This repository has been archived by the owner on Jan 27, 2025. It is now read-only.

Sync with upstream #10

Merged
merged 62 commits into from
Jan 27, 2025
7c83eff
add a custom interface for the resolver instead of forcing *net.Resol…
JulesDT Apr 14, 2023
65b5bdb
feature/add prometheus metrics (#179)
jmcconnell26 May 19, 2023
aa75ca1
Use ElementsMatch to ignore order
kevinv-stripe May 24, 2023
31f4a3c
Just use require
kevinv-stripe May 24, 2023
c227b0d
Merge pull request #190 from stripe/kevinv/fix-test-map-keys
kevinv-stripe May 24, 2023
445d0d6
Move the custom request handler call after the main acl check
sergeyrud-stripe May 24, 2023
8dd3072
Merge pull request #189 from stripe/sergeyrud-move-custom-request-han…
kevinv-stripe May 31, 2023
604044b
Use local server instead of httpbin (#192)
cmoresco-stripe Jun 23, 2023
81a59fd
Do not return a denyError for DNS resolution failures (#194)
cds2-stripe Jul 13, 2023
6f13b30
add AcceptResponseHandler to modify accepted responses (#196)
cmoresco-stripe Jul 26, 2023
14a7af2
Update docs to clarify global_deny_list (#197)
cmoresco-stripe Jul 27, 2023
48069eb
Use AcceptResponseHandler in goproxy https CONNECT hook (#199)
cmoresco-stripe Aug 3, 2023
c86310d
Export SmokescreenContext type (#200)
cmoresco-stripe Aug 4, 2023
4bc8d89
generate new test pki (#206)
cds2-stripe Nov 7, 2023
d4766a6
allow listen address specification for prom (#203)
ne-bknn Nov 8, 2023
8cceb4f
Bump golang.org/x/net from 0.7.0 to 0.17.0 (#204)
dependabot[bot] Nov 8, 2023
997578a
bump go versions (#207)
cds2-stripe Nov 8, 2023
1a9dea7
update dependency
xieyuxi-stripe Nov 13, 2023
df2fa89
configure addr in smokescreen and add unit test
xieyuxi-stripe Nov 13, 2023
3f8bcc3
use fmt
xieyuxi-stripe Nov 14, 2023
413045a
try this workaround
xieyuxi-stripe Nov 14, 2023
892f9cb
variable name change
xieyuxi-stripe Nov 14, 2023
4cae3b1
Merge pull request #208 from stripe/xieyuxi-configurable-proxy-addrs
xieyuxi-stripe Nov 15, 2023
8c0fa26
Update docs to disambiguate ACL vs --deny-address behavior (#210)
cmoresco-stripe Dec 1, 2023
2457d2f
fix fields bug
jjiang-stripe Aug 4, 2023
bc280e3
remove extra field setting
jjiang-stripe Aug 4, 2023
24ee0c8
trigger build
jjiang-stripe Feb 15, 2024
fbd1ea7
Merge pull request #201 from stripe/jjiang/fix-logging-addrs
jjiang-stripe Feb 15, 2024
5c3d435
Add support for Smokescreen -> HTTPS CONNECT Proxy ACLs (#213)
pspieker-stripe Feb 16, 2024
3e74045
Bump goproxy version to incorporate CONNECT proxy header changes
pspieker-stripe Feb 16, 2024
44dbbfa
WIP
pspieker-stripe Feb 16, 2024
065ad0e
Merge pull request #215 from stripe/bump-gp-version
pspieker-stripe Feb 16, 2024
eb1ac09
Bump google.golang.org/protobuf from 1.28.1 to 1.33.0 (#216)
dependabot[bot] Apr 23, 2024
85c4c64
Add support for username / password auth in URLs to external CONNECT …
pspieker-stripe Jul 11, 2024
d593d0e
Ensure proxy passed in X-Upstream-Https-Proxy is parsable
gauthamw-stripe Sep 4, 2024
149b19d
Merge pull request #224 from stripe/gauthamw/https-proxy
gauthamw-stripe Sep 4, 2024
ac11203
Update Github build workflows (#228)
harold-stripe Sep 17, 2024
1477610
Use goveralls parallel build
harold-s Sep 17, 2024
735a6e8
Merge pull request #229 from stripe/harold/goveralls-build
harold-stripe Sep 17, 2024
506e362
go get -d github.com/stripe/goproxy@latest && go mod vendor
harold-s Sep 9, 2024
734c343
Add MITM support to Smokescreen
harold-s Sep 10, 2024
4e1b3e2
Use MitmTLSConfig in the config instead of MitmCa
harold-s Sep 12, 2024
ddde90f
PR feedback + remove CloseIdleConnections
harold-s Sep 13, 2024
92537ef
Refactor allowed_domains_mitm to mitm_domains
harold-s Sep 17, 2024
4cf6e0b
Rename ValidateRule
harold-s Sep 17, 2024
dab4bde
Merge pull request #225 from stripe/harold/mitm_support
harold-stripe Sep 17, 2024
3713647
Add Support for Reject Handler with Context
saurabhbhatia-stripe Oct 3, 2024
0c4798d
Update comment
saurabhbhatia-stripe Oct 4, 2024
b3a45df
Block smokescreen init incase of invalid config
saurabhbhatia-stripe Oct 4, 2024
97f1857
fix: fix slice init length
cuishuang Oct 4, 2024
04ce070
Remove duplicate validation
saurabhbhatia-stripe Oct 8, 2024
f6f8191
Merge pull request #232 from stripe/saurabhbhatia/add-reject-handler
saurabhbhatia-stripe Oct 8, 2024
bc38d13
Make SmokeScreen Fields Public
saurabhbhatia-stripe Oct 10, 2024
a6b1a34
Revert Role fixes
saurabhbhatia-stripe Oct 10, 2024
c75cffb
Revert Role fixes
saurabhbhatia-stripe Oct 10, 2024
688e70b
Merge pull request #234 from stripe/saurabhbhatia/smokescreen-ctx-cha…
saurabhbhatia-stripe Oct 11, 2024
9556eb9
Update goproxy version to v0.0.0-20241017101008-e12ef0653f22 (#235)
saurabhbhatia-stripe Oct 17, 2024
5b0cc7a
Adding [allow|deny]_addresses settings to yaml config file
eastebry Oct 18, 2024
523d927
Update goproxy version to v0.0.0-20241022131412-58117846327a (#238)
saurabhbhatia-stripe Oct 23, 2024
1c315f8
Merge pull request #237 from eastebry/master
jjiang-stripe Nov 4, 2024
bffe947
Merge pull request #233 from cuishuang/master
jjiang-stripe Nov 4, 2024
70f927d
Ignore goveralls
amber-higgins Jan 27, 2025
Block smokescreen init incase of invalid config
saurabhbhatia-stripe committed Oct 4, 2024
commit b3a45dfb4b0b0fb6ba5a7b610fd1ef6b4ddf9616
9 changes: 9 additions & 0 deletions pkg/smokescreen/config.go
@@ -85,9 +85,11 @@ type Config struct {
ProxyDialTimeout func(ctx context.Context, network, address string, timeout time.Duration) (net.Conn, error)

// Custom handler to allow clients to modify reject responses
// Deprecated: RejectResponseHandler is deprecated.Please use RejectResponseHandlerWithCtx instead.
RejectResponseHandler func(*http.Response)

// Custom handler to allow clients to modify reject responses
// In case RejectResponseHandler is set, this cannot be used.
RejectResponseHandlerWithCtx func(*SmokescreenContext, *http.Response)

// Custom handler to allow clients to modify successful CONNECT responses
@@ -421,6 +423,13 @@ func (config *Config) SetupTls(certFile, keyFile string, clientCAFiles []string)
return nil
}

func (config *Config) Validate() error {
if config.RejectResponseHandler != nil && config.RejectResponseHandlerWithCtx != nil {
return errors.New("RejectResponseHandler and RejectResponseHandlerWithCtx cannot be used together")
}
return nil
}

func (config *Config) populateClientCaMap(pemCerts []byte) (ok bool) {

for len(pemCerts) > 0 {
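Review bot: The `Deprecated:` line on RejectResponseHandler sits in the middle of a comment paragraph, so gopls and staticcheck will not flag uses of the field; Go tooling only recognises the marker at the start of a paragraph. Put an empty `//` line before it and add the missing space, e.g. `// Deprecated: use RejectResponseHandlerWithCtx instead.`. The exported `Validate` method in the second hunk has no doc comment; `// Validate reports an error when both RejectResponseHandler and RejectResponseHandlerWithCtx are set.` would tell embedders what it checks. As far as this commit shows, Validate is only called from StartWithConfig, so a caller that builds a proxy from a Config some other way would presumably have to call it itself, which that comment should say.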
11 changes: 10 additions & 1 deletion pkg/smokescreen/smokescreen.go
@@ -736,9 +736,14 @@ func findListener(ip string, defaultPort uint16) (net.Listener, error) {

func StartWithConfig(config *Config, quit <-chan interface{}) {
config.Log.Println("starting")
var err error

if err = config.Validate(); err != nil {
config.Log.Fatal("invalid config", err)
}

proxy := BuildProxy(config)
listener := config.Listener
var err error

if listener == nil {
listener, err = findListener(config.Ip, config.Port)
@@ -782,6 +787,10 @@ func StartWithConfig(config *Config, quit <-chan interface{}) {
server.IdleTimeout = config.IdleTimeout
}

if config.RejectResponseHandler != nil && config.RejectResponseHandlerWithCtx != nil {
config.Log.Fatal("RejectResponseHandler and RejectResponseHandlerWithCtx cannot be set simultaneously")
}

config.MetricsClient.SetStarted()
config.ShuttingDown.Store(false)
runServer(config, &server, listener, quit)
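Review bot: `config.Log.Fatal("invalid config", err)` in the first hunk will most likely print the two operands run together, since Print-style logging calls add a space between operands only when neither is a string. `config.Log.Fatalf("invalid config: %v", err)` keeps the reason readable for whoever has to diagnose a proxy that refuses to start. The check in the second hunk (`if config.RejectResponseHandler != nil && config.RejectResponseHandlerWithCtx != nil`) repeats what Validate already enforced at the top of StartWithConfig and, assuming Log.Fatal exits the process, appears unreachable; drop it so the rule and its message live in one place. StartWithConfig's body continues outside both hunks.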
32 changes: 32 additions & 0 deletions pkg/smokescreen/smokescreen_test.go
@@ -1535,6 +1535,38 @@ func TestMitm(t *testing.T) {
})
}

func TestConfigValidate(t *testing.T) {
t.Run("Test invalid config", func(t *testing.T) {
conf := NewConfig()
conf.ConnectTimeout = 10 * time.Second
conf.ExitTimeout = 10 * time.Second
conf.AdditionalErrorMessageOnDeny = "Proxy denied"
conf.RejectResponseHandlerWithCtx = func(smokescreenContext *SmokescreenContext, response *http.Response) {
fmt.Println("RejectResponseHandlerWithCtx")
}
conf.RejectResponseHandler = func(response *http.Response) {
fmt.Println("RejectResponseHandler")
}
err := conf.Validate()
require.Error(t, err)

})

t.Run("Test valid config", func(t *testing.T) {
conf := NewConfig()
conf.ConnectTimeout = 10 * time.Second
conf.ExitTimeout = 10 * time.Second
conf.AdditionalErrorMessageOnDeny = "Proxy denied"

conf.RejectResponseHandler = func(response *http.Response) {
fmt.Println("RejectResponseHandler")
}
err := conf.Validate()
require.NoError(t, err)

})
}

func findCanonicalProxyDecision(logs []*logrus.Entry) *logrus.Entry {
for _, entry := range logs {
if entry.Message == CanonicalProxyDecision {
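Review bot: The "Test valid config" case only sets the deprecated RejectResponseHandler, so nothing checks that a config with only RejectResponseHandlerWithCtx, or with neither handler, passes Validate. Add those cases (a small table over the four handler combinations would cover them) and assert on the error text in the invalid case, e.g. `require.ErrorContains(t, err, "cannot be used together")`, so that an unrelated validation failure added later cannot satisfy the test. The ConnectTimeout, ExitTimeout and AdditionalErrorMessageOnDeny assignments do not affect the Validate body shown in this commit and could be dropped.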