Merge v2.6 into v2.7

2022-03-29 15:43:10 +02:00 · 2022-03-29 15:43:10 +02:00 · 45328ab719
commit 45328ab719
parent c0b0f3f0f7 4b755dc58d
10 changed files with 157 additions and 12 deletions
--- a/pkg/plugins/middlewares.go
+++ b/pkg/plugins/middlewares.go
@ -86,7 +86,7 @@ func (p middlewareBuilder) createConfig(config map[string]interface{}) (reflect.
 	vConfig := results[0]

 	cfg := &mapstructure.DecoderConfig{
-		DecodeHook:       mapstructure.StringToSliceHookFunc(","),
+		DecodeHook:       stringToSliceHookFunc,
 		WeaklyTypedInput: true,
 		Result:           vConfig.Interface(),
 	}
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"reflect"
 	"strings"

 	"github.com/hashicorp/go-multierror"
@ -166,3 +167,26 @@ func checkLocalPluginManifest(descriptor LocalDescriptor) error {

 	return errs.ErrorOrNil()
 }
+
+func stringToSliceHookFunc(f reflect.Kind, t reflect.Kind, data interface{}) (interface{}, error) {
+	if f != reflect.String || t != reflect.Slice {
+		return data, nil
+	}
+
+	raw := data.(string)
+	if raw == "" {
+		return []string{}, nil
+	}
+
+	if strings.Contains(raw, "║") {
+		values := strings.Split(raw, "║")
+		// Removes the first value if the slice has a length of 2 and a first value empty.
+		// It's a workaround to escape the parsing on `,`.
+		if len(values) == 2 && values[0] == "" {
+			return values[1:], nil
+		}
+		return values, nil
+	}
+
+	return strings.Split(raw, ","), nil
+}
--- a/pkg/plugins/plugins_test.go
+++ b/pkg/plugins/plugins_test.go
@ -0,0 +1,60 @@
+package plugins
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_stringToSliceHookFunc(t *testing.T) {
+	testCases := []struct {
+		desc     string
+		data     string
+		expected []string
+	}{
+		{
+			desc:     "without separator",
+			data:     "abc",
+			expected: []string{"abc"},
+		},
+		{
+			desc:     "with the file separator",
+			data:     "a║b║c",
+			expected: []string{"a", "b", "c"},
+		},
+		{
+			desc:     "with the label separator",
+			data:     "a,b,c",
+			expected: []string{"a", "b", "c"},
+		},
+		{
+			desc:     "with the file separator and values with commas",
+			data:     "a,z║b,w║c,x,y",
+			expected: []string{"a,z", "b,w", "c,x,y"},
+		},
+		{
+			desc:     "escaping workaround",
+			data:     "║a,z",
+			expected: []string{"a,z"},
+		},
+		{
+			desc:     "with the file separator and empty item",
+			data:     "║a║z",
+			expected: []string{"", "a", "z"},
+		},
+	}
+
+	for _, test := range testCases {
+		test := test
+		t.Run(test.desc, func(t *testing.T) {
+			t.Parallel()
+
+			values, err := stringToSliceHookFunc(reflect.String, reflect.Slice, test.data)
+			require.NoError(t, err)
+
+			assert.EqualValues(t, test.expected, values)
+		})
+	}
+}
--- a/pkg/plugins/providers.go
+++ b/pkg/plugins/providers.go
@ -93,7 +93,7 @@ func newProvider(builder providerBuilder, config map[string]interface{}, provide
 	}

 	cfg := &mapstructure.DecoderConfig{
-		DecodeHook:       mapstructure.StringToSliceHookFunc(","),
+		DecodeHook:       stringToSliceHookFunc,
 		WeaklyTypedInput: true,
 		Result:           vConfig.Interface(),
 	}
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@ -143,7 +143,18 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
 		if isACMETLS(clientHello) {
 			certificate := acmeTLSStore.GetBestCertificate(clientHello)
 			if certificate == nil {
-				return nil, fmt.Errorf("no certificate for TLSALPN challenge: %s", domainToCheck)
+				log.WithoutContext().Debugf("TLS: no certificate for TLSALPN challenge: %s", domainToCheck)
+				// We want the user to eventually get the (alertUnrecognizedName) "unrecognized
+				// name" error.
+				// Unfortunately, if we returned an error here, since we can't use
+				// the unexported error (errNoCertificates) that our caller (config.getCertificate
+				// in crypto/tls) uses as a sentinel, it would report an (alertInternalError)
+				// "internal error" instead of an alertUnrecognizedName.
+				// Which is why we return no error, and we let the caller detect that there's
+				// actually no certificate, and fall back into the flow that will report
+				// the desired error.
+				// https://cs.opensource.google/go/go/+/dev.boringcrypto.go1.17:src/crypto/tls/common.go;l=1058
+				return nil, nil
 			}

 			return certificate, nil
@ -155,7 +166,9 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
 		}

 		if sniStrict {
-			return nil, fmt.Errorf("strict SNI enabled - No certificate found for domain: %q, closing connection", domainToCheck)
+			log.WithoutContext().Debugf("TLS: strict SNI enabled - No certificate found for domain: %q, closing connection", domainToCheck)
+			// Same comment as above, as in the isACMETLS case.
+			return nil, nil
 		}

 		log.WithoutContext().Debugf("Serving default certificate for request: %q", domainToCheck)