Merge pull request #3269 from lann/override-connect-host

factor-outbound-http: Add InterceptRequest::override_connect_host

Author: lann

crates/factor-outbound-http/src/intercept.rs

@@ -39,6 +39,7 @@ pub enum InterceptOutcome {
 pub struct InterceptRequest {
     inner: Request<()>,
     body: InterceptBody,
+    pub(crate) override_connect_host: Option<String>,
 }
 
 enum InterceptBody {
@@ -47,6 +48,18 @@ enum InterceptBody {
 }
 
 impl InterceptRequest {
+    /// Overrides the host that will be connected to for this outbound request.
+    ///
+    /// This override does not have any effect on TLS server name checking or
+    /// HTTP authority / host headers.
+    ///
+    /// This host will not be checked against `allowed_outbound_hosts`; if that
+    /// check should occur it must be performed by the interceptor. The resolved
+    /// IP addresses from this host will be checked against blocked IP networks.
+    pub fn override_connect_host(&mut self, host: impl Into<String>) {
+        self.override_connect_host = Some(host.into())
+    }
+
     pub fn into_hyper_request(self) -> Request<HyperBody> {
         let (parts, ()) = self.inner.into_parts();
         Request::from_parts(parts, self.body.into())
@@ -81,6 +94,7 @@ impl From<Request<HyperBody>> for InterceptRequest {
         Self {
             inner: Request::from_parts(parts, ()),
             body: InterceptBody::Hyper(body),
+            override_connect_host: None,
         }
     }
 }
@@ -91,6 +105,7 @@ impl From<Request<Vec<u8>>> for InterceptRequest {
         Self {
             inner: Request::from_parts(parts, ()),
             body: InterceptBody::Vec(body),
+            override_connect_host: None,
         }
     }
 }

crates/factor-outbound-http/src/wasi.rs

@@ -166,10 +166,12 @@ impl RequestSender {
         spin_telemetry::inject_trace_context(&mut request);
 
         // Run any configured request interceptor
+        let mut override_connect_host = None;
         if let Some(interceptor) = &self.request_interceptor {
             let intercept_request = std::mem::take(&mut request).into();
             match interceptor.intercept(intercept_request).await? {
-                InterceptOutcome::Continue(req) => {
+                InterceptOutcome::Continue(mut req) => {
+                    override_connect_host = req.override_connect_host.take();
                     request = req.into_hyper_request();
                 }
                 InterceptOutcome::Complete(resp) => {
@@ -186,13 +188,16 @@ impl RequestSender {
         // Backfill span fields after potentially updating the URL in the interceptor
         if let Some(authority) = request.uri().authority() {
             let span = tracing::Span::current();
-            span.record("server.address", authority.host());
+            let host = override_connect_host.as_deref().unwrap_or(authority.host());
+            span.record("server.address", host);
             if let Some(port) = authority.port() {
                 span.record("server.port", port.as_u16());
             }
         }
 
-        Ok(self.send_request(request, config).await?)
+        Ok(self
+            .send_request(request, config, override_connect_host)
+            .await?)
     }
 
     async fn prepare_request(
@@ -270,6 +275,7 @@ impl RequestSender {
         self,
         request: OutgoingRequest,
         config: OutgoingRequestConfig,
+        override_connect_host: Option<String>,
     ) -> Result<IncomingResponse, ErrorCode> {
         let OutgoingRequestConfig {
             use_tls,
@@ -290,6 +296,7 @@ impl RequestSender {
                 blocked_networks: self.blocked_networks,
                 connect_timeout,
                 tls_client_config,
+                override_connect_host,
             },
             async move {
                 if use_tls {
@@ -369,11 +376,16 @@ struct ConnectOptions {
     blocked_networks: BlockedNetworks,
     connect_timeout: Duration,
     tls_client_config: Option<TlsClientConfig>,
+    override_connect_host: Option<String>,
 }
 
 impl ConnectOptions {
     async fn connect_tcp(&self, uri: &Uri, default_port: u16) -> Result<TcpStream, ErrorCode> {
-        let host = uri.host().ok_or(ErrorCode::HttpRequestUriInvalid)?;
+        let host = self
+            .override_connect_host
+            .as_deref()
+            .or(uri.host())
+            .ok_or(ErrorCode::HttpRequestUriInvalid)?;
         let host_and_port = (host, uri.port_u16().unwrap_or(default_port));
 
         let mut socket_addrs = tokio::net::lookup_host(host_and_port)

crates/factor-outbound-http/tests/factor_test.rs

@@ -4,12 +4,14 @@ use anyhow::bail;
 use http::{Request, Uri};
 use spin_common::{assert_matches, assert_not_matches};
 use spin_factor_outbound_http::{
+    intercept::{InterceptOutcome, InterceptRequest, OutboundHttpInterceptor},
     ErrorCode, HostFutureIncomingResponse, OutboundHttpFactor, SelfRequestOrigin,
 };
 use spin_factor_outbound_networking::OutboundNetworkingFactor;
 use spin_factor_variables::VariablesFactor;
 use spin_factors::{anyhow, RuntimeFactors};
 use spin_factors_test::{toml, TestEnvironment};
+use spin_world::async_trait;
 use wasmtime_wasi::p2::Pollable;
 use wasmtime_wasi_http::{types::OutgoingRequestConfig, WasiHttpView};
 
@@ -98,6 +100,34 @@ async fn disallowed_private_ips_fails() -> anyhow::Result<()> {
     Ok(())
 }
 
+#[tokio::test]
+async fn override_connect_host_disallowed_private_ip_fails() -> anyhow::Result<()> {
+    let mut state = test_instance_state("http://*", false).await?;
+    state.http.set_request_interceptor({
+        struct Interceptor;
+        #[async_trait]
+        impl OutboundHttpInterceptor for Interceptor {
+            async fn intercept(
+                &self,
+                mut request: InterceptRequest,
+            ) -> wasmtime_wasi_http::HttpResult<InterceptOutcome> {
+                request.override_connect_host("localhost");
+                Ok(InterceptOutcome::Continue(request))
+            }
+        }
+        Interceptor
+    })?;
+    let mut wasi_http = OutboundHttpFactor::get_wasi_http_impl(&mut state).unwrap();
+    let req = Request::get("http://1.1.1.1").body(Default::default())?;
+    let mut future_resp = wasi_http.send_request(req, test_request_config())?;
+    future_resp.ready().await;
+    assert_matches!(
+        future_resp.unwrap_ready().unwrap(),
+        Err(ErrorCode::DestinationIpProhibited),
+    );
+    Ok(())
+}
+
 async fn test_instance_state(
     allowed_outbound_hosts: &str,
     allow_private_ips: bool,
@@ -128,9 +158,9 @@ async fn test_instance_state(
 fn test_request_config() -> OutgoingRequestConfig {
     OutgoingRequestConfig {
         use_tls: false,
-        connect_timeout: Duration::from_millis(1),
-        first_byte_timeout: Duration::from_millis(1),
-        between_bytes_timeout: Duration::from_millis(1),
+        connect_timeout: Duration::from_millis(10),
+        first_byte_timeout: Duration::from_millis(10),
+        between_bytes_timeout: Duration::from_millis(10),
     }
 }