Merge branch 'main' into update-dos-games

zarf-dev · Aug 7, 2024 · e9fff3b · e9fff3b
2 parents ba69765 + 35952d8
commit e9fff3b
Show file tree

Hide file tree

Showing 25 changed files with 563 additions and 264 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -72,7 +72,7 @@ jobs:
 
       # Upload the contents of the build directory for later stages to use
       - name: Upload build artifacts
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: build-artifacts
           path: build/
@@ -186,7 +186,7 @@ jobs:
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.brew-tap-token.outputs.token }}
 
       - name: Save CVE report
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: cve-report
           path: build/zarf-known-cves.csv
diff --git a/.github/workflows/scan-codeql.yml b/.github/workflows/scan-codeql.yml
@@ -53,7 +53,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/init@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql.yaml
@@ -62,6 +62,6 @@ jobs:
         run: make build-cli-linux-amd
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/analyze@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -36,14 +36,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
+        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/test-bigbang.yml b/.github/workflows/test-bigbang.yml
@@ -63,7 +63,7 @@ jobs:
 
       # Upload the contents of the build directory for later stages to use
       - name: Upload build artifacts
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: build-artifacts
           path: build/

diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
@@ -47,7 +47,7 @@ jobs:
 
       # Upload the contents of the build directory for later stages to use
       - name: Upload build artifacts
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: build-artifacts
           path: build/

diff --git a/.github/workflows/test-upgrade.yml b/.github/workflows/test-upgrade.yml
@@ -46,7 +46,7 @@ jobs:
 
       # Upload the contents of the build directory for later stages to use
       - name: Upload build artifacts
-        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
         with:
           name: build-artifacts
           path: build/

diff --git a/src/cmd/internal.go b/src/cmd/internal.go
@@ -43,7 +43,11 @@ var agentCmd = &cobra.Command{
 	Short: lang.CmdInternalAgentShort,
 	Long:  lang.CmdInternalAgentLong,
 	RunE: func(cmd *cobra.Command, _ []string) error {
-		return agent.StartWebhook(cmd.Context())
+		cluster, err := cluster.NewCluster()
+		if err != nil {
+			return err
+		}
+		return agent.StartWebhook(cmd.Context(), cluster)
 	},
 }
 
@@ -52,7 +56,11 @@ var httpProxyCmd = &cobra.Command{
 	Short: lang.CmdInternalProxyShort,
 	Long:  lang.CmdInternalProxyLong,
 	RunE: func(cmd *cobra.Command, _ []string) error {
-		return agent.StartHTTPProxy(cmd.Context())
+		cluster, err := cluster.NewCluster()
+		if err != nil {
+			return err
+		}
+		return agent.StartHTTPProxy(cmd.Context(), cluster)
 	},
 }
 

diff --git a/src/config/lang/english.go b/src/config/lang/english.go
@@ -611,7 +611,6 @@ const (
 	AgentErrMarshallJSONPatch      = "unable to marshall the json patch"
 	AgentErrMarshalResponse        = "unable to marshal the response"
 	AgentErrNilReq                 = "malformed admission review: request is nil"
-	AgentErrUnableTransform        = "unable to transform the provided request; see zarf http proxy logs for more details"
 )
 
 // Package create

diff --git a/src/internal/agent/http/proxy.go b/src/internal/agent/http/proxy.go
@@ -5,7 +5,6 @@
 package http
 
 import (
-	"context"
 	"crypto/tls"
 	"fmt"
 	"io"
@@ -14,51 +13,43 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/zarf-dev/zarf/src/config/lang"
 	"github.com/zarf-dev/zarf/src/pkg/cluster"
 	"github.com/zarf-dev/zarf/src/pkg/message"
 	"github.com/zarf-dev/zarf/src/pkg/transform"
+	"github.com/zarf-dev/zarf/src/types"
 )
 
 // ProxyHandler constructs a new httputil.ReverseProxy and returns an http handler.
-func ProxyHandler() http.HandlerFunc {
+func ProxyHandler(cluster *cluster.Cluster) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		err := proxyRequestTransform(r)
+		state, err := cluster.LoadZarfState(r.Context())
 		if err != nil {
 			message.Debugf("%#v", err)
 			w.WriteHeader(http.StatusInternalServerError)
 			//nolint: errcheck // ignore
-			w.Write([]byte(lang.AgentErrUnableTransform))
+			w.Write([]byte("unable to load Zarf state, see the Zarf HTTP proxy logs for more details"))
+			return
+		}
+		err = proxyRequestTransform(r, state)
+		if err != nil {
+			message.Debugf("%#v", err)
+			w.WriteHeader(http.StatusInternalServerError)
+			//nolint: errcheck // ignore
+			w.Write([]byte("unable to transform the provided request, see the Zarf HTTP proxy logs for more details"))
 			return
 		}
-
 		proxy := &httputil.ReverseProxy{Director: func(_ *http.Request) {}, ModifyResponse: proxyResponseTransform}
 		proxy.ServeHTTP(w, r)
 	}
 }
 
-func proxyRequestTransform(r *http.Request) error {
-	message.Debugf("Before Req %#v", r)
-	message.Debugf("Before Req URL %#v", r.URL)
-
+func proxyRequestTransform(r *http.Request, state *types.ZarfState) error {
 	// We add this so that we can use it to rewrite urls in the response if needed
 	r.Header.Add("X-Forwarded-Host", r.Host)
 
 	// We remove this so that go will encode and decode on our behalf (see https://pkg.go.dev/net/http#Transport DisableCompression)
 	r.Header.Del("Accept-Encoding")
 
-	c, err := cluster.NewCluster()
-	if err != nil {
-		return err
-	}
-	ctx := context.Background()
-	state, err := c.LoadZarfState(ctx)
-	if err != nil {
-		return err
-	}
-
-	var targetURL *url.URL
-
 	// Setup authentication for each type of service based on User Agent
 	switch {
 	case isGitUserAgent(r.UserAgent()):
@@ -70,6 +61,8 @@ func proxyRequestTransform(r *http.Request) error {
 	}
 
 	// Transform the URL; if we see the NoTransform prefix, strip it; otherwise, transform the URL based on User Agent
+	var err error
+	var targetURL *url.URL
 	if strings.HasPrefix(r.URL.Path, transform.NoTransform) {
 		switch {
 		case isGitUserAgent(r.UserAgent()):
@@ -89,7 +82,6 @@ func proxyRequestTransform(r *http.Request) error {
 			targetURL, err = transform.GenTransformURL(state.ArtifactServer.Address, getTLSScheme(r.TLS)+r.Host+r.URL.String())
 		}
 	}
-
 	if err != nil {
 		return err
 	}
@@ -98,19 +90,12 @@ func proxyRequestTransform(r *http.Request) error {
 	r.URL = targetURL
 	r.RequestURI = getRequestURI(targetURL.Path, targetURL.RawQuery, targetURL.Fragment)
 
-	message.Debugf("After Req %#v", r)
-	message.Debugf("After Req URL%#v", r.URL)
-
 	return nil
 }
 
 func proxyResponseTransform(resp *http.Response) error {
-	message.Debugf("Before Resp %#v", resp)
-
 	// Handle redirection codes (3xx) by adding a marker to let Zarf know this has been redirected
 	if resp.StatusCode/100 == 3 {
-		message.Debugf("Before Resp Location %#v", resp.Header.Get("Location"))
-
 		locationURL, err := url.Parse(resp.Header.Get("Location"))
 		if err != nil {
 			return err
@@ -119,72 +104,46 @@ func proxyResponseTransform(resp *http.Response) error {
 		locationURL.Host = resp.Request.Header.Get("X-Forwarded-Host")
 
 		resp.Header.Set("Location", locationURL.String())
-
-		message.Debugf("After Resp Location %#v", resp.Header.Get("Location"))
 	}
 
-	contentType := resp.Header.Get("Content-Type")
-
 	// Handle text content returns that may contain links
+	contentType := resp.Header.Get("Content-Type")
 	if strings.HasPrefix(contentType, "text") || strings.HasPrefix(contentType, "application/json") || strings.HasPrefix(contentType, "application/xml") {
-		err := replaceBodyLinks(resp)
-
+		forwardedPrefix := fmt.Sprintf("%s%s%s", getTLSScheme(resp.Request.TLS), resp.Request.Header.Get("X-Forwarded-Host"), transform.NoTransform)
+		targetPrefix := fmt.Sprintf("%s%s", getTLSScheme(resp.TLS), resp.Request.Host)
+		b, err := io.ReadAll(resp.Body)
 		if err != nil {
-			message.Debugf("%#v", err)
+			return err
 		}
-	}
-
-	message.Debugf("After Resp %#v", resp)
-
-	return nil
-}
-
-func replaceBodyLinks(resp *http.Response) error {
-	message.Debugf("Resp Request: %#v", resp.Request)
-
-	// Create the forwarded (online) and target (offline) URL prefixes to replace
-	forwardedPrefix := fmt.Sprintf("%s%s%s", getTLSScheme(resp.Request.TLS), resp.Request.Header.Get("X-Forwarded-Host"), transform.NoTransform)
-	targetPrefix := fmt.Sprintf("%s%s", getTLSScheme(resp.TLS), resp.Request.Host)
+		err = resp.Body.Close()
+		if err != nil {
+			return err
+		}
+		bodyString := strings.ReplaceAll(string(b), targetPrefix, forwardedPrefix)
 
-	b, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-	err = resp.Body.Close()
-	if err != nil {
-		return err
+		resp.Body = io.NopCloser(strings.NewReader(bodyString))
+		resp.ContentLength = int64(len(bodyString))
+		resp.Header.Set("Content-Length", fmt.Sprint(int64(len(bodyString))))
 	}
-	bodyString := strings.ReplaceAll(string(b), targetPrefix, forwardedPrefix)
-
-	// Setup the new reader, and correct the content length
-	resp.Body = io.NopCloser(strings.NewReader(bodyString))
-	resp.ContentLength = int64(len(bodyString))
-	resp.Header.Set("Content-Length", fmt.Sprint(int64(len(bodyString))))
-
 	return nil
 }
 
 func getTLSScheme(tls *tls.ConnectionState) string {
 	scheme := "https://"
-
 	if tls == nil {
 		scheme = "http://"
 	}
-
 	return scheme
 }
 
 func getRequestURI(path, query, fragment string) string {
 	uri := path
-
 	if query != "" {
 		uri += "?" + query
 	}
-
 	if fragment != "" {
 		uri += "#" + fragment
 	}
-
 	return uri
 }