Merge current v2.11 into v3.0

2024-02-08 14:15:45 +01:00 · 2024-02-08 14:15:45 +01:00 · bc84fdd006
commit bc84fdd006
parent 9df04df334 d5cb9b50f4
143 changed files with 8736 additions and 6601 deletions
--- a/pkg/server/service/roundtripper.go
+++ b/pkg/server/service/roundtripper.go
@ -1,6 +1,7 @@
 package service

 import (
+	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@ -8,6 +9,7 @@ import (
 	"net"
 	"net/http"
 	"reflect"
+	"strings"
 	"sync"
 	"time"

@ -180,10 +182,71 @@ func (r *RoundTripperManager) createRoundTripper(cfg *dynamic.ServersTransport)

 	// Return directly HTTP/1.1 transport when HTTP/2 is disabled
 	if cfg.DisableHTTP2 {
-		return transport, nil
+		return &KerberosRoundTripper{
+			OriginalRoundTripper: transport,
+			new: func() http.RoundTripper {
+				return transport.Clone()
+			},
+		}, nil
 	}

-	return newSmartRoundTripper(transport, cfg.ForwardingTimeouts)
+	rt, err := newSmartRoundTripper(transport, cfg.ForwardingTimeouts)
+	if err != nil {
+		return nil, err
+	}
+	return &KerberosRoundTripper{
+		OriginalRoundTripper: rt,
+		new: func() http.RoundTripper {
+			return rt.Clone()
+		},
+	}, nil
+}
+
+type KerberosRoundTripper struct {
+	new                  func() http.RoundTripper
+	OriginalRoundTripper http.RoundTripper
+}
+
+type stickyRoundTripper struct {
+	RoundTripper http.RoundTripper
+}
+
+type transportKeyType string
+
+var transportKey transportKeyType = "transport"
+
+func AddTransportOnContext(ctx context.Context) context.Context {
+	return context.WithValue(ctx, transportKey, &stickyRoundTripper{})
+}
+
+func (k *KerberosRoundTripper) RoundTrip(request *http.Request) (*http.Response, error) {
+	value, ok := request.Context().Value(transportKey).(*stickyRoundTripper)
+	if !ok {
+		return k.OriginalRoundTripper.RoundTrip(request)
+	}
+
+	if value.RoundTripper != nil {
+		return value.RoundTripper.RoundTrip(request)
+	}
+
+	resp, err := k.OriginalRoundTripper.RoundTrip(request)
+
+	// If we found that we are authenticating with Kerberos (Negotiate) or NTLM.
+	// We put a dedicated roundTripper in the ConnContext.
+	// This will stick the next calls to the same connection with the backend.
+	if err == nil && containsNTLMorNegotiate(resp.Header.Values("WWW-Authenticate")) {
+		value.RoundTripper = k.new()
+	}
+	return resp, err
+}
+
+func containsNTLMorNegotiate(h []string) bool {
+	for _, s := range h {
+		if strings.HasPrefix(s, "NTLM") || strings.HasPrefix(s, "Negotiate") {
+			return true
+		}
+	}
+	return false
 }

 func createRootCACertPool(rootCAs []types.FileOrContent) *x509.CertPool {