authorLuke Granger-Brown <git@lukegb.com>2022-09-06 11:59:18 +0100
committerGitHub <noreply@github.com>2022-09-06 11:59:18 +0100
commitc442eb76e44ab63b534fd73de021bf8910173c7f (patch)
tree07cff7d32cc10826f64d796a3122c2388c59879c /pkgs/servers/http
parentaa192bd8976b6ad31fd61708e6fa24c6c8310c8c (diff)
parent0b16c98205c02df91ab72d687a66927f34e3a7aa (diff)
Merge pull request #187775 from devusb/pomerium-0_18_0
pomerium: 0.17.1 -> 0.19.0
Diffstat (limited to 'pkgs/servers/http')
-rw-r--r--pkgs/servers/http/envoy/default.nix46
-rw-r--r--pkgs/servers/http/envoy/use-system-python.patch58
-rw-r--r--pkgs/servers/http/pomerium/default.nix53
-rw-r--r--pkgs/servers/http/pomerium/external-envoy.diff48
-rw-r--r--pkgs/servers/http/pomerium/pomerium-ui-package.json61
5 files changed, 238 insertions, 28 deletions
diff --git a/pkgs/servers/http/envoy/default.nix b/pkgs/servers/http/envoy/default.nix
index 1cd6e0c785efa..b9342ccd4fac5 100644
--- a/pkgs/servers/http/envoy/default.nix
+++ b/pkgs/servers/http/envoy/default.nix
@@ -1,14 +1,14 @@
 { lib
-, bazel_4
+, bazel_5
 , buildBazelPackage
 , fetchFromGitHub
-, fetchpatch
 , stdenv
 , cmake
 , gn
 , go
 , jdk
 , ninja
+, patchelf
 , python3
 , linuxHeaders
 , nixosTests
@@ -23,19 +23,19 @@ let
     # However, the version string is more useful for end-users.
     # These are contained in a attrset of their own to make it obvious that
     # people should update both.
-    version = "1.21.4";
-    rev = "782ba5e5ab9476770378ec9f1901803e0d38ac41";
+    version = "1.23.1";
+    rev = "edd69583372955fdfa0b8ca3820dd7312c094e46";
   };
 in
 buildBazelPackage rec {
   pname = "envoy";
   inherit (srcVer) version;
-  bazel = bazel_4;
+  bazel = bazel_5;
   src = fetchFromGitHub {
     owner = "envoyproxy";
     repo = "envoy";
     inherit (srcVer) rev;
-    hash = "sha256-SthKDMQs5yNU0iouAPVsDeCPKcsBXmO9ebDwu58UQRs=";
+    sha256 = "sha256:157dbmp479xv5507n48yibvlgi2ac0l3sl9rzm28cm9lhzwva3k0";
 
     postFetch = ''
       chmod -R +w $out
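Review bot: The `src` fetch on the `+` line moves from the SRI form the file already used (`hash = "sha256-…"`) to the legacy `sha256 = "sha256:<base32>"` form, which is a step backwards from current nixpkgs convention and makes the hash harder to cross-check against `nix hash`/`nix-prefetch` output. Prefer `hash = "sha256-…";` here, and the same applies to the `fetchAttrs` hashes and the pomerium source/yarn hashes elsewhere in this PR. The `postFetch` string this hunk ends in continues outside the hunk.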
@@ -48,26 +48,21 @@ buildBazelPackage rec {
   postPatch = ''
     sed -i 's,#!/usr/bin/env python3,#!${python3}/bin/python,' bazel/foreign_cc/luajit.patch
     sed -i '/javabase=/d' .bazelrc
-    # Patch paths to build tools, and disable gold because it just segfaults.
-    substituteInPlace bazel/external/wee8.genrule_cmd \
-      --replace '"''$$gn"' '"''$$(command -v gn)"' \
-      --replace '"''$$ninja"' '"''$$(command -v ninja)"' \
-      --replace '"''$$WEE8_BUILD_ARGS"' '"''$$WEE8_BUILD_ARGS use_gold=false"'
+
+    # Use system Python.
+    sed -i -e '/python_interpreter_target =/d' -e '/@python3_10/d' bazel/python_dependencies.bzl
   '';
 
   patches = [
-    # make linux/tcp.h relative. drop when upgrading to >1.21
-    (fetchpatch {
-      url = "https://github.com/envoyproxy/envoy/commit/68448aae7a78a3123097b6ea96016b270457e7b8.patch";
-      sha256 = "123kv3x37p8fgfp29jhw5xg5js5q5ipibs8hsm7gzfd5bcllnpfh";
-    })
-
     # fix issues with brotli and GCC 11.2.0+ (-Werror=vla-parameter)
     ./bump-brotli.patch
 
     # fix linux-aarch64 WAMR builds
     # (upstream WAMR only detects aarch64 on Darwin, not Linux)
     ./fix-aarch64-wamr.patch
+
+    # use system Python, not bazel-fetched binary Python
+    ./use-system-python.patch
   ];
 
   nativeBuildInputs = [
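Review bot: The new `sed -i -e '/python_interpreter_target =/d' -e '/@python3_10/d' bazel/python_dependencies.bzl` in `postPatch` deletes exactly the lines that `./use-system-python.patch`, added to `patches` in the same hunk, already removes from that file. Because `postPatch` runs after the patches are applied, the sed is a no-op today, and if upstream reshuffles the file only one of the two mechanisms will keep working, which makes the next bump harder to debug. Keep just the patch — it fails loudly on a mismatch, whereas the sed silently matches nothing — and drop the two `sed` lines plus the `# Use system Python.` comment. `postPatch` and `patches` are fully inside the hunk; the enclosing `buildBazelPackage rec {` begins above it.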
@@ -77,6 +72,7 @@ buildBazelPackage rec {
     go
     jdk
     ninja
+    patchelf
   ];
 
   buildInputs = [
@@ -85,8 +81,8 @@ buildBazelPackage rec {
 
   fetchAttrs = {
     sha256 = {
-      x86_64-linux = "sha256-/SA+WFHcMjk6iLwuEmuBIzy3pMhw7TThIEx292dv6IE=";
-      aarch64-linux = "sha256-0XdeirdIP7+nKy8zZbr2uHN2RZ4ZFOJt9i/+Ow1s/W4=";
+      x86_64-linux = "0y3gpvx148bnn6kljdvkg99m681vw39l0avrhvncbf62hvpifqkw";
+      aarch64-linux = "0lln5mdlskahz5hb4w268ys2ksy3051drrwlhracmk4i7rpm7fq3";
     }.${stdenv.system} or (throw "unsupported system ${stdenv.system}");
     dontUseCmakeConfigure = true;
     dontUseGnConfigure = true;
@@ -95,6 +91,12 @@ buildBazelPackage rec {
       find $bazelOut/external -name requirements.bzl | while read requirements; do
         sed -i '/# Generated from /d' "$requirements"
       done
+      find $bazelOut/external -type f -executable | while read execbin; do
+        file "$execbin" | grep -q ': ELF .*, dynamically linked,' || continue
+        patchelf \
+          --set-interpreter $(cat ${stdenv.cc}/nix-support/dynamic-linker) \
+          "$execbin"
+      done
 
       # Remove references to paths in the Nix store.
       sed -i \
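Review bot: The `patchelf --set-interpreter` loop writes the store path of `${stdenv.cc}`'s dynamic linker into every dynamically linked ELF under `$bazelOut/external`, and it runs inside `fetchAttrs`, i.e. inside the fixed-output fetch; unless the `sed` starting on the hunk's last line ("Remove references to paths in the Nix store") also rewrites those binaries, the `fetchAttrs.sha256` values now depend on the bootstrap glibc path and will mismatch on every stdenv/glibc change, not only when Envoy's dependencies change. Please either confirm that sed covers the patched binaries, or move the patching out of the fixed-output step (e.g. into the build side), so the fetch hash stays a function of upstream inputs alone. Independently, the loop should read paths safely: `find $bazelOut/external -type f -executable -print0 | while IFS= read -r -d '' execbin; do`. The `fetchAttrs` attrset begins before this hunk and its trailing `sed` continues past it.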
@@ -138,6 +140,12 @@ buildBazelPackage rec {
     "--cxxopt=-Wno-maybe-uninitialized"
     "--cxxopt=-Wno-uninitialized"
     "--cxxopt=-Wno-error=type-limits"
+    "--cxxopt=-Wno-error=range-loop-construct"
+
+    # Force use of system Java.
+    "--extra_toolchains=@local_jdk//:all"
+    "--java_runtime_version=local_jdk"
+    "--tool_java_runtime_version=local_jdk"
 
     "--define=wasm=${wasmRuntime}"
   ];
diff --git a/pkgs/servers/http/envoy/use-system-python.patch b/pkgs/servers/http/envoy/use-system-python.patch
new file mode 100644
index 0000000000000..a2030cc75fd05
--- /dev/null
+++ b/pkgs/servers/http/envoy/use-system-python.patch
@@ -0,0 +1,58 @@
+diff --git a/bazel/python_dependencies.bzl b/bazel/python_dependencies.bzl
+index d9dfb14a9b..b8e92452a7 100644
+--- a/bazel/python_dependencies.bzl
++++ b/bazel/python_dependencies.bzl
+@@ -1,10 +1,8 @@
+ load("@rules_python//python:pip.bzl", "pip_install", "pip_parse")
+-load("@python3_10//:defs.bzl", "interpreter")
+ 
+ def envoy_python_dependencies():
+     pip_parse(
+         name = "base_pip3",
+-        python_interpreter_target = interpreter,
+         requirements_lock = "@envoy//tools/base:requirements.txt",
+         extra_pip_args = ["--require-hashes"],
+     )
+@@ -12,14 +10,12 @@ def envoy_python_dependencies():
+     # These need to use `pip_install`
+     pip_install(
+         # Note: dev requirements do *not* check hashes
+-        python_interpreter_target = interpreter,
+         name = "dev_pip3",
+         requirements = "@envoy//tools/dev:requirements.txt",
+     )
+ 
+     pip_install(
+         name = "fuzzing_pip3",
+-        python_interpreter_target = interpreter,
+         requirements = "@rules_fuzzing//fuzzing:requirements.txt",
+         extra_pip_args = ["--require-hashes"],
+     )
+diff --git a/bazel/repositories_extra.bzl b/bazel/repositories_extra.bzl
+index 885b41dec6..ac5605eb30 100644
+--- a/bazel/repositories_extra.bzl
++++ b/bazel/repositories_extra.bzl
+@@ -1,22 +1,12 @@
+ load("@emsdk//:deps.bzl", emsdk_deps = "deps")
+-load("@rules_python//python:repositories.bzl", "python_register_toolchains")
+ load("@proxy_wasm_cpp_host//bazel/cargo/wasmtime:crates.bzl", "wasmtime_fetch_remote_crates")
+ load("//bazel/external/cargo:crates.bzl", "raze_fetch_remote_crates")
+ load("@aspect_bazel_lib//lib:repositories.bzl", "aspect_bazel_lib_dependencies")
+ 
+-# Python version for `rules_python`
+-PYTHON_VERSION = "3.10.2"
+-
+ # Envoy deps that rely on a first stage of dependency loading in envoy_dependencies().
+-def envoy_dependencies_extra(python_version = PYTHON_VERSION):
++def envoy_dependencies_extra():
+     emsdk_deps()
+     raze_fetch_remote_crates()
+     wasmtime_fetch_remote_crates()
+ 
+-    # Registers underscored Python minor version - eg `python3_10`
+-    python_register_toolchains(
+-        name = "python%s" % ("_".join(python_version.split(".")[:-1])),
+-        python_version = python_version,
+-    )
+-
+     aspect_bazel_lib_dependencies()
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index b6de805a619bd..42af2054caf28 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -1,8 +1,10 @@
 { buildGoModule
 , fetchFromGitHub
+, callPackage
 , lib
 , envoy
-, zip
+, mkYarnPackage
+, fetchYarnDeps
 , nixosTests
 , pomerium-cli
 }:
@@ -12,19 +14,49 @@ let
 in
 buildGoModule rec {
   pname = "pomerium";
-  version = "0.17.1";
+  version = "0.19.0";
   src = fetchFromGitHub {
     owner = "pomerium";
     repo = "pomerium";
     rev = "v${version}";
-    hash = "sha256:0b9mdzyfn7c6gwgslqk787yyrrcmdjf3282vx2zvhcr3psz0xqwx";
+    sha256 = "sha256:0s5ji1iywymzxlv89y3ivl5vngkifhbpidpwxdrh969l3c5r4klf";
+  };
+
+  vendorSha256 = "sha256:1p78nb7bryvs7p5iq6ihylflyjia60x4hd9c62ffwz37dwqlbi33";
+
+  ui = mkYarnPackage {
+    inherit version;
+    src = "${src}/ui";
+
+    # update pomerium-ui-package.json when updating package, sourced from ui/package.json
+    packageJSON = ./pomerium-ui-package.json;
+    offlineCache = fetchYarnDeps {
+      yarnLock = "${src}/ui/yarn.lock";
+      sha256 = "sha256:1n6swanrds9hbd4yyfjzpnfhsb8fzj1pwvvcg3w7b1cgnihclrmv";
+    };
+
+    buildPhase = ''
+      runHook preBuild
+      yarn --offline build
+      runHook postbuild
+    '';
+
+    installPhase = ''
+      runHook preInstall
+      cp -R deps/pomerium/dist $out
+      runHook postInstall
+    '';
+
+    doDist = false;
   };
 
-  vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
   subPackages = [
     "cmd/pomerium"
   ];
 
+  # patch pomerium to allow use of external envoy
+  patches = [ ./external-envoy.diff ];
+
   ldflags = let
     # Set a variety of useful meta variables for stamping the build with.
     setVars = {
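Review bot: `runHook postbuild` in the `ui` derivation's `buildPhase` has the wrong case — the stdenv hook is `postBuild`, and `runHook` on an unknown name runs nothing, so any `postBuild` hook attached to this derivation is silently skipped. Change it to `runHook postBuild` to match the `runHook preBuild` above it and the `preInstall`/`postInstall` pair in `installPhase`. The `mkYarnPackage` call and the `src`/`vendorSha256` attributes are fully inside the hunk; `buildGoModule rec {` starts above it.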
@@ -34,7 +66,7 @@ buildGoModule rec {
         ProjectName = "pomerium";
         ProjectURL = "github.com/pomerium/pomerium";
       };
-      "github.com/pomerium/pomerium/internal/envoy" = {
+      "github.com/pomerium/pomerium/pkg/envoy" = {
         OverrideEnvoyPath = "${envoy}/bin/envoy";
       };
     };
@@ -54,8 +86,8 @@ buildGoModule rec {
     # Replace embedded envoy with nothing.
     # We set OverrideEnvoyPath above, so rawBinary should never get looked at
     # but we still need to set a checksum/version.
-    rm internal/envoy/files/files_{darwin,linux}*.go
-    cat <<EOF >internal/envoy/files/files_generic.go
+    rm pkg/envoy/files/files_{darwin,linux}*.go
+    cat <<EOF >pkg/envoy/files/files_external.go
     package files
 
     import _ "embed" // embed
@@ -68,8 +100,11 @@ buildGoModule rec {
     //go:embed envoy.version
     var rawVersion string
     EOF
-    sha256sum '${envoy}/bin/envoy' > internal/envoy/files/envoy.sha256
-    echo '${envoy.version}' > internal/envoy/files/envoy.version
+    sha256sum '${envoy}/bin/envoy' > pkg/envoy/files/envoy.sha256
+    echo '${envoy.version}' > pkg/envoy/files/envoy.version
+
+    # put the built UI files where they will be picked up as part of binary build
+    cp -r ${ui}/* ui/dist
   '';
 
   installPhase = ''
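Review bot: `cp -r ${ui}/* ui/dist` assumes `ui/dist` already exists in the checked-out pomerium tree; if it does not (it is a build output that upstream would normally not commit), `cp` with several sources and a missing destination fails with "target is not a directory", and with a single source it creates a file named `dist` instead. I cannot see the tree from here, so if the directory is not guaranteed, add `mkdir -p ui/dist` immediately before the copy. The shell string this sits in begins before the hunk.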
diff --git a/pkgs/servers/http/pomerium/external-envoy.diff b/pkgs/servers/http/pomerium/external-envoy.diff
new file mode 100644
index 0000000000000..49f4985ad77c3
--- /dev/null
+++ b/pkgs/servers/http/pomerium/external-envoy.diff
@@ -0,0 +1,48 @@
+diff --git a/pkg/envoy/envoy.go b/pkg/envoy/envoy.go
+index e32cfc29..9d32c057 100644
+--- a/pkg/envoy/envoy.go
++++ b/pkg/envoy/envoy.go
+@@ -8,9 +8,9 @@ import (
+ 	"errors"
+ 	"fmt"
+ 	"io"
++	"io/fs"
+ 	"os"
+ 	"os/exec"
+-	"path"
+ 	"path/filepath"
+ 	"regexp"
+ 	"strconv"
+@@ -36,8 +36,12 @@ import (
+ 
+ const (
+ 	configFileName = "envoy-config.yaml"
++	workingDirectoryName = ".pomerium-envoy"
++	embeddedEnvoyPermissions     fs.FileMode = 0o700
+ )
+ 
++var OverrideEnvoyPath = ""
++
+ type serverOptions struct {
+ 	services string
+ 	logLevel string
+@@ -60,13 +64,16 @@ type Server struct {
+ 
+ // NewServer creates a new server with traffic routed by envoy.
+ func NewServer(ctx context.Context, src config.Source, builder *envoyconfig.Builder) (*Server, error) {
+-	envoyPath, err := Extract()
++	envoyPath := OverrideEnvoyPath
++	wd := filepath.Join(os.TempDir(), workingDirectoryName)
++
++	err := os.MkdirAll(wd, embeddedEnvoyPermissions)
+ 	if err != nil {
+-		return nil, fmt.Errorf("extracting envoy: %w", err)
++		return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
+ 	}
+ 
+ 	srv := &Server{
+-		wd:        path.Dir(envoyPath),
++		wd:        wd,
+ 		builder:   builder,
+ 		grpcPort:  src.GetConfig().GRPCPort,
+ 		httpPort:  src.GetConfig().HTTPPort,
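Review bot: `os.MkdirAll(wd, embeddedEnvoyPermissions)` on the fixed, predictable path `os.TempDir()/.pomerium-envoy` only applies the 0700 mode when it creates the directory; if another local user has already created `/tmp/.pomerium-envoy` (or a symlink by that name), the call succeeds and `envoy-config.yaml` is then written into a directory they control, so the 0700 constant gives no protection on a shared host. Either take a per-process directory from `os.MkdirTemp(os.TempDir(), "pomerium-envoy-")`, or, if the fixed name is needed, `Lstat` the result after `MkdirAll` and refuse anything that is not a plain directory with exactly 0700 (an owner check via `syscall.Stat_t` would be stronger but is platform-specific). Separately, `OverrideEnvoyPath` defaults to `""` and is never validated, so a build that omits the `-X` ldflag yields a server that fails later with an unhelpful exec error; a guard up front gives a clear message. The rest of `NewServer`, the `Server` struct and the `Extract` helper this patch bypasses lie outside the hunk.

```go
	envoyPath := OverrideEnvoyPath
	if envoyPath == "" {
		return nil, errors.New("envoy: OverrideEnvoyPath is empty; build with -X github.com/pomerium/pomerium/pkg/envoy.OverrideEnvoyPath=<path to envoy binary>")
	}
	wd := filepath.Join(os.TempDir(), workingDirectoryName)

	if err := os.MkdirAll(wd, embeddedEnvoyPermissions); err != nil {
		return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
	}
	// MkdirAll leaves a pre-existing directory (or symlink) untouched, so
	// re-check that we got a private directory and not something another
	// local user planted under the shared temp dir.
	fi, err := os.Lstat(wd)
	if err != nil {
		return nil, fmt.Errorf("error inspecting envoy working directory: %w", err)
	}
	if !fi.IsDir() || fi.Mode().Perm() != embeddedEnvoyPermissions {
		return nil, fmt.Errorf("refusing to use envoy working directory %q: not a directory with mode %o", wd, embeddedEnvoyPermissions)
	}

	// … unchanged: srv := &Server{ … } …
```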
diff --git a/pkgs/servers/http/pomerium/pomerium-ui-package.json b/pkgs/servers/http/pomerium/pomerium-ui-package.json
new file mode 100644
index 0000000000000..6b9dcf4a3e8d9
--- /dev/null
+++ b/pkgs/servers/http/pomerium/pomerium-ui-package.json
@@ -0,0 +1,61 @@
+{
+  "name": "pomerium",
+  "version": "1.0.0",
+  "main": "src/index.tsx",
+  "license": "Apache-2.0",
+  "scripts": {
+    "build": "ts-node ./scripts/esbuild.ts",
+    "format": "prettier --write .",
+    "lint": "eslint .",
+    "watch": "ts-node ./scripts/esbuild.ts --watch"
+  },
+  "browserslist": {
+    "production": [
+      ">0.2%",
+      "not dead",
+      "not op_mini all"
+    ],
+    "development": [
+      "last 1 chrome version",
+      "last 1 firefox version",
+      "last 1 safari version"
+    ]
+  },
+  "dependencies": {
+    "@babel/core": "^7.0.0",
+    "@emotion/react": "^11.7.1",
+    "@emotion/styled": "^11.6.0",
+    "@fontsource/dm-mono": "^4.5.2",
+    "@fontsource/dm-sans": "^4.5.1",
+    "@mui/icons-material": "^5.3.1",
+    "@mui/material": "^5.4.0",
+    "luxon": "^2.3.0",
+    "markdown-to-jsx": "^7.1.7",
+    "react": "^17.0.2",
+    "react-dom": "^17.0.2",
+    "react-feather": "^2.0.9"
+  },
+  "devDependencies": {
+    "@trivago/prettier-plugin-sort-imports": "2.0.4",
+    "@types/luxon": "^2.0.9",
+    "@types/node": "^17.0.14",
+    "@types/react": "^17.0.34",
+    "@types/react-dom": "^17.0.11",
+    "@typescript-eslint/eslint-plugin": "^5.10.2",
+    "@typescript-eslint/parser": "^5.10.2",
+    "esbuild": "^0.13.12",
+    "eslint": "7.32.0",
+    "eslint-config-prettier": "^8.3.0",
+    "eslint-plugin-react": "^7.28.0",
+    "prettier": "^2.4.1",
+    "ts-node": "^10.4.0",
+    "typescript": "^4.4.4"
+  },
+  "prettier": {
+    "importOrder": [
+      "^[./]"
+    ],
+    "importOrderSeparation": true,
+    "importOrderSortSpecifiers": true
+  }
+}