From 015d1e1fb1ebd9d013f37a1d23bb3453cfc8fe94 Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Thu, 20 Jul 2023 14:40:15 -0700
Subject: [PATCH] envoy: configure upstream IP SAN match as needed

When building an upstream validation context for a particular URL, check whether the hostname is an IP address. If so, configure the SAN match to use type IP_ADDRESS rather than DNS.
---
 config/envoyconfig/tls.go | 12 ++++++++++++
 config/envoyconfig/tls_test.go | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/config/envoyconfig/tls.go b/config/envoyconfig/tls.go
index 66bdc1678..595589fb6 100644
--- a/config/envoyconfig/tls.go
+++ b/config/envoyconfig/tls.go
@@ -5,6 +5,7 @@ import (
 "crypto/x509"
 "encoding/asn1"
 "fmt"
+ "net"
 "net/url"
 "regexp"
 "strings"
@@ -24,6 +25,17 @@ func (b *Builder) buildSubjectAltNameMatcher(
 sni = overrideName
 }
 
+ if net.ParseIP(sni) != nil {
+ return &envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher{
+ SanType: envoy_extensions_transport_sockets_tls_v3.SubjectAltNameMatcher_IP_ADDRESS,
+ Matcher: &envoy_type_matcher_v3.StringMatcher{
+ MatchPattern: &envoy_type_matcher_v3.StringMatcher_Exact{
+ Exact: sni,
+ },
+ },
+ }
+ }
+
 if strings.Contains(sni, "*") {
 pattern := regexp.QuoteMeta(sni)
 pattern = strings.Replace(pattern, "\\*", ".*", -1)
diff --git a/config/envoyconfig/tls_test.go b/config/envoyconfig/tls_test.go
index c41f58696..5baab9a14 100644
--- a/config/envoyconfig/tls_test.go
+++ b/config/envoyconfig/tls_test.go
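Review bot: The new IP branch in buildSubjectAltNameMatcher uses the raw `sni` string as the exact match (`Exact: sni`) even though it has just been parsed with net.ParseIP, so a non-canonical literal (leading zeros, uppercase hex, an IPv4-mapped `::ffff:` form, or an override name spelled differently from how the certificate SAN renders) is matched exactly as written. Envoy presumably compares the matcher against its own textual rendering of the certificate's IP SAN, so such a mismatch would make upstream verification fail rather than succeed — fail closed, but hard to diagnose — and normalizing once avoids it: `if ip := net.ParseIP(sni); ip != nil {` with `Exact: ip.String(),`. A one-line comment above the block would help the next reader: `// IP hosts must match the certificate's IP SAN, not a DNS SAN.` The tls_test.go hunk pins only canonical inputs; a case with a non-canonical literal (a constructed `[fd12:3456:789a:0001::1]:1234`, say) or an IP supplied through the override argument would cover this path. buildSubjectAltNameMatcher begins and ends outside the hunk.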
@@ -21,6 +21,18 @@ func TestBuildSubjectAltNameMatcher(t *testing.T) {
 "exact": "example.com"
 }
 }`, b.buildSubjectAltNameMatcher(&url.URL{Host: "example.com:1234"}, ""))
+ testutil.AssertProtoJSONEqual(t, `{
+ "sanType": "IP_ADDRESS",
+ "matcher": {
+ "exact": "10.0.0.1"
+ }
+ }`, b.buildSubjectAltNameMatcher(&url.URL{Host: "10.0.0.1:1234"}, ""))
+ testutil.AssertProtoJSONEqual(t, `{
+ "sanType": "IP_ADDRESS",
+ "matcher": {
+ "exact": "fd12:3456:789a:1::1"
+ }
+ }`, b.buildSubjectAltNameMatcher(&url.URL{Host: "[fd12:3456:789a:1::1]:1234"}, ""))
 testutil.AssertProtoJSONEqual(t, `{
 "sanType": "DNS",
 "matcher": {