Fix SPDY proxy authentication with special chars
The username and password sent in the Proxy-Authorization header are not
supposed to be percent escaped prior to being base64 encoded.

Kubernetes-commit: bbb5513b3b4c956c486685886634c71ce7c31b9f
3point2 authored and k8s-publishing-bot committed Nov 2, 2022
1 parent 553a2d6 commit b5e5df6
Showing 2 changed files with 24 additions and 13 deletions.
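--- a/pkg/util/httpstream/spdy/roundtripper.go
+++ b/pkg/util/httpstream/spdy/roundtripper.go
@@ -297,9 +297,10 @@ func (s *SpdyRoundTripper) proxyAuth(proxyURL *url.URL) string {
 if proxyURL == nil || proxyURL.User == nil {
 return ""
 }
-credentials := proxyURL.User.String()
-encodedAuth := base64.StdEncoding.EncodeToString([]byte(credentials))
-return fmt.Sprintf("Basic %s", encodedAuth)
+username := proxyURL.User.Username()
+password, _ := proxyURL.User.Password()
+auth := username + ":" + password
+return "Basic " + base64.StdEncoding.EncodeToString([]byte(auth))
 }
 
 // RoundTrip executes the Request and upgrades it. After a successful upgrade,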
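Review bot: A username that contains `:` is now joined verbatim in `auth := username + ":" + password`, and a Basic-auth receiver splits the decoded value at the first colon, so such a username would be read as a shorter user plus a longer password. RFC 7617 does not allow a colon in the user-id, so this input cannot be encoded correctly; the function should at least say so, e.g. `// proxyAuth returns the Proxy-Authorization value; credentials are sent unescaped (RFC 7617), so a ':' in the username is not representable.` Whether any caller can pass such a proxy URL is not visible here. The signature of proxyAuth appears only in the hunk header, outside the hunk lines.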
30 changes: 20 additions & 10 deletions pkg/util/httpstream/spdy/roundtripper_test.go
@@ -20,7 +20,6 @@ import (
"context"
"crypto/tls"
"crypto/x509"
"encoding/base64"
"io"
"net"
"net/http"
@@ -291,6 +290,16 @@ func TestRoundTripAndNewConnection(t *testing.T) {
serverStatusCode: http.StatusSwitchingProtocols,
shouldError: false,
},
"proxied valid https, proxy auth with chars that percent escape -> valid https": {
serverFunc: httpsServerValidHostname(t),
proxyServerFunc: httpsServerValidHostname(t),
proxyAuth: url.UserPassword("proxy user", "proxypasswd%"),
clientTLS: &tls.Config{RootCAs: localhostPool},
serverConnectionHeader: "Upgrade",
serverUpgradeHeader: "SPDY/3.1",
serverStatusCode: http.StatusSwitchingProtocols,
shouldError: false,
},
}

for k, testCase := range testCases {
@@ -400,18 +409,19 @@ func TestRoundTripAndNewConnection(t *testing.T) {
}
}

var expectedProxyAuth string
if testCase.proxyAuth != nil {
encodedCredentials := base64.StdEncoding.EncodeToString([]byte(testCase.proxyAuth.String()))
expectedProxyAuth = "Basic " + encodedCredentials
}
if len(expectedProxyAuth) == 0 && proxyCalledWithAuth {
expectedUsername := testCase.proxyAuth.Username()
expectedPassword, _ := testCase.proxyAuth.Password()
username, password, ok := (&http.Request{Header: http.Header{"Authorization": []string{proxyCalledWithAuthHeader}}}).BasicAuth()
if !ok {
t.Fatalf("invalid proxy auth header %s", proxyCalledWithAuthHeader)
}
if username != expectedUsername || password != expectedPassword {
t.Fatalf("expected proxy auth \"%s:%s\", got \"%s:%s\"", expectedUsername, expectedPassword, username, password)
}
} else if proxyCalledWithAuth {
t.Fatalf("proxy authorization unexpected, got %q", proxyCalledWithAuthHeader)
}
if proxyCalledWithAuthHeader != expectedProxyAuth {
t.Fatalf("expected to see a call to the proxy with credentials %q, got %q", testCase.proxyAuth, proxyCalledWithAuthHeader)
}

})
}
}
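Review bot: The added case (`"proxy user"` / `"proxypasswd%"`) covers only a space and a percent sign; a password containing `:` (which `BasicAuth()` splits at the first colon) or characters such as `@` and `/` that `Userinfo.String()` escapes is not pinned by any case. A further entry with a constructed value such as `proxyAuth: url.UserPassword("proxy user", "pass:wd@/%"),` would cover them. In the last hunk, when credentials are expected but the proxy received no header, the failure prints `invalid proxy auth header` followed by an empty string; `%q` instead of `%s` would make the empty value visible. TestRoundTripAndNewConnection begins outside the displayed hunks.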
