Fix pickDefaultAddr not respecting HTTPS_PROXY (#22490)

This change fixes a bug where tsh would not respect HTTPS_PROXY when it has to guess the Telport proxy's port.
gravitational · Mar 10, 2023 · e829922 · e829922
1 parent a42a403
commit e829922
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 9 deletions.
diff --git a/integration/helpers.go b/integration/helpers.go
@@ -1840,8 +1840,8 @@ func genUserKey() (*client.Key, error) {
 	}, nil
 }
 
-// getLocalIP gets the non-loopback IP address of this host.
-func getLocalIP() (string, error) {
+// GetLocalIP gets the non-loopback IP address of this host.
+func GetLocalIP() (string, error) {
 	addrs, err := net.InterfaceAddrs()
 	if err != nil {
 		return "", trace.Wrap(err)

diff --git a/integration/integration_test.go b/integration/integration_test.go
@@ -1948,7 +1948,7 @@ func testTwoClustersProxy(t *testing.T, suite *integrationTestSuite) {
 
 	// httpproxy doesn't allow proxying when the target is localhost, so use
 	// this address instead.
-	addr, err := getLocalIP()
+	addr, err := GetLocalIP()
 	require.NoError(t, err)
 	a := suite.newNamedTeleportInstance(t, "site-A", WithNodeName(addr))
 	b := suite.newNamedTeleportInstance(t, "site-B", WithNodeName(addr))

diff --git a/integration/proxy_test.go b/integration/proxy_test.go
@@ -220,7 +220,7 @@ func TestALPNSNIHTTPSProxy(t *testing.T) {
 
 	username := mustGetCurrentUser(t).Username
 	// httpproxy won't proxy when target address is localhost, so use this instead.
-	addr, err := getLocalIP()
+	addr, err := GetLocalIP()
 	require.NoError(t, err)
 
 	suite := newProxySuite(t,
@@ -258,7 +258,7 @@ func TestMultiPortHTTPSProxy(t *testing.T) {
 
 	username := mustGetCurrentUser(t).Username
 	// httpproxy won't proxy when target address is localhost, so use this instead.
-	addr, err := getLocalIP()
+	addr, err := GetLocalIP()
 	require.NoError(t, err)
 
 	suite := newProxySuite(t,
@@ -943,7 +943,7 @@ func TestALPNProxyHTTPProxyNoProxyDial(t *testing.T) {
 	lib.SetInsecureDevMode(true)
 	defer lib.SetInsecureDevMode(false)
 
-	addr, err := getLocalIP()
+	addr, err := GetLocalIP()
 	require.NoError(t, err)
 
 	rc := NewInstance(InstanceConfig{
@@ -1018,7 +1018,7 @@ func TestALPNProxyHTTPProxyBasicAuthDial(t *testing.T) {
 
 	log := utils.NewLoggerForTests()
 
-	rcAddr, err := getLocalIP()
+	rcAddr, err := GetLocalIP()
 	require.NoError(t, err)
 
 	rc := NewInstance(InstanceConfig{

diff --git a/tool/tsh/resolve_default_addr.go b/tool/tsh/resolve_default_addr.go
@@ -23,13 +23,15 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"net/url"
 	"strconv"
 	"sync"
 	"time"
 
 	"github.com/gravitational/trace"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 
+	"github.com/gravitational/teleport/api/client/proxy"
 	"github.com/gravitational/teleport/api/observability/tracing"
 )
 
@@ -119,6 +121,9 @@ func pickDefaultAddr(ctx context.Context, insecure bool, host string, ports []in
 				TLSClientConfig: &tls.Config{
 					InsecureSkipVerify: insecure,
 				},
+				Proxy: func(req *http.Request) (*url.URL, error) {
+					return proxy.GetProxyURL(req.URL.String()), nil
+				},
 			},
 			otelhttp.WithSpanNameFormatter(tracing.HTTPTransportFormatter),
 		),

diff --git a/tool/tsh/resolve_default_addr_test.go b/tool/tsh/resolve_default_addr_test.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -29,6 +30,9 @@ import (
 
 	"github.com/gravitational/trace"
 	"github.com/stretchr/testify/require"
+
+	"github.com/gravitational/teleport/integration"
+	"github.com/gravitational/teleport/integration/helpers"
 )
 
 var testLog = log.WithField(trace.Component, "test")
@@ -74,8 +78,14 @@ func mustGetCandidatePorts(servers []*httptest.Server) []int {
 	return result
 }
 
-func makeTestServer(t *testing.T, h http.Handler) *httptest.Server {
-	svr := httptest.NewTLSServer(h)
+type testServerOption func(*httptest.Server)
+
+func makeTestServer(t *testing.T, h http.Handler, opts ...testServerOption) *httptest.Server {
+	svr := httptest.NewUnstartedServer(h)
+	for _, opt := range opts {
+		opt(svr)
+	}
+	svr.StartTLS()
 	t.Cleanup(func() { svr.Close() })
 	return svr
 }
@@ -259,3 +269,35 @@ func TestResolveDefaultAddrTimeoutBeforeAllRacersLaunched(t *testing.T) {
 	// the call timing out.
 	require.Equal(t, context.DeadlineExceeded, err)
 }
+
+func TestResolveDefaultAddrHTTPProxy(t *testing.T) {
+	proxyHandler := &helpers.ProxyHandler{}
+	proxyServer := httptest.NewServer(proxyHandler)
+	t.Cleanup(proxyServer.Close)
+
+	// Go won't proxy to localhost, so use this address instead.
+	localIP, err := integration.GetLocalIP()
+	require.NoError(t, err)
+
+	var serverAddr net.Addr
+	respondingHandler := newRespondingHandler()
+	server := makeTestServer(t, respondingHandler, func(srv *httptest.Server) {
+		// Replace the test server's address.
+		l, err := net.Listen("tcp", localIP+":0")
+		require.NoError(t, err)
+		require.NoError(t, srv.Listener.Close())
+		srv.Listener = l
+		serverAddr = l.Addr()
+	})
+
+	ports := mustGetCandidatePorts([]*httptest.Server{server})
+
+	// Given an http proxy address...
+	t.Setenv("HTTPS_PROXY", proxyServer.URL)
+	// When I attempt to resove an address...
+	addr, err := pickDefaultAddr(context.Background(), true, localIP, ports)
+	// Expect that pickDefaultAddr uses the http proxy.
+	require.NoError(t, err)
+	require.Equal(t, serverAddr.String(), addr)
+	require.Equal(t, 1, proxyHandler.Count())
+}