Revert Implement pathType validation (#9511) (#9607)

Signed-off-by: James Strong <strong.james.e@gmail.com>
2023-02-13 07:57:29 +01:00 · 2023-02-13 07:57:29 +01:00 · 01c9a2bf25
commit 01c9a2bf25
parent 59d247dd74
16 changed files with 211 additions and 426 deletions
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@ -30,14 +30,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"k8s.io/ingress-nginx/test/e2e/framework"
-
-	networkingv1 "k8s.io/api/networking/v1"
-)
-
-var (
-	pathExact        = networkingv1.PathTypeExact
-	pathPrefix       = networkingv1.PathTypePrefix
-	pathImplSpecific = networkingv1.PathTypeImplementationSpecific
 )

 var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
@ -160,35 +152,7 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error")
 	})

-	ginkgo.It("ADMISSION should not validate characters on ingress when validation of pathType is disabled", func() {
-		host := "admission-test"
-
-		f.UpdateNginxConfigMapData("enable-pathtype-validation", "false")
-
-		firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil)
-		firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix
-		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex chars on path and pathType validation disabled should be accepted")
-	})
-
-	ginkgo.It("ADMISSION should reject ingress with bad characters and pathType != ImplementationSpecific", func() {
-		host := "admission-test"
-
-		f.UpdateNginxConfigMapData("enable-pathtype-validation", "true")
-
-		firstIngress := framework.NewSingleIngress("first-ingress", "/xpto*", host, f.Namespace, framework.EchoService, 80, nil)
-		firstIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathPrefix
-		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
-		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid path value should return an error")
-
-		secondIngress := framework.NewSingleIngress("second-ingress", "/abc123*", host, f.Namespace, framework.EchoService, 80, nil)
-		secondIngress.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImplSpecific
-		_, err = f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), secondIngress, metav1.CreateOptions{})
-		assert.Nil(ginkgo.GinkgoT(), err, "creating an ingress with regex on path and pathType ImplementationSpecific should not return an error")
-
-	})
-
-	ginkgo.It("ADMISSION should return an error if there is a forbidden value in some annotation", func() {
+	ginkgo.It("should return an error if there is a forbidden value in some annotation", func() {
 		host := "admission-test"

 		annotations := map[string]string{
--- a/test/e2e/annotations/affinity.go
+++ b/test/e2e/annotations/affinity.go
@ -35,8 +35,6 @@ import (
 var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 	f := framework.NewDefaultFramework("affinity")

-	pathImpl := networking.PathTypeImplementationSpecific
-
 	ginkgo.BeforeEach(func() {
 		f.NewEchoDeployment(framework.WithDeploymentReplicas(2))
 	})
@ -278,8 +276,6 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 		annotations["nginx.ingress.kubernetes.io/session-cookie-path"] = "/foo/bar"

 		ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations)
-		ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl
-
 		f.EnsureIngress(ing)

 		f.WaitForNginxServer(host,
@ -303,8 +299,6 @@ var _ = framework.DescribeAnnotation("affinity session-cookie-name", func() {
 		annotations["nginx.ingress.kubernetes.io/use-regex"] = "true"

 		ing := framework.NewSingleIngress(host, "/foo/.*", host, f.Namespace, framework.EchoService, 80, annotations)
-		ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl
-
 		f.EnsureIngress(ing)

 		f.WaitForNginxServer(host,
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -720,51 +720,6 @@ http {
 		})
 	})

-	ginkgo.Context("when external authentication is configured along with CORS enabled", func() {
-		host := "auth"
-		var annotations map[string]string
-		var ing *networking.Ingress
-
-		ginkgo.BeforeEach(func() {
-			f.NewHttpbinDeployment()
-
-			var httpbinIP string
-
-			err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
-			assert.Nil(ginkgo.GinkgoT(), err)
-
-			e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
-			assert.Nil(ginkgo.GinkgoT(), err)
-
-			httpbinIP = e.Subsets[0].Addresses[0].IP
-
-			annotations = map[string]string{
-				"nginx.ingress.kubernetes.io/auth-url":    fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
-				"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
-				"nginx.ingress.kubernetes.io/enable-cors": "true",
-			}
-
-			ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
-			f.EnsureIngress(ing)
-
-			f.WaitForNginxServer(host, func(server string) bool {
-				return strings.Contains(server, "server_name auth")
-			})
-		})
-
-		ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() {
-			f.HTTPTestClient().
-				GET("/").
-				WithHeader("Host", host).
-				WithQuery("a", "b").
-				WithQuery("c", "d").
-				Expect().
-				Status(http.StatusFound).
-				Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*"))
-
-		})
-	})
-
 	ginkgo.Context("when external authentication with caching is configured", func() {
 		thisHost := "auth"
 		thatHost := "different"
--- a/test/e2e/annotations/rewrite.go
+++ b/test/e2e/annotations/rewrite.go
@ -24,15 +24,12 @@ import (
 	"github.com/onsi/ginkgo/v2"
 	"github.com/stretchr/testify/assert"

-	networking "k8s.io/api/networking/v1"
 	"k8s.io/ingress-nginx/test/e2e/framework"
 )

 var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-log", func() {
 	f := framework.NewDefaultFramework("rewrite")

-	pathImpl := networking.PathTypeImplementationSpecific
-
 	ginkgo.BeforeEach(func() {
 		f.NewEchoDeployment()
 	})
@ -129,7 +126,6 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo
 			"nginx.ingress.kubernetes.io/rewrite-target": "/new/backend",
 		}
 		ing = framework.NewSingleIngress("regex", "/foo.+", host, f.Namespace, framework.EchoService, 80, annotations)
-		ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl
 		f.EnsureIngress(ing)

 		f.WaitForNginxServer(host,
@ -172,8 +168,6 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo
 			"nginx.ingress.kubernetes.io/rewrite-target": "/new/backend",
 		}
 		ing = framework.NewSingleIngress("regex", "/foo/bar/[a-z]{3}", host, f.Namespace, framework.EchoService, 80, annotations)
-		ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl
-
 		f.EnsureIngress(ing)

 		f.WaitForNginxServer(host,
@ -202,8 +196,6 @@ var _ = framework.DescribeAnnotation("rewrite-target use-regex enable-rewrite-lo
 			"nginx.ingress.kubernetes.io/rewrite-target": "/new/backend/$1",
 		}
 		ing := framework.NewSingleIngress("regex", "/foo/bar/(.+)", host, f.Namespace, framework.EchoService, 80, annotations)
-		ing.Spec.Rules[0].IngressRuleValue.HTTP.Paths[0].PathType = &pathImpl
-
 		f.EnsureIngress(ing)

 		f.WaitForNginxServer(host,
--- a/test/e2e/security/invalid_paths.go
+++ b/test/e2e/security/invalid_paths.go
@ -0,0 +1,134 @@
+/*
+Copyright 2022 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package security
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/onsi/ginkgo/v2"
+
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+const (
+	validPath   = "/xpto/~user/t-e_st.exe"
+	invalidPath = "/foo/bar/;xpto"
+	regexPath   = "/foo/bar/(.+)"
+	host        = "securitytest.com"
+)
+
+var (
+	annotationRegex = map[string]string{
+		"nginx.ingress.kubernetes.io/use-regex": "true",
+	}
+)
+
+var _ = framework.IngressNginxDescribe("[Security] validate path fields", func() {
+	f := framework.NewDefaultFramework("validate-path")
+
+	ginkgo.BeforeEach(func() {
+		f.NewEchoDeployment()
+	})
+
+	ginkgo.It("should accept an ingress with valid path", func() {
+
+		ing := framework.NewSingleIngress(host, validPath, host, f.Namespace, framework.EchoService, 80, nil)
+
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.HTTPTestClient().
+			GET(validPath).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
+	})
+
+	ginkgo.It("should drop an ingress with invalid path", func() {
+
+		ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, nil)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.HTTPTestClient().
+			GET(invalidPath).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusNotFound)
+	})
+
+	ginkgo.It("should drop an ingress with regex path and regex disabled", func() {
+
+		ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, nil)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.HTTPTestClient().
+			GET("/foo/bar/lalala").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusNotFound)
+	})
+
+	ginkgo.It("should accept an ingress with regex path and regex enabled", func() {
+
+		ing := framework.NewSingleIngress(host, regexPath, host, f.Namespace, framework.EchoService, 80, annotationRegex)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.HTTPTestClient().
+			GET("/foo/bar/lalala").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
+	})
+
+	ginkgo.It("should reject an ingress with invalid path and regex enabled", func() {
+
+		ing := framework.NewSingleIngress(host, invalidPath, host, f.Namespace, framework.EchoService, 80, annotationRegex)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.HTTPTestClient().
+			GET(invalidPath).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusNotFound)
+	})
+})