in internal/validation/request.go [75:110]
// validateRequestTargetHost checks the host a request was addressed to against
// an allowlist and returns an access-denied error when it is not on the list.
//
// The allowlist is cv.TargetHosts when that field is non-nil, otherwise the
// package-level defaultValidTargetHosts. A non-nil but empty cv.TargetHosts
// therefore rejects every request.
//
// Matching is an exact, case-sensitive string comparison. No DNS resolution or
// IP canonicalisation happens here, so a different spelling of an allowed
// address (other letter case, an alternate IPv6 text form) is rejected: the
// check fails closed.
//
// NOTE(review): requestTargetHost is presumably taken from the incoming
// request (e.g. the HTTP Host header) and so is caller-controlled; this check
// then looks like a guard against reaching the agent through an unexpected
// name — confirm against the caller and the threat model.
func (cv DefaultCredentialValidator) validateRequestTargetHost(ctx context.Context, requestTargetHost string) error {
	// The "target-host" field keeps the value exactly as received, before any
	// port or bracket stripping below.
	entry := logger.FromContext(ctx).WithField("target-host", requestTargetHost)

	// The port may be part of the value (e.g. when the listener is not on
	// HTTP's default port 80). If it parses as host:port, keep only the host;
	// otherwise leave the value untouched.
	h, p, splitErr := net.SplitHostPort(requestTargetHost)
	if splitErr == nil {
		entry.WithFields(map[string]interface{}{
			"host": h,
			"port": p,
		}).Tracef("Parsing request target host as host-port addr")
		requestTargetHost = h
	}

	// An IPv6 host without a port can arrive as "[fe00::]"; drop the brackets
	// so it compares equal to the bare address form.
	if n := len(requestTargetHost); n > 1 {
		if requestTargetHost[0] == '[' && requestTargetHost[n-1] == ']' {
			requestTargetHost = requestTargetHost[1 : n-1]
		}
	}

	// Anything else (localhost, an arbitrary DNS name) is compared as-is.
	// Unit tests bind to localhost, so such names are not rejected up front.
	entry.Trace("Interpreting request target host without port")

	allowed := defaultValidTargetHosts
	if cv.TargetHosts != nil {
		allowed = cv.TargetHosts
	}

	for i := range allowed {
		if allowed[i] == requestTargetHost {
			return nil
		}
	}

	// NOTE(review): the rejected value is echoed into the error text with %s.
	// If this message is logged or returned to the client, confirm that the
	// value cannot carry control characters, or quote it (%q) at the sink.
	msg := fmt.Sprintf(
		"Called agent through invalid address, please use either %s address not %s", allowed, requestTargetHost)
	return errors.NewAccessDeniedError(msg)
}