Merge pull request #187775 from devusb/pomerium-0_18_0

pomerium: 0.17.1 -> 0.19.0
2022-09-06 11:59:18 +01:00 · 2022-09-06 11:59:18 +01:00 · c442eb76e4
commit c442eb76e4
parent aa192bd897 0b16c98205
6 changed files with 241 additions and 32 deletions
--- a/pkgs/servers/http/envoy/default.nix
+++ b/pkgs/servers/http/envoy/default.nix
@ -1,14 +1,14 @@
 { lib
-, bazel_4
+, bazel_5
 , buildBazelPackage
 , fetchFromGitHub
-, fetchpatch
 , stdenv
 , cmake
 , gn
 , go
 , jdk
 , ninja
+, patchelf
 , python3
 , linuxHeaders
 , nixosTests
@ -23,19 +23,19 @@ let
    # However, the version string is more useful for end-users.
    # These are contained in a attrset of their own to make it obvious that
    # people should update both.
-    version = "1.21.4";
-    rev = "782ba5e5ab9476770378ec9f1901803e0d38ac41";
+    version = "1.23.1";
+    rev = "edd69583372955fdfa0b8ca3820dd7312c094e46";
  };
 in
 buildBazelPackage rec {
  pname = "envoy";
  inherit (srcVer) version;
-  bazel = bazel_4;
+  bazel = bazel_5;
  src = fetchFromGitHub {
    owner = "envoyproxy";
    repo = "envoy";
    inherit (srcVer) rev;
-    hash = "sha256-SthKDMQs5yNU0iouAPVsDeCPKcsBXmO9ebDwu58UQRs=";
+    sha256 = "sha256:157dbmp479xv5507n48yibvlgi2ac0l3sl9rzm28cm9lhzwva3k0";

    postFetch = ''
      chmod -R +w $out
@ -48,26 +48,21 @@ buildBazelPackage rec {
  postPatch = ''
    sed -i 's,#!/usr/bin/env python3,#!${python3}/bin/python,' bazel/foreign_cc/luajit.patch
    sed -i '/javabase=/d' .bazelrc
-    # Patch paths to build tools, and disable gold because it just segfaults.
-    substituteInPlace bazel/external/wee8.genrule_cmd \
-      --replace '"''$$gn"' '"''$$(command -v gn)"' \
-      --replace '"''$$ninja"' '"''$$(command -v ninja)"' \
-      --replace '"''$$WEE8_BUILD_ARGS"' '"''$$WEE8_BUILD_ARGS use_gold=false"'
+
+    # Use system Python.
+    sed -i -e '/python_interpreter_target =/d' -e '/@python3_10/d' bazel/python_dependencies.bzl
  '';

  patches = [
-    # make linux/tcp.h relative. drop when upgrading to >1.21
-    (fetchpatch {
-      url = "https://github.com/envoyproxy/envoy/commit/68448aae7a78a3123097b6ea96016b270457e7b8.patch";
-      sha256 = "123kv3x37p8fgfp29jhw5xg5js5q5ipibs8hsm7gzfd5bcllnpfh";
-    })
-
    # fix issues with brotli and GCC 11.2.0+ (-Werror=vla-parameter)
    ./bump-brotli.patch

    # fix linux-aarch64 WAMR builds
    # (upstream WAMR only detects aarch64 on Darwin, not Linux)
    ./fix-aarch64-wamr.patch
+
+    # use system Python, not bazel-fetched binary Python
+    ./use-system-python.patch
  ];

  nativeBuildInputs = [
@ -77,6 +72,7 @@ buildBazelPackage rec {
    go
    jdk
    ninja
+    patchelf
  ];

  buildInputs = [
@ -85,8 +81,8 @@ buildBazelPackage rec {

  fetchAttrs = {
    sha256 = {
-      x86_64-linux = "sha256-/SA+WFHcMjk6iLwuEmuBIzy3pMhw7TThIEx292dv6IE=";
-      aarch64-linux = "sha256-0XdeirdIP7+nKy8zZbr2uHN2RZ4ZFOJt9i/+Ow1s/W4=";
+      x86_64-linux = "0y3gpvx148bnn6kljdvkg99m681vw39l0avrhvncbf62hvpifqkw";
+      aarch64-linux = "0lln5mdlskahz5hb4w268ys2ksy3051drrwlhracmk4i7rpm7fq3";
    }.${stdenv.system} or (throw "unsupported system ${stdenv.system}");
    dontUseCmakeConfigure = true;
    dontUseGnConfigure = true;
@ -95,6 +91,12 @@ buildBazelPackage rec {
      find $bazelOut/external -name requirements.bzl | while read requirements; do
        sed -i '/# Generated from /d' "$requirements"
      done
+      find $bazelOut/external -type f -executable | while read execbin; do
+        file "$execbin" | grep -q ': ELF .*, dynamically linked,' || continue
+        patchelf \
+          --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
+          "$execbin"
+      done

      # Remove references to paths in the Nix store.
      sed -i \
@ -138,6 +140,12 @@ buildBazelPackage rec {
    "--cxxopt=-Wno-maybe-uninitialized"
    "--cxxopt=-Wno-uninitialized"
    "--cxxopt=-Wno-error=type-limits"
+    "--cxxopt=-Wno-error=range-loop-construct"
+
+    # Force use of system Java.
+    "--extra_toolchains=@local_jdk//:all"
+    "--java_runtime_version=local_jdk"
+    "--tool_java_runtime_version=local_jdk"

    "--define=wasm=${wasmRuntime}"
  ];
--- a/pkgs/servers/http/envoy/use-system-python.patch
+++ b/pkgs/servers/http/envoy/use-system-python.patch
@ -0,0 +1,58 @@
+diff --git a/bazel/python_dependencies.bzl b/bazel/python_dependencies.bzl
+index d9dfb14a9b..b8e92452a7 100644
+--- a/bazel/python_dependencies.bzl
+++ b/bazel/python_dependencies.bzl
+@@ -1,10 +1,8 @@
+ load("@rules_python//python:pip.bzl", "pip_install", "pip_parse")
+-load("@python3_10//:defs.bzl", "interpreter")
+ 
+ def envoy_python_dependencies():
+     pip_parse(
+         name = "base_pip3",
+-        python_interpreter_target = interpreter,
+         requirements_lock = "@envoy//tools/base:requirements.txt",
+         extra_pip_args = ["--require-hashes"],
+     )
+@@ -12,14 +10,12 @@ def envoy_python_dependencies():
+     # These need to use `pip_install`
+     pip_install(
+         # Note: dev requirements do *not* check hashes
+-        python_interpreter_target = interpreter,
+         name = "dev_pip3",
+         requirements = "@envoy//tools/dev:requirements.txt",
+     )
+ 
+     pip_install(
+         name = "fuzzing_pip3",
+-        python_interpreter_target = interpreter,
+         requirements = "@rules_fuzzing//fuzzing:requirements.txt",
+         extra_pip_args = ["--require-hashes"],
+     )
+diff --git a/bazel/repositories_extra.bzl b/bazel/repositories_extra.bzl
+index 885b41dec6..ac5605eb30 100644
+--- a/bazel/repositories_extra.bzl
+++ b/bazel/repositories_extra.bzl
+@@ -1,22 +1,12 @@
+ load("@emsdk//:deps.bzl", emsdk_deps = "deps")
+-load("@rules_python//python:repositories.bzl", "python_register_toolchains")
+ load("@proxy_wasm_cpp_host//bazel/cargo/wasmtime:crates.bzl", "wasmtime_fetch_remote_crates")
+ load("//bazel/external/cargo:crates.bzl", "raze_fetch_remote_crates")
+ load("@aspect_bazel_lib//lib:repositories.bzl", "aspect_bazel_lib_dependencies")
+ 
+-# Python version for `rules_python`
+-PYTHON_VERSION = "3.10.2"
+-
+ # Envoy deps that rely on a first stage of dependency loading in envoy_dependencies().
+-def envoy_dependencies_extra(python_version = PYTHON_VERSION):
+def envoy_dependencies_extra():
+     emsdk_deps()
+     raze_fetch_remote_crates()
+     wasmtime_fetch_remote_crates()
+ 
+-    # Registers underscored Python minor version - eg `python3_10`
+-    python_register_toolchains(
+-        name = "python%s" % ("_".join(python_version.split(".")[:-1])),
+-        python_version = python_version,
+-    )
+-
+     aspect_bazel_lib_dependencies()
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@ -1,8 +1,10 @@
 { buildGoModule
 , fetchFromGitHub
+, callPackage
 , lib
 , envoy
-, zip
+, mkYarnPackage
+, fetchYarnDeps
 , nixosTests
 , pomerium-cli
 }:
@ -12,19 +14,49 @@ let
 in
 buildGoModule rec {
  pname = "pomerium";
-  version = "0.17.1";
+  version = "0.19.0";
  src = fetchFromGitHub {
    owner = "pomerium";
    repo = "pomerium";
    rev = "v${version}";
-    hash = "sha256:0b9mdzyfn7c6gwgslqk787yyrrcmdjf3282vx2zvhcr3psz0xqwx";
+    sha256 = "sha256:0s5ji1iywymzxlv89y3ivl5vngkifhbpidpwxdrh969l3c5r4klf";
+  };
+
+  vendorSha256 = "sha256:1p78nb7bryvs7p5iq6ihylflyjia60x4hd9c62ffwz37dwqlbi33";
+
+  ui = mkYarnPackage {
+    inherit version;
+    src = "${src}/ui";
+
+    # update pomerium-ui-package.json when updating package, sourced from ui/package.json
+    packageJSON = ./pomerium-ui-package.json;
+    offlineCache = fetchYarnDeps {
+      yarnLock = "${src}/ui/yarn.lock";
+      sha256 = "sha256:1n6swanrds9hbd4yyfjzpnfhsb8fzj1pwvvcg3w7b1cgnihclrmv";
+    };
+
+    buildPhase = ''
+      runHook preBuild
+      yarn --offline build
+      runHook postbuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+      cp -R deps/pomerium/dist $out
+      runHook postInstall
+    '';
+
+    doDist = false;
  };

-  vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
  subPackages = [
    "cmd/pomerium"
  ];

+  # patch pomerium to allow use of external envoy
+  patches = [ ./external-envoy.diff ];
+
  ldflags = let
    # Set a variety of useful meta variables for stamping the build with.
    setVars = {
@ -34,7 +66,7 @@ buildGoModule rec {
        ProjectName = "pomerium";
        ProjectURL = "github.com/pomerium/pomerium";
      };
-      "github.com/pomerium/pomerium/internal/envoy" = {
+      "github.com/pomerium/pomerium/pkg/envoy" = {
        OverrideEnvoyPath = "${envoy}/bin/envoy";
      };
    };
@ -54,8 +86,8 @@ buildGoModule rec {
    # Replace embedded envoy with nothing.
    # We set OverrideEnvoyPath above, so rawBinary should never get looked at
    # but we still need to set a checksum/version.
-    rm internal/envoy/files/files_{darwin,linux}*.go
-    cat <<EOF >internal/envoy/files/files_generic.go
+    rm pkg/envoy/files/files_{darwin,linux}*.go
+    cat <<EOF >pkg/envoy/files/files_external.go
    package files

    import _ "embed" // embed
@ -68,8 +100,11 @@ buildGoModule rec {
    //go:embed envoy.version
    var rawVersion string
    EOF
-    sha256sum '${envoy}/bin/envoy' > internal/envoy/files/envoy.sha256
-    echo '${envoy.version}' > internal/envoy/files/envoy.version
+    sha256sum '${envoy}/bin/envoy' > pkg/envoy/files/envoy.sha256
+    echo '${envoy.version}' > pkg/envoy/files/envoy.version
+
+    # put the built UI files where they will be picked up as part of binary build
+    cp -r ${ui}/* ui/dist
  '';

  installPhase = ''
--- a/pkgs/servers/http/pomerium/external-envoy.diff
+++ b/pkgs/servers/http/pomerium/external-envoy.diff
@ -0,0 +1,48 @@
+diff --git a/pkg/envoy/envoy.go b/pkg/envoy/envoy.go
+index e32cfc29..9d32c057 100644
+--- a/pkg/envoy/envoy.go
+++ b/pkg/envoy/envoy.go
+@@ -8,9 +8,9 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"io"
+	"io/fs"
+ 	"os"
+ 	"os/exec"
+-	"path"
+ 	"path/filepath"
+ 	"regexp"
+ 	"strconv"
+@@ -36,8 +36,12 @@ import (
+ 
+ const (
+ 	configFileName = "envoy-config.yaml"
+	workingDirectoryName = ".pomerium-envoy"
+	embeddedEnvoyPermissions     fs.FileMode = 0o700
+ )
+ 
+var OverrideEnvoyPath = ""
+
+ type serverOptions struct {
+ 	services string
+ 	logLevel string
+@@ -60,13 +64,16 @@ type Server struct {
+ 
+ // NewServer creates a new server with traffic routed by envoy.
+ func NewServer(ctx context.Context, src config.Source, builder *envoyconfig.Builder) (*Server, error) {
+-	envoyPath, err := Extract()
+	envoyPath := OverrideEnvoyPath
+	wd := filepath.Join(os.TempDir(), workingDirectoryName)
+
+	err := os.MkdirAll(wd, embeddedEnvoyPermissions)
+ 	if err != nil {
+-		return nil, fmt.Errorf("extracting envoy: %w", err)
+		return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
+ 	}
+ 
+ 	srv := &Server{
+-		wd:        path.Dir(envoyPath),
+		wd:        wd,
+ 		builder:   builder,
+ 		grpcPort:  src.GetConfig().GRPCPort,
+ 		httpPort:  src.GetConfig().HTTPPort,
--- a/pkgs/servers/http/pomerium/pomerium-ui-package.json
+++ b/pkgs/servers/http/pomerium/pomerium-ui-package.json
@ -0,0 +1,61 @@
+{
+  "name": "pomerium",
+  "version": "1.0.0",
+  "main": "src/index.tsx",
+  "license": "Apache-2.0",
+  "scripts": {
+    "build": "ts-node ./scripts/esbuild.ts",
+    "format": "prettier --write .",
+    "lint": "eslint .",
+    "watch": "ts-node ./scripts/esbuild.ts --watch"
+  },
+  "browserslist": {
+    "production": [
+      ">0.2%",
+      "not dead",
+      "not op_mini all"
+    ],
+    "development": [
+      "last 1 chrome version",
+      "last 1 firefox version",
+      "last 1 safari version"
+    ]
+  },
+  "dependencies": {
+    "@babel/core": "^7.0.0",
+    "@emotion/react": "^11.7.1",
+    "@emotion/styled": "^11.6.0",
+    "@fontsource/dm-mono": "^4.5.2",
+    "@fontsource/dm-sans": "^4.5.1",
+    "@mui/icons-material": "^5.3.1",
+    "@mui/material": "^5.4.0",
+    "luxon": "^2.3.0",
+    "markdown-to-jsx": "^7.1.7",
+    "react": "^17.0.2",
+    "react-dom": "^17.0.2",
+    "react-feather": "^2.0.9"
+  },
+  "devDependencies": {
+    "@trivago/prettier-plugin-sort-imports": "2.0.4",
+    "@types/luxon": "^2.0.9",
+    "@types/node": "^17.0.14",
+    "@types/react": "^17.0.34",
+    "@types/react-dom": "^17.0.11",
+    "@typescript-eslint/eslint-plugin": "^5.10.2",
+    "@typescript-eslint/parser": "^5.10.2",
+    "esbuild": "^0.13.12",
+    "eslint": "7.32.0",
+    "eslint-config-prettier": "^8.3.0",
+    "eslint-plugin-react": "^7.28.0",
+    "prettier": "^2.4.1",
+    "ts-node": "^10.4.0",
+    "typescript": "^4.4.4"
+  },
+  "prettier": {
+    "importOrder": [
+      "^[./]"
+    ],
+    "importOrderSeparation": true,
+    "importOrderSortSpecifiers": true
+  }
+}
--- a/pkgs/tools/security/pomerium-cli/default.nix
+++ b/pkgs/tools/security/pomerium-cli/default.nix
@ -1,7 +1,6 @@
 { buildGoModule
 , fetchFromGitHub
 , lib
-, pomerium
 }:

 let
@ -9,16 +8,16 @@ let
 in
 buildGoModule rec {
  pname = "pomerium-cli";
-  inherit (pomerium) version;
+  version = "0.18.0";

  src = fetchFromGitHub {
    owner = "pomerium";
    repo = "cli";
    rev = "v${version}";
-    hash = "sha256-AZeBtHy2MEPE8uZVJv4wLdOt6f9QNbaQnP5a2YVYYAg=";
+    sha256 = "sha256-P1aEAr+Q2wnKLq3JHQbss6SPdrYnzE8J2yp/Lu5Cg/0=";
  };

-  vendorSha256 = "sha256-K0Vdsl6wD0eJeJRsUjiNPuGx1KPkZrlCCzdyAysVonc=";
+  vendorSha256 = "sha256-AAdhFpFCbUU3kjVQ84sYWYrGBWD5u6f219MvVS0j9Oo=";

  subPackages = [
    "cmd/pomerium-cli"