use authority for sni

author: Håvard Pettersen <havardpe@oath.com> 2020-02-17 13:21:43 +0000
committer: Håvard Pettersen <havardpe@oath.com> 2020-02-21 09:47:50 +0000
commit: 6e23a79c7cef059495a2163de38aca02b8e3c79d (patch)
tree: 416e3fca69e6b00b643345bf68de9d4d8c81f444 /fbench
parent: 25bcc44fcf22a5e4737d6d4551b4a292bc04d4e0 (diff)
9 files changed, 184 insertions, 12 deletions
diff --git a/fbench/CMakeLists.txt b/fbench/CMakeLists.txt
index 5cc56786227..3da632d98a6 100644
--- a/fbench/CMakeLists.txt
+++ b/fbench/CMakeLists.txt
@@ -15,6 +15,7 @@ vespa_define_module(
 
     TESTS
     src/test
+    src/test/authority
 )
 
 vespa_install_script(util/resultfilter.pl vespa-fbench-result-filter.pl bin)
diff --git a/fbench/src/httpclient/CMakeLists.txt b/fbench/src/httpclient/CMakeLists.txt
index 5f3333128b3..a28f3666383 100644
--- a/fbench/src/httpclient/CMakeLists.txt
+++ b/fbench/src/httpclient/CMakeLists.txt
@@ -3,5 +3,6 @@ vespa_add_library(fbench_httpclient STATIC
     SOURCES
     httpclient.cpp
     DEPENDS
+    fbench_util
     fastos
 )
diff --git a/fbench/src/httpclient/httpclient.cpp b/fbench/src/httpclient/httpclient.cpp
index 99134a6e297..9615a6e6df7 100644
--- a/fbench/src/httpclient/httpclient.cpp
+++ b/fbench/src/httpclient/httpclient.cpp
@@ -1,6 +1,7 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 #include "httpclient.h"
 #include <vespa/vespalib/net/socket_spec.h>
+#include <util/authority.h>
 #include <cassert>
 #include <cstring>
 
@@ -29,7 +30,8 @@ HTTPClient::HTTPClient(vespalib::CryptoEngine::SP engine, const char *hostname,
       _keepAlive(keepAlive),
       _headerBenchmarkdataCoverage(headerBenchmarkdataCoverage),
       _extraHeaders(extraHeaders),
-      _authority(authority),
+    _sni_spec(make_sni_spec(authority, hostname, port, _engine->use_tls_when_client())),
+    _host_header_value(make_host_header_value(_sni_spec, _engine->use_tls_when_client())),
     _reuseCount(0),
     _bufsize(10240),
     _buf(new char[_bufsize]),
@@ -51,11 +53,6 @@ HTTPClient::HTTPClient(vespalib::CryptoEngine::SP engine, const char *hostname,
     _dataDone(false),
     _reader(NULL)
 {
-    if (_authority == "") {
-        char tmp[1024];
-        snprintf(tmp, 1024, "%s:%d", hostname, port);
-        _authority = tmp;
-    }
 }
 
 bool
@@ -70,8 +67,7 @@ HTTPClient::connect_socket()
     if (!handle.valid()) {
         return false;
     }
-    _socket = vespalib::SyncCryptoSocket::create_client(*_engine, std::move(handle),
-                                                        vespalib::SocketSpec::from_host_port(_hostname, _port));
+    _socket = vespalib::SyncCryptoSocket::create_client(*_engine, std::move(handle), _sni_spec);
     return bool(_socket);
 }
 
@@ -153,14 +149,14 @@ HTTPClient::Connect(const char *url, bool usePost, const char *content, int cLen
                  "Content-Length: %d\r\n"
                  "%s"
                  "\r\n",
-                 url, _authority.c_str(), cLen, headers.c_str());
+                 url, _host_header_value.c_str(), cLen, headers.c_str());
     } else {
         snprintf(req, req_max,
                  "GET %s HTTP/1.1\r\n"
                  "Host: %s\r\n"
                  "%s"
                  "\r\n",
-                 url, _authority.c_str(), headers.c_str());
+                 url, _host_header_value.c_str(), headers.c_str());
     }
 
     // try to reuse connection if keep-alive is enabled
diff --git a/fbench/src/httpclient/httpclient.h b/fbench/src/httpclient/httpclient.h
index 9c3ccd437d1..cad01826db7 100644
--- a/fbench/src/httpclient/httpclient.h
+++ b/fbench/src/httpclient/httpclient.h
@@ -6,6 +6,7 @@
 #include <vespa/vespalib/net/sync_crypto_socket.h>
 #include <vespa/vespalib/net/crypto_engine.h>
 #include <vespa/vespalib/net/socket_address.h>
+#include <vespa/vespalib/net/socket_spec.h>
 
 /**
  * This class implements a HTTP client that may be used to fetch
@@ -99,7 +100,8 @@ protected:
   bool             _keepAlive;
   bool             _headerBenchmarkdataCoverage;
   std::string      _extraHeaders;
-  std::string      _authority;
+  vespalib::SocketSpec _sni_spec;
+  std::string      _host_header_value;
   uint64_t         _reuseCount;
 
   size_t           _bufsize;
diff --git a/fbench/src/test/authority/CMakeLists.txt b/fbench/src/test/authority/CMakeLists.txt
new file mode 100644
index 00000000000..00f804f43f6
--- /dev/null
+++ b/fbench/src/test/authority/CMakeLists.txt
@@ -0,0 +1,10 @@
+# Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+vespa_add_executable(fbench_authority_test_app TEST
+    SOURCES
+    authority_test.cpp
+    DEPENDS
+    fbench_util
+    vespalib
+    gtest
+)
+vespa_add_test(NAME fbench_authority_test_app COMMAND fbench_authority_test_app)
diff --git a/fbench/src/test/authority/authority_test.cpp b/fbench/src/test/authority/authority_test.cpp
new file mode 100644
index 00000000000..f5d0afa32bb
--- /dev/null
+++ b/fbench/src/test/authority/authority_test.cpp
@@ -0,0 +1,89 @@
+// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+#include <util/authority.h>
+#include <vespa/vespalib/gtest/gtest.h>
+
+using vespalib::SocketSpec;
+
+//-----------------------------------------------------------------------------
+
+TEST(MakeSNISpecTest, host_port_is_parsed_as_expected) {
+    EXPECT_EQ(make_sni_spec("my_host:123", "fallback", 456, false).host(), "my_host");
+    EXPECT_EQ(make_sni_spec("my_host:123", "fallback", 456, true).host(), "my_host");
+    EXPECT_EQ(make_sni_spec("my_host:123", "fallback", 456, false).port(), 123);
+    EXPECT_EQ(make_sni_spec("my_host:123", "fallback", 456, true).port(), 123);
+}
+
+TEST(MakeSNISpecTest, user_info_is_stripped) {
+    EXPECT_EQ(make_sni_spec("myuser:deprecated@my_host:123", "fallback", 456, false).host(), "my_host");
+    EXPECT_EQ(make_sni_spec("myuser:deprecated@my_host:123", "fallback", 456, true).host(), "my_host");
+    EXPECT_EQ(make_sni_spec("myuser:deprecated@my_host:123", "fallback", 456, false).port(), 123);
+    EXPECT_EQ(make_sni_spec("myuser:deprecated@my_host:123", "fallback", 456, true).port(), 123);
+}
+
+TEST(MakeSNISpecTest, port_can_be_skipped) {
+    EXPECT_EQ(make_sni_spec("my_host", "fallback", 456, false).host(), "my_host");
+    EXPECT_EQ(make_sni_spec("my_host", "fallback", 456, true).host(), "my_host");
+    EXPECT_EQ(make_sni_spec("my_host", "fallback", 456, false).port(), 80);
+    EXPECT_EQ(make_sni_spec("my_host", "fallback", 456, true).port(), 443);
+}
+
+TEST(MakeSNISpecTest, quoted_ip_addresses_work_as_expected) {
+    EXPECT_EQ(make_sni_spec("[::1]:123", "fallback", 456, false).host(), "::1");
+    EXPECT_EQ(make_sni_spec("[::1]:123", "fallback", 456, true).host(), "::1");
+    EXPECT_EQ(make_sni_spec("[::1]:123", "fallback", 456, false).port(), 123);
+    EXPECT_EQ(make_sni_spec("[::1]:123", "fallback", 456, true).port(), 123);
+    EXPECT_EQ(make_sni_spec("[::1]", "fallback", 456, false).host(), "::1");
+    EXPECT_EQ(make_sni_spec("[::1]", "fallback", 456, true).host(), "::1");
+    EXPECT_EQ(make_sni_spec("[::1]", "fallback", 456, false).port(), 80);
+    EXPECT_EQ(make_sni_spec("[::1]", "fallback", 456, true).port(), 443);
+}
+
+TEST(MakeSNISpecTest, supplied_host_port_is_used_as_fallback) {
+    EXPECT_EQ(make_sni_spec("", "fallback", 456, false).host(), "fallback");
+    EXPECT_EQ(make_sni_spec("", "fallback", 456, true).host(), "fallback");
+    EXPECT_EQ(make_sni_spec("", "fallback", 456, false).port(), 456);
+    EXPECT_EQ(make_sni_spec("", "fallback", 456, true).port(), 456);
+}
+
+//-----------------------------------------------------------------------------
+
+std::string make_host_header_value(const vespalib::SocketSpec &sni_spec, bool use_https);
+
+TEST(MakeHostHeaderValueTest, host_port_is_formatted_as_expected) {
+    auto my_spec = SocketSpec::from_host_port("myhost", 123);
+    EXPECT_EQ(make_host_header_value(my_spec, false), "myhost:123");
+    EXPECT_EQ(make_host_header_value(my_spec, true), "myhost:123");
+}
+
+TEST(MakeHostHeaderValueTest, inappropriate_spec_gives_empty_host_value) {
+    std::vector<SocketSpec> bad_specs = {
+        SocketSpec::invalid,
+        SocketSpec::from_port(123),
+        SocketSpec::from_name("foo"),
+        SocketSpec::from_path("bar")
+    };
+    for (const auto &spec: bad_specs) {
+        EXPECT_EQ(make_host_header_value(spec, false), "");
+        EXPECT_EQ(make_host_header_value(spec, true), "");
+    }
+}
+
+TEST(MakeHostHeaderValueTest, default_port_is_omitted) {
+    auto spec1 = SocketSpec::from_host_port("myhost", 80);
+    auto spec2 = SocketSpec::from_host_port("myhost", 443);
+    EXPECT_EQ(make_host_header_value(spec1, false), "myhost");
+    EXPECT_EQ(make_host_header_value(spec1, true), "myhost:80");
+    EXPECT_EQ(make_host_header_value(spec2, false), "myhost:443");
+    EXPECT_EQ(make_host_header_value(spec2, true), "myhost");
+}
+
+TEST(MakeHostHeaderValueTest, ipv6_addresses_are_quoted) {
+    auto my_spec = SocketSpec::from_host_port("::1", 123);
+    EXPECT_EQ(make_host_header_value(my_spec, false), "[::1]:123");
+    EXPECT_EQ(make_host_header_value(my_spec, true), "[::1]:123");
+}
+
+//-----------------------------------------------------------------------------
+
+GTEST_MAIN_RUN_ALL_TESTS()
diff --git a/fbench/src/util/CMakeLists.txt b/fbench/src/util/CMakeLists.txt
index 47cc46ffc8f..3cdff26ce16 100644
--- a/fbench/src/util/CMakeLists.txt
+++ b/fbench/src/util/CMakeLists.txt
@@ -1,8 +1,9 @@
 # Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 vespa_add_library(fbench_util STATIC
     SOURCES
+    authority.cpp
+    clientstatus.cpp
     filereader.cpp
     timer.cpp
-    clientstatus.cpp
     DEPENDS
 )
diff --git a/fbench/src/util/authority.cpp b/fbench/src/util/authority.cpp
new file mode 100644
index 00000000000..6247c72d9b0
--- /dev/null
+++ b/fbench/src/util/authority.cpp
@@ -0,0 +1,42 @@
+// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+#include "authority.h"
+#include <vespa/vespalib/util/stringfmt.h>
+#include <cassert>
+
+namespace {
+
+int default_port(bool use_https) { return use_https ? 443 : 80; }
+
+}
+
+vespalib::SocketSpec make_sni_spec(const std::string &authority, const char *hostname, int port, bool use_https) {
+    if (authority.empty()) {
+        return vespalib::SocketSpec::from_host_port(hostname, port);
+    }
+    auto split = authority.rfind('@');
+    std::string spec_str = (split == std::string::npos) ? authority : authority.substr(split + 1);
+    auto a = spec_str.rfind(':');
+    auto b = spec_str.rfind(']');
+    bool has_port = (a != std::string::npos) && ((b == std::string::npos) || (a > b));
+    if (has_port) {
+        spec_str = "tcp/" + spec_str;
+    } else {
+        spec_str = vespalib::make_string("tcp/%s:%d", spec_str.c_str(), default_port(use_https));
+    }
+    // use SocketSpec parser to ensure ipv6 addresses are dequoted
+    return vespalib::SocketSpec(spec_str);
+}
+
+std::string make_host_header_value(const vespalib::SocketSpec &sni_spec, bool use_https) {
+    if (sni_spec.host().empty()) {
+        return "";
+    }
+    if (sni_spec.port() == default_port(use_https)) {
+        return sni_spec.host();
+    }
+    // use SocketSpec formatter to ensure ipv6 addresses are quoted
+    std::string spec_str = sni_spec.spec();
+    assert(spec_str.find("tcp/") == 0);
+    return spec_str.substr(4);
+}
diff --git a/fbench/src/util/authority.h b/fbench/src/util/authority.h
new file mode 100644
index 00000000000..49dab4a29fd
--- /dev/null
+++ b/fbench/src/util/authority.h
@@ -0,0 +1,30 @@
+// Copyright 2020 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+#pragma once
+
+#include <vespa/vespalib/net/socket_spec.h>
+
+/**
+ * Assemble an SNI (Server Name Indication) spec that will be used
+ * when handshaking over TLS. The authority will be used if
+ * non-empty. Hostname/port will be used as fall-back. Note that the
+ * SNI spec will also be used to generate the Host header used in
+ * subsequent HTTP requests.
+ *
+ * @return sni spec
+ * @param authority user-provided authority
+ * @param hostname name of the host we are connecting to
+ * @param port which port we are connecting to
+ * @param use_https are we using https? (TLS)
+ **/
+vespalib::SocketSpec make_sni_spec(const std::string &authority, const char *hostname, int port, bool use_https);
+
+/**
+ * Use an SNI spec to generate a matching Host header to be used in
+ * HTTP requests. Note that default port numbers will be omitted.
+ *
+ * @return host header value
+ * @param sni_spec SNI spec
+ * @param use_https are we using https? (TLS)
+ **/
+std::string make_host_header_value(const vespalib::SocketSpec &sni_spec, bool use_https);
author	Håvard Pettersen <havardpe@oath.com>	2020-02-17 13:21:43 +0000
committer	Håvard Pettersen <havardpe@oath.com>	2020-02-21 09:47:50 +0000
commit	6e23a79c7cef059495a2163de38aca02b8e3c79d (patch)
tree	416e3fca69e6b00b643345bf68de9d4d8c81f444 /fbench
parent	25bcc44fcf22a5e4737d6d4551b4a292bc04d4e0 (diff)