },
 {
 "connect-proxy: upstream empty bind port",
 func(x *NodeService) {
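Review bot: The new table entry in the first hunk of TestStructs_NodeService_ValidateConnectProxy covers only the exact value `"*"`, although the validator it exercises compares after `strings.TrimSpace`. A second entry with `x.Proxy.DestinationServiceName = " * "` and the same expected substring would pin the trimming behaviour so it cannot be dropped unnoticed. The test function starts and ends outside the hunk.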
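Review bot: Both new upstream cases in the second hunk set `DestinationType: UpstreamDestTypeService`, so nothing pins how a wildcard name is handled for other destination types, and the visible part of the new check in Upstream.Validate does not look at the type. Adding a case with `DestinationType: UpstreamDestTypePreparedQuery` and `DestinationName: WildcardSpecifier` would make the intended result explicit. The success case omits `LocalBindPort` and passes only because `CentrallyConfigured: true` also suppresses the bind-port check, which a short comment on that entry would make clear.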