conformance: HTTPS Redirect tests make requests with inconsistent SNI/Host #2038

Closed
sunjayBhatia opened this issue May 18, 2023 · 0 comments · Fixed by #2039
Labels
area/conformance kind/bug Categorizes issue or PR as related to a bug.

What happened:

This block of tests makes requests with inconsistent SNI and Host specifications:

```go
////////////////////////////////////////////////////////////////////////////
// Test cases that use http-route-for-listener-on-port-443
////////////////////////////////////////////////////////////////////////////
testCases = []http.ExpectedResponse{
	{
		Request: http.Request{
			Path:             "/scheme-nil-and-port-nil",
			UnfollowRedirect: true,
		},
		Response: http.Response{StatusCode: 302},
		RedirectRequest: &roundtripper.RedirectRequest{
			Scheme: "https",
			Host:   "example.org",
		},
		Namespace: ns,
	},
	{
		Request: http.Request{
			Path:             "/scheme-nil-and-port-443",
			UnfollowRedirect: true,
		},
		Response: http.Response{StatusCode: 302},
		RedirectRequest: &roundtripper.RedirectRequest{
			Scheme: "https",
			Host:   "example.org",
		},
		Namespace: ns,
	},
	{
		Request: http.Request{
			Path:             "/scheme-nil-and-port-8443",
			UnfollowRedirect: true,
		},
		Response: http.Response{StatusCode: 302},
		RedirectRequest: &roundtripper.RedirectRequest{
			Scheme: "https",
			Port:   "8443",
			Host:   "example.org",
		},
		Namespace: ns,
	},
	{
		Request: http.Request{
			Path:             "/scheme-http-and-port-nil",
			UnfollowRedirect: true,
		},
		Response: http.Response{StatusCode: 302},
		RedirectRequest: &roundtripper.RedirectRequest{
			Scheme: "http",
			Host:   "example.org",
		},
		Namespace: ns,
	},
	{
		Request: http.Request{
			Path:             "/scheme-http-and-port-80",
			UnfollowRedirect: true,
		},
		Response: http.Response{StatusCode: 302},
		RedirectRequest: &roundtripper.RedirectRequest{
			Scheme: "http",
			Host:   "example.org",
		},
		Namespace: ns,
	},
	{
		Request: http.Request{
			Path:             "/scheme-http-and-port-8080",
			UnfollowRedirect: true,
		},
		Response: http.Response{StatusCode: 302},
		RedirectRequest: &roundtripper.RedirectRequest{
			Scheme: "http",
			Port:   "8080",
			Host:   "example.org",
		},
		Namespace: ns,
	},
}
for i := range testCases {
	tc := testCases[i]
	t.Run("https-listener-on-443/"+tc.GetTestCaseName(i), func(t *testing.T) {
		t.Parallel()
		tls.MakeTLSRequestAndExpectEventuallyConsistentResponse(t, suite.RoundTripper, suite.TimeoutConfig, gwAddr443, cPem, keyPem, "example", tc)
	})
}
```

From Envoy debug logs when running these tests against Contour:

```
[2023-05-18 21:42:12.536][31][debug][conn_handler] [source/extensions/listener_managers/listener_manager/active_tcp_listener.cc:155] [C22] new connection from 172.18.0.1:48360
[2023-05-18 21:42:12.536][25][debug][filter] [source/extensions/filters/listener/tls_inspector/tls_inspector.cc:117] tls:onServerName(), requestedServerName: example
[2023-05-18 21:42:12.536][25][debug][conn_handler] [source/extensions/listener_managers/listener_manager/active_tcp_listener.cc:155] [C23] new connection from 172.18.0.1:48334
[2023-05-18 21:42:12.536][25][debug][filter] [source/extensions/filters/listener/tls_inspector/tls_inspector.cc:117] tls:onServerName(), requestedServerName: example
[2023-05-18 21:42:12.536][25][debug][conn_handler] [source/extensions/listener_managers/listener_manager/active_tcp_listener.cc:155] [C24] new connection from 172.18.0.1:48368
[2023-05-18 21:42:12.539][19][debug][filter] [source/extensions/filters/listener/tls_inspector/tls_inspector.cc:117] tls:onServerName(), requestedServerName: example
[2023-05-18 21:42:12.539][19][debug][conn_handler] [source/extensions/listener_managers/listener_manager/active_tcp_listener.cc:155] [C25] new connection from 172.18.0.1:48330
[2023-05-18 21:42:12.541][31][debug][http] [source/common/http/conn_manager_impl.cc:349] [C22] new stream
[2023-05-18 21:42:12.541][31][debug][http] [source/common/http/conn_manager_impl.cc:1039] [C22][S13650922495304120506] request headers complete (end_stream=true):
':authority', '172.18.255.202'
':path', '/scheme-nil-and-port-443'
':method', 'GET'
'user-agent', 'Go-http-client/1.1'
'x-echo-set-header', ''
'accept-encoding', 'gzip'
```

Note the requested server name `example` and the request `:authority` of the Gateway IP.

The requested server name does not match the redirect hostname that the tests expect to be returned (`example.org`).

The cert configured on the Gateway is also not valid for `example.org` (the generated cert needs to have `*.org` or `example.org` in its SANs):

```go
secret = kubernetes.MustCreateSelfSignedCertSecret(t, "gateway-conformance-infra", "tls-validity-checks-certificate", []string{"*"})
```

```
=== NAME  TestGatewayConformance/HTTPRouteRedirectPortAndScheme/https-listener-on-443/1_request_to_'/scheme-nil-and-port-443'_should_receive_a_302
    tls.go:52: Request failed, not ready yet: Get "https://172.18.255.202/scheme-nil-and-port-443": tls: failed to verify certificate: x509: certificate is valid for *, not example.org (after 29.114248881s)
```

What you expected to happen:

The tests to make requests with a coherent Host and SNI and have cert fixtures with the correct SAN content

How to reproduce it (as minimally and precisely as possible):

Found while running v0.7.0 conformance tests against Contour main

Anything else we need to know?:

N/A for now
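An added example (not code from gateway-api or from this issue) that makes the three consistency checks the report asks for explicit, so a test author can catch a fixture like this before running the suite: it generates a throwaway self-signed cert for a given SAN list and compares the request's SNI, its Host header, the redirect host the test expects, and the cert's SANs. The names `selfSignedCert` and `CheckFixture` are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate whose SANs are
// exactly dnsNames; it stands in for the suite's generated TLS secret.
func selfSignedCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "gateway-conformance"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckFixture lists every way a planned HTTPS test request is incoherent: SNI
// vs Host header, Host vs the redirect host the test expects, and the cert's
// SANs vs the SNI (crypto/tls verifies the cert against the ServerName it sends).
func CheckFixture(sni, host, expectedRedirectHost string, cert *x509.Certificate) []string {
	var problems []string
	if sni != host {
		problems = append(problems, fmt.Sprintf("SNI %q != Host %q", sni, host))
	}
	if host != expectedRedirectHost {
		problems = append(problems, fmt.Sprintf("Host %q != expected redirect host %q", host, expectedRedirectHost))
	}
	if err := cert.VerifyHostname(sni); err != nil {
		problems = append(problems, err.Error()) // e.g. "x509: certificate is valid for *, not example.org"
	}
	return problems
}
```

An empty result means the fixture is sound; with the values from this report (SNI `example`, Host set to the Gateway IP, expected host `example.org`, SAN `*`) all three checks fire.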

@sunjayBhatia sunjayBhatia added the kind/bug Categorizes issue or PR as related to a bug. label May 18, 2023
sunjayBhatia added a commit to sunjayBhatia/gateway-api that referenced this issue May 18, 2023
Tests' expected redirect host was not consistent with the request host,
HTTPS requests were sent with inconsistent SNI and Host, and the cert
presented by the Gateway did not have the correct SANs.

Fixes kubernetes-sigs#2038

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
@shaneutt shaneutt moved this to In Progress in Gateway API: The Road to GA May 19, 2023
@shaneutt shaneutt added this to the v0.7.1 milestone May 19, 2023
@github-project-automation github-project-automation bot moved this from In Progress to Done in Gateway API: The Road to GA May 19, 2023