From c4597522bf3e8cab779fc798dbbf4e5989126a29 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Mon, 27 May 2019 04:55:38 -0400
Subject: [PATCH 1/2] Refactor whitelist from map to standard allow directives
---
 rootfs/etc/nginx/template/nginx.tmpl | 27 +++----------------------
 test/e2e/annotations/ipwhitelist.go | 30 +++-------------------------
 2 files changed, 6 insertions(+), 51 deletions(-)
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index ebdfcde5d..fccb83cca 100755
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -419,27 +419,6 @@ http {
 {{ end }}
 }
- {{/* build the maps that will be use to validate the Whitelist */}}
- {{ range $server := $servers }}
- {{ $enforceRegex := enforceRegexModifier $server.Locations }}
- {{ range $location := $server.Locations }}
- {{ $path := buildLocation $location $enforceRegex }}
-
- {{ if isLocationAllowed $location }}
- {{ if gt (len $location.Whitelist.CIDR) 0 }}
-
- # Deny for {{ print $server.Hostname $path }}
- geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} {
- default 1;
-
- {{ range $ip := $location.Whitelist.CIDR }}
- {{ $ip }} 0;{{ end }}
- }
- {{ end }}
- {{ end }}
- {{ end }}
- {{ end }}
-
 {{ range $rl := (filterRateLimits $servers ) }}
 # Ratelimit {{ $rl.Name }}
 geo $the_real_ip $whitelist_{{ $rl.ID }} {
@@ -1134,9 +1113,9 @@ stream {
 {{ if isLocationAllowed $location }}
 {{ if gt (len $location.Whitelist.CIDR) 0 }}
- if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) {
- return 403;
- }
+ {{ range $ip := $location.Whitelist.CIDR }}
+ allow {{ $ip }};{{ end }}
+ deny all;
 {{ end }}
 {{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}
diff --git a/test/e2e/annotations/ipwhitelist.go b/test/e2e/annotations/ipwhitelist.go
index 321ca236d..74fd12d0f 100644
--- a/test/e2e/annotations/ipwhitelist.go
+++ b/test/e2e/annotations/ipwhitelist.go
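Review bot: The added `allow`/`deny all;` lines are evaluated by ngx_http_access_module against `$remote_addr` in the access phase, whereas the removed `if (...) { return 403; }` tested the template's own `$the_real_ip` variable unconditionally, so which address gets checked now depends on the realip configuration rendered elsewhere in the template (outside this hunk), and the decision participates in any `satisfy` directive emitted for the same location. That is presumably the intended behaviour when `set_real_ip_from`/`real_ip_header` cover the upstream proxy, but the commit message does not record the change in semantics, and a location that also renders `satisfy any;` no longer treats the allowlist as an unconditional 403. I would add a comment above the `{{ range $ip := $location.Whitelist.CIDR }}` line: `# whitelist-source-range: ngx_http_access_module matches $remote_addr (post-realip) and honours satisfy`. The enclosing `range`/`if` blocks begin and end outside the hunk.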
@@ -17,7 +17,6 @@ limitations under the License.
 package annotations
 import (
- "regexp"
 "strings"
 . "github.com/onsi/ginkgo"
@@ -46,34 +45,11 @@ var _ = framework.IngressNginxDescribe("Annotations - IPWhiteList", func() {
 ing := framework.NewSingleIngress(host, "/", host, nameSpace, "http-svc", 80, &annotations)
 f.EnsureIngress(ing)
- denyRegex := regexp.MustCompile("geo \\$the_real_ip \\$deny_[A-Za-z]{32}")
- denyString := ""
-
- f.WaitForNginxConfiguration(
- func(conf string) bool {
-
- match := denyRegex.FindStringSubmatch(conf)
- // If no match found, return false
- if !(len(match) > 0) {
- return false
- }
-
- denyString = strings.Replace(match[0], "geo $the_real_ip ", "", -1)
- return strings.Contains(conf, match[0])
- })
-
- ipOne := "18.0.0.0/8 0;"
- ipTwo := "56.0.0.0/8 0;"
-
- f.WaitForNginxConfiguration(
- func(conf string) bool {
- return strings.Contains(conf, ipOne) && strings.Contains(conf, ipTwo)
- })
-
- denyStatement := "if (" + denyString + ")"
 f.WaitForNginxServer(host,
 func(server string) bool {
- return strings.Contains(server, denyStatement)
+ return strings.Contains(server, "allow 18.0.0.0/8;") &&
+ strings.Contains(server, "allow 56.0.0.0/8;") &&
+ strings.Contains(server, "deny all;")
 })
 })
 })
From c2227a058dbfc350dd00949e022d890858b7b4f1 Mon Sep 17 00:00:00 2001
From: Manuel Alejandro de Brito Fontes
Date: Mon, 27 May 2019 06:31:01 -0400
Subject: [PATCH 2/2] Refactor e2e test
---
 test/e2e/settings/configmap_change.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/test/e2e/settings/configmap_change.go b/test/e2e/settings/configmap_change.go
index e19fdf319..bacb90c21 100644
--- a/test/e2e/settings/configmap_change.go
+++ b/test/e2e/settings/configmap_change.go
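Review bot: The three `strings.Contains` checks on the new side accept the directives in any order, so a rendered block with `deny all;` ahead of the `allow` lines (which nginx would treat as rejecting every client, since access rules apply first-match) still passes, whereas the removed assertions pinned the exact geo map entries. Ordering is cheap to assert: `allowIdx := strings.Index(server, "allow 18.0.0.0/8;")`, `denyIdx := strings.Index(server, "deny all;")`, `return allowIdx >= 0 && strings.Contains(server, "allow 56.0.0.0/8;") && denyIdx > allowIdx`. Confirming that the directives sit inside the `location /` block rather than anywhere in the server would be stronger still, if the framework exposes that. The enclosing test function begins before the hunk.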
@@ -60,8 +60,7 @@ var _ = framework.IngressNginxDescribe("Configmap change", func() {
 checksum = match[1]
 }
- return strings.Contains(cfg, "geo $the_real_ip $deny_") &&
- strings.Contains(cfg, "1.1.1.1 0")
+ return strings.Contains(cfg, "allow 1.1.1.1;")
 })
 Expect(checksum).NotTo(BeEmpty())
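Review bot: The new condition only confirms that `allow 1.1.1.1;` was rendered somewhere in the configuration; the `deny all;` that makes the allowlist effective is no longer asserted, while the removed pair checked both the geo map and its entry. If the intent is merely to detect that the configuration changed before the checksum comparison that follows, a short comment such as `// only confirms the whitelist rendered; enforcement is covered by the ipwhitelist e2e test` would make that explicit; otherwise extend it with `&& strings.Contains(cfg, "deny all;")`, keeping in mind that a whole-config search will also match any `deny all;` the template emits for other locations. The enclosing closure and test function begin before the hunk.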