annotation to ignore given list of WAF rulesets (#2314)

2018-04-08 21:55:23 -04:00 · 2018-04-08 21:55:23 -04:00 · 16faf309ca
commit 16faf309ca
parent a6fe800a47
6 changed files with 59 additions and 9 deletions
--- a/internal/file/bindata.go
+++ b/internal/file/bindata.go
--- a/internal/ingress/annotations/luarestywaf/main.go
+++ b/internal/ingress/annotations/luarestywaf/main.go
@ -17,6 +17,9 @@ limitations under the License.
 package luarestywaf

 import (
+	"reflect"
+	"strings"
+
 	extensions "k8s.io/api/extensions/v1beta1"

 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
@ -25,8 +28,9 @@ import (

 // Config returns lua-resty-waf configuration for an Ingress rule
 type Config struct {
-	Enabled bool `json:"enabled"`
-	Debug   bool `json:"debug"`
+	Enabled         bool     `json:"enabled"`
+	Debug           bool     `json:"debug"`
+	IgnoredRuleSets []string `json: "ignored-rulesets"`
 }

 // Equal tests for equality between two Config types
@ -43,6 +47,9 @@ func (e1 *Config) Equal(e2 *Config) bool {
 	if e1.Debug != e2.Debug {
 		return false
 	}
+	if !reflect.DeepEqual(e1.IgnoredRuleSets, e2.IgnoredRuleSets) {
+		return false
+	}

 	return true
 }
@ -67,8 +74,15 @@ func (a luarestywaf) Parse(ing *extensions.Ingress) (interface{}, error) {

 	debug, _ := parser.GetBoolAnnotation("lua-resty-waf-debug", ing)

+	ignoredRuleSetsStr, _ := parser.GetStringAnnotation("lua-resty-waf-ignore-rulesets", ing)
+	ignoredRuleSets := strings.FieldsFunc(ignoredRuleSetsStr, func(c rune) bool {
+		strC := string(c)
+		return strC == "," || strC == " "
+	})
+
 	return &Config{
-		Enabled: enabled,
-		Debug:   debug,
+		Enabled:         enabled,
+		Debug:           debug,
+		IgnoredRuleSets: ignoredRuleSets,
 	}, nil
 }
--- a/internal/ingress/annotations/luarestywaf/main_test.go
+++ b/internal/ingress/annotations/luarestywaf/main_test.go
@ -29,6 +29,7 @@ import (
 func TestParse(t *testing.T) {
 	luaRestyWAFAnnotation := parser.GetAnnotationWithPrefix("lua-resty-waf")
 	luaRestyWAFDebugAnnotation := parser.GetAnnotationWithPrefix("lua-resty-waf-debug")
+	luaRestyWAFIgnoredRuleSetsAnnotation := parser.GetAnnotationWithPrefix("lua-resty-waf-ignore-rulesets")

 	ap := NewParser(&resolver.Mock{})
 	if ap == nil {
@ -42,12 +43,18 @@ func TestParse(t *testing.T) {
 		{nil, &Config{}},
 		{map[string]string{}, &Config{}},

-		{map[string]string{luaRestyWAFAnnotation: "true"}, &Config{Enabled: true, Debug: false}},
+		{map[string]string{luaRestyWAFAnnotation: "true"}, &Config{Enabled: true, Debug: false, IgnoredRuleSets: []string{}}},
 		{map[string]string{luaRestyWAFDebugAnnotation: "true"}, &Config{Enabled: false, Debug: false}},

-		{map[string]string{luaRestyWAFAnnotation: "true", luaRestyWAFDebugAnnotation: "true"}, &Config{Enabled: true, Debug: true}},
-		{map[string]string{luaRestyWAFAnnotation: "true", luaRestyWAFDebugAnnotation: "false"}, &Config{Enabled: true, Debug: false}},
-		{map[string]string{luaRestyWAFAnnotation: "false", luaRestyWAFDebugAnnotation: "true"}, &Config{Enabled: false, Debug: true}},
+		{map[string]string{luaRestyWAFAnnotation: "true", luaRestyWAFDebugAnnotation: "true"}, &Config{Enabled: true, Debug: true, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "true", luaRestyWAFDebugAnnotation: "false"}, &Config{Enabled: true, Debug: false, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "false", luaRestyWAFDebugAnnotation: "true"}, &Config{Enabled: false, Debug: true, IgnoredRuleSets: []string{}}},
+
+		{map[string]string{
+			luaRestyWAFAnnotation:                "true",
+			luaRestyWAFDebugAnnotation:           "true",
+			luaRestyWAFIgnoredRuleSetsAnnotation: "ruleset1, ruleset2 ruleset3,   another.ruleset"},
+			&Config{Enabled: true, Debug: true, IgnoredRuleSets: []string{"ruleset1", "ruleset2", "ruleset3", "another.ruleset"}}},
 	}

 	ing := &extensions.Ingress{