Allows ModSecurity to be configured per location

The following annotations will be added: - enable-modsecurity - enable-owasp-core-rules - modsecurity-transaction-id Fixes #3167
2018-11-03 23:14:27 -05:00 · 2018-11-03 23:14:27 -05:00 · 5195600841
commit 5195600841
parent 17cad51e47
9 changed files with 307 additions and 7 deletions
--- a/internal/ingress/annotations/modsecurity/main.go
+++ b/internal/ingress/annotations/modsecurity/main.go
@ -0,0 +1,88 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package modsecurity
+
+import (
+	extensions "k8s.io/api/extensions/v1beta1"
+
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+)
+
+// Config contains the AuthSSLCert used for mutual authentication
+// and the configured ValidationDepth
+type Config struct {
+	Enable        bool   `json:"enable-modsecurity"`
+	OWASPRules    bool   `json:"enable-owasp-core-rules"`
+	TransactionID string `json:"modsecurity-transaction-id"`
+}
+
+// Equal tests for equality between two Config types
+func (modsec1 *Config) Equal(modsec2 *Config) bool {
+	if modsec1 == modsec2 {
+		return true
+	}
+	if modsec1 == nil || modsec2 == nil {
+		return false
+	}
+	if modsec1.Enable != modsec2.Enable {
+		return false
+	}
+	if modsec1.OWASPRules != modsec2.OWASPRules {
+		return false
+	}
+	if modsec1.TransactionID != modsec2.TransactionID {
+		return false
+	}
+
+	return true
+}
+
+// NewParser creates a new ModSecurity annotation parser
+func NewParser(resolver resolver.Resolver) parser.IngressAnnotation {
+	return modSecurity{resolver}
+}
+
+type modSecurity struct {
+	r resolver.Resolver
+}
+
+// Parse parses the annotations contained in the ingress
+// rule used to enable ModSecurity in a particular location
+func (a modSecurity) Parse(ing *extensions.Ingress) (interface{}, error) {
+
+	enableModSecurity, err := parser.GetBoolAnnotation("enable-modsecurity", ing)
+	if err != nil {
+		enableModSecurity = false
+	}
+
+	owaspRules, err := parser.GetBoolAnnotation("enable-owasp-core-rules", ing)
+	if err != nil {
+		owaspRules = false
+	}
+
+	transactionID, err := parser.GetStringAnnotation("modsecurity-transaction-id", ing)
+	if err != nil {
+		transactionID = ""
+	}
+
+	return Config{
+		Enable:        enableModSecurity,
+		OWASPRules:    owaspRules,
+		TransactionID: transactionID,
+	}, nil
+}
--- a/internal/ingress/annotations/modsecurity/main_test.go
+++ b/internal/ingress/annotations/modsecurity/main_test.go
@ -0,0 +1,73 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package modsecurity
+
+import (
+	"testing"
+
+	api "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+)
+
+func TestParse(t *testing.T) {
+	enable := parser.GetAnnotationWithPrefix("enable-modsecurity")
+	owasp := parser.GetAnnotationWithPrefix("enable-owasp-core-rules")
+	transID := parser.GetAnnotationWithPrefix("modsecurity-transaction-id")
+
+	ap := NewParser(&resolver.Mock{})
+	if ap == nil {
+		t.Fatalf("expected a parser.IngressAnnotation but returned nil")
+	}
+
+	testCases := []struct {
+		annotations map[string]string
+		expected    Config
+	}{
+		{map[string]string{enable: "true"}, Config{true, false, ""}},
+		{map[string]string{enable: "false"}, Config{false, false, ""}},
+		{map[string]string{enable: ""}, Config{false, false, ""}},
+
+		{map[string]string{owasp: "true"}, Config{false, true, ""}},
+		{map[string]string{owasp: "false"}, Config{false, false, ""}},
+		{map[string]string{owasp: ""}, Config{false, false, ""}},
+
+		{map[string]string{transID: "ok"}, Config{false, false, "ok"}},
+		{map[string]string{transID: ""}, Config{false, false, ""}},
+
+		{map[string]string{}, Config{false, false, ""}},
+		{nil, Config{false, false, ""}},
+	}
+
+	ing := &extensions.Ingress{
+		ObjectMeta: meta_v1.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{},
+	}
+
+	for _, testCase := range testCases {
+		ing.SetAnnotations(testCase.annotations)
+		result, _ := ap.Parse(ing)
+		if result != testCase.expected {
+			t.Errorf("expected %v but returned %v, annotations: %s", testCase.expected, result, testCase.annotations)
+		}
+	}
+}