Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OCPBUGS-27741: Properly handle route path while rewriting #607

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

gcs278
Copy link
Contributor

@gcs278 gcs278 commented May 29, 2024

Process the route's spec.path while using the
haproxy.router.openshift.io/rewrite-target annotation to prevent HAProxy configuration issues.

Previously, values in the route's path would be interpreted as regex meta characters. Now, this fix forces literal interpretation of the characters in spec.path when matching for rewriting. This change introduces some unavoidable incompatibilities if users were previously using regex meta characters in a spec.path.

Use cases have been documented here: https://docs.google.com/document/d/1wA6ZdRYaiN70TY5UbTOn1wl5qAn_NPb2ty_G85XhnYM/edit#heading=h.pca9p2i57r2u

@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels May 29, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 29, 2024
@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 29, 2024
@openshift-ci-robot
Copy link
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-27741, which is invalid:

  • expected the bug to target either version "4.17." or "openshift-4.17.", but it targets "4.16.0" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Process the route's spec.path while using the
haproxy.router.openshift.io/rewrite-target annotation to prevent HAProxy configuration issues.

Previously, values in the route's path would be interpreted as regex meta characters. Now, this fix forces literal interpretation of the characters in spec.path when matching for rewriting. This change introduces some unavoidable incompatibilities if users were previously using regex meta characters in a spec.path.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from candita and knobunc May 29, 2024 17:57
Copy link
Contributor

openshift-ci bot commented May 29, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from gcs278. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gcs278
Copy link
Contributor Author

gcs278 commented May 29, 2024

/jira refresh

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label May 29, 2024
@openshift-ci-robot
Copy link
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-27741, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.0) matches configured target version for branch (4.17.0)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label May 29, 2024
@openshift-ci openshift-ci bot requested a review from ShudiLi May 29, 2024 17:58
@gcs278 gcs278 changed the title [WIP] OCPBUGS-27741: Properly handle route path while rewriting OCPBUGS-27741: Properly handle route path while rewriting May 29, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 29, 2024
@ShudiLi
Copy link
Member

ShudiLi commented May 31, 2024

/label qe-approved

tested it with 4.16.0-0.ci.test-2024-05-31-012256-ci-ln-982w7yk-latest

1.
% oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.16.0-0.ci.test-2024-05-31-012256-ci-ln-982w7yk-latest   True        False         55m     Cluster version is 4.16.0-0.ci.test-2024-05-31-012256-ci-ln-982w7yk-latest

2.
% oc -n openshift-ingress get pods
NAME                              READY   STATUS    RESTARTS   AGE
router-default-7fd8bdbb55-ffvj9   1/1     Running   0          59m
router-default-7fd8bdbb55-g8cl9   1/1     Running   0          59m

3.
% oc -n openshift-ingress rsh router-default-7fd8bdbb55-ffvj9       
sh-5.1$ 
sh-5.1$ grep "http-request replace-path" haproxy         
haproxy-config.template  haproxy.config           
sh-5.1$ grep "http-request replace-path" haproxy-config.template 
  http-request replace-path '^\Q{{ processRewritePath $cfg.Path }}/\E?(.*)$' '{{ processRewriteTarget $pathRewriteTarget }}'
  http-

4.
% oc create route edge edge1 --service=unsec-server3               
route.route.openshift.io/edge1 created

5.
% oc patch route edge1 --type='merge' -p '{"spec":{"path":"/path1/#"}}' 
route.route.openshift.io/edge1 patched

6.
% oc annotate route edge1 "haproxy.router.openshift.io/rewrite-target"='/path/app/#'
route.route.openshift.io/edge1 annotate

7.
% oc get route edge1 -oyaml | grep -E "haproxy.router.openshift.io|path:" 
    haproxy.router.openshift.io/rewrite-target: /path/app/#
  path: /path1/#

8.
% oc -n openshift-ingress logs router-default-7fd8bdbb55-ffvj9 --tail=20
I0531 01:47:59.063258       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:48:06.009948       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:48:29.568934       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:48:34.564661       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:48:44.395788       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:48:49.372038       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:48:55.357546       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:49:00.353958       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:49:43.442301       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:49:48.410537       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:50:03.750952       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:50:08.705220       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:50:16.114628       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:50:44.912551       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:50:54.981343       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:51:06.963978       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 01:51:11.949069       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 02:23:15.068772       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 02:31:19.633735       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"
I0531 02:37:44.769399       1 router.go:669] "msg"="router reloaded" "logger"="template" "output"=" - Checking http://localhost:80 ...\n - Health check ok : 0 retry attempt(s).\n"

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label May 31, 2024
@openshift-ci-robot
Copy link
Contributor

@gcs278: This pull request references Jira Issue OCPBUGS-27741, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.17.0) matches configured target version for branch (4.17.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Process the route's spec.path while using the
haproxy.router.openshift.io/rewrite-target annotation to prevent HAProxy configuration issues.

Previously, values in the route's path would be interpreted as regex meta characters. Now, this fix forces literal interpretation of the characters in spec.path when matching for rewriting. This change introduces some unavoidable incompatibilities if users were previously using regex meta characters in a spec.path.

Use cases have been documented here: https://docs.google.com/document/d/1wA6ZdRYaiN70TY5UbTOn1wl5qAn_NPb2ty_G85XhnYM/edit#heading=h.pca9p2i57r2u

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@candita
Copy link
Contributor

candita commented Jun 5, 2024

/assign @rfredette

{
name: "single quotes should be always be escaped",
input: `'foo'foo\'`,
output: `'\''foo'\''foo\'\''`,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

\' ends up generating an unpaired quote. Doesn't that still break the template?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So \' generates \'\'' because our rule is simple & universal: ' gets translated to '\'', and we don't do anything with the \, so you mostly disregard it.

To explain the '\'' sequence:

  1. The first ' terminates the outer quote provided by the template.
  2. The \' specifies a literal escaped quote (it must be outside of the protection of '')
  3. The last ' starts the outer quote again.

So the answer is no: it doesn't break the template, the \ in front of the quote doesn't matter. The result of \' is that it gets interpreted as literal \', which is desirable in this specific situation.

I'll also mention that we did handle single quotes in a different way in the fix for https://issues.redhat.com/browse/OCPBUGS-22739, but the key different here is that, in OCPBUGS-22739, \' was a valid rewrite annotation sequence (it matched '), where for this fix, though it doesn't cause a syntax error, it causes an unreachable situation, because the HAProxy map files MUST match the same pattern as the replace-path regex. The GenerateRouteRegexp function is the reason why the HAPRoxy map path regexs are interpreted literally. I updated https://docs.google.com/document/d/1wA6ZdRYaiN70TY5UbTOn1wl5qAn_NPb2ty_G85XhnYM/edit with more info on this situation where the map files don't match the <match-regex> argument for rewrite target.

I'm on a bit of a tangent in this comment. I also realized GenerateRouteRegexp used regexp.QuoteMeta(path) instead of \Q...\E. They appear to do the same exact thing, but I think it's better to be consistent, especially if there is a subtle different between the two. We need to have the path interpreted in the same exact way for rewrites to work.

So I'll update the code to use QuoteMeta, and I also found that you can add a newline character in spec.path and break this config. So I fixed that too.

@gcs278 gcs278 force-pushed the OCPBUGS-27741-path-with-rewrite branch from 27825bf to f43b373 Compare July 3, 2024 23:03
Process the route's spec.path while using the
`haproxy.router.openshift.io/rewrite-target` annotation to prevent
HAProxy configuration issues.

Previously, values in the route's path would be interpreted as
regex meta characters. Now, this fix forces literal interpretation
of the characters in spec.path when matching for rewriting. This
change introduces some unavoidable incompatibilities if users were
previously using regex meta characters in a spec.path.
@gcs278 gcs278 force-pushed the OCPBUGS-27741-path-with-rewrite branch from f43b373 to ffa97d7 Compare August 20, 2024 16:29
Copy link
Contributor

openshift-ci bot commented Aug 20, 2024

@gcs278: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@gcs278
Copy link
Contributor Author

gcs278 commented Aug 27, 2024

Per our discussion, I am planning to investigate what it would take to reject a route based on certain characters that are currently invalid.

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 27, 2024
@openshift-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants