feat: auth-req caching

add a way to configure the `proxy_cache_*` [1] directive for external-auth. The user-defined cache_key may contain sensitive information (e.g. Authorization header). We want to store *only* a hash of that key, not the key itself on disk. [1] http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_key Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
2019-07-07 18:34:56 +02:00 · 2019-07-07 18:34:56 +02:00 · 23504db770
commit 23504db770
parent e0e7b57ce0
13 changed files with 583 additions and 52 deletions
--- a/test/e2e/settings/global_external_auth.go
+++ b/test/e2e/settings/global_external_auth.go
@ -19,6 +19,7 @@ package settings
 import (
 	"fmt"
 	"net/http"
+	"time"

 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -146,6 +147,52 @@ var _ = framework.IngressNginxDescribe("Global External Auth", func() {
 			Expect(barResp.StatusCode).Should(Equal(http.StatusOK))
 		})

+		It("should still return status code 200 after auth backend is deleted using cache ", func() {
+
+			globalExternalAuthCacheKeySetting := "global-auth-cache-key"
+			globalExternalAuthCacheKey := "foo"
+			globalExternalAuthCacheDurationSetting := "global-auth-cache-duration"
+			globalExternalAuthCacheDuration := "200 201 401 30m"
+			globalExternalAuthURL := fmt.Sprintf("http://httpbin.%s.svc.cluster.local:80/status/200", f.Namespace)
+
+			By("Adding a global-auth-cache-key to configMap")
+			f.UpdateNginxConfigMapData(globalExternalAuthCacheKeySetting, globalExternalAuthCacheKey)
+			f.UpdateNginxConfigMapData(globalExternalAuthCacheDurationSetting, globalExternalAuthCacheDuration)
+			f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, globalExternalAuthURL)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return Expect(server).Should(MatchRegexp(`\$cache_key.*foo`)) &&
+						Expect(server).Should(ContainSubstring(`proxy_cache_valid 200 201 401 30m;`))
+				})
+
+			resp, _, errs := gorequest.New().
+				Get(f.GetURL(framework.HTTP)+barPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", host).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+
+			err := f.DeleteDeployment("httpbin")
+			Expect(err).NotTo(HaveOccurred())
+
+			resp, _, errs = gorequest.New().
+				Get(f.GetURL(framework.HTTP)).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", host).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+		})
+
 		It(`should proxy_method method when global-auth-method is configured`, func() {

 			globalExternalAuthMethodSetting := "global-auth-method"