Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1878319: Allow trailing dots in host names #180

Merged
merged 2 commits into from Sep 14, 2020
Merged

Bug 1878319: Allow trailing dots in host names #180

merged 2 commits into from Sep 14, 2020

Conversation

Miciah
Copy link
Contributor

@Miciah Miciah commented Sep 11, 2020
edited

generateSNIPassthroughMapEntry: Match only host

Change the generated os_sni_passthrough.map map file to match server names without port numbers or paths.

  • pkg/router/template/util/util.go (generateRouteHostRegexp): New function. Generate a regular expression just for the route host, for use in other regular expressions.
    (GenerateRouteRegexp): Use generateRouteHostRegexp.
    (GenerateSNIRegexp): New function. Use generateRouteHostRegexp to generate a regular expression to match route hosts against a server name in a TLS client hello message.
  • pkg/router/template/util/haproxy/map_entry.go (generateTCPMapEntry): Use GenerateSNIRegexp.
  • pkg/router/template/util/haproxy/map_entry_test.go (TestGenerateSNIPassthroughMapEntry): Expect keys that match only server names (not port number or path).
  • pkg/router/template/template_helper_test.go (TestGenerateHAProxyMap): Expect os_sni_passthrough.map to have patterns that match only server names (not port number or path).

Allow trailing dots in host names

When generating the pattern for a map entry to match a route host and path, make sure the pattern allows for a trailing dot in the host name.

RFC 7230, section 5.4, specifies that the HTTP "host" header value includes the URI host as defined in RFC 3986, section 3.2.2, which indicates that a trailing dot is permitted.

Note that the same treatment is not required for entries in the certificate map because RFC 3546, section 3.1, specifies that the server name in a TLS client hello message does not have a trailing dot.

  • pkg/router/template/util/util.go (GenerateRouteRegexp): Match an optional trailing dot in the host name.
  • pkg/router/template/template_helper_test.go (TestGenerateHAProxyMap):
  • pkg/router/template/util/haproxy/map_entry_test.go (TestGenerateWildcardDomainMapEntry, TestGenerateHttpMapEntry, TestGenerateEdgeReencryptMapEntry, TestGenerateHttpRedirectMapEntry, TestGenerateTCPMapEntry):
  • pkg/router/template/util/util_test.go (TestGenerateRouteRegexp): Verify that the trailing dot is permitted.

@openshift-ci-robot openshift-ci-robot added bugzilla/severity-low Referenced Bugzilla bug's severity is low for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. labels Sep 11, 2020
@openshift-ci-robot
Copy link
Contributor

@Miciah: This pull request references Bugzilla bug 1878319, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.0) matches configured target release for branch (4.6.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1878319: Allow trailing dots in host names

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 11, 2020
@Miciah Miciah force-pushed the allow-trailing-dots-in-host-names branch from 43b87b3 to 79d252b Compare September 12, 2020 00:23
@openshift-ci-robot
Copy link
Contributor

@Miciah: This pull request references Bugzilla bug 1878319, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.0) matches configured target release for branch (4.6.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1878319: Allow trailing dots in host names

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

sgreene570
sgreene570 reviewed Sep 14, 2020
View reviewed changes
Copy link

@sgreene570 sgreene570 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome work. Pointed out one small concern.

pkg/router/template/util/util.go Show resolved Hide resolved
@Miciah
generateSNIPassthroughMapEntry: Match only host
1ce1a57 
Change the generated os_sni_passthrough.map map file to match server names
without port numbers or paths.

* pkg/router/template/util/util.go (generateRouteHostRegexp): New function.
Generate a regular expression just for the route host, for use in other
regular expressions.
(GenerateRouteRegexp): Use generateRouteHostRegexp.
(GenerateSNIRegexp): New function.  Use generateRouteHostRegexp to generate
a regular expression to match route hosts against a server name in a TLS
client hello message.
* pkg/router/template/util/haproxy/map_entry.go (generateTCPMapEntry): Use
GenerateSNIRegexp.
* pkg/router/template/util/haproxy/map_entry_test.go
(TestGenerateSNIPassthroughMapEntry): Expect keys that match only server
names (not port number or path).
* pkg/router/template/template_helper_test.go (TestGenerateHAProxyMap):
Expect os_sni_passthrough.map to have patterns that match only server names
(not port number or path).
@Miciah
Allow trailing dots in host names
0614648 
When generating the pattern for a map entry to match a route host and path,
make sure the pattern allows for a trailing dot in the host name.

RFC 7230, section 5.4, specifies that the HTTP "host" header value includes
the URI host as defined in RFC 3986, section 3.2.2, which indicates that a
trailing dot is permitted.

Note that the same treatment is not required for entries in the certificate
map because RFC 3546, section 3.1, specifies that the server name in a TLS
client hello message does *not* have a trailing dot.

This commit fixes bug 1878319.

https://bugzilla.redhat.com/show_bug.cgi?id=1878319

* pkg/router/template/util/util.go (GenerateRouteRegexp): Match an optional
trailing dot in the host name.
* pkg/router/template/template_helper_test.go (TestGenerateHAProxyMap):
* pkg/router/template/util/haproxy/map_entry_test.go
(TestGenerateWildcardDomainMapEntry, TestGenerateHttpMapEntry)
(TestGenerateEdgeReencryptMapEntry, TestGenerateHttpRedirectMapEntry)
(TestGenerateTCPMapEntry):
* pkg/router/template/util/util_test.go (TestGenerateRouteRegexp): Verify
that the trailing dot is permitted.
@Miciah Miciah force-pushed the allow-trailing-dots-in-host-names branch from 79d252b to 0614648 Compare September 14, 2020 19:13
@openshift-ci-robot
Copy link
Contributor

@Miciah: This pull request references Bugzilla bug 1878319, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.6.0) matches configured target release for branch (4.6.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)

In response to this:

Bug 1878319: Allow trailing dots in host names

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sgreene570
Copy link

Looks great!
/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 14, 2020
@openshift-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Miciah, sgreene570

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit 7834b9a into openshift:master Sep 14, 2020
@openshift-ci-robot
Copy link
Contributor

@Miciah: All pull requests linked via external trackers have merged:

Bugzilla bug 1878319 has been moved to the MODIFIED state.

In response to this:

Bug 1878319: Allow trailing dots in host names

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sgreene570 sgreene570 sgreene570 left review comments

@knobunc knobunc Awaiting requested review from knobunc

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

Assignees

@sgreene570 sgreene570

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. bugzilla/severity-low Referenced Bugzilla bug's severity is low for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@Miciah @openshift-ci-robot @sgreene570 @openshift-bot @openshift-merge-robot