Add PROXY header getter to the grpc proxy client (#31992)

gravitational · Sep 18, 2023 · 0111c24 · 0111c24
1 parent 8f24c4f
commit 0111c24
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 0 deletions.
diff --git a/api/client/proxy/client.go b/api/client/proxy/client.go
@@ -70,6 +70,9 @@ type ClientConfig struct {
 	// ViaJumpHost indicates if the connection to the cluster is direct
 	// or via another cluster.
 	ViaJumpHost bool
+	// PROXYHeaderGetter is used if present to get signed PROXY headers to propagate client's IP.
+	// Used by proxy's web server to make calls on behalf of connected clients.
+	PROXYHeaderGetter client.PROXYHeaderGetter
 
 	// The below items are intended to be used by tests to connect without mTLS.
 	// The gRPC transport credentials to use when establishing the connection to proxy.
@@ -315,6 +318,7 @@ func newDialerForGRPCClient(ctx context.Context, cfg *ClientConfig) func(context
 		client.WithInsecureSkipVerify(cfg.InsecureSkipVerify),
 		client.WithALPNConnUpgrade(cfg.ALPNConnUpgradeRequired),
 		client.WithALPNConnUpgradePing(true), // Use Ping protocol for long-lived connections.
+		client.WithPROXYHeaderGetter(cfg.PROXYHeaderGetter),
 	))
 }
 

diff --git a/api/client/proxy/client_test.go b/api/client/proxy/client_test.go
@@ -30,9 +30,11 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	"github.com/gravitational/trace"
 	"github.com/gravitational/trace/trail"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/agent"
+	"golang.org/x/exp/slices"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
@@ -678,3 +680,57 @@ func TestClusterCredentials(t *testing.T) {
 		})
 	}
 }
+
+func TestNewDialerForGRPCClient(t *testing.T) {
+	t.Run("Check that PROXYHeaderGetter if present sends PROXY header as first bytes on the connection", func(t *testing.T) {
+		listener, err := net.Listen("tcp", "127.0.0.1:0")
+		require.NoError(t, err)
+		t.Cleanup(func() {
+			require.NoError(t, listener.Close())
+		})
+
+		prefix := []byte("FAKEPROXY")
+		proxyHeaderGetter := func() ([]byte, error) {
+			return prefix, nil
+		}
+
+		ctx := context.Background()
+		cfg := &ClientConfig{
+			PROXYHeaderGetter: proxyHeaderGetter,
+		}
+		dialer := newDialerForGRPCClient(ctx, cfg)
+
+		resultChan := make(chan bool)
+		// Start listening, emulating receiving end of connection
+		go func() {
+			conn, err := listener.Accept()
+			if err != nil {
+				assert.Fail(t, err.Error())
+				return
+			}
+
+			buf := make([]byte, len(prefix))
+			_, err = conn.Read(buf)
+			assert.NoError(t, err)
+			t.Cleanup(func() {
+				require.NoError(t, conn.Close())
+			})
+
+			// On the received connection first bytes should be our PROXY prefix
+			resultChan <- slices.Equal(buf, prefix)
+		}()
+
+		conn, err := dialer(ctx, listener.Addr().String())
+		require.NoError(t, err)
+		t.Cleanup(func() {
+			require.NoError(t, conn.Close())
+		})
+
+		select {
+		case res := <-resultChan:
+			require.True(t, res, "Didn't receive required prefix as first bytes on the connection")
+		case <-time.After(time.Second):
+			require.Fail(t, "Timed out waiting for connection")
+		}
+	})
+}
diff --git a/lib/client/api.go b/lib/client/api.go
@@ -2837,6 +2837,7 @@ func (tc *TeleportClient) ConnectToCluster(ctx context.Context) (*ClusterClient,
 		ALPNConnUpgradeRequired: tc.TLSRoutingConnUpgradeRequired,
 		InsecureSkipVerify:      tc.InsecureSkipVerify,
 		ViaJumpHost:             len(tc.JumpHosts) > 0,
+		PROXYHeaderGetter:       CreatePROXYHeaderGetter(ctx, tc.PROXYSigner),
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)