DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add NoAuthLocations and default it to "/.well-known/acme-challenge" (#2243)

Browse source 
* Add NoAuthLocations and default it to "/.well-known/acme-challenge"

* Add e2e tests for no-auth-location

* Improve wording of no-auth-location tests
This commit is contained in:
Alvaro Aleman 2018-04-02 02:02:34 +02:00 committed by Manuel Alejandro de Brito Fontes
parent 9b4d7f28d0
commit e7aa74b5d4
6 changed files with 192 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
docs/user-guide/configmap.md
View file

@ -137,6 +137,7 @@ The following table shows a configuration option's name, type, and the default v
|[proxy-buffering](#proxy-buffering)|string|"off"|
|[limit-req-status-code](#limit-req-status-code)|int|503|
|[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"|
|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"|
## add-headers
@ -745,3 +746,8 @@ Sets the [status code to return in response to rejected requests](http://nginx.o
A comma-separated list of locations on which http requests will never get redirected to their https counterpart.
Default: "/.well-known/acme-challenge"
## no-auth-locations
A comma-separated list of locations that should not get authenticated.
Default: "/.well-known/acme-challenge"

0
hack/verify-bindata.sh Normal file → Executable file
View file

2
internal/file/bindata.go
View file

File diff suppressed because one or more lines are too long

5
internal/ingress/controller/config/config.go
View file

@ -499,6 +499,10 @@ type Configuration struct {
// NoTLSRedirectLocations is a comma-separated list of locations
// that should not get redirected to TLS
NoTLSRedirectLocations string `json:"no-tls-redirect-locations"`
// NoAuthLocations is a comma-separated list of locations that
// should not get authenticated
NoAuthLocations string `json:"no-auth-locations"`
}
// NewDefault returns the default nginx configuration
@ -606,6 +610,7 @@ func NewDefault() Configuration {
LimitReqStatusCode: 503,
SyslogPort: 514,
NoTLSRedirectLocations: "/.well-known/acme-challenge",
NoAuthLocations: "/.well-known/acme-challenge",
}
if glog.V(5) {

12
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -845,6 +845,7 @@ stream {
}
{{ end }}
{{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}
{{ if $authPath }}
# this location requires authentication
auth_request {{ $authPath }};
@ -859,11 +860,6 @@ stream {
error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
{{ end }}
{{/* if the location contains a rate limit annotation, create one */}}
{{ $limits := buildRateLimit $location }}
{{ range $limit := $limits }}
{{ $limit }}{{ end }}
{{ if $location.BasicDigestAuth.Secured }}
{{ if eq $location.BasicDigestAuth.Type "basic" }}
auth_basic "{{ $location.BasicDigestAuth.Realm }}";
@ -874,6 +870,12 @@ stream {
{{ end }}
proxy_set_header Authorization "";
{{ end }}
{{ end }}
{{/* if the location contains a rate limit annotation, create one */}}
{{ $limits := buildRateLimit $location }}
{{ range $limit := $limits }}
{{ $limit }}{{ end }}
{{ if $location.CorsConfig.CorsEnabled }}
{{ template "CORS" $location }}

173
test/e2e/settings/no_auth_locations.go Normal file
View file

@ -0,0 +1,173 @@
/*
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package setting
import (
"fmt"
"net/http"
"os/exec"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/parnurzeal/gorequest"
corev1 "k8s.io/api/core/v1"
"k8s.io/api/extensions/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/ingress-nginx/test/e2e/framework"
)
var _ = framework.IngressNginxDescribe("No Auth locations", func() {
f := framework.NewDefaultFramework("no-auth-locations")
setting := "no-auth-locations"
username := "foo"
password := "bar"
secretName := "test-secret"
host := "no-auth-locations"
noAuthPath := "/noauth"
BeforeEach(func() {
err := f.NewEchoDeployment()
Expect(err).NotTo(HaveOccurred())
s, err := f.EnsureSecret(buildSecret(username, password, secretName, f.Namespace.Name))
Expect(err).NotTo(HaveOccurred())
Expect(s).NotTo(BeNil())
Expect(s.ObjectMeta).NotTo(BeNil())
updateConfigmap(setting, noAuthPath, f.KubeClientSet)
bi := buildBasicAuthIngressWithSecondPath(host, f.Namespace.Name, s.Name, noAuthPath)
ing, err := f.EnsureIngress(bi)
Expect(err).NotTo(HaveOccurred())
Expect(ing).NotTo(BeNil())
})
AfterEach(func() {
updateConfigmap(setting, "/.well-known/acme-challenge", f.KubeClientSet)
})
It("should return status code 401 when accessing '/' unauthentication", func() {
err := f.WaitForNginxServer(host,
func(server string) bool {
return Expect(server).Should(ContainSubstring("test auth"))
})
Expect(err).NotTo(HaveOccurred())
resp, body, errs := gorequest.New().
Get(f.NginxHTTPURL).
Set("Host", host).
End()
Expect(len(errs)).Should(BeNumerically("==", 0))
Expect(resp.StatusCode).Should(Equal(http.StatusUnauthorized))
Expect(body).Should(ContainSubstring("401 Authorization Required"))
})
It("should return status code 200 when accessing '/' authentication", func() {
err := f.WaitForNginxServer(host,
func(server string) bool {
return Expect(server).Should(ContainSubstring("test auth"))
})
Expect(err).NotTo(HaveOccurred())
resp, _, errs := gorequest.New().
Get(f.NginxHTTPURL).
Set("Host", host).
SetBasicAuth(username, password).
End()
Expect(len(errs)).Should(BeNumerically("==", 0))
Expect(resp.StatusCode).Should(Equal(http.StatusOK))
})
It("should return status code 200 when accessing '/noauth' unauthenticated", func() {
err := f.WaitForNginxServer(host,
func(server string) bool {
return Expect(server).Should(ContainSubstring("test auth"))
})
Expect(err).NotTo(HaveOccurred())
resp, _, errs := gorequest.New().
Get(fmt.Sprintf("%s/noauth", f.NginxHTTPURL)).
Set("Host", host).
End()
Expect(len(errs)).Should(BeNumerically("==", 0))
Expect(resp.StatusCode).Should(Equal(http.StatusOK))
})
})
func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName string) *v1beta1.Ingress {
return &v1beta1.Ingress{
ObjectMeta: metav1.ObjectMeta{
Name: host,
Namespace: namespace,
Annotations: map[string]string{"nginx.ingress.kubernetes.io/auth-type": "basic",
"nginx.ingress.kubernetes.io/auth-secret": secretName,
"nginx.ingress.kubernetes.io/auth-realm": "test auth",
},
},
Spec: v1beta1.IngressSpec{
Rules: []v1beta1.IngressRule{
{
Host: host,
IngressRuleValue: v1beta1.IngressRuleValue{
HTTP: &v1beta1.HTTPIngressRuleValue{
Paths: []v1beta1.HTTPIngressPath{
{
Path: "/",
Backend: v1beta1.IngressBackend{
ServiceName: "http-svc",
ServicePort: intstr.FromInt(80),
},
},
{
Path: pathName,
Backend: v1beta1.IngressBackend{
ServiceName: "http-svc",
ServicePort: intstr.FromInt(80),
},
},
},
},
},
},
},
},
}
}
func buildSecret(username, password, name, namespace string) *corev1.Secret {
out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput()
encpass := fmt.Sprintf("%v:%s\n", username, out)
Expect(err).NotTo(HaveOccurred())
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: name,
Namespace: namespace,
DeletionGracePeriodSeconds: framework.NewInt64(1),
},
Data: map[string][]byte{
"auth": []byte(encpass),
},
Type: corev1.SecretTypeOpaque,
}
}