mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 04:06:03 +00:00
Merge pull request #113283 from 3point2/kubectl-issue-gh-791
Fix SPDY proxy authentication with percent escaped characters
commit
bdc6fb51bf
@ -184,12 +184,15 @@ func (s *SpdyRoundTripper) dialWithHttpProxy(req *http.Request, proxyURL *url.UR
|
|||||||
|
|
||||||
//nolint:staticcheck // SA1019 ignore deprecated httputil.NewProxyClientConn
|
//nolint:staticcheck // SA1019 ignore deprecated httputil.NewProxyClientConn
|
||||||
proxyClientConn := httputil.NewProxyClientConn(proxyDialConn, nil)
|
proxyClientConn := httputil.NewProxyClientConn(proxyDialConn, nil)
|
||||||
_, err = proxyClientConn.Do(&proxyReq)
|
response, err := proxyClientConn.Do(&proxyReq)
|
||||||
//nolint:staticcheck // SA1019 ignore deprecated httputil.ErrPersistEOF: it might be
|
//nolint:staticcheck // SA1019 ignore deprecated httputil.ErrPersistEOF: it might be
|
||||||
// returned from the invocation of proxyClientConn.Do
|
// returned from the invocation of proxyClientConn.Do
|
||||||
if err != nil && err != httputil.ErrPersistEOF {
|
if err != nil && err != httputil.ErrPersistEOF {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
if response != nil && response.StatusCode >= 300 || response.StatusCode < 200 {
|
||||||
|
return nil, fmt.Errorf("CONNECT request to %s returned response: %s", proxyURL.Redacted(), response.Status)
|
||||||
|
}
|
||||||
|
|
||||||
rwc, _ := proxyClientConn.Hijack()
|
rwc, _ := proxyClientConn.Hijack()
|
||||||
|
|
||||||
@ -294,9 +297,10 @@ func (s *SpdyRoundTripper) proxyAuth(proxyURL *url.URL) string {
|
|||||||
if proxyURL == nil || proxyURL.User == nil {
|
if proxyURL == nil || proxyURL.User == nil {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
credentials := proxyURL.User.String()
|
username := proxyURL.User.Username()
|
||||||
encodedAuth := base64.StdEncoding.EncodeToString([]byte(credentials))
|
password, _ := proxyURL.User.Password()
|
||||||
return fmt.Sprintf("Basic %s", encodedAuth)
|
auth := username + ":" + password
|
||||||
|
return "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
|
||||||
}
|
}
|
||||||
|
|
||||||
// RoundTrip executes the Request and upgrades it. After a successful upgrade,
|
// RoundTrip executes the Request and upgrades it. After a successful upgrade,
|
||||||
|
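Review bot: The added status check in dialWithHttpProxy, `if response != nil && response.StatusCode >= 300 || response.StatusCode < 200 {`, leaves the second comparison unguarded, because `&&` binds tighter than `||` and the condition parses as `(response != nil && response.StatusCode >= 300) || response.StatusCode < 200`. A nil `response` that gets past the error check above (the `httputil.ErrPersistEOF` case is deliberately let through) would panic on the dereference instead of failing the dial. Grouping the range test fixes it: `if response != nil && (response.StatusCode < 200 || response.StatusCode >= 300) {`. Whether a nil response should itself count as a failed CONNECT is worth deciding explicitly, since the code goes straight on to `Hijack()` the connection. The function starts and ends outside the hunk.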
@ -20,7 +20,6 @@ import (
|
|||||||
"context"
|
"context"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/base64"
|
|
||||||
"io"
|
"io"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
@ -291,6 +290,16 @@ func TestRoundTripAndNewConnection(t *testing.T) {
|
|||||||
serverStatusCode: http.StatusSwitchingProtocols,
|
serverStatusCode: http.StatusSwitchingProtocols,
|
||||||
shouldError: false,
|
shouldError: false,
|
||||||
},
|
},
|
||||||
|
"proxied valid https, proxy auth with chars that percent escape -> valid https": {
|
||||||
|
serverFunc: httpsServerValidHostname(t),
|
||||||
|
proxyServerFunc: httpsServerValidHostname(t),
|
||||||
|
proxyAuth: url.UserPassword("proxy user", "proxypasswd%"),
|
||||||
|
clientTLS: &tls.Config{RootCAs: localhostPool},
|
||||||
|
serverConnectionHeader: "Upgrade",
|
||||||
|
serverUpgradeHeader: "SPDY/3.1",
|
||||||
|
serverStatusCode: http.StatusSwitchingProtocols,
|
||||||
|
shouldError: false,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for k, testCase := range testCases {
|
for k, testCase := range testCases {
|
||||||
@ -400,18 +409,19 @@ func TestRoundTripAndNewConnection(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
var expectedProxyAuth string
|
|
||||||
if testCase.proxyAuth != nil {
|
if testCase.proxyAuth != nil {
|
||||||
encodedCredentials := base64.StdEncoding.EncodeToString([]byte(testCase.proxyAuth.String()))
|
expectedUsername := testCase.proxyAuth.Username()
|
||||||
expectedProxyAuth = "Basic " + encodedCredentials
|
expectedPassword, _ := testCase.proxyAuth.Password()
|
||||||
}
|
username, password, ok := (&http.Request{Header: http.Header{"Authorization": []string{proxyCalledWithAuthHeader}}}).BasicAuth()
|
||||||
if len(expectedProxyAuth) == 0 && proxyCalledWithAuth {
|
if !ok {
|
||||||
|
t.Fatalf("invalid proxy auth header %s", proxyCalledWithAuthHeader)
|
||||||
|
}
|
||||||
|
if username != expectedUsername || password != expectedPassword {
|
||||||
|
t.Fatalf("expected proxy auth \"%s:%s\", got \"%s:%s\"", expectedUsername, expectedPassword, username, password)
|
||||||
|
}
|
||||||
|
} else if proxyCalledWithAuth {
|
||||||
t.Fatalf("proxy authorization unexpected, got %q", proxyCalledWithAuthHeader)
|
t.Fatalf("proxy authorization unexpected, got %q", proxyCalledWithAuthHeader)
|
||||||
}
|
}
|
||||||
if proxyCalledWithAuthHeader != expectedProxyAuth {
|
|
||||||
t.Fatalf("expected to see a call to the proxy with credentials %q, got %q", testCase.proxyAuth, proxyCalledWithAuthHeader)
|
|
||||||
}
|
|
||||||
|
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
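Review bot: The new table entry in TestRoundTripAndNewConnection covers only the credential encoding; none of the visible test hunks exercises the CONNECT status check this commit adds to dialWithHttpProxy, so a proxy that refuses the tunnel (for example with 407 for rejected credentials) is untested. A case where the proxy answers the CONNECT with a non-2xx status and the entry sets `shouldError: true` would pin that branch, assuming the proxy handler in this harness can be made to reject the request. A username-only `proxyAuth` entry would also pin the `user:` form that proxyAuth now produces when `Password()` reports no password. The test function starts and ends outside the hunks shown.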