ingress-nginx-helm/test/e2e/settings/tls.go

/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package settings

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strings"
	"time"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"
	"github.com/parnurzeal/gorequest"

	"k8s.io/ingress-nginx/test/e2e/framework"
)

func noRedirectPolicyFunc(gorequest.Request, []gorequest.Request) error {
	return http.ErrUseLastResponse
}

var _ = framework.IngressNginxDescribe("Settings - TLS)", func() {
	f := framework.NewDefaultFramework("settings-tls")
	host := "settings-tls"

	BeforeEach(func() {
		f.NewEchoDeployment()
		f.UpdateNginxConfigMapData("use-forwarded-headers", "false")
	})

	AfterEach(func() {
	})

	It("should configure TLS protocol", func() {
		sslCiphers := "ssl-ciphers"
		sslProtocols := "ssl-protocols"

		// Two ciphers supported by each of TLSv1.2 and TLSv1.
		// https://www.openssl.org/docs/man1.1.0/apps/ciphers.html - "CIPHER SUITE NAMES"
		testCiphers := "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA"

		ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
		tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
			ing.Spec.TLS[0].Hosts,
			ing.Spec.TLS[0].SecretName,
			ing.Namespace)
		Expect(err).NotTo(HaveOccurred())

		framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)

		By("setting cipher suite")
		f.UpdateNginxConfigMapData(sslCiphers, testCiphers)

		f.WaitForNginxConfiguration(
			func(cfg string) bool {
				return strings.Contains(cfg, fmt.Sprintf("ssl_ciphers '%s';", testCiphers))
			})

		resp, _, errs := gorequest.New().
			Get(f.GetURL(framework.HTTPS)).
			TLSClientConfig(tlsConfig).
			Set("Host", host).
			End()

		Expect(errs).Should(BeEmpty())
		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
		Expect(resp.TLS.Version).Should(BeNumerically("==", tls.VersionTLS12))
		Expect(resp.TLS.CipherSuite).Should(BeNumerically("==", tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384))

		By("enforcing TLS v1.0")
		f.UpdateNginxConfigMapData(sslProtocols, "TLSv1")

		f.WaitForNginxConfiguration(
			func(cfg string) bool {
				return strings.Contains(cfg, "ssl_protocols TLSv1;")
			})

		resp, _, errs = gorequest.New().
			Get(f.GetURL(framework.HTTPS)).
			TLSClientConfig(tlsConfig).
			Set("Host", host).
			End()

		Expect(errs).Should(BeEmpty())
		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
		Expect(resp.TLS.Version).Should(BeNumerically("==", tls.VersionTLS10))
		Expect(resp.TLS.CipherSuite).Should(BeNumerically("==", tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA))
	})

	It("should configure HSTS policy header", func() {
		hstsMaxAge := "hsts-max-age"
		hstsIncludeSubdomains := "hsts-include-subdomains"
		hstsPreload := "hsts-preload"

		ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
		tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
			ing.Spec.TLS[0].Hosts,
			ing.Spec.TLS[0].SecretName,
			ing.Namespace)
		Expect(err).NotTo(HaveOccurred())

		framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)

		By("setting max-age parameter")
		f.UpdateNginxConfigMapData(hstsMaxAge, "86400")

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "Strict-Transport-Security: max-age=86400; includeSubDomains\"")
			})

		resp, _, errs := gorequest.New().
			Get(f.GetURL(framework.HTTPS)).
			TLSClientConfig(tlsConfig).
			Set("Host", host).
			End()

		Expect(errs).Should(BeEmpty())
		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
		Expect(resp.Header.Get("Strict-Transport-Security")).Should(ContainSubstring("max-age=86400"))

		By("setting includeSubDomains parameter")
		f.UpdateNginxConfigMapData(hstsIncludeSubdomains, "false")

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "Strict-Transport-Security: max-age=86400\"")
			})

		resp, _, errs = gorequest.New().
			Get(f.GetURL(framework.HTTPS)).
			TLSClientConfig(tlsConfig).
			Set("Host", host).
			End()

		Expect(errs).Should(BeEmpty())
		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
		Expect(resp.Header.Get("Strict-Transport-Security")).ShouldNot(ContainSubstring("includeSubDomains"))

		By("setting preload parameter")
		f.UpdateNginxConfigMapData(hstsPreload, "true")

		f.WaitForNginxServer(host,
			func(server string) bool {
				return strings.Contains(server, "Strict-Transport-Security: max-age=86400; preload\"")
			})

		resp, _, errs = gorequest.New().
			Get(f.GetURL(framework.HTTPS)).
			TLSClientConfig(tlsConfig).
			Set("Host", host).
			End()

		Expect(errs).Should(BeEmpty())
		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
		Expect(resp.Header.Get("Strict-Transport-Security")).Should(ContainSubstring("preload"))
	})

	It("should not use ports during the HTTP to HTTPS redirection", func() {
		ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
		tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
			ing.Spec.TLS[0].Hosts,
			ing.Spec.TLS[0].SecretName,
			ing.Namespace)
		Expect(err).NotTo(HaveOccurred())

		framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)

		resp, _, errs := gorequest.New().
			Get(f.GetURL(framework.HTTP)).
			Retry(10, 1*time.Second, http.StatusNotFound).
			RedirectPolicy(noRedirectPolicyFunc).
			Set("Host", host).
			End()

		Expect(errs).Should(BeEmpty())
		Expect(resp.StatusCode).Should(Equal(http.StatusPermanentRedirect))
		Expect(resp.Header.Get("Location")).Should(Equal(fmt.Sprintf("https://%v/", host)))
	})

	It("should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection", func() {
		f.UpdateNginxConfigMapData("use-forwarded-headers", "true")

		ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
		tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,
			ing.Spec.TLS[0].Hosts,
			ing.Spec.TLS[0].SecretName,
			ing.Namespace)
		Expect(err).NotTo(HaveOccurred())

		framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)

		resp, _, errs := gorequest.New().
			Get(f.GetURL(framework.HTTP)).
			Retry(10, 1*time.Second, http.StatusNotFound).
			RedirectPolicy(noRedirectPolicyFunc).
			Set("Host", host).
			Set("X-Forwarded-Host", "example.com:80").
			End()

		Expect(errs).Should(BeEmpty())
		Expect(resp.StatusCode).Should(Equal(http.StatusPermanentRedirect))
		Expect(resp.Header.Get("Location")).Should(Equal("https://example.com/"))
	})
})
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`/*`
			`Copyright 2018 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package settings`

			`import (`
			`"crypto/tls"`
			`"fmt"`
			`"net/http"`
			`"strings"`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00			`"time"`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00
			`. "github.com/onsi/ginkgo"`
			`. "github.com/onsi/gomega"`
			`"github.com/parnurzeal/gorequest"`

			`"k8s.io/ingress-nginx/test/e2e/framework"`
			`)`

Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00			`func noRedirectPolicyFunc(gorequest.Request, []gorequest.Request) error {`
			`return http.ErrUseLastResponse`
			`}`

Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`var _ = framework.IngressNginxDescribe("Settings - TLS)", func() {`
			`f := framework.NewDefaultFramework("settings-tls")`
			`host := "settings-tls"`

			`BeforeEach(func() {`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.NewEchoDeployment()`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00			`f.UpdateNginxConfigMapData("use-forwarded-headers", "false")`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`})`

			`AfterEach(func() {`
			`})`

			`It("should configure TLS protocol", func() {`
			`sslCiphers := "ssl-ciphers"`
			`sslProtocols := "ssl-protocols"`

			`// Two ciphers supported by each of TLSv1.2 and TLSv1.`
			`// https://www.openssl.org/docs/man1.1.0/apps/ciphers.html - "CIPHER SUITE NAMES"`
			`testCiphers := "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA"`

Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))`
Refactor e2e tls helper 2019-01-09 19:13:17 +00:00			`tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,`
			`ing.Spec.TLS[0].Hosts,`
			`ing.Spec.TLS[0].SecretName,`
			`ing.Namespace)`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`Expect(err).NotTo(HaveOccurred())`

Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00
			`By("setting cipher suite")`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.UpdateNginxConfigMapData(sslCiphers, testCiphers)`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.WaitForNginxConfiguration(`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`func(cfg string) bool {`
			`return strings.Contains(cfg, fmt.Sprintf("ssl_ciphers '%s';", testCiphers))`
			`})`

			`resp, _, errs := gorequest.New().`
Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`Get(f.GetURL(framework.HTTPS)).`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`TLSClientConfig(tlsConfig).`
			`Set("Host", host).`
			`End()`

Refactor assertions 2018-11-18 13:53:05 +00:00			`Expect(errs).Should(BeEmpty())`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`Expect(resp.StatusCode).Should(Equal(http.StatusOK))`
			`Expect(resp.TLS.Version).Should(BeNumerically("==", tls.VersionTLS12))`
			`Expect(resp.TLS.CipherSuite).Should(BeNumerically("==", tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384))`

			`By("enforcing TLS v1.0")`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.UpdateNginxConfigMapData(sslProtocols, "TLSv1")`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.WaitForNginxConfiguration(`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`func(cfg string) bool {`
			`return strings.Contains(cfg, "ssl_protocols TLSv1;")`
			`})`

			`resp, _, errs = gorequest.New().`
Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`Get(f.GetURL(framework.HTTPS)).`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`TLSClientConfig(tlsConfig).`
			`Set("Host", host).`
			`End()`

Refactor assertions 2018-11-18 13:53:05 +00:00			`Expect(errs).Should(BeEmpty())`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`Expect(resp.StatusCode).Should(Equal(http.StatusOK))`
			`Expect(resp.TLS.Version).Should(BeNumerically("==", tls.VersionTLS10))`
			`Expect(resp.TLS.CipherSuite).Should(BeNumerically("==", tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA))`
			`})`

			`It("should configure HSTS policy header", func() {`
			`hstsMaxAge := "hsts-max-age"`
			`hstsIncludeSubdomains := "hsts-include-subdomains"`
			`hstsPreload := "hsts-preload"`

Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))`
Refactor e2e tls helper 2019-01-09 19:13:17 +00:00			`tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,`
			`ing.Spec.TLS[0].Hosts,`
			`ing.Spec.TLS[0].SecretName,`
			`ing.Namespace)`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`Expect(err).NotTo(HaveOccurred())`

Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00
			`By("setting max-age parameter")`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.UpdateNginxConfigMapData(hstsMaxAge, "86400")`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.WaitForNginxServer(host,`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`func(server string) bool {`
			`return strings.Contains(server, "Strict-Transport-Security: max-age=86400; includeSubDomains\"")`
			`})`

			`resp, _, errs := gorequest.New().`
Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`Get(f.GetURL(framework.HTTPS)).`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`TLSClientConfig(tlsConfig).`
			`Set("Host", host).`
			`End()`

Refactor assertions 2018-11-18 13:53:05 +00:00			`Expect(errs).Should(BeEmpty())`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`Expect(resp.StatusCode).Should(Equal(http.StatusOK))`
			`Expect(resp.Header.Get("Strict-Transport-Security")).Should(ContainSubstring("max-age=86400"))`

			`By("setting includeSubDomains parameter")`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.UpdateNginxConfigMapData(hstsIncludeSubdomains, "false")`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.WaitForNginxServer(host,`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`func(server string) bool {`
			`return strings.Contains(server, "Strict-Transport-Security: max-age=86400\"")`
			`})`

			`resp, _, errs = gorequest.New().`
Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`Get(f.GetURL(framework.HTTPS)).`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`TLSClientConfig(tlsConfig).`
			`Set("Host", host).`
			`End()`

Refactor assertions 2018-11-18 13:53:05 +00:00			`Expect(errs).Should(BeEmpty())`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`Expect(resp.StatusCode).Should(Equal(http.StatusOK))`
			`Expect(resp.Header.Get("Strict-Transport-Security")).ShouldNot(ContainSubstring("includeSubDomains"))`

			`By("setting preload parameter")`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.UpdateNginxConfigMapData(hstsPreload, "true")`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.WaitForNginxServer(host,`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`func(server string) bool {`
			`return strings.Contains(server, "Strict-Transport-Security: max-age=86400; preload\"")`
			`})`

			`resp, _, errs = gorequest.New().`
Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`Get(f.GetURL(framework.HTTPS)).`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`TLSClientConfig(tlsConfig).`
			`Set("Host", host).`
			`End()`

Refactor assertions 2018-11-18 13:53:05 +00:00			`Expect(errs).Should(BeEmpty())`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`Expect(resp.StatusCode).Should(Equal(http.StatusOK))`
			`Expect(resp.Header.Get("Strict-Transport-Security")).Should(ContainSubstring("preload"))`
			`})`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00
			`It("should not use ports during the HTTP to HTTPS redirection", func() {`
Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00			`tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,`
			`ing.Spec.TLS[0].Hosts,`
			`ing.Spec.TLS[0].SecretName,`
			`ing.Namespace)`
			`Expect(err).NotTo(HaveOccurred())`

Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00
			`resp, _, errs := gorequest.New().`
Lint code using staticcheck (#4471) 2019-08-23 16:08:40 +00:00			`Get(f.GetURL(framework.HTTP)).`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00			`Retry(10, 1*time.Second, http.StatusNotFound).`
			`RedirectPolicy(noRedirectPolicyFunc).`
			`Set("Host", host).`
			`End()`

			`Expect(errs).Should(BeEmpty())`
			`Expect(resp.StatusCode).Should(Equal(http.StatusPermanentRedirect))`
			`Expect(resp.Header.Get("Location")).Should(Equal(fmt.Sprintf("https://%v/", host)))`
			`})`

			`It("should not use ports or X-Forwarded-Host during the HTTP to HTTPS redirection", func() {`
			`f.UpdateNginxConfigMapData("use-forwarded-headers", "true")`

Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`ing := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00			`tlsConfig, err := framework.CreateIngressTLSSecret(f.KubeClientSet,`
			`ing.Spec.TLS[0].Hosts,`
			`ing.Spec.TLS[0].SecretName,`
			`ing.Namespace)`
			`Expect(err).NotTo(HaveOccurred())`

Refactor e2e tests to use the service ClusterIP 2019-02-22 14:03:42 +00:00			`framework.WaitForTLS(f.GetURL(framework.HTTPS), tlsConfig)`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00
			`resp, _, errs := gorequest.New().`
Lint code using staticcheck (#4471) 2019-08-23 16:08:40 +00:00			`Get(f.GetURL(framework.HTTP)).`
Use UsePortInRedirects only if enabled 2019-02-20 19:34:51 +00:00			`Retry(10, 1*time.Second, http.StatusNotFound).`
			`RedirectPolicy(noRedirectPolicyFunc).`
			`Set("Host", host).`
			`Set("X-Forwarded-Host", "example.com:80").`
			`End()`

			`Expect(errs).Should(BeEmpty())`
			`Expect(resp.StatusCode).Should(Equal(http.StatusPermanentRedirect))`
			`Expect(resp.Header.Get("Location")).Should(Equal("https://example.com/"))`
			`})`
Add tests for global TLS settings 2018-04-27 18:36:22 +00:00			`})`