fix undefined variable $auth_cookie error when location is denied

(add) isLocationAllowed check before setting the cookie
2020-06-08 11:18:53 -04:00 · 2020-06-08 11:18:53 -04:00 · 7767230e6a
commit 7767230e6a
parent 99aad291a5
2 changed files with 31 additions and 3 deletions
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -1018,7 +1018,7 @@ stream {
        }
        {{ end }}

-
+        {{ if isLocationAllowed $location }}
        {{ if $externalAuth.SigninURL }}
        location {{ buildAuthSignURLLocation $location.Path $externalAuth.SigninURL }} {
            internal;
@ -1028,6 +1028,7 @@ stream {
            return 302 {{ buildAuthSignURL $externalAuth.SigninURL }};
        }
        {{ end }}
+        {{ end }}

        location {{ $path }} {
            {{ $ing := (getIngressInformation $location.Ingress $server.Hostname $location.Path) }}
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -29,6 +29,7 @@ import (
 	"github.com/stretchr/testify/assert"

 	corev1 "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"k8s.io/ingress-nginx/test/e2e/framework"
@ -353,6 +354,8 @@ var _ = framework.DescribeAnnotation("auth-*", func() {

 	ginkgo.Context("when external authentication is configured", func() {
 		host := "auth"
+		var annotations map[string]string
+		var ing *networking.Ingress

 		ginkgo.BeforeEach(func() {
 			f.NewHttpbinDeployment()
@ -367,12 +370,12 @@ var _ = framework.DescribeAnnotation("auth-*", func() {

 			httpbinIP = e.Subsets[0].Addresses[0].IP

-			annotations := map[string]string{
+			annotations = map[string]string{
 				"nginx.ingress.kubernetes.io/auth-url":    fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
 				"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
 			}

-			ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+			ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 			f.EnsureIngress(ing)

 			f.WaitForNginxServer(host, func(server string) bool {
@ -399,6 +402,30 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
 				Status(http.StatusFound).
 				Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d")))
 		})
+
+		ginkgo.It("keeps processing new ingresses even if one of the existing ingresses is misconfigured", func() {
+			annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+			annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something"
+			annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
+			f.UpdateIngress(ing)
+
+			anotherHost := "different"
+			anotherAnnotations := map[string]string{}
+
+			anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations)
+			f.EnsureIngress(anotherIng)
+
+			f.WaitForNginxServer(anotherHost,
+				func(server string) bool {
+					return strings.Contains(server, "server_name "+anotherHost)
+				})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", anotherHost).
+				Expect().
+				Status(http.StatusOK)
+		})
 	})

 	ginkgo.Context("when external authentication with caching is configured", func() {