From 2dfbc4e9ab39f5458cd4f218cc3b3aa09a76fadc Mon Sep 17 00:00:00 2001
From: Rudrakh Panigrahi
Date: Tue, 17 Jun 2025 14:55:38 +0530
Subject: [PATCH] fix bug in hostname overlap detection

Signed-off-by: Rudrakh Panigrahi
---
 internal/gatewayapi/listener.go | 13 ++++++++++---
 internal/gatewayapi/listener_test.go | 6 ++++++
 release-notes/current.yaml | 1 +
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/internal/gatewayapi/listener.go b/internal/gatewayapi/listener.go
index 9b7c3c8b9d..a48cbcf6e7 100644
--- a/internal/gatewayapi/listener.go
+++ b/internal/gatewayapi/listener.go
@@ -408,10 +408,17 @@ func isOverlappingHostname(hostname1, hostname2 *gwapiv1.Hostname) bool {
 if hostname1 == nil || hostname2 == nil {
 return true
 }
+ domain1 := strings.Replace(string(*hostname1), "*.", "", 1)
+ domain2 := strings.Replace(string(*hostname2), "*.", "", 1)
+ return isSubdomain(domain1, domain2) || isSubdomain(domain2, domain1)
+}
 
- h1 := strings.Replace(string(*hostname1), "*.", "", 1)
- h2 := strings.Replace(string(*hostname2), "*.", "", 1)
- return strings.HasSuffix(h1, h2) || strings.HasSuffix(h2, h1)
+// isSubdomain checks if subDomain is a sub-domain of domain
+func isSubdomain(subDomain, domain string) bool {
+ if subDomain == domain {
+ return true
+ }
+ return strings.HasSuffix(subDomain, fmt.Sprintf(".%s", domain))
 }
 
 func buildListenerMetadata(listener *ListenerContext, gateway *GatewayContext) *ir.ResourceMetadata {
diff --git a/internal/gatewayapi/listener_test.go b/internal/gatewayapi/listener_test.go
index 9c16fa6500..293ded7f1b 100644
--- a/internal/gatewayapi/listener_test.go
+++ b/internal/gatewayapi/listener_test.go
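Review bot: `isOverlappingHostname` in listener.go still strips `*.` from both names before comparing, so whether a name was a wildcard is lost: two exact names in a parent/child relation (constructed example: `foo.dev` and `api.foo.dev`) are reported as overlapping, and `*.foo.dev` compares equal to `foo.dev`. If this over-approximation is the intended conservative behaviour, record it in a doc comment such as `// isOverlappingHostname treats any parent/child relation as overlap, wildcard or not.`, and extend the `isSubdomain` comment to say that equal names also return true. The comparison is byte-exact, so it presumably relies on callers passing lowercase names without a trailing dot; if certificate SANs reach this function, as the release note suggests, lowercasing both sides with `strings.ToLower` before the comparison would keep names that differ only in case from being missed as overlapping. The function's signature appears only in the hunk header, so its opening lines are outside the hunk.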
@@ -174,6 +174,12 @@ func TestIsOverlappingHostname(t *testing.T) {
 hostname2: ptr.To(gwapiv1.Hostname("*.test.com")),
 want: false,
 },
+ {
+ name: "different sub domains of same domain",
+ hostname1: ptr.To(gwapiv1.Hostname("api.foo.dev")),
+ hostname2: ptr.To(gwapiv1.Hostname("testing-api.foo.dev")),
+ want: false,
+ },
 }
 
 for _, tt := range tests {
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 431d6df99c..26bab493fc 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -31,6 +31,7 @@ bug fixes: |
 Keep ALPN configuration for listeners with overlapping certificates when ALPN is explicitly set in ClientTrafficPolicy.
 Fixed issue that switch on wrong SubjectAltNameType enum value in BackendTLSPolicy.
 Fixed issue that BackendTLSPolicy should not reference ConfigMap or Secret across namespace.
+ Fixed bug in certificate SANs overlap detection in listeners.
 
 # Enhancements that improve performance.
 performance improvements: |
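Review bot: The case added to `TestIsOverlappingHostname` (listener_test.go) pins the regression in one argument order only and with two exact names. Since `isOverlappingHostname` strips `*.` before comparing, a wildcard variant of the same label-boundary case is worth pinning too, for example (constructed values) `hostname1: "*.api.foo.dev"`, `hostname2: "testing-api.foo.dev"`, `want: false`, plus the swapped order of the added case. The test table starts above the hunk, so earlier entries may already cover part of this.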