ingress-nginx-helm/test/e2e/annotations/auth.go

935 lines
29 KiB
Go
Raw Normal View History

2017-11-12 16:52:55 +00:00
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
2017-11-10 02:00:38 +00:00
package annotations
2017-11-12 16:52:55 +00:00
import (
"context"
2017-11-12 16:52:55 +00:00
"fmt"
"net/http"
2018-07-19 13:37:28 +00:00
"net/url"
2017-11-12 16:52:55 +00:00
"os/exec"
"regexp"
"strings"
2020-08-09 12:13:24 +00:00
"time"
2017-11-12 16:52:55 +00:00
"github.com/onsi/ginkgo/v2"
"github.com/stretchr/testify/assert"
2017-11-12 16:52:55 +00:00
corev1 "k8s.io/api/core/v1"
Release v1 (#7470) * Drop v1beta1 from ingress nginx (#7156) * Drop v1beta1 from ingress nginx Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix intorstr logic in controller Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * fixing admission Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * more intorstr fixing * correct template rendering Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix e2e tests for v1 api Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix gofmt errors * This is finally working...almost there... Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Re-add removed validation of AdmissionReview * Prepare for v1.0.0-alpha.1 release Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Update changelog and matrix table for v1.0.0-alpha.1 (#7274) Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * add docs for syslog feature (#7219) * Fix link to e2e-tests.md in developer-guide (#7201) * Use ENV expansion for namespace in args (#7146) Update the DaemonSet namespace references to use the `POD_NAMESPACE` environment variable in the same way that the Deployment does. * chart: using Helm builtin capabilities check (#7190) Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> * Update proper default value for HTTP2MaxConcurrentStreams in Docs (#6944) It should be 128 as documented in https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/controller/config/config.go#L780 * Fix MaxWorkerOpenFiles calculation on high cores nodes (#7107) * Fix MaxWorkerOpenFiles calculation on high cores nodes * Add e2e test for rlimit_nofile * Fix doc for max-worker-open-files * ingress/tcp: add additional error logging on failed (#7208) * Add file containing stable release (#7313) * Handle named (non-numeric) ports correctly (#7311) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Updated v1beta1 to v1 as its deprecated (#7308) * remove mercurial from build (#7031) * Retry to download maxmind DB if it fails (#7242) * Retry to download maxmind DB if it fails. Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Add retries count arg, move retry logic into DownloadGeoLite2DB function Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Reorder parameters in DownloadGeoLite2DB Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Remove hardcoded value Signed-off-by: Sergey Shakuto <sshakuto@infoblox.com> * Release v1.0.0-alpha.1 * Add changelog for v1.0.0-alpha.2 * controller: ignore non-service backends (#7332) * controller: ignore non-service backends Signed-off-by: Carlos Panato <ctadeu@gmail.com> * update per feedback Signed-off-by: Carlos Panato <ctadeu@gmail.com> * fix: allow scope/tcp/udp configmap namespace to altered (#7161) * Lower webhook timeout for digital ocean (#7319) * Lower webhook timeout for digital ocean * Set Digital Ocean value controller.admissionWebhooks.timeoutSeconds to 29 * update OWNERS and aliases files (#7365) (#7366) Signed-off-by: Carlos Panato <ctadeu@gmail.com> * Downgrade Lua modules for s390x (#7355) Downgrade Lua modules to last known working version. * Fix IngressClass logic for newer releases (#7341) * Fix IngressClass logic for newer releases Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Change e2e tests for the new IngressClass presence * Fix chart and admission tests Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix helm chart test Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com> * Fix reviews * Remove ingressclass code from admission * update tag to v1.0.0-beta.1 * update readme and changelog for v1.0.0-beta.1 * Release v1.0.0-beta.1 - helm and manifests (#7422) * Change the order of annotation just to trigger a new helm release (#7425) * [cherry-pick] Add dev-v1 branch into helm releaser (#7428) * Add dev-v1 branch into helm releaser (#7424) * chore: add link for artifacthub.io/prerelease annotations Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> * k8s job ci pipeline for dev-v1 br v1.22.0 (#7453) * k8s job ci pipeline for dev-v1 br v1.22.0 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * k8s job ci pipeline for dev-v1 br v1.21.2 Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * remove v1.21.1 version Signed-off-by: Neha Lohia <nehapithadiya444@gmail.com> * Add controller.watchIngressWithoutClass config option (#7459) Signed-off-by: Akshit Grover <akshit.grover2016@gmail.com> * Release new helm chart with certgen fixed (#7478) * Update go version, modules and remove ioutil * Release new helm chart with certgen fixed * changed appversion, chartversion, TAG, image (#7490) * Fix CI conflict * Fix CI conflict * Fix build.sh from rebase process * Fix controller_test post rebase Co-authored-by: Tianhao Guo <rggth09@gmail.com> Co-authored-by: Ray <61553+rctay@users.noreply.github.com> Co-authored-by: Bill Cassidy <cassid4@gmail.com> Co-authored-by: Jintao Zhang <tao12345666333@163.com> Co-authored-by: Sathish Ramani <rsathishx87@gmail.com> Co-authored-by: Mansur Marvanov <nanorobocop@gmail.com> Co-authored-by: Matt1360 <568198+Matt1360@users.noreply.github.com> Co-authored-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com> Co-authored-by: Kundan Kumar <kundan.kumar@india.nec.com> Co-authored-by: Tom Hayward <thayward@infoblox.com> Co-authored-by: Sergey Shakuto <sshakuto@infoblox.com> Co-authored-by: Tore <tore.lonoy@gmail.com> Co-authored-by: Bouke Versteegh <info@boukeversteegh.nl> Co-authored-by: Shahid <shahid@us.ibm.com> Co-authored-by: James Strong <strong.james.e@gmail.com> Co-authored-by: Long Wu Yuan <longwuyuan@gmail.com> Co-authored-by: Jintao Zhang <zhangjintao9020@gmail.com> Co-authored-by: Neha Lohia <nehapithadiya444@gmail.com> Co-authored-by: Akshit Grover <akshit.grover2016@gmail.com>
2021-08-21 20:42:00 +00:00
networking "k8s.io/api/networking/v1"
2017-11-12 16:52:55 +00:00
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/ingress-nginx/test/e2e/framework"
)
var _ = framework.DescribeAnnotation("auth-*", func() {
f := framework.NewDefaultFramework("auth")
2017-11-12 16:52:55 +00:00
ginkgo.BeforeEach(func() {
2018-10-29 21:39:04 +00:00
f.NewEchoDeployment()
2017-11-12 16:52:55 +00:00
})
ginkgo.It("should return status code 200 when no authentication is configured", func() {
2017-11-12 16:52:55 +00:00
host := "auth"
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil)
2018-10-29 21:39:04 +00:00
f.EnsureIngress(ing)
2017-11-12 16:52:55 +00:00
2018-10-29 21:39:04 +00:00
f.WaitForNginxServer(host,
2017-11-12 16:52:55 +00:00
func(server string) bool {
return strings.Contains(server, "server_name auth")
2017-11-12 16:52:55 +00:00
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).
Body().Contains(fmt.Sprintf("host=%v", host))
2017-11-12 16:52:55 +00:00
})
ginkgo.It("should return status code 503 when authentication is configured with an invalid secret", func() {
2017-11-12 16:52:55 +00:00
host := "auth"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-type": "basic",
"nginx.ingress.kubernetes.io/auth-secret": "something",
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
}
2017-11-12 16:52:55 +00:00
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
2018-10-29 21:39:04 +00:00
f.EnsureIngress(ing)
2017-11-12 16:52:55 +00:00
2018-10-29 21:39:04 +00:00
f.WaitForNginxServer(host,
2017-11-12 16:52:55 +00:00
func(server string) bool {
return strings.Contains(server, "server_name auth")
2017-11-12 16:52:55 +00:00
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusServiceUnavailable).
Body().Contains("503 Service Temporarily Unavailable")
2017-11-12 16:52:55 +00:00
})
ginkgo.It("should return status code 401 when authentication is configured but Authorization header is not configured", func() {
2017-11-12 16:52:55 +00:00
host := "auth"
s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace))
2017-11-12 16:52:55 +00:00
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-type": "basic",
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
2018-10-29 21:39:04 +00:00
f.EnsureIngress(ing)
2017-11-12 16:52:55 +00:00
2018-10-29 21:39:04 +00:00
f.WaitForNginxServer(host,
2017-11-12 16:52:55 +00:00
func(server string) bool {
return strings.Contains(server, "server_name auth")
2017-11-12 16:52:55 +00:00
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusUnauthorized).
Body().Contains("401 Authorization Required")
2017-11-12 16:52:55 +00:00
})
ginkgo.It("should return status code 401 when authentication is configured and Authorization header is sent with invalid credentials", func() {
2017-11-12 16:52:55 +00:00
host := "auth"
s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace))
2017-11-12 16:52:55 +00:00
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-type": "basic",
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
2018-10-29 21:39:04 +00:00
f.EnsureIngress(ing)
2017-11-12 16:52:55 +00:00
2018-10-29 21:39:04 +00:00
f.WaitForNginxServer(host,
2017-11-12 16:52:55 +00:00
func(server string) bool {
return strings.Contains(server, "server_name auth")
2017-11-12 16:52:55 +00:00
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithBasicAuth("user", "pass").
Expect().
Status(http.StatusUnauthorized).
Body().Contains("401 Authorization Required")
2017-11-12 16:52:55 +00:00
})
ginkgo.It("should return status code 401 and cors headers when authentication and cors is configured but Authorization header is not configured", func() {
host := "auth"
s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace))
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-type": "basic",
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
"nginx.ingress.kubernetes.io/enable-cors": "true",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, "server_name auth")
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusUnauthorized).
Header("Access-Control-Allow-Origin").Equal("*")
})
ginkgo.It("should return status code 200 when authentication is configured and Authorization header is sent", func() {
2017-11-12 16:52:55 +00:00
host := "auth"
s := f.EnsureSecret(buildSecret("foo", "bar", "test", f.Namespace))
2017-11-12 16:52:55 +00:00
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-type": "basic",
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
2018-10-29 21:39:04 +00:00
f.EnsureIngress(ing)
2017-11-12 16:52:55 +00:00
2018-10-29 21:39:04 +00:00
f.WaitForNginxServer(host,
2017-11-12 16:52:55 +00:00
func(server string) bool {
return strings.Contains(server, "server_name auth")
2017-11-12 16:52:55 +00:00
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithBasicAuth("foo", "bar").
Expect().
Status(http.StatusOK)
2017-11-12 16:52:55 +00:00
})
ginkgo.It("should return status code 200 when authentication is configured with a map and Authorization header is sent", func() {
host := "auth"
s := f.EnsureSecret(buildMapSecret("foo", "bar", "test", f.Namespace))
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-type": "basic",
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
"nginx.ingress.kubernetes.io/auth-secret-type": "auth-map",
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, "server_name auth")
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithBasicAuth("foo", "bar").
Expect().
Status(http.StatusOK)
})
ginkgo.It("should return status code 401 when authentication is configured with invalid content and Authorization header is sent", func() {
2017-11-12 16:52:55 +00:00
host := "auth"
2018-10-29 21:39:04 +00:00
s := f.EnsureSecret(
2017-11-12 16:52:55 +00:00
&corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "test",
Namespace: f.Namespace,
2017-11-12 16:52:55 +00:00
},
Data: map[string][]byte{
// invalid content
"auth": []byte("foo:"),
},
Type: corev1.SecretTypeOpaque,
},
)
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-type": "basic",
"nginx.ingress.kubernetes.io/auth-secret": s.Name,
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
2018-10-29 21:39:04 +00:00
f.EnsureIngress(ing)
2017-11-12 16:52:55 +00:00
2018-10-29 21:39:04 +00:00
f.WaitForNginxServer(host,
2017-11-12 16:52:55 +00:00
func(server string) bool {
return strings.Contains(server, "server_name auth")
2017-11-12 16:52:55 +00:00
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithBasicAuth("foo", "bar").
Expect().
Status(http.StatusUnauthorized)
2017-11-12 16:52:55 +00:00
})
2018-07-19 13:37:28 +00:00
ginkgo.It(`should set snippet "proxy_set_header My-Custom-Header 42;" when external auth is configured`, func() {
host := "auth"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password",
"nginx.ingress.kubernetes.io/auth-snippet": `
proxy_set_header My-Custom-Header 42;`,
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, `proxy_set_header My-Custom-Header 42;`)
})
})
ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() {
host := "auth"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-snippet": `
proxy_set_header My-Custom-Header 42;`,
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host,
func(server string) bool {
return !strings.Contains(server, `proxy_set_header My-Custom-Header 42;`)
})
})
ginkgo.It(`should set "proxy_set_header 'My-Custom-Header' '42';" when auth-headers are set`, func() {
host := "auth"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password",
"nginx.ingress.kubernetes.io/auth-proxy-set-headers": f.Namespace + "/auth-headers",
}
f.CreateConfigMap("auth-headers", map[string]string{
"My-Custom-Header": "42",
})
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, `proxy_set_header 'My-Custom-Header' '42';`)
})
})
ginkgo.It(`should set cache_key when external auth cache is configured`, func() {
host := "auth"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-url": "http://foo.bar/basic-auth/user/password",
"nginx.ingress.kubernetes.io/auth-cache-key": "foo",
"nginx.ingress.kubernetes.io/auth-cache-duration": "200 202 401 30m",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
cacheRegex := regexp.MustCompile(`\$cache_key.*foo`)
f.WaitForNginxServer(host,
func(server string) bool {
return cacheRegex.MatchString(server) &&
strings.Contains(server, `proxy_cache_valid 200 202 401 30m;`)
})
})
ginkgo.Context("cookie set by external authentication server", func() {
2020-11-12 22:36:48 +00:00
host := "auth-check-cookies"
var annotations map[string]string
var ing1, ing2 *networking.Ingress
2020-11-12 22:36:48 +00:00
cfg := `#
events {
worker_connections 1024;
multi_accept on;
}
2020-11-12 22:36:48 +00:00
http {
default_type 'text/plain';
client_max_body_size 0;
2020-11-12 22:36:48 +00:00
server {
access_log on;
access_log /dev/stdout;
listen 80;
location ~ ^/cookies/set/(?<key>.*)/(?<value>.*) {
content_by_lua_block {
ngx.header['Set-Cookie'] = {ngx.var.key.."="..ngx.var.value}
ngx.say("OK")
}
}
location / {
return 200;
}
location /error {
return 503;
}
2020-11-12 22:36:48 +00:00
}
}
`
ginkgo.BeforeEach(func() {
f.NGINXWithConfigDeployment("http-cookie-with-error", cfg)
2020-11-12 22:36:48 +00:00
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), "http-cookie-with-error", metav1.GetOptions{})
assert.Nil(ginkgo.GinkgoT(), err)
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint")
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint")
httpbinIP := e.Subsets[0].Addresses[0].IP
annotations = map[string]string{
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/cookies/set/alma/armud", httpbinIP),
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
}
ing1 = framework.NewSingleIngress(host, "/", host, f.Namespace, "http-cookie-with-error", 80, annotations)
f.EnsureIngress(ing1)
ing2 = framework.NewSingleIngress(host+"-error", "/error", host, f.Namespace, "http-cookie-with-error", 80, annotations)
f.EnsureIngress(ing2)
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "server_name "+host)
})
})
ginkgo.It("user retains cookie by default", func() {
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithQuery("a", "b").
WithQuery("c", "d").
Expect().
Status(http.StatusOK).
Header("Set-Cookie").Contains("alma=armud")
})
ginkgo.It("user does not retain cookie if upstream returns error status code", func() {
f.HTTPTestClient().
GET("/error").
WithHeader("Host", host).
WithQuery("a", "b").
WithQuery("c", "d").
Expect().
Status(http.StatusServiceUnavailable).
Header("Set-Cookie").Contains("")
})
ginkgo.It("user with annotated ingress retains cookie if upstream returns error status code", func() {
annotations["nginx.ingress.kubernetes.io/auth-always-set-cookie"] = "true"
f.UpdateIngress(ing1)
f.UpdateIngress(ing2)
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "server_name "+host)
})
f.HTTPTestClient().
GET("/error").
WithHeader("Host", host).
WithQuery("a", "b").
WithQuery("c", "d").
Expect().
Status(http.StatusServiceUnavailable).
Header("Set-Cookie").Contains("alma=armud")
})
})
ginkgo.Context("when external authentication is configured", func() {
2018-07-19 13:37:28 +00:00
host := "auth"
var annotations map[string]string
var ing *networking.Ingress
2018-07-19 13:37:28 +00:00
ginkgo.BeforeEach(func() {
2018-10-29 21:39:04 +00:00
f.NewHttpbinDeployment()
2018-07-19 13:37:28 +00:00
err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
assert.Nil(ginkgo.GinkgoT(), err)
2018-07-19 13:37:28 +00:00
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
assert.Nil(ginkgo.GinkgoT(), err)
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint")
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint")
httpbinIP := e.Subsets[0].Addresses[0].IP
annotations = map[string]string{
2018-07-19 13:37:28 +00:00
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
}
ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
2018-10-29 21:39:04 +00:00
f.EnsureIngress(ing)
2018-10-29 21:39:04 +00:00
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "server_name auth")
2018-07-19 13:37:28 +00:00
})
})
ginkgo.It("should return status code 200 when signed in", func() {
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK)
2018-07-19 13:37:28 +00:00
})
ginkgo.It("should redirect to signin url when not signed in", func() {
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithQuery("a", "b").
WithQuery("c", "d").
Expect().
Status(http.StatusFound).
Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d")))
2018-07-19 13:37:28 +00:00
})
ginkgo.It("keeps processing new ingresses even if one of the existing ingresses is misconfigured", func() {
annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something"
annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
f.UpdateIngress(ing)
anotherHost := "different"
anotherAnnotations := map[string]string{}
anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations)
f.EnsureIngress(anotherIng)
f.WaitForNginxServer(anotherHost,
func(server string) bool {
return strings.Contains(server, "server_name "+anotherHost)
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", anotherHost).
Expect().
Status(http.StatusOK)
})
ginkgo.It("should overwrite Foo header with auth response", func() {
var (
rewriteHeader = "Foo"
rewriteVal = "bar"
)
annotations["nginx.ingress.kubernetes.io/auth-response-headers"] = rewriteHeader
f.UpdateIngress(ing)
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, fmt.Sprintf("proxy_set_header '%s' $authHeader0;", rewriteHeader))
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader(rewriteHeader, rewriteVal).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK).
Body().
NotContainsFold(fmt.Sprintf("%s=%s", rewriteHeader, rewriteVal))
})
ginkgo.It(`should not create additional upstream block when auth-keepalive is not set`, func() {
f.UpdateNginxConfigMapData("use-http2", "false")
defer func() {
f.UpdateNginxConfigMapData("use-http2", "true")
}()
// Sleep a while just to guarantee that the configmap is applied
framework.Sleep()
annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path"
f.UpdateIngress(ing)
f.WaitForNginxServer("",
func(server string) bool {
return strings.Contains(server, "http://foo.bar.baz:5000/path") &&
!strings.Contains(server, `upstream auth-external-auth`)
})
})
ginkgo.It(`should not create additional upstream block when host part of auth-url contains a variable`, func() {
f.UpdateNginxConfigMapData("use-http2", "false")
defer func() {
f.UpdateNginxConfigMapData("use-http2", "true")
}()
// Sleep a while just to guarantee that the configmap is applied
framework.Sleep()
annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://$host/path"
annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "123"
f.UpdateIngress(ing)
f.WaitForNginxServer("",
func(server string) bool {
return strings.Contains(server, "http://$host/path") &&
!strings.Contains(server, `upstream auth-external-auth`) &&
!strings.Contains(server, `keepalive 123;`)
})
})
ginkgo.It(`should not create additional upstream block when auth-keepalive is negative`, func() {
f.UpdateNginxConfigMapData("use-http2", "false")
defer func() {
f.UpdateNginxConfigMapData("use-http2", "true")
}()
// Sleep a while just to guarantee that the configmap is applied
framework.Sleep()
annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path"
annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "-1"
f.UpdateIngress(ing)
f.WaitForNginxServer("",
func(server string) bool {
return strings.Contains(server, "http://foo.bar.baz:5000/path") &&
!strings.Contains(server, `upstream auth-external-auth`)
})
})
ginkgo.It(`should not create additional upstream block when auth-keepalive is set with HTTP/2`, func() {
annotations["nginx.ingress.kubernetes.io/auth-url"] = "http://foo.bar.baz:5000/path"
annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "123"
annotations["nginx.ingress.kubernetes.io/auth-keepalive-requests"] = "456"
annotations["nginx.ingress.kubernetes.io/auth-keepalive-timeout"] = "789"
f.UpdateIngress(ing)
f.WaitForNginxServer("",
func(server string) bool {
return strings.Contains(server, "http://foo.bar.baz:5000/path") &&
!strings.Contains(server, `upstream auth-external-auth`)
})
})
ginkgo.It(`should create additional upstream block when auth-keepalive is set with HTTP/1.x`, func() {
f.UpdateNginxConfigMapData("use-http2", "false")
defer func() {
f.UpdateNginxConfigMapData("use-http2", "true")
}()
// Sleep a while just to guarantee that the configmap is applied
framework.Sleep()
annotations["nginx.ingress.kubernetes.io/auth-keepalive"] = "123"
annotations["nginx.ingress.kubernetes.io/auth-keepalive-requests"] = "456"
annotations["nginx.ingress.kubernetes.io/auth-keepalive-timeout"] = "789"
f.UpdateIngress(ing)
f.WaitForNginxServer("",
func(server string) bool {
return strings.Contains(server, `upstream auth-external-auth`) &&
strings.Contains(server, `keepalive 123;`) &&
strings.Contains(server, `keepalive_requests 456;`) &&
strings.Contains(server, `keepalive_timeout 789s;`)
})
})
})
ginkgo.Context("when external authentication is configured with a custom redirect param", func() {
host := "auth"
var annotations map[string]string
var ing *networking.Ingress
ginkgo.BeforeEach(func() {
f.NewHttpbinDeployment()
var httpbinIP string
err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
assert.Nil(ginkgo.GinkgoT(), err)
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
assert.Nil(ginkgo.GinkgoT(), err)
httpbinIP = e.Subsets[0].Addresses[0].IP
annotations = map[string]string{
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
"nginx.ingress.kubernetes.io/auth-signin-redirect-param": "orig",
}
ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "server_name auth")
})
})
ginkgo.It("should return status code 200 when signed in", func() {
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK)
})
ginkgo.It("should redirect to signin url when not signed in", func() {
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithQuery("a", "b").
WithQuery("c", "d").
Expect().
Status(http.StatusFound).
Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?orig=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d")))
})
ginkgo.It("keeps processing new ingresses even if one of the existing ingresses is misconfigured", func() {
annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something"
annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
f.UpdateIngress(ing)
anotherHost := "different"
anotherAnnotations := map[string]string{}
anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations)
f.EnsureIngress(anotherIng)
f.WaitForNginxServer(anotherHost,
func(server string) bool {
return strings.Contains(server, "server_name "+anotherHost)
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", anotherHost).
Expect().
Status(http.StatusOK)
})
2018-07-19 13:37:28 +00:00
})
ginkgo.Context("when external authentication with caching is configured", func() {
thisHost := "auth"
thatHost := "different"
fooPath := "/foo"
barPath := "/bar"
ginkgo.BeforeEach(func() {
f.NewHttpbinDeployment()
err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
assert.Nil(ginkgo.GinkgoT(), err)
2020-08-09 12:13:24 +00:00
framework.Sleep(1 * time.Second)
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
assert.Nil(ginkgo.GinkgoT(), err)
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets), 1, "expected at least one endpoint")
assert.GreaterOrEqual(ginkgo.GinkgoT(), len(e.Subsets[0].Addresses), 1, "expected at least one address ready in the endpoint")
httpbinIP := e.Subsets[0].Addresses[0].IP
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
"nginx.ingress.kubernetes.io/auth-cache-key": "fixed",
"nginx.ingress.kubernetes.io/auth-cache-duration": "200 201 401 30m",
}
for _, host := range []string{thisHost, thatHost} {
ginkgo.By("Adding an ingress rule for /foo")
fooIng := framework.NewSingleIngress(fmt.Sprintf("foo-%s-ing", host), fooPath, host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(fooIng)
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "location /foo")
})
ginkgo.By("Adding an ingress rule for /bar")
barIng := framework.NewSingleIngress(fmt.Sprintf("bar-%s-ing", host), barPath, host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(barIng)
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "location /bar")
})
}
framework.Sleep()
})
ginkgo.It("should return status code 200 when signed in after auth backend is deleted ", func() {
f.HTTPTestClient().
GET(fooPath).
WithHeader("Host", thisHost).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK)
err := f.DeleteDeployment(framework.HTTPBinService)
assert.Nil(ginkgo.GinkgoT(), err)
framework.Sleep()
f.HTTPTestClient().
GET(fooPath).
WithHeader("Host", thisHost).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK)
})
ginkgo.It("should deny login for different location on same server", func() {
f.HTTPTestClient().
GET(fooPath).
WithHeader("Host", thisHost).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK)
err := f.DeleteDeployment(framework.HTTPBinService)
assert.Nil(ginkgo.GinkgoT(), err)
framework.Sleep()
f.HTTPTestClient().
GET(fooPath).
WithHeader("Host", thisHost).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK)
ginkgo.By("receiving an internal server error without cache on location /bar")
f.HTTPTestClient().
GET(barPath).
WithHeader("Host", thisHost).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusInternalServerError)
})
ginkgo.It("should deny login for different servers", func() {
ginkgo.By("logging into server thisHost /foo")
f.HTTPTestClient().
GET(fooPath).
WithHeader("Host", thisHost).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK)
err := f.DeleteDeployment(framework.HTTPBinService)
assert.Nil(ginkgo.GinkgoT(), err)
framework.Sleep()
ginkgo.By("receiving an internal server error without cache on thisHost location /bar")
f.HTTPTestClient().
GET(fooPath).
WithHeader("Host", thisHost).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusOK)
f.HTTPTestClient().
GET(fooPath).
WithHeader("Host", thatHost).
WithBasicAuth("user", "password").
Expect().
Status(http.StatusInternalServerError)
})
ginkgo.It("should redirect to signin url when not signed in", func() {
f.HTTPTestClient().
GET("/").
WithHeader("Host", thisHost).
WithQuery("a", "b").
WithQuery("c", "d").
Expect().
Status(http.StatusFound).
Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", thisHost, thisHost, url.QueryEscape("/?a=b&c=d")))
})
})
ginkgo.Context("with invalid auth-url should deny whole location", func() {
host := "auth"
var annotations map[string]string
var ing *networking.Ingress
ginkgo.BeforeEach(func() {
annotations = map[string]string{
"nginx.ingress.kubernetes.io/auth-url": "https://invalid..auth.url",
}
ing = framework.NewSingleIngress(host, "/denied-auth", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "server_name auth")
})
})
ginkgo.It("should return 503 (location was denied)", func() {
f.HTTPTestClient().
GET("/denied-auth").
WithHeader("Host", host).
Expect().
Status(http.StatusServiceUnavailable)
})
ginkgo.It("should add error to the config", func() {
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "could not parse auth-url annotation: invalid url host")
})
})
})
2017-11-12 16:52:55 +00:00
})
// TODO: test Digest Auth
2017-11-10 02:00:38 +00:00
// 401
// Realm name
// Auth ok
// Auth error
2017-11-12 16:52:55 +00:00
func buildSecret(username, password, name, namespace string) *corev1.Secret {
out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput()
encpass := fmt.Sprintf("%v:%s\n", username, out)
assert.Nil(ginkgo.GinkgoT(), err)
2017-11-12 16:52:55 +00:00
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
DeletionGracePeriodSeconds: framework.NewInt64(1),
},
Data: map[string][]byte{
"auth": []byte(encpass),
},
Type: corev1.SecretTypeOpaque,
}
}
func buildMapSecret(username, password, name, namespace string) *corev1.Secret {
out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput()
assert.Nil(ginkgo.GinkgoT(), err)
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
DeletionGracePeriodSeconds: framework.NewInt64(1),
},
Data: map[string][]byte{
username: []byte(out),
},
Type: corev1.SecretTypeOpaque,
}
}