traefik/pkg/server/server_entrypoint_tcp_http3_test.go

package server

import (
	"bufio"
	"context"
	"crypto/tls"
	"net/http"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"github.com/traefik/traefik/v3/pkg/config/static"
	tcprouter "github.com/traefik/traefik/v3/pkg/server/router/tcp"
	"github.com/traefik/traefik/v3/pkg/types"
)

// LocalhostCert is a PEM-encoded TLS cert with SAN IPs
// "127.0.0.1" and "[::1]", expiring at Jan 29 16:00:00 2084 GMT.
// generated from src/crypto/tls:
// go run generate_cert.go  --rsa-bits 2048 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h
var (
	localhostCert = types.FileOrContent(`-----BEGIN CERTIFICATE-----
MIIDOTCCAiGgAwIBAgIQSRJrEpBGFc7tNb1fb5pKFzANBgkqhkiG9w0BAQsFADAS
MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw
MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA6Gba5tHV1dAKouAaXO3/ebDUU4rvwCUg/CNaJ2PT5xLD4N1Vcb8r
bFSW2HXKq+MPfVdwIKR/1DczEoAGf/JWQTW7EgzlXrCd3rlajEX2D73faWJekD0U
aUgz5vtrTXZ90BQL7WvRICd7FlEZ6FPOcPlumiyNmzUqtwGhO+9ad1W5BqJaRI6P
YfouNkwR6Na4TzSj5BrqUfP0FwDizKSJ0XXmh8g8G9mtwxOSN3Ru1QFc61Xyeluk
POGKBV/q6RBNklTNe0gI8usUMlYyoC7ytppNMW7X2vodAelSu25jgx2anj9fDVZu
h7AXF5+4nJS4AAt0n1lNY7nGSsdZas8PbQIDAQABo4GIMIGFMA4GA1UdDwEB/wQE
AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
DgQWBBStsdjh3/JCXXYlQryOrL4Sh7BW5TAuBgNVHREEJzAlggtleGFtcGxlLmNv
bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAxWGI
5NhpF3nwwy/4yB4i/CwwSpLrWUa70NyhvprUBC50PxiXav1TeDzwzLx/o5HyNwsv
cxv3HdkLW59i/0SlJSrNnWdfZ19oTcS+6PtLoVyISgtyN6DpkKpdG1cOkW3Cy2P2
+tK/tKHRP1Y/Ra0RiDpOAmqn0gCOFGz8+lqDIor/T7MTpibL3IxqWfPrvfVRHL3B
grw/ZQTTIVjjh4JBSW3WyWgNo/ikC1lrVxzl4iPUGptxT36Cr7Zk2Bsg0XqwbOvK
5d+NTDREkSnUbie4GeutujmX3Dsx88UiV6UY/4lHJa6I5leHUNOHahRbpbWeOfs/
WkBKOclmOV2xlTVuPw==
-----END CERTIFICATE-----`)

	// LocalhostKey is the private key for localhostCert.
	localhostKey = types.FileOrContent(`-----BEGIN RSA PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDoZtrm0dXV0Aqi
4Bpc7f95sNRTiu/AJSD8I1onY9PnEsPg3VVxvytsVJbYdcqr4w99V3AgpH/UNzMS
gAZ/8lZBNbsSDOVesJ3euVqMRfYPvd9pYl6QPRRpSDPm+2tNdn3QFAvta9EgJ3sW
URnoU85w+W6aLI2bNSq3AaE771p3VbkGolpEjo9h+i42TBHo1rhPNKPkGupR8/QX
AOLMpInRdeaHyDwb2a3DE5I3dG7VAVzrVfJ6W6Q84YoFX+rpEE2SVM17SAjy6xQy
VjKgLvK2mk0xbtfa+h0B6VK7bmODHZqeP18NVm6HsBcXn7iclLgAC3SfWU1jucZK
x1lqzw9tAgMBAAECggEABWzxS1Y2wckblnXY57Z+sl6YdmLV+gxj2r8Qib7g4ZIk
lIlWR1OJNfw7kU4eryib4fc6nOh6O4AWZyYqAK6tqNQSS/eVG0LQTLTTEldHyVJL
dvBe+MsUQOj4nTndZW+QvFzbcm2D8lY5n2nBSxU5ypVoKZ1EqQzytFcLZpTN7d89
EPj0qDyrV4NZlWAwL1AygCwnlwhMQjXEalVF1ylXwU3QzyZ/6MgvF6d3SSUlh+sq
XefuyigXw484cQQgbzopv6niMOmGP3of+yV4JQqUSb3IDmmT68XjGd2Dkxl4iPki
6ZwXf3CCi+c+i/zVEcufgZ3SLf8D99kUGE7v7fZ6AQKBgQD1ZX3RAla9hIhxCf+O
3D+I1j2LMrdjAh0ZKKqwMR4JnHX3mjQI6LwqIctPWTU8wYFECSh9klEclSdCa64s
uI/GNpcqPXejd0cAAdqHEEeG5sHMDt0oFSurL4lyud0GtZvwlzLuwEweuDtvT9cJ
Wfvl86uyO36IW8JdvUprYDctrQKBgQDycZ697qutBieZlGkHpnYWUAeImVA878sJ
w44NuXHvMxBPz+lbJGAg8Cn8fcxNAPqHIraK+kx3po8cZGQywKHUWsxi23ozHoxo
+bGqeQb9U661TnfdDspIXia+xilZt3mm5BPzOUuRqlh4Y9SOBpSWRmEhyw76w4ZP
OPxjWYAgwQKBgA/FehSYxeJgRjSdo+MWnK66tjHgDJE8bYpUZsP0JC4R9DL5oiaA
brd2fI6Y+SbyeNBallObt8LSgzdtnEAbjIH8uDJqyOmknNePRvAvR6mP4xyuR+Bv
m+Lgp0DMWTw5J9CKpydZDItc49T/mJ5tPhdFVd+am0NAQnmr1MCZ6nHxAoGABS3Y
LkaC9FdFUUqSU8+Chkd/YbOkuyiENdkvl6t2e52jo5DVc1T7mLiIrRQi4SI8N9bN
/3oJWCT+uaSLX2ouCtNFunblzWHBrhxnZzTeqVq4SLc8aESAnbslKL4i8/+vYZlN
s8xtiNcSvL+lMsOBORSXzpj/4Ot8WwTkn1qyGgECgYBKNTypzAHeLE6yVadFp3nQ
Ckq9yzvP/ib05rvgbvrne00YeOxqJ9gtTrzgh7koqJyX1L4NwdkEza4ilDWpucn0
xiUZS4SoaJq6ZvcBYS62Yr1t8n09iG47YL8ibgtmH3L+svaotvpVxVK+d7BLevA/
ZboOWVe3icTy64BT3OQhmg==
-----END RSA PRIVATE KEY-----`)
)

func TestHTTP3AdvertisedPort(t *testing.T) {
	certContent, err := localhostCert.Read()
	require.NoError(t, err)

	keyContent, err := localhostKey.Read()
	require.NoError(t, err)

	tlsCert, err := tls.X509KeyPair(certContent, keyContent)
	require.NoError(t, err)

	epConfig := &static.EntryPointsTransport{}
	epConfig.SetDefaults()

	entryPoint, err := NewTCPEntryPoint(context.Background(), &static.EntryPoint{
		Address:          "127.0.0.1:8090",
		Transport:        epConfig,
		ForwardedHeaders: &static.ForwardedHeaders{},
		HTTP2:            &static.HTTP2Config{},
		HTTP3: &static.HTTP3Config{
			AdvertisedPort: 8080,
		},
	}, nil, nil)
	require.NoError(t, err)

	router, err := tcprouter.NewRouter()
	require.NoError(t, err)

	router.AddHTTPTLSConfig("*", &tls.Config{
		Certificates: []tls.Certificate{tlsCert},
	})
	router.SetHTTPSHandler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
		rw.WriteHeader(http.StatusOK)
	}), nil)

	go entryPoint.Start(context.Background())
	entryPoint.SwitchRouter(router)

	conn, err := tls.Dial("tcp", "127.0.0.1:8090", &tls.Config{
		InsecureSkipVerify: true,
	})
	require.NoError(t, err)

	// We are racing with the http3Server readiness happening in the goroutine starting the entrypoint
	time.Sleep(time.Second)

	request, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:8090", nil)
	require.NoError(t, err)

	err = request.Write(conn)
	require.NoError(t, err)

	r, err := http.ReadResponse(bufio.NewReader(conn), nil)
	require.NoError(t, err)

	assert.NotContains(t, r.Header.Get("Alt-Svc"), ":8090")
	assert.Contains(t, r.Header.Get("Alt-Svc"), ":8080")
}
Add HTTP3Config 2021-09-10 21:58:13 +09:00			`package server`

			`import (`
			`"bufio"`
			`"context"`
			`"crypto/tls"`
			`"net/http"`
			`"testing"`
mitigate race against server readiness in test Co-authored-by: Romain <rtribotte@users.noreply.github.com> 2022-12-15 11:18:05 +01:00			`"time"`
Add HTTP3Config 2021-09-10 21:58:13 +09:00
			`"github.com/stretchr/testify/assert"`
			`"github.com/stretchr/testify/require"`
fix: go module 2023-02-03 15:24:05 +01:00			`"github.com/traefik/traefik/v3/pkg/config/static"`
			`tcprouter "github.com/traefik/traefik/v3/pkg/server/router/tcp"`
Support file path as input param for Kubernetes token value 2024-01-11 21:36:06 +05:30			`"github.com/traefik/traefik/v3/pkg/types"`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			`)`

			`// LocalhostCert is a PEM-encoded TLS cert with SAN IPs`
			`// "127.0.0.1" and "[::1]", expiring at Jan 29 16:00:00 2084 GMT.`
			`// generated from src/crypto/tls:`
Update test certificates 2022-02-14 14:08:07 +01:00			`// go run generate_cert.go --rsa-bits 2048 --host 127.0.0.1,::1,example.com --ca --start-date "Jan 1 00:00:00 1970" --duration=1000000h`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			`var (`
Support file path as input param for Kubernetes token value 2024-01-11 21:36:06 +05:30			localhostCert = types.FileOrContent(`-----BEGIN CERTIFICATE-----
Update test certificates 2022-02-14 14:08:07 +01:00			`MIIDOTCCAiGgAwIBAgIQSRJrEpBGFc7tNb1fb5pKFzANBgkqhkiG9w0BAQsFADAS`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			`MRAwDgYDVQQKEwdBY21lIENvMCAXDTcwMDEwMTAwMDAwMFoYDzIwODQwMTI5MTYw`
Update test certificates 2022-02-14 14:08:07 +01:00			`MDAwWjASMRAwDgYDVQQKEwdBY21lIENvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A`
			`MIIBCgKCAQEA6Gba5tHV1dAKouAaXO3/ebDUU4rvwCUg/CNaJ2PT5xLD4N1Vcb8r`
			`bFSW2HXKq+MPfVdwIKR/1DczEoAGf/JWQTW7EgzlXrCd3rlajEX2D73faWJekD0U`
			`aUgz5vtrTXZ90BQL7WvRICd7FlEZ6FPOcPlumiyNmzUqtwGhO+9ad1W5BqJaRI6P`
			`YfouNkwR6Na4TzSj5BrqUfP0FwDizKSJ0XXmh8g8G9mtwxOSN3Ru1QFc61Xyeluk`
			`POGKBV/q6RBNklTNe0gI8usUMlYyoC7ytppNMW7X2vodAelSu25jgx2anj9fDVZu`
			`h7AXF5+4nJS4AAt0n1lNY7nGSsdZas8PbQIDAQABo4GIMIGFMA4GA1UdDwEB/wQE`
			`AwICpDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud`
			`DgQWBBStsdjh3/JCXXYlQryOrL4Sh7BW5TAuBgNVHREEJzAlggtleGFtcGxlLmNv`
			`bYcEfwAAAYcQAAAAAAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAQEAxWGI`
			`5NhpF3nwwy/4yB4i/CwwSpLrWUa70NyhvprUBC50PxiXav1TeDzwzLx/o5HyNwsv`
			`cxv3HdkLW59i/0SlJSrNnWdfZ19oTcS+6PtLoVyISgtyN6DpkKpdG1cOkW3Cy2P2`
			`+tK/tKHRP1Y/Ra0RiDpOAmqn0gCOFGz8+lqDIor/T7MTpibL3IxqWfPrvfVRHL3B`
			`grw/ZQTTIVjjh4JBSW3WyWgNo/ikC1lrVxzl4iPUGptxT36Cr7Zk2Bsg0XqwbOvK`
			`5d+NTDREkSnUbie4GeutujmX3Dsx88UiV6UY/4lHJa6I5leHUNOHahRbpbWeOfs/`
			`WkBKOclmOV2xlTVuPw==`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			-----END CERTIFICATE-----`)

			`// LocalhostKey is the private key for localhostCert.`
Support file path as input param for Kubernetes token value 2024-01-11 21:36:06 +05:30			localhostKey = types.FileOrContent(`-----BEGIN RSA PRIVATE KEY-----
Update test certificates 2022-02-14 14:08:07 +01:00			`MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDoZtrm0dXV0Aqi`
			`4Bpc7f95sNRTiu/AJSD8I1onY9PnEsPg3VVxvytsVJbYdcqr4w99V3AgpH/UNzMS`
			`gAZ/8lZBNbsSDOVesJ3euVqMRfYPvd9pYl6QPRRpSDPm+2tNdn3QFAvta9EgJ3sW`
			`URnoU85w+W6aLI2bNSq3AaE771p3VbkGolpEjo9h+i42TBHo1rhPNKPkGupR8/QX`
			`AOLMpInRdeaHyDwb2a3DE5I3dG7VAVzrVfJ6W6Q84YoFX+rpEE2SVM17SAjy6xQy`
			`VjKgLvK2mk0xbtfa+h0B6VK7bmODHZqeP18NVm6HsBcXn7iclLgAC3SfWU1jucZK`
			`x1lqzw9tAgMBAAECggEABWzxS1Y2wckblnXY57Z+sl6YdmLV+gxj2r8Qib7g4ZIk`
			`lIlWR1OJNfw7kU4eryib4fc6nOh6O4AWZyYqAK6tqNQSS/eVG0LQTLTTEldHyVJL`
			`dvBe+MsUQOj4nTndZW+QvFzbcm2D8lY5n2nBSxU5ypVoKZ1EqQzytFcLZpTN7d89`
			`EPj0qDyrV4NZlWAwL1AygCwnlwhMQjXEalVF1ylXwU3QzyZ/6MgvF6d3SSUlh+sq`
			`XefuyigXw484cQQgbzopv6niMOmGP3of+yV4JQqUSb3IDmmT68XjGd2Dkxl4iPki`
			`6ZwXf3CCi+c+i/zVEcufgZ3SLf8D99kUGE7v7fZ6AQKBgQD1ZX3RAla9hIhxCf+O`
			`3D+I1j2LMrdjAh0ZKKqwMR4JnHX3mjQI6LwqIctPWTU8wYFECSh9klEclSdCa64s`
			`uI/GNpcqPXejd0cAAdqHEEeG5sHMDt0oFSurL4lyud0GtZvwlzLuwEweuDtvT9cJ`
			`Wfvl86uyO36IW8JdvUprYDctrQKBgQDycZ697qutBieZlGkHpnYWUAeImVA878sJ`
			`w44NuXHvMxBPz+lbJGAg8Cn8fcxNAPqHIraK+kx3po8cZGQywKHUWsxi23ozHoxo`
			`+bGqeQb9U661TnfdDspIXia+xilZt3mm5BPzOUuRqlh4Y9SOBpSWRmEhyw76w4ZP`
			`OPxjWYAgwQKBgA/FehSYxeJgRjSdo+MWnK66tjHgDJE8bYpUZsP0JC4R9DL5oiaA`
			`brd2fI6Y+SbyeNBallObt8LSgzdtnEAbjIH8uDJqyOmknNePRvAvR6mP4xyuR+Bv`
			`m+Lgp0DMWTw5J9CKpydZDItc49T/mJ5tPhdFVd+am0NAQnmr1MCZ6nHxAoGABS3Y`
			`LkaC9FdFUUqSU8+Chkd/YbOkuyiENdkvl6t2e52jo5DVc1T7mLiIrRQi4SI8N9bN`
			`/3oJWCT+uaSLX2ouCtNFunblzWHBrhxnZzTeqVq4SLc8aESAnbslKL4i8/+vYZlN`
			`s8xtiNcSvL+lMsOBORSXzpj/4Ot8WwTkn1qyGgECgYBKNTypzAHeLE6yVadFp3nQ`
			`Ckq9yzvP/ib05rvgbvrne00YeOxqJ9gtTrzgh7koqJyX1L4NwdkEza4ilDWpucn0`
			`xiUZS4SoaJq6ZvcBYS62Yr1t8n09iG47YL8ibgtmH3L+svaotvpVxVK+d7BLevA/`
			`ZboOWVe3icTy64BT3OQhmg==`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			-----END RSA PRIVATE KEY-----`)
			`)`

			`func TestHTTP3AdvertisedPort(t *testing.T) {`
			`certContent, err := localhostCert.Read()`
			`require.NoError(t, err)`

			`keyContent, err := localhostKey.Read()`
			`require.NoError(t, err)`

			`tlsCert, err := tls.X509KeyPair(certContent, keyContent)`
			`require.NoError(t, err)`

			`epConfig := &static.EntryPointsTransport{}`
			`epConfig.SetDefaults()`

			`entryPoint, err := NewTCPEntryPoint(context.Background(), &static.EntryPoint{`
			`Address: "127.0.0.1:8090",`
			`Transport: epConfig,`
			`ForwardedHeaders: &static.ForwardedHeaders{},`
Allow HTTP/2 max concurrent stream configuration 2022-04-04 11:46:07 +02:00			`HTTP2: &static.HTTP2Config{},`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			`HTTP3: &static.HTTP3Config{`
			`AdvertisedPort: 8080,`
			`},`
Fix open connections metric Co-authored-by: Romain <rtribotte@users.noreply.github.com> 2023-03-20 16:02:06 +01:00			`}, nil, nil)`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			`require.NoError(t, err)`

Add muxer for TCP Routers 2022-03-17 11:02:08 -06:00			`router, err := tcprouter.NewRouter()`
			`require.NoError(t, err)`

			`router.AddHTTPTLSConfig("*", &tls.Config{`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			`Certificates: []tls.Certificate{tlsCert},`
			`})`
Add muxer for TCP Routers 2022-03-17 11:02:08 -06:00			`router.SetHTTPSHandler(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {`
Add HTTP3Config 2021-09-10 21:58:13 +09:00			`rw.WriteHeader(http.StatusOK)`
			`}), nil)`

			`go entryPoint.Start(context.Background())`
			`entryPoint.SwitchRouter(router)`

			`conn, err := tls.Dial("tcp", "127.0.0.1:8090", &tls.Config{`
			`InsecureSkipVerify: true,`
			`})`
			`require.NoError(t, err)`

mitigate race against server readiness in test Co-authored-by: Romain <rtribotte@users.noreply.github.com> 2022-12-15 11:18:05 +01:00			`// We are racing with the http3Server readiness happening in the goroutine starting the entrypoint`
			`time.Sleep(time.Second)`

Add HTTP3Config 2021-09-10 21:58:13 +09:00			`request, err := http.NewRequest(http.MethodGet, "https://127.0.0.1:8090", nil)`
			`require.NoError(t, err)`

			`err = request.Write(conn)`
			`require.NoError(t, err)`

			`r, err := http.ReadResponse(bufio.NewReader(conn), nil)`
			`require.NoError(t, err)`

			`assert.NotContains(t, r.Header.Get("Alt-Svc"), ":8090")`
			`assert.Contains(t, r.Header.Get("Alt-Svc"), ":8080")`
			`}`