
Add HostSNIRegexp rule matcher for TCP

This commit is contained in:
Romain 2022-03-18 16:04:08 +01:00 committed by GitHub
parent 0d58e8d1ad
commit 2da7fa0397
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 311 additions and 7 deletions


@ -1,11 +1,13 @@
package tcp
import (
"bytes"
"errors"
"fmt"
"net"
"regexp"
"sort"
"strconv"
"strings"
"github.com/traefik/traefik/v2/pkg/ip"
@ -17,8 +19,9 @@ import (
)
var tcpFuncs = map[string]func(*matchersTree, ...string) error{
"HostSNI": hostSNI,
"ClientIP": clientIP,
"HostSNI": hostSNI,
"HostSNIRegexp": hostSNIRegexp,
"ClientIP": clientIP,
}
// ParseHostSNI extracts the HostSNIs declared in a rule.
@ -326,3 +329,124 @@ func hostSNI(tree *matchersTree, hosts ...string) error {
return nil
}
// hostSNIRegexp checks if the SNI Host of the connection matches the matcher host regexp.
func hostSNIRegexp(tree *matchersTree, templates ...string) error {
if len(templates) == 0 {
return fmt.Errorf("empty value for \"HostSNIRegexp\" matcher is not allowed")
}
var regexps []*regexp.Regexp
for _, template := range templates {
preparedPattern, err := preparePattern(template)
if err != nil {
return fmt.Errorf("invalid pattern value for \"HostSNIRegexp\" matcher, %q is not a valid pattern: %w", template, err)
}
regexp, err := regexp.Compile(preparedPattern)
if err != nil {
return err
}
regexps = append(regexps, regexp)
}
tree.matcher = func(meta ConnData) bool {
for _, regexp := range regexps {
if regexp.MatchString(meta.serverName) {
return true
}
}
return false
}
return nil
}
// TODO: expose more of containous/mux fork to get rid of the following copied code (https://github.com/containous/mux/blob/8ffa4f6d063c/regexp.go).
// preparePattern builds a regexp pattern from the initial user defined expression.
// This function reuses the code dedicated to host matching of the newRouteRegexp func from the gorilla/mux library.
// https://github.com/containous/mux/tree/8ffa4f6d063c1e2b834a73be6a1515cca3992618.
func preparePattern(template string) (string, error) {
// Check if it is well-formed.
idxs, errBraces := braceIndices(template)
if errBraces != nil {
return "", errBraces
}
defaultPattern := "[^.]+"
pattern := bytes.NewBufferString("")
// Host SNI matching is case-insensitive
fmt.Fprint(pattern, "(?i)")
pattern.WriteByte('^')
var end int
var err error
for i := 0; i < len(idxs); i += 2 {
// Set all values we are interested in.
raw := template[end:idxs[i]]
end = idxs[i+1]
parts := strings.SplitN(template[idxs[i]+1:end-1], ":", 2)
name := parts[0]
patt := defaultPattern
if len(parts) == 2 {
patt = parts[1]
}
// Name or pattern can't be empty.
if name == "" || patt == "" {
return "", fmt.Errorf("mux: missing name or pattern in %q",
template[idxs[i]:end])
}
// Build the regexp pattern.
fmt.Fprintf(pattern, "%s(?P<%s>%s)", regexp.QuoteMeta(raw), varGroupName(i/2), patt)
// Append variable name and compiled pattern.
if err != nil {
return "", err
}
}
// Add the remaining.
raw := template[end:]
pattern.WriteString(regexp.QuoteMeta(raw))
pattern.WriteByte('$')
return pattern.String(), nil
}
// varGroupName builds a capturing group name for the indexed variable.
// This function is a copy of varGroupName func from the gorilla/mux library.
// https://github.com/containous/mux/tree/8ffa4f6d063c1e2b834a73be6a1515cca3992618.
func varGroupName(idx int) string {
return "v" + strconv.Itoa(idx)
}
// braceIndices returns the first level curly brace indices from a string.
// This function is a copy of braceIndices func from the gorilla/mux library.
// https://github.com/containous/mux/tree/8ffa4f6d063c1e2b834a73be6a1515cca3992618.
func braceIndices(s string) ([]int, error) {
var level, idx int
var idxs []int
for i := 0; i < len(s); i++ {
switch s[i] {
case '{':
if level++; level == 1 {
idx = i
}
case '}':
if level--; level == 0 {
idxs = append(idxs, idx, i+1)
} else if level < 0 {
return nil, fmt.Errorf("mux: unbalanced braces in %q", s)
}
}
}
if level != 0 {
return nil, fmt.Errorf("mux: unbalanced braces in %q", s)
}
return idxs, nil
}
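Review bot: The regexp.Compile error in hostSNIRegexp is returned bare (`return err`), while the preparePattern error a few lines above is wrapped with the matcher name and the offending template, so a user pattern that only fails at compile time surfaces without saying which HostSNIRegexp value caused it. Wrapping it the same way, `return fmt.Errorf("invalid pattern value for \"HostSNIRegexp\" matcher, %q is not a valid pattern: %w", template, err)`, keeps the two failure paths consistent. The loop variable in `regexp, err := regexp.Compile(preparedPattern)` and the `for _, regexp := range regexps` inside the matcher closure both shadow the regexp package; naming them `re` avoids that. In preparePattern, `var err error` is never assigned, so the `if err != nil` check after the Fprintf is dead code carried over from the copied mux source and can be dropped along with the declaration.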


@ -108,12 +108,66 @@ func Test_addTCPRoute(t *testing.T) {
serverName: "bar",
matchErr: true,
},
{
desc: "Empty HostSNIRegexp rule",
rule: "HostSNIRegexp()",
serverName: "foobar",
routeErr: true,
},
{
desc: "Empty HostSNIRegexp rule",
rule: "HostSNIRegexp(``)",
serverName: "foobar",
routeErr: true,
},
{
desc: "Valid HostSNIRegexp rule matching",
rule: "HostSNIRegexp(`{subdomain:[a-z]+}.foobar`)",
serverName: "sub.foobar",
},
{
desc: "Valid negative HostSNIRegexp rule matching",
rule: "!HostSNIRegexp(`bar`)",
serverName: "foobar",
},
{
desc: "Valid HostSNIRegexp rule matching with alternative case",
rule: "hostsniregexp(`foobar`)",
serverName: "foobar",
},
{
desc: "Valid HostSNIRegexp rule matching with alternative case",
rule: "HOSTSNIREGEXP(`foobar`)",
serverName: "foobar",
},
{
desc: "Valid HostSNIRegexp rule not matching",
rule: "HostSNIRegexp(`foobar`)",
serverName: "bar",
matchErr: true,
},
{
desc: "Valid negative HostSNI rule not matching",
rule: "!HostSNI(`bar`)",
serverName: "bar",
matchErr: true,
},
{
desc: "Valid HostSNIRegexp rule matching empty servername",
rule: "HostSNIRegexp(`{subdomain:[a-z]*}`)",
serverName: "",
},
{
desc: "Valid HostSNIRegexp rule with one name",
rule: "HostSNIRegexp(`{dummy}`)",
serverName: "toto",
},
{
desc: "Valid HostSNIRegexp rule with one name 2",
rule: "HostSNIRegexp(`{dummy}`)",
serverName: "toto.com",
matchErr: true,
},
{
desc: "Empty ClientIP rule",
rule: "ClientIP()",
@ -608,6 +662,123 @@ func Test_HostSNI(t *testing.T) {
}
}
func Test_HostSNIRegexp(t *testing.T) {
testCases := []struct {
desc string
pattern string
serverNames map[string]bool
buildErr bool
}{
{
desc: "unbalanced braces",
pattern: "subdomain:(foo\\.)?bar\\.com}",
buildErr: true,
},
{
desc: "empty group name",
pattern: "{:(foo\\.)?bar\\.com}",
buildErr: true,
},
{
desc: "empty capturing group",
pattern: "{subdomain:}",
buildErr: true,
},
{
desc: "malformed capturing group",
pattern: "{subdomain:(foo\\.?bar\\.com}",
buildErr: true,
},
{
desc: "not interpreted as a regexp",
pattern: "bar.com",
serverNames: map[string]bool{
"bar.com": true,
"barucom": false,
},
},
{
desc: "capturing group",
pattern: "{subdomain:(foo\\.)?bar\\.com}",
serverNames: map[string]bool{
"foo.bar.com": true,
"bar.com": true,
"fooubar.com": false,
"barucom": false,
"barcom": false,
},
},
{
desc: "non capturing group",
pattern: "{subdomain:(?:foo\\.)?bar\\.com}",
serverNames: map[string]bool{
"foo.bar.com": true,
"bar.com": true,
"fooubar.com": false,
"barucom": false,
"barcom": false,
},
},
{
desc: "regex insensitive",
pattern: "{dummy:[A-Za-z-]+\\.bar\\.com}",
serverNames: map[string]bool{
"FOO.bar.com": true,
"foo.bar.com": true,
"fooubar.com": false,
"barucom": false,
"barcom": false,
},
},
{
desc: "insensitive host",
pattern: "{dummy:[a-z-]+\\.bar\\.com}",
serverNames: map[string]bool{
"FOO.bar.com": true,
"foo.bar.com": true,
"fooubar.com": false,
"barucom": false,
"barcom": false,
},
},
{
desc: "insensitive host simple",
pattern: "foo.bar.com",
serverNames: map[string]bool{
"FOO.bar.com": true,
"foo.bar.com": true,
"fooubar.com": false,
"barucom": false,
"barcom": false,
},
},
}
for _, test := range testCases {
test := test
t.Run(test.desc, func(t *testing.T) {
t.Parallel()
matchersTree := &matchersTree{}
err := hostSNIRegexp(matchersTree, test.pattern)
if test.buildErr {
require.Error(t, err)
return
}
require.NoError(t, err)
for serverName, match := range test.serverNames {
meta := ConnData{
serverName: serverName,
}
assert.Equal(t, match, matchersTree.match(meta))
}
})
}
}
func Test_ClientIP(t *testing.T) {
testCases := []struct {
desc string