Lua: Extract external auth into file. (#12250)

Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
2024-10-29 10:22:54 -03:00 · 2024-10-29 10:22:54 -03:00 · 7356c4f40f
commit 7356c4f40f
parent 6608eb23b0
5 changed files with 40 additions and 28 deletions
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@ -602,17 +602,12 @@ func buildAuthResponseHeaders(proxySetHeader string, headers []string, lua bool)
 	return res
 }

-func buildAuthUpstreamLuaHeaders(headers []string) []string {
-	res := []string{}
-
+func buildAuthUpstreamLuaHeaders(headers []string) string {
 	if len(headers) == 0 {
-		return res
+		return ""
 	}

-	for i, h := range headers {
-		res = append(res, fmt.Sprintf("ngx.var.authHeader%d = res.header['%s']", i, h))
-	}
-	return res
+	return strings.Join(headers, ",")
 }

 func buildAuthProxySetHeaders(headers map[string]string) []string {
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@ -537,10 +537,7 @@ func TestBuildAuthResponseHeaders(t *testing.T) {

 func TestBuildAuthResponseLua(t *testing.T) {
 	externalAuthResponseHeaders := []string{"h1", "H-With-Caps-And-Dashes"}
-	expected := []string{
-		"ngx.var.authHeader0 = res.header['h1']",
-		"ngx.var.authHeader1 = res.header['H-With-Caps-And-Dashes']",
-	}
+	expected := "h1,H-With-Caps-And-Dashes"

 	headers := buildAuthUpstreamLuaHeaders(externalAuthResponseHeaders)

--- a/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua
+++ b/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua
@ -0,0 +1,30 @@
+local auth_path = ngx.var.auth_path
+local auth_keepalive_share_vars = ngx.var.auth_keepalive_share_vars
+local auth_response_headers = ngx.var.auth_response_headers
+local ngx_re_split = require("ngx.re").split
+local ipairs = ipairs
+local ngx_log = ngx.log
+local ngx_ERR = ngx.ERR
+
+local res = ngx.location.capture(auth_path, {
+    method = ngx.HTTP_GET, body = '',
+    share_all_vars = auth_keepalive_share_vars })
+
+if res.status == ngx.HTTP_OK then
+    local header_parts, err = ngx_re_split(auth_response_headers, ",")
+    if err then
+       ngx_log(ngx_ERR, err)
+       return
+    end
+    ngx.var.auth_cookie = res.header['Set-Cookie']
+    for i, header_name in ipairs(header_parts) do
+        local varname = "authHeader" .. tostring(i)
+        ngx.var[varname] = res.header[header_name]
+    end
+    return
+end
+
+if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
+    ngx.exit(res.status)
+end
+ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -1185,20 +1185,10 @@ stream {
            {{- end }}
            # `auth_request` module does not support HTTP keepalives in upstream block:
            # https://trac.nginx.org/nginx/ticket/1579
-            access_by_lua_block {
-                local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '', share_all_vars = {{ $externalAuth.KeepaliveShareVars }} })
-                if res.status == ngx.HTTP_OK then
-                    ngx.var.auth_cookie = res.header['Set-Cookie']
-                    {{- range $line := buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}
-                    {{ $line }}
-                    {{- end }}
-                    return
-                end
-                if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
-                    ngx.exit(res.status)
-                end
-                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
-            }
+            set $auth_path '{{ $authPath }}';
+            set $auth_keepalive_share_vars {{ $externalAuth.KeepaliveShareVars }};
+            set $auth_response_headers '{{ buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}';
+            access_by_lua_file /etc/nginx/lua/nginx/ngx_conf_external_auth.lua;
            {{ else }}
            auth_request        {{ $authPath }};
            auth_request_set    $auth_cookie $upstream_http_set_cookie;
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -653,7 +653,7 @@ http {
 				func(server string) bool {
 					return strings.Contains(server, `upstream auth-external-auth`) &&
 						strings.Contains(server, `keepalive 10;`) &&
-						strings.Contains(server, `share_all_vars = false`)
+						strings.Contains(server, `set $auth_keepalive_share_vars false;`)
 				})
 		})

@ -673,7 +673,7 @@ http {
 				func(server string) bool {
 					return strings.Contains(server, `upstream auth-external-auth`) &&
 						strings.Contains(server, `keepalive 10;`) &&
-						strings.Contains(server, `share_all_vars = true`)
+						strings.Contains(server, `set $auth_keepalive_share_vars true;`)
 				})
 		})
 	})