DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add signin url req support

Browse source
This commit is contained in:
Cole Mickens 2017-01-29 13:52:50 -08:00
parent b9d272acf4
commit b9d0878ed2
5 changed files with 79 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
controllers/nginx/Makefile
View file

@ -6,6 +6,7 @@ BUILDTAGS=
RELEASE?=0.9.0-beta.1 RELEASE?=0.9.0-beta.1
PREFIX?=gcr.io/google_containers/nginx-ingress-controller PREFIX?=gcr.io/google_containers/nginx-ingress-controller
GOOS?=linux GOOS?=linux
DOCKER?=gcloud docker
REPO_INFO=$(shell git config --get remote.origin.url) REPO_INFO=$(shell git config --get remote.origin.url)
@ -20,11 +21,11 @@ build: clean
-ldflags "-s -w -X ${PKG}/pkg/version.RELEASE=${RELEASE} -X ${PKG}/pkg/version.COMMIT=${COMMIT} -X ${PKG}/pkg/version.REPO=${REPO_INFO}" \ -ldflags "-s -w -X ${PKG}/pkg/version.RELEASE=${RELEASE} -X ${PKG}/pkg/version.COMMIT=${COMMIT} -X ${PKG}/pkg/version.REPO=${REPO_INFO}" \
-o rootfs/nginx-ingress-controller ${PKG}/pkg/cmd/controller -o rootfs/nginx-ingress-controller ${PKG}/pkg/cmd/controller
container: build container:
docker build -t $(PREFIX):$(RELEASE) rootfs $(DOCKER) build -t $(PREFIX):$(RELEASE) rootfs
push: container push:
gcloud docker push $(PREFIX):$(RELEASE) $(DOCKER) push $(PREFIX):$(RELEASE)
fmt: fmt:
@echo "+ $@" @echo "+ $@"

8
controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
View file

@ -235,6 +235,8 @@ http {
{{ end }} {{ end }}
{{ if not (empty $location.ExternalAuth.Method) }} {{ if not (empty $location.ExternalAuth.Method) }}
proxy_method {{ $location.ExternalAuth.Method }}; proxy_method {{ $location.ExternalAuth.Method }};
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $scheme;
{{ end }} {{ end }}
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_pass_request_headers on; proxy_pass_request_headers on;
@ -260,6 +262,10 @@ http {
auth_request {{ $authPath }}; auth_request {{ $authPath }};
{{ end }} {{ end }}
{{ if not (empty $location.ExternalAuth.SigninURL) }}
error_page 401 = {{ $location.ExternalAuth.SigninURL }};
{{ end }}
{{ if (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect) }} {{ if (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect) }}
# enforce ssl on server side # enforce ssl on server side
if ($scheme = http) { if ($scheme = http) {
@ -301,6 +307,8 @@ http {
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $pass_port; proxy_set_header X-Forwarded-Port $pass_port;
proxy_set_header X-Forwarded-Proto $pass_access_scheme; proxy_set_header X-Forwarded-Proto $pass_access_scheme;
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Scheme $scheme;
# mitigate HTTPoxy Vulnerability # mitigate HTTPoxy Vulnerability
# https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/

26
core/pkg/ingress/annotations/authreq/main.go
View file

@ -17,9 +17,6 @@ limitations under the License.
package authreq package authreq
import ( import (
"net/url"
"strings"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/ingress/core/pkg/ingress/annotations/parser" "k8s.io/ingress/core/pkg/ingress/annotations/parser"
@ -29,6 +26,7 @@ import (
const ( const (
// external URL that provides the authentication // external URL that provides the authentication
authURL = "ingress.kubernetes.io/auth-url" authURL = "ingress.kubernetes.io/auth-url"
authSigninURL = "ingress.kubernetes.io/auth-signin"
authMethod = "ingress.kubernetes.io/auth-method" authMethod = "ingress.kubernetes.io/auth-method"
authBody = "ingress.kubernetes.io/auth-send-body" authBody = "ingress.kubernetes.io/auth-send-body"
) )
@ -36,6 +34,7 @@ const (
// External returns external authentication configuration for an Ingress rule // External returns external authentication configuration for an Ingress rule
type External struct { type External struct {
URL string `json:"url"` URL string `json:"url"`
SigninURL string `json:"signinUrl"`
Method string `json:"method"` Method string `json:"method"`
SendBody bool `json:"sendBody"` SendBody bool `json:"sendBody"`
} }
@ -68,29 +67,15 @@ func NewParser() parser.IngressAnnotation {
// ParseAnnotations parses the annotations contained in the ingress // ParseAnnotations parses the annotations contained in the ingress
// rule used to use an external URL as source for authentication // rule used to use an external URL as source for authentication
func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) { func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
str, err := parser.GetStringAnnotation(authURL, ing) auth, err := parser.GetURLAnnotation(authURL, ing)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if str == "" { signin, err := parser.GetURLAnnotation(authSigninURL, ing)
return nil, ing_errors.NewLocationDenied("an empty string is not a valid URL")
}
ur, err := url.Parse(str)
if err != nil { if err != nil {
return nil, err return nil, err
} }
if ur.Scheme == "" {
return nil, ing_errors.NewLocationDenied("url scheme is empty")
}
if ur.Host == "" {
return nil, ing_errors.NewLocationDenied("url host is empty")
}
if strings.Contains(ur.Host, "..") {
return nil, ing_errors.NewLocationDenied("invalid url host")
}
m, _ := parser.GetStringAnnotation(authMethod, ing) m, _ := parser.GetStringAnnotation(authMethod, ing)
if len(m) != 0 && !validMethod(m) { if len(m) != 0 && !validMethod(m) {
@ -100,7 +85,8 @@ func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
sb, _ := parser.GetBoolAnnotation(authBody, ing) sb, _ := parser.GetBoolAnnotation(authBody, ing)
return &External{ return &External{
URL: str, URL: auth.String(),
SigninURL: signin.String(),
Method: m, Method: m,
SendBody: sb, SendBody: sb,
}, nil }, nil

19
core/pkg/ingress/annotations/authreq/main_test.go
View file

@ -69,21 +69,23 @@ func TestAnnotations(t *testing.T) {
tests := []struct { tests := []struct {
title string title string
url string url string
signinURL string
method string method string
sendBody bool sendBody bool
expErr bool expErr bool
}{ }{
{"empty", "", "", false, true}, {"empty", "", "", "", false, true},
{"no scheme", "bar", "", false, true}, {"no scheme", "bar", "bar", "", false, true},
{"invalid host", "http://", "", false, true}, {"invalid host", "http://", "http://", "", false, true},
{"invalid host (multiple dots)", "http://foo..bar.com", "", false, true}, {"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", false, true},
{"valid URL", "http://bar.foo.com/external-auth", "", false, false}, {"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false, false},
{"valid URL - send body", "http://foo.com/external-auth", "POST", true, false}, {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", true, false},
{"valid URL - send body", "http://foo.com/external-auth", "GET", true, false}, {"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", true, false},
} }
for _, test := range tests { for _, test := range tests {
data[authURL] = test.url data[authURL] = test.url
data[authSigninURL] = test.signinURL
data[authBody] = fmt.Sprintf("%v", test.sendBody) data[authBody] = fmt.Sprintf("%v", test.sendBody)
data[authMethod] = fmt.Sprintf("%v", test.method) data[authMethod] = fmt.Sprintf("%v", test.method)
@ -101,6 +103,9 @@ func TestAnnotations(t *testing.T) {
if u.URL != test.url { if u.URL != test.url {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL) t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL)
} }
if u.SigninURL != test.signinURL {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.signinURL, u.SigninURL)
}
if u.Method != test.method { if u.Method != test.method {
t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method) t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
} }

35
core/pkg/ingress/annotations/parser/main.go
View file

@ -17,7 +17,9 @@ limitations under the License.
package parser package parser
import ( import (
"net/url"
"strconv" "strconv"
"strings"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/extensions"
@ -51,6 +53,30 @@ func (a ingAnnotations) parseString(name string) (string, error) {
return "", errors.ErrMissingAnnotations return "", errors.ErrMissingAnnotations
} }
func (a ingAnnotations) parseURL(name string) (*url.URL, error) {
val, ok := a[name]
if ok {
ur, err := url.Parse(val)
if err != nil {
return nil, err
}
if ur.Scheme == "" {
return nil, errors.NewLocationDenied("url scheme is empty")
}
if ur.Host == "" {
return nil, errors.NewLocationDenied("url host is empty")
}
if val == "" {
return nil, errors.NewLocationDenied("an empty string is not a valid URL")
}
if strings.Contains(ur.Host, "..") {
return nil, errors.NewLocationDenied("invalid url host")
}
return ur, nil
}
return nil, errors.ErrMissingAnnotations
}
func (a ingAnnotations) parseInt(name string) (int, error) { func (a ingAnnotations) parseInt(name string) (int, error) {
val, ok := a[name] val, ok := a[name]
if ok { if ok {
@ -100,3 +126,12 @@ func GetIntAnnotation(name string, ing *extensions.Ingress) (int, error) {
} }
return ingAnnotations(ing.GetAnnotations()).parseInt(name) return ingAnnotations(ing.GetAnnotations()).parseInt(name)
} }
// GetUrlAnnotation extracts a URL from an Ingress annotation
func GetURLAnnotation(name string, ing *extensions.Ingress) (*url.URL, error) {
err := checkAnnotation(name, ing)
if err != nil {
return nil, err
}
return ingAnnotations(ing.GetAnnotations()).parseURL(name)
}