@@ -2756,6 +2756,7 @@ func applyQUICFabricConfigIfChanged(ctx context.Context, cfg config.Config, iden
|
||||
log.Printf("fabric_quic_reverse_event=%s", string(payload))
|
||||
},
|
||||
)
|
||||
meshState.VPNFabricQUICTransport.SetInboundFabricControlHandler(fabricControlForwardHandler(client.New(cfg.BackendURL)))
|
||||
}
|
||||
desiredAddr := strings.TrimSpace(cfg.MeshQUICFabricListenAddr)
|
||||
desiredKey := quicFabricConfigKey(cfg)
|
||||
@@ -2775,7 +2776,7 @@ func applyQUICFabricConfigIfChanged(ctx context.Context, cfg config.Config, iden
|
||||
if meshState.QUICFabricServer != nil {
|
||||
return
|
||||
}
|
||||
server, addr, certSHA256, err := startQUICFabricEndpoint(ctx, cfg, identity, meshState.VPNFabricQUICTransport, vpnFabricFrameHandlerFromMeshState(meshState), productionForwardHandlerFromMeshState(identity, meshState), webIngressForwardHandlerFromConfig(cfg, identity, client.New(cfg.BackendURL)), syntheticForwardHandlerFromMeshState(meshState))
|
||||
server, addr, certSHA256, err := startQUICFabricEndpoint(ctx, cfg, identity, meshState.VPNFabricQUICTransport, vpnFabricFrameHandlerFromMeshState(meshState), productionForwardHandlerFromMeshState(identity, meshState), webIngressForwardHandlerFromConfig(cfg, identity, client.New(cfg.BackendURL)), fabricControlForwardHandler(client.New(cfg.BackendURL)), syntheticForwardHandlerFromMeshState(meshState))
|
||||
meshState.QUICFabricServer = server
|
||||
meshState.QUICFabricConfiguredKey = desiredKey
|
||||
meshState.QUICFabricConfiguredListenAddr = desiredAddr
|
||||
@@ -2823,6 +2824,50 @@ func webIngressForwardHandlerFromConfig(cfg config.Config, identity state.Identi
|
||||
return receiver.Receive
|
||||
}
|
||||
|
||||
func fabricControlForwardHandler(api *client.Client) func(context.Context, []byte) ([]byte, error) {
|
||||
return func(ctx context.Context, payload []byte) ([]byte, error) {
|
||||
if api == nil {
|
||||
return nil, fmt.Errorf("fabric control api is not configured")
|
||||
}
|
||||
var req client.RawControlRequest
|
||||
if err := json.Unmarshal(payload, &req); err != nil {
|
||||
return nil, fmt.Errorf("invalid fabric control request")
|
||||
}
|
||||
if !fabricControlPathAllowed(req.Method, req.Path) {
|
||||
return nil, fmt.Errorf("fabric control path is not allowed")
|
||||
}
|
||||
resp, err := api.RawControl(ctx, req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return json.Marshal(resp)
|
||||
}
|
||||
}
|
||||
|
||||
func fabricControlPathAllowed(method, path string) bool {
|
||||
method = strings.ToUpper(strings.TrimSpace(method))
|
||||
path = strings.TrimSpace(path)
|
||||
if !strings.HasPrefix(path, "/") || strings.Contains(path, "://") || strings.Contains(path, "..") {
|
||||
return false
|
||||
}
|
||||
if method == "" {
|
||||
method = http.MethodGet
|
||||
}
|
||||
if method == http.MethodPost && (path == "/auth/login" || path == "/auth/refresh") {
|
||||
return true
|
||||
}
|
||||
if method == http.MethodGet && strings.HasPrefix(path, "/organizations/") {
|
||||
return true
|
||||
}
|
||||
if method == http.MethodGet && strings.Contains(path, "/vpn/client-profile") && strings.HasPrefix(path, "/clusters/") {
|
||||
return true
|
||||
}
|
||||
if strings.Contains(path, "/vpn/client-diagnostics/") && strings.HasPrefix(path, "/clusters/") {
|
||||
return method == http.MethodGet || method == http.MethodPost
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func webIngressRuntimeServiceClassesFromConfig(cfg config.Config) []string {
|
||||
serviceClasses := strings.Split(strings.TrimSpace(cfg.WebIngressRuntimeServiceClasses), ",")
|
||||
out := make([]string, 0, len(serviceClasses))
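Review bot: fabricControlPathAllowed checks a trimmed, upper-cased copy of req.Method and a trimmed copy of req.Path, but the untouched req is what api.RawControl receives, so the value validated against the allowlist is not the value forwarded (a method of ` post ` passes as POST yet is sent verbatim). Normalize on the request before the check and forward that: `req.Method = strings.ToUpper(strings.TrimSpace(req.Method))` and `req.Path = strings.TrimSpace(req.Path)`, then call `fabricControlPathAllowed(req.Method, req.Path)`. The `..` and `://` substring checks do not cover percent-encoded forms or a query string, so whether they hold depends on how RawControl builds the URL; comparing a cleaned path instead would make the allowlist independent of that (note the `path` parameter shadows the `path` package inside fabricControlPathAllowed, so the cleaning belongs in the caller or the parameter needs renaming). Since the allowlist lets a fabric peer reach POST /auth/login and /auth/refresh through this node, logging method and path at the forwarding point would make those requests attributable. Both new functions lack doc comments; something like `// fabricControlPathAllowed reports whether a fabric control request for method and path may be forwarded to the backend.` would help.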
|
||||
|
||||