ingress-nginx-helm/test/e2e/settings/global_external_auth.go

/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package settings

import (
	"fmt"
	"net/http"
	"time"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	"github.com/parnurzeal/gorequest"

	"k8s.io/ingress-nginx/test/e2e/framework"
)

var _ = framework.DescribeSetting("[Security] global-auth-url", func() {
	f := framework.NewDefaultFramework("global-external-auth")

	host := "global-external-auth"

	echoServiceName := framework.EchoService

	globalExternalAuthURLSetting := "global-auth-url"

	fooPath := "/foo"
	barPath := "/bar"

	noAuthSetting := "no-auth-locations"
	noAuthLocations := barPath

	enableGlobalExternalAuthAnnotation := "nginx.ingress.kubernetes.io/enable-global-auth"

	BeforeEach(func() {
		f.NewEchoDeployment()
		f.NewHttpbinDeployment()
	})

	Context("when global external authentication is configured", func() {

		BeforeEach(func() {
			globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/401", framework.HTTPBinService, f.Namespace)

			By("Adding an ingress rule for /foo")
			fooIng := framework.NewSingleIngress("foo-ingress", fooPath, host, f.Namespace, echoServiceName, 80, nil)
			f.EnsureIngress(fooIng)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring("location /foo"))
				})

			By("Adding an ingress rule for /bar")
			barIng := framework.NewSingleIngress("bar-ingress", barPath, host, f.Namespace, echoServiceName, 80, nil)
			f.EnsureIngress(barIng)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring("location /bar"))
				})

			By("Adding a global-auth-url to configMap")
			f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, globalExternalAuthURL)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring(globalExternalAuthURL))
				})
		})

		It("should return status code 401 when request any protected service", func() {

			By("Sending a request to protected service /foo")
			fooResp, _, _ := gorequest.New().
				Get(f.GetURL(framework.HTTP)+fooPath).
				Set("Host", host).
				End()
			Expect(fooResp.StatusCode).Should(Equal(http.StatusUnauthorized))

			By("Sending a request to protected service /bar")
			barResp, _, _ := gorequest.New().
				Get(f.GetURL(framework.HTTP)+barPath).
				Set("Host", host).
				End()
			Expect(barResp.StatusCode).Should(Equal(http.StatusUnauthorized))
		})

		It("should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service", func() {

			By("Adding a no-auth-locations for /bar to configMap")
			f.UpdateNginxConfigMapData(noAuthSetting, noAuthLocations)

			By("Sending a request to protected service /foo")
			fooResp, _, _ := gorequest.New().
				Get(f.GetURL(framework.HTTP)+fooPath).
				Set("Host", host).
				End()
			Expect(fooResp.StatusCode).Should(Equal(http.StatusUnauthorized))

			By("Sending a request to whitelisted service /bar")
			barResp, _, _ := gorequest.New().
				Get(f.GetURL(framework.HTTP)+barPath).
				Set("Host", host).
				End()
			Expect(barResp.StatusCode).Should(Equal(http.StatusOK))
		})

		It("should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service", func() {

			By("Adding an ingress rule for /bar with annotation enable-global-auth = false")
			annotations := map[string]string{
				enableGlobalExternalAuthAnnotation: "false",
			}
			barIng := framework.NewSingleIngress("bar-ingress", barPath, host, f.Namespace, echoServiceName, 80, annotations)
			f.EnsureIngress(barIng)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring("location /bar"))
				})

			By("Sending a request to protected service /foo")
			fooResp, _, _ := gorequest.New().
				Get(f.GetURL(framework.HTTP)+fooPath).
				Set("Host", host).
				End()
			Expect(fooResp.StatusCode).Should(Equal(http.StatusUnauthorized))

			By("Sending a request to whitelisted service /bar")
			barResp, _, _ := gorequest.New().
				Get(f.GetURL(framework.HTTP)+barPath).
				Set("Host", host).
				End()
			Expect(barResp.StatusCode).Should(Equal(http.StatusOK))
		})

		It("should still return status code 200 after auth backend is deleted using cache ", func() {

			globalExternalAuthCacheKeySetting := "global-auth-cache-key"
			globalExternalAuthCacheKey := "foo"
			globalExternalAuthCacheDurationSetting := "global-auth-cache-duration"
			globalExternalAuthCacheDuration := "200 201 401 30m"
			globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/200", framework.HTTPBinService, f.Namespace)

			By("Adding a global-auth-cache-key to configMap")
			f.UpdateNginxConfigMapData(globalExternalAuthCacheKeySetting, globalExternalAuthCacheKey)
			f.UpdateNginxConfigMapData(globalExternalAuthCacheDurationSetting, globalExternalAuthCacheDuration)
			f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, globalExternalAuthURL)

			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(MatchRegexp(`\$cache_key.*foo`)) &&
						Expect(server).Should(ContainSubstring(`proxy_cache_valid 200 201 401 30m;`))
				})

			resp, _, errs := gorequest.New().
				Get(f.GetURL(framework.HTTP)+barPath).
				Retry(10, 1*time.Second, http.StatusNotFound).
				Set("Host", host).
				SetBasicAuth("user", "password").
				End()

			for _, err := range errs {
				Expect(err).NotTo(HaveOccurred())
			}
			Expect(resp.StatusCode).Should(Equal(http.StatusOK))

			err := f.DeleteDeployment(framework.HTTPBinService)
			Expect(err).NotTo(HaveOccurred())

			_, _, errs = gorequest.New().
				Get(f.GetURL(framework.HTTP)).
				Retry(10, 1*time.Second, http.StatusNotFound).
				Set("Host", host).
				SetBasicAuth("user", "password").
				End()

			for _, err := range errs {
				Expect(err).NotTo(HaveOccurred())
			}
		})

		It(`should proxy_method method when global-auth-method is configured`, func() {

			globalExternalAuthMethodSetting := "global-auth-method"
			globalExternalAuthMethod := "GET"

			By("Adding a global-auth-method to configMap")
			f.UpdateNginxConfigMapData(globalExternalAuthMethodSetting, globalExternalAuthMethod)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring("proxy_method"))
				})
		})

		It(`should add custom error page when global-auth-signin url is configured`, func() {

			globalExternalAuthSigninSetting := "global-auth-signin"
			globalExternalAuthSignin := "http://foo.com/global-error-page"

			By("Adding a global-auth-signin to configMap")
			f.UpdateNginxConfigMapData(globalExternalAuthSigninSetting, globalExternalAuthSignin)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring("error_page 401 = "))
				})
		})

		It(`should add auth headers when global-auth-response-headers is configured`, func() {

			globalExternalAuthResponseHeadersSetting := "global-auth-response-headers"
			globalExternalAuthResponseHeaders := "Foo, Bar"

			By("Adding a global-auth-response-headers to configMap")
			f.UpdateNginxConfigMapData(globalExternalAuthResponseHeadersSetting, globalExternalAuthResponseHeaders)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring("auth_request_set $authHeader0 $upstream_http_foo;")) &&
						Expect(server).Should(ContainSubstring("auth_request_set $authHeader1 $upstream_http_bar;"))
				})
		})

		It(`should set request-redirect when global-auth-request-redirect is configured`, func() {

			globalExternalAuthRequestRedirectSetting := "global-auth-request-redirect"
			globalExternalAuthRequestRedirect := "Foo-Redirect"

			By("Adding a global-auth-request-redirect to configMap")
			f.UpdateNginxConfigMapData(globalExternalAuthRequestRedirectSetting, globalExternalAuthRequestRedirect)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring(globalExternalAuthRequestRedirect))
				})
		})

		It(`should set snippet when global external auth is configured`, func() {

			globalExternalAuthSnippetSetting := "global-auth-snippet"
			globalExternalAuthSnippet := "proxy_set_header My-Custom-Header 42;"

			By("Adding a global-auth-snippet to configMap")
			f.UpdateNginxConfigMapData(globalExternalAuthSnippetSetting, globalExternalAuthSnippet)
			f.WaitForNginxServer(host,
				func(server string) bool {
					return Expect(server).Should(ContainSubstring(globalExternalAuthSnippet))
				})
		})

	})

})
Added Global External Authentication settings to configmap parameters incl. addons 2018-11-27 16:12:17 +00:00			`/*`
			`Copyright 2018 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package settings`

			`import (`
			`"fmt"`
			`"net/http"`
feat: auth-req caching add a way to configure the `proxy_cache_` [1] directive for external-auth. The user-defined cache_key may contain sensitive information (e.g. Authorization header). We want to store only* a hash of that key, not the key itself on disk. [1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2019-07-07 16:34:56 +00:00			`"time"`
Added Global External Authentication settings to configmap parameters incl. addons 2018-11-27 16:12:17 +00:00
			`. "github.com/onsi/ginkgo"`
			`. "github.com/onsi/gomega"`
			`"github.com/parnurzeal/gorequest"`

			`"k8s.io/ingress-nginx/test/e2e/framework"`
			`)`

Cleanup and standardization of e2e test definitions (#5090) 2020-02-16 18:27:58 +00:00			`var _ = framework.DescribeSetting("[Security] global-auth-url", func() {`
Added Global External Authentication settings to configmap parameters incl. addons 2018-11-27 16:12:17 +00:00			`f := framework.NewDefaultFramework("global-external-auth")`

			`host := "global-external-auth"`

Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`echoServiceName := framework.EchoService`
Added Global External Authentication settings to configmap parameters incl. addons 2018-11-27 16:12:17 +00:00
			`globalExternalAuthURLSetting := "global-auth-url"`

			`fooPath := "/foo"`
			`barPath := "/bar"`

			`noAuthSetting := "no-auth-locations"`
			`noAuthLocations := barPath`

			`enableGlobalExternalAuthAnnotation := "nginx.ingress.kubernetes.io/enable-global-auth"`

			`BeforeEach(func() {`
			`f.NewEchoDeployment()`
			`f.NewHttpbinDeployment()`
			`})`

			`Context("when global external authentication is configured", func() {`

			`BeforeEach(func() {`
Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/401", framework.HTTPBinService, f.Namespace)`
Added Global External Authentication settings to configmap parameters incl. addons 2018-11-27 16:12:17 +00:00
			`By("Adding an ingress rule for /foo")`
			`fooIng := framework.NewSingleIngress("foo-ingress", fooPath, host, f.Namespace, echoServiceName, 80, nil)`
			`f.EnsureIngress(fooIng)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring("location /foo"))`
			`})`

			`By("Adding an ingress rule for /bar")`
			`barIng := framework.NewSingleIngress("bar-ingress", barPath, host, f.Namespace, echoServiceName, 80, nil)`
			`f.EnsureIngress(barIng)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring("location /bar"))`
			`})`

			`By("Adding a global-auth-url to configMap")`
			`f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, globalExternalAuthURL)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring(globalExternalAuthURL))`
			`})`
			`})`

			`It("should return status code 401 when request any protected service", func() {`

			`By("Sending a request to protected service /foo")`
			`fooResp, _, _ := gorequest.New().`
			`Get(f.GetURL(framework.HTTP)+fooPath).`
			`Set("Host", host).`
			`End()`
			`Expect(fooResp.StatusCode).Should(Equal(http.StatusUnauthorized))`

			`By("Sending a request to protected service /bar")`
			`barResp, _, _ := gorequest.New().`
			`Get(f.GetURL(framework.HTTP)+barPath).`
			`Set("Host", host).`
			`End()`
			`Expect(barResp.StatusCode).Should(Equal(http.StatusUnauthorized))`
			`})`

			`It("should return status code 200 when request whitelisted (via no-auth-locations) service and 401 when request protected service", func() {`

			`By("Adding a no-auth-locations for /bar to configMap")`
			`f.UpdateNginxConfigMapData(noAuthSetting, noAuthLocations)`

			`By("Sending a request to protected service /foo")`
			`fooResp, _, _ := gorequest.New().`
			`Get(f.GetURL(framework.HTTP)+fooPath).`
			`Set("Host", host).`
			`End()`
			`Expect(fooResp.StatusCode).Should(Equal(http.StatusUnauthorized))`

			`By("Sending a request to whitelisted service /bar")`
			`barResp, _, _ := gorequest.New().`
			`Get(f.GetURL(framework.HTTP)+barPath).`
			`Set("Host", host).`
			`End()`
			`Expect(barResp.StatusCode).Should(Equal(http.StatusOK))`
			`})`

			`It("should return status code 200 when request whitelisted (via ingress annotation) service and 401 when request protected service", func() {`

			`By("Adding an ingress rule for /bar with annotation enable-global-auth = false")`
			`annotations := map[string]string{`
			`enableGlobalExternalAuthAnnotation: "false",`
			`}`
Remove hard-coded annotation and don't use map pointers 2019-12-13 05:47:11 +00:00			`barIng := framework.NewSingleIngress("bar-ingress", barPath, host, f.Namespace, echoServiceName, 80, annotations)`
Added Global External Authentication settings to configmap parameters incl. addons 2018-11-27 16:12:17 +00:00			`f.EnsureIngress(barIng)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring("location /bar"))`
			`})`

			`By("Sending a request to protected service /foo")`
			`fooResp, _, _ := gorequest.New().`
			`Get(f.GetURL(framework.HTTP)+fooPath).`
			`Set("Host", host).`
			`End()`
			`Expect(fooResp.StatusCode).Should(Equal(http.StatusUnauthorized))`

			`By("Sending a request to whitelisted service /bar")`
			`barResp, _, _ := gorequest.New().`
			`Get(f.GetURL(framework.HTTP)+barPath).`
			`Set("Host", host).`
			`End()`
			`Expect(barResp.StatusCode).Should(Equal(http.StatusOK))`
			`})`

feat: auth-req caching add a way to configure the `proxy_cache_` [1] directive for external-auth. The user-defined cache_key may contain sensitive information (e.g. Authorization header). We want to store only* a hash of that key, not the key itself on disk. [1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2019-07-07 16:34:56 +00:00			`It("should still return status code 200 after auth backend is deleted using cache ", func() {`

			`globalExternalAuthCacheKeySetting := "global-auth-cache-key"`
			`globalExternalAuthCacheKey := "foo"`
			`globalExternalAuthCacheDurationSetting := "global-auth-cache-duration"`
			`globalExternalAuthCacheDuration := "200 201 401 30m"`
Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`globalExternalAuthURL := fmt.Sprintf("http://%s.%s.svc.cluster.local:80/status/200", framework.HTTPBinService, f.Namespace)`
feat: auth-req caching add a way to configure the `proxy_cache_` [1] directive for external-auth. The user-defined cache_key may contain sensitive information (e.g. Authorization header). We want to store only* a hash of that key, not the key itself on disk. [1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2019-07-07 16:34:56 +00:00
			`By("Adding a global-auth-cache-key to configMap")`
			`f.UpdateNginxConfigMapData(globalExternalAuthCacheKeySetting, globalExternalAuthCacheKey)`
			`f.UpdateNginxConfigMapData(globalExternalAuthCacheDurationSetting, globalExternalAuthCacheDuration)`
			`f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, globalExternalAuthURL)`

			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			return Expect(server).Should(MatchRegexp(`\$cache_key.*foo`)) &&
			Expect(server).Should(ContainSubstring(`proxy_cache_valid 200 201 401 30m;`))
			`})`

			`resp, _, errs := gorequest.New().`
			`Get(f.GetURL(framework.HTTP)+barPath).`
			`Retry(10, 1*time.Second, http.StatusNotFound).`
			`Set("Host", host).`
			`SetBasicAuth("user", "password").`
			`End()`

			`for _, err := range errs {`
			`Expect(err).NotTo(HaveOccurred())`
			`}`
			`Expect(resp.StatusCode).Should(Equal(http.StatusOK))`

Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`err := f.DeleteDeployment(framework.HTTPBinService)`
feat: auth-req caching add a way to configure the `proxy_cache_` [1] directive for external-auth. The user-defined cache_key may contain sensitive information (e.g. Authorization header). We want to store only* a hash of that key, not the key itself on disk. [1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2019-07-07 16:34:56 +00:00			`Expect(err).NotTo(HaveOccurred())`

Lint code using staticcheck (#4471) 2019-08-23 16:08:40 +00:00			`_, _, errs = gorequest.New().`
feat: auth-req caching add a way to configure the `proxy_cache_` [1] directive for external-auth. The user-defined cache_key may contain sensitive information (e.g. Authorization header). We want to store only* a hash of that key, not the key itself on disk. [1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key Signed-off-by: Moritz Johner <beller.moritz@googlemail.com> 2019-07-07 16:34:56 +00:00			`Get(f.GetURL(framework.HTTP)).`
			`Retry(10, 1*time.Second, http.StatusNotFound).`
			`Set("Host", host).`
			`SetBasicAuth("user", "password").`
			`End()`

			`for _, err := range errs {`
			`Expect(err).NotTo(HaveOccurred())`
			`}`
			`})`

Added Global External Authentication settings to configmap parameters incl. addons 2018-11-27 16:12:17 +00:00			It(`should proxy_method method when global-auth-method is configured`, func() {

			`globalExternalAuthMethodSetting := "global-auth-method"`
			`globalExternalAuthMethod := "GET"`

			`By("Adding a global-auth-method to configMap")`
			`f.UpdateNginxConfigMapData(globalExternalAuthMethodSetting, globalExternalAuthMethod)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring("proxy_method"))`
			`})`
			`})`

			It(`should add custom error page when global-auth-signin url is configured`, func() {

			`globalExternalAuthSigninSetting := "global-auth-signin"`
			`globalExternalAuthSignin := "http://foo.com/global-error-page"`

			`By("Adding a global-auth-signin to configMap")`
			`f.UpdateNginxConfigMapData(globalExternalAuthSigninSetting, globalExternalAuthSignin)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring("error_page 401 = "))`
			`})`
			`})`

			It(`should add auth headers when global-auth-response-headers is configured`, func() {

			`globalExternalAuthResponseHeadersSetting := "global-auth-response-headers"`
			`globalExternalAuthResponseHeaders := "Foo, Bar"`

			`By("Adding a global-auth-response-headers to configMap")`
			`f.UpdateNginxConfigMapData(globalExternalAuthResponseHeadersSetting, globalExternalAuthResponseHeaders)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring("auth_request_set $authHeader0 $upstream_http_foo;")) &&`
			`Expect(server).Should(ContainSubstring("auth_request_set $authHeader1 $upstream_http_bar;"))`
			`})`
			`})`

			It(`should set request-redirect when global-auth-request-redirect is configured`, func() {

			`globalExternalAuthRequestRedirectSetting := "global-auth-request-redirect"`
			`globalExternalAuthRequestRedirect := "Foo-Redirect"`

			`By("Adding a global-auth-request-redirect to configMap")`
			`f.UpdateNginxConfigMapData(globalExternalAuthRequestRedirectSetting, globalExternalAuthRequestRedirect)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring(globalExternalAuthRequestRedirect))`
			`})`
			`})`

			It(`should set snippet when global external auth is configured`, func() {

			`globalExternalAuthSnippetSetting := "global-auth-snippet"`
			`globalExternalAuthSnippet := "proxy_set_header My-Custom-Header 42;"`

			`By("Adding a global-auth-snippet to configMap")`
			`f.UpdateNginxConfigMapData(globalExternalAuthSnippetSetting, globalExternalAuthSnippet)`
			`f.WaitForNginxServer(host,`
			`func(server string) bool {`
			`return Expect(server).Should(ContainSubstring(globalExternalAuthSnippet))`
			`})`
			`})`

			`})`

			`})`