Use authentication and add example

2016-05-11 02:22:17 -03:00 · 2016-05-11 02:22:17 -03:00 · 221b823ca7
commit 221b823ca7
parent 8fd6ec61fe
5 changed files with 284 additions and 56 deletions
--- a/controllers/nginx/auth/main.go
+++ b/controllers/nginx/auth/main.go
@ -17,10 +17,13 @@ limitations under the License.
 package auth

 import (
-	"bytes"
 	"errors"
 	"fmt"
 	"io/ioutil"
+	"os"
+	"regexp"
+
+	"github.com/golang/glog"

 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@ -33,11 +36,19 @@ const (
 	authRealm  = "ingress-nginx.kubernetes.io/auth-realm"

 	defAuthRealm = "Authentication Required"
+
+	// DefAuthDirectory default directory used to store files
+	// to authenticate request in NGINX
+	DefAuthDirectory = "/etc/nginx/auth"
 )

+func init() {
+	// TODO: check permissions required
+	os.MkdirAll(DefAuthDirectory, 0655)
+}
+
 var (
-	authTypeRegex = "basic|digest"
-	authDir       = "/etc/nginx/auth"
+	authTypeRegex = regexp.MustCompile(`basic|digest`)

 	// ErrInvalidAuthType is return in case of unsupported authentication type
 	ErrInvalidAuthType = errors.New("invalid authentication type")
@ -47,14 +58,27 @@ var (

 	// ErrMissingSecretName is returned when the name of the secret is missing
 	ErrMissingSecretName = errors.New("secret name is missing")
+
+	// ErrMissingAuthInSecret is returned when there is no auth key in secret data
+	ErrMissingAuthInSecret = errors.New("the secret does not contains the auth key")
 )

+// ErrMissingAnnotations is returned when the ingress rule
+// does not contains annotations related with authentication
+type ErrMissingAnnotations struct {
+	msg string
+}
+
+func (e ErrMissingAnnotations) Error() string {
+	return e.msg
+}
+
 // Nginx returns authentication configuration for an Ingress rule
 type Nginx struct {
-	Type   string
-	Secret *api.Secret
-	Realm  string
-	File   string
+	Type    string
+	Realm   string
+	File    string
+	Secured bool
 }

 type ingAnnotations map[string]string
@ -65,7 +89,8 @@ func (a ingAnnotations) authType() (string, error) {
 		return "", ErrMissingAuthType
 	}

-	if val != "basic" || val != "digest" {
+	if !authTypeRegex.MatchString(val) {
+		glog.Warningf("%v is not a valid authentication type", val)
 		return "", ErrInvalidAuthType
 	}

@ -90,52 +115,59 @@ func (a ingAnnotations) secretName() (string, error) {
 	return val, nil
 }

-// Parse parses the annotations contained in the ingress rule
-// used to add authentication in the paths defined in the rule
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to add authentication in the paths defined in the rule
 // and generated an htpasswd compatible file to be used as source
 // during the authentication process
-func Parse(kubeClient client.Interface, ing *extensions.Ingress) (*Nginx, error) {
+func ParseAnnotations(kubeClient client.Interface, ing *extensions.Ingress, authDir string) (*Nginx, error) {
+	if ing.GetAnnotations() == nil {
+		return &Nginx{}, ErrMissingAnnotations{"missing authentication annotations"}
+	}
+
 	at, err := ingAnnotations(ing.GetAnnotations()).authType()
 	if err != nil {
-		return nil, err
+		return &Nginx{}, err
 	}

 	s, err := ingAnnotations(ing.GetAnnotations()).secretName()
 	if err != nil {
-		return nil, err
+		return &Nginx{}, err
 	}

 	secret, err := kubeClient.Secrets(ing.Namespace).Get(s)
 	if err != nil {
-		return nil, err
+		return &Nginx{}, err
 	}

 	realm := ingAnnotations(ing.GetAnnotations()).realm()

 	passFile := fmt.Sprintf("%v/%v-%v.passwd", authDir, ing.GetNamespace(), ing.GetName())
-	err = dumpSecret(passFile, at, secret)
+	err = dumpSecret(passFile, secret)
 	if err != nil {
-		return nil, err
+		return &Nginx{}, err
 	}

-	n := &Nginx{
-		Type:   at,
-		Secret: secret,
-		Realm:  realm,
-		File:   passFile,
-	}
-
-	return n, nil
+	return &Nginx{
+		Type:    at,
+		Realm:   realm,
+		File:    passFile,
+		Secured: true,
+	}, nil
 }

 // dumpSecret dumps the content of a secret into a file
 // in the expected format for the specified authorization
-func dumpSecret(filename, auth string, secret *api.Secret) error {
-	buf := bytes.NewBuffer([]byte{})
-
-	for key, value := range secret.Data {
-		fmt.Fprintf(buf, "%v:%s\n", key, value)
+func dumpSecret(filename string, secret *api.Secret) error {
+	val, ok := secret.Data["auth"]
+	if !ok {
+		return ErrMissingAuthInSecret
 	}

-	return ioutil.WriteFile(filename, buf.Bytes(), 600)
+	// TODO: check permissions required
+	err := ioutil.WriteFile(filename, val, 0777)
+	if err != nil {
+		return err
+	}
+
+	return nil
 }
--- a/controllers/nginx/auth/main_test.go
+++ b/controllers/nginx/auth/main_test.go
@ -17,7 +17,11 @@ limitations under the License.
 package auth

 import (
+	"fmt"
+	"io/ioutil"
+	"os"
 	"testing"
+	"time"

 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apis/extensions"
@ -65,15 +69,20 @@ type secretsClient struct {
 	unversioned.Interface
 }

-func mockClient() *testclient.Fake {
-	secretObj := &api.Secret{
+// dummySecret generates a secret with one user inside the auth key
+// foo:md5(bar)
+func dummySecret() *api.Secret {
+	return &api.Secret{
 		ObjectMeta: api.ObjectMeta{
 			Namespace: api.NamespaceDefault,
 			Name:      "demo-secret",
 		},
+		Data: map[string][]byte{"auth": []byte("foo:$apr1$OFG3Xybp$ckL0FHDAkoXYIlH9.cysT0")},
 	}
+}

-	return testclient.NewSimpleFake(secretObj)
+func mockClient() *testclient.Fake {
+	return testclient.NewSimpleFake(dummySecret())
 }

 func TestAnnotations(t *testing.T) {
@ -121,21 +130,77 @@ func TestAnnotations(t *testing.T) {
 func TestIngressWithoutAuth(t *testing.T) {
 	ing := buildIngress()
 	client := mockClient()
-	_, err := Parse(client, ing)
+	_, err := ParseAnnotations(client, ing, "")
 	if err == nil {
 		t.Error("Expected error with ingress without annotations")
 	}

-	if err != ErrMissingAuthType {
+	if err == ErrMissingAuthType {
 		t.Errorf("Expected MissingAuthType error but returned %v", err)
 	}
 }

-func TestIngressBasicAuth(t *testing.T) {
+func TestIngressAuth(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	data[authType] = "basic"
+	data[authSecret] = "demo-secret"
+	data[authRealm] = "-realm-"
+	ing.SetAnnotations(data)
+
+	_, dir, _ := dummySecretContent(t)
+	defer os.RemoveAll(dir)
+
+	client := mockClient()
+	nginxAuth, err := ParseAnnotations(client, ing, dir)
+	if err != nil {
+		t.Errorf("Uxpected error with ingress: %v", err)
+	}
+
+	if nginxAuth.Type != "basic" {
+		t.Errorf("Expected basic as auth type but returned %s", nginxAuth.Type)
+	}
+	if nginxAuth.Realm != "-realm-" {
+		t.Errorf("Expected -realm- as realm but returned %s", nginxAuth.Realm)
+	}
+	if nginxAuth.Secured != true {
+		t.Errorf("Expected true as secured but returned %v", nginxAuth.Secured)
+	}
 }

-func TestIngressDigestAuth(t *testing.T) {
+func dummySecretContent(t *testing.T) (string, string, *api.Secret) {
+	dir, err := ioutil.TempDir("", fmt.Sprintf("%v", time.Now().Unix()))
+	if err != nil {
+		t.Error(err)
+	}
+
+	tmpfile, err := ioutil.TempFile("", "example-")
+	if err != nil {
+		t.Error(err)
+	}
+	defer tmpfile.Close()
+
+	s := dummySecret()
+
+	return tmpfile.Name(), dir, s
 }

-func TestIngressMissingAnnotation(t *testing.T) {
+func TestDumpSecret(t *testing.T) {
+	tmpfile, dir, s := dummySecretContent(t)
+	defer os.RemoveAll(dir)
+
+	sd := s.Data
+	s.Data = nil
+
+	err := dumpSecret(tmpfile, s)
+	if err == nil {
+		t.Errorf("Expected error with secret without auth")
+	}
+
+	s.Data = sd
+	err = dumpSecret(tmpfile, s)
+	if err != nil {
+		t.Errorf("Unexpected error creating htpasswd file %v: %v", tmpfile, err)
+	}
 }