
modified: controllers/nginx/configuration.md modified: controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl modified: core/pkg/ingress/annotations/authtls/main.go modified: core/pkg/ingress/controller/backend_ssl.go modified: core/pkg/ingress/controller/controller.go modified: core/pkg/ingress/controller/util_test.go modified: core/pkg/ingress/resolver/main.go modified: core/pkg/ingress/types.go modified: core/pkg/net/ssl/ssl.go modified: examples/PREREQUISITES.md new file: examples/auth/client-certs/nginx/README.md new file: examples/auth/client-certs/nginx/nginx-tls-auth.yaml
/*
Copyright 2015 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package controller
import (
"testing"
"reflect"
"k8s.io/ingress/core/pkg/ingress"
"k8s.io/ingress/core/pkg/ingress/annotations/auth"
"k8s.io/ingress/core/pkg/ingress/annotations/authreq"
"k8s.io/ingress/core/pkg/ingress/annotations/authtls"
"k8s.io/ingress/core/pkg/ingress/annotations/ipwhitelist"
"k8s.io/ingress/core/pkg/ingress/annotations/proxy"
"k8s.io/ingress/core/pkg/ingress/annotations/ratelimit"
"k8s.io/ingress/core/pkg/ingress/annotations/rewrite"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apis/extensions"
)
// fakeError is a stateless error stub. The tests in this file use a pointer
// to it as a stand-in error value.
type fakeError struct{}

// Error implements the error interface on *fakeError and always yields the
// same fixed text.
func (*fakeError) Error() string {
	const msg = "fakeError"
	return msg
}
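// TestIsValidClass checks how IsValidClass compares the class annotation on
// an Ingress with the class the controller was started with.
//
// The expectations pinned here are:
//   - no annotation, empty controller class: valid
//   - annotation "custom", controller class "custom": valid
//   - annotation "custom", controller class "nginx": invalid
//   - annotation "custom", empty controller class: valid
//
// The last expectation means a controller running with an empty class is
// expected to accept an Ingress annotated for a specific class. The class
// check presumably decides which controller acts on an Ingress, so a
// deployment running several controllers would want an explicit class on
// each of them. TODO confirm against IsValidClass.
func TestIsValidClass(t *testing.T) {
	ing := &extensions.Ingress{
		ObjectMeta: api.ObjectMeta{
			Name:      "foo",
			Namespace: api.NamespaceDefault,
		},
	}

	// No annotation on the Ingress, no class on the controller.
	if b := IsValidClass(ing, ""); !b {
		t.Error("Expected a valid class (missing annotation)")
	}

	// From here on the Ingress carries an explicit class annotation.
	ing.SetAnnotations(map[string]string{ingressClassKey: "custom"})

	// Annotation and controller class agree.
	if b := IsValidClass(ing, "custom"); !b {
		t.Errorf("Expected valid class but %v returned", b)
	}

	// Annotation and controller class differ: this Ingress must be rejected.
	if b := IsValidClass(ing, "nginx"); b {
		t.Errorf("Expected invalid class but %v returned", b)
	}

	// Empty controller class with an annotated Ingress is expected to be
	// valid. The failure message used to read "Expected invalid class", which
	// contradicted the condition being checked.
	if b := IsValidClass(ing, ""); !b {
		t.Errorf("Expected valid class but %v returned", b)
	}
}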
// TestIsHostValid runs isHostValid against a certificate whose CN list holds
// one wildcard name ("*.cluster.local") and one exact name ("default.local").
//
// The table pins the accept/reject decision for each host, including the
// rejections a hostname check must get right: a nil certificate, an empty
// host, and a host that merely contains the certificate's domain followed by
// an extra label.
func TestIsHostValid(t *testing.T) {
	cert := &ingress.SSLCert{
		CAFileName:  "foo",
		PemFileName: "foo.cr",
		PemSHA:      "perha",
		CN:          []string{"*.cluster.local", "default.local"},
	}

	cases := []struct {
		cr   *ingress.SSLCert
		host string
		er   bool
	}{
		// Without a certificate nothing is expected to validate.
		{cr: nil, host: "foo1.cluster.local", er: false},
		// Host covered by the wildcard entry.
		{cr: cert, host: "foo1.cluster.local", er: true},
		// Host equal to the exact entry.
		{cr: cert, host: "default.local", er: true},
		// Trailing extra label: must not be accepted via the wildcard.
		{cr: cert, host: "foo2.cluster.local.t", er: false},
		// Empty host is rejected.
		{cr: cert, host: "", er: false},
	}

	for i := range cases {
		foo := cases[i]
		if r := isHostValid(foo.host, foo.cr); r != foo.er {
			t.Errorf("Returned %v but expected %v for foo=%v", r, foo.er, foo)
		}
	}
}
// TestMatchHostnames pins the result of matchHostnames for pattern/host
// pairs written with a trailing dot.
//
// Only the wildcard pattern paired with a host one label below it is
// expected to match. Every other pair must be rejected, including a parent
// domain used as a pattern for one of its subdomains and the bare root ".".
func TestMatchHostnames(t *testing.T) {
	cases := []struct {
		pattern string
		host    string
		er      bool
	}{
		// Wildcard pattern, host one label below it.
		{pattern: "*.cluster.local.", host: "foo1.cluster.local.", er: true},
		// Two different exact names.
		{pattern: "foo1.cluster.local.", host: "foo2.cluster.local.", er: false},
		// A parent domain is not a pattern for its subdomains.
		{pattern: "cluster.local.", host: "foo1.cluster.local.", er: false},
		// Bare root as the pattern.
		{pattern: ".", host: "foo1.cluster.local.", er: false},
		// Bare root as the host.
		{pattern: "cluster.local.", host: ".", er: false},
	}

	for i := range cases {
		foo := cases[i]
		if r := matchHostnames(foo.pattern, foo.host); r != foo.er {
			t.Errorf("Returned %v but expected %v for foo=%v", r, foo.er, foo)
		}
	}
}
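// TestMergeLocationAnnotations checks that mergeLocationAnnotations copies
// every entry of the annotations map into the field of ingress.Location that
// has the same name, and that it removes the DeniedKeyName entry from the map.
func TestMergeLocationAnnotations(t *testing.T) {
	// initial parameters
	loc := ingress.Location{}
	annotations := map[string]interface{}{
		"Path":               "/checkpath",
		"IsDefBackend":       true,
		"Backend":            "foo_backend",
		"BasicDigestAuth":    auth.BasicDigest{},
		DeniedKeyName:        &fakeError{},
		"EnableCORS":         true,
		"ExternalAuth":       authreq.External{},
		"RateLimit":          ratelimit.RateLimit{},
		"Redirect":           rewrite.Redirect{},
		"Whitelist":          ipwhitelist.SourceRange{},
		"Proxy":              proxy.Configuration{},
		"CertificateAuth":    authtls.AuthSSLConfig{},
		"UsePortInRedirects": true,
	}

	// NOTE(review): the struct-valued entries above (BasicDigestAuth,
	// ExternalAuth, RateLimit, Redirect, Whitelist, Proxy, CertificateAuth)
	// are zero values, and loc starts out as a zero Location. If the matching
	// Location fields have these same value types, the DeepEqual check below
	// passes for them even when nothing was merged. A regression that stops
	// propagating the auth, whitelist or client-certificate configuration
	// would then go unnoticed. Populating at least one field of each struct
	// would make those checks meaningful. TODO confirm the field types on
	// ingress.Location.

	// create test table; it is snapshotted before the merge because the merge
	// is expected to delete DeniedKeyName from the map
	type fooMergeLocationAnnotationsStruct struct {
		fName string
		er    interface{}
	}
	fooTests := make([]fooMergeLocationAnnotationsStruct, 0, len(annotations))
	for name, value := range annotations {
		fooTests = append(fooTests, fooMergeLocationAnnotationsStruct{name, value})
	}

	// execute test
	mergeLocationAnnotations(&loc, annotations)

	// check result
	locValue := reflect.ValueOf(loc)
	for _, foo := range fooTests {
		field := locValue.FieldByName(foo.fName)
		if !field.IsValid() {
			// FieldByName yields the zero Value for an unknown name, and
			// calling Interface() on it panics. Report a test failure that
			// names the missing field instead.
			t.Errorf("ingress.Location has no field named %s", foo.fName)
			continue
		}
		fv := field.Interface()
		if !reflect.DeepEqual(fv, foo.er) {
			t.Errorf("Returned %v but expected %v for the field %s", fv, foo.er, foo.fName)
		}
	}
	if _, ok := annotations[DeniedKeyName]; ok {
		t.Errorf("%s should be removed after mergeLocationAnnotations", DeniedKeyName)
	}
}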