From a4100373e5a2944750dd2c83a8db6d2d6f772cf0 Mon Sep 17 00:00:00 2001
From: Conrad Ludgate
Date: Mon, 23 Sep 2024 12:39:22 +0100
Subject: [PATCH] fix common name parsing

---
 proxy/src/auth/credentials.rs | 8 ++++----
 proxy/src/config.rs | 13 ++++++++-----
 proxy/src/serverless.rs | 1 -
 3 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/proxy/src/auth/credentials.rs b/proxy/src/auth/credentials.rs
index a1af41d12b..cba8601d14 100644
--- a/proxy/src/auth/credentials.rs
+++ b/proxy/src/auth/credentials.rs
@@ -6,7 +6,7 @@ use crate::{
     error::{ReportableError, UserFacingError},
     metrics::{Metrics, SniKind},
     proxy::NeonOptions,
-    serverless::{SERVERLESS_DRIVER_AUTH_BROKER_SNI, SERVERLESS_DRIVER_SNI},
+    serverless::SERVERLESS_DRIVER_SNI,
     EndpointId, RoleName,
 };
 use itertools::Itertools;
@@ -71,14 +71,14 @@ pub(crate) fn endpoint_sni(
     let Some((subdomain, common_name)) = sni.split_once('.') else {
         return Err(ComputeUserInfoParseError::UnknownCommonName { cn: sni.into() });
     };
-    if subdomain == SERVERLESS_DRIVER_SNI || subdomain == SERVERLESS_DRIVER_AUTH_BROKER_SNI {
-        return Ok(None);
-    }
     if !common_names.contains(common_name) {
         return Err(ComputeUserInfoParseError::UnknownCommonName {
             cn: common_name.into(),
         });
     }
+    if subdomain == SERVERLESS_DRIVER_SNI {
+        return Ok(None);
+    }
     Ok(Some(EndpointId::from(subdomain)))
 }
 
diff --git a/proxy/src/config.rs b/proxy/src/config.rs
index 1fe121d59c..07bb81e3e7 100644
--- a/proxy/src/config.rs
+++ b/proxy/src/config.rs
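Review bot: With SERVERLESS_DRIVER_AUTH_BROKER_SNI dropped from the subdomain comparison in `endpoint_sni`, an SNI of `apiauth.<common name>` no longer returns `Ok(None)` but falls through to `Ok(Some(EndpointId::from(subdomain)))`, so the literal label `apiauth` becomes an endpoint id. That is harmless only if the auth-broker listener is served by a separate path that never calls `endpoint_sni`, and nothing in this hunk shows that; either keep the broker label in the short-circuit (`if subdomain == SERVERLESS_DRIVER_SNI || subdomain == "apiauth" {`) or add a comment above the check such as `// apiauth.* connections are handled by the auth-broker listener and never reach this function` so the next reader knows the fall-through is deliberate. Moving the `common_names.contains` test ahead of the serverless short-circuit is the right order, since on the old side `api.<anything>` skipped the allow-list entirely. The signature and opening of `endpoint_sni` are outside the hunk.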
@@ -262,12 +262,15 @@ impl CertResolver {
         // and passed None instead, which blows up number of cases downstream code should handle. Proper coding
         // here should better avoid Option for common_names, and do wildcard-based certificate selection instead
         // of cutting off '*.' parts.
-        let common_name = if common_name.starts_with("CN=*.") {
-            common_name.strip_prefix("CN=*.").map(|s| s.to_string())
+        let common_name = if let Some(s) = common_name.strip_prefix("CN=*.") {
+            s.to_string()
+        } else if let Some(s) = common_name.strip_prefix("CN=apiauth.") {
+            s.to_string()
+        } else if let Some(s) = common_name.strip_prefix("CN=") {
+            s.to_string()
         } else {
-            common_name.strip_prefix("CN=").map(|s| s.to_string())
-        }
-        .context("Failed to parse common name from certificate")?;
+            bail!("Failed to parse common name from certificate")
+        };
 
         let cert = Arc::new(rustls::sign::CertifiedKey::new(cert_chain, key));
 
diff --git a/proxy/src/serverless.rs b/proxy/src/serverless.rs
index 8e0c62af34..a7e3fa709b 100644
--- a/proxy/src/serverless.rs
+++ b/proxy/src/serverless.rs
@@ -51,7 +51,6 @@ use tracing::{error, info, warn, Instrument};
 use utils::http::error::ApiError;
 
 pub(crate) const SERVERLESS_DRIVER_SNI: &str = "api";
-pub(crate) const SERVERLESS_DRIVER_AUTH_BROKER_SNI: &str = "apiauth";
 
 pub async fn task_main(
     config: &'static ProxyConfig,
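Review bot: The new `strip_prefix("CN=apiauth.")` branch hardcodes the `apiauth` label that this same commit deletes as a named constant from serverless.rs, and the comment block above it still only explains the `*.` case, so a reader has no way to tell that the branch is intentional rather than a copy of the wildcard arm. Its effect is that a certificate issued for the single host `apiauth.<domain>` registers `<domain>` as an accepted common name, exactly as a wildcard cert would; that presumably is what lets `endpoint_sni` accept the auth-broker SNI, but it also means `<domain>` is trusted for every `<endpoint>.<domain>` SNI on the strength of a non-wildcard cert, which deserves a sentence. Suggest a comment directly above the branch, e.g. `// The auth broker uses a single-host cert for apiauth.<domain>; register <domain> so SNI parsing treats it like the wildcard cert. Only safe because the resolver below still picks the cert by full SNI.` (drop the second sentence if the resolver does not), and consider a `const` for the label so the SNI check and this parser cannot drift apart. The enclosing method of `impl CertResolver` starts before this hunk.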