Merge pull request #4826 from ElvinEfendi/fix-duplicate-hsts

regression test and fix for duplicate hsts bug
2019-12-12 11:10:32 -08:00 · 2019-12-12 11:10:32 -08:00 · cf03ae39c2
commit cf03ae39c2
parent d5e197c3e2 162ecb97e9
6 changed files with 25 additions and 1 deletions
--- a/build/dev-env.sh
+++ b/build/dev-env.sh
@ -36,7 +36,8 @@ DEV_IMAGE=${REGISTRY}/nginx-ingress-controller:${TAG}
 { [ "$(minikube status | grep -c Running)" -ge 2 ] && minikube status | grep -qE ': Configured$|Correctly Configured'; } \
  || minikube start \
    --extra-config=kubelet.sync-frequency=1s \
-    --extra-config=apiserver.authorization-mode=RBAC
+    --extra-config=apiserver.authorization-mode=RBAC \
+    --kubernetes-version=v1.15.0

 # shellcheck disable=SC2046
 eval $(minikube docker-env --shell bash)
--- a/build/run-e2e-suite.sh
+++ b/build/run-e2e-suite.sh
@ -69,6 +69,8 @@ until kubectl get secret | grep -q -e ^ingress-nginx-e2e-token; do \
  sleep 3; \
 done

+echo -e "Starting the e2e test pod"
+
 kubectl run --rm \
  --attach \
  --restart=Never \
--- a/rootfs/etc/nginx/lua/lua_ingress.lua
+++ b/rootfs/etc/nginx/lua/lua_ingress.lua
@ -142,7 +142,9 @@ function _M.rewrite(location_config)

    ngx_redirect(uri, config.http_redirect_code)
  end
+end

+function _M.header()
  if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_current_request then
    local value = "max-age=" .. config.hsts_max_age
    if config.hsts_include_subdomains then
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -991,6 +991,7 @@ stream {
            #}

            header_filter_by_lua_block {
+                lua_ingress.header()
                plugins.run()
            }

--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@ -127,6 +127,12 @@ Request Body:
 		location / {
 			lua_need_request_body on;

+			header_filter_by_lua_block {
+				if ngx.var.arg_hsts == "true" then
+					ngx.header["Strict-Transport-Security"] = "max-age=3600; preload"
+				end
+			}
+
 			content_by_lua_block {
 				ngx.header["Server"] = "echoserver"

--- a/test/e2e/settings/tls.go
+++ b/test/e2e/settings/tls.go
@ -154,6 +154,18 @@ var _ = framework.IngressNginxDescribe("Settings - TLS)", func() {
 		Expect(errs).Should(BeEmpty())
 		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 		Expect(resp.Header.Get("Strict-Transport-Security")).Should(Equal("max-age=86400; preload"))
+
+		By("overriding what's set from the upstream")
+
+		// we can not use gorequest here because it flattens the duplicate headers
+		// and specifically in case of Strict-Transport-Security it ignore extra headers
+		// intead of concatenating, rightfully. And I don't know of any API it provides for getting raw headers.
+		curlCmd := fmt.Sprintf("curl -I -k --fail --silent --resolve settings-tls:443:127.0.0.1 https://settings-tls/%v", "?hsts=true")
+		output, err := f.ExecIngressPod(curlCmd)
+		Expect(err).ToNot(HaveOccurred())
+		Expect(output).Should(ContainSubstring("strict-transport-security: max-age=86400; preload"))
+		// this is what the upstream sets
+		Expect(output).ShouldNot(ContainSubstring("strict-transport-security: max-age=3600; preload"))
 	})

 	It("should not use ports during the HTTP to HTTPS redirection", func() {