router connects using tls_port for internal RS

- Add tests to verify that internal RS is regstered with tls_port, router initiates tls conn [#150062073] Signed-off-by: Shash Reddy <sreddy@pivotal.io>
cloudfoundry · Aug 10, 2017 · db996e8 · db996e8
1 parent e7309b7
commit db996e8
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 36 deletions.
diff --git a/example_config/example.yml b/example_config/example.yml
@@ -19,12 +19,12 @@ index: 0
 
 go_max_procs: 8
 
-publish_start_message_interval: 30
-prune_stale_droplets_interval: 30
-droplet_stale_threshold: 120
+publish_start_message_interval: 60s
+prune_stale_droplets_interval: 30s
+droplet_stale_threshold: 120s
 publish_active_apps_interval: 0 # 0 means disabled
 secure_cookies: true
-route_service_timeout: 60
+route_service_timeout: 60s
 route_services_secret: "tWPE+sWJq+ZnGJpyKkIPYg=="
 
 extra_headers_to_log:

diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go
@@ -1938,6 +1938,15 @@ func registerAddr(reg *registry.RouteRegistry, path string, routeServiceUrl stri
 	reg.Register(route.Uri(path), route.NewEndpoint(appId, host, uint16(port), instanceId, instanceIndex, nil, -1, routeServiceUrl, models.ModificationTag{}, "", false))
 }
 
+func registerAddrWithTLS(reg *registry.RouteRegistry, path string, routeServiceUrl string, addr string, instanceId, instanceIndex, appId string) {
+	host, portStr, err := net.SplitHostPort(addr)
+	Expect(err).NotTo(HaveOccurred())
+
+	port, err := strconv.Atoi(portStr)
+	Expect(err).NotTo(HaveOccurred())
+	reg.Register(route.Uri(path), route.NewEndpoint(appId, host, uint16(port), instanceId, instanceIndex, nil, -1, routeServiceUrl, models.ModificationTag{}, "", true))
+}
+
 func registerHandler(reg *registry.RouteRegistry, path string, handler connHandler) net.Listener {
 	return registerHandlerWithInstanceId(reg, path, "", handler, "")
 }
@@ -1961,6 +1970,23 @@ func registerHandlerWithAppId(reg *registry.RouteRegistry, path string, routeSer
 	return ln
 }
 
+func registerHandlerWithAppIdWithTLS(reg *registry.RouteRegistry, path string, routeServiceUrl string, handler connHandler, instanceId, appId string) net.Listener {
+	certFile := "../test/assets/certs/server.pem"
+	keyFile := "../test/assets/certs/server.key"
+
+	var config *tls.Config
+	config = &tls.Config{}
+	certificate, err := tls.LoadX509KeyPair(certFile, keyFile)
+	Expect(err).NotTo(HaveOccurred())
+	config.Certificates = append(config.Certificates, certificate)
+
+	ln, err := tls.Listen("tcp", "127.0.0.1:0", config)
+	Expect(err).NotTo(HaveOccurred())
+	go runBackendInstance(ln, handler)
+	registerAddrWithTLS(reg, path, routeServiceUrl, ln.Addr().String(), instanceId, "2", appId)
+	return ln
+}
+
 func runBackendInstance(ln net.Listener, handler connHandler) {
 	var tempDelay time.Duration // how long to sleep on accept failure
 	for {

diff --git a/proxy/route_service_test.go b/proxy/route_service_test.go
@@ -371,48 +371,98 @@ var _ = Describe("Route Services", func() {
 
 	Context("when the route service is a CF app", func() {
 
-		It("successfully looks up the route service and sends the request", func() {
+		Context("when registration message does not contain tls_port", func() {
+			It("successfully looks up the route service and sends the request", func() {
 
-			routeServiceHandler := func(conn *test_util.HttpConn) {
-				defer GinkgoRecover()
-				resp := test_util.NewResponse(http.StatusOK)
-				req, _ := conn.ReadRequest()
+				routeServiceHandler := func(conn *test_util.HttpConn) {
+					defer GinkgoRecover()
+					resp := test_util.NewResponse(http.StatusOK)
+					req, _ := conn.ReadRequest()
 
-				Expect(req.Host).ToNot(Equal("my_app.com"))
-				metaHeader := req.Header.Get(routeservice.HeaderKeyMetadata)
-				sigHeader := req.Header.Get(routeservice.HeaderKeySignature)
+					Expect(req.Host).ToNot(Equal("my_app.com"))
+					metaHeader := req.Header.Get(routeservice.HeaderKeyMetadata)
+					sigHeader := req.Header.Get(routeservice.HeaderKeySignature)
 
-				crypto, err := secure.NewAesGCM([]byte(cryptoKey))
-				Expect(err).ToNot(HaveOccurred())
-				_, err = routeservice.SignatureFromHeaders(sigHeader, metaHeader, crypto)
-				Expect(err).ToNot(HaveOccurred())
+					crypto, err := secure.NewAesGCM([]byte(cryptoKey))
+					Expect(err).ToNot(HaveOccurred())
+					_, err = routeservice.SignatureFromHeaders(sigHeader, metaHeader, crypto)
+					Expect(err).ToNot(HaveOccurred())
 
-				// X-CF-ApplicationID will only be set if the request was sent to internal cf app first time
-				Expect(req.Header.Get("X-CF-ApplicationID")).To(Equal("my-route-service-app-id"))
+					// X-CF-ApplicationID will only be set if the request was sent to internal cf app first time
+					Expect(req.Header.Get("X-CF-ApplicationID")).To(Equal("my-route-service-app-id"))
 
-				Expect(req.Header.Get("X-CF-Forwarded-Url")).To(Equal("https://my_app.com/"))
-				conn.WriteResponse(resp)
-			}
+					Expect(req.Header.Get("X-CF-Forwarded-Url")).To(Equal("https://my_app.com/"))
+					conn.WriteResponse(resp)
+				}
 
-			rsListener := registerHandlerWithAppId(r, "route_service.com", "", routeServiceHandler, "", "my-route-service-app-id")
-			appListener := registerHandlerWithRouteService(r, "my_app.com", "https://route_service.com", func(conn *test_util.HttpConn) {
-				defer GinkgoRecover()
-				resp := test_util.NewResponse(http.StatusOK)
-				conn.WriteResponse(resp)
-				Fail("Should not get here")
+				rsListener := registerHandlerWithAppId(r, "route_service.com", "", routeServiceHandler, "", "my-route-service-app-id")
+				appListener := registerHandlerWithRouteService(r, "my_app.com", "https://route_service.com", func(conn *test_util.HttpConn) {
+					defer GinkgoRecover()
+					resp := test_util.NewResponse(http.StatusOK)
+					conn.WriteResponse(resp)
+					Fail("Should not get here")
+				})
+				defer func() {
+					Expect(rsListener.Close()).ToNot(HaveErrored())
+					Expect(appListener.Close()).ToNot(HaveErrored())
+				}()
+				conn := dialProxy(proxyServer)
+
+				req := test_util.NewRequest("GET", "my_app.com", "", nil)
+				conn.WriteRequest(req)
+
+				res, _ := readResponse(conn)
+
+				Expect(res.StatusCode).To(Equal(http.StatusOK))
 			})
-			defer func() {
-				Expect(rsListener.Close()).ToNot(HaveErrored())
-				Expect(appListener.Close()).ToNot(HaveErrored())
-			}()
-			conn := dialProxy(proxyServer)
+		})
 
-			req := test_util.NewRequest("GET", "my_app.com", "", nil)
-			conn.WriteRequest(req)
+		Context("when registration message contains tls_port", func() {
+			BeforeEach(func() {
+				conf.SkipSSLValidation = true
+			})
 
-			res, _ := readResponse(conn)
+			It("successfully looks up the route service and sends the request", func() {
+				routeServiceHandler := func(conn *test_util.HttpConn) {
+					defer GinkgoRecover()
+					resp := test_util.NewResponse(http.StatusOK)
+					req, _ := conn.ReadRequest()
+
+					Expect(req.Host).ToNot(Equal("my_app.com"))
+					metaHeader := req.Header.Get(routeservice.HeaderKeyMetadata)
+					sigHeader := req.Header.Get(routeservice.HeaderKeySignature)
+
+					crypto, err := secure.NewAesGCM([]byte(cryptoKey))
+					Expect(err).ToNot(HaveOccurred())
+					_, err = routeservice.SignatureFromHeaders(sigHeader, metaHeader, crypto)
+					Expect(err).ToNot(HaveOccurred())
+
+					// X-CF-ApplicationID will only be set if the request was sent to internal cf app first time
+					Expect(req.Header.Get("X-CF-ApplicationID")).To(Equal("my-route-service-app-id"))
+
+					Expect(req.Header.Get("X-CF-Forwarded-Url")).To(Equal("https://my_app.com/"))
+					conn.WriteResponse(resp)
+				}
+
+				rsListener := registerHandlerWithAppIdWithTLS(r, "route_service.com", "", routeServiceHandler, "", "my-route-service-app-id")
+				appListener := registerHandlerWithRouteService(r, "my_app.com", "https://route_service.com", func(conn *test_util.HttpConn) {
+					defer GinkgoRecover()
+					resp := test_util.NewResponse(http.StatusOK)
+					conn.WriteResponse(resp)
+					Fail("Should not get here")
+				})
+				defer func() {
+					Expect(rsListener.Close()).ToNot(HaveErrored())
+					Expect(appListener.Close()).ToNot(HaveErrored())
+				}()
+				conn := dialProxy(proxyServer)
+
+				req := test_util.NewRequest("GET", "my_app.com", "", nil)
+				conn.WriteRequest(req)
 
-			Expect(res.StatusCode).To(Equal(http.StatusOK))
+				res, _ := readResponse(conn)
+				Expect(res.StatusCode).To(Equal(http.StatusOK))
+			})
 		})
 	})
 })