DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor whitelist from map to standard allow directives

Browse source
This commit is contained in:
Manuel Alejandro de Brito Fontes 2019-05-27 04:55:38 -04:00
parent 24cb0e5d0b
commit c4597522bf
No known key found for this signature in database
GPG key ID: 786136016A8BA02A
2 changed files with 6 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -419,27 +419,6 @@ http {
{{ end }} {{ end }}
} }
{{/* build the maps that will be use to validate the Whitelist */}}
{{ range $server := $servers }}
{{ $enforceRegex := enforceRegexModifier $server.Locations }}
{{ range $location := $server.Locations }}
{{ $path := buildLocation $location $enforceRegex }}
{{ if isLocationAllowed $location }}
{{ if gt (len $location.Whitelist.CIDR) 0 }}
# Deny for {{ print $server.Hostname $path }}
geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_" $path) }} {
default 1;
{{ range $ip := $location.Whitelist.CIDR }}
{{ $ip }} 0;{{ end }}
}
{{ end }}
{{ end }}
{{ end }}
{{ end }}
{{ range $rl := (filterRateLimits $servers ) }} {{ range $rl := (filterRateLimits $servers ) }}
# Ratelimit {{ $rl.Name }} # Ratelimit {{ $rl.Name }}
geo $the_real_ip $whitelist_{{ $rl.ID }} { geo $the_real_ip $whitelist_{{ $rl.ID }} {
@ -1134,9 +1113,9 @@ stream {
{{ if isLocationAllowed $location }} {{ if isLocationAllowed $location }}
{{ if gt (len $location.Whitelist.CIDR) 0 }} {{ if gt (len $location.Whitelist.CIDR) 0 }}
if ({{ buildDenyVariable (print $server.Hostname "_" $path) }}) { {{ range $ip := $location.Whitelist.CIDR }}
return 403; allow {{ $ip }};{{ end }}
} deny all;
{{ end }} {{ end }}
{{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }} {{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}

30
test/e2e/annotations/ipwhitelist.go
View file

@ -17,7 +17,6 @@ limitations under the License.
package annotations package annotations
import ( import (
"regexp"
"strings" "strings"
. "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo"
@ -46,34 +45,11 @@ var _ = framework.IngressNginxDescribe("Annotations - IPWhiteList", func() {
ing := framework.NewSingleIngress(host, "/", host, nameSpace, "http-svc", 80, &annotations) ing := framework.NewSingleIngress(host, "/", host, nameSpace, "http-svc", 80, &annotations)
f.EnsureIngress(ing) f.EnsureIngress(ing)
denyRegex := regexp.MustCompile("geo \\$the_real_ip \\$deny_[A-Za-z]{32}")
denyString := ""
f.WaitForNginxConfiguration(
func(conf string) bool {
match := denyRegex.FindStringSubmatch(conf)
// If no match found, return false
if !(len(match) > 0) {
return false
}
denyString = strings.Replace(match[0], "geo $the_real_ip ", "", -1)
return strings.Contains(conf, match[0])
})
ipOne := "18.0.0.0/8 0;"
ipTwo := "56.0.0.0/8 0;"
f.WaitForNginxConfiguration(
func(conf string) bool {
return strings.Contains(conf, ipOne) && strings.Contains(conf, ipTwo)
})
denyStatement := "if (" + denyString + ")"
f.WaitForNginxServer(host, f.WaitForNginxServer(host,
func(server string) bool { func(server string) bool {
return strings.Contains(server, denyStatement) return strings.Contains(server, "allow 18.0.0.0/8;") &&
strings.Contains(server, "allow 56.0.0.0/8;") &&
strings.Contains(server, "deny all;")
}) })
}) })
}) })