Public sync

CONTRIBUTING.md

@@ -23,7 +23,7 @@ the change with the owners before investing a lot of time coding. The process
 could be:
 
 1. Open an issue explaining the improvment or fix you want to add
-2. [Fork the project](https://github.com/luraproject/lura/fork_select)
+2. [Fork the project](https://github.com/luraproject/lura/fork)
 3. Code it in your fork
 4. Submit a [pull request](https://help.github.com/articles/creating-a-pull-request) referencing the issue
 

README.md

@@ -7,7 +7,7 @@
 ![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3151/badge)
 ![Docker Pulls](https://img.shields.io/docker/pulls/devopsfaith/krakend.svg)
 [![Slack Widget](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true&logo=slack&colorB=red)](https://gophers.slack.com/messages/lura)
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fluraproject%2Flura.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fluraproject%2Flura?ref=badge_shield)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fluraproject%2Flura.svg?type=shield&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Fluraproject%2Flura?ref=badge_shield&issueType=license)
 
 
 An open framework to assemble ultra performance API Gateways with middlewares; formerly known as _KrakenD framework_, and core service of the [KrakenD API Gateway](http://www.krakend.io).
@@ -124,4 +124,4 @@ Enjoy Lura!
 
 
 ## License
-[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fluraproject%2Flura.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fluraproject%2Flura?ref=badge_large)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fluraproject%2Flura.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fluraproject%2Flura?ref=badge_large)

config/config.go

@@ -11,6 +11,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/textproto"
 	"regexp"
@@ -56,6 +57,8 @@ type ServiceConfig struct {
 	Host []string `mapstructure:"host"`
 	// port to bind the lura service
 	Port int `mapstructure:"port"`
+	// address to listen
+	Address string `mapstructure:"listen_ip"`
 	// version code of the configuration
 	Version int `mapstructure:"version"`
 	// OutputEncoding defines the default encoding strategy to use for the endpoint responses
@@ -157,10 +160,13 @@ type ServiceConfig struct {
 	// the router layer
 	TLS *TLS `mapstructure:"tls"`
 
+	// UseH2C enables h2c support.
+	UseH2C bool `mapstructure:"use_h2c"`
+
 	// run lura in debug mode
 	Debug     bool `mapstructure:"debug_endpoint"`
 	Echo      bool `mapstructure:"echo_endpoint"`
-	uriParser URIParser
+	uriParser SafeURIParser
 
 	// SequentialStart flags if the agents should be started sequentially
 	// before starting the router
@@ -272,6 +278,8 @@ type Backend struct {
 	ExtraConfig ExtraConfig `mapstructure:"extra_config"`
 	// HeadersToPass defines the list of headers to pass to this backend
 	HeadersToPass []string `mapstructure:"input_headers"`
+	// QueryStringsToPass has the list of query string params to be sent to the backend
+	QueryStringsToPass []string `mapstructure:"input_query_strings"`
 }
 
 // Plugin contains the config required by the plugin module
@@ -297,13 +305,21 @@ type TLS struct {
 
 // ClientTLS defines the configuration params for an HTTP Client
 type ClientTLS struct {
-	AllowInsecureConnections bool     `mapstructure:"allow_insecure_connections"`
-	CaCerts                  []string `mapstructure:"ca_certs"`
-	DisableSystemCaPool      bool     `mapstructure:"disable_system_ca_pool"`
-	MinVersion               string   `mapstructure:"min_version"`
-	MaxVersion               string   `mapstructure:"max_version"`
-	CurvePreferences         []uint16 `mapstructure:"curve_preferences"`
-	CipherSuites             []uint16 `mapstructure:"cipher_suites"`
+	AllowInsecureConnections bool            `mapstructure:"allow_insecure_connections"`
+	CaCerts                  []string        `mapstructure:"ca_certs"`
+	DisableSystemCaPool      bool            `mapstructure:"disable_system_ca_pool"`
+	MinVersion               string          `mapstructure:"min_version"`
+	MaxVersion               string          `mapstructure:"max_version"`
+	CurvePreferences         []uint16        `mapstructure:"curve_preferences"`
+	CipherSuites             []uint16        `mapstructure:"cipher_suites"`
+	ClientCerts              []ClientTLSCert `mapstructure:"client_certs"`
+}
+
+// ClientTLSCert holds a certificate with its private key to be
+// used for mTLS against the backend services
+type ClientTLSCert struct {
+	Certificate string `mapstructure:"certificate"`
+	PrivateKey  string `mapstructure:"private_key"`
 }
 
 // ExtraConfig is a type to store extra configurations for customized behaviours
@@ -361,7 +377,7 @@ func (s *ServiceConfig) Hash() (string, error) {
 // Init also sanitizes the values, applies the default ones whenever necessary and
 // normalizes all the things.
 func (s *ServiceConfig) Init() error {
-	s.uriParser = NewURIParser()
+	s.uriParser = NewSafeURIParser()
 
 	if s.Version != ConfigVersion {
 		return &UnsupportedVersionError{
@@ -370,9 +386,13 @@ func (s *ServiceConfig) Init() error {
 		}
 	}
 
-	s.initGlobalParams()
+	if err := s.initGlobalParams(); err != nil {
+		return err
+	}
 
-	s.initAsyncAgents()
+	if err := s.initAsyncAgents(); err != nil {
+		return err
+	}
 
 	return s.initEndpoints()
 }
@@ -393,19 +413,31 @@ func (s *ServiceConfig) Normalize() {
 	}
 }
 
-func (s *ServiceConfig) initGlobalParams() {
+func (s *ServiceConfig) initGlobalParams() error {
 	if s.Port == 0 {
 		s.Port = defaultPort
 	}
+
+	if s.Address != "" {
+		if !validateAddress(s.Address) {
+			return fmt.Errorf("invalid ip address %s", s.Address)
+		}
+	}
+
 	if s.MaxIdleConnsPerHost == 0 {
 		s.MaxIdleConnsPerHost = DefaultMaxIdleConnsPerHost
 	}
 	if s.Timeout == 0 {
 		s.Timeout = DefaultTimeout
 	}
 
-	s.Host = s.uriParser.CleanHosts(s.Host)
+	var err error
+	s.Host, err = s.uriParser.SafeCleanHosts(s.Host)
+	if err != nil {
+		return err
+	}
 	s.ExtraConfig.sanitize()
+	return nil
 }
 
 func (s *ServiceConfig) initAsyncAgents() error {
@@ -418,7 +450,11 @@ func (s *ServiceConfig) initAsyncAgents() error {
 			if len(b.Host) == 0 {
 				b.Host = s.Host
 			} else if !b.HostSanitizationDisabled {
-				b.Host = s.uriParser.CleanHosts(b.Host)
+				var err error
+				b.Host, err = s.uriParser.SafeCleanHosts(b.Host)
+				if err != nil {
+					return err
+				}
 			}
 			if b.Method == "" {
 				b.Method = http.MethodGet
@@ -461,7 +497,9 @@ func (s *ServiceConfig) initEndpoints() error {
 		e.ExtraConfig.sanitize()
 
 		for j, b := range e.Backend {
-			s.initBackendDefaults(i, j)
+			if err := s.initBackendDefaults(i, j); err != nil {
+				return err
+			}
 
 			if err := s.initBackendURLMappings(i, j, inputSet); err != nil {
 				return err
@@ -525,13 +563,17 @@ func (s *ServiceConfig) initAsyncAgentDefaults(e int) {
 	}
 }
 
-func (s *ServiceConfig) initBackendDefaults(e, b int) {
+func (s *ServiceConfig) initBackendDefaults(e, b int) error {
 	endpoint := s.Endpoints[e]
 	backend := endpoint.Backend[b]
 	if len(backend.Host) == 0 {
 		backend.Host = s.Host
 	} else if !backend.HostSanitizationDisabled {
-		backend.Host = s.uriParser.CleanHosts(backend.Host)
+		var err error
+		backend.Host, err = s.uriParser.SafeCleanHosts(backend.Host)
+		if err != nil {
+			return err
+		}
 	}
 	if backend.Method == "" {
 		backend.Method = endpoint.Method
@@ -549,6 +591,7 @@ func (s *ServiceConfig) initBackendDefaults(e, b int) {
 	if backend.SDScheme == "" {
 		backend.SDScheme = "http"
 	}
+	return nil
 }
 
 func (s *ServiceConfig) initBackendURLMappings(e, b int, inputParams map[string]interface{}) error {
@@ -743,3 +786,8 @@ func SetSequentialParamsPattern(pattern string) error {
 	sequentialParamsPattern = re
 	return nil
 }
+
+func validateAddress(address string) bool {
+	ip := net.ParseIP(address)
+	return ip != nil
+}

config/config_test.go

@@ -3,6 +3,7 @@
 package config
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 	"testing"
@@ -61,7 +62,7 @@ func TestConfig_initBackendURLMappings_ok(t *testing.T) {
 
 	backend := Backend{}
 	endpoint := EndpointConfig{Backend: []*Backend{&backend}}
-	subject := ServiceConfig{Endpoints: []*EndpointConfig{&endpoint}, uriParser: NewURIParser()}
+	subject := ServiceConfig{Endpoints: []*EndpointConfig{&endpoint}, uriParser: NewSafeURIParser()}
 
 	inputSet := map[string]interface{}{
 		"tupu":     nil,
@@ -89,7 +90,7 @@ func TestConfig_initBackendURLMappings_tooManyOutput(t *testing.T) {
 		Endpoint: "/some/{tupu}",
 		Backend:  []*Backend{&backend},
 	}
-	subject := ServiceConfig{Endpoints: []*EndpointConfig{&endpoint}, uriParser: NewURIParser()}
+	subject := ServiceConfig{Endpoints: []*EndpointConfig{&endpoint}, uriParser: NewSafeURIParser()}
 
 	inputSet := map[string]interface{}{
 		"tupu": nil,
@@ -106,7 +107,7 @@ func TestConfig_initBackendURLMappings_tooManyOutput(t *testing.T) {
 func TestConfig_initBackendURLMappings_undefinedOutput(t *testing.T) {
 	backend := Backend{URLPattern: "supu/{tupu_56}/{supu-5t6}?a={foo}&b={foo}"}
 	endpoint := EndpointConfig{Endpoint: "/", Method: "GET", Backend: []*Backend{&backend}}
-	subject := ServiceConfig{Endpoints: []*EndpointConfig{&endpoint}, uriParser: NewURIParser()}
+	subject := ServiceConfig{Endpoints: []*EndpointConfig{&endpoint}, uriParser: NewSafeURIParser()}
 
 	inputSet := map[string]interface{}{
 		"tupu": nil,
@@ -210,7 +211,7 @@ func TestConfig_init(t *testing.T) {
 		t.Error(err.Error())
 	}
 
-	if hash != "0O1SlXMLFZwKikXa02ymwM301C8q0P4ekbb5PzsBbxM=" {
+	if hash != "GdZTJtCn9ZHj3iBR1ZxmZL65HjbTCU8HhbDG8YWudAo=" {
 		t.Errorf("unexpected hash: %s", hash)
 	}
 }
@@ -261,11 +262,6 @@ func TestConfig_initKOMultipleBackendsForNoopEncoder(t *testing.T) {
 }
 
 func TestConfig_initKOInvalidHost(t *testing.T) {
-	defer func() {
-		if r := recover(); r == nil {
-			t.Errorf("The init process did not panic with an invalid host!")
-		}
-	}()
 	subject := ServiceConfig{
 		Version: ConfigVersion,
 		Host:    []string{"http://127.0.0.1:8080http://127.0.0.1:8080"},
@@ -278,7 +274,16 @@ func TestConfig_initKOInvalidHost(t *testing.T) {
 		},
 	}
 
-	subject.Init()
+	err := subject.Init()
+	if err == nil {
+		t.Errorf("expected to fail with invalid host")
+		return
+	}
+
+	if !errors.Is(err, errInvalidHost) {
+		t.Errorf("expected 'errInvalidHost' got: %s", err.Error())
+		return
+	}
 }
 
 func TestConfig_initKOInvalidDebugPattern(t *testing.T) {

config/parser.go

@@ -139,6 +139,7 @@ type parseableServiceConfig struct {
 	CacheTTL              string                     `json:"cache_ttl"`
 	Host                  []string                   `json:"host"`
 	Port                  int                        `json:"port"`
+	Address               string                     `json:"listen_ip"`
 	Version               int                        `json:"version"`
 	ExtraConfig           *ExtraConfig               `json:"extra_config,omitempty"`
 	ReadTimeout           string                     `json:"read_timeout"`
@@ -162,6 +163,7 @@ type parseableServiceConfig struct {
 	Plugin                *Plugin                    `json:"plugin,omitempty"`
 	TLS                   *parseableTLS              `json:"tls,omitempty"`
 	ClientTLS             *parseableClientTLS        `json:"client_tls,omitempty"`
+	UseH2C                bool                       `json:"use_h2c,omitempty"`
 }
 
 func (p *parseableServiceConfig) normalize() ServiceConfig {
@@ -171,6 +173,7 @@ func (p *parseableServiceConfig) normalize() ServiceConfig {
 		CacheTTL:              parseDuration(p.CacheTTL),
 		Host:                  p.Host,
 		Port:                  p.Port,
+		Address:               p.Address,
 		Version:               p.Version,
 		Debug:                 p.Debug,
 		Echo:                  p.Echo,
@@ -191,6 +194,7 @@ func (p *parseableServiceConfig) normalize() ServiceConfig {
 		DialerKeepAlive:       parseDuration(p.DialerKeepAlive),
 		OutputEncoding:        p.OutputEncoding,
 		Plugin:                p.Plugin,
+		UseH2C:                p.UseH2C,
 	}
 	if p.TLS != nil {
 		cfg.TLS = &TLS{
@@ -216,6 +220,10 @@ func (p *parseableServiceConfig) normalize() ServiceConfig {
 			MaxVersion:               p.ClientTLS.MaxVersion,
 			CurvePreferences:         p.ClientTLS.CurvePreferences,
 			CipherSuites:             p.ClientTLS.CipherSuites,
+			ClientCerts:              make([]ClientTLSCert, 0, len(p.ClientTLS.ClientCerts)),
+		}
+		for _, cc := range p.ClientTLS.ClientCerts {
+			cfg.ClientTLS.ClientCerts = append(cfg.ClientTLS.ClientCerts, ClientTLSCert(cc))
 		}
 	}
 	if p.ExtraConfig != nil {
@@ -249,13 +257,19 @@ type parseableTLS struct {
 }
 
 type parseableClientTLS struct {
-	AllowInsecureConnections bool     `json:"allow_insecure_connections"`
-	CaCerts                  []string `json:"ca_certs"`
-	DisableSystemCaPool      bool     `json:"disable_system_ca_pool"`
-	MinVersion               string   `json:"min_version"`
-	MaxVersion               string   `json:"max_version"`
-	CurvePreferences         []uint16 `json:"curve_preferences"`
-	CipherSuites             []uint16 `json:"cipher_suites"`
+	AllowInsecureConnections bool                     `json:"allow_insecure_connections"`
+	CaCerts                  []string                 `json:"ca_certs"`
+	DisableSystemCaPool      bool                     `json:"disable_system_ca_pool"`
+	MinVersion               string                   `json:"min_version"`
+	MaxVersion               string                   `json:"max_version"`
+	CurvePreferences         []uint16                 `json:"curve_preferences"`
+	CipherSuites             []uint16                 `json:"cipher_suites"`
+	ClientCerts              []parseableClientTLSCert `json:"client_certs"`
+}
+
+type parseableClientTLSCert struct {
+	Certificate string `json:"certificate"`
+	PrivateKey  string `json:"private_key"`
 }
 
 type parseableEndpointConfig struct {
@@ -354,6 +368,7 @@ type parseableBackend struct {
 	SD                       string            `json:"sd"`
 	HeadersToPass            []string          `json:"input_headers"`
 	SDScheme                 string            `json:"sd_scheme"`
+	QueryStringsToPass       []string          `json:"input_query_strings"`
 }
 
 func (p *parseableBackend) normalize() *Backend {
@@ -372,6 +387,7 @@ func (p *parseableBackend) normalize() *Backend {
 		AllowList:                p.AllowList,
 		DenyList:                 p.DenyList,
 		HeadersToPass:            p.HeadersToPass,
+		QueryStringsToPass:       p.QueryStringsToPass,
 	}
 	if b.SDScheme == "" {
 		b.SDScheme = "http"