2016-05-25 21:04:34 +00:00
|
|
|
/*
|
2016-09-08 11:02:39 +00:00
|
|
|
Copyright 2015 The Kubernetes Authors.
|
2016-05-25 21:04:34 +00:00
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
2016-08-07 22:53:08 +00:00
|
|
|
package template
|
2016-05-25 21:04:34 +00:00
|
|
|
|
|
|
|
|
import (
|
2016-11-16 18:24:26 +00:00
|
|
|
"encoding/json"
|
2017-08-19 21:13:02 +00:00
|
|
|
"io/ioutil"
|
2017-09-17 18:42:31 +00:00
|
|
|
"net"
|
2016-11-16 18:24:26 +00:00
|
|
|
"os"
|
|
|
|
|
"path"
|
2017-02-04 00:43:15 +00:00
|
|
|
"reflect"
|
2017-04-02 14:07:07 +00:00
|
|
|
"strings"
|
2016-05-25 21:04:34 +00:00
|
|
|
"testing"
|
|
|
|
|
|
2018-01-28 00:32:08 +00:00
|
|
|
"encoding/base64"
|
|
|
|
|
"fmt"
|
2018-02-02 19:53:28 +00:00
|
|
|
|
2017-11-22 13:40:54 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/file"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/authreq"
|
2018-04-08 20:37:13 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/luarestywaf"
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/rewrite"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress/controller/config"
|
2016-05-25 21:04:34 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
2018-03-18 13:13:41 +00:00
|
|
|
// TODO: add tests for SSLPassthrough
|
2016-05-25 21:04:34 +00:00
|
|
|
tmplFuncTestcases = map[string]struct {
|
2018-03-18 13:13:41 +00:00
|
|
|
Path string
|
|
|
|
|
Target string
|
|
|
|
|
Location string
|
|
|
|
|
ProxyPass string
|
|
|
|
|
AddBaseURL bool
|
|
|
|
|
BaseURLScheme string
|
|
|
|
|
Sticky bool
|
|
|
|
|
XForwardedPrefix bool
|
|
|
|
|
DynamicConfigurationEnabled bool
|
|
|
|
|
SecureBackend bool
|
2016-05-25 21:04:34 +00:00
|
|
|
}{
|
2018-03-18 13:13:41 +00:00
|
|
|
"when secure backend enabled": {
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"proxy_pass https://upstream-name;",
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
true},
|
|
|
|
|
"when secure backend and stickeness enabled": {
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"proxy_pass https://sticky-upstream-name;",
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
true,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
true},
|
|
|
|
|
"when secure backend and dynamic config enabled": {
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"proxy_pass https://upstream_balancer;",
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
true,
|
|
|
|
|
true},
|
|
|
|
|
"when secure backend, stickeness and dynamic config enabled": {
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"proxy_pass https://upstream_balancer;",
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
true,
|
|
|
|
|
false,
|
|
|
|
|
true,
|
|
|
|
|
true},
|
|
|
|
|
"invalid redirect / to / with dynamic config enabled": {
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"proxy_pass http://upstream_balancer;",
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
true,
|
|
|
|
|
false},
|
|
|
|
|
"invalid redirect / to /": {
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"/",
|
|
|
|
|
"proxy_pass http://upstream-name;",
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect / to /jenkins": {
|
|
|
|
|
"/",
|
|
|
|
|
"/jenkins",
|
|
|
|
|
"~* /",
|
2016-05-27 14:58:13 +00:00
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /(.*) /jenkins/$1 break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect /something to /": {
|
|
|
|
|
"/something",
|
|
|
|
|
"/",
|
|
|
|
|
`~* ^/something\/?(?<baseuri>.*)`,
|
|
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /something/(.*) /$1 break;
|
|
|
|
|
rewrite /something / break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect /end-with-slash/ to /not-root": {
|
|
|
|
|
"/end-with-slash/",
|
|
|
|
|
"/not-root",
|
|
|
|
|
"~* ^/end-with-slash/(?<baseuri>.*)",
|
|
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /end-with-slash/(.*) /not-root/$1 break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect /something-complex to /not-root": {
|
|
|
|
|
"/something-complex",
|
|
|
|
|
"/not-root",
|
|
|
|
|
`~* ^/something-complex\/?(?<baseuri>.*)`,
|
|
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /something-complex/(.*) /not-root/$1 break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
false,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect / to /jenkins and rewrite": {
|
|
|
|
|
"/",
|
|
|
|
|
"/jenkins",
|
|
|
|
|
"~* /",
|
|
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /(.*) /jenkins/$1 break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2017-09-27 21:48:52 +00:00
|
|
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/$baseuri">' ro;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
true,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect /something to / and rewrite": {
|
|
|
|
|
"/something",
|
|
|
|
|
"/",
|
|
|
|
|
`~* ^/something\/?(?<baseuri>.*)`,
|
|
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /something/(.*) /$1 break;
|
|
|
|
|
rewrite /something / break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2017-09-27 21:48:52 +00:00
|
|
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something/$baseuri">' ro;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
true,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect /end-with-slash/ to /not-root and rewrite": {
|
|
|
|
|
"/end-with-slash/",
|
|
|
|
|
"/not-root",
|
|
|
|
|
`~* ^/end-with-slash/(?<baseuri>.*)`,
|
|
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /end-with-slash/(.*) /not-root/$1 break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2017-09-27 21:48:52 +00:00
|
|
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/end-with-slash/$baseuri">' ro;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
true,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect /something-complex to /not-root and rewrite": {
|
|
|
|
|
"/something-complex",
|
|
|
|
|
"/not-root",
|
|
|
|
|
`~* ^/something-complex\/?(?<baseuri>.*)`,
|
|
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /something-complex/(.*) /not-root/$1 break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2017-09-27 21:48:52 +00:00
|
|
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="$scheme://$http_host/something-complex/$baseuri">' ro;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
true,
|
|
|
|
|
"",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect /something to / and rewrite with specific scheme": {
|
|
|
|
|
"/something",
|
|
|
|
|
"/",
|
|
|
|
|
`~* ^/something\/?(?<baseuri>.*)`,
|
|
|
|
|
`
|
2017-08-31 06:58:01 +00:00
|
|
|
rewrite /something/(.*) /$1 break;
|
|
|
|
|
rewrite /something / break;
|
|
|
|
|
proxy_pass http://upstream-name;
|
2017-09-27 21:48:52 +00:00
|
|
|
subs_filter '(<(?:H|h)(?:E|e)(?:A|a)(?:D|d)(?:[^">]|"[^"]*")*>)' '$1<base href="http://$http_host/something/$baseuri">' ro;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
true,
|
|
|
|
|
"http",
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect / to /something with sticky enabled": {
|
|
|
|
|
"/",
|
|
|
|
|
"/something",
|
|
|
|
|
`~* /`,
|
|
|
|
|
`
|
2017-08-23 16:11:33 +00:00
|
|
|
rewrite /(.*) /something/$1 break;
|
|
|
|
|
proxy_pass http://sticky-upstream-name;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
false,
|
|
|
|
|
"http",
|
|
|
|
|
true,
|
|
|
|
|
false,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
|
|
|
|
"redirect / to /something with sticky and dynamic config enabled": {
|
|
|
|
|
"/",
|
|
|
|
|
"/something",
|
|
|
|
|
`~* /`,
|
|
|
|
|
`
|
|
|
|
|
rewrite /(.*) /something/$1 break;
|
|
|
|
|
proxy_pass http://upstream_balancer;
|
|
|
|
|
`,
|
|
|
|
|
false,
|
|
|
|
|
"http",
|
|
|
|
|
true,
|
|
|
|
|
false,
|
|
|
|
|
true,
|
|
|
|
|
false},
|
|
|
|
|
"add the X-Forwarded-Prefix header": {
|
|
|
|
|
"/there",
|
|
|
|
|
"/something",
|
|
|
|
|
`~* ^/there\/?(?<baseuri>.*)`,
|
|
|
|
|
`
|
2017-12-06 20:11:18 +00:00
|
|
|
rewrite /there/(.*) /something/$1 break;
|
|
|
|
|
proxy_set_header X-Forwarded-Prefix "/there/";
|
|
|
|
|
proxy_pass http://sticky-upstream-name;
|
2018-03-18 13:13:41 +00:00
|
|
|
`,
|
|
|
|
|
false,
|
|
|
|
|
"http",
|
|
|
|
|
true,
|
|
|
|
|
true,
|
|
|
|
|
false,
|
|
|
|
|
false},
|
2016-05-25 21:04:34 +00:00
|
|
|
}
|
|
|
|
|
)
|
|
|
|
|
|
2018-04-08 20:37:13 +00:00
|
|
|
func TestBuildLuaSharedDictionaries(t *testing.T) {
|
|
|
|
|
servers := []*ingress.Server{
|
|
|
|
|
{
|
|
|
|
|
Hostname: "foo.bar",
|
|
|
|
|
Locations: []*ingress.Location{{Path: "/", LuaRestyWAF: luarestywaf.Config{}}},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
Hostname: "another.host",
|
|
|
|
|
Locations: []*ingress.Location{{Path: "/", LuaRestyWAF: luarestywaf.Config{}}},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config := buildLuaSharedDictionaries(servers, false, false)
|
|
|
|
|
if config != "" {
|
|
|
|
|
t.Errorf("expected to not configure any lua shared dictionary, but generated %s", config)
|
|
|
|
|
}
|
|
|
|
|
config = buildLuaSharedDictionaries(servers, true, false)
|
|
|
|
|
if !strings.Contains(config, "lua_shared_dict configuration_data") {
|
|
|
|
|
t.Errorf("expected to include 'configuration_data' but got %s", config)
|
|
|
|
|
}
|
|
|
|
|
if strings.Contains(config, "waf_storage") {
|
|
|
|
|
t.Errorf("expected to not include 'waf_storage' but got %s", config)
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-09 12:19:13 +00:00
|
|
|
servers[1].Locations[0].LuaRestyWAF = luarestywaf.Config{Mode: "ACTIVE"}
|
2018-04-08 20:37:13 +00:00
|
|
|
config = buildLuaSharedDictionaries(servers, false, false)
|
|
|
|
|
if !strings.Contains(config, "lua_shared_dict waf_storage") {
|
|
|
|
|
t.Errorf("expected to configure 'waf_storage', but got %s", config)
|
|
|
|
|
}
|
|
|
|
|
config = buildLuaSharedDictionaries(servers, true, false)
|
|
|
|
|
if !strings.Contains(config, "lua_shared_dict waf_storage") {
|
|
|
|
|
t.Errorf("expected to configure 'waf_storage', but got %s", config)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config = buildLuaSharedDictionaries(servers, false, true)
|
|
|
|
|
if config != "" {
|
|
|
|
|
t.Errorf("expected to not configure any lua shared dictionary, but generated %s", config)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-09 03:11:00 +00:00
|
|
|
func TestFormatIP(t *testing.T) {
|
|
|
|
|
cases := map[string]struct {
|
|
|
|
|
Input, Output string
|
|
|
|
|
}{
|
|
|
|
|
"ipv4-localhost": {"127.0.0.1", "127.0.0.1"},
|
|
|
|
|
"ipv4-internet": {"8.8.8.8", "8.8.8.8"},
|
|
|
|
|
"ipv6-localhost": {"::1", "[::1]"},
|
|
|
|
|
"ipv6-internet": {"2001:4860:4860::8888", "[2001:4860:4860::8888]"},
|
|
|
|
|
"invalid-ip": {"nonsense", "nonsense"},
|
|
|
|
|
"empty-ip": {"", ""},
|
|
|
|
|
}
|
|
|
|
|
for k, tc := range cases {
|
|
|
|
|
res := formatIP(tc.Input)
|
|
|
|
|
if res != tc.Output {
|
|
|
|
|
t.Errorf("%s: called formatIp('%s'); expected '%v' but returned '%v'", k, tc.Input, tc.Output, res)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-25 21:04:34 +00:00
|
|
|
func TestBuildLocation(t *testing.T) {
|
|
|
|
|
for k, tc := range tmplFuncTestcases {
|
2016-08-07 22:53:08 +00:00
|
|
|
loc := &ingress.Location{
|
2017-08-19 21:13:02 +00:00
|
|
|
Path: tc.Path,
|
2017-11-07 16:36:51 +00:00
|
|
|
Rewrite: rewrite.Config{Target: tc.Target, AddBaseURL: tc.AddBaseURL},
|
2016-05-25 21:04:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newLoc := buildLocation(loc)
|
|
|
|
|
if tc.Location != newLoc {
|
2016-05-27 14:58:13 +00:00
|
|
|
t.Errorf("%s: expected '%v' but returned %v", k, tc.Location, newLoc)
|
2016-05-25 21:04:34 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestBuildProxyPass(t *testing.T) {
|
2017-08-23 16:11:33 +00:00
|
|
|
defaultBackend := "upstream-name"
|
|
|
|
|
defaultHost := "example.com"
|
|
|
|
|
|
2016-05-25 21:04:34 +00:00
|
|
|
for k, tc := range tmplFuncTestcases {
|
2016-08-07 22:53:08 +00:00
|
|
|
loc := &ingress.Location{
|
2017-12-06 20:11:18 +00:00
|
|
|
Path: tc.Path,
|
|
|
|
|
Rewrite: rewrite.Config{Target: tc.Target, AddBaseURL: tc.AddBaseURL, BaseURLScheme: tc.BaseURLScheme},
|
|
|
|
|
Backend: defaultBackend,
|
|
|
|
|
XForwardedPrefix: tc.XForwardedPrefix,
|
2017-08-23 16:11:33 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-18 13:13:41 +00:00
|
|
|
backend := &ingress.Backend{
|
|
|
|
|
Name: defaultBackend,
|
|
|
|
|
Secure: tc.SecureBackend,
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-23 16:11:33 +00:00
|
|
|
if tc.Sticky {
|
2018-03-18 13:13:41 +00:00
|
|
|
backend.SessionAffinity = ingress.SessionAffinityConfig{
|
|
|
|
|
AffinityType: "cookie",
|
|
|
|
|
CookieSessionAffinity: ingress.CookieSessionAffinity{
|
|
|
|
|
Locations: map[string][]string{
|
|
|
|
|
defaultHost: {tc.Path},
|
2017-08-23 16:11:33 +00:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
2016-05-25 21:04:34 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-18 13:13:41 +00:00
|
|
|
backends := []*ingress.Backend{backend}
|
|
|
|
|
|
|
|
|
|
pp := buildProxyPass(defaultHost, backends, loc, tc.DynamicConfigurationEnabled)
|
2016-05-27 14:58:13 +00:00
|
|
|
if !strings.EqualFold(tc.ProxyPass, pp) {
|
|
|
|
|
t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, tc.ProxyPass, pp)
|
2016-05-25 21:04:34 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-11-16 18:24:26 +00:00
|
|
|
|
2018-01-28 00:32:08 +00:00
|
|
|
func TestBuildAuthLocation(t *testing.T) {
|
|
|
|
|
authURL := "foo.com/auth"
|
|
|
|
|
|
|
|
|
|
loc := &ingress.Location{
|
|
|
|
|
ExternalAuth: authreq.Config{
|
|
|
|
|
URL: authURL,
|
|
|
|
|
},
|
|
|
|
|
Path: "/cat",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
str := buildAuthLocation(loc)
|
|
|
|
|
|
|
|
|
|
encodedAuthURL := strings.Replace(base64.URLEncoding.EncodeToString([]byte(loc.Path)), "=", "", -1)
|
|
|
|
|
expected := fmt.Sprintf("/_external-auth-%v", encodedAuthURL)
|
|
|
|
|
|
|
|
|
|
if str != expected {
|
|
|
|
|
t.Errorf("Expected \n'%v'\nbut returned \n'%v'", expected, str)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-04 00:43:15 +00:00
|
|
|
func TestBuildAuthResponseHeaders(t *testing.T) {
|
|
|
|
|
loc := &ingress.Location{
|
2017-11-07 16:36:51 +00:00
|
|
|
ExternalAuth: authreq.Config{ResponseHeaders: []string{"h1", "H-With-Caps-And-Dashes"}},
|
2017-02-04 00:43:15 +00:00
|
|
|
}
|
|
|
|
|
headers := buildAuthResponseHeaders(loc)
|
|
|
|
|
expected := []string{
|
|
|
|
|
"auth_request_set $authHeader0 $upstream_http_h1;",
|
|
|
|
|
"proxy_set_header 'h1' $authHeader0;",
|
|
|
|
|
"auth_request_set $authHeader1 $upstream_http_h_with_caps_and_dashes;",
|
|
|
|
|
"proxy_set_header 'H-With-Caps-And-Dashes' $authHeader1;",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !reflect.DeepEqual(expected, headers) {
|
|
|
|
|
t.Errorf("Expected \n'%v'\nbut returned \n'%v'", expected, headers)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-11-16 18:24:26 +00:00
|
|
|
func TestTemplateWithData(t *testing.T) {
|
|
|
|
|
pwd, _ := os.Getwd()
|
2017-11-05 01:18:28 +00:00
|
|
|
f, err := os.Open(path.Join(pwd, "../../../../test/data/config.json"))
|
2016-11-16 18:24:26 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("unexpected error reading json file: %v", err)
|
|
|
|
|
}
|
|
|
|
|
defer f.Close()
|
|
|
|
|
data, err := ioutil.ReadFile(f.Name())
|
|
|
|
|
if err != nil {
|
|
|
|
|
t.Error("unexpected error reading json file: ", err)
|
|
|
|
|
}
|
|
|
|
|
var dat config.TemplateConfig
|
|
|
|
|
if err := json.Unmarshal(data, &dat); err != nil {
|
|
|
|
|
t.Errorf("unexpected error unmarshalling json: %v", err)
|
|
|
|
|
}
|
2017-08-24 13:33:26 +00:00
|
|
|
if dat.ListenPorts == nil {
|
|
|
|
|
dat.ListenPorts = &config.ListenPorts{}
|
|
|
|
|
}
|
2017-11-22 13:40:54 +00:00
|
|
|
|
|
|
|
|
fs, err := file.NewFakeFS()
|
2016-11-16 18:24:26 +00:00
|
|
|
if err != nil {
|
2017-11-22 13:40:54 +00:00
|
|
|
t.Fatalf("unexpected error: %v", err)
|
2016-11-16 18:24:26 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-22 13:40:54 +00:00
|
|
|
ngxTpl, err := NewTemplate("/etc/nginx/template/nginx.tmpl", fs)
|
2016-11-16 18:24:26 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("invalid NGINX template: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-20 02:34:05 +00:00
|
|
|
_, err = ngxTpl.Write(dat)
|
2016-11-16 18:24:26 +00:00
|
|
|
if err != nil {
|
|
|
|
|
t.Errorf("invalid NGINX template: %v", err)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func BenchmarkTemplateWithData(b *testing.B) {
|
|
|
|
|
pwd, _ := os.Getwd()
|
2017-11-05 01:18:28 +00:00
|
|
|
f, err := os.Open(path.Join(pwd, "../../../../test/data/config.json"))
|
2016-11-16 18:24:26 +00:00
|
|
|
if err != nil {
|
|
|
|
|
b.Errorf("unexpected error reading json file: %v", err)
|
|
|
|
|
}
|
|
|
|
|
defer f.Close()
|
|
|
|
|
data, err := ioutil.ReadFile(f.Name())
|
|
|
|
|
if err != nil {
|
|
|
|
|
b.Error("unexpected error reading json file: ", err)
|
|
|
|
|
}
|
|
|
|
|
var dat config.TemplateConfig
|
|
|
|
|
if err := json.Unmarshal(data, &dat); err != nil {
|
|
|
|
|
b.Errorf("unexpected error unmarshalling json: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-22 13:40:54 +00:00
|
|
|
fs, err := file.NewFakeFS()
|
2016-11-16 18:24:26 +00:00
|
|
|
if err != nil {
|
2017-11-22 13:40:54 +00:00
|
|
|
b.Fatalf("unexpected error: %v", err)
|
2016-11-16 18:24:26 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-22 13:40:54 +00:00
|
|
|
ngxTpl, err := NewTemplate("/etc/nginx/template/nginx.tmpl", fs)
|
2016-11-16 18:24:26 +00:00
|
|
|
if err != nil {
|
|
|
|
|
b.Errorf("invalid NGINX template: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for i := 0; i < b.N; i++ {
|
2017-02-20 02:34:05 +00:00
|
|
|
ngxTpl.Write(dat)
|
2016-11-16 18:24:26 +00:00
|
|
|
}
|
|
|
|
|
}
|
2017-06-02 03:30:22 +00:00
|
|
|
|
|
|
|
|
func TestBuildDenyVariable(t *testing.T) {
|
|
|
|
|
a := buildDenyVariable("host1.example.com_/.well-known/acme-challenge")
|
|
|
|
|
b := buildDenyVariable("host1.example.com_/.well-known/acme-challenge")
|
|
|
|
|
if !reflect.DeepEqual(a, b) {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", a, b)
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-08-23 04:57:35 +00:00
|
|
|
|
|
|
|
|
func TestBuildClientBodyBufferSize(t *testing.T) {
|
|
|
|
|
a := isValidClientBodyBufferSize("1000")
|
|
|
|
|
if a != true {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", true, a)
|
|
|
|
|
}
|
|
|
|
|
b := isValidClientBodyBufferSize("1000k")
|
|
|
|
|
if b != true {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", true, b)
|
|
|
|
|
}
|
|
|
|
|
c := isValidClientBodyBufferSize("1000m")
|
|
|
|
|
if c != true {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", true, c)
|
|
|
|
|
}
|
|
|
|
|
d := isValidClientBodyBufferSize("1000km")
|
|
|
|
|
if d != false {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", false, d)
|
|
|
|
|
}
|
|
|
|
|
e := isValidClientBodyBufferSize("1000mk")
|
|
|
|
|
if e != false {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", false, e)
|
|
|
|
|
}
|
|
|
|
|
f := isValidClientBodyBufferSize("1000kk")
|
|
|
|
|
if f != false {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", false, f)
|
|
|
|
|
}
|
|
|
|
|
g := isValidClientBodyBufferSize("1000mm")
|
|
|
|
|
if g != false {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", false, g)
|
|
|
|
|
}
|
|
|
|
|
h := isValidClientBodyBufferSize(nil)
|
|
|
|
|
if h != false {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", false, h)
|
|
|
|
|
}
|
|
|
|
|
i := isValidClientBodyBufferSize("")
|
|
|
|
|
if i != false {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", false, i)
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-09-09 05:10:38 +00:00
|
|
|
|
|
|
|
|
func TestIsLocationAllowed(t *testing.T) {
|
|
|
|
|
loc := ingress.Location{
|
|
|
|
|
Denied: nil,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
isAllowed := isLocationAllowed(&loc)
|
|
|
|
|
if !isAllowed {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", true, isAllowed)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestBuildForwardedFor(t *testing.T) {
|
|
|
|
|
inputStr := "X-Forwarded-For"
|
|
|
|
|
outputStr := buildForwardedFor(inputStr)
|
|
|
|
|
|
|
|
|
|
validStr := "$http_x_forwarded_for"
|
|
|
|
|
|
|
|
|
|
if outputStr != validStr {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", validStr, outputStr)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestBuildResolvers(t *testing.T) {
|
|
|
|
|
ipOne := net.ParseIP("192.0.0.1")
|
|
|
|
|
ipTwo := net.ParseIP("2001:db8:1234:0000:0000:0000:0000:0000")
|
|
|
|
|
ipList := []net.IP{ipOne, ipTwo}
|
|
|
|
|
|
|
|
|
|
validResolver := "resolver 192.0.0.1 [2001:db8:1234::] valid=30s;"
|
2018-02-02 19:53:28 +00:00
|
|
|
resolver := buildResolvers(ipList, false)
|
|
|
|
|
|
|
|
|
|
if resolver != validResolver {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
validResolver = "resolver 192.0.0.1 valid=30s ipv6=off;"
|
|
|
|
|
resolver = buildResolvers(ipList, true)
|
2017-09-09 05:10:38 +00:00
|
|
|
|
|
|
|
|
if resolver != validResolver {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", validResolver, resolver)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestBuildNextUpstream(t *testing.T) {
|
2017-10-10 10:18:45 +00:00
|
|
|
cases := map[string]struct {
|
|
|
|
|
NextUpstream string
|
|
|
|
|
NonIdempotent bool
|
|
|
|
|
Output string
|
|
|
|
|
}{
|
|
|
|
|
"default": {
|
|
|
|
|
"timeout http_500 http_502",
|
|
|
|
|
false,
|
|
|
|
|
"timeout http_500 http_502",
|
|
|
|
|
},
|
|
|
|
|
"global": {
|
|
|
|
|
"timeout http_500 http_502",
|
|
|
|
|
true,
|
|
|
|
|
"timeout http_500 http_502 non_idempotent",
|
|
|
|
|
},
|
|
|
|
|
"local": {
|
|
|
|
|
"timeout http_500 http_502 non_idempotent",
|
|
|
|
|
false,
|
|
|
|
|
"timeout http_500 http_502 non_idempotent",
|
|
|
|
|
},
|
|
|
|
|
}
|
2017-09-09 05:10:38 +00:00
|
|
|
|
2017-10-10 10:18:45 +00:00
|
|
|
for k, tc := range cases {
|
|
|
|
|
nextUpstream := buildNextUpstream(tc.NextUpstream, tc.NonIdempotent)
|
|
|
|
|
if nextUpstream != tc.Output {
|
|
|
|
|
t.Errorf(
|
|
|
|
|
"%s: called buildNextUpstream('%s', %v); expected '%v' but returned '%v'",
|
|
|
|
|
k,
|
|
|
|
|
tc.NextUpstream,
|
|
|
|
|
tc.NonIdempotent,
|
|
|
|
|
tc.Output,
|
|
|
|
|
nextUpstream,
|
|
|
|
|
)
|
|
|
|
|
}
|
2017-09-09 05:10:38 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestBuildRateLimit(t *testing.T) {
|
2017-10-01 00:48:14 +00:00
|
|
|
loc := &ingress.Location{}
|
2017-09-09 05:10:38 +00:00
|
|
|
|
|
|
|
|
loc.RateLimit.Connections.Name = "con"
|
|
|
|
|
loc.RateLimit.Connections.Limit = 1
|
|
|
|
|
|
|
|
|
|
loc.RateLimit.RPS.Name = "rps"
|
|
|
|
|
loc.RateLimit.RPS.Limit = 1
|
|
|
|
|
loc.RateLimit.RPS.Burst = 1
|
|
|
|
|
|
|
|
|
|
loc.RateLimit.RPM.Name = "rpm"
|
|
|
|
|
loc.RateLimit.RPM.Limit = 2
|
|
|
|
|
loc.RateLimit.RPM.Burst = 2
|
|
|
|
|
|
|
|
|
|
loc.RateLimit.LimitRateAfter = 1
|
|
|
|
|
loc.RateLimit.LimitRate = 1
|
|
|
|
|
|
|
|
|
|
validLimits := []string{
|
|
|
|
|
"limit_conn con 1;",
|
|
|
|
|
"limit_req zone=rps burst=1 nodelay;",
|
|
|
|
|
"limit_req zone=rpm burst=2 nodelay;",
|
|
|
|
|
"limit_rate_after 1k;",
|
|
|
|
|
"limit_rate 1k;",
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
limits := buildRateLimit(loc)
|
|
|
|
|
|
|
|
|
|
for i, limit := range limits {
|
|
|
|
|
if limit != validLimits[i] {
|
|
|
|
|
t.Errorf("Expected '%v' but returned '%v'", validLimits, limits)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-10-05 04:55:42 +00:00
|
|
|
|
|
|
|
|
func TestBuildAuthSignURL(t *testing.T) {
|
|
|
|
|
cases := map[string]struct {
|
|
|
|
|
Input, Output string
|
|
|
|
|
}{
|
2017-10-25 20:41:49 +00:00
|
|
|
"default url": {"http://google.com", "http://google.com?rd=$pass_access_scheme://$http_host$request_uri"},
|
|
|
|
|
"with random field": {"http://google.com?cat=0", "http://google.com?cat=0&rd=$pass_access_scheme://$http_host$request_uri"},
|
2017-10-05 04:55:42 +00:00
|
|
|
"with rd field": {"http://google.com?cat&rd=$request", "http://google.com?cat&rd=$request"},
|
|
|
|
|
}
|
|
|
|
|
for k, tc := range cases {
|
|
|
|
|
res := buildAuthSignURL(tc.Input)
|
|
|
|
|
if res != tc.Output {
|
|
|
|
|
t.Errorf("%s: called buildAuthSignURL('%s'); expected '%v' but returned '%v'", k, tc.Input, tc.Output, res)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-03-18 20:44:59 +00:00
|
|
|
|
|
|
|
|
func TestIsLocationInLocationList(t *testing.T) {
|
|
|
|
|
|
|
|
|
|
testCases := []struct {
|
|
|
|
|
location *ingress.Location
|
|
|
|
|
rawLocationList string
|
|
|
|
|
expected bool
|
|
|
|
|
}{
|
|
|
|
|
{&ingress.Location{Path: "/match"}, "/match", true},
|
|
|
|
|
{&ingress.Location{Path: "/match"}, ",/match", true},
|
|
|
|
|
{&ingress.Location{Path: "/match"}, "/dontmatch", false},
|
|
|
|
|
{&ingress.Location{Path: "/match"}, ",/dontmatch", false},
|
|
|
|
|
{&ingress.Location{Path: "/match"}, "/dontmatch,/match", true},
|
|
|
|
|
{&ingress.Location{Path: "/match"}, "/dontmatch,/dontmatcheither", false},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, testCase := range testCases {
|
|
|
|
|
result := isLocationInLocationList(testCase.location, testCase.rawLocationList)
|
|
|
|
|
if result != testCase.expected {
|
|
|
|
|
t.Errorf(" expected %v but return %v, path: '%s', rawLocation: '%s'", testCase.expected, result, testCase.location.Path, testCase.rawLocationList)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-04-12 18:01:46 +00:00
|
|
|
|
|
|
|
|
func TestBuildUpstreamName(t *testing.T) {
|
|
|
|
|
defaultBackend := "upstream-name"
|
|
|
|
|
defaultHost := "example.com"
|
|
|
|
|
|
|
|
|
|
for k, tc := range tmplFuncTestcases {
|
|
|
|
|
loc := &ingress.Location{
|
|
|
|
|
Path: tc.Path,
|
|
|
|
|
Rewrite: rewrite.Config{Target: tc.Target, AddBaseURL: tc.AddBaseURL, BaseURLScheme: tc.BaseURLScheme},
|
|
|
|
|
Backend: defaultBackend,
|
|
|
|
|
XForwardedPrefix: tc.XForwardedPrefix,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
backend := &ingress.Backend{
|
|
|
|
|
Name: defaultBackend,
|
|
|
|
|
Secure: tc.SecureBackend,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
expected := defaultBackend
|
|
|
|
|
|
|
|
|
|
if tc.Sticky {
|
|
|
|
|
if !tc.DynamicConfigurationEnabled{
|
|
|
|
|
expected = fmt.Sprintf("sticky-" + expected)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
backend.SessionAffinity = ingress.SessionAffinityConfig{
|
|
|
|
|
AffinityType: "cookie",
|
|
|
|
|
CookieSessionAffinity: ingress.CookieSessionAffinity{
|
|
|
|
|
Locations: map[string][]string{
|
|
|
|
|
defaultHost: {tc.Path},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
backends := []*ingress.Backend{backend}
|
|
|
|
|
|
|
|
|
|
pp := buildUpstreamName(defaultHost, backends, loc, tc.DynamicConfigurationEnabled)
|
|
|
|
|
if !strings.EqualFold(expected, pp) {
|
|
|
|
|
t.Errorf("%s: expected \n'%v'\nbut returned \n'%v'", k, expected, pp)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
