From b70e9ca078978fa2b93bbc0b42b475d3b0b2984a Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Thu, 1 Jun 2017 23:30:22 -0400
Subject: [PATCH] Fix dynamic variable name
---
 controllers/nginx/pkg/template/template.go | 23 +++++++++++++++++++
 .../nginx/pkg/template/template_test.go | 8 +++++++
 .../rootfs/etc/nginx/template/nginx.tmpl | 4 ++--
 3 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
index dea4ed310..72912ca1e 100644
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@@ -24,6 +24,7 @@ import (
 "net"
 "os"
 "os/exec"
+ "regexp"
 "strings"
 text_template "text/template"
@@ -31,6 +32,7 @@ import (
 "github.com/golang/glog"
+ "github.com/pborman/uuid"
 "k8s.io/ingress/controllers/nginx/pkg/config"
 "k8s.io/ingress/core/pkg/ingress"
 ing_net "k8s.io/ingress/core/pkg/net"
@@ -136,6 +138,7 @@ var (
 "buildResolvers": buildResolvers,
 "isLocationAllowed": isLocationAllowed,
 "buildLogFormatUpstream": buildLogFormatUpstream,
+ "buildDenyVariable": buildDenyVariable,
 "getenv": os.Getenv,
 "contains": strings.Contains,
 "hasPrefix": strings.HasPrefix,
@@ -372,3 +375,23 @@ func isLocationAllowed(input interface{}) bool {
 return loc.Denied == nil
 }
+
+var (
+ nonAlpha = regexp.MustCompile("[^a-zA-Z0-9]+")
+ denyPathSlugMap = map[string]string{}
+)
+
+// buildDenyVariable returns a nginx variable for a location in a
+// server to be used in the whitelist check
+// This method uses a unique id generator library to reduce the
+// size of the string to be used as a variable in nginx to avoid
+// issue with the size of the variable bucket size directive
+func buildDenyVariable(a interface{}) string {
+ l := a.(string)
+
+ if _, ok := denyPathSlugMap[l]; !ok {
+ denyPathSlugMap[l] = uuid.New()
+ }
+
+ return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
+}
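Review bot: `uuid.New()` from pborman/uuid returns the canonical hyphenated form, so `buildDenyVariable` emits `$deny_` followed by a string containing `-`, while `nonAlpha` is declared in the same `var` block and never used in this hunk. nginx variable names are normally limited to letters, digits and underscore, and this variable gates the whitelist `return 403`, so the slug should be sanitised before it is stored: `denyPathSlugMap[l] = nonAlpha.ReplaceAllString(uuid.New(), "")`. Two smaller points in the same function: `l := a.(string)` panics on a non-string argument (prefer `l, ok := a.(string)` with a logged error on failure), and `denyPathSlugMap` is a package-level map that is written without a lock and never pruned, which is only safe if templates are rendered from a single goroutine; that is not visible here.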
diff --git a/controllers/nginx/pkg/template/template_test.go b/controllers/nginx/pkg/template/template_test.go
index 7dfe83ed4..a19b6de30 100644
--- a/controllers/nginx/pkg/template/template_test.go
+++ b/controllers/nginx/pkg/template/template_test.go
@@ -198,3 +198,11 @@ func BenchmarkTemplateWithData(b *testing.B) {
 ngxTpl.Write(dat)
 }
 }
+
+func TestBuildDenyVariable(t *testing.T) {
+ a := buildDenyVariable("host1.example.com_/.well-known/acme-challenge")
+ b := buildDenyVariable("host1.example.com_/.well-known/acme-challenge")
+ if !reflect.DeepEqual(a, b) {
+ t.Errorf("Expected '%v' but returned '%v'", a, b)
+ }
+}
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index a472a4018..dbc30c616 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -245,7 +245,7 @@ http {
 {{ if isLocationAllowed $location }}
 {{ if gt (len $location.Whitelist.CIDR) 0 }}
- geo $the_real_ip $deny_{{ $server.Hostname }}_{{ $path }} {
+ geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} {
 default 1;
 {{ range $ip := $location.Whitelist.CIDR }}
@@ -337,7 +337,7 @@ http {
 {{ if isLocationAllowed $location }}
 {{ if gt (len $location.Whitelist.CIDR) 0 }}
- if ($deny_{{ $server.Hostname }}_{{ $path }}) {
+ if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) {
 return 403;
 }
 {{ end }}
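Review bot: `TestBuildDenyVariable` only proves that the same key maps to the same name, so it would still pass if every key mapped to one shared variable, which would make separate locations share a whitelist result. Add a second key and assert that it differs, e.g. `if c := buildDenyVariable("host2.example.com_/"); c == a { t.Errorf("expected distinct variables, got '%v' twice", c) }`, and check that the result starts with `$deny_` and contains only characters valid in an nginx variable name. For two strings `a != b` is enough; `reflect.DeepEqual` is not needed.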
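Review bot: The `geo` line in the hunk at 245 and the `if (...)` check in the hunk at 337 each rebuild the key with `print $server.Hostname "_" $path`, and `buildDenyVariable` hands out a fresh name for any key it has not seen, so a difference between the two expressions would not be reported when the template is rendered. `$path` is assigned outside both hunks, so it cannot be confirmed from here that both sites see the same value. A template comment at each site would keep them in step, for example `{{/* key must match the geo block: Hostname "_" path */}}`. A mismatch would presumably surface only as an unknown-variable error when nginx tests the rendered configuration, so that test should run before the reload.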