[Release-7.3] TLS should accept same key with different values (#11763)

kakaiu · kakaiu · commit b983f7543115 · 2025-03-11T13:22:55.000-07:00
* fix tls

* address comment
diff --git a/flow/TLSConfig.actor.cpp b/flow/TLSConfig.actor.cpp
@@ -601,7 +601,7 @@ TLSPolicy::Rule::Rule(std::string input) {
 
 			s = eq + 3;
 		} else {
-			std::map<int, Criteria>* criteria = &subject_criteria;
+			std::set<std::pair<NID, Criteria>>* criteria = &subject_criteria;
 
 			if (term.find('.') != term.npos) {
 				auto scoped = splitPair(term, '.');
@@ -626,7 +626,15 @@ TLSPolicy::Rule::Rule(std::string input) {
 
 			NID termNID = abbrevToNID(term);
 			const X509Location loc = locationForNID(termNID);
-			criteria->insert(std::make_pair(termNID, Criteria(unesc, mt, loc)));
+			auto criteriaToInsert = Criteria(unesc, mt, loc);
+			auto res = criteria->insert(std::make_pair(termNID, criteriaToInsert));
+			if (!res.second) {
+				TraceEvent(SevWarn, "TLSKeyValueDuplicated")
+				    .suppressFor(60.0)
+				    .detail("TermNID", termNID)
+				    .detail("NewCriteria", criteriaToInsert.criteria)
+				    .detail("ExistingCriteria", res.first->second.criteria);
+			}
 
 			if (remain != input.size() && input[remain] != ',')
 				throw std::runtime_error("parse_verify");
diff --git a/flow/include/flow/TLSConfig.actor.h b/flow/include/flow/TLSConfig.actor.h
@@ -42,7 +42,6 @@
 #include "flow/FastRef.h"
 #include "flow/Knobs.h"
 #include "flow/flow.h"
-
 #include "flow/actorcompiler.h" // This must be the last #include.
 
 typedef int NID;
@@ -75,6 +74,17 @@ struct Criteria {
 	}
 
 	bool operator!=(const Criteria& c) const noexcept { return !(*this == c); }
+
+	bool operator<(const Criteria& c) const {
+		if (criteria != c.criteria) {
+			return criteria < c.criteria;
+		} else if (match_type != c.match_type) {
+			return match_type < c.match_type;
+		} else if (location != c.location) {
+			return location < c.location;
+		}
+		return false;
+	}
 };
 
 enum class TLSEndpointType { UNSET = 0, CLIENT, SERVER };
@@ -247,7 +257,7 @@ class TLSPolicy : ReferenceCounted<TLSPolicy> {
 	std::string toString() const;
 
 	struct Rule {
-		using CriteriaMap = std::map<NID, Criteria>;
+		using CriteriaMap = std::set<std::pair<NID, Criteria>>;
 
 		explicit Rule(std::string input);
 
