Use hostname instead of host and split on ":"

Co-authored-by: Christian Ang <angc@vmware.com>
Co-authored-by: Tyler Schultz <tschultz@vmware.com>
This commit is contained in:
Guangyuan Wang 2021-06-28 23:03:05 +00:00
parent 8026729c43
commit 76dc39ac2d
2 changed files with 20 additions and 5 deletions

View File

@ -118,7 +118,6 @@ func (c *tlsCertObserverController) certFromSecret(ns string, secretName string)
} }
func lowercaseHostWithoutPort(issuerURL *url.URL) string { func lowercaseHostWithoutPort(issuerURL *url.URL) string {
lowercaseHost := strings.ToLower(issuerURL.Host) lowercaseHost := strings.ToLower(issuerURL.Hostname())
colonSegments := strings.Split(lowercaseHost, ":") return lowercaseHost
return colonSegments[0]
} }

View File

@ -279,6 +279,17 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
TLS: &v1alpha1.FederationDomainTLSSpec{SecretName: "good-tls-secret-name2"}, TLS: &v1alpha1.FederationDomainTLSSpec{SecretName: "good-tls-secret-name2"},
}, },
} }
federationDomainWithIPv6Issuer := &v1alpha1.FederationDomain{
ObjectMeta: metav1.ObjectMeta{
Name: "ipv6-issuer-federationdomain",
Namespace: installedInNamespace,
},
// Issuer hostname should be treated correctly when it is an IPv6 address. Test with a port number.
Spec: v1alpha1.FederationDomainSpec{
Issuer: "https://[2001:db8::1]:1234/path",
TLS: &v1alpha1.FederationDomainTLSSpec{SecretName: "good-tls-secret-name1"},
},
}
testCrt1 := readTestFile("testdata/test.crt") testCrt1 := readTestFile("testdata/test.crt")
r.NotEmpty(testCrt1) r.NotEmpty(testCrt1)
testCrt2 := readTestFile("testdata/test2.crt") testCrt2 := readTestFile("testdata/test2.crt")
@ -309,6 +320,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithBadIssuer)) r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithBadIssuer))
r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithGoodSecret1)) r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithGoodSecret1))
r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithGoodSecret2)) r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithGoodSecret2))
r.NoError(pinnipedInformerClient.Tracker().Add(federationDomainWithIPv6Issuer))
r.NoError(kubeInformerClient.Tracker().Add(goodTLSSecret1)) r.NoError(kubeInformerClient.Tracker().Add(goodTLSSecret1))
r.NoError(kubeInformerClient.Tracker().Add(goodTLSSecret2)) r.NoError(kubeInformerClient.Tracker().Add(goodTLSSecret2))
r.NoError(kubeInformerClient.Tracker().Add(badTLSSecret)) r.NoError(kubeInformerClient.Tracker().Add(badTLSSecret))
@ -322,7 +334,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
r.Nil(issuerTLSCertSetter.setDefaultTLSCertReceived) r.Nil(issuerTLSCertSetter.setDefaultTLSCertReceived)
r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled) r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 2) r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 3)
// They keys in the map should be lower case and should not include the port numbers, because // They keys in the map should be lower case and should not include the port numbers, because
// TLS SNI says that SNI hostnames must be DNS names (not ports) and must be case insensitive. // TLS SNI says that SNI hostnames must be DNS names (not ports) and must be case insensitive.
@ -334,6 +346,10 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
actualCertificate2 := issuerTLSCertSetter.issuerHostToTLSCertMapReceived["www.issuer-with-good-secret2.com"] actualCertificate2 := issuerTLSCertSetter.issuerHostToTLSCertMapReceived["www.issuer-with-good-secret2.com"]
r.NotNil(actualCertificate2) r.NotNil(actualCertificate2)
r.Equal(expectedCertificate2, *actualCertificate2) r.Equal(expectedCertificate2, *actualCertificate2)
actualCertificate3 := issuerTLSCertSetter.issuerHostToTLSCertMapReceived["2001:db8::1"]
r.NotNil(actualCertificate3)
r.Equal(expectedCertificate1, *actualCertificate3)
}) })
when("there is also a default TLS cert secret with the configured default TLS cert secret name", func() { when("there is also a default TLS cert secret with the configured default TLS cert secret name", func() {
@ -366,7 +382,7 @@ func TestTLSCertObserverControllerSync(t *testing.T) {
r.Equal(expectedDefaultCertificate, *actualDefaultCertificate) r.Equal(expectedDefaultCertificate, *actualDefaultCertificate)
r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled) r.True(issuerTLSCertSetter.setIssuerHostToTLSCertMapWasCalled)
r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 2) r.Len(issuerTLSCertSetter.issuerHostToTLSCertMapReceived, 3)
}) })
}) })
}) })