refactor: merge shared codes

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>

internal/gatewayapi/securitypolicy.go

@@ -8,6 +8,7 @@ package gatewayapi
 import (
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"sort"
@@ -531,6 +532,12 @@ func validateTokenEndpoint(tokenEndpoint string) error {
 		return fmt.Errorf("token endpoint URL scheme must be https: %s", tokenEndpoint)
 	}
 
+	if ip := net.ParseIP(parsedURL.Hostname()); ip != nil {
+		if v4 := ip.To4(); v4 != nil {
+			return fmt.Errorf("token endpoint URL must be a domain name: %s", tokenEndpoint)
+		}
+	}
+
 	if parsedURL.Port() != "" {
 		_, err = strconv.Atoi(parsedURL.Port())
 		if err != nil {

internal/xds/translator/accesslog.go

@@ -250,7 +250,7 @@ func processClusterForAccessLog(tCtx *types.ResourceVersionTable, al *ir.AccessL
 			name:         clusterName,
 			settings:     []*ir.DestinationSetting{ds},
 			tSocket:      nil,
-			endpointType: DefaultEndpointType,
+			endpointType: EndpointTypeDNS,
 		}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 			return err
 		}

internal/xds/translator/cluster.go

@@ -43,7 +43,7 @@ func buildXdsCluster(args *xdsClusterArgs) *clusterv3.Cluster {
 		cluster.TransportSocket = args.tSocket
 	}
 
-	if args.endpointType == Static {
+	if args.endpointType == EndpointTypeStatic {
 		cluster.ClusterDiscoveryType = &clusterv3.Cluster_Type{Type: clusterv3.Cluster_EDS}
 		cluster.EdsClusterConfig = &clusterv3.Cluster_EdsClusterConfig{
 			ServiceName: args.name,

internal/xds/translator/cluster_test.go

@@ -31,7 +31,7 @@ func TestBuildXdsCluster(t *testing.T) {
 	args := &xdsClusterArgs{
 		name:         bootstrapXdsCluster.Name,
 		tSocket:      bootstrapXdsCluster.TransportSocket,
-		endpointType: DefaultEndpointType,
+		endpointType: EndpointTypeDNS,
 	}
 	dynamicXdsCluster := buildXdsCluster(args)
 

internal/xds/translator/jwt_authn.go

@@ -8,10 +8,6 @@ package translator
 import (
 	"errors"
 	"fmt"
-	"net"
-	"net/url"
-	"strconv"
-	"strings"
 
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
@@ -23,7 +19,6 @@ import (
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/durationpb"
 
-	"github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/ir"
 	"github.com/envoyproxy/gateway/internal/utils/ptr"
 	"github.com/envoyproxy/gateway/internal/xds/types"
@@ -102,7 +97,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 			for i := range route.JWT.Providers {
 				irProvider := route.JWT.Providers[i]
 				// Create the cluster for the remote jwks, if it doesn't exist.
-				jwksCluster, err := newJWKSCluster(&irProvider)
+				jwksCluster, err := url2Cluster(irProvider.RemoteJWKS.URI)
 				if err != nil {
 					return nil, err
 				}
@@ -228,13 +223,6 @@ func patchRouteWithJWT(route *routev3.Route, irRoute *ir.HTTPRoute) error {
 	return nil
 }
 
-type jwksCluster struct {
-	name     string
-	hostname string
-	port     uint32
-	isStatic bool
-}
-
 // createJWKSClusters creates JWKS clusters from the provided routes, if needed.
 func createJWKSClusters(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRoute) error {
 	if tCtx == nil ||
@@ -248,11 +236,7 @@ func createJWKSClusters(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRoute
 		if routeContainsJWTAuthn(route) {
 			for i := range route.JWT.Providers {
 				provider := route.JWT.Providers[i]
-				jwks, err := newJWKSCluster(&provider)
-				epType := DefaultEndpointType
-				if jwks.isStatic {
-					epType = Static
-				}
+				jwks, err := url2Cluster(provider.RemoteJWKS.URI)
 				if err != nil {
 					return err
 				}
@@ -268,7 +252,7 @@ func createJWKSClusters(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRoute
 					name:         jwks.name,
 					settings:     []*ir.DestinationSetting{ds},
 					tSocket:      tSocket,
-					endpointType: epType,
+					endpointType: jwks.endpointType,
 				}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 					return err
 				}
@@ -279,51 +263,6 @@ func createJWKSClusters(tCtx *types.ResourceVersionTable, routes []*ir.HTTPRoute
 	return nil
 }
 
-// newJWKSCluster returns a jwksCluster from the provided provider.
-func newJWKSCluster(provider *v1alpha1.JWTProvider) (*jwksCluster, error) {
-	static := false
-	if provider == nil {
-		return nil, errors.New("nil provider")
-	}
-
-	u, err := url.Parse(provider.RemoteJWKS.URI)
-	if err != nil {
-		return nil, err
-	}
-
-	var strPort string
-	switch u.Scheme {
-	case "https":
-		strPort = "443"
-	default:
-		return nil, fmt.Errorf("unsupported JWKS URI scheme %s", u.Scheme)
-	}
-
-	if u.Port() != "" {
-		strPort = u.Port()
-	}
-
-	name := fmt.Sprintf("%s_%s", strings.ReplaceAll(u.Hostname(), ".", "_"), strPort)
-
-	port, err := strconv.Atoi(strPort)
-	if err != nil {
-		return nil, err
-	}
-
-	if ip := net.ParseIP(u.Hostname()); ip != nil {
-		if v4 := ip.To4(); v4 != nil {
-			static = true
-		}
-	}
-
-	return &jwksCluster{
-		name:     name,
-		hostname: u.Hostname(),
-		port:     uint32(port),
-		isStatic: static,
-	}, nil
-}
-
 // listenerContainsJWTAuthn returns true if JWT authentication exists for the
 // provided listener.
 func listenerContainsJWTAuthn(irListener *ir.HTTPListener) bool {

internal/xds/translator/oidc.go

@@ -9,8 +9,6 @@ import (
 	"crypto/rand"
 	"errors"
 	"fmt"
-	"net/url"
-	"strconv"
 
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
@@ -30,7 +28,6 @@ import (
 
 const (
 	oauth2Filter                = "envoy.filters.http.oauth2"
-	defaultTokenEndpointPort    = 443
 	defaultTokenEndpointTimeout = 10
 	redirectURL                 = "%REQ(x-forwarded-proto)%://%REQ(:authority)%/oauth2/callback"
 	redirectPathMatcher         = "/oauth2/callback"
@@ -73,7 +70,10 @@ func patchHCMWithOAuth2Filter(mgr *hcmv3.HttpConnectionManager, irListener *ir.H
 
 // buildHCMOAuth2Filter returns an OAuth2 HTTP filter from the provided IR HTTPRoute.
 func buildHCMOAuth2Filter(route *ir.HTTPRoute) (*hcmv3.HttpFilter, error) {
-	oauth2Proto := oauth2Config(route)
+	oauth2Proto, err := oauth2Config(route)
+	if err != nil {
+		return nil, err
+	}
 
 	if err := oauth2Proto.ValidateAll(); err != nil {
 		return nil, err
@@ -96,17 +96,23 @@ func oauth2FilterName(route *ir.HTTPRoute) string {
 	return fmt.Sprintf("%s_%s", oauth2Filter, route.Name)
 }
 
-func oauth2Config(route *ir.HTTPRoute) *oauth2v3.OAuth2 {
-	// Ignore the errors because we already validate the token endpoint
-	// URL in the gateway API translator.
-	tokenEndpointURL, _ := url.Parse(route.OIDC.Provider.TokenEndpoint)
+func oauth2Config(route *ir.HTTPRoute) (*oauth2v3.OAuth2, error) {
+	cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint)
+	if err != nil {
+		return nil, err
+	}
+	if cluster.endpointType == EndpointTypeStatic {
+		return nil, fmt.Errorf(
+			"static IP cluster is not allowed: %s",
+			route.OIDC.Provider.TokenEndpoint)
+	}
 
 	oauth2 := &oauth2v3.OAuth2{
 		Config: &oauth2v3.OAuth2Config{
 			TokenEndpoint: &corev3.HttpUri{
 				Uri: route.OIDC.Provider.TokenEndpoint,
 				HttpUpstreamType: &corev3.HttpUri_Cluster{
-					Cluster: oauth2TokenEndpointClusterName(tokenEndpointURL),
+					Cluster: cluster.name,
 				},
 				Timeout: &duration.Duration{
 					Seconds: defaultTokenEndpointTimeout,
@@ -150,7 +156,7 @@ func oauth2Config(route *ir.HTTPRoute) *oauth2v3.OAuth2 {
 			AuthScopes: route.OIDC.Scopes,
 		},
 	}
-	return oauth2
+	return oauth2, nil
 }
 
 // routeContainsOIDC returns true if OIDC exists for the provided route.
@@ -181,16 +187,20 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable, routes
 			continue
 		}
 
-		// Ignore the errors because we already validate the token endpoint
-		// URL in the gateway API translator.
-		tokenEndpointURL, _ := url.Parse(route.OIDC.Provider.TokenEndpoint)
-		port := defaultTokenEndpointPort
-		if tokenEndpointURL.Port() != "" {
-			port, _ = strconv.Atoi(tokenEndpointURL.Port())
+		cluster, err := url2Cluster(route.OIDC.Provider.TokenEndpoint)
+		if err != nil {
+			return err
+		}
+
+		// EG does not support static IP clusters for token endpoint clusters.
+		if cluster.endpointType == EndpointTypeStatic {
+			return fmt.Errorf(
+				"static IP cluster is not allowed: %s",
+				route.OIDC.Provider.TokenEndpoint)
 		}
 
 		tlsContext := &tlsv3.UpstreamTlsContext{
-			Sni: tokenEndpointURL.Hostname(),
+			Sni: cluster.hostname,
 		}
 
 		tlsContextAny, err := anypb.New(tlsContext)
@@ -207,15 +217,16 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable, routes
 		ds := &ir.DestinationSetting{
 			Weight: ptr.To(uint32(1)),
 			Endpoints: []*ir.DestinationEndpoint{ir.NewDestEndpoint(
-				tokenEndpointURL.Hostname(),
-				uint32(port))},
+				cluster.hostname,
+				cluster.port),
+			},
 		}
 
 		if err := addXdsCluster(tCtx, &xdsClusterArgs{
-			name:         oauth2TokenEndpointClusterName(tokenEndpointURL),
+			name:         cluster.name,
 			settings:     []*ir.DestinationSetting{ds},
 			tSocket:      tSocket,
-			endpointType: DefaultEndpointType, // TODO support static endpoint
+			endpointType: cluster.endpointType,
 		}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 			return err
 		}
@@ -224,9 +235,9 @@ func createOAuth2TokenEndpointClusters(tCtx *types.ResourceVersionTable, routes
 	return nil
 }
 
-func oauth2TokenEndpointClusterName(tokenEndpointURL *url.URL) string {
-	return fmt.Sprintf("oauth2_token_endpoint_%s", tokenEndpointURL.Hostname())
-}
+/*func oauth2TokenEndpointClusterName(cluster *Cluster) string {
+	return fmt.Sprintf("oauth2_token_endpoint_%s", cluster.hostname)
+}*/
 
 // createOAuth2Secrets creates OAuth2 client and HMAC secrets from the provided
 // routes, if needed.

internal/xds/translator/ratelimit.go

@@ -8,7 +8,6 @@ package translator
 import (
 	"bytes"
 	"errors"
-
 	"net/url"
 	"strconv"
 	"strings"
@@ -446,7 +445,7 @@ func (t *Translator) createRateLimitServiceCluster(tCtx *types.ResourceVersionTa
 		name:         clusterName,
 		settings:     []*ir.DestinationSetting{ds},
 		tSocket:      tSocket,
-		endpointType: DefaultEndpointType,
+		endpointType: EndpointTypeDNS,
 	}); err != nil && !errors.Is(err, ErrXdsClusterExists) {
 		return err
 	}

internal/xds/translator/shared_types.go

@@ -0,0 +1,64 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package translator
+
+import (
+	"fmt"
+	"net"
+	"net/url"
+	"strconv"
+	"strings"
+)
+
+const (
+	defaultPort = 443
+)
+
+// urlCluster is a cluster that is created from a URL.
+type urlCluster struct {
+	name         string
+	hostname     string
+	port         uint32
+	endpointType EndpointType
+}
+
+// url2Cluster returns a urlCluster from the provided url.
+func url2Cluster(strURL string) (*urlCluster, error) {
+	epType := EndpointTypeDNS
+
+	// The URL should have already been validated in the gateway API translator.
+	u, err := url.Parse(strURL)
+	if err != nil {
+		return nil, err
+	}
+
+	if u.Scheme != "https" {
+		return nil, fmt.Errorf("unsupported URI scheme %s", u.Scheme)
+	}
+
+	port := defaultPort
+	if u.Port() != "" {
+		port, err = strconv.Atoi(u.Port())
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	name := fmt.Sprintf("%s_%d", strings.ReplaceAll(u.Hostname(), ".", "_"), port)
+
+	if ip := net.ParseIP(u.Hostname()); ip != nil {
+		if v4 := ip.To4(); v4 != nil {
+			epType = EndpointTypeStatic
+		}
+	}
+
+	return &urlCluster{
+		name:         name,
+		hostname:     u.Hostname(),
+		port:         uint32(port),
+		endpointType: epType,
+	}, nil
+}