cloudfoundry · winkingturtle-vmw · Feb 7, 2024 · Jan 30, 2024 · Feb 6, 2024 · Feb 6, 2024
@@ -7,6 +7,7 @@ import (
 
 	router_http "code.cloudfoundry.org/gorouter/common/http"
 	"code.cloudfoundry.org/gorouter/config"
+	"code.cloudfoundry.org/gorouter/logger"
 	"code.cloudfoundry.org/gorouter/route"
 )
 
@@ -62,22 +63,29 @@ func upgradeHeader(request *http.Request) string {
 	return ""
 }
 
-func EndpointIteratorForRequest(request *http.Request, loadBalanceMethod string, stickySessionCookieNames config.StringSet, azPreference string, az string) (route.EndpointIterator, error) {
+func EndpointIteratorForRequest(logger logger.Logger, request *http.Request, loadBalanceMethod string, stickySessionCookieNames config.StringSet, azPreference string, az string) (route.EndpointIterator, error) {
 	reqInfo, err := ContextRequestInfo(request)
 	if err != nil {
 		return nil, fmt.Errorf("could not find reqInfo in context")
 	}
-	return reqInfo.RoutePool.Endpoints(loadBalanceMethod, getStickySession(request, stickySessionCookieNames), azPreference, az), nil
+	stickyEndpointID, mustBeSticky := GetStickySession(request, stickySessionCookieNames)
+	return reqInfo.RoutePool.Endpoints(logger, loadBalanceMethod, stickyEndpointID, mustBeSticky, azPreference, az), nil
 }
 
-func getStickySession(request *http.Request, stickySessionCookieNames config.StringSet) string {
+func GetStickySession(request *http.Request, stickySessionCookieNames config.StringSet) (string, bool) {
+	containsAuthNegotiateHeader := strings.HasPrefix(strings.ToLower(request.Header.Get("Authorization")), "negotiate")
+	if containsAuthNegotiateHeader {
+		if sticky, err := request.Cookie(VcapCookieId); err == nil {
+			return sticky.Value, true
+		}
+	}
 	// Try choosing a backend using sticky session
 	for stickyCookieName, _ := range stickySessionCookieNames {
 		if _, err := request.Cookie(stickyCookieName); err == nil {
 			if sticky, err := request.Cookie(VcapCookieId); err == nil {
-				return sticky.Value
+				return sticky.Value, false
 			}
 		}
 	}
-	return ""
+	return "", false
 }
@@ -54,7 +54,7 @@ func (m *MaxRequestSize) ServeHTTP(rw http.ResponseWriter, r *http.Request, next
 		if err != nil {
 			logger.Error("request-info-err", zap.Error(err))
 		} else {
-			endpointIterator, err := EndpointIteratorForRequest(r, m.cfg.LoadBalance, m.cfg.StickySessionCookieNames, m.cfg.LoadBalanceAZPreference, m.cfg.Zone)
+			endpointIterator, err := EndpointIteratorForRequest(logger, r, m.cfg.LoadBalance, m.cfg.StickySessionCookieNames, m.cfg.LoadBalanceAZPreference, m.cfg.Zone)
 			if err != nil {
 				logger.Error("failed-to-find-endpoint-for-req-during-431-short-circuit", zap.Error(err))
 			} else {

@@ -237,7 +237,7 @@ func (p *proxy) ServeHTTP(responseWriter http.ResponseWriter, request *http.Requ
 		logger.Panic("request-info-err", zap.Error(errors.New("failed-to-access-RoutePool")))
 	}
 
-	nestedIterator, err := handlers.EndpointIteratorForRequest(request, p.config.LoadBalance, p.config.StickySessionCookieNames, p.config.LoadBalanceAZPreference, p.config.Zone)
+	nestedIterator, err := handlers.EndpointIteratorForRequest(logger, request, p.config.LoadBalance, p.config.StickySessionCookieNames, p.config.LoadBalanceAZPreference, p.config.Zone)
 	if err != nil {
 		logger.Panic("request-info-err", zap.Error(err))
 	}

@@ -10,6 +10,7 @@ import (
 	"net/http/httptrace"
 	"net/textproto"
 	"net/url"
+	"strings"
 	"sync"
 	"time"
 
@@ -27,15 +28,16 @@ import (
 )
 
 const (
-	VcapCookieId              = "__VCAP_ID__"
-	CookieHeader              = "Set-Cookie"
-	BadGatewayMessage         = "502 Bad Gateway: Registered endpoint failed to handle the request."
-	HostnameErrorMessage      = "503 Service Unavailable"
-	InvalidCertificateMessage = "526 Invalid SSL Certificate"
-	SSLHandshakeMessage       = "525 SSL Handshake Failed"
-	SSLCertRequiredMessage    = "496 SSL Certificate Required"
-	ContextCancelledMessage   = "499 Request Cancelled"
-	HTTP2Protocol             = "http2"
+	VcapCookieId                             = "__VCAP_ID__"
+	CookieHeader                             = "Set-Cookie"
+	BadGatewayMessage                        = "502 Bad Gateway: Registered endpoint failed to handle the request."
+	HostnameErrorMessage                     = "503 Service Unavailable"
+	InvalidCertificateMessage                = "526 Invalid SSL Certificate"
+	SSLHandshakeMessage                      = "525 SSL Handshake Failed"
+	SSLCertRequiredMessage                   = "496 SSL Certificate Required"
+	ContextCancelledMessage                  = "499 Request Cancelled"
+	HTTP2Protocol                            = "http2"
+	AuthNegotiateHeaderCookieMaxAgeInSeconds = 60
 )
 
 //go:generate counterfeiter -o fakes/fake_proxy_round_tripper.go . ProxyRoundTripper
@@ -134,9 +136,9 @@ func (rt *roundTripper) RoundTrip(originalRequest *http.Request) (*http.Response
 		return nil, errors.New("ProxyResponseWriter not set on context")
 	}
 
-	stickyEndpointID := getStickySession(request, rt.config.StickySessionCookieNames)
+	stickyEndpointID, mustBeSticky := handlers.GetStickySession(request, rt.config.StickySessionCookieNames)
 	numberOfEndpoints := reqInfo.RoutePool.NumEndpoints()
-	iter := reqInfo.RoutePool.Endpoints(rt.config.LoadBalance, stickyEndpointID, rt.config.LoadBalanceAZPreference, rt.config.Zone)
+	iter := reqInfo.RoutePool.Endpoints(rt.logger, rt.config.LoadBalance, stickyEndpointID, mustBeSticky, rt.config.LoadBalanceAZPreference, rt.config.Zone)
 
 	// The selectEndpointErr needs to be tracked separately. If we get an error
 	// while selecting an endpoint we might just have run out of routes. In
@@ -388,24 +390,30 @@ func setupStickySession(
 
 	requestContainsStickySessionCookies := originalEndpointId != ""
 	requestNotSentToRequestedApp := originalEndpointId != endpoint.PrivateInstanceId
-	shouldSetVCAPID := requestContainsStickySessionCookies && requestNotSentToRequestedApp
+	responseContainsAuthNegotiateHeader := strings.HasPrefix(strings.ToLower(response.Header.Get("WWW-Authenticate")), "negotiate")
+	shouldSetVCAPID := (responseContainsAuthNegotiateHeader || requestContainsStickySessionCookies) && requestNotSentToRequestedApp
 
 	secure := false
 	maxAge := 0
 	sameSite := http.SameSite(0)
 	expiry := time.Time{}
 
-	for _, v := range response.Cookies() {
-		if _, ok := stickySessionCookieNames[v.Name]; ok {
-			shouldSetVCAPID = true
+	if responseContainsAuthNegotiateHeader {
+		maxAge = AuthNegotiateHeaderCookieMaxAgeInSeconds
+		sameSite = http.SameSiteStrictMode
+	} else {
+		for _, v := range response.Cookies() {
+			if _, ok := stickySessionCookieNames[v.Name]; ok {
+				shouldSetVCAPID = true
 
-			if v.MaxAge < 0 {
-				maxAge = v.MaxAge
+				if v.MaxAge < 0 {
+					maxAge = v.MaxAge
+				}
+				secure = v.Secure
+				sameSite = v.SameSite
+				expiry = v.Expires
+				break
 			}
-			secure = v.Secure
-			sameSite = v.SameSite
-			expiry = v.Expires
-			break
 		}
 	}
 
@@ -440,18 +448,6 @@ func setupStickySession(
 	}
 }
 
-func getStickySession(request *http.Request, stickySessionCookieNames config.StringSet) string {
-	// Try choosing a backend using sticky session
-	for stickyCookieName, _ := range stickySessionCookieNames {
-		if _, err := request.Cookie(stickyCookieName); err == nil {
-			if sticky, err := request.Cookie(VcapCookieId); err == nil {
-				return sticky.Value
-			}
-		}
-	}
-	return ""
-}
-
 func requestSentToRouteService(request *http.Request) bool {
 	sigHeader := request.Header.Get(routeservice.HeaderKeySignature)
 	rsUrl := request.Header.Get(routeservice.HeaderKeyForwardedURL)