3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-03 08:50:42 +02:00
Code Issues Projects Releases Packages Wiki Activity

envoy: configure upstream IP SAN match as needed (#4380)

Browse source 
When building an upstream validation context for a particular URL, check
whether the hostname is an IP address. If so, configure the SAN match to
use type IP_ADDRESS rather than DNS.
This commit is contained in:
Kenneth Jenkins 2023-07-21 12:02:51 -07:00 committed by GitHub
parent 26bbcdfe07
commit d2e8ecc7da
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 34 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

18
config/envoyconfig/tls_test.go
View file

@ -21,6 +21,24 @@ func TestBuildSubjectAltNameMatcher(t *testing.T) {
"exact": "example.com"
}
}`, b.buildSubjectAltNameMatcher(&url.URL{Host: "example.com:1234"}, ""))
testutil.AssertProtoJSONEqual(t, `{
"sanType": "IP_ADDRESS",
"matcher": {
"exact": "10.0.0.1"
}
}`, b.buildSubjectAltNameMatcher(&url.URL{Host: "10.0.0.1:1234"}, ""))
testutil.AssertProtoJSONEqual(t, `{
"sanType": "IP_ADDRESS",
"matcher": {
"exact": "fd12:3456:789a:1::1"
}
}`, b.buildSubjectAltNameMatcher(&url.URL{Host: "[fd12:3456:789a:1::1]:1234"}, ""))
testutil.AssertProtoJSONEqual(t, `{
"sanType": "IP_ADDRESS",
"matcher": {
"exact": "fe80::1ff:fe23:4567:890a"
}
}`, b.buildSubjectAltNameMatcher(&url.URL{Host: "[fe80::1ff:fe23:4567:890a%eth2]:1234"}, ""))
testutil.AssertProtoJSONEqual(t, `{
"sanType": "DNS",
"matcher": {