Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix missing host header in http check #15337

Merged
merged 7 commits into from
Nov 23, 2022
Merged

Fix missing host header in http check #15337

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
0be23c3
chore: add failing test case
SamMousa Nov 21, 2022
c0ea0bd
fix: set host header directly on request, support host header in tests
SamMousa Nov 21, 2022
3bc312e
fix: case insensitivity of host header
SamMousa Nov 21, 2022
a1b509e
fix: refactor check to use http.Header
SamMousa Nov 21, 2022
b780037
chore: revert changes to serializable objects
SamMousa Nov 23, 2022
b80a16d
chore: make sure test case are uniquely named
SamMousa Nov 23, 2022
5fefab7
chore: add changelog
SamMousa Nov 23, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
9 changes: 8 additions & 1 deletion client/serviceregistration/checks/client.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,14 @@ func (c *checker) checkHTTP(ctx context.Context, qc *QueryContext, q *Query) *st
qr.Status = structs.CheckFailure
return qr
}
request.Header = q.Headers
for header, values := range q.Headers {
for _, value := range values {
request.Header.Add(header, value)
}
}
SamMousa marked this conversation as resolved.
Show resolved Hide resolved

request.Host = request.Header.Get("Host")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note for future readers of this PR: this is safe without checking for it being empty because:

// For client requests, Host optionally overrides the Host
// header to send. If empty, the Request.Write method uses
// the value of URL.Host. Host may contain an international
// domain name.


request.Body = io.NopCloser(strings.NewReader(q.Body))
request = request.WithContext(ctx)

Expand Down
39 changes: 38 additions & 1 deletion client/serviceregistration/checks/client_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -215,12 +215,14 @@ func TestChecker_Do_HTTP_extras(t *testing.T) {
method string
body []byte
headers map[string][]string
host string
)

ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
method = r.Method
body, _ = io.ReadAll(r.Body)
headers = maps.Clone(r.Header)
host = r.Host
w.WriteHeader(http.StatusOK)
}))
defer ts.Close()
Expand All @@ -244,7 +246,7 @@ func TestChecker_Do_HTTP_extras(t *testing.T) {
name string
method string
body string
headers map[string][]string
headers http.Header
}{
{
name: "method GET",
Expand All @@ -269,6 +271,25 @@ func TestChecker_Do_HTTP_extras(t *testing.T) {
[2]string{"Authorization", "Basic ZWxhc3RpYzpjaGFuZ2VtZQ=="},
),
},
{
name: "host header",
method: "GET",
headers: makeHeaders(encoding, agent,
[2]string{"Host", "hello"},
[2]string{"Test-Abc", "hello"},
),
},
{
name: "host header",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: this is the second test case named "host header"; making them unique helps quickly tracking down failures

method: "GET",
body: "",
// This is needed to prevent header normalization by http.Header.Set
headers: func() map[string][]string {
h := makeHeaders(encoding, agent, [2]string{"Test-Abc", "hello"})
h["hoST"] = []string{"heLLO"}
return h
}(),
},
Comment on lines +287 to +292
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We still test sending in weird data although we don't expect our code to ever send us this data since everything is normalized at the edge.

{
name: "with body",
method: "POST",
Expand Down Expand Up @@ -312,9 +333,25 @@ func TestChecker_Do_HTTP_extras(t *testing.T) {
must.Eq(t, http.StatusOK, result.StatusCode,
must.Sprintf("test.URL: %s", ts.URL),
must.Sprintf("headers: %v", tc.headers),
must.Sprintf("received headers: %v", tc.headers),
)
must.Eq(t, tc.method, method)
must.Eq(t, tc.body, string(body))

hostSent := false

for key, values := range tc.headers {
if strings.EqualFold(key, "Host") && len(values) > 0 {
must.Eq(t, values[0], host)
hostSent = true
delete(tc.headers, key)

}
}
if !hostSent {
must.Eq(t, nil, tc.headers["Host"])
}

must.Eq(t, tc.headers, headers)
})
}
Expand Down
11 changes: 8 additions & 3 deletions client/taskenv/services.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package taskenv

import (
"net/http"

"github.com/hashicorp/nomad/nomad/structs"
)

Expand Down Expand Up @@ -50,14 +52,17 @@ func InterpolateServices(taskEnv *TaskEnv, services []*structs.Service) []*struc
return interpolated
}

func interpolateMapStringSliceString(taskEnv *TaskEnv, orig map[string][]string) map[string][]string {
func interpolateMapStringSliceString(taskEnv *TaskEnv, orig map[string][]string) http.Header {
if len(orig) == 0 {
return nil
}

m := make(map[string][]string, len(orig))
m := http.Header{}
for k, vs := range orig {
m[taskEnv.ReplaceEnv(k)] = taskEnv.ParseAndReplace(vs)
for _, v := range taskEnv.ParseAndReplace(vs) {
m.Add(taskEnv.ReplaceEnv(k), v)
}

}
return m
}
Expand Down
10 changes: 6 additions & 4 deletions client/taskenv/services_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package taskenv

import (
"net/http"
"testing"
"time"

Expand Down Expand Up @@ -126,10 +127,11 @@ func TestInterpolate_interpolateMapStringSliceString(t *testing.T) {
})

t.Run("not nil", func(t *testing.T) {
require.Equal(t, map[string][]string{
"a": {"b"},
"bar": {"blah", "c"},
}, interpolateMapStringSliceString(testEnv, map[string][]string{
expected := http.Header{}
expected.Add("a", "b")
expected.Add("bar", "blah")
expected.Add("bar", "c")
require.Equal(t, expected, interpolateMapStringSliceString(testEnv, map[string][]string{
"a": {"b"},
"${foo}": {"${baz}", "c"},
}))
Expand Down
46 changes: 24 additions & 22 deletions nomad/structs/services.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ import (
"strings"
"time"

"net/http"

"github.com/hashicorp/consul/api"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/go-set"
Expand Down Expand Up @@ -53,28 +55,28 @@ const (
// The fields available depend on the service provider the check is being
// registered into.
type ServiceCheck struct {
Name string // Name of the check, defaults to a generated label
Type string // Type of the check - tcp, http, docker and script
Command string // Command is the command to run for script checks
Args []string // Args is a list of arguments for script checks
Path string // path of the health check url for http type check
Protocol string // Protocol to use if check is http, defaults to http
PortLabel string // The port to use for tcp/http checks
Expose bool // Whether to have Envoy expose the check path (connect-enabled group-services only)
AddressMode string // Must be empty, "alloc", "host", or "driver"
Interval time.Duration // Interval of the check
Timeout time.Duration // Timeout of the response from the check before consul fails the check
InitialStatus string // Initial status of the check
TLSSkipVerify bool // Skip TLS verification when Protocol=https
Method string // HTTP Method to use (GET by default)
Header map[string][]string // HTTP Headers for Consul to set when making HTTP checks
CheckRestart *CheckRestart // If and when a task should be restarted based on checks
GRPCService string // Service for GRPC checks
GRPCUseTLS bool // Whether or not to use TLS for GRPC checks
TaskName string // What task to execute this check in
SuccessBeforePassing int // Number of consecutive successes required before considered healthy
FailuresBeforeCritical int // Number of consecutive failures required before considered unhealthy
Body string // Body to use in HTTP check
Name string // Name of the check, defaults to a generated label
Type string // Type of the check - tcp, http, docker and script
Command string // Command is the command to run for script checks
Args []string // Args is a list of arguments for script checks
Path string // path of the health check url for http type check
Protocol string // Protocol to use if check is http, defaults to http
PortLabel string // The port to use for tcp/http checks
Expose bool // Whether to have Envoy expose the check path (connect-enabled group-services only)
AddressMode string // Must be empty, "alloc", "host", or "driver"
Interval time.Duration // Interval of the check
Timeout time.Duration // Timeout of the response from the check before consul fails the check
InitialStatus string // Initial status of the check
TLSSkipVerify bool // Skip TLS verification when Protocol=https
Method string // HTTP Method to use (GET by default)
Header http.Header // HTTP Headers for Consul to set when making HTTP checks
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'd rightfully think that encoding shouldn't care about a type alias. But between Go and optimized MessagePack encoding we can't have nice things. 😀 Changing this value breaks the MessagePack encoding we use to serialize these structs to raft. If you run make generate-structs and then:

func Test_EncodeServiceCheck(t *testing.T) {

	check := &structs.ServiceCheck{
		Name:   uuid.Generate(),
		Type:   "http",
		Header: map[string][]string{"Host": {"example.com"}},
	}

	data := []byte{}
	buf := bytes.NewBuffer(data)
	encoder := codec.NewEncoder(buf, structs.MsgpackHandle)

	err := encoder.Encode(check)
	must.NoError(t, err)

	err = os.WriteFile("encoded.msgpack", buf.Bytes(), 0o700)
	must.NoError(t, err)
}

Then make this change and run make generate-structs again the following test will fail!

func Test_DecodeServiceCheck(t *testing.T) {

	data, err := os.ReadFile("encoded.msgpack")
	must.NoError(t, err)

	buf := bytes.NewBuffer(data)
	decoder := codec.NewDecoder(buf, structs.MsgpackHandle)

	var check *structs.ServiceCheck
	err = decoder.Decode(check)
	must.NoError(t, err)
	must.NotNil(t, check)
	must.Eq(t, "example.com", check.Header.Get("Host"))
}
$ go test -v -count=1 ./nomad -run Test_DecodeServiceCheck
# github.com/hashicorp/nomad/nomad.test
ld: warning: -no_pie is deprecated when targeting new OS versions
=== RUN   Test_DecodeServiceCheck
    assert.go:24:
        service_registration_endpoint_test.go:1547: expected nil error
        ↪ error: msgpack decode error [pos 1]: cannot decode into value of kind: ptr, type: *structs.ServiceCheck, <nil>
--- FAIL: Test_DecodeServiceCheck (0.00s)
FAIL
FAIL    github.com/hashicorp/nomad/nomad        0.525s
FAIL

So unfortunately for backwards compatibility with existing raft entries, we'll need to leave this field untouched and only fix it up in client/serviceregistration/checks/client.go

CheckRestart *CheckRestart // If and when a task should be restarted based on checks
GRPCService string // Service for GRPC checks
GRPCUseTLS bool // Whether or not to use TLS for GRPC checks
TaskName string // What task to execute this check in
SuccessBeforePassing int // Number of consecutive successes required before considered healthy
FailuresBeforeCritical int // Number of consecutive failures required before considered unhealthy
Body string // Body to use in HTTP check
OnUpdate string
}

Expand Down