mirror of
https://github.com/ceph/ceph-csi.git
synced 2025-05-21 06:46:42 +00:00
dd77e72800
Bumps the k8s-dependencies group in /e2e with 3 updates: [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery), [k8s.io/cloud-provider](https://github.com/kubernetes/cloud-provider) and [k8s.io/pod-security-admission](https://github.com/kubernetes/pod-security-admission). Updates `k8s.io/apimachinery` from 0.32.3 to 0.33.0 - [Commits](https://github.com/kubernetes/apimachinery/compare/v0.32.3...v0.33.0) Updates `k8s.io/cloud-provider` from 0.32.3 to 0.33.0 - [Commits](https://github.com/kubernetes/cloud-provider/compare/v0.32.3...v0.33.0) Updates `k8s.io/pod-security-admission` from 0.32.3 to 0.33.0 - [Commits](https://github.com/kubernetes/pod-security-admission/compare/v0.32.3...v0.33.0) --- updated-dependencies: - dependency-name: k8s.io/apimachinery dependency-version: 0.33.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-dependencies - dependency-name: k8s.io/cloud-provider dependency-version: 0.33.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-dependencies - dependency-name: k8s.io/pod-security-admission dependency-version: 0.33.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: k8s-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>
518 lines
16 KiB
Go
518 lines
16 KiB
Go
// Copyright 2013 The Gorilla WebSocket Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package websocket
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/tls"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptrace"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
)
|
|
|
|
// ErrBadHandshake is returned when the server response to opening handshake is
|
|
// invalid.
|
|
var ErrBadHandshake = errors.New("websocket: bad handshake")
|
|
|
|
var errInvalidCompression = errors.New("websocket: invalid compression negotiation")
|
|
|
|
// NewClient creates a new client connection using the given net connection.
|
|
// The URL u specifies the host and request URI. Use requestHeader to specify
|
|
// the origin (Origin), subprotocols (Sec-WebSocket-Protocol) and cookies
|
|
// (Cookie). Use the response.Header to get the selected subprotocol
|
|
// (Sec-WebSocket-Protocol) and cookies (Set-Cookie).
|
|
//
|
|
// If the WebSocket handshake fails, ErrBadHandshake is returned along with a
|
|
// non-nil *http.Response so that callers can handle redirects, authentication,
|
|
// etc.
|
|
//
|
|
// Deprecated: Use Dialer instead.
|
|
func NewClient(netConn net.Conn, u *url.URL, requestHeader http.Header, readBufSize, writeBufSize int) (c *Conn, response *http.Response, err error) {
|
|
d := Dialer{
|
|
ReadBufferSize: readBufSize,
|
|
WriteBufferSize: writeBufSize,
|
|
NetDial: func(net, addr string) (net.Conn, error) {
|
|
return netConn, nil
|
|
},
|
|
}
|
|
return d.Dial(u.String(), requestHeader)
|
|
}
|
|
|
|
// A Dialer contains options for connecting to WebSocket server.
|
|
//
|
|
// It is safe to call Dialer's methods concurrently.
|
|
type Dialer struct {
|
|
// The following custom dial functions can be set to establish
|
|
// connections to either the backend server or the proxy (if it
|
|
// exists). The scheme of the dialed entity (either backend or
|
|
// proxy) determines which custom dial function is selected:
|
|
// either NetDialTLSContext for HTTPS or NetDialContext/NetDial
|
|
// for HTTP. Since the "Proxy" function can determine the scheme
|
|
// dynamically, it can make sense to set multiple custom dial
|
|
// functions simultaneously.
|
|
//
|
|
// NetDial specifies the dial function for creating TCP connections. If
|
|
// NetDial is nil, net.Dialer DialContext is used.
|
|
// If "Proxy" field is also set, this function dials the proxy--not
|
|
// the backend server.
|
|
NetDial func(network, addr string) (net.Conn, error)
|
|
|
|
// NetDialContext specifies the dial function for creating TCP connections. If
|
|
// NetDialContext is nil, NetDial is used.
|
|
// If "Proxy" field is also set, this function dials the proxy--not
|
|
// the backend server.
|
|
NetDialContext func(ctx context.Context, network, addr string) (net.Conn, error)
|
|
|
|
// NetDialTLSContext specifies the dial function for creating TLS/TCP connections. If
|
|
// NetDialTLSContext is nil, NetDialContext is used.
|
|
// If NetDialTLSContext is set, Dial assumes the TLS handshake is done there and
|
|
// TLSClientConfig is ignored.
|
|
// If "Proxy" field is also set, this function dials the proxy (and performs
|
|
// the TLS handshake with the proxy, ignoring TLSClientConfig). In this TLS proxy
|
|
// dialing case the TLSClientConfig could still be necessary for TLS to the backend server.
|
|
NetDialTLSContext func(ctx context.Context, network, addr string) (net.Conn, error)
|
|
|
|
// Proxy specifies a function to return a proxy for a given
|
|
// Request. If the function returns a non-nil error, the
|
|
// request is aborted with the provided error.
|
|
// If Proxy is nil or returns a nil *URL, no proxy is used.
|
|
Proxy func(*http.Request) (*url.URL, error)
|
|
|
|
// TLSClientConfig specifies the TLS configuration to use with tls.Client.
|
|
// If nil, the default configuration is used.
|
|
// If NetDialTLSContext is set, Dial assumes the TLS handshake
|
|
// is done there and TLSClientConfig is ignored.
|
|
TLSClientConfig *tls.Config
|
|
|
|
// HandshakeTimeout specifies the duration for the handshake to complete.
|
|
HandshakeTimeout time.Duration
|
|
|
|
// ReadBufferSize and WriteBufferSize specify I/O buffer sizes in bytes. If a buffer
|
|
// size is zero, then a useful default size is used. The I/O buffer sizes
|
|
// do not limit the size of the messages that can be sent or received.
|
|
ReadBufferSize, WriteBufferSize int
|
|
|
|
// WriteBufferPool is a pool of buffers for write operations. If the value
|
|
// is not set, then write buffers are allocated to the connection for the
|
|
// lifetime of the connection.
|
|
//
|
|
// A pool is most useful when the application has a modest volume of writes
|
|
// across a large number of connections.
|
|
//
|
|
// Applications should use a single pool for each unique value of
|
|
// WriteBufferSize.
|
|
WriteBufferPool BufferPool
|
|
|
|
// Subprotocols specifies the client's requested subprotocols.
|
|
Subprotocols []string
|
|
|
|
// EnableCompression specifies if the client should attempt to negotiate
|
|
// per message compression (RFC 7692). Setting this value to true does not
|
|
// guarantee that compression will be supported. Currently only "no context
|
|
// takeover" modes are supported.
|
|
EnableCompression bool
|
|
|
|
// Jar specifies the cookie jar.
|
|
// If Jar is nil, cookies are not sent in requests and ignored
|
|
// in responses.
|
|
Jar http.CookieJar
|
|
}
|
|
|
|
// Dial creates a new client connection by calling DialContext with a background context.
|
|
func (d *Dialer) Dial(urlStr string, requestHeader http.Header) (*Conn, *http.Response, error) {
|
|
return d.DialContext(context.Background(), urlStr, requestHeader)
|
|
}
|
|
|
|
var errMalformedURL = errors.New("malformed ws or wss URL")
|
|
|
|
func hostPortNoPort(u *url.URL) (hostPort, hostNoPort string) {
|
|
hostPort = u.Host
|
|
hostNoPort = u.Host
|
|
if i := strings.LastIndex(u.Host, ":"); i > strings.LastIndex(u.Host, "]") {
|
|
hostNoPort = hostNoPort[:i]
|
|
} else {
|
|
switch u.Scheme {
|
|
case "wss":
|
|
hostPort += ":443"
|
|
case "https":
|
|
hostPort += ":443"
|
|
default:
|
|
hostPort += ":80"
|
|
}
|
|
}
|
|
return hostPort, hostNoPort
|
|
}
|
|
|
|
// DefaultDialer is a dialer with all fields set to the default values.
|
|
var DefaultDialer = &Dialer{
|
|
Proxy: http.ProxyFromEnvironment,
|
|
HandshakeTimeout: 45 * time.Second,
|
|
}
|
|
|
|
// nilDialer is dialer to use when receiver is nil.
|
|
var nilDialer = *DefaultDialer
|
|
|
|
// DialContext creates a new client connection. Use requestHeader to specify the
|
|
// origin (Origin), subprotocols (Sec-WebSocket-Protocol) and cookies (Cookie).
|
|
// Use the response.Header to get the selected subprotocol
|
|
// (Sec-WebSocket-Protocol) and cookies (Set-Cookie).
|
|
//
|
|
// The context will be used in the request and in the Dialer.
|
|
//
|
|
// If the WebSocket handshake fails, ErrBadHandshake is returned along with a
|
|
// non-nil *http.Response so that callers can handle redirects, authentication,
|
|
// etcetera. The response body may not contain the entire response and does not
|
|
// need to be closed by the application.
|
|
func (d *Dialer) DialContext(ctx context.Context, urlStr string, requestHeader http.Header) (*Conn, *http.Response, error) {
|
|
if d == nil {
|
|
d = &nilDialer
|
|
}
|
|
|
|
challengeKey, err := generateChallengeKey()
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
u, err := url.Parse(urlStr)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
switch u.Scheme {
|
|
case "ws":
|
|
u.Scheme = "http"
|
|
case "wss":
|
|
u.Scheme = "https"
|
|
default:
|
|
return nil, nil, errMalformedURL
|
|
}
|
|
|
|
if u.User != nil {
|
|
// User name and password are not allowed in websocket URIs.
|
|
return nil, nil, errMalformedURL
|
|
}
|
|
|
|
req := &http.Request{
|
|
Method: http.MethodGet,
|
|
URL: u,
|
|
Proto: "HTTP/1.1",
|
|
ProtoMajor: 1,
|
|
ProtoMinor: 1,
|
|
Header: make(http.Header),
|
|
Host: u.Host,
|
|
}
|
|
req = req.WithContext(ctx)
|
|
|
|
// Set the cookies present in the cookie jar of the dialer
|
|
if d.Jar != nil {
|
|
for _, cookie := range d.Jar.Cookies(u) {
|
|
req.AddCookie(cookie)
|
|
}
|
|
}
|
|
|
|
// Set the request headers using the capitalization for names and values in
|
|
// RFC examples. Although the capitalization shouldn't matter, there are
|
|
// servers that depend on it. The Header.Set method is not used because the
|
|
// method canonicalizes the header names.
|
|
req.Header["Upgrade"] = []string{"websocket"}
|
|
req.Header["Connection"] = []string{"Upgrade"}
|
|
req.Header["Sec-WebSocket-Key"] = []string{challengeKey}
|
|
req.Header["Sec-WebSocket-Version"] = []string{"13"}
|
|
if len(d.Subprotocols) > 0 {
|
|
req.Header["Sec-WebSocket-Protocol"] = []string{strings.Join(d.Subprotocols, ", ")}
|
|
}
|
|
for k, vs := range requestHeader {
|
|
switch {
|
|
case k == "Host":
|
|
if len(vs) > 0 {
|
|
req.Host = vs[0]
|
|
}
|
|
case k == "Upgrade" ||
|
|
k == "Connection" ||
|
|
k == "Sec-Websocket-Key" ||
|
|
k == "Sec-Websocket-Version" ||
|
|
k == "Sec-Websocket-Extensions" ||
|
|
(k == "Sec-Websocket-Protocol" && len(d.Subprotocols) > 0):
|
|
return nil, nil, errors.New("websocket: duplicate header not allowed: " + k)
|
|
case k == "Sec-Websocket-Protocol":
|
|
req.Header["Sec-WebSocket-Protocol"] = vs
|
|
default:
|
|
req.Header[k] = vs
|
|
}
|
|
}
|
|
|
|
if d.EnableCompression {
|
|
req.Header["Sec-WebSocket-Extensions"] = []string{"permessage-deflate; server_no_context_takeover; client_no_context_takeover"}
|
|
}
|
|
|
|
if d.HandshakeTimeout != 0 {
|
|
var cancel func()
|
|
ctx, cancel = context.WithTimeout(ctx, d.HandshakeTimeout)
|
|
defer cancel()
|
|
}
|
|
|
|
var proxyURL *url.URL
|
|
if d.Proxy != nil {
|
|
proxyURL, err = d.Proxy(req)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
}
|
|
netDial, err := d.netDialFn(ctx, proxyURL, u)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
hostPort, hostNoPort := hostPortNoPort(u)
|
|
trace := httptrace.ContextClientTrace(ctx)
|
|
if trace != nil && trace.GetConn != nil {
|
|
trace.GetConn(hostPort)
|
|
}
|
|
|
|
netConn, err := netDial(ctx, "tcp", hostPort)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
if trace != nil && trace.GotConn != nil {
|
|
trace.GotConn(httptrace.GotConnInfo{
|
|
Conn: netConn,
|
|
})
|
|
}
|
|
|
|
// Close the network connection when returning an error. The variable
|
|
// netConn is set to nil before the success return at the end of the
|
|
// function.
|
|
defer func() {
|
|
if netConn != nil {
|
|
// It's safe to ignore the error from Close() because this code is
|
|
// only executed when returning a more important error to the
|
|
// application.
|
|
_ = netConn.Close()
|
|
}
|
|
}()
|
|
|
|
// Do TLS handshake over established connection if a proxy exists.
|
|
if proxyURL != nil && u.Scheme == "https" {
|
|
|
|
cfg := cloneTLSConfig(d.TLSClientConfig)
|
|
if cfg.ServerName == "" {
|
|
cfg.ServerName = hostNoPort
|
|
}
|
|
tlsConn := tls.Client(netConn, cfg)
|
|
netConn = tlsConn
|
|
|
|
if trace != nil && trace.TLSHandshakeStart != nil {
|
|
trace.TLSHandshakeStart()
|
|
}
|
|
err := doHandshake(ctx, tlsConn, cfg)
|
|
if trace != nil && trace.TLSHandshakeDone != nil {
|
|
trace.TLSHandshakeDone(tlsConn.ConnectionState(), err)
|
|
}
|
|
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
}
|
|
|
|
conn := newConn(netConn, false, d.ReadBufferSize, d.WriteBufferSize, d.WriteBufferPool, nil, nil)
|
|
|
|
if err := req.Write(netConn); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
if trace != nil && trace.GotFirstResponseByte != nil {
|
|
if peek, err := conn.br.Peek(1); err == nil && len(peek) == 1 {
|
|
trace.GotFirstResponseByte()
|
|
}
|
|
}
|
|
|
|
resp, err := http.ReadResponse(conn.br, req)
|
|
if err != nil {
|
|
if d.TLSClientConfig != nil {
|
|
for _, proto := range d.TLSClientConfig.NextProtos {
|
|
if proto != "http/1.1" {
|
|
return nil, nil, fmt.Errorf(
|
|
"websocket: protocol %q was given but is not supported;"+
|
|
"sharing tls.Config with net/http Transport can cause this error: %w",
|
|
proto, err,
|
|
)
|
|
}
|
|
}
|
|
}
|
|
return nil, nil, err
|
|
}
|
|
|
|
if d.Jar != nil {
|
|
if rc := resp.Cookies(); len(rc) > 0 {
|
|
d.Jar.SetCookies(u, rc)
|
|
}
|
|
}
|
|
|
|
if resp.StatusCode != 101 ||
|
|
!tokenListContainsValue(resp.Header, "Upgrade", "websocket") ||
|
|
!tokenListContainsValue(resp.Header, "Connection", "upgrade") ||
|
|
resp.Header.Get("Sec-Websocket-Accept") != computeAcceptKey(challengeKey) {
|
|
// Before closing the network connection on return from this
|
|
// function, slurp up some of the response to aid application
|
|
// debugging.
|
|
buf := make([]byte, 1024)
|
|
n, _ := io.ReadFull(resp.Body, buf)
|
|
resp.Body = io.NopCloser(bytes.NewReader(buf[:n]))
|
|
return nil, resp, ErrBadHandshake
|
|
}
|
|
|
|
for _, ext := range parseExtensions(resp.Header) {
|
|
if ext[""] != "permessage-deflate" {
|
|
continue
|
|
}
|
|
_, snct := ext["server_no_context_takeover"]
|
|
_, cnct := ext["client_no_context_takeover"]
|
|
if !snct || !cnct {
|
|
return nil, resp, errInvalidCompression
|
|
}
|
|
conn.newCompressionWriter = compressNoContextTakeover
|
|
conn.newDecompressionReader = decompressNoContextTakeover
|
|
break
|
|
}
|
|
|
|
resp.Body = io.NopCloser(bytes.NewReader([]byte{}))
|
|
conn.subprotocol = resp.Header.Get("Sec-Websocket-Protocol")
|
|
|
|
if err := netConn.SetDeadline(time.Time{}); err != nil {
|
|
return nil, resp, err
|
|
}
|
|
|
|
// Success! Set netConn to nil to stop the deferred function above from
|
|
// closing the network connection.
|
|
netConn = nil
|
|
|
|
return conn, resp, nil
|
|
}
|
|
|
|
// Returns the dial function to establish the connection to either the backend
|
|
// server or the proxy (if it exists). If the dialed entity is HTTPS, then the
|
|
// returned dial function *also* performs the TLS handshake to the dialed entity.
|
|
// NOTE: If a proxy exists, it is possible for a second TLS handshake to be
|
|
// necessary over the established connection.
|
|
func (d *Dialer) netDialFn(ctx context.Context, proxyURL *url.URL, backendURL *url.URL) (netDialerFunc, error) {
|
|
var netDial netDialerFunc
|
|
if proxyURL != nil {
|
|
netDial = d.netDialFromURL(proxyURL)
|
|
} else {
|
|
netDial = d.netDialFromURL(backendURL)
|
|
}
|
|
// If needed, wrap the dial function to set the connection deadline.
|
|
if deadline, ok := ctx.Deadline(); ok {
|
|
netDial = netDialWithDeadline(netDial, deadline)
|
|
}
|
|
// Proxy dialing is wrapped to implement CONNECT method and possibly proxy auth.
|
|
if proxyURL != nil {
|
|
return proxyFromURL(proxyURL, netDial)
|
|
}
|
|
return netDial, nil
|
|
}
|
|
|
|
// Returns function to create the connection depending on the Dialer's
|
|
// custom dialing functions and the passed URL of entity connecting to.
|
|
func (d *Dialer) netDialFromURL(u *url.URL) netDialerFunc {
|
|
var netDial netDialerFunc
|
|
switch {
|
|
case d.NetDialContext != nil:
|
|
netDial = d.NetDialContext
|
|
case d.NetDial != nil:
|
|
netDial = func(ctx context.Context, net, addr string) (net.Conn, error) {
|
|
return d.NetDial(net, addr)
|
|
}
|
|
default:
|
|
netDial = (&net.Dialer{}).DialContext
|
|
}
|
|
// If dialed entity is HTTPS, then either use custom TLS dialing function (if exists)
|
|
// or wrap the previously computed "netDial" to use TLS config for handshake.
|
|
if u.Scheme == "https" {
|
|
if d.NetDialTLSContext != nil {
|
|
netDial = d.NetDialTLSContext
|
|
} else {
|
|
netDial = netDialWithTLSHandshake(netDial, d.TLSClientConfig, u)
|
|
}
|
|
}
|
|
return netDial
|
|
}
|
|
|
|
// Returns wrapped "netDial" function, performing TLS handshake after connecting.
|
|
func netDialWithTLSHandshake(netDial netDialerFunc, tlsConfig *tls.Config, u *url.URL) netDialerFunc {
|
|
return func(ctx context.Context, unused, addr string) (net.Conn, error) {
|
|
hostPort, hostNoPort := hostPortNoPort(u)
|
|
trace := httptrace.ContextClientTrace(ctx)
|
|
if trace != nil && trace.GetConn != nil {
|
|
trace.GetConn(hostPort)
|
|
}
|
|
// Creates TCP connection to addr using passed "netDial" function.
|
|
conn, err := netDial(ctx, "tcp", addr)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
cfg := cloneTLSConfig(tlsConfig)
|
|
if cfg.ServerName == "" {
|
|
cfg.ServerName = hostNoPort
|
|
}
|
|
tlsConn := tls.Client(conn, cfg)
|
|
// Do the TLS handshake using TLSConfig over the wrapped connection.
|
|
if trace != nil && trace.TLSHandshakeStart != nil {
|
|
trace.TLSHandshakeStart()
|
|
}
|
|
err = doHandshake(ctx, tlsConn, cfg)
|
|
if trace != nil && trace.TLSHandshakeDone != nil {
|
|
trace.TLSHandshakeDone(tlsConn.ConnectionState(), err)
|
|
}
|
|
if err != nil {
|
|
tlsConn.Close()
|
|
return nil, err
|
|
}
|
|
return tlsConn, nil
|
|
}
|
|
}
|
|
|
|
// Returns wrapped "netDial" function, setting passed deadline.
|
|
func netDialWithDeadline(netDial netDialerFunc, deadline time.Time) netDialerFunc {
|
|
return func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
c, err := netDial(ctx, network, addr)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
err = c.SetDeadline(deadline)
|
|
if err != nil {
|
|
c.Close()
|
|
return nil, err
|
|
}
|
|
return c, nil
|
|
}
|
|
}
|
|
|
|
func cloneTLSConfig(cfg *tls.Config) *tls.Config {
|
|
if cfg == nil {
|
|
return &tls.Config{}
|
|
}
|
|
return cfg.Clone()
|
|
}
|
|
|
|
func doHandshake(ctx context.Context, tlsConn *tls.Conn, cfg *tls.Config) error {
|
|
if err := tlsConn.HandshakeContext(ctx); err != nil {
|
|
return err
|
|
}
|
|
if !cfg.InsecureSkipVerify {
|
|
if err := tlsConn.VerifyHostname(cfg.ServerName); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
return nil
|
|
}
|