fix common name parsing

2026-01-15 01:12:56 +00:00 · 2024-09-23 12:39:22 +01:00
parent 040d8cf4f6
commit a4100373e5
3 changed files with 12 additions and 10 deletions
--- a/proxy/src/auth/credentials.rs
+++ b/proxy/src/auth/credentials.rs
@@ -6,7 +6,7 @@ use crate::{
    error::{ReportableError, UserFacingError},
    metrics::{Metrics, SniKind},
    proxy::NeonOptions,
-    serverless::{SERVERLESS_DRIVER_AUTH_BROKER_SNI, SERVERLESS_DRIVER_SNI},
+    serverless::SERVERLESS_DRIVER_SNI,
    EndpointId, RoleName,
 };
 use itertools::Itertools;
@@ -71,14 +71,14 @@ pub(crate) fn endpoint_sni(
    let Some((subdomain, common_name)) = sni.split_once('.') else {
        return Err(ComputeUserInfoParseError::UnknownCommonName { cn: sni.into() });
    };
-    if subdomain == SERVERLESS_DRIVER_SNI || subdomain == SERVERLESS_DRIVER_AUTH_BROKER_SNI {
-        return Ok(None);
-    }
    if !common_names.contains(common_name) {
        return Err(ComputeUserInfoParseError::UnknownCommonName {
            cn: common_name.into(),
        });
    }
+    if subdomain == SERVERLESS_DRIVER_SNI {
+        return Ok(None);
+    }
    Ok(Some(EndpointId::from(subdomain)))
 }

--- a/proxy/src/config.rs
+++ b/proxy/src/config.rs
@@ -262,12 +262,15 @@ impl CertResolver {
        // and passed None instead, which blows up number of cases downstream code should handle. Proper coding
        // here should better avoid Option for common_names, and do wildcard-based certificate selection instead
        // of cutting off '*.' parts.
-        let common_name = if common_name.starts_with("CN=*.") {
-            common_name.strip_prefix("CN=*.").map(|s| s.to_string())
+        let common_name = if let Some(s) = common_name.strip_prefix("CN=*.") {
+            s.to_string()
+        } else if let Some(s) = common_name.strip_prefix("CN=apiauth.") {
+            s.to_string()
+        } else if let Some(s) = common_name.strip_prefix("CN=") {
+            s.to_string()
        } else {
-            common_name.strip_prefix("CN=").map(|s| s.to_string())
-        }
-        .context("Failed to parse common name from certificate")?;
+            bail!("Failed to parse common name from certificate")
+        };

        let cert = Arc::new(rustls::sign::CertifiedKey::new(cert_chain, key));

--- a/proxy/src/serverless.rs
+++ b/proxy/src/serverless.rs
@@ -51,7 +51,6 @@ use tracing::{error, info, warn, Instrument};
 use utils::http::error::ApiError;

 pub(crate) const SERVERLESS_DRIVER_SNI: &str = "api";
-pub(crate) const SERVERLESS_DRIVER_AUTH_BROKER_SNI: &str = "apiauth";

 pub async fn task_main(
    config: &'static ProxyConfig,