fix: strip port from Host header before mTLS domain matching

HTTP clients that include explicit ports in URLs (e.g., https://app.example.com:443/)
result in Go's http.Request.Host containing the port (app.example.com:443).

Previously, GetMtlsDomainConfig() did not strip the port before matching against
configured mTLS domains (e.g., *.apps.identity), causing:
- Domain matching to fail for requests with explicit ports
- No XFCC header added (fell back to default behavior)
- Identity extraction failure in CallerIdentity
- Pre-auth handler denying requests with 403 and reason "identity-extraction-failed"

This particularly affected Java Spring Boot HTTP clients which construct URLs
with explicit ports by default.

Fix: Use net.SplitHostPort() to strip port before domain matching, ensuring
consistent behavior regardless of whether clients include explicit ports.

Added comprehensive unit tests covering:
- Wildcard domain matching with/without ports
- Exact domain matching with/without ports
- IsMtlsDomain() function with/without ports
- Negative test cases for non-mTLS domains

Author: rkoster

src/code.cloudfoundry.org/gorouter/config/config.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"net"
 	"net/url"
 	"os"
 	"runtime"
@@ -1015,6 +1016,12 @@ func (c *Config) RoutingApiEnabled() bool {
 // It checks for exact matches first, then wildcard matches (e.g., *.apps.mtls.internal).
 // Returns nil if the host is not an mTLS domain.
 func (c *Config) GetMtlsDomainConfig(host string) *MtlsDomainConfig {
+	// Strip port if present (e.g., "app.example.com:443" → "app.example.com")
+	// This ensures consistent matching regardless of whether clients include explicit ports
+	if h, _, err := net.SplitHostPort(host); err == nil {
+		host = h
+	}
+
 	// Check exact match first
 	if cfg, ok := c.mtlsDomainMap[host]; ok {
 		return cfg

src/code.cloudfoundry.org/gorouter/config/config_test.go

@@ -2043,6 +2043,109 @@ drain_timeout: 60s
 		})
 
 	})
+
+	Describe("GetMtlsDomainConfig", func() {
+		var certChain test_util.CertChain
+
+		BeforeEach(func() {
+			certChain = test_util.CreateSignedCertWithRootCA(test_util.CertNames{SANs: test_util.SubjectAltNames{DNS: "test.com"}})
+			cfgForSnippet.Domains = []MtlsDomainConfig{
+				{
+					Domain:     "*.apps.identity",
+					XFCCFormat: "envoy",
+					CACerts:    string(certChain.CACertPEM),
+				},
+				{
+					Domain:     "exact.example.com",
+					XFCCFormat: "raw",
+					CACerts:    string(certChain.CACertPEM),
+				},
+			}
+			err := config.Initialize(createYMLSnippet(cfgForSnippet))
+			Expect(err).ToNot(HaveOccurred())
+			err = config.Process()
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		Context("when host includes explicit port", func() {
+			It("strips port and matches wildcard domain", func() {
+				cfg := config.GetMtlsDomainConfig("xfcc-tester.apps.identity:443")
+				Expect(cfg).ToNot(BeNil())
+				Expect(cfg.Domain).To(Equal("*.apps.identity"))
+				Expect(cfg.XFCCFormat).To(Equal("envoy"))
+			})
+
+			It("strips port and matches exact domain", func() {
+				cfg := config.GetMtlsDomainConfig("exact.example.com:8443")
+				Expect(cfg).ToNot(BeNil())
+				Expect(cfg.Domain).To(Equal("exact.example.com"))
+				Expect(cfg.XFCCFormat).To(Equal("raw"))
+			})
+		})
+
+		Context("when host does not include port", func() {
+			It("matches wildcard domain without port", func() {
+				cfg := config.GetMtlsDomainConfig("xfcc-tester.apps.identity")
+				Expect(cfg).ToNot(BeNil())
+				Expect(cfg.Domain).To(Equal("*.apps.identity"))
+				Expect(cfg.XFCCFormat).To(Equal("envoy"))
+			})
+
+			It("matches exact domain without port", func() {
+				cfg := config.GetMtlsDomainConfig("exact.example.com")
+				Expect(cfg).ToNot(BeNil())
+				Expect(cfg.Domain).To(Equal("exact.example.com"))
+				Expect(cfg.XFCCFormat).To(Equal("raw"))
+			})
+		})
+
+		Context("when host is not an mTLS domain", func() {
+			It("returns nil for non-matching host with port", func() {
+				cfg := config.GetMtlsDomainConfig("other.example.com:443")
+				Expect(cfg).To(BeNil())
+			})
+
+			It("returns nil for non-matching host without port", func() {
+				cfg := config.GetMtlsDomainConfig("other.example.com")
+				Expect(cfg).To(BeNil())
+			})
+		})
+	})
+
+	Describe("IsMtlsDomain", func() {
+		var certChain test_util.CertChain
+
+		BeforeEach(func() {
+			certChain = test_util.CreateSignedCertWithRootCA(test_util.CertNames{SANs: test_util.SubjectAltNames{DNS: "test.com"}})
+			cfgForSnippet.Domains = []MtlsDomainConfig{
+				{
+					Domain:     "*.apps.identity",
+					XFCCFormat: "envoy",
+					CACerts:    string(certChain.CACertPEM),
+				},
+			}
+			err := config.Initialize(createYMLSnippet(cfgForSnippet))
+			Expect(err).ToNot(HaveOccurred())
+			err = config.Process()
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("returns true for mTLS domain with port", func() {
+			Expect(config.IsMtlsDomain("xfcc-tester.apps.identity:443")).To(BeTrue())
+		})
+
+		It("returns true for mTLS domain without port", func() {
+			Expect(config.IsMtlsDomain("xfcc-tester.apps.identity")).To(BeTrue())
+		})
+
+		It("returns false for non-mTLS domain with port", func() {
+			Expect(config.IsMtlsDomain("other.example.com:443")).To(BeFalse())
+		})
+
+		It("returns false for non-mTLS domain without port", func() {
+			Expect(config.IsMtlsDomain("other.example.com")).To(BeFalse())
+		})
+	})
 })
 
 func baseConfigFixture() *Config {