go/mirko: add GetRemoteHTTPClient
Change-Id: Icf1ec5c28ea487e62a23590069042c5b9edad846
diff --git a/go/mirko/BUILD.bazel b/go/mirko/BUILD.bazel
index a771e96..4a83104 100644
--- a/go/mirko/BUILD.bazel
+++ b/go/mirko/BUILD.bazel
@@ -1,10 +1,11 @@
-load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
go_library(
name = "go_default_library",
srcs = [
"kubernetes.go",
"mirko.go",
+ "revproxy.go",
"sql.go",
"sql_migrations.go",
"trace.go",
@@ -24,3 +25,10 @@
"@org_golang_x_net//trace:go_default_library",
],
)
+
+go_test(
+ name = "go_default_test",
+ srcs = ["revproxy_test.go"],
+ embed = [":go_default_library"],
+ deps = ["@io_k8s_client_go//kubernetes:go_default_library"],
+)
diff --git a/go/mirko/revproxy.go b/go/mirko/revproxy.go
new file mode 100644
index 0000000..46f22d4
--- /dev/null
+++ b/go/mirko/revproxy.go
@@ -0,0 +1,66 @@
+package mirko
+
+import (
+ "fmt"
+ "net"
+ "net/http"
+ "strconv"
+ "strings"
+)
+
+// parsePort parses a string as a port number from 1 to 65535.
+func parsePort(s string) (uint16, error) {
+ port, err := strconv.ParseUint(s, 10, 16)
+ if err != nil {
+ return 0, fmt.Errorf("could not parse port %q: %v", s, err)
+ }
+ if port < 1 || port > 65535 {
+ return 0, fmt.Errorf("port %d out of range", port)
+ }
+ return uint16(port), nil
+}
+
+// GetHTTPRemoteClient returns the IP address and source port of the client
+// initiating the given HTTP request. This will either interpret the remote
+// side of the HTTP connection if not running within a cluster, or the source
+// IP/port as reported by the cluster reverse proxy (nginx-ingress-controller).
+// An error will be returned if the request is unparseable for this data. In
+// this case, the caller should assume that the environment is misconfigured,
+// and that the client source cannot be deduced.
+func GetHTTPRemoteClient(r *http.Request) (net.IP, uint16, error) {
+ if KubernetesClient() == nil {
+ // We're not running inside a cluster (we're probably running on a dev
+ // machine), so just return whatever net/http says.
+
+ host, portStr, err := net.SplitHostPort(r.RemoteAddr)
+ if err != nil {
+ return nil, 0, fmt.Errorf("could not split hostport: %v", err)
+ }
+ ip := net.ParseIP(host)
+ if ip == nil {
+ return nil, 0, fmt.Errorf("could not parse host %q to IP address", host)
+ }
+ port, err := parsePort(portStr)
+ if err != nil {
+ return nil, 0, err
+ }
+ return ip, uint16(port), nil
+ }
+
+ // We are running in a cluster, so we can expect Hscloud-* headers.
+ // These are configured in the nginx-ingress-controller, //cluster/kube/lib/nginx.libsonnet.
+ nsip := strings.TrimSpace(r.Header.Get("Hscloud-Nic-Source-IP"))
+ nsport := strings.TrimSpace(r.Header.Get("Hscloud-Nic-Source-Port"))
+ if nsip == "" || nsport == "" {
+ return nil, 0, fmt.Errorf("Hscloud-Nic-* headers not set")
+ }
+ ip := net.ParseIP(nsip)
+ if ip == nil {
+ return nil, 0, fmt.Errorf("Invalid Hscloud-Nix-Source-IP %q", nsip)
+ }
+ port, err := parsePort(nsport)
+ if err != nil {
+ return nil, 0, fmt.Errorf("Invalid Hscloud-Nix-Source-Port: %v", err)
+ }
+ return ip, port, nil
+}
diff --git a/go/mirko/revproxy_test.go b/go/mirko/revproxy_test.go
new file mode 100644
index 0000000..d237906
--- /dev/null
+++ b/go/mirko/revproxy_test.go
@@ -0,0 +1,75 @@
+package mirko
+
+import (
+ "net"
+ "net/http"
+ "testing"
+
+ "k8s.io/client-go/kubernetes"
+)
+
+// TestHTTPRemoteClient exercises GetHTTPRemoteClient.
+func TestHTTPRemoteClient(t *testing.T) {
+ for i, te := range []struct {
+ // k8s is whether GetHTTPRemoteClient should see itself as running in
+ // production.
+ k8s bool
+ r *http.Request
+ wantIP net.IP
+ wantPort uint16
+ }{
+ // 0: No headers set, outside cluseter - should work as expected.
+ {false, &http.Request{RemoteAddr: "1.2.3.4:1234", Header: map[string][]string{}}, net.IPv4(1, 2, 3, 4), 1234},
+ // 1: No headers set, in cluseter - should fail.
+ {true, &http.Request{RemoteAddr: "1.2.3.4:1234", Header: map[string][]string{}}, nil, 0},
+ // 2: Headers set, outside cluster - should parse request, not headers.
+ {false, &http.Request{RemoteAddr: "1.2.3.4:1234", Header: map[string][]string{
+ "Hscloud-Nic-Source-Ip": []string{"2.3.4.5"},
+ "Hscloud-Nic-Source-Port": []string{"2345"},
+ }}, net.IPv4(1, 2, 3, 4), 1234},
+ // 3: Headers set, in cluster - should parse headers, not request.
+ {true, &http.Request{RemoteAddr: "1.2.3.4:1234", Header: map[string][]string{
+ "Hscloud-Nic-Source-Ip": []string{"2.3.4.5"},
+ "Hscloud-Nic-Source-Port": []string{"2345"},
+ }}, net.IPv4(2, 3, 4, 5), 2345},
+
+ // 4: Test IPv6 parsing.
+ {false, &http.Request{RemoteAddr: "[2a0d:eb00::42]:1234", Header: map[string][]string{}},
+ net.IP([]byte{0x2a, 0x0d, 0xeb, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x42}), 1234},
+
+ // 5: Test broken IPv6.
+ {false, &http.Request{RemoteAddr: "2a0d:eb00::42:1234", Header: map[string][]string{}}, nil, 0},
+ // 6: Test broken IPv6.
+ {false, &http.Request{RemoteAddr: "2a0d:eb00::42", Header: map[string][]string{}}, nil, 0},
+ // 7: Test broken IPv6.
+ {false, &http.Request{RemoteAddr: "2a0d:80", Header: map[string][]string{}}, nil, 0},
+
+ // 8: Test broken port.
+ {false, &http.Request{RemoteAddr: "1.2.3.4", Header: map[string][]string{}}, nil, 0},
+ // 9: Test broken port.
+ {false, &http.Request{RemoteAddr: "1.2.3.4:0", Header: map[string][]string{}}, nil, 0},
+ } {
+ kubernetesCSMu.Lock()
+ if te.k8s {
+ kubernetesCS = &kubernetes.Clientset{}
+ } else {
+ kubernetesCS = nil
+ }
+ kubernetesCSValid = true
+ kubernetesCSMu.Unlock()
+
+ gotIP, gotPort, err := GetHTTPRemoteClient(te.r)
+ if err == nil {
+ if want, got := te.wantIP, gotIP; !want.Equal(got) {
+ t.Errorf("%d: wanted IP %v, got %v", i, want, got)
+ }
+ if want, got := te.wantPort, gotPort; want != got {
+ t.Errorf("%d: wanted port %d, got %d", i, want, got)
+ }
+ } else {
+ if te.wantIP != nil || te.wantPort != 0 {
+ t.Errorf("%d: wanted %v %d, got failure", te.wantIP, te.wantPort)
+ }
+ }
+ }
+}