710ec58 to c3b156c
cmd/vic-machine/common/proxy.go
Outdated
| } | ||
| } | ||
|
|
||
| noproxy = p.NoProxy |
It seems like we should validate this user input and add unit tests for that validation logic.
We may also need unit or integration tests to ensure that we handle edge cases properly, like a user specifying a --no-proxy setting without specifying either proxy.
The snippet below is how Golang http/transport processes the no_proxy value, and it is kind of fault tolerant.
    for _, p := range strings.Split(no_proxy, ",") {
        p = strings.ToLower(strings.TrimSpace(p))
        if len(p) == 0 {
            continue
        }
        if hasPort(p) {
            p = p[:strings.LastIndex(p, ":")]
        }
        if addr == p {
            return false
        }
        if len(p) == 0 {
            // There is no host part, likely the entry is malformed; ignore.
            continue
        }
        if p[0] == '.' && (strings.HasSuffix(addr, p) || addr == p[1:]) {
            // no_proxy ".foo.com" matches "bar.foo.com" or "foo.com"
            return false
        }
        if p[0] != '.' && strings.HasSuffix(addr, p) && addr[len(addr)-len(p)-1] == '.' {
            // no_proxy "foo.com" matches "bar.foo.com"
            return false
        }
    }
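Added example (not code from this PR or from the project): one way to validate and normalize a --no-proxy value before it is stored, keeping the tolerant splitting of the transport snippet above while rejecting entries that are not "*", an IP address or a host name with optional port. NormalizeNoProxy, hostRE and the accepted entry forms are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// hostRE: DNS labels with an optional leading dot (".example.com").
// The accepted entry forms are an assumption of this example.
var hostRE = regexp.MustCompile(`^\.?[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$`)

// NormalizeNoProxy (hypothetical helper) trims and lower-cases each entry,
// drops empty ones, and rejects anything other than "*", an IP or a host[:port].
func NormalizeNoProxy(raw string) ([]string, error) {
	var out []string
	for _, e := range strings.Split(raw, ",") {
		e = strings.ToLower(strings.TrimSpace(e))
		if e == "" {
			continue // "a,,b" and trailing commas are tolerated, as in the transport
		}
		host := e
		if h, p, err := net.SplitHostPort(e); err == nil {
			// SplitHostPort does not check the port, so "http://x" would pass without this.
			if _, perr := strconv.ParseUint(p, 10, 16); perr != nil {
				return nil, fmt.Errorf("invalid port in no-proxy entry %q", e)
			}
			host = h
		}
		if e != "*" && net.ParseIP(host) == nil && !hostRE.MatchString(host) {
			return nil, fmt.Errorf("invalid no-proxy entry %q", e)
		}
		out = append(out, e)
	}
	return out, nil
}

func main() {
	// Constructed inputs, including the spaced and unspaced forms from the review.
	for _, in := range []string{"*", "localhost, .example.com", "localhost,.example.com,", "http://example.com"} {
		list, err := NormalizeNoProxy(in)
		fmt.Printf("%q -> %q, err=%v\n", in, list, err)
	}
}
```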
I understand the point, but they are not necessarily set together, as we do when setting them through env variables. I also wonder if we can remove the proxies.IsSet field, which looks redundant.
| updateSessionEnv(vicAdminSession, config.VICAdminHTTPSProxy, sProxy) | ||
| } | ||
| nProxy := "" | ||
| if c.NoProxy != nil { |
Since proxy exclusions don't make sense if proxies haven't been configured, it seems like this should be nested under the c.proxies.IsSet block.
I thought maybe we can align with other no_proxy settings which are not only for http protocol but also for other protocols, though we only use http protocols for now.
| hProxy := "" | ||
| if c.HTTPProxy != nil { | ||
| hProxy = c.HTTPProxy.String() | ||
| updateSessionEnv(personaSession, config.GeneralHTTPProxy, hProxy) |
This restructuring fixes one issue as noted in the commit message, but looks like it may introduce another: it no longer seems possible to unset a previously-configured proxy.
Good catch. Fixed the regression.
lib/apiservers/service/swagger.json
Outdated
| "format": "uri" | ||
| }, | ||
| "no_proxy": { | ||
| "type": "string" |
It seems like this should take an array of URIs; we use "rich" data types in the API even if they're not feasible for the CLI. (This will require some changes to the API handler logic.)
According to the snippet above, no_proxy includes not only URIs, but also domain names.
If I recall correctly a URI should be able to encode a protocol-relative location (e.g. //f.q.d.n) - I'd suggest seeing whether the url package encodes correctly when omitting the protocol (a sanity check in playground says it does). I believe you already test this in the unit test, but maybe not with the actual protocol-relative form.
Regardless the data in this option is expected to be an array of valid URIs so we should define it as such.
Right, URIs can parse '*' or domain names too. I just updated the type to URI array.
cmd/vic-machine/common/proxy.go
Outdated
| } | ||
| } | ||
|
|
||
| noproxy = p.NoProxy |
| } | ||
| for _, env := range persona.Cmd.Env { | ||
| if !strings.HasPrefix(env, httpProxy) && !strings.HasPrefix(env, httpsProxy) { | ||
| if !strings.HasPrefix(env, httpProxy) && !strings.HasPrefix(env, httpsProxy) && !strings.HasPrefix(env, noProxy) { |
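Review bot: The condition on the last line matches with strings.HasPrefix(env, noProxy), and likewise for httpProxy and httpsProxy, so unless those constants already end in "=", any variable whose name merely starts with the same text is filtered out as well. Compare against the name plus "=", as the later hunk does with https+"=", and add a test with a look-alike variable name.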
This is likely much neater if using switch - something like:
    for _, env := range persona.Cmd.Env {
        val := strings.Split(env, "=")
        switch {
        case strings.HasPrefix(env, httpProxy):
            ...
        case strings.HasPrefix(env, httpsProxy):
            ...
        case strings.HasPrefix(env, noProxy):
            ...
        }
    }
Good suggestion. Just refactored to use switch.
afeffe8 to c1fb11e
zjs left a comment
We should also ensure the API change is covered by an integration test.
| assert.NoError(t, err, "Expected %s and %s to be accepted", ghttp, ghttps) | ||
| assert.True(t, gproxy.IsSet, "Expected proxy to be marked as set") | ||
| _, _, nproxy, err := gproxy.ProcessProxies() | ||
| assert.NoError(t, err, "Expected %s, %s, %s and %s to be accepted", ghttp, ghttps, uri, nproxy) |
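Review bot: In these lines the nproxy value returned by ProcessProxies() is only interpolated into the failure message of assert.NoError, so the test passes whatever string comes back. Add an assert.Equal on nproxy against the expected trimmed list so the normalization is actually checked.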
It seems like this will print the --no-proxy values twice: once from uri and once from nproxy.
I added uri and nproxy for comparison. nproxy will trim whitespaces of each uri.
| } | ||
|
|
||
| gnproxies := [...]string{ | ||
| "*", |
Is this actually a valid value? If so, perhaps it should be mentioned in the help text (which currently says "This should be a comma-separated list of hostnames, domain names, or a mixture of both").
Good catch. Just updated the information.
|
|
||
| gnproxies := [...]string{ | ||
| "*", | ||
| "localhost, .example.com", |
Maybe we should also include a test case without a space. (E.g., "localhost,.example.com")
cmd/vic-machine/common/proxy.go
Outdated
| cli.GenericFlag{ | ||
| Name: "no-proxy", | ||
| Value: flags.NewOptionalString(&p.NoProxy), | ||
| Usage: "URLs that should be excluded from proxying. This should be a comma-separated list of hostnames, domain names, or a mixture of both", |
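Review bot: The Usage string opens with "URLs that should be excluded from proxying" but then asks for "hostnames, domain names, or a mixture of both", which are not URLs. Pick one term and state the accepted forms explicitly, so users know what a given entry will exclude from proxying.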
In the example below, you have ".example.com". Presumably this means example.com and all sub-domains. It's not clear from this help output that this would be accepted. Perhaps @stuclem can suggest a concise way to explain this.
| func FromImageFetchProxy(p *models.VCHRegistryImageFetchProxy) common.Proxies { | ||
| http := string(p.HTTP) | ||
| https := string(p.HTTPS) | ||
| var nproxy *string |
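Review bot: p is dereferenced in string(p.HTTP) and string(p.HTTPS) with no nil check in the lines shown, so a nil p would panic here unless every caller guards it. Return an empty common.Proxies early when p is nil, or document the precondition. The local name http will also shadow the net/http package if this file imports it.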
To be consistent with the other functions in this package (where each function converts one object), this should probably be extracted into its own function (e.g., fromProxyExclusionList).
noproxy is defined as one field of VCHRegistryImageFetchProxy, so I process it here.
| buffer.WriteString(",") | ||
| buffer.WriteString(string(v)) | ||
| } | ||
| nproxyStr := buffer.String() |
I think this could be more clearly written as strings.Join(p.NoProxy, ",")
I tried initially, but it looks like p.NoProxy is of type []strfmt.URL, and strings.Join does not accept it?
| if strings.HasPrefix(env, https+"=") { | ||
| httpsProxy = strfmt.URI(strings.SplitN(env, "=", 2)[1]) | ||
| } | ||
| if strings.HasPrefix(env, nproxy+"=") { |
Like config_to_data.go (#8201 (comment)), I think this would be clearer if it used a switch.
| nProxyStrs := strings.Split(strings.SplitN(env, "=", 2)[1], ",") | ||
| nProxy = make([]strfmt.URI, len(nProxyStrs)) | ||
| for i := range nProxy { | ||
| nProxy[i] = strfmt.URI(strings.TrimSpace(nProxyStrs[i])) |
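Review bot: strings.Split returns one empty string for an empty value and an empty element for every doubled or trailing comma, so this loop stores empty strfmt.URI entries in nProxy (for example when the variable is set to an empty string). Skip entries that are empty after strings.TrimSpace and build the slice with append instead of a fixed length.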
To be consistent with the other functions in this package (where each function converts one object), this should probably be extracted into its own function (e.g., asProxyExclusionList).
| GeneralNoProxy = "NO_PROXY" | ||
| VICAdminHTTPProxy = "VICADMIN_HTTP_PROXY" | ||
| VICAdminHTTPSProxy = "VICADMIN_HTTPS_PROXY" | ||
| VICAdminNoProxy = "NO_PROXY" |
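Review bot: VICAdminNoProxy and GeneralNoProxy both resolve to "NO_PROXY" while the neighbouring VICAdmin constants carry a VICADMIN_ prefix, which reads like a typo. Add a comment on VICAdminNoProxy stating that the unprefixed name is intentional and why.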
This seems inconsistent with VICAdminHTTPProxy and VICAdminHTTPSProxy. Should this be VICADMIN_NO_PROXY?
NO_PROXY is used inside http.transport, so I need to put that env name
Line 202 in 2119c41
|
(cherry picked from commit 45a545a) Conflicts: lib/apiservers/service/restapi/handlers/decode/networking.go lib/apiservers/service/restapi/handlers/encode/networking.go lib/apiservers/service/restapi/handlers/vch_get.go
(cherry picked from commit 45a545a)
(cherry picked from commit 45a545a) Conflicts: deleted by us: lib/apiservers/service/restapi/handlers/decode/networking.go deleted by us: lib/apiservers/service/restapi/handlers/encode/networking.go both modified: lib/apiservers/service/restapi/handlers/vch_get.go modified: lib/apiservers/service/restapi/handlers/vch_create.go
The previous vic-machine proxy configuration behaviour has an issue in that http and https settings will overwrite each other if we only configure one each time. This issue has been fixed as well.
Fixes #8144