DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add signin url req support

Browse source
This commit is contained in:
Cole Mickens 2017-01-29 13:52:50 -08:00
parent ba8aea4642
commit 2b05c90428
3 changed files with 42 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
View file

@ -245,6 +245,8 @@ http {
{{ end }} {{ end }}
{{ if not (empty $location.ExternalAuth.Method) }} {{ if not (empty $location.ExternalAuth.Method) }}
proxy_method {{ $location.ExternalAuth.Method }}; proxy_method {{ $location.ExternalAuth.Method }};
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $pass_access_scheme;
{{ end }} {{ end }}
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_pass_request_headers on; proxy_pass_request_headers on;
@ -270,6 +272,10 @@ http {
auth_request {{ $authPath }}; auth_request {{ $authPath }};
{{ end }} {{ end }}
{{ if not (empty $location.ExternalAuth.SigninURL) }}
error_page 401 = {{ $location.ExternalAuth.SigninURL }};
{{ end }}
{{ if (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect) }} {{ if (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect) }}
# enforce ssl on server side # enforce ssl on server side
if ($scheme = http) { if ($scheme = http) {
@ -316,6 +322,8 @@ http {
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $pass_port; proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme; proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $pass_access_scheme;
# mitigate HTTPoxy Vulnerability # mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/

26
core/pkg/ingress/annotations/authreq/main.go
View file

@ -25,16 +25,18 @@ import (
const ( const (
// external URL that provides the authentication // external URL that provides the authentication
authURL = "ingress.kubernetes.io/auth-url" authURL = "ingress.kubernetes.io/auth-url"
authMethod = "ingress.kubernetes.io/auth-method" authSigninURL = "ingress.kubernetes.io/auth-signin"
authBody = "ingress.kubernetes.io/auth-send-body" authMethod = "ingress.kubernetes.io/auth-method"
authBody = "ingress.kubernetes.io/auth-send-body"
) )
// External returns external authentication configuration for an Ingress rule // External returns external authentication configuration for an Ingress rule
type External struct { type External struct {
URL string `json:"url"` URL string `json:"url"`
Method string `json:"method"` SigninURL string `json:"signinUrl"`
SendBody bool `json:"sendBody"` Method string `json:"method"`
SendBody bool `json:"sendBody"`
} }
var ( var (
@ -70,6 +72,11 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
return nil, err return nil, err
} }
signin, err := parser.GetURLAnnotation(authSigninURL, ing)
if err != nil {
return nil, err
}
m, err := parser.GetStringAnnotation(authMethod, ing) m, err := parser.GetStringAnnotation(authMethod, ing)
if err != nil { if err != nil {
return nil, err return nil, err
@ -82,8 +89,9 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
sb, _ := parser.GetBoolAnnotation(authBody, ing) sb, _ := parser.GetBoolAnnotation(authBody, ing)
return &External{ return &External{
URL: auth.String(), URL: auth.String(),
Method: m, SigninURL: signin.String(),
SendBody: sb, Method: m,
SendBody: sb,
}, nil }, nil
} }

29
core/pkg/ingress/annotations/authreq/main_test.go
View file

@ -67,23 +67,25 @@ func TestAnnotations(t *testing.T) {
ing.SetAnnotations(data) ing.SetAnnotations(data)
tests := []struct { tests := []struct {
title string title string
url string url string
method string signinURL string
sendBody bool method string
expErr bool sendBody bool
expErr bool
}{ }{
{"empty", "", "", false, true}, {"empty", "", "", "", false, true},
{"no scheme", "bar", "", false, true}, {"no scheme", "bar", "bar", "", false, true},
{"invalid host", "http://", "", false, true}, {"invalid host", "http://", "http://", "", false, true},
{"invalid host (multiple dots)", "http://foo..bar.com", "", false, true}, {"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", false, true},
{"valid URL", "http://bar.foo.com/external-auth", "", false, false}, {"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false, false},
{"valid URL - send body", "http://foo.com/external-auth", "POST", true, false}, {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", true, false},
{"valid URL - send body", "http://foo.com/external-auth", "GET", true, false}, {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", true, false},
} }
for _, test := range tests { for _, test := range tests {
data[authURL] = test.url data[authURL] = test.url
data[authSigninURL] = test.signinURL
data[authBody] = fmt.Sprintf("%v", test.sendBody) data[authBody] = fmt.Sprintf("%v", test.sendBody)
data[authMethod] = fmt.Sprintf("%v", test.method) data[authMethod] = fmt.Sprintf("%v", test.method)
@ -101,6 +103,9 @@ func TestAnnotations(t *testing.T) {
if u.URL != test.url { if u.URL != test.url {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL) t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL)
} }
if u.SigninURL != test.signinURL {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.signinURL, u.SigninURL)
}
if u.Method != test.method { if u.Method != test.method {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method) t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
} }