conformance: test cases for HTTPS connection coalescing

[snorwin]

What type of PR is this?

/area conformance-test

What this PR does / why we need it:
In #3630, the Gateway API’s interaction with connection coalescing was improved as part of GEP-3567. However, these changes are not yet reflected in the conformance tests.

Which issue(s) this PR fixes:

N/A

Does this PR introduce a user-facing change?:

Added conformance tests validating Gateway behavior for connection coalescing when SNI and Host headers do not match, including correct use of HTTP 421 for potentially misdirected requests.

[snorwin]

/cc @robscott

[snorwin]

/retest

[robscott]

Thanks @snorwin!

[robscott]

I think the relevant part of the spec is here:

gateway-api/apis/v1/gateway_types.go

Line 394 in f95fe2b

// the Gateway SHOULD return a 421.

We're actually using RFC 2119 interpretation of keywords here, so SHOULD is a recommendation, not a requirement. With that said, I think we could justify an extended test (separate feature name) to cover this.

cc @youngnick @rikatz

[kl52752]

Shouldn't we enforce this behaviour only for reused connections? If Cx is estabilishing a new connection per request then misdirected does not make sense.

@snorwin can you verify that connection is being reused in this test? I was looking into RoundTripper and I can see that DisableKeepAlives is set.

[snorwin]

For example, a request might have been misdirected, deliberately or accidentally, such that the information within a received Host header field differs from the connection's host or port.
https://www.rfc-editor.org/rfc/rfc9110.html#name-rejecting-misdirected-reque

In the case of TLS, the connection’s host is determined by the SNI extension sent during the initial TLS handshake. In my opinion, it should not matter whether the connection was established specifically for this request or reused from a previous one.

@kl52752 which HTTP status code would you expect when a request sent over a newly established connection has a mismatch between the SNI value and the Host header?

Related references:

• https://developer.mozilla.org/de/docs/Web/HTTP/Reference/Status/421
• https://httpd.apache.org/docs/2.4/en/mod/mod_ssl.html#sslvhostsnipolicy

[kl52752]

I'm referring to:

// * If another Listener has an exact match or more specific wildcard entry,
// the Gateway SHOULD return a 421.

Imagine we have 2 listeners on the same port one with *.example.com and second one with foo.example.com.

Like you mentioned SNI is validated in initial TLS handshake, so if client is connecting to *.example.com and this is the only "destination" for this request I think that 200 should be returned because TLS handshake was performed for *.example.com.

What we should test is that after client connects to *.example.com and reuse this connection to foo.example.com on different listener then 421 should be returned.

Does it makes sense?

[snorwin]

I understand your example. Let’s assume we have 2 listeners on the same port one with *.example.com and second one with foo.example.com.

What HTTP error code would you expect for a request on a new connection with SNI bar.example.com and a Host header foo.example.com?

[kl52752]

oh yeah sorry I missed the fact that SNI and host mismatch here. Now it makes sense :)

[howardjohn]

IIUC:

• Anything around 421 should be a separate test since its a SHOULD
• 421 should only be returned when it would otherwise match, otherwise its a 404. We should have cases to handle this, and ensure we do not return 421 when there is not otherwise a match

[howardjohn]

Hmm, one thing i think is vague in the spec

	//
	// * If another Listener has an exact match or more specific wildcard entry,
	//   the Gateway SHOULD return a 421.

Can an empty listener.hostname be "more specific wildcard entry"? On one hand, empty != wildcard, but on the other hand, empty is a complete wildcard.

We treat case 4 {host: "unknown-example.org", serverName: "second-example.org", statusCode: 404}, as a 404. But, IMO, this seems like it should be misdirected: the fact the 'other listener' has no hostname disqualifies is irrelevant to users and show behave the same as a wildcard IMO.

I am leaning towards changing this test and making the spec slightly tweaked...

[howardjohn]

Actually, a closer look suggests this must be a 421 even with the current wording of the spec:

if (another listener has an exact match or more specific wildcard) {
	// per discussion, this is currently NOT hit, but IMO should be
	421
} else if (current listener does not match host) {
	// This is hit
	if (another listener does match the host) {
		// This IS hit, because it doesn't disqualify unspecified listener hostnames
		421
	} else {
		404 // The test currently incorrectly asserts 404 here
	}
}

[robscott]

Since these are both a MUST, I don't think they need any qualifiers and can be a part of a core conformance test. Hopefully these don't trip up any existing implementations.

/cc @kl52752 @rostislavbobo

[kl52752]

LGTM

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kl52752, snorwin
Once this PR has been reviewed and has the lgtm label, please assign liorlieberman for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• conformance/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[howardjohn]

I have a passing implementation of this, pending discussion in #4364 (comment): agentgateway/agentgateway#763