coupergateway · malud · Apr 22, 2022 · Apr 12, 2022 · Apr 12, 2022 · Apr 12, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,6 +24,7 @@ Unreleased changes are available as `avenga/couper:edge` container.
   * Multiple labels for [`error_handler` blocks](./docs/ERRORS.md#error_handler-specification) ([#462](https://github.com/avenga/couper/pull/462))
   * [`error_handler` blocks](./docs/REFERENCE.md#error-handler-block) for an error type defined in both `endpoint` and `api` ([#469](https://github.com/avenga/couper/pull/469))
   * Request methods are treated case-insensitively when comparing them to methods in the `allowed_methods` attribute of [`api`](./docs/REFERENCE.md#api-block) or [`endpoint`](./docs/REFERENCE.md#endpoint-block) blocks ([#478](https://github.com/avenga/couper/pull/478))
+  * Do not allow multiple `backend` blocks in `proxy` and `request` blocks ([#483](https://github.com/avenga/couper/pull/483))
 
 * **Removed**
   * support for `beta_oidc` block (use [`oidc` block](./docs/REFERENCE.md#oidc-block) instead) ([#475](https://github.com/avenga/couper/pull/475))

diff --git a/config/configload/helper.go b/config/configload/helper.go
@@ -95,7 +95,7 @@ func (h *helper) configureACBackends() error {
 		acs = append(acs, ac)
 	}
 
-	for _, ac := range append(h.config.Definitions.OIDC) {
+	for _, ac := range h.config.Definitions.OIDC {
 		acs = append(acs, ac)
 	}
 

diff --git a/config/configload/merge.go b/config/configload/merge.go
@@ -13,49 +13,10 @@ import (
 	"github.com/zclconf/go-cty/cty"
 )
 
-func errorUniqueLabels(block *hclsyntax.Block) error {
-	defRange := block.DefRange()
-
-	return hcl.Diagnostics{
-		&hcl.Diagnostic{
-			Severity: hcl.DiagError,
-			Summary:  fmt.Sprintf("All %s blocks must have unique labels.", block.Type),
-			Subject:  &defRange,
-		},
-	}
-}
-
-// absPath replaces the given attribute path expression with an absolute path
-// related to its filename if not already an absolute one.
-func absPath(attr *hclsyntax.Attribute) hclsyntax.Expression {
-	value, diags := attr.Expr.Value(envContext)
-	if diags.HasErrors() || strings.Index(value.AsString(), "/") == 0 {
-		return attr.Expr // Return unchanged in error cases and for absolute path values.
-	}
-
-	return &hclsyntax.LiteralValueExpr{
-		Val: cty.StringVal(
-			path.Join(filepath.Dir(attr.SrcRange.Filename), value.AsString()),
-		),
-		SrcRange: attr.SrcRange,
-	}
-}
-
-func absBackendBlock(backendBlock *hclsyntax.Block) {
-	for _, block := range backendBlock.Body.Blocks {
-		if block.Type == "openapi" {
-			if attr, ok := block.Body.Attributes["file"]; ok {
-				block.Body.Attributes["file"].Expr = absPath(attr)
-			}
-		} else if block.Type == oauth2 {
-			for _, innerBlock := range block.Body.Blocks {
-				if innerBlock.Type == backend {
-					absBackendBlock(innerBlock) // Recursive call
-				}
-			}
-		}
-	}
-}
+const (
+	errMultipleBackends = "Multiple definitions of backend are not allowed."
+	errUniqueLabels     = "All %s blocks must have unique labels."
+)
 
 func mergeServers(bodies []*hclsyntax.Body) (hclsyntax.Blocks, error) {
 	type (
@@ -110,7 +71,7 @@ func mergeServers(bodies []*hclsyntax.Body) (hclsyntax.Blocks, error) {
 
 			if len(bodies) > 1 {
 				if _, ok := uniqueServerLabels[serverKey]; ok {
-					return nil, errorUniqueLabels(outerBlock)
+					return nil, newMergeError(errUniqueLabels, outerBlock)
 				}
 
 				uniqueServerLabels[serverKey] = struct{}{}
@@ -166,17 +127,15 @@ func mergeServers(bodies []*hclsyntax.Body) (hclsyntax.Blocks, error) {
 				}
 
 				if block.Type == endpoint {
+					if err := absInBackends(block); err != nil { // Backend block inside a free endpoint block
+						return nil, err
+					}
+
 					if len(block.Labels) == 0 {
-						return nil, errorUniqueLabels(block)
+						return nil, newMergeError(errUniqueLabels, block)
 					}
 
 					results[serverKey].endpoints[block.Labels[0]] = block
-
-					for _, innerBlock := range block.Body.Blocks {
-						if innerBlock.Type == backend {
-							absBackendBlock(innerBlock) // Backend block inside a free endpoint block
-						}
-					}
 				} else if block.Type == api {
 					var apiKey string
 
@@ -186,7 +145,7 @@ func mergeServers(bodies []*hclsyntax.Body) (hclsyntax.Blocks, error) {
 
 					if len(bodies) > 1 {
 						if _, ok := uniqueAPILabels[apiKey]; ok {
-							return nil, errorUniqueLabels(block)
+							return nil, newMergeError(errUniqueLabels, block)
 						}
 
 						uniqueAPILabels[apiKey] = struct{}{}
@@ -211,12 +170,22 @@ func mergeServers(bodies []*hclsyntax.Body) (hclsyntax.Blocks, error) {
 
 					for _, subBlock := range block.Body.Blocks {
 						if subBlock.Type == endpoint {
+							if err := absInBackends(subBlock); err != nil {
+								return nil, err
+							}
+
 							if len(subBlock.Labels) == 0 {
-								return nil, errorUniqueLabels(subBlock)
+								return nil, newMergeError(errUniqueLabels, subBlock)
 							}
+
 							results[serverKey].apis[apiKey].endpoints[subBlock.Labels[0]] = subBlock
 						} else if subBlock.Type == errorHandler {
+							if err := absInBackends(subBlock); err != nil {
+								return nil, err
+							}
+
 							ehKey := newErrorHandlerKey(subBlock)
+
 							results[serverKey].apis[apiKey].errorHandler[ehKey] = subBlock
 						} else {
 							results[serverKey].apis[apiKey].blocks[subBlock.Type] = subBlock
@@ -299,7 +268,7 @@ func mergeDefinitions(bodies []*hclsyntax.Body) (*hclsyntax.Block, error) {
 					}
 
 					if len(innerBlock.Labels) == 0 {
-						return nil, errorUniqueLabels(innerBlock)
+						return nil, newMergeError(errUniqueLabels, innerBlock)
 					}
 
 					definitionsBlock[innerBlock.Type][innerBlock.Labels[0]] = innerBlock
@@ -313,16 +282,35 @@ func mergeDefinitions(bodies []*hclsyntax.Body) (*hclsyntax.Block, error) {
 						}
 					}
 
+					// Count the "backend" blocks and "backend" attributes to
+					// forbid multiple backend definitions.
+
+					var backends int
+
 					for _, block := range innerBlock.Body.Blocks {
 						if block.Type == errorHandler {
-							if attr, ok := innerBlock.Body.Attributes["error_file"]; ok {
-								innerBlock.Body.Attributes["error_file"].Expr = absPath(attr)
+							if attr, ok := block.Body.Attributes["error_file"]; ok {
+								block.Body.Attributes["error_file"].Expr = absPath(attr)
+							}
+
+							if err := absInBackends(block); err != nil {
+								return nil, err
 							}
 						} else if block.Type == backend {
-							absBackendBlock(innerBlock) // Backend block inside a AC block
+							absBackendBlock(block) // Backend block inside an AC block
+
+							backends++
 						}
 					}
 
+					if _, ok := innerBlock.Body.Attributes[backend]; ok {
+						backends++
+					}
+
+					if backends > 1 {
+						return nil, newMergeError(errMultipleBackends, innerBlock)
+					}
+
 					if innerBlock.Type == backend {
 						absBackendBlock(innerBlock) // Backend block inside the definitions block
 					}
@@ -347,22 +335,6 @@ func mergeDefinitions(bodies []*hclsyntax.Body) (*hclsyntax.Block, error) {
 	}, nil
 }
 
-// newErrorHandlerKey returns a merge key based on a possible mixed error-kind format.
-// "label1" and/or "label2 label3" results in "label1 label2 label3".
-func newErrorHandlerKey(block *hclsyntax.Block) (key string) {
-	if len(block.Labels) == 0 {
-		return key
-	}
-
-	var sorted []string
-	for _, l := range block.Labels {
-		sorted = append(sorted, strings.Split(l, errorHandlerLabelSep)...)
-	}
-	sort.Strings(sorted)
-	key = strings.Join(sorted, errorHandlerLabelSep)
-	return key
-}
-
 func mergeDefaults(bodies []*hclsyntax.Body) (*hclsyntax.Block, error) {
 	attrs := make(hclsyntax.Attributes)
 	envVars := make(map[string]cty.Value)
@@ -433,3 +405,98 @@ func mergeSettings(bodies []*hclsyntax.Body) *hclsyntax.Block {
 		},
 	}
 }
+
+func newMergeError(msg string, block *hclsyntax.Block) error {
+	defRange := block.DefRange()
+
+	return hcl.Diagnostics{
+		&hcl.Diagnostic{
+			Severity: hcl.DiagError,
+			Summary:  fmt.Sprintf(msg, block.Type),
+			Subject:  &defRange,
+		},
+	}
+}
+
+// absPath replaces the given attribute path expression with an absolute path
+// related to its filename if not already an absolute one.
+func absPath(attr *hclsyntax.Attribute) hclsyntax.Expression {
+	value, diags := attr.Expr.Value(envContext)
+	if diags.HasErrors() || strings.Index(value.AsString(), "/") == 0 {
+		return attr.Expr // Return unchanged in error cases and for absolute path values.
+	}
+
+	return &hclsyntax.LiteralValueExpr{
+		Val: cty.StringVal(
+			path.Join(filepath.Dir(attr.SrcRange.Filename), value.AsString()),
+		),
+		SrcRange: attr.SrcRange,
+	}
+}
+
+func absBackendBlock(backendBlock *hclsyntax.Block) {
+	for _, block := range backendBlock.Body.Blocks {
+		if block.Type == "openapi" {
+			if attr, ok := block.Body.Attributes["file"]; ok {
+				block.Body.Attributes["file"].Expr = absPath(attr)
+			}
+		} else if block.Type == oauth2 {
+			for _, innerBlock := range block.Body.Blocks {
+				if innerBlock.Type == backend {
+					absBackendBlock(innerBlock) // Recursive call
+				}
+			}
+		}
+	}
+}
+
+// absInBackends searches for "backend" blocks inside a proxy or request block to
+// be able to rewrite relative pathes. Additionally, the function counts the "backend"
+// blocks and "backend" attributes to forbid multiple backend definitions.
+func absInBackends(block *hclsyntax.Block) error {
+	for _, subBlock := range block.Body.Blocks {
+		if subBlock.Type == errorHandler {
+			return absInBackends(subBlock) // Recursive call
+		}
+
+		if subBlock.Type != proxy && subBlock.Type != request {
+			continue
+		}
+
+		var backends int
+
+		for _, subSubBlock := range subBlock.Body.Blocks {
+			if subSubBlock.Type == backend {
+				absBackendBlock(subSubBlock) // Backend block inside a proxy or request block
+
+				backends++
+			}
+		}
+
+		if _, ok := subBlock.Body.Attributes[backend]; ok {
+			backends++
+		}
+
+		if backends > 1 {
+			return newMergeError(errMultipleBackends, block)
+		}
+	}
+
+	return nil
+}
+
+// newErrorHandlerKey returns a merge key based on a possible mixed error-kind format.
+// "label1" and/or "label2 label3" results in "label1 label2 label3".
+func newErrorHandlerKey(block *hclsyntax.Block) (key string) {
+	if len(block.Labels) == 0 {
+		return key
+	}
+
+	var sorted []string
+	for _, l := range block.Labels {
+		sorted = append(sorted, strings.Split(l, errorHandlerLabelSep)...)
+	}
+	sort.Strings(sorted)
+
+	return strings.Join(sorted, errorHandlerLabelSep)
+}
diff --git a/config/configload/validate.go b/config/configload/validate.go
@@ -117,7 +117,7 @@ func invalidOriginRefinement(reference, params hcl.Body) error {
 
 	if paramOrigin != nil && refOrigin != nil {
 		if paramOrigin.Expr != refOrigin.Expr {
-			return newDiagErr(&paramOrigin.Range, fmt.Sprintf("backend reference: origin must be equal"))
+			return newDiagErr(&paramOrigin.Range, "backend reference: origin must be equal")
 		}
 	}
 	return nil

diff --git a/server/multi_files_test.go b/server/multi_files_test.go
@@ -3,9 +3,11 @@ package server_test
 import (
 	"io"
 	"net/http"
+	"path/filepath"
 	"strings"
 	"testing"
 
+	"github.com/avenga/couper/config/configload"
 	"github.com/avenga/couper/internal/test"
 )
 
@@ -27,7 +29,7 @@ func TestMultiFiles_Server(t *testing.T) {
 	req, err := http.NewRequest(http.MethodGet, "http://example.com:8080/", nil)
 	helper.Must(err)
 
-	res, err := client.Do(req)
+	_, err = client.Do(req)
 	if err == nil || err.Error() != `Get "http://example.com:8080/": dial tcp4 127.0.0.1:8080: connect: connection refused` {
 		t.Error("Expected hosts port override to 9080")
 	}
@@ -60,7 +62,7 @@ func TestMultiFiles_Server(t *testing.T) {
 			req.Header.Set(k, v)
 		}
 
-		res, err = client.Do(req)
+		res, err := client.Do(req)
 		helper.Must(err)
 
 		if res.StatusCode != tc.expStatus {
@@ -175,3 +177,24 @@ func TestMultiFiles_Definitions(t *testing.T) {
 		t.Errorf("Unexpected body given: %s", s)
 	}
 }
+
+func TestMultiFiles_MultipleBackends(t *testing.T) {
+	type testCase struct {
+		config string
+	}
+
+	for _, tc := range []testCase{
+		{"testdata/multi/backends/errors/ac.hcl"},
+		{"testdata/multi/backends/errors/ac_eh.hcl"},
+		{"testdata/multi/backends/errors/ep.hcl"},
+		{"testdata/multi/backends/errors/api_ep.hcl"},
+	} {
+		t.Run(tc.config, func(st *testing.T) {
+			_, err := configload.LoadFiles(filepath.Join(testWorkingDir, tc.config), "")
+
+			if !strings.Contains(err.Error(), "Multiple definitions of backend are not allowed.") {
+				st.Errorf("Unexpected error: %s", err.Error())
+			}
+		})
+	}
+}
diff --git a/server/mux.go b/server/mux.go
@@ -30,12 +30,6 @@ type Mux struct {
 	spaRoot      *pathpattern.Node
 }
 
-var fileMethods = []string{
-	http.MethodGet,
-	http.MethodHead,
-	http.MethodOptions,
-}
-
 const (
 	serverOptionsKey    = "serverContextOptions"
 	wildcardReplacement = "/{_couper_wildcardMatch*}"

diff --git a/server/testdata/multi/backends/errors/ac.hcl b/server/testdata/multi/backends/errors/ac.hcl
@@ -0,0 +1,8 @@
+definitions {
+  jwt "JWT" {
+    backend {
+      origin = "https:/example.com"
+    }
+    backend = "BE"
+  }
+}