Merge pull request #5040 from BrianKopp/samesite-followup

Update documentation and remove hack fixed by upstream cookie library
2020-02-10 10:25:53 -08:00 · 2020-02-10 10:25:53 -08:00 · 5e54f66ab2
commit 5e54f66ab2
parent 76077ac027 7c7a1b9c8b
3 changed files with 16 additions and 13 deletions
--- a/docs/user-guide/nginx-configuration/annotations.md
+++ b/docs/user-guide/nginx-configuration/annotations.md
@ -171,7 +171,7 @@ If you use the ``cookie`` affinity type you can also specify the name of the coo

 The NGINX annotation `nginx.ingress.kubernetes.io/session-cookie-path` defines the path that will be set on the cookie. This is optional unless the annotation `nginx.ingress.kubernetes.io/use-regex` is set to true; Session cookie paths do not support regex.

-Use `nginx.ingress.kubernetes.io/session-cookie-samesite` to apply a `SameSite` attribute to the sticky cookie. Browser accepted values are `None`, `Lax`, and `Strict`. Some older browsers reject cookies with the more-recently-defined `SameSite=None`. To omit `SameSite=None` from these older browsers, add the annotation `nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none: "true"`.
+Use `nginx.ingress.kubernetes.io/session-cookie-samesite` to apply a `SameSite` attribute to the sticky cookie. Browser accepted values are `None`, `Lax`, and `Strict`. Some browsers reject cookies with `SameSite=None`, including those created before the `SameSite=None` specification (e.g. Chrome 5X). Other browsers mistakenly treat `SameSite=None` cookies as `SameSite=Strict` (e.g. Safari running on OSX 14). To omit `SameSite=None` from browsers with these incompatibilities, add the annotation `nginx.ingress.kubernetes.io/session-cookie-conditional-samesite-none: "true"`.

 ### Authentication

--- a/rootfs/etc/nginx/lua/balancer/sticky.lua
+++ b/rootfs/etc/nginx/lua/balancer/sticky.lua
@ -54,15 +54,12 @@ function _M.set_cookie(self, value)
    end
  end

-  if cookie_samesite then
-    cookie_path = cookie_path .. "; SameSite=" .. cookie_samesite
-  end
-
  local cookie_data = {
    key = self:cookie_name(),
    value = value,
    path = cookie_path,
    httponly = true,
+    samesite = cookie_samesite,
    secure = ngx.var.https == "on",
  }

--- a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
@ -114,6 +114,7 @@ describe("Sticky", function()
            set = function(self, payload)
              assert.equal(payload.key, test_backend.sessionAffinityConfig.cookieSessionAffinity.name)
              assert.equal(payload.path, ngx.var.location_path)
+              assert.equal(payload.samesite, nil)
              assert.equal(payload.domain, nil)
              assert.equal(payload.httponly, true)
              assert.equal(payload.secure, false)
@ -143,6 +144,7 @@ describe("Sticky", function()
            set = function(self, payload)
              assert.equal(payload.key, test_backend.sessionAffinityConfig.cookieSessionAffinity.name)
              assert.equal(payload.path, ngx.var.location_path)
+              assert.equal(payload.samesite, nil)
              assert.equal(payload.domain, nil)
              assert.equal(payload.httponly, true)
              assert.equal(payload.secure, true)
@ -185,6 +187,7 @@ describe("Sticky", function()
            set = function(self, payload)
              assert.equal(payload.key, test_backend.sessionAffinityConfig.cookieSessionAffinity.name)
              assert.equal(payload.path, ngx.var.location_path)
+              assert.equal(payload.samesite, nil)
              assert.equal(payload.domain, nil)
              assert.equal(payload.httponly, true)
              assert.equal(payload.secure, false)
@ -228,6 +231,7 @@ describe("Sticky", function()
              assert.equal(payload.path, ngx.var.location_path)
              assert.equal(payload.domain, ngx.var.host)
              assert.equal(payload.httponly, true)
+              assert.equal(payload.samesite, nil)
              return true, nil
            end,
            get = function(k) return false end,
@ -368,6 +372,7 @@ describe("Sticky", function()
          set = function(self, payload)
            assert.equal(payload.key, test_backend.sessionAffinityConfig.cookieSessionAffinity.name)
            assert.equal(payload.path, ngx.var.location_path)
+            assert.equal(payload.samesite, nil)
            assert.equal(payload.domain, nil)
            assert.equal(payload.httponly, true)
            assert.equal(payload.secure, false)
@ -405,13 +410,14 @@ describe("Sticky", function()
      cookie.new = mocked_cookie_new
    end)

-    local function test_set_cookie(sticky, samesite, conditional_samesite_none, expected_path)
+    local function test_set_cookie(sticky, samesite, conditional_samesite_none, expected_path, expected_samesite)
      local s = {}
      cookie.new = function(self)
        local cookie_instance = {
          set = function(self, payload)
            assert.equal(payload.key, test_backend.sessionAffinityConfig.cookieSessionAffinity.name)
            assert.equal(payload.path, expected_path)
+            assert.equal(payload.samesite, expected_samesite)
            assert.equal(payload.domain, nil)
            assert.equal(payload.httponly, true)
            assert.equal(payload.secure, false)
@ -433,27 +439,27 @@ describe("Sticky", function()
    end

    it("returns a cookie with SameSite=Strict when user specifies samesite strict", function()
-      test_set_cookie(sticky_balanced, "Strict", false, "/; SameSite=Strict")
+      test_set_cookie(sticky_balanced, "Strict", false, "/", "Strict")
    end)
    it("returns a cookie with SameSite=Strict when user specifies samesite strict and conditional samesite none", function()
-      test_set_cookie(sticky_balanced, "Strict", true, "/; SameSite=Strict")
+      test_set_cookie(sticky_balanced, "Strict", true, "/", "Strict")
    end)
    it("returns a cookie with SameSite=Lax when user specifies samesite lax", function()
-      test_set_cookie(sticky_balanced, "Lax", false, "/; SameSite=Lax")
+      test_set_cookie(sticky_balanced, "Lax", false, "/", "Lax")
    end)
    it("returns a cookie with SameSite=Lax when user specifies samesite lax and conditional samesite none", function()
-      test_set_cookie(sticky_balanced, "Lax", true, "/; SameSite=Lax")
+      test_set_cookie(sticky_balanced, "Lax", true, "/", "Lax")
    end)
    it("returns a cookie with SameSite=None when user specifies samesite None", function()
-      test_set_cookie(sticky_balanced, "None", false, "/; SameSite=None")
+      test_set_cookie(sticky_balanced, "None", false, "/", "None")
    end)
    it("returns a cookie with SameSite=None when user specifies samesite None and conditional samesite none with supported user agent", function()
      mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.2704.103 Safari/537.36"} })
-      test_set_cookie(sticky_balanced, "None", true, "/; SameSite=None")
+      test_set_cookie(sticky_balanced, "None", true, "/", "None")
    end)
    it("returns a cookie without SameSite=None when user specifies samesite None and conditional samesite none with unsupported user agent", function()
      mock_ngx({ var = { location_path = "/", host = "test.com" , http_user_agent = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"} })
-      test_set_cookie(sticky_balanced, "None", true, "/")
+      test_set_cookie(sticky_balanced, "None", true, "/", nil)
    end)
  end)
 end)