Updates e2e tests

internal/ingress/annotations/ipdenylist/main.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2016 The Kubernetes Authors.
+Copyright 2023 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

internal/ingress/annotations/ipdenylist/main_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2016 The Kubernetes Authors.
+Copyright 2023 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -93,6 +93,11 @@ func TestParseAnnotations(t *testing.T) {
 			expectErr: true,
 			errOut:    "the annotation does not contain a valid IP address or network: invalid CIDR address: ",
 		},
+		"test parse a malicious escaped string": {
+			net:       `10.0.0.0/8"rm /tmp",11.0.0.0/8`,
+			expectErr: true,
+			errOut:    "the annotation does not contain a valid IP address or network: invalid CIDR address: ",
+		},
 		"test parse multiple valid cidr": {
 			net:        "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24",
 			expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"},

test/e2e/annotations/ipdenylist.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2018 The Kubernetes Authors.
+Copyright 2023 The Kubernetes Authors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@ limitations under the License.
 package annotations
 
 import (
+	"net/http"
 	"strings"
 
 	"github.com/onsi/ginkgo/v2"
@@ -31,43 +32,116 @@ var _ = framework.DescribeAnnotation("denylist-source-range", func() {
 		f.NewEchoDeployment()
 	})
 
-	ginkgo.It("should set valid ip denylist range when whitelist", func() {
+	ginkgo.It("only deny explicitly denied IPs, allow all others", func() {
 		host := "ipdenylist.foo.com"
-		nameSpace := f.Namespace
+		namespace := f.Namespace
 
 		annotations := map[string]string{
-			"nginx.ingress.kubernetes.io/denylist-source-range": "18.0.0.0/8, 56.0.0.0/8",
+			"nginx.ingress.kubernetes.io/denylist-source-range": "18.0.0.0/8, 56.0.0.1",
 		}
 
-		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
+		ing := framework.NewSingleIngress(host, "/", host, namespace, framework.EchoService, 80, annotations)
+
+		// Temporarily trust forwarded headers so we can test IP based access control
+		f.UpdateNginxConfigMapData("use-forwarded-headers", "true")
+		defer func() {
+			// Return to the original value
+			f.UpdateNginxConfigMapData("use-forwarded-headers", "false")
+		}()
+
 		f.EnsureIngress(ing)
 
 		f.WaitForNginxServer(host,
 			func(server string) bool {
 				return strings.Contains(server, "deny 18.0.0.0/8;") &&
-					strings.Contains(server, "deny 56.0.0.0/8;")
+					strings.Contains(server, "deny 56.0.0.1;") &&
+					!strings.Contains(server, "deny all;")
 			})
+
+		ginkgo.By("sending request from an explicitly denied IP range")
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("X-Forwarded-For", "18.0.0.1").
+			Expect().
+			Status(http.StatusForbidden)
+
+		ginkgo.By("sending request from an explicitly denied IP address")
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("X-Forwarded-For", "56.0.0.1").
+			Expect().
+			Status(http.StatusForbidden)
+
+		ginkgo.By("sending request from an implicitly allowed IP range")
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("X-Forwarded-For", "56.0.0.2").
+			Expect().
+			Status(http.StatusOK)
 	})
 
-	ginkgo.It("should set valid ip denylist range when whitelist is set", func() {
+	ginkgo.It("only allow explicitly allowed IPs, deny all others", func() {
 		host := "ipdenylist.foo.com"
-		nameSpace := f.Namespace
+		namespace := f.Namespace
 
 		annotations := map[string]string{
-			"nginx.ingress.kubernetes.io/denylist-source-range":  "18.0.0.0/8, 56.0.0.0/8",
-			"nginx.ingress.kubernetes.io/whitelist-source-range": "17.0.0.0/8, 55.0.0.0/8",
+			"nginx.ingress.kubernetes.io/denylist-source-range":  "18.1.0.0/16, 56.0.0.0/8",
+			"nginx.ingress.kubernetes.io/whitelist-source-range": "18.0.0.0/8, 55.0.0.0/8",
 		}
 
-		ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
+		ing := framework.NewSingleIngress(host, "/", host, namespace, framework.EchoService, 80, annotations)
+
+		// Temporarily trust forwarded headers so we can test IP based access control
+		f.UpdateNginxConfigMapData("use-forwarded-headers", "true")
+		defer func() {
+			// Return to the original value
+			f.UpdateNginxConfigMapData("use-forwarded-headers", "false")
+		}()
+
 		f.EnsureIngress(ing)
 
 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, "deny 18.0.0.0/8;") &&
+				return strings.Contains(server, "deny 18.1.0.0/16;") &&
 					strings.Contains(server, "deny 56.0.0.0/8;") &&
-					strings.Contains(server, "allow 17.0.0.0/8;") &&
+					strings.Contains(server, "allow 18.0.0.0/8;") &&
 					strings.Contains(server, "allow 55.0.0.0/8;") &&
 					strings.Contains(server, "deny all;")
 			})
+
+		ginkgo.By("sending request from an explicitly denied IP range")
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("X-Forwarded-For", "18.1.0.1").
+			Expect().
+			Status(http.StatusForbidden)
+
+		ginkgo.By("sending request from an implicitly denied IP")
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("X-Forwarded-For", "10.10.10.10").
+			Expect().
+			Status(http.StatusForbidden)
+
+		ginkgo.By("sending request from an explicitly allowed IP range")
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("X-Forwarded-For", "18.4.0.1").
+			Expect().
+			Status(http.StatusOK)
+
+		ginkgo.By("sending request from an explicitly allowed IP range")
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			WithHeader("X-Forwarded-For", "55.55.55.55").
+			Expect().
+			Status(http.StatusOK)
 	})
 })