From fe62f50dbe17aa62c9941b123a01ecdc2fdbdb81 Mon Sep 17 00:00:00 2001
From: Max Schmitt <max@schmitt.mx>
Date: Wed, 24 Jul 2024 18:10:09 +0200
Subject: [PATCH] chore: remove glob from client-certificate matching

---
 docs/src/api/params.md                        |  4 ++--
 .../socksClientCertificatesInterceptor.ts     | 14 ++---------
 packages/playwright-core/types/types.d.ts     | 24 +++++++++----------
 packages/playwright/types/test.d.ts           |  4 ++--
 4 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/docs/src/api/params.md b/docs/src/api/params.md
index 487270d79e..f52c1c2a39 100644
--- a/docs/src/api/params.md
+++ b/docs/src/api/params.md
@@ -523,7 +523,7 @@ Does not enforce fixed viewport, allows resizing window in the headed mode.
 
 ## context-option-clientCertificates
 - `clientCertificates` <[Array]<[Object]>>
-  - `origin` <[string]> Glob pattern to match against the request origin that the certificate is valid for.
+  - `origin` <[string]> Exact origin that the certificate is valid for.
   - `certPath` ?<[string]> Path to the file with the certificate in PEM format.
   - `keyPath` ?<[string]> Path to the file with the private key in PEM format.
   - `pfxPath` ?<[string]> Path to the PFX or PKCS12 encoded private key and certificate chain.
@@ -533,7 +533,7 @@ TLS Client Authentication allows the server to request a client certificate and
 
 **Details**
 
-An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be provided with a glob pattern to match the origins that the certificate is valid for.
+An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the certficiate is encrypted. The `origin` property should be provided with an exact match to the request origin that the certificate is valid for.
 
 :::note
 Using Client Certificates in combination with Proxy Servers is not supported.
diff --git a/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts b/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts
index 87b0f11c16..07d0bbbb79 100644
--- a/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts
+++ b/packages/playwright-core/src/server/socksClientCertificatesInterceptor.ts
@@ -21,7 +21,7 @@ import fs from 'fs';
 import tls from 'tls';
 import stream from 'stream';
 import { createSocket } from '../utils/happy-eyeballs';
-import { globToRegex, isUnderTest, ManualPromise } from '../utils';
+import { isUnderTest, ManualPromise } from '../utils';
 import type { SocksSocketClosedPayload, SocksSocketDataPayload, SocksSocketRequestedPayload } from '../common/socksProxy';
 import { SocksProxy } from '../common/socksProxy';
 import type * as channels from '@protocol/channels';
@@ -224,21 +224,11 @@ export class ClientCertificatesProxy {
   }
 }
 
-const kClientCertificatesGlobRegex = Symbol('kClientCertificatesGlobRegex');
-
 export function clientCertificatesToTLSOptions(
   clientCertificates: channels.BrowserNewContextOptions['clientCertificates'],
   origin: string
 ): Pick<https.RequestOptions, 'pfx' | 'key' | 'cert'> | undefined {
-  const matchingCerts = clientCertificates?.filter(c => {
-    let regex: RegExp | undefined = (c as any)[kClientCertificatesGlobRegex];
-    if (!regex) {
-      regex = globToRegex(c.origin);
-      (c as any)[kClientCertificatesGlobRegex] = regex;
-    }
-    regex.lastIndex = 0;
-    return regex.test(origin);
-  });
+  const matchingCerts = clientCertificates?.filter(c => c.origin === origin);
   if (!matchingCerts || !matchingCerts.length)
     return;
   const tlsOptions = {
diff --git a/packages/playwright-core/types/types.d.ts b/packages/playwright-core/types/types.d.ts
index d207756459..1b1cba0b5a 100644
--- a/packages/playwright-core/types/types.d.ts
+++ b/packages/playwright-core/types/types.d.ts
@@ -13172,8 +13172,8 @@ export interface BrowserType<Unused = {}> {
      *
      * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
      * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-     * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-     * provided with a glob pattern to match the origins that the certificate is valid for.
+     * certficiate is encrypted. The `origin` property should be provided with an exact match to the request origin that
+     * the certificate is valid for.
      *
      * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
      *
@@ -13182,7 +13182,7 @@ export interface BrowserType<Unused = {}> {
      */
     clientCertificates?: Array<{
       /**
-       * Glob pattern to match against the request origin that the certificate is valid for.
+       * Exact origin that the certificate is valid for.
        */
       origin: string;
 
@@ -15583,8 +15583,8 @@ export interface APIRequest {
      *
      * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
      * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-     * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-     * provided with a glob pattern to match the origins that the certificate is valid for.
+     * certficiate is encrypted. The `origin` property should be provided with an exact match to the request origin that
+     * the certificate is valid for.
      *
      * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
      *
@@ -15593,7 +15593,7 @@ export interface APIRequest {
      */
     clientCertificates?: Array<{
       /**
-       * Glob pattern to match against the request origin that the certificate is valid for.
+       * Exact origin that the certificate is valid for.
        */
       origin: string;
 
@@ -16776,8 +16776,8 @@ export interface Browser extends EventEmitter {
      *
      * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
      * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-     * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-     * provided with a glob pattern to match the origins that the certificate is valid for.
+     * certficiate is encrypted. The `origin` property should be provided with an exact match to the request origin that
+     * the certificate is valid for.
      *
      * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
      *
@@ -16786,7 +16786,7 @@ export interface Browser extends EventEmitter {
      */
     clientCertificates?: Array<{
       /**
-       * Glob pattern to match against the request origin that the certificate is valid for.
+       * Exact origin that the certificate is valid for.
        */
       origin: string;
 
@@ -20226,8 +20226,8 @@ export interface BrowserContextOptions {
    *
    * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
    * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-   * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-   * provided with a glob pattern to match the origins that the certificate is valid for.
+   * certficiate is encrypted. The `origin` property should be provided with an exact match to the request origin that
+   * the certificate is valid for.
    *
    * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
    *
@@ -20236,7 +20236,7 @@ export interface BrowserContextOptions {
    */
   clientCertificates?: Array<{
     /**
-     * Glob pattern to match against the request origin that the certificate is valid for.
+     * Exact origin that the certificate is valid for.
      */
     origin: string;
 
diff --git a/packages/playwright/types/test.d.ts b/packages/playwright/types/test.d.ts
index f1f9ee32dd..c5a3f5d9dd 100644
--- a/packages/playwright/types/test.d.ts
+++ b/packages/playwright/types/test.d.ts
@@ -5208,8 +5208,8 @@ export interface PlaywrightTestOptions {
    *
    * An array of client certificates to be used. Each certificate object must have both `certPath` and `keyPath` or a
    * single `pfxPath` to load the client certificate. Optionally, `passphrase` property should be provided if the
-   * certficiate is encrypted. If the certificate is valid only for specific origins, the `origin` property should be
-   * provided with a glob pattern to match the origins that the certificate is valid for.
+   * certficiate is encrypted. The `origin` property should be provided with an exact match to the request origin that
+   * the certificate is valid for.
    *
    * **NOTE** Using Client Certificates in combination with Proxy Servers is not supported.
    *