DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #5896 from kubernetes/revert-5691-use-regex

Browse source 
Revert "use-regex annotation should be applied to only one Location"
This commit is contained in:
Kubernetes Prow Robot 2020-07-15 11:12:37 -07:00 committed by GitHub
commit ed68e4aeb5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 55 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
internal/ingress/controller/template/template.go
View file

@ -171,6 +171,7 @@ var (
"buildOpentracing": buildOpentracing, "buildOpentracing": buildOpentracing,
"proxySetHeader": proxySetHeader, "proxySetHeader": proxySetHeader,
"buildInfluxDB": buildInfluxDB, "buildInfluxDB": buildInfluxDB,
"enforceRegexModifier": enforceRegexModifier,
"buildCustomErrorDeps": buildCustomErrorDeps, "buildCustomErrorDeps": buildCustomErrorDeps,
"buildCustomErrorLocationsPerServer": buildCustomErrorLocationsPerServer, "buildCustomErrorLocationsPerServer": buildCustomErrorLocationsPerServer,
"shouldLoadModSecurityModule": shouldLoadModSecurityModule, "shouldLoadModSecurityModule": shouldLoadModSecurityModule,
@ -372,9 +373,26 @@ func needsRewrite(location *ingress.Location) bool {
return false return false
} }
// enforceRegexModifier checks if the "rewrite-target" or "use-regex" annotation
// is used on any location path within a server
func enforceRegexModifier(input interface{}) bool {
locations, ok := input.([]*ingress.Location)
if !ok {
klog.Errorf("expected an '[]*ingress.Location' type but %T was returned", input)
return false
}
for _, location := range locations {
if needsRewrite(location) || location.Rewrite.UseRegex {
return true
}
}
return false
}
// buildLocation produces the location string, if the ingress has redirects // buildLocation produces the location string, if the ingress has redirects
// (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation) // (specified through the nginx.ingress.kubernetes.io/rewrite-target annotation)
func buildLocation(input interface{}) string { func buildLocation(input interface{}, enforceRegex bool) string {
location, ok := input.(*ingress.Location) location, ok := input.(*ingress.Location)
if !ok { if !ok {
klog.Errorf("expected an '*ingress.Location' type but %T was returned", input) klog.Errorf("expected an '*ingress.Location' type but %T was returned", input)
@ -382,7 +400,7 @@ func buildLocation(input interface{}) string {
} }
path := location.Path path := location.Path
if location.Rewrite.UseRegex { if enforceRegex {
return fmt.Sprintf(`~* "^%s"`, path) return fmt.Sprintf(`~* "^%s"`, path)
} }

34
internal/ingress/controller/template/template_test.go
View file

@ -64,7 +64,7 @@ var (
Sticky bool Sticky bool
XForwardedPrefix string XForwardedPrefix string
SecureBackend bool SecureBackend bool
UseRegex bool enforceRegex bool
}{ }{
"when secure backend enabled": { "when secure backend enabled": {
"/", "/",
@ -275,7 +275,7 @@ func TestQuote(t *testing.T) {
func TestBuildLocation(t *testing.T) { func TestBuildLocation(t *testing.T) {
invalidType := &ingress.Ingress{} invalidType := &ingress.Ingress{}
expected := "/" expected := "/"
actual := buildLocation(invalidType) actual := buildLocation(invalidType, true)
if !reflect.DeepEqual(expected, actual) { if !reflect.DeepEqual(expected, actual) {
t.Errorf("Expected '%v' but returned '%v'", expected, actual) t.Errorf("Expected '%v' but returned '%v'", expected, actual)
@ -284,10 +284,10 @@ func TestBuildLocation(t *testing.T) {
for k, tc := range tmplFuncTestcases { for k, tc := range tmplFuncTestcases {
loc := &ingress.Location{ loc := &ingress.Location{
Path: tc.Path, Path: tc.Path,
Rewrite: rewrite.Config{Target: tc.Target, UseRegex: tc.UseRegex}, Rewrite: rewrite.Config{Target: tc.Target},
} }
newLoc := buildLocation(loc) newLoc := buildLocation(loc, tc.enforceRegex)
if tc.Location != newLoc { if tc.Location != newLoc {
t.Errorf("%s: expected '%v' but returned %v", k, tc.Location, newLoc) t.Errorf("%s: expected '%v' but returned %v", k, tc.Location, newLoc)
} }
@ -1195,6 +1195,32 @@ func TestBuildOpenTracing(t *testing.T) {
} }
func TestEnforceRegexModifier(t *testing.T) {
invalidType := &ingress.Ingress{}
expected := false
actual := enforceRegexModifier(invalidType)
if expected != actual {
t.Errorf("Expected '%v' but returned '%v'", expected, actual)
}
locs := []*ingress.Location{
{
Rewrite: rewrite.Config{
Target: "/alright",
UseRegex: true,
},
Path: "/ok",
},
}
expected = true
actual = enforceRegexModifier(locs)
if expected != actual {
t.Errorf("Expected '%v' but returned '%v'", expected, actual)
}
}
func TestShouldLoadModSecurityModule(t *testing.T) { func TestShouldLoadModSecurityModule(t *testing.T) {
// ### Invalid argument type tests ### // ### Invalid argument type tests ###
// The first tests should return false. // The first tests should return false.

3
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -903,8 +903,9 @@ stream {
{{ buildMirrorLocations $server.Locations }} {{ buildMirrorLocations $server.Locations }}
{{ $enforceRegex := enforceRegexModifier $server.Locations }}
{{ range $location := $server.Locations }} {{ range $location := $server.Locations }}
{{ $path := buildLocation $location }} {{ $path := buildLocation $location $enforceRegex }}
{{ $proxySetHeader := proxySetHeader $location }} {{ $proxySetHeader := proxySetHeader $location }}
{{ $authPath := buildAuthLocation $location $all.Cfg.GlobalExternalAuth.URL }} {{ $authPath := buildAuthLocation $location $all.Cfg.GlobalExternalAuth.URL }}
{{ $applyGlobalAuth := shouldApplyGlobalAuth $location $all.Cfg.GlobalExternalAuth.URL }} {{ $applyGlobalAuth := shouldApplyGlobalAuth $location $all.Cfg.GlobalExternalAuth.URL }}

7
test/e2e/annotations/rewrite.go
View file

@ -95,8 +95,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo
f.WaitForNginxServer(host, f.WaitForNginxServer(host,
func(server string) bool { func(server string) bool {
return strings.Contains(server, `location / {`) && return strings.Contains(server, `location ~* "^/" {`) && strings.Contains(server, `location ~* "^/.well-known/acme/challenge" {`)
strings.Contains(server, `location /.well-known/acme/challenge {`)
}) })
ginkgo.By("making a second request to the non-rewritten location") ginkgo.By("making a second request to the non-rewritten location")
@ -130,7 +129,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo
f.WaitForNginxServer(host, f.WaitForNginxServer(host,
func(server string) bool { func(server string) bool {
return strings.Contains(server, `location /foo {`) && strings.Contains(server, `location ~* "^/foo.+" {`) return strings.Contains(server, `location ~* "^/foo" {`) && strings.Contains(server, `location ~* "^/foo.+" {`)
}) })
ginkgo.By("ensuring '/foo' matches '~* ^/foo'") ginkgo.By("ensuring '/foo' matches '~* ^/foo'")
@ -171,7 +170,7 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo
f.WaitForNginxServer(host, f.WaitForNginxServer(host,
func(server string) bool { func(server string) bool {
return strings.Contains(server, `location /foo/bar/bar {`) && return strings.Contains(server, `location ~* "^/foo/bar/bar" {`) &&
strings.Contains(server, `location ~* "^/foo/bar/[a-z]{3}" {`) strings.Contains(server, `location ~* "^/foo/bar/[a-z]{3}" {`)
}) })