3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-06 10:21:05 +02:00
Code Issues Projects Releases Packages Wiki Activity

autocert: exclude non-https routes (#5733)

Browse source 
Exclude non-https routes from the domains eligible for autocert.
This commit is contained in:
Kenneth Jenkins 2025-07-22 09:28:33 -07:00 committed by GitHub
parent 254b86c479
commit bbf0f60e2d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 44 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

22
internal/autocert/manager.go
View file

@ -496,8 +496,8 @@ func sourceHostnames(cfg *config.Config) []string {
dedupe := map[string]struct{}{} dedupe := map[string]struct{}{}
for p := range cfg.Options.GetAllPolicies() { for p := range cfg.Options.GetAllPolicies() {
if u, _ := urlutil.ParseAndValidateURL(p.From); u != nil && !strings.Contains(u.Host, "*") { if h := eligibleHostname(p); h != "" {
dedupe[u.Hostname()] = struct{}{} dedupe[h] = struct{}{}
} }
} }
if cfg.Options.AuthenticateURLString != "" { if cfg.Options.AuthenticateURLString != "" {
@ -520,6 +520,24 @@ func sourceHostnames(cfg *config.Config) []string {
return h return h
} }
var eligibleSchemes = map[string]struct{}{
"https": {},
"tcp+https": {},
"udp+https": {},
}
// eligibleHostname accepts a route and returns the hostname, if eligible for use
// with autocert, or the empty string if not.
func eligibleHostname(p *config.Policy) string {
u, _ := urlutil.ParseAndValidateURL(p.From)
if u == nil || strings.Contains(u.Host, "*") {
return ""
} else if _, ok := eligibleSchemes[u.Scheme]; !ok {
return ""
}
return u.Hostname()
}
func shouldEnableHTTPChallenge(cfg *config.Config) bool { func shouldEnableHTTPChallenge(cfg *config.Config) bool {
if cfg == nil || cfg.Options == nil { if cfg == nil || cfg.Options == nil {
return false return false

25
internal/autocert/manager_test.go
View file

@ -231,7 +231,7 @@ func TestConfig(t *testing.T) {
require.NoError(t, err) require.NoError(t, err)
p1 := config.Policy{ p1 := config.Policy{
From: "http://from.example.com", To: to, From: "https://from.example.com", To: to,
} }
_ = p1.Validate() _ = p1.Validate()
@ -631,6 +631,29 @@ func Test_configureTrustedRoots(t *testing.T) {
} }
} }
func Test_sourceHostnames(t *testing.T) {
t.Parallel()
cfg := &config.Config{
Options: config.NewDefaultOptions(),
}
cfg.Options.Policies = []config.Policy{
{From: "https://foo.example.com"},
{From: "http://non-https-route.example.com"},
{From: "https://bar.example.com:5443"},
{From: "ssh://ssh-hostname"},
{From: "tcp+https://baz.example.com:1234"},
{From: "udp+https://quux.example.com:5678"},
}
assert.ElementsMatch(t, []string{
"foo.example.com",
"bar.example.com",
"baz.example.com",
"quux.example.com",
}, sourceHostnames(cfg))
}
func TestShouldEnableHTTPChallenge(t *testing.T) { func TestShouldEnableHTTPChallenge(t *testing.T) {
t.Parallel() t.Parallel()