ingress-nginx-helm/test/e2e/settings/global_access_block.go

/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package settings

import (
	"net/http"
	"strings"

	"github.com/onsi/ginkgo/v2"

	"k8s.io/ingress-nginx/test/e2e/framework"
)

var _ = framework.DescribeSetting("[Security] block-*", func() {
	f := framework.NewDefaultFramework("global-access-block")

	host := "global-access-block"

	ginkgo.BeforeEach(func() {
		f.NewEchoDeployment()
		f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil))
	})

	ginkgo.It("should block CIDRs defined in the ConfigMap", func() {
		f.UpdateNginxConfigMapData("block-cidrs", "172.16.0.0/12,192.168.0.0/16,10.0.0.0/8")

		f.WaitForNginxConfiguration(
			func(cfg string) bool {
				return strings.Contains(cfg, "deny 172.16.0.0/12;") &&
					strings.Contains(cfg, "deny 192.168.0.0/16;") &&
					strings.Contains(cfg, "deny 10.0.0.0/8;")
			})

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			Expect().
			Status(http.StatusForbidden)
	})

	ginkgo.It("should block User-Agents defined in the ConfigMap", func() {
		f.UpdateNginxConfigMapData("block-user-agents", "~*chrome\\/68\\.0\\.3440\\.106\\ safari\\/537\\.36,AlphaBot")

		f.WaitForNginxConfiguration(
			func(cfg string) bool {
				return strings.Contains(cfg, "~*chrome\\/68\\.0\\.3440\\.106\\ safari\\/537\\.36 1;") &&
					strings.Contains(cfg, "AlphaBot 1;")
			})

		// Should be blocked
		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36").
			Expect().
			Status(http.StatusForbidden)

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "AlphaBot").
			Expect().
			Status(http.StatusForbidden)

		// Shouldn't be blocked
		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("User-Agent", "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1").
			Expect().
			Status(http.StatusOK)
	})

	ginkgo.It("should block Referers defined in the ConfigMap", func() {
		f.UpdateNginxConfigMapData("block-referers", "~*example\\.com,qwerty")

		f.WaitForNginxConfiguration(
			func(cfg string) bool {
				return strings.Contains(cfg, "~*example\\.com 1;") &&
					strings.Contains(cfg, "qwerty 1;")
			})

		// Should be blocked
		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("Referer", "example.com").
			Expect().
			Status(http.StatusForbidden)

		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("Referer", "qwerty").
			Expect().
			Status(http.StatusForbidden)

		// Shouldn't be blocked
		f.HTTPTestClient().
			GET("/").
			WithHeader("Host", host).
			WithHeader("Referer", "qwerty123").
			Expect().
			Status(http.StatusOK)
	})
})
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`/*`
			`Copyright 2017 The Kubernetes Authors.`

			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`package settings`

			`import (`
			`"net/http"`
			`"strings"`

migrate ginkgo to v2 (#8826) * Migrate ginkgo to v2 * Update test/e2e/annotations/ipwhitelist.go Co-authored-by: Jintao Zhang <tao12345666333@163.com> * Update test/e2e/annotations/modsecurity/modsecurity.go Co-authored-by: Jintao Zhang <tao12345666333@163.com> * Update test/e2e/settings/access_log.go Co-authored-by: Jintao Zhang <tao12345666333@163.com> * remove unnecessary blank line * re-order packages * less change Co-authored-by: Jintao Zhang <tao12345666333@163.com> 2022-07-31 16:16:28 +00:00			`"github.com/onsi/ginkgo/v2"`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00
			`"k8s.io/ingress-nginx/test/e2e/framework"`
			`)`

Cleanup and standardization of e2e test definitions (#5090) 2020-02-16 18:27:58 +00:00			`var _ = framework.DescribeSetting("[Security] block-*", func() {`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`f := framework.NewDefaultFramework("global-access-block")`

			`host := "global-access-block"`

Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`ginkgo.BeforeEach(func() {`
			`f.NewEchoDeployment()`
Remove hard-coded names from e2e test and use local docker dependencies (#4502) 2019-09-01 18:16:52 +00:00			`f.EnsureIngress(framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, nil))`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`})`

Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`ginkgo.It("should block CIDRs defined in the ConfigMap", func() {`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.UpdateNginxConfigMapData("block-cidrs", "172.16.0.0/12,192.168.0.0/16,10.0.0.0/8")`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.WaitForNginxConfiguration(`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`func(cfg string) bool {`
			`return strings.Contains(cfg, "deny 172.16.0.0/12;") &&`
			`strings.Contains(cfg, "deny 192.168.0.0/16;") &&`
			`strings.Contains(cfg, "deny 10.0.0.0/8;")`
			`})`

Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`f.HTTPTestClient().`
			`GET("/").`
			`WithHeader("Host", host).`
			`Expect().`
			`Status(http.StatusForbidden)`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`})`

Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`ginkgo.It("should block User-Agents defined in the ConfigMap", func() {`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.UpdateNginxConfigMapData("block-user-agents", "~*chrome\\/68\\.0\\.3440\\.106\\ safari\\/537\\.36,AlphaBot")`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.WaitForNginxConfiguration(`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`func(cfg string) bool {`
			`return strings.Contains(cfg, "~*chrome\\/68\\.0\\.3440\\.106\\ safari\\/537\\.36 1;") &&`
			`strings.Contains(cfg, "AlphaBot 1;")`
			`})`

			`// Should be blocked`
Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`f.HTTPTestClient().`
			`GET("/").`
			`WithHeader("Host", host).`
			`WithHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36").`
			`Expect().`
			`Status(http.StatusForbidden)`

			`f.HTTPTestClient().`
			`GET("/").`
			`WithHeader("Host", host).`
			`WithHeader("User-Agent", "AlphaBot").`
			`Expect().`
			`Status(http.StatusForbidden)`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00
			`// Shouldn't be blocked`
Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`f.HTTPTestClient().`
			`GET("/").`
			`WithHeader("Host", host).`
			`WithHeader("User-Agent", "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1").`
			`Expect().`
			`Status(http.StatusOK)`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`})`

Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`ginkgo.It("should block Referers defined in the ConfigMap", func() {`
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.UpdateNginxConfigMapData("block-referers", "~*example\\.com,qwerty")`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00
Remove e2e boilerplate 2018-10-29 21:39:04 +00:00			`f.WaitForNginxConfiguration(`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`func(cfg string) bool {`
			`return strings.Contains(cfg, "~*example\\.com 1;") &&`
			`strings.Contains(cfg, "qwerty 1;")`
			`})`

			`// Should be blocked`
Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`f.HTTPTestClient().`
			`GET("/").`
			`WithHeader("Host", host).`
			`WithHeader("Referer", "example.com").`
			`Expect().`
			`Status(http.StatusForbidden)`

			`f.HTTPTestClient().`
			`GET("/").`
			`WithHeader("Host", host).`
			`WithHeader("Referer", "qwerty").`
			`Expect().`
			`Status(http.StatusForbidden)`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00
			`// Shouldn't be blocked`
Refactor e2e tests to use testify y httpexpect 2020-02-19 03:08:56 +00:00			`f.HTTPTestClient().`
			`GET("/").`
			`WithHeader("Host", host).`
			`WithHeader("Referer", "qwerty123").`
			`Expect().`
			`Status(http.StatusOK)`
Provide possibility to block CIDRs, User-Agents and Referers globally 2018-08-27 13:50:04 +00:00			`})`
			`})`