Move snicheck to ctx instead of simulated routing

2026-06-17 19:09:29 +03:00 · 2026-05-28 10:30:07 +02:00
parent f9d9b72380
commit 5026ca97d0
19 changed files with 362 additions and 597 deletions
@@ -13,6 +13,7 @@ import (
 	"time"

 	"github.com/BurntSushi/toml"
+	"github.com/quic-go/quic-go/http3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
@@ -254,7 +255,7 @@ func (s *HTTPSSuite) TestWithConflictingTLSOptions() {
 	assert.ErrorContains(s.T(), err, "tls: no supported versions satisfy MinVersion and MaxVersion")

 	// with unknown tls option
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains(fmt.Sprintf("found different TLS options for routers on the same host %v, so using the default TLS options instead", tr4.TLSClientConfig.ServerName)))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("found different TLS options for routers on the same host, so using the default TLS options instead"))
 	require.NoError(s.T(), err)
 }

@@ -995,19 +996,20 @@ func (s *HTTPSSuite) TestWithDomainFronting() {
 	defer backend2.Close()
 	backend3 := startTestServer("9030", http.StatusOK, "server3")
 	defer backend3.Close()
+	backend5 := startTestServer("9050", http.StatusOK, "server5")
+	defer backend5.Close()

 	file := s.adaptFile("fixtures/https/https_domain_fronting.toml", struct{}{})
 	s.traefikCmd(withConfigFile(file))

 	// wait for Traefik
-	err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 500*time.Millisecond, try.BodyContains("Host(`site1.www.snitest.com`)"))
+	err := try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1000*time.Millisecond, try.BodyContains("Host(`site1.www.snitest.com`)"))
 	require.NoError(s.T(), err)

 	testCases := []struct {
 		desc               string
 		hostHeader         string
 		serverName         string
-		expectedError      bool
 		expectedContent    string
 		expectedStatusCode int
 	}{
@@ -1025,14 +1027,6 @@ func (s *HTTPSSuite) TestWithDomainFronting() {
 			expectedContent:    "server3",
 			expectedStatusCode: http.StatusOK,
 		},
-		{
-			desc:               "Spaces after the host header",
-			hostHeader:         "site3.www.snitest.com ",
-			serverName:         "site3.www.snitest.com",
-			expectedError:      true,
-			expectedContent:    "server3",
-			expectedStatusCode: http.StatusOK,
-		},
 		{
 			desc:               "Spaces after the servername",
 			hostHeader:         "site3.www.snitest.com",
@@ -1040,14 +1034,6 @@ func (s *HTTPSSuite) TestWithDomainFronting() {
 			expectedContent:    "server3",
 			expectedStatusCode: http.StatusOK,
 		},
-		{
-			desc:               "Spaces after the servername and host header",
-			hostHeader:         "site3.www.snitest.com ",
-			serverName:         "site3.www.snitest.com ",
-			expectedError:      true,
-			expectedContent:    "server3",
-			expectedStatusCode: http.StatusOK,
-		},
 		{
 			desc:               "Domain Fronting with same tlsOptions should follow header",
 			hostHeader:         "site1.www.snitest.com",
@@ -1083,6 +1069,34 @@ func (s *HTTPSSuite) TestWithDomainFronting() {
 			expectedContent:    "server1",
 			expectedStatusCode: http.StatusOK,
 		},
+		{
+			desc:               "Domain Fronting with ambiguous TLS options should produce a 421",
+			hostHeader:         "site4.www.snitest.com",
+			serverName:         "site3.www.snitest.com",
+			expectedContent:    "",
+			expectedStatusCode: http.StatusMisdirectedRequest,
+		},
+		{
+			desc:               "Domain Fronting with same non-default TLS options should not produce a 421",
+			hostHeader:         "site5.www.snitest.com",
+			serverName:         "site3.www.snitest.com",
+			expectedContent:    "server5",
+			expectedStatusCode: http.StatusOK,
+		},
+		{
+			desc:               "FQDN host header with empty SNI to non-default TLS options route should produce a 421",
+			hostHeader:         "site3.www.snitest.com.",
+			serverName:         "",
+			expectedContent:    "",
+			expectedStatusCode: http.StatusMisdirectedRequest,
+		},
+		{
+			desc:               "Non-FQDN host header with empty SNI matching FQDN route rule should produce a 421",
+			hostHeader:         "site6.www.snitest.com",
+			serverName:         "",
+			expectedContent:    "",
+			expectedStatusCode: http.StatusMisdirectedRequest,
+		},
 	}

 	for _, test := range testCases {
@@ -1091,11 +1105,10 @@ func (s *HTTPSSuite) TestWithDomainFronting() {
 		req.Host = test.hostHeader

 		err = try.RequestWithTransport(req, 500*time.Millisecond, &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true, ServerName: test.serverName}}, try.StatusCodeIs(test.expectedStatusCode), try.BodyContains(test.expectedContent))
-		if test.expectedError {
-			assert.Error(s.T(), err)
-		} else {
-			require.NoError(s.T(), err)
-		}
+		assert.NoError(s.T(), err, "test %s failed with: %v", test.desc, err)
+
+		err = try.RequestWithTransport(req, 500*time.Millisecond, &http3.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true, ServerName: test.serverName}}, try.StatusCodeIs(test.expectedStatusCode), try.BodyContains(test.expectedContent))
+		assert.NoError(s.T(), err, "test %s failed with: %v", test.desc, err)
 	}
 }