github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 05:57:25 +00:00
Code Issues Projects Releases Wiki Activity

Fix SPDY proxy authentication with special chars

Browse Source 
The username and password sent in the Proxy-Authorization header are not
supposed to be percent escaped prior to being base64 encoded.
This commit is contained in:
Vasili Revelas 2022-11-02 21:45:29 +02:00
parent 0c74b9e00d
commit 23d32cf1bc
2 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
staging/src/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go
View File

@ -297,9 +297,10 @@ func (s *SpdyRoundTripper) proxyAuth(proxyURL *url.URL) string {
if proxyURL == nil || proxyURL.User == nil { if proxyURL == nil || proxyURL.User == nil {
return "" return ""
} }
credentials := proxyURL.User.String() username := proxyURL.User.Username()
encodedAuth := base64.StdEncoding.EncodeToString([]byte(credentials)) password, _ := proxyURL.User.Password()
return fmt.Sprintf("Basic %s", encodedAuth) auth := username + ":" + password
return "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
} }
// RoundTrip executes the Request and upgrades it. After a successful upgrade, // RoundTrip executes the Request and upgrades it. After a successful upgrade,

28
staging/src/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper_test.go
View File

@ -20,7 +20,6 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"encoding/base64"
"io" "io"
"net" "net"
"net/http" "net/http"
@ -291,6 +290,16 @@ func TestRoundTripAndNewConnection(t *testing.T) {
serverStatusCode: http.StatusSwitchingProtocols, serverStatusCode: http.StatusSwitchingProtocols,
shouldError: false, shouldError: false,
}, },
"proxied valid https, proxy auth with chars that percent escape -> valid https": {
serverFunc: httpsServerValidHostname(t),
proxyServerFunc: httpsServerValidHostname(t),
proxyAuth: url.UserPassword("proxy user", "proxypasswd%"),
clientTLS: &tls.Config{RootCAs: localhostPool},
serverConnectionHeader: "Upgrade",
serverUpgradeHeader: "SPDY/3.1",
serverStatusCode: http.StatusSwitchingProtocols,
shouldError: false,
},
} }
for k, testCase := range testCases { for k, testCase := range testCases {
@ -400,18 +409,19 @@ func TestRoundTripAndNewConnection(t *testing.T) {
} }
} }
var expectedProxyAuth string
if testCase.proxyAuth != nil { if testCase.proxyAuth != nil {
encodedCredentials := base64.StdEncoding.EncodeToString([]byte(testCase.proxyAuth.String())) expectedUsername := testCase.proxyAuth.Username()
expectedProxyAuth = "Basic " + encodedCredentials expectedPassword, _ := testCase.proxyAuth.Password()
username, password, ok := (&http.Request{Header: http.Header{"Authorization": []string{proxyCalledWithAuthHeader}}}).BasicAuth()
if !ok {
t.Fatalf("invalid proxy auth header %s", proxyCalledWithAuthHeader)
} }
if len(expectedProxyAuth) == 0 && proxyCalledWithAuth { if username != expectedUsername || password != expectedPassword {
t.Fatalf("expected proxy auth \"%s:%s\", got \"%s:%s\"", expectedUsername, expectedPassword, username, password)
}
} else if proxyCalledWithAuth {
t.Fatalf("proxy authorization unexpected, got %q", proxyCalledWithAuthHeader) t.Fatalf("proxy authorization unexpected, got %q", proxyCalledWithAuthHeader)
} }
if proxyCalledWithAuthHeader != expectedProxyAuth {
t.Fatalf("expected to see a call to the proxy with credentials %q, got %q", testCase.proxyAuth, proxyCalledWithAuthHeader)
}
}) })
} }
} }