From f8afb089c3088269c557a121cb5aad7ac881de5d Mon Sep 17 00:00:00 2001 
From: Ricardo Katz Date: Thu, 20 Jul 2023 15:05:03 +0000 Subject: [PATCH] Use a better name for annotation risk --- docs/user-guide/nginx-configuration/configmap.md | 4 ++-- internal/ingress/annotations/alias/main.go | 2 +- internal/ingress/annotations/auth/main.go | 2 +- internal/ingress/annotations/authreq/main.go | 2 +- internal/ingress/annotations/authreqglobal/main.go | 2 +- internal/ingress/annotations/authtls/main.go | 2 +- internal/ingress/annotations/backendprotocol/main.go | 2 +- internal/ingress/annotations/canary/main.go | 2 +- .../ingress/annotations/clientbodybuffersize/main.go | 2 +- internal/ingress/annotations/connection/main.go | 2 +- internal/ingress/annotations/cors/main.go | 2 +- internal/ingress/annotations/customhttperrors/main.go | 2 +- internal/ingress/annotations/defaultbackend/main.go | 2 +- internal/ingress/annotations/fastcgi/main.go | 2 +- internal/ingress/annotations/globalratelimit/main.go | 2 +- internal/ingress/annotations/http2pushpreload/main.go | 2 +- internal/ingress/annotations/ipallowlist/main.go | 2 +- internal/ingress/annotations/ipdenylist/main.go | 2 +- internal/ingress/annotations/loadbalancing/main.go | 2 +- internal/ingress/annotations/log/main.go | 2 +- internal/ingress/annotations/mirror/main.go | 2 +- internal/ingress/annotations/modsecurity/main.go | 2 +- internal/ingress/annotations/opentelemetry/main.go | 2 +- internal/ingress/annotations/opentracing/main.go | 2 +- internal/ingress/annotations/portinredirect/main.go | 2 +- internal/ingress/annotations/proxy/main.go | 2 +- internal/ingress/annotations/proxyssl/main.go | 2 +- internal/ingress/annotations/ratelimit/main.go | 2 +- internal/ingress/annotations/redirect/redirect.go | 2 +- internal/ingress/annotations/rewrite/main.go | 2 +- internal/ingress/annotations/satisfy/main.go | 2 +- internal/ingress/annotations/serversnippet/main.go | 2 +- internal/ingress/annotations/serviceupstream/main.go | 2 +- internal/ingress/annotations/sessionaffinity/main.go | 2 +- 
internal/ingress/annotations/snippet/main.go | 2 +- internal/ingress/annotations/sslcipher/main.go | 2 +- internal/ingress/annotations/sslpassthrough/main.go | 2 +- internal/ingress/annotations/streamsnippet/main.go | 2 +- internal/ingress/annotations/upstreamhashby/main.go | 2 +- internal/ingress/annotations/upstreamvhost/main.go | 2 +- internal/ingress/annotations/xforwardedprefix/main.go | 2 +- internal/ingress/controller/config/config.go | 8 ++++---- internal/ingress/controller/controller_test.go | 2 +- internal/ingress/controller/store/store.go | 2 +- internal/ingress/defaults/main.go | 4 ++-- internal/ingress/resolver/mock.go | 10 +++++----- test/e2e/settings/validations/validations.go | 4 ++-- 47 files changed, 57 insertions(+), 57 deletions(-) diff --git a/docs/user-guide/nginx-configuration/configmap.md b/docs/user-guide/nginx-configuration/configmap.md index 07da0bb77..0a7e44dce 100644 --- a/docs/user-guide/nginx-configuration/configmap.md +++ b/docs/user-guide/nginx-configuration/configmap.md @@ -31,7 +31,7 @@ The following table shows a configuration option's name, type, and the default v |[allow-backend-server-header](#allow-backend-server-header)|bool|"false"|| |[allow-cross-namespace-resources](#allow-cross-namespace-resources)|bool|"true"|| |[allow-snippet-annotations](#allow-snippet-annotations)|bool|true|| -|[annotation-risk](#annotation-risk)|string|Critical|| +|[annotations-risk-level](#annotations-risk-level)|string|Critical|| |[annotation-value-word-blocklist](#annotation-value-word-blocklist)|string array|""|| |[hide-headers](#hide-headers)|string array|empty|| |[access-log-params](#access-log-params)|string|""|| 
@@ -264,7 +264,7 @@ may allow a user to add restricted configurations to the final nginx.conf file **This option will be defaulted to false in the next major release** -## annotation-risk +## annotations-risk-level Represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations with risk High and Critical will not be accepted. diff --git a/internal/ingress/annotations/alias/main.go b/internal/ingress/annotations/alias/main.go index 409ed7a77..4a5e6f188 100644 --- a/internal/ingress/annotations/alias/main.go +++ b/internal/ingress/annotations/alias/main.go @@ -88,6 +88,6 @@ func (a alias) Parse(ing *networking.Ingress) (interface{}, error) { } func (a alias) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, aliasAnnotation.Annotations) } diff --git a/internal/ingress/annotations/auth/main.go b/internal/ingress/annotations/auth/main.go index 37c6a0d31..beecebdb1 100644 --- a/internal/ingress/annotations/auth/main.go +++ b/internal/ingress/annotations/auth/main.go @@ -277,6 +277,6 @@ func (a auth) GetDocumentation() parser.AnnotationFields { } func (a auth) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, authSecretAnnotations.Annotations) } diff --git a/internal/ingress/annotations/authreq/main.go b/internal/ingress/annotations/authreq/main.go index 099e1ec6d..2ab98ace0 100644 --- a/internal/ingress/annotations/authreq/main.go +++ b/internal/ingress/annotations/authreq/main.go 
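Review bot: The two-line `Validate` body changed in `internal/ingress/annotations/alias/main.go` is repeated in all 40 annotation packages this patch touches, differing only in the annotation set passed to `parser.CheckAnnotationRisk`, which is why one field rename needs 40 identical edits. A single helper in `parser` would keep the lookup of the configured maximum risk in one place, so that a later change to this security check cannot be missed in one parser. It would take the security configuration and the annotation set, and each method would shrink to something like `return parser.ValidateRisk(a.r.GetSecurityConfiguration(), anns, aliasAnnotation.Annotations)`; that name is only a proposal, and package dependencies would need to allow it. `parser.StringRiskToRisk` is not shown here, so it is worth confirming that an unrecognised level string does not resolve to the most permissive level.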
@@ -504,6 +504,6 @@ func (a authReq) GetDocumentation() parser.AnnotationFields { } func (a authReq) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, authReqAnnotations.Annotations) } diff --git a/internal/ingress/annotations/authreqglobal/main.go b/internal/ingress/annotations/authreqglobal/main.go index 6032dc595..a1641e085 100644 --- a/internal/ingress/annotations/authreqglobal/main.go +++ b/internal/ingress/annotations/authreqglobal/main.go @@ -69,6 +69,6 @@ func (a authReqGlobal) GetDocumentation() parser.AnnotationFields { } func (a authReqGlobal) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, globalAuthAnnotations.Annotations) } diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go index 53ee83fa8..5d6763e8b 100644 --- a/internal/ingress/annotations/authtls/main.go +++ b/internal/ingress/annotations/authtls/main.go @@ -217,6 +217,6 @@ func (a authTLS) GetDocumentation() parser.AnnotationFields { } func (a authTLS) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, authTLSAnnotations.Annotations) } diff --git a/internal/ingress/annotations/backendprotocol/main.go b/internal/ingress/annotations/backendprotocol/main.go index 7060e2acd..2704ce9f6 100644 --- a/internal/ingress/annotations/backendprotocol/main.go +++ b/internal/ingress/annotations/backendprotocol/main.go 
@@ -83,6 +83,6 @@ func (a backendProtocol) Parse(ing *networking.Ingress) (interface{}, error) { } func (a backendProtocol) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, backendProtocolConfig.Annotations) } diff --git a/internal/ingress/annotations/canary/main.go b/internal/ingress/annotations/canary/main.go index 9e688a118..119f09181 100644 --- a/internal/ingress/annotations/canary/main.go +++ b/internal/ingress/annotations/canary/main.go @@ -190,6 +190,6 @@ func (c canary) GetDocumentation() parser.AnnotationFields { } func (a canary) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, CanaryAnnotations.Annotations) } diff --git a/internal/ingress/annotations/clientbodybuffersize/main.go b/internal/ingress/annotations/clientbodybuffersize/main.go index 61094d0c6..aa1485df2 100644 --- a/internal/ingress/annotations/clientbodybuffersize/main.go +++ b/internal/ingress/annotations/clientbodybuffersize/main.go @@ -66,6 +66,6 @@ func (cbbs clientBodyBufferSize) Parse(ing *networking.Ingress) (interface{}, er } func (a clientBodyBufferSize) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, clientBodyBufferSizeConfig.Annotations) } diff --git a/internal/ingress/annotations/connection/main.go b/internal/ingress/annotations/connection/main.go index eaf83b4e0..9e96b6ab1 100644 --- a/internal/ingress/annotations/connection/main.go 
+++ b/internal/ingress/annotations/connection/main.go @@ -102,6 +102,6 @@ func (a connection) GetDocumentation() parser.AnnotationFields { } func (a connection) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, connectionHeadersAnnotations.Annotations) } diff --git a/internal/ingress/annotations/cors/main.go b/internal/ingress/annotations/cors/main.go index 442e70158..cc30b8405 100644 --- a/internal/ingress/annotations/cors/main.go +++ b/internal/ingress/annotations/cors/main.go @@ -261,6 +261,6 @@ func (c cors) GetDocumentation() parser.AnnotationFields { } func (a cors) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, corsAnnotation.Annotations) } diff --git a/internal/ingress/annotations/customhttperrors/main.go b/internal/ingress/annotations/customhttperrors/main.go index b2623b023..c3c9b5be3 100644 --- a/internal/ingress/annotations/customhttperrors/main.go +++ b/internal/ingress/annotations/customhttperrors/main.go @@ -89,6 +89,6 @@ func (e customhttperrors) GetDocumentation() parser.AnnotationFields { } func (a customhttperrors) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, customHTTPErrorsAnnotations.Annotations) } diff --git a/internal/ingress/annotations/defaultbackend/main.go b/internal/ingress/annotations/defaultbackend/main.go index 0dae64905..f3ca004dd 100644 
--- a/internal/ingress/annotations/defaultbackend/main.go +++ b/internal/ingress/annotations/defaultbackend/main.go @@ -77,6 +77,6 @@ func (db backend) GetDocumentation() parser.AnnotationFields { } func (a backend) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, defaultBackendAnnotations.Annotations) } diff --git a/internal/ingress/annotations/fastcgi/main.go b/internal/ingress/annotations/fastcgi/main.go index ec4feec66..96dbc7159 100644 --- a/internal/ingress/annotations/fastcgi/main.go +++ b/internal/ingress/annotations/fastcgi/main.go @@ -162,6 +162,6 @@ func (a fastcgi) GetDocumentation() parser.AnnotationFields { } func (a fastcgi) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, fastCGIAnnotations.Annotations) } diff --git a/internal/ingress/annotations/globalratelimit/main.go b/internal/ingress/annotations/globalratelimit/main.go index c8803dada..41f58fd57 100644 --- a/internal/ingress/annotations/globalratelimit/main.go +++ b/internal/ingress/annotations/globalratelimit/main.go @@ -175,6 +175,6 @@ func (a globalratelimit) GetDocumentation() parser.AnnotationFields { } func (a globalratelimit) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, globalRateLimitAnnotationConfig.Annotations) } 
diff --git a/internal/ingress/annotations/http2pushpreload/main.go b/internal/ingress/annotations/http2pushpreload/main.go index b7c3287e3..af9f90aa9 100644 --- a/internal/ingress/annotations/http2pushpreload/main.go +++ b/internal/ingress/annotations/http2pushpreload/main.go @@ -63,6 +63,6 @@ func (h2pp http2PushPreload) GetDocumentation() parser.AnnotationFields { } func (a http2PushPreload) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, http2PushPreloadAnnotations.Annotations) } diff --git a/internal/ingress/annotations/ipallowlist/main.go b/internal/ingress/annotations/ipallowlist/main.go index f2fb2cb81..d9d454c97 100644 --- a/internal/ingress/annotations/ipallowlist/main.go +++ b/internal/ingress/annotations/ipallowlist/main.go @@ -128,6 +128,6 @@ func (a ipallowlist) GetDocumentation() parser.AnnotationFields { } func (a ipallowlist) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, allowlistAnnotations.Annotations) } diff --git a/internal/ingress/annotations/ipdenylist/main.go b/internal/ingress/annotations/ipdenylist/main.go index 37bd7ad50..f17ce079a 100644 --- a/internal/ingress/annotations/ipdenylist/main.go +++ b/internal/ingress/annotations/ipdenylist/main.go 
@@ -125,6 +125,6 @@ func (a ipdenylist) GetDocumentation() parser.AnnotationFields { } func (a ipdenylist) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, denylistAnnotations.Annotations) } diff --git a/internal/ingress/annotations/loadbalancing/main.go b/internal/ingress/annotations/loadbalancing/main.go index 0191981a4..ee89d2c1b 100644 --- a/internal/ingress/annotations/loadbalancing/main.go +++ b/internal/ingress/annotations/loadbalancing/main.go @@ -69,6 +69,6 @@ func (a loadbalancing) GetDocumentation() parser.AnnotationFields { } func (a loadbalancing) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, loadBalanceAnnotations.Annotations) } diff --git a/internal/ingress/annotations/log/main.go b/internal/ingress/annotations/log/main.go index 3649ecd6a..ec08292a9 100644 --- a/internal/ingress/annotations/log/main.go +++ b/internal/ingress/annotations/log/main.go @@ -102,6 +102,6 @@ func (l log) GetDocumentation() parser.AnnotationFields { } func (a log) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, logAnnotations.Annotations) } diff --git a/internal/ingress/annotations/mirror/main.go b/internal/ingress/annotations/mirror/main.go index 14a14e324..2d417dece 100644 --- a/internal/ingress/annotations/mirror/main.go +++ b/internal/ingress/annotations/mirror/main.go 
@@ -163,6 +163,6 @@ func (a mirror) GetDocumentation() parser.AnnotationFields { } func (a mirror) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, mirrorAnnotation.Annotations) } diff --git a/internal/ingress/annotations/modsecurity/main.go b/internal/ingress/annotations/modsecurity/main.go index 97120eac7..5a9aaa729 100644 --- a/internal/ingress/annotations/modsecurity/main.go +++ b/internal/ingress/annotations/modsecurity/main.go @@ -155,6 +155,6 @@ func (a modSecurity) GetDocumentation() parser.AnnotationFields { } func (a modSecurity) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, modsecurityAnnotation.Annotations) } diff --git a/internal/ingress/annotations/opentelemetry/main.go b/internal/ingress/annotations/opentelemetry/main.go index 24f34ae4b..a029087da 100644 --- a/internal/ingress/annotations/opentelemetry/main.go +++ b/internal/ingress/annotations/opentelemetry/main.go @@ -151,6 +151,6 @@ func (c opentelemetry) GetDocumentation() parser.AnnotationFields { } func (a opentelemetry) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, otelAnnotations.Annotations) } diff --git a/internal/ingress/annotations/opentracing/main.go b/internal/ingress/annotations/opentracing/main.go index c8fc71d65..7c8671f9d 100644 --- a/internal/ingress/annotations/opentracing/main.go +++ b/internal/ingress/annotations/opentracing/main.go 
@@ -108,6 +108,6 @@ func (s opentracing) GetDocumentation() parser.AnnotationFields { } func (a opentracing) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, opentracingAnnotations.Annotations) } diff --git a/internal/ingress/annotations/portinredirect/main.go b/internal/ingress/annotations/portinredirect/main.go index 0e51ee0f4..7392ea3a6 100644 --- a/internal/ingress/annotations/portinredirect/main.go +++ b/internal/ingress/annotations/portinredirect/main.go @@ -68,6 +68,6 @@ func (a portInRedirect) GetDocumentation() parser.AnnotationFields { } func (a portInRedirect) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, portsInRedirectAnnotations.Annotations) } diff --git a/internal/ingress/annotations/proxy/main.go b/internal/ingress/annotations/proxy/main.go index 120a99830..a2d10ca90 100644 --- a/internal/ingress/annotations/proxy/main.go +++ b/internal/ingress/annotations/proxy/main.go @@ -359,6 +359,6 @@ func (a proxy) GetDocumentation() parser.AnnotationFields { } func (a proxy) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, proxyAnnotations.Annotations) } diff --git a/internal/ingress/annotations/proxyssl/main.go b/internal/ingress/annotations/proxyssl/main.go index 254996926..40ee18aa0 100644 --- a/internal/ingress/annotations/proxyssl/main.go +++ b/internal/ingress/annotations/proxyssl/main.go 
@@ -261,6 +261,6 @@ func (p proxySSL) GetDocumentation() parser.AnnotationFields { } func (a proxySSL) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, proxySSLAnnotation.Annotations) } diff --git a/internal/ingress/annotations/ratelimit/main.go b/internal/ingress/annotations/ratelimit/main.go index 38940203a..39161a2c0 100644 --- a/internal/ingress/annotations/ratelimit/main.go +++ b/internal/ingress/annotations/ratelimit/main.go @@ -296,6 +296,6 @@ func (a ratelimit) GetDocumentation() parser.AnnotationFields { } func (a ratelimit) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, rateLimitAnnotations.Annotations) } diff --git a/internal/ingress/annotations/redirect/redirect.go b/internal/ingress/annotations/redirect/redirect.go index 9300271eb..89513c83c 100644 --- a/internal/ingress/annotations/redirect/redirect.go +++ b/internal/ingress/annotations/redirect/redirect.go @@ -179,6 +179,6 @@ func (a redirect) GetDocumentation() parser.AnnotationFields { } func (a redirect) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, redirectAnnotations.Annotations) } diff --git a/internal/ingress/annotations/rewrite/main.go b/internal/ingress/annotations/rewrite/main.go index 1134e27b1..84dc93bf0 100644 --- a/internal/ingress/annotations/rewrite/main.go +++ b/internal/ingress/annotations/rewrite/main.go 
@@ -210,6 +210,6 @@ func (a rewrite) GetDocumentation() parser.AnnotationFields { } func (a rewrite) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, rewriteAnnotations.Annotations) } diff --git a/internal/ingress/annotations/satisfy/main.go b/internal/ingress/annotations/satisfy/main.go index d74fb33f5..45187fe5c 100644 --- a/internal/ingress/annotations/satisfy/main.go +++ b/internal/ingress/annotations/satisfy/main.go @@ -70,6 +70,6 @@ func (s satisfy) GetDocumentation() parser.AnnotationFields { } func (a satisfy) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, satisfyAnnotations.Annotations) } diff --git a/internal/ingress/annotations/serversnippet/main.go b/internal/ingress/annotations/serversnippet/main.go index b6693c1d9..aa15608d0 100644 --- a/internal/ingress/annotations/serversnippet/main.go +++ b/internal/ingress/annotations/serversnippet/main.go @@ -64,6 +64,6 @@ func (a serverSnippet) GetDocumentation() parser.AnnotationFields { } func (a serverSnippet) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, serverSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/serviceupstream/main.go b/internal/ingress/annotations/serviceupstream/main.go index 7692ffe86..e662f73c3 100644 --- a/internal/ingress/annotations/serviceupstream/main.go +++ b/internal/ingress/annotations/serviceupstream/main.go 
@@ -70,6 +70,6 @@ func (s serviceUpstream) GetDocumentation() parser.AnnotationFields { } func (a serviceUpstream) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, serviceUpstreamAnnotations.Annotations) } diff --git a/internal/ingress/annotations/sessionaffinity/main.go b/internal/ingress/annotations/sessionaffinity/main.go index 07d737de3..0a4a59dbc 100644 --- a/internal/ingress/annotations/sessionaffinity/main.go +++ b/internal/ingress/annotations/sessionaffinity/main.go @@ -299,6 +299,6 @@ func (a affinity) GetDocumentation() parser.AnnotationFields { } func (a affinity) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, sessionAffinityAnnotations.Annotations) } diff --git a/internal/ingress/annotations/snippet/main.go b/internal/ingress/annotations/snippet/main.go index 6b75ff440..2406093c5 100644 --- a/internal/ingress/annotations/snippet/main.go +++ b/internal/ingress/annotations/snippet/main.go @@ -64,6 +64,6 @@ func (a snippet) GetDocumentation() parser.AnnotationFields { } func (a snippet) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, configurationSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/sslcipher/main.go b/internal/ingress/annotations/sslcipher/main.go index a1a316d57..c30f12424 100644 --- a/internal/ingress/annotations/sslcipher/main.go 
+++ b/internal/ingress/annotations/sslcipher/main.go @@ -105,6 +105,6 @@ func (sc sslCipher) GetDocumentation() parser.AnnotationFields { } func (a sslCipher) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, sslCipherAnnotations.Annotations) } diff --git a/internal/ingress/annotations/sslpassthrough/main.go b/internal/ingress/annotations/sslpassthrough/main.go index 45007b7f7..1557d4243 100644 --- a/internal/ingress/annotations/sslpassthrough/main.go +++ b/internal/ingress/annotations/sslpassthrough/main.go @@ -67,6 +67,6 @@ func (a sslpt) GetDocumentation() parser.AnnotationFields { } func (a sslpt) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, sslPassthroughAnnotations.Annotations) } diff --git a/internal/ingress/annotations/streamsnippet/main.go b/internal/ingress/annotations/streamsnippet/main.go index da5a9a142..71ff3b140 100644 --- a/internal/ingress/annotations/streamsnippet/main.go +++ b/internal/ingress/annotations/streamsnippet/main.go @@ -64,6 +64,6 @@ func (a streamSnippet) GetDocumentation() parser.AnnotationFields { } func (a streamSnippet) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, streamSnippetAnnotations.Annotations) } diff --git a/internal/ingress/annotations/upstreamhashby/main.go b/internal/ingress/annotations/upstreamhashby/main.go index 825961883..bc07f70fb 100644 
--- a/internal/ingress/annotations/upstreamhashby/main.go +++ b/internal/ingress/annotations/upstreamhashby/main.go @@ -109,6 +109,6 @@ func (a upstreamhashby) GetDocumentation() parser.AnnotationFields { } func (a upstreamhashby) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, upstreamHashByAnnotations.Annotations) } diff --git a/internal/ingress/annotations/upstreamvhost/main.go b/internal/ingress/annotations/upstreamvhost/main.go index 028e62939..052ca2344 100644 --- a/internal/ingress/annotations/upstreamvhost/main.go +++ b/internal/ingress/annotations/upstreamvhost/main.go @@ -65,6 +65,6 @@ func (a upstreamVhost) GetDocumentation() parser.AnnotationFields { } func (a upstreamVhost) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, upstreamVhostAnnotations.Annotations) } diff --git a/internal/ingress/annotations/xforwardedprefix/main.go b/internal/ingress/annotations/xforwardedprefix/main.go index 0986295b3..fc4d5798d 100644 --- a/internal/ingress/annotations/xforwardedprefix/main.go +++ b/internal/ingress/annotations/xforwardedprefix/main.go @@ -63,6 +63,6 @@ func (cbbs xforwardedprefix) GetDocumentation() parser.AnnotationFields { } func (a xforwardedprefix) Validate(anns map[string]string) error { - maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRisk) + maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel) return parser.CheckAnnotationRisk(anns, maxrisk, xForwardedForAnnotations.Annotations) } 
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go index adecd5ddf..6e78964ed 100644 --- a/internal/ingress/controller/config/config.go +++ b/internal/ingress/controller/config/config.go @@ -103,10 +103,10 @@ type Configuration struct { // This value will default to `false` on future releases AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"` - // AnnotationsRisk represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations + // AnnotationsRiskLevel represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations // with risk High and Critical will not be accepted. // Default Risk is Critical by default, but this may be changed in future releases - AnnotationsRisk string `json:"annotations-risk"` + AnnotationsRiskLevel string `json:"annotations-risk-level"` // AnnotationValueWordBlocklist defines words that should not be part of an user annotation value // (can be used to run arbitrary code or configs, for example) and that should be dropped. @@ -719,7 +719,7 @@ type Configuration struct { // DatadogSampleRate specifies sample rate for any traces created. // Default: use a dynamic rate instead - DatadogSampleRate *float32 `json:"datadog-sample-rate",omitempty` + DatadogSampleRate *float32 `json:"datadog-sample-rate,omitempty"` // MainSnippet adds custom configuration to the main section of the nginx configuration MainSnippet string `json:"main-snippet"` @@ -867,7 +867,7 @@ func NewDefault() Configuration { AllowCrossNamespaceResources: true, AllowBackendServerHeader: false, AnnotationValueWordBlocklist: "", - AnnotationsRisk: "Critical", + AnnotationsRiskLevel: "Critical", AccessLogPath: "/var/log/nginx/access.log", AccessLogParams: "", EnableAccessLogForDefaultBackend: false, diff --git a/internal/ingress/controller/controller_test.go b/internal/ingress/controller/controller_test.go index 2e3b44406..c353d1b5e 100644 
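Review bot: Renaming the JSON tag on `AnnotationsRiskLevel` from `annotations-risk` to `annotations-risk-level` changes the ConfigMap key operators must set, and nothing in this hunk keeps the old key working or reports its use. If unknown keys are ignored when the ConfigMap is decoded (not visible here), a cluster configured with `annotations-risk: Medium` would fall back to the `Critical` default set in `NewDefault()` after upgrade and silently start accepting High and Critical annotations again. I would either accept the old key as a deprecated alias with a logged warning, or call the rename out as a breaking change in the release notes; the same tag change is made on `SecurityConfiguration` in `internal/ingress/defaults/main.go`. The field comment could also be tightened to `// Defaults to Critical; this may change in future releases.` The `Configuration` struct starts and ends outside the hunk.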
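Review bot: The struct-tag correction on `DatadogSampleRate` (now `json:"datadog-sample-rate,omitempty"`) is unrelated to the rename and is not mentioned in the commit message, so it is easy to overlook if this change is backported or reverted. In the old tag the `omitempty` option sat outside the quoted value and presumably never took effect, so a nil sample rate may now be omitted where it was previously emitted as `null`, if this struct is marshalled anywhere. I would move the fix to its own commit or add a line about it to the description. The `Configuration` struct starts and ends outside the hunk.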
--- a/internal/ingress/controller/controller_test.go
+++ b/internal/ingress/controller/controller_test.go
@@ -75,7 +75,7 @@ func (fis fakeIngressStore) GetBackendConfiguration() ngx_config.Configuration {
 func (fis fakeIngressStore) GetSecurityConfiguration() defaults.SecurityConfiguration {
 return defaults.SecurityConfiguration{
- AnnotationsRisk: fis.configuration.AnnotationsRisk,
+ AnnotationsRiskLevel: fis.configuration.AnnotationsRiskLevel,
 AllowCrossNamespaceResources: fis.configuration.AllowCrossNamespaceResources,
 }
 }
diff --git a/internal/ingress/controller/store/store.go b/internal/ingress/controller/store/store.go
index 6f37414c2..c11e35d76 100644
--- a/internal/ingress/controller/store/store.go
+++ b/internal/ingress/controller/store/store.go
@@ -1145,7 +1145,7 @@ func (s *k8sStore) GetSecurityConfiguration() defaults.SecurityConfiguration {
 secConfig := defaults.SecurityConfiguration{
 AllowCrossNamespaceResources: s.backendConfig.AllowCrossNamespaceResources,
- AnnotationsRisk: s.backendConfig.AnnotationsRisk,
+ AnnotationsRiskLevel: s.backendConfig.AnnotationsRiskLevel,
 }
 return secConfig
 }
diff --git a/internal/ingress/defaults/main.go b/internal/ingress/defaults/main.go
index 078d50e63..8cd0e8ba5 100644
--- a/internal/ingress/defaults/main.go
+++ b/internal/ingress/defaults/main.go
@@ -178,7 +178,7 @@ type SecurityConfiguration struct {
 // This valid will default to `false` on future releases
 AllowCrossNamespaceResources bool `json:"allow-cross-namespace-resources"`
- // AnnotationsRisk represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations
+ // AnnotationsRiskLevel represents the risk accepted on an annotation. If the risk is, for instance `Medium`, annotations
 // with risk High and Critical will not be accepted
- AnnotationsRisk string `json:"annotations-risk"`
+ AnnotationsRiskLevel string `json:"annotations-risk-level"`
 }
diff --git a/internal/ingress/resolver/mock.go b/internal/ingress/resolver/mock.go
index 2a1c265e7..679c3b13c 100644
--- a/internal/ingress/resolver/mock.go
+++ b/internal/ingress/resolver/mock.go
@@ -26,9 +26,9 @@ import (
 // Mock implements the Resolver interface
 type Mock struct {
- ConfigMaps map[string]*apiv1.ConfigMap
- AnnotationRisk string
- AllowCrossNamespace bool
+ ConfigMaps map[string]*apiv1.ConfigMap
+ AnnotationsRiskLevel string
+ AllowCrossNamespace bool
 }
 // GetDefaultBackend returns the backend that must be used as default
@@ -37,12 +37,12 @@ func (m Mock) GetDefaultBackend() defaults.Backend {
 }
 func (m Mock) GetSecurityConfiguration() defaults.SecurityConfiguration {
- defRisk := m.AnnotationRisk
+ defRisk := m.AnnotationsRiskLevel
 if defRisk == "" {
 defRisk = "Critical"
 }
 return defaults.SecurityConfiguration{
- AnnotationsRisk: defRisk,
+ AnnotationsRiskLevel: defRisk,
 AllowCrossNamespaceResources: m.AllowCrossNamespace,
 }
 }
diff --git a/test/e2e/settings/validations/validations.go b/test/e2e/settings/validations/validations.go
index 2163ff3e1..6f1715ada 100644
--- a/test/e2e/settings/validations/validations.go
+++ b/test/e2e/settings/validations/validations.go
@@ -34,7 +34,7 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
 host := "annotation-validations"
 // Low and Medium Risk annotations should be allowed, the rest should be denied
- f.UpdateNginxConfigMapData("annotations-risk", "Medium")
+ f.UpdateNginxConfigMapData("annotations-risk-level", "Medium")
 // Sleep a while just to guarantee that the configmap is applied
 framework.Sleep()
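Review bot: `Mock.GetSecurityConfiguration` in the second mock.go hunk has no doc comment, and its fallback for an empty `AnnotationsRiskLevel` is `"Critical"`, which by the field comment in defaults/main.go is the level that rejects nothing. A test that builds a `Mock` without setting the field therefore never exercises risk-based denial, and nothing in the code says so. I would document it on the method, e.g. `// GetSecurityConfiguration returns the mock security settings; an empty AnnotationsRiskLevel falls back to "Critical", which accepts annotations of every risk level.`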
@@ -61,7 +61,7 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
 host := "annotation-validations"
 // Low and Medium Risk annotations should be allowed, the rest should be denied
- f.UpdateNginxConfigMapData("annotations-risk", "Medium")
+ f.UpdateNginxConfigMapData("annotations-risk-level", "Medium")
 // Sleep a while just to guarantee that the configmap is applied
 framework.Sleep()