Merge branch v2.6 into v2.7

2022-04-21 10:59:46 +02:00 · 2022-04-21 10:59:46 +02:00 · 73ba7ed2d2
commit 73ba7ed2d2
parent a49b537d9c 55addfefc8
145 changed files with 1187 additions and 502 deletions
--- a/pkg/config/dynamic/tcp_middlewares.go
+++ b/pkg/config/dynamic/tcp_middlewares.go
@ -4,7 +4,7 @@ package dynamic

 // TCPMiddleware holds the TCPMiddleware configuration.
 type TCPMiddleware struct {
-	InFlightConn *TCPInFlightConn `json:"InFlightConn,omitempty" toml:"InFlightConn,omitempty" yaml:"InFlightConn,omitempty" export:"true"`
+	InFlightConn *TCPInFlightConn `json:"inFlightConn,omitempty" toml:"inFlightConn,omitempty" yaml:"inFlightConn,omitempty" export:"true"`
 	IPWhiteList  *TCPIPWhiteList  `json:"ipWhiteList,omitempty" toml:"ipWhiteList,omitempty" yaml:"ipWhiteList,omitempty" export:"true"`
 }

--- a/pkg/middlewares/buffering/buffering_test.go
+++ b/pkg/middlewares/buffering/buffering_test.go
@ -0,0 +1,72 @@
+package buffering
+
+import (
+	"bytes"
+	"context"
+	"math"
+	"math/rand"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+)
+
+func TestBuffering(t *testing.T) {
+	payload := make([]byte, math.MaxInt8)
+	rand.Read(payload)
+
+	testCases := []struct {
+		desc         string
+		config       dynamic.Buffering
+		body         []byte
+		expectedCode int
+	}{
+		{
+			desc:         "Unlimited response and request body size",
+			body:         payload,
+			expectedCode: http.StatusOK,
+		},
+		{
+			desc: "Limited request body size",
+			config: dynamic.Buffering{
+				MaxRequestBodyBytes: 1,
+			},
+			body:         payload,
+			expectedCode: http.StatusRequestEntityTooLarge,
+		},
+		{
+			desc: "Limited response body size",
+			config: dynamic.Buffering{
+				MaxResponseBodyBytes: 1,
+			},
+			body:         payload,
+			expectedCode: http.StatusInternalServerError,
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			next := http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+				rw.WriteHeader(http.StatusOK)
+				_, err := rw.Write(test.body)
+				require.NoError(t, err)
+			})
+
+			buffMiddleware, err := New(context.Background(), next, test.config, "foo")
+			require.NoError(t, err)
+
+			req := httptest.NewRequest(http.MethodPost, "http://localhost", bytes.NewBuffer(test.body))
+
+			recorder := httptest.NewRecorder()
+			buffMiddleware.ServeHTTP(recorder, req)
+
+			assert.Equal(t, test.expectedCode, recorder.Code)
+		})
+	}
+}
--- a/pkg/middlewares/customerrors/custom_errors.go
+++ b/pkg/middlewares/customerrors/custom_errors.go
@ -2,7 +2,6 @@ package customerrors

 import (
 	"bufio"
-	"bytes"
 	"context"
 	"fmt"
 	"net"
@ -12,7 +11,6 @@ import (
 	"strings"

 	"github.com/opentracing/opentracing-go/ext"
-	"github.com/sirupsen/logrus"
 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
 	"github.com/traefik/traefik/v2/pkg/log"
 	"github.com/traefik/traefik/v2/pkg/middlewares"
@ -23,7 +21,8 @@ import (

 // Compile time validation that the response recorder implements http interfaces correctly.
 var (
-	_ middlewares.Stateful = &responseRecorderWithCloseNotify{}
+	// TODO: maybe remove at least for codeModifierWithCloseNotify.
+	_ middlewares.Stateful = &codeModifierWithCloseNotify{}
 	_ middlewares.Stateful = &codeCatcherWithCloseNotify{}
 )

@ -88,44 +87,25 @@ func (c *customErrors) ServeHTTP(rw http.ResponseWriter, req *http.Request) {

 	// check the recorder code against the configured http status code ranges
 	code := catcher.getCode()
-	for _, block := range c.httpCodeRanges {
-		if code < block[0] || code > block[1] {
-			continue
-		}
+	logger.Debugf("Caught HTTP Status Code %d, returning error page", code)

-		logger.Debugf("Caught HTTP Status Code %d, returning error page", code)
-
-		var query string
-		if len(c.backendQuery) > 0 {
-			query = "/" + strings.TrimPrefix(c.backendQuery, "/")
-			query = strings.ReplaceAll(query, "{status}", strconv.Itoa(code))
-		}
-
-		pageReq, err := newRequest("http://" + req.Host + query)
-		if err != nil {
-			logger.Error(err)
-			rw.WriteHeader(code)
-			_, err = fmt.Fprint(rw, http.StatusText(code))
-			if err != nil {
-				http.Error(rw, err.Error(), http.StatusInternalServerError)
-			}
-			return
-		}
-
-		recorderErrorPage := newResponseRecorder(ctx, rw)
-		utils.CopyHeaders(pageReq.Header, req.Header)
-
-		c.backendHandler.ServeHTTP(recorderErrorPage, pageReq.WithContext(req.Context()))
-
-		utils.CopyHeaders(rw.Header(), recorderErrorPage.Header())
-		rw.WriteHeader(code)
-
-		if _, err = rw.Write(recorderErrorPage.GetBody().Bytes()); err != nil {
-			logger.Error(err)
-		}
+	var query string
+	if len(c.backendQuery) > 0 {
+		query = "/" + strings.TrimPrefix(c.backendQuery, "/")
+		query = strings.ReplaceAll(query, "{status}", strconv.Itoa(code))
+	}

+	pageReq, err := newRequest("http://" + req.Host + query)
+	if err != nil {
+		logger.Error(err)
+		http.Error(rw, http.StatusText(code), code)
 		return
 	}
+
+	utils.CopyHeaders(pageReq.Header, req.Header)
+
+	c.backendHandler.ServeHTTP(newCodeModifier(rw, code),
+		pageReq.WithContext(req.Context()))
 }

 func newRequest(baseURL string) (*http.Request, error) {
@ -158,7 +138,6 @@ type codeCatcher struct {
 	headerMap          http.Header
 	code               int
 	httpCodeRanges     types.HTTPCodeRanges
-	firstWrite         bool
 	caughtFilteredCode bool
 	responseWriter     http.ResponseWriter
 	headersSent        bool
@ -180,7 +159,6 @@ func newCodeCatcher(rw http.ResponseWriter, httpCodeRanges types.HTTPCodeRanges)
 		code:           http.StatusOK, // If backend does not call WriteHeader on us, we consider it's a 200.
 		responseWriter: rw,
 		httpCodeRanges: httpCodeRanges,
-		firstWrite:     true,
 	}
 	if _, ok := rw.(http.CloseNotifier); ok {
 		return &codeCatcherWithCloseNotify{catcher}
@ -207,22 +185,14 @@ func (cc *codeCatcher) isFilteredCode() bool {
 }

 func (cc *codeCatcher) Write(buf []byte) (int, error) {
-	if !cc.firstWrite {
-		if cc.caughtFilteredCode {
-			// We don't care about the contents of the response,
-			// since we want to serve the ones from the error page,
-			// so we just drop them.
-			return len(buf), nil
-		}
-		return cc.responseWriter.Write(buf)
-	}
-	cc.firstWrite = false
-
 	// If WriteHeader was already called from the caller, this is a NOOP.
 	// Otherwise, cc.code is actually a 200 here.
 	cc.WriteHeader(cc.code)

 	if cc.caughtFilteredCode {
+		// We don't care about the contents of the response,
+		// since we want to serve the ones from the error page,
+		// so we just drop them.
 		return len(buf), nil
 	}
 	return cc.responseWriter.Write(buf)
@ -237,14 +207,12 @@ func (cc *codeCatcher) WriteHeader(code int) {
 	for _, block := range cc.httpCodeRanges {
 		if cc.code >= block[0] && cc.code <= block[1] {
 			cc.caughtFilteredCode = true
-			break
+			// it will be up to the caller to send the headers,
+			// so it is out of our hands now.
+			return
 		}
 	}
-	// it will be up to the other response recorder to send the headers,
-	// so it is out of our hands now.
-	if cc.caughtFilteredCode {
-		return
-	}
+
 	utils.CopyHeaders(cc.responseWriter.Header(), cc.Header())
 	cc.responseWriter.WriteHeader(cc.code)
 	cc.headersSent = true
@ -269,105 +237,86 @@ func (cc *codeCatcher) Flush() {
 	}
 }

-type responseRecorder interface {
+// codeModifier forwards a response back to the client,
+// while enforcing a given response code.
+type codeModifier interface {
 	http.ResponseWriter
-	http.Flusher
-	GetCode() int
-	GetBody() *bytes.Buffer
-	IsStreamingResponseStarted() bool
 }

-// newResponseRecorder returns an initialized responseRecorder.
-func newResponseRecorder(ctx context.Context, rw http.ResponseWriter) responseRecorder {
-	recorder := &responseRecorderWithoutCloseNotify{
-		HeaderMap:      make(http.Header),
-		Body:           new(bytes.Buffer),
-		Code:           http.StatusOK,
+// newCodeModifier returns a codeModifier that enforces the given code.
+func newCodeModifier(rw http.ResponseWriter, code int) codeModifier {
+	codeMod := &codeModifierWithoutCloseNotify{
+		headerMap:      make(http.Header),
+		code:           code,
 		responseWriter: rw,
-		logger:         log.FromContext(ctx),
 	}
 	if _, ok := rw.(http.CloseNotifier); ok {
-		return &responseRecorderWithCloseNotify{recorder}
+		return &codeModifierWithCloseNotify{codeMod}
 	}
-	return recorder
+	return codeMod
 }

-// responseRecorderWithoutCloseNotify is an implementation of http.ResponseWriter that
-// records its mutations for later inspection.
-type responseRecorderWithoutCloseNotify struct {
-	Code      int           // the HTTP response code from WriteHeader
-	HeaderMap http.Header   // the HTTP response headers
-	Body      *bytes.Buffer // if non-nil, the bytes.Buffer to append written data to
+type codeModifierWithoutCloseNotify struct {
+	code int // the code enforced in the response.

-	responseWriter           http.ResponseWriter
-	err                      error
-	streamingResponseStarted bool
-	logger                   logrus.FieldLogger
+	// headerSent is whether the headers have already been sent,
+	// either through Write or WriteHeader.
+	headerSent bool
+	headerMap  http.Header // the HTTP response headers from the backend.
+
+	responseWriter http.ResponseWriter
 }

-type responseRecorderWithCloseNotify struct {
-	*responseRecorderWithoutCloseNotify
+type codeModifierWithCloseNotify struct {
+	*codeModifierWithoutCloseNotify
 }

 // CloseNotify returns a channel that receives at most a
 // single value (true) when the client connection has gone away.
-func (r *responseRecorderWithCloseNotify) CloseNotify() <-chan bool {
+func (r *codeModifierWithCloseNotify) CloseNotify() <-chan bool {
 	return r.responseWriter.(http.CloseNotifier).CloseNotify()
 }

 // Header returns the response headers.
-func (r *responseRecorderWithoutCloseNotify) Header() http.Header {
-	if r.HeaderMap == nil {
-		r.HeaderMap = make(http.Header)
+func (r *codeModifierWithoutCloseNotify) Header() http.Header {
+	if r.headerMap == nil {
+		r.headerMap = make(http.Header)
 	}

-	return r.HeaderMap
+	return r.headerMap
 }

-func (r *responseRecorderWithoutCloseNotify) GetCode() int {
-	return r.Code
+// Write calls WriteHeader to send the enforced code,
+// then writes the data directly to r.responseWriter.
+func (r *codeModifierWithoutCloseNotify) Write(buf []byte) (int, error) {
+	r.WriteHeader(r.code)
+	return r.responseWriter.Write(buf)
 }

-func (r *responseRecorderWithoutCloseNotify) GetBody() *bytes.Buffer {
-	return r.Body
-}
-
-func (r *responseRecorderWithoutCloseNotify) IsStreamingResponseStarted() bool {
-	return r.streamingResponseStarted
-}
-
-// Write always succeeds and writes to rw.Body, if not nil.
-func (r *responseRecorderWithoutCloseNotify) Write(buf []byte) (int, error) {
-	if r.err != nil {
-		return 0, r.err
+// WriteHeader sends the headers, with the enforced code (the code in argument
+// is always ignored), if it hasn't already been done.
+func (r *codeModifierWithoutCloseNotify) WriteHeader(_ int) {
+	if r.headerSent {
+		return
 	}
-	return r.Body.Write(buf)
-}

-// WriteHeader sets rw.Code.
-func (r *responseRecorderWithoutCloseNotify) WriteHeader(code int) {
-	r.Code = code
+	utils.CopyHeaders(r.responseWriter.Header(), r.Header())
+	r.responseWriter.WriteHeader(r.code)
+	r.headerSent = true
 }

 // Hijack hijacks the connection.
-func (r *responseRecorderWithoutCloseNotify) Hijack() (net.Conn, *bufio.ReadWriter, error) {
-	return r.responseWriter.(http.Hijacker).Hijack()
+func (r *codeModifierWithoutCloseNotify) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	hijacker, ok := r.responseWriter.(http.Hijacker)
+	if !ok {
+		return nil, nil, fmt.Errorf("%T is not a http.Hijacker", r.responseWriter)
+	}
+	return hijacker.Hijack()
 }

 // Flush sends any buffered data to the client.
-func (r *responseRecorderWithoutCloseNotify) Flush() {
-	if !r.streamingResponseStarted {
-		utils.CopyHeaders(r.responseWriter.Header(), r.Header())
-		r.responseWriter.WriteHeader(r.Code)
-		r.streamingResponseStarted = true
-	}
-
-	_, err := r.responseWriter.Write(r.Body.Bytes())
-	if err != nil {
-		r.logger.Errorf("Error writing response in responseRecorder: %v", err)
-		r.err = err
-	}
-	r.Body.Reset()
+func (r *codeModifierWithoutCloseNotify) Flush() {
+	r.WriteHeader(r.code)

 	if flusher, ok := r.responseWriter.(http.Flusher); ok {
 		flusher.Flush()
--- a/pkg/middlewares/customerrors/custom_errors_test.go
+++ b/pkg/middlewares/customerrors/custom_errors_test.go
@ -180,12 +180,12 @@ func TestNewResponseRecorder(t *testing.T) {
 		{
 			desc:     "Without Close Notify",
 			rw:       httptest.NewRecorder(),
-			expected: &responseRecorderWithoutCloseNotify{},
+			expected: &codeModifierWithoutCloseNotify{},
 		},
 		{
 			desc:     "With Close Notify",
 			rw:       &mockRWCloseNotify{},
-			expected: &responseRecorderWithCloseNotify{},
+			expected: &codeModifierWithCloseNotify{},
 		},
 	}

@ -194,7 +194,7 @@ func TestNewResponseRecorder(t *testing.T) {
 		t.Run(test.desc, func(t *testing.T) {
 			t.Parallel()

-			rec := newResponseRecorder(context.Background(), test.rw)
+			rec := newCodeModifier(test.rw, 0)
 			assert.IsType(t, rec, test.expected)
 		})
 	}
--- a/pkg/middlewares/redirect/redirect.go
+++ b/pkg/middlewares/redirect/redirect.go
@ -15,6 +15,8 @@ const (
 	schemeHTTPS = "https"
 )

+var uriRegexp = regexp.MustCompile(`^(https?):\/\/(\[[\w:.]+\]|[\w\._-]+)?(:\d+)?(.*)$`)
+
 type redirect struct {
 	next        http.Handler
 	regex       *regexp.Regexp
--- a/pkg/middlewares/redirect/redirect_regex.go
+++ b/pkg/middlewares/redirect/redirect_regex.go
@ -3,7 +3,6 @@ package redirect
 import (
 	"context"
 	"net/http"
-	"regexp"
 	"strings"

 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
@ -11,9 +10,7 @@ import (
 	"github.com/traefik/traefik/v2/pkg/middlewares"
 )

-const (
-	typeRegexName = "RedirectRegex"
-)
+const typeRegexName = "RedirectRegex"

 // NewRedirectRegex creates a redirect middleware.
 func NewRedirectRegex(ctx context.Context, next http.Handler, conf dynamic.RedirectRegex, name string) (http.Handler, error) {
@ -30,10 +27,7 @@ func rawURL(req *http.Request) string {
 	port := ""
 	uri := req.RequestURI

-	schemeRegex := `^(https?):\/\/(\[[\w:.]+\]|[\w\._-]+)?(:\d+)?(.*)$`
-	re, _ := regexp.Compile(schemeRegex)
-	if re.Match([]byte(req.RequestURI)) {
-		match := re.FindStringSubmatch(req.RequestURI)
+	if match := uriRegexp.FindStringSubmatch(req.RequestURI); len(match) > 0 {
 		scheme = match[1]

 		if len(match[2]) > 0 {
--- a/pkg/middlewares/redirect/redirect_scheme.go
+++ b/pkg/middlewares/redirect/redirect_scheme.go
@ -5,7 +5,6 @@ import (
 	"errors"
 	"net"
 	"net/http"
-	"regexp"
 	"strings"

 	"github.com/traefik/traefik/v2/pkg/config/dynamic"
@ -14,8 +13,8 @@ import (
 )

 const (
-	typeSchemeName      = "RedirectScheme"
-	schemeRedirectRegex = `^(https?:\/\/)?(\[[\w:.]+\]|[\w\._-]+)?(:\d+)?(.*)$`
+	typeSchemeName = "RedirectScheme"
+	uriPattern     = `^(https?:\/\/)?(\[[\w:.]+\]|[\w\._-]+)?(:\d+)?(.*)$`
 )

 // NewRedirectScheme creates a new RedirectScheme middleware.
@ -33,7 +32,7 @@ func NewRedirectScheme(ctx context.Context, next http.Handler, conf dynamic.Redi
 		port = ":" + conf.Port
 	}

-	return newRedirect(next, schemeRedirectRegex, conf.Scheme+"://${2}"+port+"${4}", conf.Permanent, rawURLScheme, name)
+	return newRedirect(next, uriPattern, conf.Scheme+"://${2}"+port+"${4}", conf.Permanent, rawURLScheme, name)
 }

 func rawURLScheme(req *http.Request) string {
@ -46,10 +45,7 @@ func rawURLScheme(req *http.Request) string {
 	}
 	uri := req.RequestURI

-	schemeRegex := `^(https?):\/\/(\[[\w:.]+\]|[\w\._-]+)?(:\d+)?(.*)$`
-	re, _ := regexp.Compile(schemeRegex)
-	if re.Match([]byte(req.RequestURI)) {
-		match := re.FindStringSubmatch(req.RequestURI)
+	if match := uriRegexp.FindStringSubmatch(req.RequestURI); len(match) > 0 {
 		scheme = match[1]

 		if len(match[2]) > 0 {
--- a/pkg/provider/ecs/ecs.go
+++ b/pkg/provider/ecs/ecs.go
@ -263,8 +263,7 @@ func (p *Provider) listInstances(ctx context.Context, client *awsClient) ([]ecsI
 			return !lastPage
 		})
 		if err != nil {
-			logger.Error("Unable to list tasks")
-			return nil, err
+			return nil, fmt.Errorf("listing tasks: %w", err)
 		}

 		// Skip to the next cluster if there are no tasks found on
@ -370,7 +369,6 @@ func (p *Provider) listInstances(ctx context.Context, client *awsClient) ([]ecsI
 }

 func (p *Provider) lookupEc2Instances(ctx context.Context, client *awsClient, clusterName *string, ecsDatas map[string]*ecs.Task) (map[string]*ec2.Instance, error) {
-	logger := log.FromContext(ctx)
 	instanceIds := make(map[string]string)
 	ec2Instances := make(map[string]*ec2.Instance)

@ -389,8 +387,7 @@ func (p *Provider) lookupEc2Instances(ctx context.Context, client *awsClient, cl
 			Cluster:            clusterName,
 		})
 		if err != nil {
-			logger.Errorf("Unable to describe container instances: %v", err)
-			return nil, err
+			return nil, fmt.Errorf("describing container instances: %w", err)
 		}

 		for _, container := range resp.ContainerInstances {
@ -418,8 +415,7 @@ func (p *Provider) lookupEc2Instances(ctx context.Context, client *awsClient, cl
 				return !lastPage
 			})
 			if err != nil {
-				logger.Errorf("Unable to describe instances: %v", err)
-				return nil, err
+				return nil, fmt.Errorf("describing instances: %w", err)
 			}
 		}
 	}
@ -440,8 +436,7 @@ func (p *Provider) lookupTaskDefinitions(ctx context.Context, client *awsClient,
 				TaskDefinition: task.TaskDefinitionArn,
 			})
 			if err != nil {
-				logger.Errorf("Unable to describe task definition: %v", err)
-				return nil, err
+				return nil, fmt.Errorf("describing task definition: %w", err)
 			}

 			taskDef[arn] = resp.TaskDefinition