DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Lua: Extract external auth into file. (#12250)

Browse source 
Co-authored-by: Marco Ebert <marco_ebert@icloud.com>
This commit is contained in:
Ricardo Katz 2024-10-29 10:22:54 -03:00 committed by GitHub
parent 6608eb23b0
commit 7356c4f40f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 40 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
internal/ingress/controller/template/template.go
View file

@ -602,17 +602,12 @@ func buildAuthResponseHeaders(proxySetHeader string, headers []string, lua bool)
return res return res
} }
func buildAuthUpstreamLuaHeaders(headers []string) []string { func buildAuthUpstreamLuaHeaders(headers []string) string {
res := []string{}
if len(headers) == 0 { if len(headers) == 0 {
return res return ""
} }
for i, h := range headers { return strings.Join(headers, ",")
res = append(res, fmt.Sprintf("ngx.var.authHeader%d = res.header['%s']", i, h))
}
return res
} }
func buildAuthProxySetHeaders(headers map[string]string) []string { func buildAuthProxySetHeaders(headers map[string]string) []string {

5
internal/ingress/controller/template/template_test.go
View file

@ -537,10 +537,7 @@ func TestBuildAuthResponseHeaders(t *testing.T) {
func TestBuildAuthResponseLua(t *testing.T) { func TestBuildAuthResponseLua(t *testing.T) {
externalAuthResponseHeaders := []string{"h1", "H-With-Caps-And-Dashes"} externalAuthResponseHeaders := []string{"h1", "H-With-Caps-And-Dashes"}
expected := []string{ expected := "h1,H-With-Caps-And-Dashes"
"ngx.var.authHeader0 = res.header['h1']",
"ngx.var.authHeader1 = res.header['H-With-Caps-And-Dashes']",
}
headers := buildAuthUpstreamLuaHeaders(externalAuthResponseHeaders) headers := buildAuthUpstreamLuaHeaders(externalAuthResponseHeaders)

30
rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua Normal file
View file

@ -0,0 +1,30 @@
local auth_path = ngx.var.auth_path
local auth_keepalive_share_vars = ngx.var.auth_keepalive_share_vars
local auth_response_headers = ngx.var.auth_response_headers
local ngx_re_split = require("ngx.re").split
local ipairs = ipairs
local ngx_log = ngx.log
local ngx_ERR = ngx.ERR
local res = ngx.location.capture(auth_path, {
method = ngx.HTTP_GET, body = '',
share_all_vars = auth_keepalive_share_vars })
if res.status == ngx.HTTP_OK then
local header_parts, err = ngx_re_split(auth_response_headers, ",")
if err then
ngx_log(ngx_ERR, err)
return
end
ngx.var.auth_cookie = res.header['Set-Cookie']
for i, header_name in ipairs(header_parts) do
local varname = "authHeader" .. tostring(i)
ngx.var[varname] = res.header[header_name]
end
return
end
if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
ngx.exit(res.status)
end
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)

18
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -1185,20 +1185,10 @@ stream {
{{- end }} {{- end }}
# `auth_request` module does not support HTTP keepalives in upstream block: # `auth_request` module does not support HTTP keepalives in upstream block:
# https://trac.nginx.org/nginx/ticket/1579 # https://trac.nginx.org/nginx/ticket/1579
access_by_lua_block { set $auth_path '{{ $authPath }}';
local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '', share_all_vars = {{ $externalAuth.KeepaliveShareVars }} }) set $auth_keepalive_share_vars {{ $externalAuth.KeepaliveShareVars }};
if res.status == ngx.HTTP_OK then set $auth_response_headers '{{ buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}';
ngx.var.auth_cookie = res.header['Set-Cookie'] access_by_lua_file /etc/nginx/lua/nginx/ngx_conf_external_auth.lua;
{{- range $line := buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}
{{ $line }}
{{- end }}
return
end
if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
ngx.exit(res.status)
end
ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
}
{{ else }} {{ else }}
auth_request {{ $authPath }}; auth_request {{ $authPath }};
auth_request_set $auth_cookie $upstream_http_set_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie;

4
test/e2e/annotations/auth.go
View file

@ -653,7 +653,7 @@ http {
func(server string) bool { func(server string) bool {
return strings.Contains(server, `upstream auth-external-auth`) && return strings.Contains(server, `upstream auth-external-auth`) &&
strings.Contains(server, `keepalive 10;`) && strings.Contains(server, `keepalive 10;`) &&
strings.Contains(server, `share_all_vars = false`) strings.Contains(server, `set $auth_keepalive_share_vars false;`)
}) })
}) })
@ -673,7 +673,7 @@ http {
func(server string) bool { func(server string) bool {
return strings.Contains(server, `upstream auth-external-auth`) && return strings.Contains(server, `upstream auth-external-auth`) &&
strings.Contains(server, `keepalive 10;`) && strings.Contains(server, `keepalive 10;`) &&
strings.Contains(server, `share_all_vars = true`) strings.Contains(server, `set $auth_keepalive_share_vars true;`)
}) })
}) })
}) })