This is an automated email from the ASF dual-hosted git repository.
masaori pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 0ce2a09 Add unit tests for PROXY Protocol v1 parser (#7332)
0ce2a09 is described below
commit 0ce2a09155d33bc70adfb5cb430f0933f5e882ae
Author: Masaori Koshiba <masa...@apache.org>
AuthorDate: Thu Jan 14 07:46:24 2021 +0900
Add unit tests for PROXY Protocol v1 parser (#7332)
---
.gitignore | 1 +
iocore/net/Makefile.am | 32 +++++-
iocore/net/ProxyProtocol.cc | 57 ++++++++---
iocore/net/unit_tests/test_ProxyProtocol.cc | 147 ++++++++++++++++++++++++++++
4 files changed, 224 insertions(+), 13 deletions(-)
diff --git a/.gitignore b/.gitignore
index d503dab..64feec8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -94,6 +94,7 @@ lib/perl/lib/Apache/TS.pm
iocore/net/test_certlookup
iocore/net/test_UDPNet
+iocore/net/test_libinknet
iocore/net/quic/test_QUIC*
iocore/aio/test_AIO
iocore/eventsystem/test_IOBuffer
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index fa60587..0209c3a 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -37,7 +37,7 @@ AM_CPPFLAGS += \
TESTS = $(check_PROGRAMS)
-check_PROGRAMS = test_certlookup test_UDPNet
+check_PROGRAMS = test_certlookup test_UDPNet test_libinknet
noinst_LIBRARIES = libinknet.a
test_certlookup_LDFLAGS = \
@@ -85,6 +85,36 @@ test_UDPNet_SOURCES = \
libinknet_stub.cc \
test_I_UDPNet.cc
+test_libinknet_SOURCES = \
+ unit_tests/test_ProxyProtocol.cc
+
+test_libinknet_CPPFLAGS = \
+ $(AM_CPPFLAGS) \
+ $(iocore_include_dirs) \
+ -I$(abs_top_srcdir)/tests/include \
+ -I$(abs_top_srcdir)/proxy \
+ -I$(abs_top_srcdir)/proxy/hdrs \
+ -I$(abs_top_srcdir)/proxy/http \
+ -I$(abs_top_srcdir)/proxy/logging \
+ -I$(abs_top_srcdir)/mgmt \
+ -I$(abs_top_srcdir)/mgmt/utils \
+ @OPENSSL_INCLUDES@
+
+test_libinknet_LDFLAGS = \
+ @AM_LDFLAGS@ \
+ @OPENSSL_LDFLAGS@ \
+ @YAMLCPP_LDFLAGS@
+
+test_libinknet_LDADD = \
+ libinknet.a \
+ $(top_builddir)/iocore/eventsystem/libinkevent.a \
+ $(top_builddir)/mgmt/libmgmt_p.la \
+ $(top_builddir)/lib/records/librecords_p.a \
+ $(top_builddir)/src/tscore/libtscore.la \
+ $(top_builddir)/src/tscpp/util/libtscpputil.la \
+ $(top_builddir)/proxy/ParentSelectionStrategy.o \
+ @HWLOC_LIBS@ @OPENSSL_LIBS@ @LIBPCRE@ @YAMLCPP_LIBS@
+
libinknet_a_SOURCES = \
ALPNSupport.cc \
BIO_fastopen.cc \
diff --git a/iocore/net/ProxyProtocol.cc b/iocore/net/ProxyProtocol.cc
index c0cd45a..2de8673 100644
--- a/iocore/net/ProxyProtocol.cc
+++ b/iocore/net/ProxyProtocol.cc
@@ -39,6 +39,10 @@ constexpr ts::TextView PPv2_CONNECTION_PREFACE =
"\x0D\x0A\x0D\x0A\x00\x0D\x0A\x
constexpr size_t PPv1_CONNECTION_HEADER_LEN_MIN = 15;
constexpr size_t PPv2_CONNECTION_HEADER_LEN_MIN = 16;
+constexpr ts::TextView PPv1_PROTO_UNKNOWN = "UNKNOWN"sv;
+constexpr ts::TextView PPv1_PROTO_TCP4 = "TCP4"sv;
+constexpr ts::TextView PPv1_PROTO_TCP6 = "TCP6"sv;
+
/**
PROXY Protocol v1 Parser
@@ -47,15 +51,21 @@ constexpr size_t PPv2_CONNECTION_HEADER_LEN_MIN = 16;
size_t
proxy_protocol_v1_parse(ProxyProtocol *pp_info, ts::TextView hdr)
{
- // Find the terminating newline
+ ink_release_assert(hdr.size() >= PPv1_CONNECTION_HEADER_LEN_MIN);
+
+ // Find the terminating newline
ts::TextView::size_type pos = hdr.find('\n');
if (pos == hdr.npos) {
- Debug("proxyprotocol_v1", "ssl_has_proxy_v1: newline not found");
+ Debug("proxyprotocol_v1", "ssl_has_proxy_v1: LF not found");
+ return 0;
+ }
+
+ if (hdr[pos - 1] != '\r') {
+ Debug("proxyprotocol_v1", "ssl_has_proxy_v1: CR not found");
return 0;
}
ts::TextView token;
- in_port_t port;
// All the cases are special and sequence, might as well unroll them.
@@ -69,8 +79,28 @@ proxy_protocol_v1_parse(ProxyProtocol *pp_info, ts::TextView
hdr)
Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = PREFACE",
static_cast<int>(token.size()), token.data());
// The INET protocol family - TCP4, TCP6 or UNKNOWN
- token = hdr.split_prefix_at(' ');
- if (0 == token.size()) {
+ if (PPv1_PROTO_UNKNOWN.isPrefixOf(hdr)) {
+ Debug("proxyprotocol_v1", "proxy_protov1_parse: [UNKNOWN] = INET Family");
+
+ // Ignore anything presented before the CRLF
+ pp_info->version = ProxyProtocolVersion::V1;
+
+ return pos + 1;
+ } else if (PPv1_PROTO_TCP4.isPrefixOf(hdr)) {
+ token = hdr.split_prefix_at(' ');
+ if (0 == token.size()) {
+ return 0;
+ }
+
+ pp_info->ip_family = AF_INET;
+ } else if (PPv1_PROTO_TCP6.isPrefixOf(hdr)) {
+ token = hdr.split_prefix_at(' ');
+ if (0 == token.size()) {
+ return 0;
+ }
+
+ pp_info->ip_family = AF_INET6;
+ } else {
return 0;
}
Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = INET Family",
static_cast<int>(token.size()), token.data());
@@ -104,26 +134,29 @@ proxy_protocol_v1_parse(ProxyProtocol *pp_info,
ts::TextView hdr)
}
Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = Source Port",
static_cast<int>(token.size()), token.data());
- if (0 == (port = ts::svtoi(token))) {
- Debug("proxyprotocol_v1", "proxy_protov1_parse: src port [%d] token [%.*s]
failed to parse", port,
+ in_port_t src_port = ts::svtoi(token);
+ if (src_port == 0) {
+ Debug("proxyprotocol_v1", "proxy_protov1_parse: src port [%d] token [%.*s]
failed to parse", src_port,
static_cast<int>(token.size()), token.data());
return 0;
}
- pp_info->src_addr.port() = htons(port);
+ pp_info->src_addr.port() = htons(src_port);
// Next is the TCP destination port represented as a decimal number in the
range of [0..65535] inclusive.
// Final trailer is CR LF so split at CR.
token = hdr.split_prefix_at('\r');
- if (0 == token.size()) {
+ if (0 == token.size() || token.find(0x20) != token.npos) {
return 0;
}
Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = Destination Port",
static_cast<int>(token.size()), token.data());
- if (0 == (port = ts::svtoi(token))) {
- Debug("proxyprotocol_v1", "proxy_protov1_parse: dst port [%d] token [%.*s]
failed to parse", port,
+
+ in_port_t dst_port = ts::svtoi(token);
+ if (dst_port == 0) {
+ Debug("proxyprotocol_v1", "proxy_protov1_parse: dst port [%d] token [%.*s]
failed to parse", dst_port,
static_cast<int>(token.size()), token.data());
return 0;
}
- pp_info->dst_addr.port() = htons(port);
+ pp_info->dst_addr.port() = htons(dst_port);
pp_info->version = ProxyProtocolVersion::V1;
diff --git a/iocore/net/unit_tests/test_ProxyProtocol.cc
b/iocore/net/unit_tests/test_ProxyProtocol.cc
new file mode 100644
index 0000000..da2b754
--- /dev/null
+++ b/iocore/net/unit_tests/test_ProxyProtocol.cc
@@ -0,0 +1,147 @@
+/** @file
+
+ Catch based unit tests for PROXY Protocol
+
+ @section license License
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+#define CATCH_CONFIG_MAIN
+#include "catch.hpp"
+
+#include "ProxyProtocol.h"
+
+using namespace std::literals;
+
+TEST_CASE("PROXY Protocol v1 Parser", "[ProxyProtocol][ProxyProtocolv1]")
+{
+ IpEndpoint src_addr;
+ IpEndpoint dst_addr;
+
+ SECTION("TCP over IPv4")
+ {
+ ts::TextView raw_data = "PROXY TCP4 192.0.2.1 198.51.100.1 50000
443\r\n"sv;
+
+ ProxyProtocol pp_info;
+ REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size());
+
+ REQUIRE(ats_ip_pton("192.0.2.1:50000", src_addr) == 0);
+ REQUIRE(ats_ip_pton("198.51.100.1:443", dst_addr) == 0);
+
+ CHECK(pp_info.version == ProxyProtocolVersion::V1);
+ CHECK(pp_info.ip_family == AF_INET);
+ CHECK(pp_info.src_addr == src_addr);
+ CHECK(pp_info.dst_addr == dst_addr);
+ }
+
+ SECTION("TCP over IPv6")
+ {
+ ts::TextView raw_data = "PROXY TCP6 2001:0DB8:0:0:0:0:0:1
2001:0DB8:0:0:0:0:0:2 50000 443\r\n"sv;
+
+ ProxyProtocol pp_info;
+ REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size());
+
+ REQUIRE(ats_ip_pton("[2001:0DB8:0:0:0:0:0:1]:50000", src_addr) == 0);
+ REQUIRE(ats_ip_pton("[2001:0DB8:0:0:0:0:0:2]:443", dst_addr) == 0);
+
+ CHECK(pp_info.version == ProxyProtocolVersion::V1);
+ CHECK(pp_info.ip_family == AF_INET6);
+ CHECK(pp_info.src_addr == src_addr);
+ CHECK(pp_info.dst_addr == dst_addr);
+ }
+
+ SECTION("UNKNOWN connection (short form)")
+ {
+ ts::TextView raw_data = "PROXY UNKNOWN\r\n"sv;
+
+ ProxyProtocol pp_info;
+ REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size());
+
+ CHECK(pp_info.version == ProxyProtocolVersion::V1);
+ CHECK(pp_info.ip_family == AF_UNSPEC);
+ }
+
+ SECTION("UNKNOWN connection (worst case)")
+ {
+ ts::TextView raw_data =
+ "PROXY UNKNOWN ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 65535 65535\r\n"sv;
+
+ ProxyProtocol pp_info;
+ REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size());
+
+ CHECK(pp_info.version == ProxyProtocolVersion::V1);
+ CHECK(pp_info.ip_family == AF_UNSPEC);
+ }
+
+ SECTION("Malformed Headers")
+ {
+ ProxyProtocol pp_info;
+
+ // lack of some fields
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1
198.51.100.1\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1
198.51.100.1\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 \r\n"sv) == 0);
+
+ // invalid preface
+ CHECK(proxy_protocol_parse(&pp_info, "PROX TCP4 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXZ TCP4 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+
+ // invalid transport protocol & address family
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP1 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY UDP4 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+
+ // extra space
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443\r\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443 \r\n"sv) == 0);
+
+ // invalid CRLF
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443\n"sv) == 0);
+ CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1
50000 443\r"sv) == 0);
+ }
+}
+
+TEST_CASE("PROXY Protocol v2 Parser", "[ProxyProtocol][ProxyProtocolv2]")
+{
+ SECTION("TCP over IPv4")
+ {
+ uint8_t raw_data[] = {
+ 0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, ///< sig
+ 0x55, 0x49, 0x54, 0x0A, ///<
+ 0x02, ///< ver_vmd
+ 0x11, ///< fam
+ 0x00, 0x0C, ///< len
+ 0xC0, 0x00, 0x02, 0x01, ///< src_addr
+ 0xC6, 0x33, 0x64, 0x01, ///< dst_addr
+ 0xC3, 0x50, ///< src_port
+ 0x01, 0xBB, ///< dst_port
+ };
+
+ ts::TextView tv(reinterpret_cast<char *>(raw_data), sizeof(raw_data));
+
+ ProxyProtocol pp_info;
+ // TODO: add test when implemented. Just checking this doesn't crash for
now
+ REQUIRE(proxy_protocol_parse(&pp_info, tv) == 0);
+ }
+}
