traefik/trunk/49ed06686b6c4be2164c65eb6d807b0fc542aea4.patch

   1 From 49ed06686b6c4be2164c65eb6d807b0fc542aea4 Mon Sep 17 00:00:00 2001
   2 From: Fernandez Ludovic <ludovic@containo.us>
   3 Date: Thu, 13 Aug 2020 19:14:25 +0200
   4 Subject: [PATCH] fix: HTTP smuggling fix.
   5
   6 ---
   7  pkg/middlewares/auth/forward_test.go | 47 ++++++++++++++--------------
   8  1 file changed, 23 insertions(+), 24 deletions(-)
   9
  10 diff --git a/pkg/middlewares/auth/forward_test.go b/pkg/middlewares/auth/forward_test.go
  11 index 7674a1384d..44486379ac 100644
  12 --- a/pkg/middlewares/auth/forward_test.go
  13 +++ b/pkg/middlewares/auth/forward_test.go
  14 @@ -28,7 +28,7 @@ func TestForwardAuthFail(t *testing.T) {
  15         server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  16                 http.Error(w, "Forbidden", http.StatusForbidden)
  17         }))
  18 -       defer server.Close()
  19 +       t.Cleanup(server.Close)
  20
  21         middleware, err := NewForward(context.Background(), next, dynamic.ForwardAuth{
  22                 Address: server.URL,
  23 @@ -36,7 +36,7 @@ func TestForwardAuthFail(t *testing.T) {
  24         require.NoError(t, err)
  25
  26         ts := httptest.NewServer(middleware)
  27 -       defer ts.Close()
  28 +       t.Cleanup(ts.Close)
  29
  30         req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
  31         res, err := http.DefaultClient.Do(req)
  32 @@ -59,7 +59,7 @@ func TestForwardAuthSuccess(t *testing.T) {
  33                 w.Header().Add("X-Auth-Group", "group2")
  34                 fmt.Fprintln(w, "Success")
  35         }))
  36 -       defer server.Close()
  37 +       t.Cleanup(server.Close)
  38
  39         next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  40                 assert.Equal(t, "user@example.com", r.Header.Get("X-Auth-User"))
  41 @@ -76,7 +76,7 @@ func TestForwardAuthSuccess(t *testing.T) {
  42         require.NoError(t, err)
  43
  44         ts := httptest.NewServer(middleware)
  45 -       defer ts.Close()
  46 +       t.Cleanup(ts.Close)
  47
  48         req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
  49         req.Header.Set("X-Auth-Group", "admin_group")
  50 @@ -95,20 +95,19 @@ func TestForwardAuthRedirect(t *testing.T) {
  51         authTs := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  52                 http.Redirect(w, r, "http://example.com/redirect-test", http.StatusFound)
  53         }))
  54 -       defer authTs.Close()
  55 +       t.Cleanup(authTs.Close)
  56
  57         next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  58                 fmt.Fprintln(w, "traefik")
  59         })
  60
  61 -       auth := dynamic.ForwardAuth{
  62 -               Address: authTs.URL,
  63 -       }
  64 +       auth := dynamic.ForwardAuth{Address: authTs.URL}
  65 +
  66         authMiddleware, err := NewForward(context.Background(), next, auth, "authTest")
  67         require.NoError(t, err)
  68
  69         ts := httptest.NewServer(authMiddleware)
  70 -       defer ts.Close()
  71 +       t.Cleanup(ts.Close)
  72
  73         client := &http.Client{
  74                 CheckRedirect: func(r *http.Request, via []*http.Request) error {
  75 @@ -139,7 +138,7 @@ func TestForwardAuthRemoveHopByHopHeaders(t *testing.T) {
  76                 headers := w.Header()
  77                 for _, header := range forward.HopHeaders {
  78                         if header == forward.TransferEncoding {
  79 -                               headers.Add(header, "identity")
  80 +                               headers.Set(header, "chunked")
  81                         } else {
  82                                 headers.Add(header, "test")
  83                         }
  84 @@ -147,29 +146,29 @@ func TestForwardAuthRemoveHopByHopHeaders(t *testing.T) {
  85
  86                 http.Redirect(w, r, "http://example.com/redirect-test", http.StatusFound)
  87         }))
  88 -       defer authTs.Close()
  89 +       t.Cleanup(authTs.Close)
  90
  91         next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  92                 fmt.Fprintln(w, "traefik")
  93         })
  94 -       auth := dynamic.ForwardAuth{
  95 -               Address: authTs.URL,
  96 -       }
  97 -       authMiddleware, err := NewForward(context.Background(), next, auth, "authTest")
  98
  99 -       assert.NoError(t, err, "there should be no error")
 100 +       auth := dynamic.ForwardAuth{Address: authTs.URL}
 101 +
 102 +       authMiddleware, err := NewForward(context.Background(), next, auth, "authTest")
 103 +       require.NoError(t, err)
 104
 105         ts := httptest.NewServer(authMiddleware)
 106 -       defer ts.Close()
 107 +       t.Cleanup(ts.Close)
 108
 109         client := &http.Client{
 110                 CheckRedirect: func(r *http.Request, via []*http.Request) error {
 111                         return http.ErrUseLastResponse
 112                 },
 113         }
 114 +
 115         req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
 116         res, err := client.Do(req)
 117 -       assert.NoError(t, err, "there should be no error")
 118 +       require.NoError(t, err)
 119         assert.Equal(t, http.StatusFound, res.StatusCode, "they should be equal")
 120
 121         for _, header := range forward.HopHeaders {
 122 @@ -177,11 +176,11 @@ func TestForwardAuthRemoveHopByHopHeaders(t *testing.T) {
 123         }
 124
 125         location, err := res.Location()
 126 -       assert.NoError(t, err, "there should be no error")
 127 +       require.NoError(t, err)
 128         assert.Equal(t, "http://example.com/redirect-test", location.String(), "they should be equal")
 129
 130         body, err := ioutil.ReadAll(res.Body)
 131 -       assert.NoError(t, err, "there should be no error")
 132 +       require.NoError(t, err)
 133         assert.NotEmpty(t, string(body), "there should be something in the body")
 134  }
 135
 136 @@ -192,7 +191,7 @@ func TestForwardAuthFailResponseHeaders(t *testing.T) {
 137                 w.Header().Add("X-Foo", "bar")
 138                 http.Error(w, "Forbidden", http.StatusForbidden)
 139         }))
 140 -       defer authTs.Close()
 141 +       t.Cleanup(authTs.Close)
 142
 143         next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 144                 fmt.Fprintln(w, "traefik")
 145 @@ -205,7 +204,7 @@ func TestForwardAuthFailResponseHeaders(t *testing.T) {
 146         require.NoError(t, err)
 147
 148         ts := httptest.NewServer(authMiddleware)
 149 -       defer ts.Close()
 150 +       t.Cleanup(ts.Close)
 151
 152         req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
 153
 154 @@ -407,7 +406,7 @@ func TestForwardAuthUsesTracing(t *testing.T) {
 155                         t.Errorf("expected Mockpfx-Ids-Traceid header to be present in request")
 156                 }
 157         }))
 158 -       defer server.Close()
 159 +       t.Cleanup(server.Close)
 160
 161         next := http.Handler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
 162
 163 @@ -426,7 +425,7 @@ func TestForwardAuthUsesTracing(t *testing.T) {
 164         next = tracingMiddleware.NewEntryPoint(context.Background(), tr, "tracingTest", next)
 165
 166         ts := httptest.NewServer(next)
 167 -       defer ts.Close()
 168 +       t.Cleanup(ts.Close)
 169
 170         req := testhelpers.MustNewRequest(http.MethodGet, ts.URL, nil)
 171         res, err := http.DefaultClient.Do(req)