DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add signin url req support

Browse source
This commit is contained in:
Cole Mickens 2017-01-29 13:52:50 -08:00
parent 3cdbc4120b
commit a4429c70b9
6 changed files with 78 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
controllers/nginx/Makefile
View file

@ -6,6 +6,7 @@ BUILDTAGS=
RELEASE?=0.8.4
PREFIX?=gcr.io/google_containers/nginx-ingress-controller
GOOS?=linux
DOCKER?=gcloud docker
REPO_INFO=$(shell git config --get remote.origin.url)
@ -21,10 +22,10 @@ build: clean
-o rootfs/nginx-ingress-controller ${PKG}/pkg/cmd/controller
container:
docker build -t $(PREFIX):$(RELEASE) rootfs
$(DOCKER) build -t $(PREFIX):$(RELEASE) rootfs
push:
gcloud docker push $(PREFIX):$(RELEASE)
$(DOCKER) push $(PREFIX):$(RELEASE)
fmt:
@echo "+ $@"

2
controllers/nginx/rootfs/Dockerfile
View file

@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
FROM gcr.io/google_containers/nginx-slim:0.13
FROM gcr.io/google_containers/nginx-slim:0.12
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
diffutils \

8
controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
View file

@ -235,6 +235,8 @@ http {
{{ end }}
{{ if not (empty $location.ExternalAuth.Method) }}
proxy_method {{ $location.ExternalAuth.Method }};
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $scheme;
{{ end }}
proxy_set_header Host $host;
proxy_pass_request_headers on;
@ -259,6 +261,10 @@ http {
# this location requires authentication
auth_request {{ $authPath }};
{{ end }}
{{ if not (empty $location.ExternalAuth.SigninURL) }}
error_page 401 = {{ $location.ExternalAuth.SigninURL }};
{{ end }}
{{ if (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect) }}
# enforce ssl on server side
@ -301,6 +307,8 @@ http {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $scheme;
# mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/

42
core/pkg/ingress/annotations/authreq/main.go
View file

@ -17,9 +17,6 @@ limitations under the License.
package authreq
import (
"net/url"
"strings"
"k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/ingress/core/pkg/ingress/annotations/parser"
@ -28,16 +25,18 @@ import (
const (
// external URL that provides the authentication
authURL = "ingress.kubernetes.io/auth-url"
authMethod = "ingress.kubernetes.io/auth-method"
authBody = "ingress.kubernetes.io/auth-send-body"
authURL = "ingress.kubernetes.io/auth-url"
authSigninURL = "ingress.kubernetes.io/auth-signin"
authMethod = "ingress.kubernetes.io/auth-method"
authBody = "ingress.kubernetes.io/auth-send-body"
)
// External returns external authentication configuration for an Ingress rule
type External struct {
URL string `json:"url"`
Method string `json:"method"`
SendBody bool `json:"sendBody"`
URL string `json:"url"`
SigninURL string `json:"signinUrl"`
Method string `json:"method"`
SendBody bool `json:"sendBody"`
}
var (
@ -68,29 +67,15 @@ func NewParser() parser.IngressAnnotation {
// ParseAnnotations parses the annotations contained in the ingress
// rule used to use an external URL as source for authentication
func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
str, err := parser.GetStringAnnotation(authURL, ing)
auth, err := parser.GetURLAnnotation(authURL, ing)
if err != nil {
return nil, err
}
if str == "" {
return nil, ing_errors.NewLocationDenied("an empty string is not a valid URL")
}
ur, err := url.Parse(str)
signin, err := parser.GetURLAnnotation(authSigninURL, ing)
if err != nil {
return nil, err
}
if ur.Scheme == "" {
return nil, ing_errors.NewLocationDenied("url scheme is empty")
}
if ur.Host == "" {
return nil, ing_errors.NewLocationDenied("url host is empty")
}
if strings.Contains(ur.Host, "..") {
return nil, ing_errors.NewLocationDenied("invalid url host")
}
m, _ := parser.GetStringAnnotation(authMethod, ing)
if len(m) != 0 && !validMethod(m) {
@ -100,8 +85,9 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
sb, _ := parser.GetBoolAnnotation(authBody, ing)
return &External{
URL: str,
Method: m,
SendBody: sb,
URL: auth.String(),
SigninURL: signin.String(),
Method: m,
SendBody: sb,
}, nil
}

29
core/pkg/ingress/annotations/authreq/main_test.go
View file

@ -67,23 +67,25 @@ func TestAnnotations(t *testing.T) {
ing.SetAnnotations(data)
tests := []struct {
title string
url string
method string
sendBody bool
expErr bool
title string
url string
signinURL string
method string
sendBody bool
expErr bool
}{
{"empty", "", "", false, true},
{"no scheme", "bar", "", false, true},
{"invalid host", "http://", "", false, true},
{"invalid host (multiple dots)", "http://foo..bar.com", "", false, true},
{"valid URL", "http://bar.foo.com/external-auth", "", false, false},
{"valid URL - send body", "http://foo.com/external-auth", "POST", true, false},
{"valid URL - send body", "http://foo.com/external-auth", "GET", true, false},
{"empty", "", "", "", false, true},
{"no scheme", "bar", "bar", "", false, true},
{"invalid host", "http://", "http://", "", false, true},
{"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", false, true},
{"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false, false},
{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", true, false},
{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", true, false},
}
for _, test := range tests {
data[authURL] = test.url
data[authSigninURL] = test.signinURL
data[authBody] = fmt.Sprintf("%v", test.sendBody)
data[authMethod] = fmt.Sprintf("%v", test.method)
@ -101,6 +103,9 @@ func TestAnnotations(t *testing.T) {
if u.URL != test.url {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL)
}
if u.SigninURL != test.signinURL {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.signinURL, u.SigninURL)
}
if u.Method != test.method {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
}

35
core/pkg/ingress/annotations/parser/main.go
View file

@ -17,7 +17,9 @@ limitations under the License.
package parser
import (
"net/url"
"strconv"
"strings"
"k8s.io/kubernetes/pkg/apis/extensions"
@ -51,6 +53,30 @@ func (a ingAnnotations) parseString(name string) (string, error) {
return "", errors.ErrMissingAnnotations
}
func (a ingAnnotations) parseURL(name string) (*url.URL, error) {
val, ok := a[name]
if ok {
ur, err := url.Parse(val)
if err != nil {
return nil, err
}
if ur.Scheme == "" {
return nil, errors.NewLocationDenied("url scheme is empty")
}
if ur.Host == "" {
return nil, errors.NewLocationDenied("url host is empty")
}
if val == "" {
return nil, errors.NewLocationDenied("an empty string is not a valid URL")
}
if strings.Contains(ur.Host, "..") {
return nil, errors.NewLocationDenied("invalid url host")
}
return ur, nil
}
return nil, errors.ErrMissingAnnotations
}
func (a ingAnnotations) parseInt(name string) (int, error) {
val, ok := a[name]
if ok {
@ -100,3 +126,12 @@ func GetIntAnnotation(name string, ing *extensions.Ingress) (int, error) {
}
return ingAnnotations(ing.GetAnnotations()).parseInt(name)
}
// GetUrlAnnotation extracts a URL from an Ingress annotation
func GetURLAnnotation(name string, ing *extensions.Ingress) (*url.URL, error) {
err := checkAnnotation(name, ing)
if err != nil {
return nil, err
}
return ingAnnotations(ing.GetAnnotations()).parseURL(name)
}