resolve proxy to inject using http package

changelog/fragments/1738329703-environment-proxy-injection-fix.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: environment-proxy-injection-fix
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: When injecting environment proxy into Elastic Defend config the Agent should use http library to resolve the proxy settings to ensure consistency across all components.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/6675
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/6209

internal/pkg/agent/application/inject_proxy_component_modifier.go

@@ -5,8 +5,7 @@
 package application
 
 import (
-	"os"
-	"strings"
+	"net/http"
 
 	"github.com/elastic/elastic-agent-client/v7/pkg/client"
 	"github.com/elastic/elastic-agent/internal/pkg/agent/application/coordinator"
@@ -59,9 +58,8 @@ func InjectProxyEndpointModifier() coordinator.ComponentsModifier {
 
 // injectProxyURL will inject the a proxy_url into the passed map if there is no existing key and there is an appropriate proxy through defined as an env var.
 //
-// The 1st item of the passed hosts list is checked to see if it starts with https or http and the corresponding proxy var is used.
-// Nothing is injected if the *_PROXY env var is empty, the map contains proxy_url: "", or the map has proxy_disable: true.
-// If no hosts are passed, then the HTTPS_PROXY value is used over the HTTP_PROXY value if it's defined.
+// Go http client is used to determine the proxy URL, to ensure consistent behavior across all components.
+// Traffic through proxy is preferred if the proxy is defined for any of the hosts.
 func injectProxyURL(m map[string]interface{}, hosts []string) {
 	if m == nil {
 		return
@@ -79,28 +77,20 @@ func injectProxyURL(m map[string]interface{}, hosts []string) {
 		}
 	}
 
-	var proxyURL string
-	matched := false
-	// If hosts are specified, check the 1st to see if HTTPS or HTTP is used to determine proxy
-	if len(hosts) > 0 {
-		if strings.HasPrefix(hosts[0], "https://") {
-			matched = true
-			proxyURL = os.Getenv("HTTPS_PROXY")
-		} else if strings.HasPrefix(hosts[0], "http://") {
-			matched = true
-			proxyURL = os.Getenv("HTTP_PROXY")
+	// Check if a proxy is defined for the hosts
+	for _, host := range hosts {
+		//nolint:noctx // this request will not be executed
+		request, err := http.NewRequest("GET", host, nil)
+		if err != nil {
+			continue
 		}
-	}
-	// if no hosts are specified, or it could not match a host prefix prefer HTTPS_PROXY over HTTP_PROXY
-	if proxyURL == "" && !matched {
-		proxyURL = os.Getenv("HTTPS_PROXY")
-		if proxyURL == "" {
-			proxyURL = os.Getenv("HTTP_PROXY")
+		proxyURL, err := http.ProxyFromEnvironment(request)
+		if err != nil {
+			continue
+		}
+		if proxyURL != nil && proxyURL.String() != "" {
+			m["proxy_url"] = proxyURL.String()
+			return
 		}
 	}
-	// No proxy defined
-	if proxyURL == "" {
-		return
-	}
-	m["proxy_url"] = proxyURL
 }

internal/pkg/agent/application/inject_proxy_component_modifier_test.go

@@ -43,7 +43,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"]}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"]}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -64,7 +64,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"]}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"]}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -88,7 +88,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"],"proxy_url":"https://proxy:8080"}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"],"proxy_url":"https://proxy:8080"}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -109,7 +109,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"],"proxy_url":"https://proxy:8080"}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"],"proxy_url":"https://proxy:8080"}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -133,7 +133,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"],"proxy_url":""}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"],"proxy_url":""}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -154,7 +154,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"],"proxy_url":""}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"],"proxy_url":""}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -178,7 +178,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"],"proxy_disable":true}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"],"proxy_disable":true}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -199,7 +199,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"],"proxy_disable":true}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"],"proxy_disable":true}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -223,7 +223,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"]}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"]}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -244,7 +244,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://localhost:9200"],"proxy_url":"https://localhost:8080"}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["https://example.output:9200"],"proxy_url":"https://localhost:8080"}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -268,7 +268,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["http://localhost:9200"]}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["http://example.output:9200"]}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -289,7 +289,7 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 								Type: elasticsearch,
 								Source: func() *structpb.Struct {
 									var source structpb.Struct
-									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["http://localhost:9200"],"proxy_url":"http://localhost:8081"}`))
+									err := source.UnmarshalJSON([]byte(`{"type":"elasticsearch","hosts":["http://example.output:9200"],"proxy_url":"http://localhost:8081"}`))
 									require.NoError(t, err)
 									return &source
 								}(),
@@ -318,9 +318,6 @@ func TestInjectProxyEndpointModifier(t *testing.T) {
 }
 
 func Test_injectProxyURL(t *testing.T) {
-	t.Setenv("HTTPS_PROXY", "https://localhost:8080")
-	t.Setenv("HTTP_PROXY", "http://localhost:8081")
-
 	tests := []struct {
 		name   string
 		m      map[string]interface{}
@@ -341,41 +338,30 @@ func Test_injectProxyURL(t *testing.T) {
 		hosts:  nil,
 		expect: map[string]interface{}{"key": "value", "proxy_disable": true},
 	}, {
-		name:   "no hosts uses HTTPS_PROXY",
+		name:   "http hosts uses HTTP_PROXY",
 		m:      map[string]interface{}{"key": "value"},
-		hosts:  nil,
-		expect: map[string]interface{}{"key": "value", "proxy_url": "https://localhost:8080"},
+		hosts:  []string{"http://example:80"},
+		expect: map[string]interface{}{"key": "value", "proxy_url": "http://localhost:8081"},
 	}, {
 		name:   "https hosts uses HTTPS_PROXY",
 		m:      map[string]interface{}{"key": "value"},
 		hosts:  []string{"https://example:443"},
 		expect: map[string]interface{}{"key": "value", "proxy_url": "https://localhost:8080"},
 	}, {
-		name:   "http host uses HTTP_PROXY",
+		name:   "host skipped by NO_PROXY",
 		m:      map[string]interface{}{"key": "value"},
-		hosts:  []string{"http://example:80"},
-		expect: map[string]interface{}{"key": "value", "proxy_url": "http://localhost:8081"},
+		hosts:  []string{"https://do.not.inject.proxy.for.me", "https://do.not.inject.proxy.for.me:8080", "really.do.not.inject.proxy.for.me"},
+		expect: map[string]interface{}{"key": "value"},
 	}}
+
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv("HTTPS_PROXY", "https://localhost:8080")
+			t.Setenv("HTTP_PROXY", "http://localhost:8081")
+			t.Setenv("NO_PROXY", "do.not.inject.proxy.for.me")
+
 			injectProxyURL(tc.m, tc.hosts)
 			require.Equal(t, tc.expect, tc.m)
 		})
 	}
-
-	t.Run("no hosts or HTTPS_PROXY uses HTTP_PROXY", func(t *testing.T) {
-		t.Setenv("HTTPS_PROXY", "")
-		t.Setenv("HTTP_PROXY", "http://localhost:8081")
-
-		m := map[string]interface{}{"key": "value"}
-		injectProxyURL(m, nil)
-		require.Equal(t, map[string]interface{}{"key": "value", "proxy_url": "http://localhost:8081"}, m)
-	})
-	t.Run("no env vars", func(t *testing.T) {
-		t.Setenv("HTTPS_PROXY", "")
-		t.Setenv("HTTP_PROXY", "")
-		m := map[string]interface{}{"key": "value"}
-		injectProxyURL(m, nil)
-		require.Equal(t, map[string]interface{}{"key": "value"}, m)
-	})
 }