Merge pull request #1435 from aledbf/master

Add header to upstream server for external authentication
2017-09-28 15:46:31 -07:00 · 2017-09-28 15:46:31 -07:00 · cb77efeb02
commit cb77efeb02
parent d514eb61da 8fc6101d3b
3 changed files with 4 additions and 37 deletions
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@ -22,7 +22,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
 	"net/url"
 	"os"
 	"os/exec"
 	"strconv"
@ -150,7 +149,6 @@ var (
 		"serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} {
 			return struct{ First, Second interface{} }{all, server}
 		},
 		"buildAuthSignURL":            buildAuthSignURL,
 		"isValidClientBodyBufferSize": isValidClientBodyBufferSize,
 		"buildForwardedFor":           buildForwardedFor,
 	}
@ -567,22 +565,6 @@ func buildNextUpstream(input interface{}) string {
 	return strings.Join(nextUpstreamCodes, " ")
 }
 func buildAuthSignURL(input interface{}) string {
 	s, ok := input.(string)
 	if !ok {
 		glog.Errorf("expected an 'string' type but %T was returned", input)
 		return ""
 	}
 	u, _ := url.Parse(s)
 	q := u.Query()
 	if len(q) == 0 {
 		return fmt.Sprintf("%v?rd=$request_uri", s)
 	}
 	return fmt.Sprintf("%v&rd=$request_uri", s)
 }
 // buildRandomUUID return a random string to be used in the template
 func buildRandomUUID() string {
 	s := uuid.New()
--- a/controllers/nginx/pkg/template/template_test.go
+++ b/controllers/nginx/pkg/template/template_test.go
@ -310,24 +310,6 @@ func TestBuildResolvers(t *testing.T) {
 	}
 }
 func TestBuildAuthSignURL(t *testing.T) {
 	urlOne := "http://google.com"
 	validUrlOne := "http://google.com?rd=$request_uri"
 	urlTwo := "http://google.com?cat"
 	validUrlTwo := "http://google.com?cat&rd=$request_uri"
 	authSignURLOne := buildAuthSignURL(urlOne)
 	if authSignURLOne != validUrlOne {
 		t.Errorf("Expected '%v' but returned '%v'", validUrlOne, authSignURLOne)
 	}
 	authSignURLTwo := buildAuthSignURL(urlTwo)
 	if authSignURLTwo != validUrlTwo {
 		t.Errorf("Expected '%v' but returned '%v'", validUrlTwo, authSignURLTwo)
 	}
 }
 func TestBuildNextUpstream(t *testing.T) {
 	nextUpstream := "timeout http_500 http_502 non_idempotent"
 	validNextUpstream := "timeout http_500 http_502"
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@ -687,7 +687,7 @@ stream {
            {{ end }}
            {{ if not (empty $location.ExternalAuth.SigninURL) }}
-            error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
+            error_page 401 = $location.ExternalAuth.SigninURL;
            {{ end }}
            {{/* if the location contains a rate limit annotation, create one */}}
@ -746,6 +746,9 @@ stream {
            proxy_set_header X-Original-URI         $request_uri;
            proxy_set_header X-Scheme               $pass_access_scheme;
            {{/* This header is used for external authentication */}}
            proxy_set_header X-Auth-Request-Redirect $request_uri;
            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header Proxy                  "";