From 49eea19b4baf53dc79421375f3f556d7e08605ed Mon Sep 17 00:00:00 2001
From: Sanskar Jaiswal
Date: Mon, 26 Jun 2023 19:01:02 +0530
Subject: [PATCH] runtime/client: add util func to check conn options compatibility with env

Add `CheckEnvironmentCompatibility()` to check whether the configured connection options are compatible with the environment, by checking env vars like `HTTP_PROXY` and `HTTPS_PROXY`.

Signed-off-by: Sanskar Jaiswal
---
 runtime/controller/connection.go | 38 +++++++++++++++++++++++++++++---
 runtime/go.mod | 2 +-
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/runtime/controller/connection.go b/runtime/controller/connection.go
index 57688075..afd0f40d 100644
--- a/runtime/controller/connection.go
+++ b/runtime/controller/connection.go
@@ -16,12 +16,21 @@ limitations under the License.

 package controller

-import "github.com/spf13/pflag"
+import (
+ "fmt"
+ "net/url"

-const flagInsecureAllowHTTP = "insecure-allow-http"
+ "github.com/spf13/pflag"
+ "golang.org/x/net/http/httpproxy"
+)
+
+const (
+ flagInsecureAllowHTTP = "insecure-allow-http"
+)

 // ConnectionOptions defines the configurable options for outbound connections
-// opened by reconcilers.
+// opened by reconcilers. Consumers are expected to check for compatibility via
+// `CheckEnvironmentCompatibility()` before using its values.
 type ConnectionOptions struct {
 // AllowHTTP, if set to true allows the controller to make plain HTTP
 // connections to external services.
@@ -34,3 +43,26 @@ func (o *ConnectionOptions) BindFlags(fs *pflag.FlagSet) {
 fs.BoolVar(&o.AllowHTTP, flagInsecureAllowHTTP, true, "Allow the controller to make HTTP requests to external services like insecure Git servers, container registries, etc.")
 }
+
+// CheckEnvironmentCompatibility checks if the enviornment is compatible with
+// the configured connection options.
+func (o *ConnectionOptions) CheckEnvironmentCompatibility() error {
+ if !o.AllowHTTP {
+ config := httpproxy.FromEnvironment()
+ if config.HTTPProxy != "" {
+ return fmt.Errorf("usage of HTTP requests is blocked but found a HTTP proxy set in enviornment")
+ }
+
+ if config.HTTPSProxy != "" {
+ proxy, err := url.Parse(config.HTTPSProxy)
+ if err != nil {
+ return fmt.Errorf("unable to parse address specified in the HTTPS proxy enviornment setting: %w", err)
+ }
+
+ if proxy.Scheme != "https" {
+ return fmt.Errorf("usage of HTTP requests is blocked but found a non-https address in the HTTPS proxy enviornment setting")
+ }
+ }
+ }
+ return nil
+}
diff --git a/runtime/go.mod b/runtime/go.mod
index 7a4eec10..eafeb2a1 100644
--- a/runtime/go.mod
+++ b/runtime/go.mod
@@ -23,6 +23,7 @@ require (
 github.com/spf13/pflag v1.0.5
 github.com/stretchr/testify v1.8.4
 go.uber.org/zap v1.24.0
+ golang.org/x/net v0.10.0
 k8s.io/api v0.27.3
 k8s.io/apimachinery v0.27.3
 k8s.io/client-go v0.27.3
@@ -89,7 +90,6 @@ require (
 go.starlark.net v0.0.0-20221028183056-acb66ad56dd2 // indirect
 go.uber.org/atomic v1.10.0 // indirect
 go.uber.org/multierr v1.8.0 // indirect
- golang.org/x/net v0.10.0 // indirect
 golang.org/x/oauth2 v0.5.0 // indirect
 golang.org/x/sys v0.8.0 // indirect
 golang.org/x/term v0.8.0 // indirect
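Review bot: The `%w` wrap of the `url.Parse` error in the HTTPS-proxy branch of `CheckEnvironmentCompatibility` can carry the raw proxy value into the returned error, because `*url.Error` prints the string it failed to parse. If the HTTPS proxy setting embeds `user:password@` credentials and the caller logs this error (the caller is not shown here, so this is inferred), those credentials end up in the log. Consider reporting only the underlying cause, e.g. `var uerr *url.Error` followed by `if errors.As(err, &uerr) { err = uerr.Err }` before the `fmt.Errorf`, which also needs the `errors` import. Separately, "enviornment" is misspelled in the doc comment and in all three error strings; since these strings are user-facing they should read "environment". The function is fully contained in this hunk.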