Merge pull request #4101 from aledbf/reftactor-whitelist
Refactor whitelist from map to standard allow directives
This commit is contained in:
Kubernetes Prow Robot
GitHub
commit
bf11e2ef63
3 changed files with 7 additions and 53 deletions
|
|
@ -419,27 +419,6 @@ http {
|
|||
{{ end }}
|
||||
}
|
||||
|
||||
{{/* build the maps that will be use to validate the Whitelist */}}
|
||||
{{ range $server := $servers }}
|
||||
{{ $enforceRegex := enforceRegexModifier $server.Locations }}
|
||||
{{ range $location := $server.Locations }}
|
||||
{{ $path := buildLocation $location $enforceRegex }}
|
||||
|
||||
{{ if isLocationAllowed $location }}
|
||||
{{ if gt (len $location.Whitelist.CIDR) 0 }}
|
||||
|
||||
# Deny for {{ print $server.Hostname $path }}
|
||||
geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} {
|
||||
default 1;
|
||||
|
||||
{{ range $ip := $location.Whitelist.CIDR }}
|
||||
{{ $ip }} 0;{{ end }}
|
||||
}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
{{ end }}
|
||||
|
||||
{{ range $rl := (filterRateLimits $servers ) }}
|
||||
# Ratelimit {{ $rl.Name }}
|
||||
geo $the_real_ip $whitelist_{{ $rl.ID }} {
|
||||
|
|
@ -1134,9 +1113,9 @@ stream {
|
|||
|
||||
{{ if isLocationAllowed $location }}
|
||||
{{ if gt (len $location.Whitelist.CIDR) 0 }}
|
||||
if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) {
|
||||
return 403;
|
||||
}
|
||||
{{ range $ip := $location.Whitelist.CIDR }}
|
||||
allow {{ $ip }};{{ end }}
|
||||
deny all;
|
||||
{{ end }}
|
||||
|
||||
{{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ limitations under the License.
|
|||
package annotations
|
||||
|
||||
import (
|
||||
"regexp"
|
||||
"strings"
|
||||
|
||||
. "github.com/onsi/ginkgo"
|
||||
|
|
@ -46,34 +45,11 @@ var _ = framework.IngressNginxDescribe("Annotations - IPWhiteList", func() {
|
|||
ing := framework.NewSingleIngress(host, "/", host, nameSpace, "http-svc", 80, &annotations)
|
||||
f.EnsureIngress(ing)
|
||||
|
||||
denyRegex := regexp.MustCompile("geo \\$the_real_ip \\$deny_[A-Za-z]{32}")
|
||||
denyString := ""
|
||||
|
||||
f.WaitForNginxConfiguration(
|
||||
func(conf string) bool {
|
||||
|
||||
match := denyRegex.FindStringSubmatch(conf)
|
||||
// If no match found, return false
|
||||
if !(len(match) > 0) {
|
||||
return false
|
||||
}
|
||||
|
||||
denyString = strings.Replace(match[0], "geo $the_real_ip ", "", -1)
|
||||
return strings.Contains(conf, match[0])
|
||||
})
|
||||
|
||||
ipOne := "18.0.0.0/8 0;"
|
||||
ipTwo := "56.0.0.0/8 0;"
|
||||
|
||||
f.WaitForNginxConfiguration(
|
||||
func(conf string) bool {
|
||||
return strings.Contains(conf, ipOne) && strings.Contains(conf, ipTwo)
|
||||
})
|
||||
|
||||
denyStatement := "if (" + denyString + ")"
|
||||
f.WaitForNginxServer(host,
|
||||
func(server string) bool {
|
||||
return strings.Contains(server, denyStatement)
|
||||
return strings.Contains(server, "allow 18.0.0.0/8;") &&
|
||||
strings.Contains(server, "allow 56.0.0.0/8;") &&
|
||||
strings.Contains(server, "deny all;")
|
||||
})
|
||||
})
|
||||
})
|
||||
|
|
|
|||
|
|
@ -60,8 +60,7 @@ var _ = framework.IngressNginxDescribe("Configmap change", func() {
|
|||
checksum = match[1]
|
||||
}
|
||||
|
||||
return strings.Contains(cfg, "geo $the_real_ip $deny_") &&
|
||||
strings.Contains(cfg, "1.1.1.1 0")
|
||||
return strings.Contains(cfg, "allow 1.1.1.1;")
|
||||
})
|
||||
Expect(checksum).NotTo(BeEmpty())
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue