This is an automated email from the ASF dual-hosted git repository. masaori pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new 0ce2a09 Add unit tests for PROXY Protocol v1 parser (#7332) 0ce2a09 is described below commit 0ce2a09155d33bc70adfb5cb430f0933f5e882ae Author: Masaori Koshiba <masa...@apache.org> AuthorDate: Thu Jan 14 07:46:24 2021 +0900 Add unit tests for PROXY Protocol v1 parser (#7332) --- .gitignore | 1 + iocore/net/Makefile.am | 32 +++++- iocore/net/ProxyProtocol.cc | 57 ++++++++--- iocore/net/unit_tests/test_ProxyProtocol.cc | 147 ++++++++++++++++++++++++++++ 4 files changed, 224 insertions(+), 13 deletions(-) diff --git a/.gitignore b/.gitignore index d503dab..64feec8 100644 --- a/.gitignore +++ b/.gitignore @@ -94,6 +94,7 @@ lib/perl/lib/Apache/TS.pm iocore/net/test_certlookup iocore/net/test_UDPNet +iocore/net/test_libinknet iocore/net/quic/test_QUIC* iocore/aio/test_AIO iocore/eventsystem/test_IOBuffer diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am index fa60587..0209c3a 100644 --- a/iocore/net/Makefile.am +++ b/iocore/net/Makefile.am @@ -37,7 +37,7 @@ AM_CPPFLAGS += \ TESTS = $(check_PROGRAMS) -check_PROGRAMS = test_certlookup test_UDPNet +check_PROGRAMS = test_certlookup test_UDPNet test_libinknet noinst_LIBRARIES = libinknet.a test_certlookup_LDFLAGS = \ @@ -85,6 +85,36 @@ test_UDPNet_SOURCES = \ libinknet_stub.cc \ test_I_UDPNet.cc +test_libinknet_SOURCES = \ + unit_tests/test_ProxyProtocol.cc + +test_libinknet_CPPFLAGS = \ + $(AM_CPPFLAGS) \ + $(iocore_include_dirs) \ + -I$(abs_top_srcdir)/tests/include \ + -I$(abs_top_srcdir)/proxy \ + -I$(abs_top_srcdir)/proxy/hdrs \ + -I$(abs_top_srcdir)/proxy/http \ + -I$(abs_top_srcdir)/proxy/logging \ + -I$(abs_top_srcdir)/mgmt \ + -I$(abs_top_srcdir)/mgmt/utils \ + @OPENSSL_INCLUDES@ + +test_libinknet_LDFLAGS = \ + @AM_LDFLAGS@ \ + @OPENSSL_LDFLAGS@ \ + @YAMLCPP_LDFLAGS@ + +test_libinknet_LDADD = \ + libinknet.a \ + $(top_builddir)/iocore/eventsystem/libinkevent.a \ + $(top_builddir)/mgmt/libmgmt_p.la \ + $(top_builddir)/lib/records/librecords_p.a \ + $(top_builddir)/src/tscore/libtscore.la \ + $(top_builddir)/src/tscpp/util/libtscpputil.la \ + $(top_builddir)/proxy/ParentSelectionStrategy.o \ + @HWLOC_LIBS@ @OPENSSL_LIBS@ @LIBPCRE@ @YAMLCPP_LIBS@ + libinknet_a_SOURCES = \ ALPNSupport.cc \ BIO_fastopen.cc \ diff --git a/iocore/net/ProxyProtocol.cc b/iocore/net/ProxyProtocol.cc index c0cd45a..2de8673 100644 --- a/iocore/net/ProxyProtocol.cc +++ b/iocore/net/ProxyProtocol.cc @@ -39,6 +39,10 @@ constexpr ts::TextView PPv2_CONNECTION_PREFACE = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x constexpr size_t PPv1_CONNECTION_HEADER_LEN_MIN = 15; constexpr size_t PPv2_CONNECTION_HEADER_LEN_MIN = 16; +constexpr ts::TextView PPv1_PROTO_UNKNOWN = "UNKNOWN"sv; +constexpr ts::TextView PPv1_PROTO_TCP4 = "TCP4"sv; +constexpr ts::TextView PPv1_PROTO_TCP6 = "TCP6"sv; + /** PROXY Protocol v1 Parser @@ -47,15 +51,21 @@ constexpr size_t PPv2_CONNECTION_HEADER_LEN_MIN = 16; size_t proxy_protocol_v1_parse(ProxyProtocol *pp_info, ts::TextView hdr) { - // Find the terminating newline + ink_release_assert(hdr.size() >= PPv1_CONNECTION_HEADER_LEN_MIN); + + // Find the terminating newline ts::TextView::size_type pos = hdr.find('\n'); if (pos == hdr.npos) { - Debug("proxyprotocol_v1", "ssl_has_proxy_v1: newline not found"); + Debug("proxyprotocol_v1", "ssl_has_proxy_v1: LF not found"); + return 0; + } + + if (hdr[pos - 1] != '\r') { + Debug("proxyprotocol_v1", "ssl_has_proxy_v1: CR not found"); return 0; } ts::TextView token; - in_port_t port; // All the cases are special and sequence, might as well unroll them. @@ -69,8 +79,28 @@ proxy_protocol_v1_parse(ProxyProtocol *pp_info, ts::TextView hdr) Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = PREFACE", static_cast<int>(token.size()), token.data()); // The INET protocol family - TCP4, TCP6 or UNKNOWN - token = hdr.split_prefix_at(' '); - if (0 == token.size()) { + if (PPv1_PROTO_UNKNOWN.isPrefixOf(hdr)) { + Debug("proxyprotocol_v1", "proxy_protov1_parse: [UNKNOWN] = INET Family"); + + // Ignore anything presented before the CRLF + pp_info->version = ProxyProtocolVersion::V1; + + return pos + 1; + } else if (PPv1_PROTO_TCP4.isPrefixOf(hdr)) { + token = hdr.split_prefix_at(' '); + if (0 == token.size()) { + return 0; + } + + pp_info->ip_family = AF_INET; + } else if (PPv1_PROTO_TCP6.isPrefixOf(hdr)) { + token = hdr.split_prefix_at(' '); + if (0 == token.size()) { + return 0; + } + + pp_info->ip_family = AF_INET6; + } else { return 0; } Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = INET Family", static_cast<int>(token.size()), token.data()); @@ -104,26 +134,29 @@ proxy_protocol_v1_parse(ProxyProtocol *pp_info, ts::TextView hdr) } Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = Source Port", static_cast<int>(token.size()), token.data()); - if (0 == (port = ts::svtoi(token))) { - Debug("proxyprotocol_v1", "proxy_protov1_parse: src port [%d] token [%.*s] failed to parse", port, + in_port_t src_port = ts::svtoi(token); + if (src_port == 0) { + Debug("proxyprotocol_v1", "proxy_protov1_parse: src port [%d] token [%.*s] failed to parse", src_port, static_cast<int>(token.size()), token.data()); return 0; } - pp_info->src_addr.port() = htons(port); + pp_info->src_addr.port() = htons(src_port); // Next is the TCP destination port represented as a decimal number in the range of [0..65535] inclusive. // Final trailer is CR LF so split at CR. token = hdr.split_prefix_at('\r'); - if (0 == token.size()) { + if (0 == token.size() || token.find(0x20) != token.npos) { return 0; } Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = Destination Port", static_cast<int>(token.size()), token.data()); - if (0 == (port = ts::svtoi(token))) { - Debug("proxyprotocol_v1", "proxy_protov1_parse: dst port [%d] token [%.*s] failed to parse", port, + + in_port_t dst_port = ts::svtoi(token); + if (dst_port == 0) { + Debug("proxyprotocol_v1", "proxy_protov1_parse: dst port [%d] token [%.*s] failed to parse", dst_port, static_cast<int>(token.size()), token.data()); return 0; } - pp_info->dst_addr.port() = htons(port); + pp_info->dst_addr.port() = htons(dst_port); pp_info->version = ProxyProtocolVersion::V1; diff --git a/iocore/net/unit_tests/test_ProxyProtocol.cc b/iocore/net/unit_tests/test_ProxyProtocol.cc new file mode 100644 index 0000000..da2b754 --- /dev/null +++ b/iocore/net/unit_tests/test_ProxyProtocol.cc @@ -0,0 +1,147 @@ +/** @file + + Catch based unit tests for PROXY Protocol + + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */ + +#define CATCH_CONFIG_MAIN +#include "catch.hpp" + +#include "ProxyProtocol.h" + +using namespace std::literals; + +TEST_CASE("PROXY Protocol v1 Parser", "[ProxyProtocol][ProxyProtocolv1]") +{ + IpEndpoint src_addr; + IpEndpoint dst_addr; + + SECTION("TCP over IPv4") + { + ts::TextView raw_data = "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv; + + ProxyProtocol pp_info; + REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size()); + + REQUIRE(ats_ip_pton("192.0.2.1:50000", src_addr) == 0); + REQUIRE(ats_ip_pton("198.51.100.1:443", dst_addr) == 0); + + CHECK(pp_info.version == ProxyProtocolVersion::V1); + CHECK(pp_info.ip_family == AF_INET); + CHECK(pp_info.src_addr == src_addr); + CHECK(pp_info.dst_addr == dst_addr); + } + + SECTION("TCP over IPv6") + { + ts::TextView raw_data = "PROXY TCP6 2001:0DB8:0:0:0:0:0:1 2001:0DB8:0:0:0:0:0:2 50000 443\r\n"sv; + + ProxyProtocol pp_info; + REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size()); + + REQUIRE(ats_ip_pton("[2001:0DB8:0:0:0:0:0:1]:50000", src_addr) == 0); + REQUIRE(ats_ip_pton("[2001:0DB8:0:0:0:0:0:2]:443", dst_addr) == 0); + + CHECK(pp_info.version == ProxyProtocolVersion::V1); + CHECK(pp_info.ip_family == AF_INET6); + CHECK(pp_info.src_addr == src_addr); + CHECK(pp_info.dst_addr == dst_addr); + } + + SECTION("UNKNOWN connection (short form)") + { + ts::TextView raw_data = "PROXY UNKNOWN\r\n"sv; + + ProxyProtocol pp_info; + REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size()); + + CHECK(pp_info.version == ProxyProtocolVersion::V1); + CHECK(pp_info.ip_family == AF_UNSPEC); + } + + SECTION("UNKNOWN connection (worst case)") + { + ts::TextView raw_data = + "PROXY UNKNOWN ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 65535 65535\r\n"sv; + + ProxyProtocol pp_info; + REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size()); + + CHECK(pp_info.version == ProxyProtocolVersion::V1); + CHECK(pp_info.ip_family == AF_UNSPEC); + } + + SECTION("Malformed Headers") + { + ProxyProtocol pp_info; + + // lack of some fields + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 \r\n"sv) == 0); + + // invalid preface + CHECK(proxy_protocol_parse(&pp_info, "PROX TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXZ TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + + // invalid transport protocol & address family + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP1 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY UDP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + + // extra space + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443 \r\n"sv) == 0); + + // invalid CRLF + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\n"sv) == 0); + CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r"sv) == 0); + } +} + +TEST_CASE("PROXY Protocol v2 Parser", "[ProxyProtocol][ProxyProtocolv2]") +{ + SECTION("TCP over IPv4") + { + uint8_t raw_data[] = { + 0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, ///< sig + 0x55, 0x49, 0x54, 0x0A, ///< + 0x02, ///< ver_vmd + 0x11, ///< fam + 0x00, 0x0C, ///< len + 0xC0, 0x00, 0x02, 0x01, ///< src_addr + 0xC6, 0x33, 0x64, 0x01, ///< dst_addr + 0xC3, 0x50, ///< src_port + 0x01, 0xBB, ///< dst_port + }; + + ts::TextView tv(reinterpret_cast<char *>(raw_data), sizeof(raw_data)); + + ProxyProtocol pp_info; + // TODO: add test when implemented. Just checking this doesn't crash for now + REQUIRE(proxy_protocol_parse(&pp_info, tv) == 0); + } +}