Merge pull request #809 from aledbf/fix-variables-map
Fix dynamic variable name
This commit is contained in:
Manuel Alejandro de Brito Fontes
GitHub
commit
66b4c2606b
3 changed files with 33 additions and 2 deletions
|
|
@ -24,6 +24,7 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"os"
|
"os"
|
||||||
"os/exec"
|
"os/exec"
|
||||||
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
text_template "text/template"
|
text_template "text/template"
|
||||||
|
|
||||||
|
|
@ -31,6 +32,7 @@ import (
|
||||||
|
|
||||||
"github.com/golang/glog"
|
"github.com/golang/glog"
|
||||||
|
|
||||||
|
"github.com/pborman/uuid"
|
||||||
"k8s.io/ingress/controllers/nginx/pkg/config"
|
"k8s.io/ingress/controllers/nginx/pkg/config"
|
||||||
"k8s.io/ingress/core/pkg/ingress"
|
"k8s.io/ingress/core/pkg/ingress"
|
||||||
ing_net "k8s.io/ingress/core/pkg/net"
|
ing_net "k8s.io/ingress/core/pkg/net"
|
||||||
|
|
@ -136,6 +138,7 @@ var (
|
||||||
"buildResolvers": buildResolvers,
|
"buildResolvers": buildResolvers,
|
||||||
"isLocationAllowed": isLocationAllowed,
|
"isLocationAllowed": isLocationAllowed,
|
||||||
"buildLogFormatUpstream": buildLogFormatUpstream,
|
"buildLogFormatUpstream": buildLogFormatUpstream,
|
||||||
|
"buildDenyVariable": buildDenyVariable,
|
||||||
"getenv": os.Getenv,
|
"getenv": os.Getenv,
|
||||||
"contains": strings.Contains,
|
"contains": strings.Contains,
|
||||||
"hasPrefix": strings.HasPrefix,
|
"hasPrefix": strings.HasPrefix,
|
||||||
|
|
@ -372,3 +375,23 @@ func isLocationAllowed(input interface{}) bool {
|
||||||
|
|
||||||
return loc.Denied == nil
|
return loc.Denied == nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var (
|
||||||
|
nonAlpha = regexp.MustCompile("[^a-zA-Z0-9]+")
|
||||||
|
denyPathSlugMap = map[string]string{}
|
||||||
|
)
|
||||||
|
|
||||||
|
// buildDenyVariable returns a nginx variable for a location in a
|
||||||
|
// server to be used in the whitelist check
|
||||||
|
// This method uses a unique id generator library to reduce the
|
||||||
|
// size of the string to be used as a variable in nginx to avoid
|
||||||
|
// issue with the size of the variable bucket size directive
|
||||||
|
func buildDenyVariable(a interface{}) string {
|
||||||
|
l := a.(string)
|
||||||
|
|
||||||
|
if _, ok := denyPathSlugMap[l]; !ok {
|
||||||
|
denyPathSlugMap[l] = uuid.New()
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Sprintf("$deny_%v", denyPathSlugMap[l])
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -198,3 +198,11 @@ func BenchmarkTemplateWithData(b *testing.B) {
|
||||||
ngxTpl.Write(dat)
|
ngxTpl.Write(dat)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestBuildDenyVariable(t *testing.T) {
|
||||||
|
a := buildDenyVariable("host1.example.com_/.well-known/acme-challenge")
|
||||||
|
b := buildDenyVariable("host1.example.com_/.well-known/acme-challenge")
|
||||||
|
if !reflect.DeepEqual(a, b) {
|
||||||
|
t.Errorf("Expected '%v' but returned '%v'", a, b)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -245,7 +245,7 @@ http {
|
||||||
|
|
||||||
{{ if isLocationAllowed $location }}
|
{{ if isLocationAllowed $location }}
|
||||||
{{ if gt (len $location.Whitelist.CIDR) 0 }}
|
{{ if gt (len $location.Whitelist.CIDR) 0 }}
|
||||||
geo $the_real_ip $deny_{{ $server.Hostname }}_{{ $path }} {
|
geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} {
|
||||||
default 1;
|
default 1;
|
||||||
|
|
||||||
{{ range $ip := $location.Whitelist.CIDR }}
|
{{ range $ip := $location.Whitelist.CIDR }}
|
||||||
|
|
@ -337,7 +337,7 @@ http {
|
||||||
|
|
||||||
{{ if isLocationAllowed $location }}
|
{{ if isLocationAllowed $location }}
|
||||||
{{ if gt (len $location.Whitelist.CIDR) 0 }}
|
{{ if gt (len $location.Whitelist.CIDR) 0 }}
|
||||||
if ($deny_{{ $server.Hostname }}_{{ $path }}) {
|
if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) {
|
||||||
return 403;
|
return 403;
|
||||||
}
|
}
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue