forked from Mxmilu666/frp
Merge remote-tracking branch 'upstream/dev' into dev
This commit is contained in:
@@ -24,7 +24,6 @@ import (
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
"net/url"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
libio "github.com/fatedier/golib/io"
|
||||
@@ -160,7 +159,7 @@ func (rp *HTTPReverseProxy) UnRegister(routeCfg RouteConfig) {
|
||||
}
|
||||
|
||||
func (rp *HTTPReverseProxy) GetRouteConfig(domain, location, routeByHTTPUser string) *RouteConfig {
|
||||
vr, ok := rp.getVhost(domain, location, routeByHTTPUser)
|
||||
vr, ok := rp.vhostRouter.getByRoute(domain, location, routeByHTTPUser)
|
||||
if ok {
|
||||
log.Debugf("get new http request host [%s] path [%s] httpuser [%s]", domain, location, routeByHTTPUser)
|
||||
return vr.payload.(*RouteConfig)
|
||||
@@ -171,7 +170,7 @@ func (rp *HTTPReverseProxy) GetRouteConfig(domain, location, routeByHTTPUser str
|
||||
// CreateConnection create a new connection by route config
|
||||
func (rp *HTTPReverseProxy) CreateConnection(reqRouteInfo *RequestRouteInfo, byEndpoint bool) (net.Conn, error) {
|
||||
host, _ := httppkg.CanonicalHost(reqRouteInfo.Host)
|
||||
vr, ok := rp.getVhost(host, reqRouteInfo.URL, reqRouteInfo.HTTPUser)
|
||||
vr, ok := rp.vhostRouter.getByRoute(host, reqRouteInfo.URL, reqRouteInfo.HTTPUser)
|
||||
if ok {
|
||||
if byEndpoint {
|
||||
fn := vr.payload.(*RouteConfig).CreateConnByEndpointFn
|
||||
@@ -187,60 +186,25 @@ func (rp *HTTPReverseProxy) CreateConnection(reqRouteInfo *RequestRouteInfo, byE
|
||||
return nil, fmt.Errorf("%v: %s %s %s", ErrNoRouteFound, host, reqRouteInfo.URL, reqRouteInfo.HTTPUser)
|
||||
}
|
||||
|
||||
func (rp *HTTPReverseProxy) CheckAuth(domain, location, routeByHTTPUser, user, passwd string) bool {
|
||||
vr, ok := rp.getVhost(domain, location, routeByHTTPUser)
|
||||
if ok {
|
||||
checkUser := vr.payload.(*RouteConfig).Username
|
||||
checkPasswd := vr.payload.(*RouteConfig).Password
|
||||
if (checkUser != "" || checkPasswd != "") && (checkUser != user || checkPasswd != passwd) {
|
||||
func checkRouteAuthByRequest(req *http.Request, rc *RouteConfig) bool {
|
||||
if rc == nil {
|
||||
return true
|
||||
}
|
||||
if rc.Username == "" && rc.Password == "" {
|
||||
return true
|
||||
}
|
||||
|
||||
if req.URL.Host != "" {
|
||||
proxyAuth := req.Header.Get("Proxy-Authorization")
|
||||
if proxyAuth == "" {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
// getVhost tries to get vhost router by route policy.
|
||||
func (rp *HTTPReverseProxy) getVhost(domain, location, routeByHTTPUser string) (*Router, bool) {
|
||||
findRouter := func(inDomain, inLocation, inRouteByHTTPUser string) (*Router, bool) {
|
||||
vr, ok := rp.vhostRouter.Get(inDomain, inLocation, inRouteByHTTPUser)
|
||||
if ok {
|
||||
return vr, ok
|
||||
}
|
||||
// Try to check if there is one proxy that doesn't specify routerByHTTPUser, it means match all.
|
||||
vr, ok = rp.vhostRouter.Get(inDomain, inLocation, "")
|
||||
if ok {
|
||||
return vr, ok
|
||||
}
|
||||
return nil, false
|
||||
user, passwd, ok := httppkg.ParseBasicAuth(proxyAuth)
|
||||
return ok && user == rc.Username && passwd == rc.Password
|
||||
}
|
||||
|
||||
// First we check the full hostname
|
||||
// if not exist, then check the wildcard_domain such as *.example.com
|
||||
vr, ok := findRouter(domain, location, routeByHTTPUser)
|
||||
if ok {
|
||||
return vr, ok
|
||||
}
|
||||
|
||||
// e.g. domain = test.example.com, try to match wildcard domains.
|
||||
// *.example.com
|
||||
// *.com
|
||||
domainSplit := strings.Split(domain, ".")
|
||||
for len(domainSplit) >= 3 {
|
||||
domainSplit[0] = "*"
|
||||
domain = strings.Join(domainSplit, ".")
|
||||
vr, ok = findRouter(domain, location, routeByHTTPUser)
|
||||
if ok {
|
||||
return vr, true
|
||||
}
|
||||
domainSplit = domainSplit[1:]
|
||||
}
|
||||
|
||||
// Finally, try to check if there is one proxy that domain is "*" means match all domains.
|
||||
vr, ok = findRouter("*", location, routeByHTTPUser)
|
||||
if ok {
|
||||
return vr, true
|
||||
}
|
||||
return nil, false
|
||||
user, passwd, ok := req.BasicAuth()
|
||||
return ok && user == rc.Username && passwd == rc.Password
|
||||
}
|
||||
|
||||
func (rp *HTTPReverseProxy) connectHandler(rw http.ResponseWriter, req *http.Request) {
|
||||
@@ -266,36 +230,25 @@ func (rp *HTTPReverseProxy) connectHandler(rw http.ResponseWriter, req *http.Req
|
||||
go libio.Join(remote, client)
|
||||
}
|
||||
|
||||
func parseBasicAuth(auth string) (username, password string, ok bool) {
|
||||
const prefix = "Basic "
|
||||
// Case insensitive prefix match. See Issue 22736.
|
||||
if len(auth) < len(prefix) || !strings.EqualFold(auth[:len(prefix)], prefix) {
|
||||
return
|
||||
func getRequestRouteUser(req *http.Request) string {
|
||||
if req.URL.Host != "" {
|
||||
proxyAuth := req.Header.Get("Proxy-Authorization")
|
||||
if proxyAuth == "" {
|
||||
// Preserve legacy proxy-mode routing when clients send only Authorization,
|
||||
// so requests still hit the matched route and return 407 instead of 404.
|
||||
// Auth validation intentionally does not share this fallback.
|
||||
user, _, _ := req.BasicAuth()
|
||||
return user
|
||||
}
|
||||
user, _, _ := httppkg.ParseBasicAuth(proxyAuth)
|
||||
return user
|
||||
}
|
||||
c, err := base64.StdEncoding.DecodeString(auth[len(prefix):])
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
cs := string(c)
|
||||
s := strings.IndexByte(cs, ':')
|
||||
if s < 0 {
|
||||
return
|
||||
}
|
||||
return cs[:s], cs[s+1:], true
|
||||
user, _, _ := req.BasicAuth()
|
||||
return user
|
||||
}
|
||||
|
||||
func (rp *HTTPReverseProxy) injectRequestInfoToCtx(req *http.Request) *http.Request {
|
||||
user := ""
|
||||
// If url host isn't empty, it's a proxy request. Get http user from Proxy-Authorization header.
|
||||
if req.URL.Host != "" {
|
||||
proxyAuth := req.Header.Get("Proxy-Authorization")
|
||||
if proxyAuth != "" {
|
||||
user, _, _ = parseBasicAuth(proxyAuth)
|
||||
}
|
||||
}
|
||||
if user == "" {
|
||||
user, _, _ = req.BasicAuth()
|
||||
}
|
||||
user := getRequestRouteUser(req)
|
||||
|
||||
reqRouteInfo := &RequestRouteInfo{
|
||||
URL: req.URL.Path,
|
||||
@@ -315,16 +268,19 @@ func (rp *HTTPReverseProxy) injectRequestInfoToCtx(req *http.Request) *http.Requ
|
||||
}
|
||||
|
||||
func (rp *HTTPReverseProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||
domain, _ := httppkg.CanonicalHost(req.Host)
|
||||
location := req.URL.Path
|
||||
user, passwd, _ := req.BasicAuth()
|
||||
if !rp.CheckAuth(domain, location, user, user, passwd) {
|
||||
rw.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||
http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
|
||||
newreq := rp.injectRequestInfoToCtx(req)
|
||||
rc := newreq.Context().Value(RouteConfigKey).(*RouteConfig)
|
||||
if !checkRouteAuthByRequest(req, rc) {
|
||||
if req.URL.Host != "" {
|
||||
rw.Header().Set("Proxy-Authenticate", `Basic realm="Restricted"`)
|
||||
http.Error(rw, http.StatusText(http.StatusProxyAuthRequired), http.StatusProxyAuthRequired)
|
||||
} else {
|
||||
rw.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
|
||||
http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
newreq := rp.injectRequestInfoToCtx(req)
|
||||
if req.Method == http.MethodConnect {
|
||||
rp.connectHandler(rw, newreq)
|
||||
} else {
|
||||
|
||||
102
pkg/util/vhost/http_test.go
Normal file
102
pkg/util/vhost/http_test.go
Normal file
@@ -0,0 +1,102 @@
|
||||
package vhost
|
||||
|
||||
import (
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
httppkg "github.com/fatedier/frp/pkg/util/http"
|
||||
)
|
||||
|
||||
func TestCheckRouteAuthByRequest(t *testing.T) {
|
||||
rc := &RouteConfig{
|
||||
Username: "alice",
|
||||
Password: "secret",
|
||||
}
|
||||
|
||||
t.Run("accepts nil route config", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
require.True(t, checkRouteAuthByRequest(req, nil))
|
||||
})
|
||||
|
||||
t.Run("accepts route without credentials", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
require.True(t, checkRouteAuthByRequest(req, &RouteConfig{}))
|
||||
})
|
||||
|
||||
t.Run("accepts authorization header", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
req.SetBasicAuth("alice", "secret")
|
||||
require.True(t, checkRouteAuthByRequest(req, rc))
|
||||
})
|
||||
|
||||
t.Run("accepts proxy authorization header", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "http://target.example.com/", nil)
|
||||
req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("alice", "secret"))
|
||||
require.True(t, checkRouteAuthByRequest(req, rc))
|
||||
})
|
||||
|
||||
t.Run("rejects authorization fallback for proxy request", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "http://target.example.com/", nil)
|
||||
req.SetBasicAuth("alice", "secret")
|
||||
require.False(t, checkRouteAuthByRequest(req, rc))
|
||||
})
|
||||
|
||||
t.Run("rejects wrong proxy authorization even when authorization matches", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "http://target.example.com/", nil)
|
||||
req.SetBasicAuth("alice", "secret")
|
||||
req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("alice", "wrong"))
|
||||
require.False(t, checkRouteAuthByRequest(req, rc))
|
||||
})
|
||||
|
||||
t.Run("rejects when neither header matches", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "http://target.example.com/", nil)
|
||||
req.SetBasicAuth("alice", "wrong")
|
||||
req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("alice", "wrong"))
|
||||
require.False(t, checkRouteAuthByRequest(req, rc))
|
||||
})
|
||||
|
||||
t.Run("rejects proxy authorization on direct request", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("alice", "secret"))
|
||||
require.False(t, checkRouteAuthByRequest(req, rc))
|
||||
})
|
||||
}
|
||||
|
||||
func TestGetRequestRouteUser(t *testing.T) {
|
||||
t.Run("proxy request uses proxy authorization username", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "http://target.example.com/", nil)
|
||||
req.Host = "target.example.com"
|
||||
req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("proxy-user", "proxy-pass"))
|
||||
req.SetBasicAuth("direct-user", "direct-pass")
|
||||
|
||||
require.Equal(t, "proxy-user", getRequestRouteUser(req))
|
||||
})
|
||||
|
||||
t.Run("connect request keeps proxy authorization routing", func(t *testing.T) {
|
||||
req := httptest.NewRequest("CONNECT", "http://target.example.com:443", nil)
|
||||
req.Host = "target.example.com:443"
|
||||
req.Header.Set("Proxy-Authorization", httppkg.BasicAuth("proxy-user", "proxy-pass"))
|
||||
req.SetBasicAuth("direct-user", "direct-pass")
|
||||
|
||||
require.Equal(t, "proxy-user", getRequestRouteUser(req))
|
||||
})
|
||||
|
||||
t.Run("direct request uses authorization username", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "/", nil)
|
||||
req.Host = "example.com"
|
||||
req.SetBasicAuth("direct-user", "direct-pass")
|
||||
|
||||
require.Equal(t, "direct-user", getRequestRouteUser(req))
|
||||
})
|
||||
|
||||
t.Run("proxy request does not fall back when proxy authorization is invalid", func(t *testing.T) {
|
||||
req := httptest.NewRequest("GET", "http://target.example.com/", nil)
|
||||
req.Host = "target.example.com"
|
||||
req.Header.Set("Proxy-Authorization", "Basic !!!")
|
||||
req.SetBasicAuth("direct-user", "direct-pass")
|
||||
|
||||
require.Empty(t, getRequestRouteUser(req))
|
||||
})
|
||||
}
|
||||
@@ -29,11 +29,11 @@ type HTTPSMuxer struct {
|
||||
|
||||
func NewHTTPSMuxer(listener net.Listener, timeout time.Duration) (*HTTPSMuxer, error) {
|
||||
mux, err := NewMuxer(listener, GetHTTPSHostname, timeout)
|
||||
mux.SetFailHookFunc(vhostFailed)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &HTTPSMuxer{mux}, err
|
||||
mux.SetFailHookFunc(vhostFailed)
|
||||
return &HTTPSMuxer{mux}, nil
|
||||
}
|
||||
|
||||
func GetHTTPSHostname(c net.Conn) (_ net.Conn, _ map[string]string, err error) {
|
||||
|
||||
@@ -16,23 +16,53 @@ func TestGetHTTPSHostname(t *testing.T) {
|
||||
require.NoError(err)
|
||||
defer l.Close()
|
||||
|
||||
var conn net.Conn
|
||||
connCh := make(chan net.Conn, 1)
|
||||
acceptErrCh := make(chan error, 1)
|
||||
go func() {
|
||||
conn, _ = l.Accept()
|
||||
require.NotNil(conn)
|
||||
conn, err := l.Accept()
|
||||
if err != nil {
|
||||
acceptErrCh <- err
|
||||
return
|
||||
}
|
||||
connCh <- conn
|
||||
}()
|
||||
|
||||
clientErrCh := make(chan error, 1)
|
||||
go func() {
|
||||
time.Sleep(100 * time.Millisecond)
|
||||
tls.Dial("tcp", l.Addr().String(), &tls.Config{
|
||||
conn, err := tls.Dial("tcp", l.Addr().String(), &tls.Config{
|
||||
InsecureSkipVerify: true,
|
||||
ServerName: "example.com",
|
||||
})
|
||||
if conn != nil {
|
||||
_ = conn.Close()
|
||||
}
|
||||
clientErrCh <- err
|
||||
}()
|
||||
|
||||
time.Sleep(200 * time.Millisecond)
|
||||
_, infos, err := GetHTTPSHostname(conn)
|
||||
var conn net.Conn
|
||||
select {
|
||||
case conn = <-connCh:
|
||||
case err := <-acceptErrCh:
|
||||
require.NoError(err)
|
||||
case <-time.After(time.Second):
|
||||
t.Fatal("timed out waiting for accepted connection")
|
||||
}
|
||||
require.NotNil(conn)
|
||||
|
||||
serverConn, infos, err := GetHTTPSHostname(conn)
|
||||
if serverConn != nil {
|
||||
_ = serverConn.Close()
|
||||
} else {
|
||||
_ = conn.Close()
|
||||
}
|
||||
require.NoError(err)
|
||||
require.Equal("example.com", infos["Host"])
|
||||
require.Equal("https", infos["Scheme"])
|
||||
|
||||
select {
|
||||
case <-clientErrCh:
|
||||
case <-time.After(time.Second):
|
||||
t.Fatal("timed out waiting for TLS client")
|
||||
}
|
||||
}
|
||||
|
||||
@@ -93,12 +93,19 @@ func (r *Routers) Del(domain, location, httpUser string) {
|
||||
routersByHTTPUser[httpUser] = newVrs
|
||||
}
|
||||
|
||||
// Get returns the best location match for an exact host and exact HTTP user.
|
||||
// It does not apply all-users, wildcard-domain, or catch-all-domain fallback.
|
||||
func (r *Routers) Get(host, path, httpUser string) (vr *Router, exist bool) {
|
||||
host = strings.ToLower(host)
|
||||
|
||||
r.mutex.RLock()
|
||||
defer r.mutex.RUnlock()
|
||||
|
||||
return r.getLocked(host, path, httpUser)
|
||||
}
|
||||
|
||||
// getLocked performs an exact-host lookup; host must already be lower-cased.
|
||||
func (r *Routers) getLocked(host, path, httpUser string) (vr *Router, exist bool) {
|
||||
routersByHTTPUser, found := r.indexByDomain[host]
|
||||
if !found {
|
||||
return
|
||||
@@ -117,6 +124,49 @@ func (r *Routers) Get(host, path, httpUser string) (vr *Router, exist bool) {
|
||||
return
|
||||
}
|
||||
|
||||
func (r *Routers) getByRoute(host, path, httpUser string) (*Router, bool) {
|
||||
host = strings.ToLower(host)
|
||||
|
||||
r.mutex.RLock()
|
||||
defer r.mutex.RUnlock()
|
||||
|
||||
// First we check the full hostname; if it doesn't exist, then check wildcard domains.
|
||||
// For example, test.example.com checks *.example.com before falling back to "*".
|
||||
vr, ok := r.getExactOrAllUsersLocked(host, path, httpUser)
|
||||
if ok {
|
||||
return vr, true
|
||||
}
|
||||
|
||||
hostSplit := strings.Split(host, ".")
|
||||
// Keep two-label hosts out of the wildcard walk, so example.com does not match *.com.
|
||||
for len(hostSplit) >= 3 {
|
||||
// Replace the leftmost remaining label with the wildcard marker.
|
||||
hostSplit[0] = "*"
|
||||
host = strings.Join(hostSplit, ".")
|
||||
vr, ok = r.getExactOrAllUsersLocked(host, path, httpUser)
|
||||
if ok {
|
||||
return vr, true
|
||||
}
|
||||
hostSplit = hostSplit[1:]
|
||||
}
|
||||
|
||||
// Finally, try to check if there is one proxy whose domain is "*", which means match all domains.
|
||||
return r.getExactOrAllUsersLocked("*", path, httpUser)
|
||||
}
|
||||
|
||||
func (r *Routers) getExactOrAllUsersLocked(host, path, httpUser string) (*Router, bool) {
|
||||
vr, ok := r.getLocked(host, path, httpUser)
|
||||
if ok {
|
||||
return vr, true
|
||||
}
|
||||
// Try to check if there is one proxy that doesn't specify routeByHTTPUser, it means match all.
|
||||
vr, ok = r.getLocked(host, path, "")
|
||||
if ok {
|
||||
return vr, true
|
||||
}
|
||||
return nil, false
|
||||
}
|
||||
|
||||
func (r *Routers) exist(host, path, httpUser string) (route *Router, exist bool) {
|
||||
routersByHTTPUser, found := r.indexByDomain[host]
|
||||
if !found {
|
||||
|
||||
257
pkg/util/vhost/router_test.go
Normal file
257
pkg/util/vhost/router_test.go
Normal file
@@ -0,0 +1,257 @@
|
||||
// Copyright 2017 fatedier, fatedier@gmail.com
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package vhost
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"sync"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
func TestRoutersGet(t *testing.T) {
|
||||
routers := NewRouters()
|
||||
require.NoError(t, routers.Add("example.com", "/api", "alice", "exact-user"))
|
||||
require.NoError(t, routers.Add("example.com", "/public", "", "exact-all-users"))
|
||||
require.NoError(t, routers.Add("*.example.com", "/api", "", "wildcard-all-users"))
|
||||
require.NoError(t, routers.Add("*", "/api", "", "all-domains"))
|
||||
|
||||
t.Run("exact host and user match with normalized domain", func(t *testing.T) {
|
||||
router, ok := routers.Get("EXAMPLE.COM", "/api/users", "alice")
|
||||
require.True(t, ok)
|
||||
require.Equal(t, "exact-user", router.payload)
|
||||
})
|
||||
|
||||
t.Run("exact host and empty user match", func(t *testing.T) {
|
||||
router, ok := routers.Get("EXAMPLE.COM", "/public/docs", "")
|
||||
require.True(t, ok)
|
||||
require.Equal(t, "exact-all-users", router.payload)
|
||||
})
|
||||
|
||||
t.Run("does not fall back from named user to empty user", func(t *testing.T) {
|
||||
// Get intentionally requires an exact HTTP user; route-level fallbacks live in getByRoute.
|
||||
_, ok := routers.Get("EXAMPLE.COM", "/public/docs", "alice")
|
||||
require.False(t, ok)
|
||||
})
|
||||
|
||||
t.Run("does not fall back to wildcard domains", func(t *testing.T) {
|
||||
_, ok := routers.Get("foo.example.com", "/api/users", "")
|
||||
require.False(t, ok)
|
||||
})
|
||||
|
||||
t.Run("does not fall back to catch-all domain", func(t *testing.T) {
|
||||
_, ok := routers.Get("missing.test", "/api/users", "")
|
||||
require.False(t, ok)
|
||||
})
|
||||
}
|
||||
|
||||
func TestRoutersGetByRoute(t *testing.T) {
|
||||
routers := NewRouters()
|
||||
require.NoError(t, routers.Add("example.com", "/api", "alice", "exact-user"))
|
||||
require.NoError(t, routers.Add("example.com", "/api", "", "exact-all-users"))
|
||||
require.NoError(t, routers.Add("exact.example.com", "/api", "", "exact-subdomain"))
|
||||
require.NoError(t, routers.Add("*.example.com", "/api", "", "wildcard-all-users"))
|
||||
require.NoError(t, routers.Add("*.foo.example.com", "/api", "", "specific-wildcard"))
|
||||
require.NoError(t, routers.Add("*.bar.com", "/api", "", "wildcard-parent-domain"))
|
||||
require.NoError(t, routers.Add("*", "/admin", "root", "all-domains-user"))
|
||||
require.NoError(t, routers.Add("*", "/", "", "all-domains"))
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
domain string
|
||||
location string
|
||||
httpUser string
|
||||
want string
|
||||
}{
|
||||
{
|
||||
name: "exact domain and http user",
|
||||
domain: "example.com",
|
||||
location: "/api/users",
|
||||
httpUser: "alice",
|
||||
want: "exact-user",
|
||||
},
|
||||
{
|
||||
name: "exact domain falls back to all users",
|
||||
domain: "example.com",
|
||||
location: "/api/users",
|
||||
httpUser: "bob",
|
||||
want: "exact-all-users",
|
||||
},
|
||||
{
|
||||
name: "wildcard domain uses all users fallback",
|
||||
domain: "foo.example.com",
|
||||
location: "/api/users",
|
||||
httpUser: "bob",
|
||||
want: "wildcard-all-users",
|
||||
},
|
||||
{
|
||||
name: "mixed-case domain is normalized",
|
||||
domain: "Foo.Example.Com",
|
||||
location: "/api/users",
|
||||
httpUser: "bob",
|
||||
want: "wildcard-all-users",
|
||||
},
|
||||
{
|
||||
name: "exact domain wins over wildcard domain",
|
||||
domain: "exact.example.com",
|
||||
location: "/api/users",
|
||||
httpUser: "bob",
|
||||
want: "exact-subdomain",
|
||||
},
|
||||
{
|
||||
name: "more specific wildcard wins over broader wildcard",
|
||||
domain: "bar.foo.example.com",
|
||||
location: "/api/users",
|
||||
httpUser: "bob",
|
||||
want: "specific-wildcard",
|
||||
},
|
||||
{
|
||||
name: "wildcard walk checks parent domains",
|
||||
domain: "a.b.bar.com",
|
||||
location: "/api/users",
|
||||
httpUser: "bob",
|
||||
want: "wildcard-parent-domain",
|
||||
},
|
||||
{
|
||||
name: "catch-all domain fallback",
|
||||
domain: "foo.test.com",
|
||||
location: "/other",
|
||||
httpUser: "bob",
|
||||
want: "all-domains",
|
||||
},
|
||||
{
|
||||
name: "catch-all domain honors http user",
|
||||
domain: "foo.test.com",
|
||||
location: "/admin/panel",
|
||||
httpUser: "root",
|
||||
want: "all-domains-user",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
router, ok := routers.getByRoute(tt.domain, tt.location, tt.httpUser)
|
||||
require.True(t, ok)
|
||||
require.Equal(t, tt.want, router.payload)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestRoutersGetByRouteNoMatch(t *testing.T) {
|
||||
routers := NewRouters()
|
||||
require.NoError(t, routers.Add("*.example.com", "/api", "", "wildcard-all-users"))
|
||||
require.NoError(t, routers.Add("*.com", "/api", "", "top-level-wildcard"))
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
domain string
|
||||
location string
|
||||
}{
|
||||
{
|
||||
name: "two-label domain does not enter wildcard walk",
|
||||
domain: "example.com",
|
||||
location: "/api/users",
|
||||
},
|
||||
{
|
||||
name: "missing catch-all remains no match",
|
||||
domain: "foo.test.com",
|
||||
location: "/api/users",
|
||||
},
|
||||
{
|
||||
name: "wrong path remains no match",
|
||||
domain: "foo.example.com",
|
||||
location: "/other",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
router, ok := routers.getByRoute(tt.domain, tt.location, "bob")
|
||||
require.False(t, ok)
|
||||
require.Nil(t, router)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestRoutersConcurrentGetByRouteAndAdd(t *testing.T) {
|
||||
routers := NewRouters()
|
||||
require.NoError(t, routers.Add("*.example.com", "/api", "", "wildcard"))
|
||||
|
||||
const readers = 8
|
||||
const iterations = 200
|
||||
|
||||
ctx, cancel := context.WithCancel(context.Background())
|
||||
defer cancel()
|
||||
start := make(chan struct{})
|
||||
errCh := make(chan error, readers+1)
|
||||
var wg sync.WaitGroup
|
||||
|
||||
for id := range readers {
|
||||
wg.Go(func() {
|
||||
<-start
|
||||
for j := range iterations {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return
|
||||
default:
|
||||
}
|
||||
router, ok := routers.getByRoute("foo.example.com", "/api/users", "")
|
||||
if !ok || router == nil || router.payload != "wildcard" {
|
||||
errCh <- fmt.Errorf("reader %d iteration %d got router=%v ok=%v", id, j, router, ok)
|
||||
return
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
wg.Go(func() {
|
||||
<-start
|
||||
for i := range iterations {
|
||||
select {
|
||||
case <-ctx.Done():
|
||||
return
|
||||
default:
|
||||
}
|
||||
err := routers.Add(fmt.Sprintf("host-%d.example.com", i), "/api", "", i)
|
||||
if err != nil {
|
||||
errCh <- err
|
||||
return
|
||||
}
|
||||
}
|
||||
})
|
||||
|
||||
close(start)
|
||||
|
||||
done := make(chan struct{})
|
||||
go func() {
|
||||
wg.Wait()
|
||||
close(done)
|
||||
}()
|
||||
|
||||
select {
|
||||
case <-done:
|
||||
case <-time.After(5 * time.Second):
|
||||
cancel()
|
||||
t.Fatal("concurrent route lookup and add timed out")
|
||||
}
|
||||
|
||||
close(errCh)
|
||||
for err := range errCh {
|
||||
require.NoError(t, err)
|
||||
}
|
||||
}
|
||||
@@ -148,41 +148,9 @@ func (v *Muxer) Listen(ctx context.Context, cfg *RouteConfig) (l *Listener, err
|
||||
}
|
||||
|
||||
func (v *Muxer) getListener(name, path, httpUser string) (*Listener, bool) {
|
||||
findRouter := func(inName, inPath, inHTTPUser string) (*Listener, bool) {
|
||||
vr, ok := v.registryRouter.Get(inName, inPath, inHTTPUser)
|
||||
if ok {
|
||||
return vr.payload.(*Listener), true
|
||||
}
|
||||
// Try to check if there is one proxy that doesn't specify routerByHTTPUser, it means match all.
|
||||
vr, ok = v.registryRouter.Get(inName, inPath, "")
|
||||
if ok {
|
||||
return vr.payload.(*Listener), true
|
||||
}
|
||||
return nil, false
|
||||
}
|
||||
|
||||
// first we check the full hostname
|
||||
// if not exist, then check the wildcard_domain such as *.example.com
|
||||
l, ok := findRouter(name, path, httpUser)
|
||||
vr, ok := v.registryRouter.getByRoute(name, path, httpUser)
|
||||
if ok {
|
||||
return l, true
|
||||
}
|
||||
|
||||
domainSplit := strings.Split(name, ".")
|
||||
for len(domainSplit) >= 3 {
|
||||
domainSplit[0] = "*"
|
||||
name = strings.Join(domainSplit, ".")
|
||||
|
||||
l, ok = findRouter(name, path, httpUser)
|
||||
if ok {
|
||||
return l, true
|
||||
}
|
||||
domainSplit = domainSplit[1:]
|
||||
}
|
||||
// Finally, try to check if there is one proxy that domain is "*" means match all domains.
|
||||
l, ok = findRouter("*", path, httpUser)
|
||||
if ok {
|
||||
return l, true
|
||||
return vr.payload.(*Listener), true
|
||||
}
|
||||
return nil, false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user