diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 7038ca90d..1a8f8572b 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -220,6 +220,7 @@ The following table shows a configuration option's name, type, and the default v |[global-auth-cache-key](#global-auth-cache-key)|string|""|| |[global-auth-cache-duration](#global-auth-cache-duration)|string|"200 202 401 5m"|| |[global-auth-always-set-cookie](#global-auth-always-set-cookie)|bool|"false"|| +|[global-auth-default-enable](#global-auth-default-enable)|bool|"true"|| |[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"|| |[block-cidrs](#block-cidrs)|[]string|""|| |[block-user-agents](#block-user-agents)|[]string|""|| @@ -1348,6 +1349,10 @@ Enables caching for global auth requests. Specify a lookup key for auth response Set a caching time for auth responses based on their response codes, e.g. `200 202 30m`. See [proxy_cache_valid](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid) for details. You may specify multiple, comma-separated values: `200 202 10m, 401 5m`. defaults to `200 202 401 5m`. +## global-auth-default-enable + +TODO : Set a caching time for auth responses based on their response codes, e.g. `200 202 30m`. See [proxy_cache_valid](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_valid) for details. You may specify multiple, comma-separated values: `200 202 10m, 401 5m`. defaults to `200 202 401 5m`. + ## global-auth-always-set-cookie Always set a cookie returned by auth request. By default, the cookie will be set only if an upstream reports with the code 200, 201, 204, 206, 301, 302, 303, 304, 307, or 308. diff --git a/internal/ingress/controller/template/configmap.go b/internal/ingress/controller/template/configmap.go index 9dc019bcc..493df7c21 100644 
--- a/internal/ingress/controller/template/configmap.go +++ b/internal/ingress/controller/template/configmap.go @@ -64,6 +64,7 @@ const ( globalAuthCacheKey = "global-auth-cache-key" globalAuthCacheDuration = "global-auth-cache-duration" globalAuthAlwaysSetCookie = "global-auth-always-set-cookie" + globalAuthDefaultEnable = "global-auth-default-enable" luaSharedDictsKey = "lua-shared-dicts" plugins = "plugins" debugConnections = "debug-connections" @@ -343,6 +344,17 @@ func ReadConfig(src map[string]string) config.Configuration { to.GlobalExternalAuth.AlwaysSetCookie = alwaysSetCookie } + // Verify that the configured global external authorization default enable is valid + if val, ok := conf[globalAuthDefaultEnable]; ok { + delete(conf, globalAuthDefaultEnable) + + authDefaultEnable, err := strconv.ParseBool(val) + if err != nil { + klog.Warningf("Global auth location denied - %s", fmt.Errorf("cannot convert %s to bool: %v", globalAuthDefaultEnable, err)) + } + to.GlobalExternalAuth.DefaultEnable = authDefaultEnable + } + // Verify that the configured timeout is parsable as a duration. if not, set the default value if val, ok := conf[proxyHeaderTimeout]; ok { delete(conf, proxyHeaderTimeout) diff --git a/internal/ingress/controller/template/configmap_test.go b/internal/ingress/controller/template/configmap_test.go index dad841694..c8a6cb843 100644 --- a/internal/ingress/controller/template/configmap_test.go +++ b/internal/ingress/controller/template/configmap_test.go 
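Review bot: In the new `globalAuthDefaultEnable` block of ReadConfig, a value that fails `strconv.ParseBool` is still assigned: `authDefaultEnable` is `false` on error, so a typo in the ConfigMap replaces the documented default of `"true"` with `false` and leaves only a warning in the log. If `DefaultEnable=false` means locations skip global external auth unless they opt in (inferred from the option name, since the docs section added in this commit is still a `TODO` copy of the cache-duration text), a malformed value fails open on an authentication control. Assign only on success, for example `} else { to.GlobalExternalAuth.DefaultEnable = authDefaultEnable }`, so an invalid value keeps whatever `to` already holds, presumably the default. The warning text `Global auth location denied - ...` does not describe this setting either; `klog.Warningf("invalid %s value %q, keeping default: %v", globalAuthDefaultEnable, val, err)` would be easier to act on. ReadConfig's body starts and ends outside the hunk.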
@@ -263,6 +263,34 @@ func TestGlobalExternalAlwaysSetCookie(t *testing.T) { } } +func TestGlobalExternalDefaultEnable(t *testing.T) { + testCases := map[string]struct { + defaultEnable string + result bool + }{ + "true": { + defaultEnable: "true", + result: true, + }, + "false": { + defaultEnable: "false", + }, + "set empty": { + defaultEnable: "true", + }, + "error": { + defaultEnable: "error string", + }, + } + + for n, tc := range testCases { + cfg := ReadConfig(map[string]string{"global-auth-default-enable": tc.defaultEnable}) + if cfg.GlobalExternalAuth.DefaultEnable != tc.result { + t.Errorf("Testing %v. Expected \"%v\" but \"%v\" was returned", n, tc.result, cfg.GlobalExternalAuth.DefaultEnable) + } + } +} + func TestGlobalExternalAuthSigninRedirectParamParsing(t *testing.T) { testCases := map[string]struct { param string
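Review bot: The `"set empty"` case in TestGlobalExternalDefaultEnable passes `defaultEnable: "true"` but expects the zero value `false`, which contradicts the `"true"` case with the same input, so one of the two cannot pass; it was presumably meant to be `defaultEnable: "",`. The `"error"` case likewise expects `false` for an unparsable value, which pins the behaviour where a malformed setting switches the option off even though the docs table in this commit lists the default as `"true"`. A case that calls `ReadConfig(map[string]string{})` and asserts the default would cover the key-absent path, which this table never exercises.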