From 7767230e6a6cd8372eca98c08c59a09441fd1b40 Mon Sep 17 00:00:00 2001 From: Jeff Hui Date: Mon, 8 Jun 2020 11:18:53 -0400 Subject: [PATCH] fix undefined variable $auth_cookie error when location is denied (add) isLocationAllowed check before setting the cookie --- rootfs/etc/nginx/template/nginx.tmpl | 3 ++- test/e2e/annotations/auth.go | 31 ++++++++++++++++++++++++++-- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 29546a989..f828b1a17 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -1018,7 +1018,7 @@ stream { } {{ end }} - + {{ if isLocationAllowed $location }} {{ if $externalAuth.SigninURL }} location {{ buildAuthSignURLLocation $location.Path $externalAuth.SigninURL }} { internal; @@ -1028,6 +1028,7 @@ stream { return 302 {{ buildAuthSignURL $externalAuth.SigninURL }}; } {{ end }} + {{ end }} location {{ $path }} { {{ $ing := (getIngressInformation $location.Ingress $server.Hostname $location.Path) }} diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index b97ebcef8..11e4807b9 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -29,6 +29,7 @@ import ( "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" + networking "k8s.io/api/networking/v1beta1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/ingress-nginx/test/e2e/framework" @@ -353,6 +354,8 @@ var _ = framework.DescribeAnnotation("auth-*", func() { ginkgo.Context("when external authentication is configured", func() { host := "auth" + var annotations map[string]string + var ing *networking.Ingress ginkgo.BeforeEach(func() { f.NewHttpbinDeployment() @@ -367,12 +370,12 @@ var _ = framework.DescribeAnnotation("auth-*", func() { httpbinIP = e.Subsets[0].Addresses[0].IP - annotations := map[string]string{ + annotations = map[string]string{ "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", } - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) f.WaitForNginxServer(host, func(server string) bool { @@ -399,6 +402,30 @@ var _ = framework.DescribeAnnotation("auth-*", func() { Status(http.StatusFound). Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d"))) }) + + ginkgo.It("keeps processing new ingresses even if one of the existing ingresses is misconfigured", func() { + annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic" + annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something" + annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth" + f.UpdateIngress(ing) + + anotherHost := "different" + anotherAnnotations := map[string]string{} + + anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations) + f.EnsureIngress(anotherIng) + + f.WaitForNginxServer(anotherHost, + func(server string) bool { + return strings.Contains(server, "server_name "+anotherHost) + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", anotherHost). + Expect(). + Status(http.StatusOK) + }) }) ginkgo.Context("when external authentication with caching is configured", func() {