Merge pull request #2837 from fermyon/convert-from-old-http

Convert from old allowed_http_hosts locked app value.

Author: rylev

Cargo.lock

@@ -466,7 +466,7 @@ mod tests {
         let out_dir = PathBuf::from(std::env::var_os("OUT_DIR").unwrap());
         let mut cmd = process::Command::new("cargo");
         cmd.arg("build")
-            .current_dir(&format!("tests/{name}"))
+            .current_dir(format!("tests/{name}"))
             .arg("--release")
             .arg("--target=wasm32-wasi")
             .env("CARGO_TARGET_DIR", out_dir);

crates/componentize/src/lib.rs

@@ -18,6 +18,7 @@ spin-factor-variables = { path = "../factor-variables" }
 spin-factor-wasi = { path = "../factor-wasi" }
 spin-factors = { path = "../factors" }
 spin-locked-app = { path = "../locked-app" }
+spin-manifest = { path = "../manifest" }
 spin-serde = { path = "../serde" }
 terminal = { path = "../terminal" }
 tracing = { workspace = true }

crates/factor-outbound-networking/Cargo.toml

@@ -1,13 +1,39 @@
 use std::ops::Range;
 
 use anyhow::{bail, ensure, Context};
+use spin_factors::AppComponent;
 use spin_locked_app::MetadataKey;
 
-pub const ALLOWED_HOSTS_KEY: MetadataKey<Vec<String>> = MetadataKey::new("allowed_outbound_hosts");
+const ALLOWED_HOSTS_KEY: MetadataKey<Vec<String>> = MetadataKey::new("allowed_outbound_hosts");
+const ALLOWED_HTTP_KEY: MetadataKey<Vec<String>> = MetadataKey::new("allowed_http_hosts");
 
 pub const SERVICE_CHAINING_DOMAIN: &str = "spin.internal";
 pub const SERVICE_CHAINING_DOMAIN_SUFFIX: &str = ".spin.internal";
 
+/// Get the raw values of the `allowed_outbound_hosts` locked app metadata key.
+///
+/// This has support for converting the old `allowed_http_hosts` key to the new `allowed_outbound_hosts` key.
+pub fn allowed_outbound_hosts(component: &AppComponent) -> anyhow::Result<Vec<String>> {
+    let mut allowed_hosts = component
+        .get_metadata(ALLOWED_HOSTS_KEY)
+        .with_context(|| {
+            format!(
+                "locked app metadata was malformed for key {}",
+                ALLOWED_HOSTS_KEY.as_ref()
+            )
+        })?
+        .unwrap_or_default();
+    let allowed_http = component
+        .get_metadata(ALLOWED_HTTP_KEY)
+        .map(|h| h.unwrap_or_default())
+        .unwrap_or_default();
+    let converted =
+        spin_manifest::compat::convert_allowed_http_to_allowed_hosts(&allowed_http, false)
+            .unwrap_or_default();
+    allowed_hosts.extend(converted);
+    Ok(allowed_hosts)
+}
+
 /// An address is a url-like string that contains a host, a port, and an optional scheme
 #[derive(Eq, Debug, Clone)]
 pub struct AllowedHostConfig {
@@ -718,6 +744,11 @@ mod test {
         );
     }
 
+    #[test]
+    fn test_missing_scheme() {
+        assert!(AllowedHostConfig::parse("example.com").is_err());
+    }
+
     #[test]
     fn test_allowed_hosts_can_be_specific() {
         let allowed = AllowedHostsConfig::parse(

crates/factor-outbound-networking/src/config.rs

@@ -3,7 +3,6 @@ pub mod runtime_config;
 
 use std::{collections::HashMap, sync::Arc};
 
-use config::ALLOWED_HOSTS_KEY;
 use futures_util::{
     future::{BoxFuture, Shared},
     FutureExt,
@@ -17,8 +16,8 @@ use spin_factors::{
 };
 
 pub use config::{
-    is_service_chaining_host, parse_service_chaining_target, AllowedHostConfig, AllowedHostsConfig,
-    HostConfig, OutboundUrl, SERVICE_CHAINING_DOMAIN_SUFFIX,
+    allowed_outbound_hosts, is_service_chaining_host, parse_service_chaining_target,
+    AllowedHostConfig, AllowedHostsConfig, HostConfig, OutboundUrl, SERVICE_CHAINING_DOMAIN_SUFFIX,
 };
 
 pub use runtime_config::ComponentTlsConfigs;
@@ -58,9 +57,7 @@ impl Factor for OutboundNetworkingFactor {
             .map(|component| {
                 Ok((
                     component.id().to_string(),
-                    component
-                        .get_metadata(ALLOWED_HOSTS_KEY)?
-                        .unwrap_or_default()
+                    allowed_outbound_hosts(&component)?
                         .into_boxed_slice()
                         .into(),
                 ))

crates/factor-outbound-networking/src/lib.rs

@@ -97,7 +97,11 @@ pub fn v1_to_v2_app(manifest: v1::AppManifestV1) -> Result<v2::AppManifest, Erro
     })
 }
 
-pub(crate) fn convert_allowed_http_to_allowed_hosts(
+/// Converts the old `allowed_http_hosts` field to the new `allowed_outbound_hosts` field.
+///
+/// If `allow_database_access` is `true`, the function will also allow access to all redis,
+/// mysql, and postgres databases as this was the default before `allowed_outbound_hosts` was introduced.
+pub fn convert_allowed_http_to_allowed_hosts(
     allowed_http_hosts: &[impl AsRef<str>],
     allow_database_access: bool,
 ) -> anyhow::Result<Vec<String>> {