In case of TLS errors do not allow traffic (#2146)

2018-02-25 17:20:14 -03:00 · 2018-02-25 17:20:14 -03:00 · 3c67976969
commit 3c67976969
parent 216fe01a07
5 changed files with 23 additions and 6 deletions
--- a/internal/ingress/annotations/annotations.go
+++ b/internal/ingress/annotations/annotations.go
@ -150,6 +150,14 @@ func (e Extractor) Extract(ing *extensions.Ingress) *Ingress {
 				continue
 			}

+			if name == "CertificateAuth" && data[name] == nil {
+				data[name] = authtls.Config{
+					AuthTLSError: err.Error(),
+				}
+				// avoid mapping the result from the annotation
+				val = nil
+			}
+
 			_, alreadyDenied := data[DeniedKeyName]
 			if !alreadyDenied {
 				data[DeniedKeyName] = err
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@ -45,6 +45,7 @@ type Config struct {
 	ValidationDepth    int    `json:"validationDepth"`
 	ErrorPage          string `json:"errorPage"`
 	PassCertToUpstream bool   `json:"passCertToUpstream"`
+	AuthTLSError       string
 }

 // Equal tests for equality between two Config types
@ -113,9 +114,8 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {

 	authCert, err := a.r.GetAuthCertificate(tlsauthsecret)
 	if err != nil {
-		return &Config{}, ing_errors.LocationDenied{
-			Reason: errors.Wrap(err, "error obtaining certificate"),
-		}
+		e := errors.Wrap(err, "error obtaining certificate")
+		return &Config{}, ing_errors.LocationDenied{Reason: e}
 	}

 	errorpage, err := parser.GetStringAnnotation("auth-tls-error-page", ing)
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -369,12 +369,14 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
 				continue
 			}

+			if server.AuthTLSError == "" && anns.CertificateAuth.AuthTLSError != "" {
+				server.AuthTLSError = anns.CertificateAuth.AuthTLSError
+			}
+
 			if server.CertificateAuth.CAFileName == "" {
-				server.CertificateAuth = anns.CertificateAuth
 				// It is possible that no CAFileName is found in the secret
 				if server.CertificateAuth.CAFileName == "" {
 					glog.V(3).Infof("secret %v does not contain 'ca.crt', mutual authentication not enabled - ingress rule %v/%v.", server.CertificateAuth.Secret, ing.Namespace, ing.Name)
-
 				}
 			} else {
 				glog.V(3).Infof("server %v already contains a mutual authentication configuration - ingress rule %v/%v", server.Hostname, ing.Namespace, ing.Name)
--- a/internal/ingress/types.go
+++ b/internal/ingress/types.go
@ -162,6 +162,8 @@ type Server struct {
 	ServerSnippet string `json:"serverSnippet"`
 	// SSLCiphers returns list of ciphers to be enabled
 	SSLCiphers string `json:"sslCiphers,omitempty"`
+	// AuthTLSError contains the reason why the access to a server should be denied
+	AuthTLSError string `json:"authTLSError,omitempty"`
 }

 // Location describes an URI inside a server.
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -622,6 +622,11 @@ stream {
        {{ end }}
        {{ end }}

+        {{ if not (empty $server.AuthTLSError) }}
+        # {{ $server.AuthTLSError }}
+        return 403;
+        {{ else }}
+
        {{ if not (empty $server.CertificateAuth.CAFileName) }}
        # PEM sha: {{ $server.CertificateAuth.PemSHA }}
        ssl_client_certificate                  {{ $server.CertificateAuth.CAFileName }};
@ -898,7 +903,7 @@ stream {
            return 503;
            {{ end }}
        }
-
+        {{ end }}
        {{ end }}

        {{ if eq $server.Hostname "_" }}