Add unit tests for PROXY Protocol v1 parser

Author: masaori335

.gitignore

@@ -94,6 +94,7 @@ lib/perl/lib/Apache/TS.pm
 
 iocore/net/test_certlookup
 iocore/net/test_UDPNet
+iocore/net/test_libinknet
 iocore/net/quic/test_QUIC*
 iocore/aio/test_AIO
 iocore/eventsystem/test_IOBuffer

iocore/net/Makefile.am

@@ -37,7 +37,7 @@ AM_CPPFLAGS += \
 
 TESTS = $(check_PROGRAMS)
 
-check_PROGRAMS = test_certlookup test_UDPNet
+check_PROGRAMS = test_certlookup test_UDPNet test_libinknet
 noinst_LIBRARIES = libinknet.a
 
 test_certlookup_LDFLAGS = \
@@ -85,6 +85,36 @@ test_UDPNet_SOURCES = \
 	libinknet_stub.cc \
 	test_I_UDPNet.cc
 
+test_libinknet_SOURCES = \
+	unit_tests/test_ProxyProtocol.cc
+
+test_libinknet_CPPFLAGS = \
+	$(AM_CPPFLAGS) \
+	$(iocore_include_dirs) \
+	-I$(abs_top_srcdir)/tests/include \
+	-I$(abs_top_srcdir)/proxy \
+	-I$(abs_top_srcdir)/proxy/hdrs \
+	-I$(abs_top_srcdir)/proxy/http \
+	-I$(abs_top_srcdir)/proxy/logging \
+	-I$(abs_top_srcdir)/mgmt \
+	-I$(abs_top_srcdir)/mgmt/utils \
+	@OPENSSL_INCLUDES@
+
+test_libinknet_LDFLAGS = \
+	@AM_LDFLAGS@ \
+	@OPENSSL_LDFLAGS@ \
+	@YAMLCPP_LDFLAGS@
+
+test_libinknet_LDADD = \
+	libinknet.a \
+	$(top_builddir)/iocore/eventsystem/libinkevent.a \
+	$(top_builddir)/mgmt/libmgmt_p.la \
+	$(top_builddir)/lib/records/librecords_p.a \
+	$(top_builddir)/src/tscore/libtscore.la \
+	$(top_builddir)/src/tscpp/util/libtscpputil.la \
+	$(top_builddir)/proxy/ParentSelectionStrategy.o \
+	@HWLOC_LIBS@ @OPENSSL_LIBS@ @LIBPCRE@ @YAMLCPP_LIBS@
+
 libinknet_a_SOURCES = \
 	ALPNSupport.cc \
 	BIO_fastopen.cc \

iocore/net/ProxyProtocol.cc

@@ -39,6 +39,10 @@ constexpr ts::TextView PPv2_CONNECTION_PREFACE = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x
 constexpr size_t PPv1_CONNECTION_HEADER_LEN_MIN = 15;
 constexpr size_t PPv2_CONNECTION_HEADER_LEN_MIN = 16;
 
+constexpr ts::TextView PPv1_PROTO_UNKNOWN = "UNKNOWN"sv;
+constexpr ts::TextView PPv1_PROTO_TCP4    = "TCP4"sv;
+constexpr ts::TextView PPv1_PROTO_TCP6    = "TCP6"sv;
+
 /**
    PROXY Protocol v1 Parser
 
@@ -47,15 +51,21 @@ constexpr size_t PPv2_CONNECTION_HEADER_LEN_MIN = 16;
 size_t
 proxy_protocol_v1_parse(ProxyProtocol *pp_info, ts::TextView hdr)
 {
-  //  Find the terminating newline
+  ink_release_assert(hdr.size() >= PPv1_CONNECTION_HEADER_LEN_MIN);
+
+  // Find the terminating newline
   ts::TextView::size_type pos = hdr.find('\n');
   if (pos == hdr.npos) {
-    Debug("proxyprotocol_v1", "ssl_has_proxy_v1: newline not found");
+    Debug("proxyprotocol_v1", "ssl_has_proxy_v1: LF not found");
+    return 0;
+  }
+
+  if (hdr[pos - 1] != '\r') {
+    Debug("proxyprotocol_v1", "ssl_has_proxy_v1: CR not found");
     return 0;
   }
 
   ts::TextView token;
-  in_port_t port;
 
   // All the cases are special and sequence, might as well unroll them.
 
@@ -69,8 +79,28 @@ proxy_protocol_v1_parse(ProxyProtocol *pp_info, ts::TextView hdr)
   Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = PREFACE", static_cast<int>(token.size()), token.data());
 
   // The INET protocol family - TCP4, TCP6 or UNKNOWN
-  token = hdr.split_prefix_at(' ');
-  if (0 == token.size()) {
+  if (PPv1_PROTO_UNKNOWN.isPrefixOf(hdr)) {
+    Debug("proxyprotocol_v1", "proxy_protov1_parse: [UNKNOWN] = INET Family");
+
+    // Ignore anything presented before the CRLF
+    pp_info->version = ProxyProtocolVersion::V1;
+
+    return pos + 1;
+  } else if (PPv1_PROTO_TCP4.isPrefixOf(hdr)) {
+    token = hdr.split_prefix_at(' ');
+    if (0 == token.size()) {
+      return 0;
+    }
+
+    pp_info->ip_family = AF_INET;
+  } else if (PPv1_PROTO_TCP6.isPrefixOf(hdr)) {
+    token = hdr.split_prefix_at(' ');
+    if (0 == token.size()) {
+      return 0;
+    }
+
+    pp_info->ip_family = AF_INET6;
+  } else {
     return 0;
   }
   Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = INET Family", static_cast<int>(token.size()), token.data());
@@ -104,26 +134,29 @@ proxy_protocol_v1_parse(ProxyProtocol *pp_info, ts::TextView hdr)
   }
   Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = Source Port", static_cast<int>(token.size()), token.data());
 
-  if (0 == (port = ts::svtoi(token))) {
-    Debug("proxyprotocol_v1", "proxy_protov1_parse: src port [%d] token [%.*s] failed to parse", port,
+  in_port_t src_port;
+  if (0 == (src_port = ts::svtoi(token))) {
+    Debug("proxyprotocol_v1", "proxy_protov1_parse: src port [%d] token [%.*s] failed to parse", src_port,
           static_cast<int>(token.size()), token.data());
     return 0;
   }
-  pp_info->src_addr.port() = htons(port);
+  pp_info->src_addr.port() = htons(src_port);
 
   // Next is the TCP destination port represented as a decimal number in the range of [0..65535] inclusive.
   // Final trailer is CR LF so split at CR.
   token = hdr.split_prefix_at('\r');
-  if (0 == token.size()) {
+  if (0 == token.size() || token.find(0x20) != token.npos) {
     return 0;
   }
   Debug("proxyprotocol_v1", "proxy_protov1_parse: [%.*s] = Destination Port", static_cast<int>(token.size()), token.data());
-  if (0 == (port = ts::svtoi(token))) {
-    Debug("proxyprotocol_v1", "proxy_protov1_parse: dst port [%d] token [%.*s] failed to parse", port,
+
+  in_port_t dst_port;
+  if (0 == (dst_port = ts::svtoi(token))) {
+    Debug("proxyprotocol_v1", "proxy_protov1_parse: dst port [%d] token [%.*s] failed to parse", dst_port,
           static_cast<int>(token.size()), token.data());
     return 0;
   }
-  pp_info->dst_addr.port() = htons(port);
+  pp_info->dst_addr.port() = htons(dst_port);
 
   pp_info->version = ProxyProtocolVersion::V1;
 

iocore/net/unit_tests/test_ProxyProtocol.cc

@@ -0,0 +1,147 @@
+/** @file
+
+  Catch based unit tests for PROXY Protocol
+
+  @section license License
+
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+ */
+
+#define CATCH_CONFIG_MAIN
+#include "catch.hpp"
+
+#include "ProxyProtocol.h"
+
+using namespace std::literals;
+
+TEST_CASE("PROXY Protocol v1 Parser", "[ProxyProtocol][ProxyProtocolv1]")
+{
+  IpEndpoint src_addr;
+  IpEndpoint dst_addr;
+
+  SECTION("TCP over IPv4")
+  {
+    ts::TextView raw_data = "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv;
+
+    ProxyProtocol pp_info;
+    REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size());
+
+    REQUIRE(ats_ip_pton("192.0.2.1:50000", src_addr) == 0);
+    REQUIRE(ats_ip_pton("198.51.100.1:443", dst_addr) == 0);
+
+    CHECK(pp_info.version == ProxyProtocolVersion::V1);
+    CHECK(pp_info.ip_family == AF_INET);
+    CHECK(pp_info.src_addr == src_addr);
+    CHECK(pp_info.dst_addr == dst_addr);
+  }
+
+  SECTION("TCP over IPv6")
+  {
+    ts::TextView raw_data = "PROXY TCP6 2001:0DB8:0:0:0:0:0:1 2001:0DB8:0:0:0:0:0:2 50000 443\r\n"sv;
+
+    ProxyProtocol pp_info;
+    REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size());
+
+    REQUIRE(ats_ip_pton("[2001:0DB8:0:0:0:0:0:1]:50000", src_addr) == 0);
+    REQUIRE(ats_ip_pton("[2001:0DB8:0:0:0:0:0:2]:443", dst_addr) == 0);
+
+    CHECK(pp_info.version == ProxyProtocolVersion::V1);
+    CHECK(pp_info.ip_family == AF_INET6);
+    CHECK(pp_info.src_addr == src_addr);
+    CHECK(pp_info.dst_addr == dst_addr);
+  }
+
+  SECTION("UNKNOWN connection (short form)")
+  {
+    ts::TextView raw_data = "PROXY UNKNOWN\r\n"sv;
+
+    ProxyProtocol pp_info;
+    REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size());
+
+    CHECK(pp_info.version == ProxyProtocolVersion::V1);
+    CHECK(pp_info.ip_family == AF_UNSPEC);
+  }
+
+  SECTION("UNKNOWN connection (worst case)")
+  {
+    ts::TextView raw_data =
+      "PROXY UNKNOWN ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff 65535 65535\r\n"sv;
+
+    ProxyProtocol pp_info;
+    REQUIRE(proxy_protocol_parse(&pp_info, raw_data) == raw_data.size());
+
+    CHECK(pp_info.version == ProxyProtocolVersion::V1);
+    CHECK(pp_info.ip_family == AF_UNSPEC);
+  }
+
+  SECTION("Malformed Headers")
+  {
+    ProxyProtocol pp_info;
+
+    // lack of some fields
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 \r\n"sv) == 0);
+
+    // invalid preface
+    CHECK(proxy_protocol_parse(&pp_info, "PROX TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXZ TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0);
+
+    // invalid transport protocol & address family
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP1 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY UDP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0);
+
+    // extra space
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY  TCP4 192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4  192.0.2.1 198.51.100.1 50000 443\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1  198.51.100.1 50000 443\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1  50000 443\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000  443\r\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443 \r\n"sv) == 0);
+
+    // invalid CRLF
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\n"sv) == 0);
+    CHECK(proxy_protocol_parse(&pp_info, "PROXY TCP4 192.0.2.1 198.51.100.1 50000 443\r"sv) == 0);
+  }
+}
+
+TEST_CASE("PROXY Protocol v2 Parser", "[ProxyProtocol][ProxyProtocolv2]")
+{
+  SECTION("TCP over IPv4")
+  {
+    uint8_t raw_data[] = {
+      0x0D, 0x0A, 0x0D, 0x0A, 0x00, 0x0D, 0x0A, 0x51, ///< sig
+      0x55, 0x49, 0x54, 0x0A,                         ///<
+      0x02,                                           ///< ver_vmd
+      0x11,                                           ///< fam
+      0x00, 0x0C,                                     ///< len
+      0xC0, 0x00, 0x02, 0x01,                         ///< src_addr
+      0xC6, 0x33, 0x64, 0x01,                         ///< dst_addr
+      0xC3, 0x50,                                     ///< src_port
+      0x01, 0xBB,                                     ///< dst_port
+    };
+
+    ts::TextView tv(reinterpret_cast<char *>(raw_data), sizeof(raw_data));
+
+    ProxyProtocol pp_info;
+    // TODO: add test when implemented. Just checking this doesn't crash for now
+    REQUIRE(proxy_protocol_parse(&pp_info, tv) == 0);
+  }
+}