feat: auth-req caching

add a way to configure the `proxy_cache_*` [1] directive for external-auth. The user-defined cache_key may contain sensitive information (e.g. Authorization header). We want to store *only* a hash of that key, not the key itself on disk. [1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2019-07-07 18:34:56 +02:00 · 2019-07-07 18:34:56 +02:00 · 23504db770
commit 23504db770
parent e0e7b57ce0
13 changed files with 583 additions and 52 deletions
--- a/internal/ingress/controller/template/configmap.go
+++ b/internal/ingress/controller/template/configmap.go
@ -57,6 +57,8 @@ const (
 	globalAuthResponseHeaders = "global-auth-response-headers"
 	globalAuthRequestRedirect = "global-auth-request-redirect"
 	globalAuthSnippet         = "global-auth-snippet"
+	globalAuthCacheKey        = "global-auth-cache-key"
+	globalAuthCacheDuration   = "global-auth-cache-duration"
 )

 var (
@ -226,6 +228,23 @@ func ReadConfig(src map[string]string) config.Configuration {
 		to.GlobalExternalAuth.AuthSnippet = val
 	}

+	if val, ok := conf[globalAuthCacheKey]; ok {
+		delete(conf, globalAuthCacheKey)
+
+		to.GlobalExternalAuth.AuthCacheKey = val
+	}
+
+	// Verify that the configured global external authorization cache duration is valid
+	if val, ok := conf[globalAuthCacheDuration]; ok {
+		delete(conf, globalAuthCacheDuration)
+
+		cacheDurations, err := authreq.ParseStringToCacheDurations(val)
+		if err != nil {
+			klog.Warningf("Global auth location denied - %s", err)
+		}
+		to.GlobalExternalAuth.AuthCacheDuration = cacheDurations
+	}
+
 	// Verify that the configured timeout is parsable as a duration. if not, set the default value
 	if val, ok := conf[proxyHeaderTimeout]; ok {
 		delete(conf, proxyHeaderTimeout)