From 3c67976969b695f5b2968ed8804c2463809c32ac Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Sun, 25 Feb 2018 17:20:14 -0300
Subject: [PATCH] In case of TLS errors do not allow traffic (#2146)
---
 internal/ingress/annotations/annotations.go | 8 ++++++++
 internal/ingress/annotations/authtls/main.go | 6 +++---
 internal/ingress/controller/controller.go | 6 ++++--
 internal/ingress/types.go | 2 ++
 rootfs/etc/nginx/template/nginx.tmpl | 7 ++++++-
 5 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/internal/ingress/annotations/annotations.go b/internal/ingress/annotations/annotations.go
index e04e8fe59..083fc3bc5 100644
--- a/internal/ingress/annotations/annotations.go
+++ b/internal/ingress/annotations/annotations.go
@@ -150,6 +150,14 @@ func (e Extractor) Extract(ing *extensions.Ingress) *Ingress {
 continue
 }
+ if name == "CertificateAuth" && data[name] == nil {
+ data[name] = authtls.Config{
+ AuthTLSError: err.Error(),
+ }
+ // avoid mapping the result from the annotation
+ val = nil
+ }
+
 _, alreadyDenied := data[DeniedKeyName]
 if !alreadyDenied {
 data[DeniedKeyName] = err
diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
index 7c608bb53..4803e274e 100644
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@@ -45,6 +45,7 @@ type Config struct {
 ValidationDepth int `json:"validationDepth"`
 ErrorPage string `json:"errorPage"`
 PassCertToUpstream bool `json:"passCertToUpstream"`
+ AuthTLSError string
 }
 // Equal tests for equality between two Config types
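Review bot: The entry stored under `data[name]` here is an `authtls.Config` value, while `authTLS.Parse` (next hunk) returns `&Config{}`, so the `"CertificateAuth"` slot now carries a different dynamic type when parsing fails than when it succeeds; if the later mapping of `data` into the `Ingress` struct (the step that `val = nil` is skipping) only accepts the pointer form, the error entry would be dropped and the deny with it — storing `&authtls.Config{AuthTLSError: err.Error()}` keeps both paths on one type. The string literal `"CertificateAuth"` also has to stay in lockstep with the `Ingress` field name and nothing enforces that; renaming the field would silently disable this branch, so a comment such as `// must match the Ingress.CertificateAuth field name, otherwise the error is never surfaced` or a shared constant is worth adding. Extract's body starts and ends outside the hunk.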
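Review bot: `AuthTLSError` is added without a `json` tag, unlike every sibling field, and `Equal` — whose doc comment is the hunk's last line but whose body lies outside it — is not touched; if `Equal` compares fields one by one, two configs that differ only in `AuthTLSError` (the secret becoming readable again, or the reverse) compare equal, and any change detection built on `Equal` could skip the regeneration that flips the server between `return 403` and normal mTLS. Add `AuthTLSError string \`json:"authTLSError,omitempty"\`` for consistency and a clause comparing `AuthTLSError` in `Equal`, following the method's existing pattern. The field also deserves a doc comment making the contract explicit, e.g. `// AuthTLSError holds the reason the auth-tls annotation could not be honoured; when non-empty the server must deny all traffic`.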
@@ -113,9 +114,8 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
 authCert, err := a.r.GetAuthCertificate(tlsauthsecret)
 if err != nil {
- return &Config{}, ing_errors.LocationDenied{
- Reason: errors.Wrap(err, "error obtaining certificate"),
- }
+ e := errors.Wrap(err, "error obtaining certificate")
+ return &Config{}, ing_errors.LocationDenied{Reason: e}
 }
 errorpage, err := parser.GetStringAnnotation("auth-tls-error-page", ing)
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 3c677d7ae..9f3c7c004 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -369,12 +369,14 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
 continue
 }
+ if server.AuthTLSError == "" && anns.CertificateAuth.AuthTLSError != "" {
+ server.AuthTLSError = anns.CertificateAuth.AuthTLSError
+ }
+
 if server.CertificateAuth.CAFileName == "" {
- server.CertificateAuth = anns.CertificateAuth
 // It is possible that no CAFileName is found in the secret
 if server.CertificateAuth.CAFileName == "" {
 glog.V(3).Infof("secret %v does not contain 'ca.crt', mutual authentication not enabled - ingress rule %v/%v.", server.CertificateAuth.Secret, ing.Namespace, ing.Name)
- }
 } else {
 glog.V(3).Infof("server %v already contains a mutual authentication configuration - ingress rule %v/%v", server.Hostname, ing.Namespace, ing.Name)
diff --git a/internal/ingress/types.go b/internal/ingress/types.go
index bf4205781..7c84f6e70 100644
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
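Review bot: As rendered, the controller hunk removes `server.CertificateAuth = anns.CertificateAuth` and the closing brace of the inner `if` without adding a replacement, so `server.CertificateAuth` is no longer populated from the annotation in this loop and the `else` that logs "already contains a mutual authentication configuration" now attaches to the inner `if`, where it cannot run because the outer condition already established `CAFileName == ""`. If that is the real change and nothing outside the hunk fills `server.CertificateAuth`, a host whose annotation parsed successfully gets no `ssl_client_certificate` in the template and `AuthTLSError` stays empty, so requests are served with no client-certificate check — fail-open, the opposite of what the commit title promises; the collapsed rendering may have lost a line, so this needs confirming against the full file before merging. The new `server.AuthTLSError == "" && anns.CertificateAuth.AuthTLSError != ""` assignment is first-error-wins across ingresses sharing a host, which is the safe direction, and deserves the comment `// keep the first error: any ingress on this host failing auth-tls must deny traffic for the whole host`. getBackendServers continues outside the hunk.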
@@ -162,6 +162,8 @@ type Server struct {
 ServerSnippet string `json:"serverSnippet"`
 // SSLCiphers returns list of ciphers to be enabled
 SSLCiphers string `json:"sslCiphers,omitempty"`
+ // AuthTLSError contains the reason why the access to a server should be denied
+ AuthTLSError string `json:"authTLSError,omitempty"`
 }
 // Location describes an URI inside a server.
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 4c29eba50..48ec311d8 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -622,6 +622,11 @@ stream {
 {{ end }}
 {{ end }}
+ {{ if not (empty $server.AuthTLSError) }}
+ # {{ $server.AuthTLSError }}
+ return 403;
+ {{ else }}
+
 {{ if not (empty $server.CertificateAuth.CAFileName) }}
 # PEM sha: {{ $server.CertificateAuth.PemSHA }}
 ssl_client_certificate {{ $server.CertificateAuth.CAFileName }};
@@ -898,7 +903,7 @@ stream {
 return 503;
 {{ end }}
 }
-
+ {{ end }}
 {{ end }}
 {{ if eq $server.Hostname "_" }}
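Review bot: `# {{ $server.AuthTLSError }}` interpolates the raw Go error string into nginx.conf; that string wraps whatever `GetAuthCertificate` returned, which may carry text under the ingress author's control (the `auth-tls-secret` annotation value, for instance), and a newline in it ends the comment and hands the remainder to nginx as directives — or at best fails the config test, leaving the previous configuration and its previous allow/deny state live. Keep the reason in the controller log and emit a fixed comment instead, e.g. `# client certificate authentication could not be configured (see controller log); denying traffic` followed by `return 403;`, or pass the value through a template function that strips newlines before it is interpolated. A server-scope `return 403;` is, as far as I recall nginx's phase order, evaluated before location selection, so no path on the host is reachable while the error is set, which is the intended effect. The `{{ else }}` opened here is closed in the second hunk, and the enclosing server block starts before this hunk.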