Merge pull request #4278 from moolen/feat/auth-req-cache

feat: auth-req caching
2019-07-17 12:06:12 -07:00 · 2019-07-17 12:06:12 -07:00 · 589c9a20f9
commit 589c9a20f9
parent 84af99b512 23504db770
13 changed files with 583 additions and 52 deletions
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -260,6 +260,26 @@ var _ = framework.IngressNginxDescribe("Annotations - Auth", func() {
 			})
 	})

+	It(`should set cache_key when external auth cache is configured`, func() {
+		host := "auth"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-url":            "http://foo.bar/basic-auth/user/password",
+			"nginx.ingress.kubernetes.io/auth-cache-key":      "foo",
+			"nginx.ingress.kubernetes.io/auth-cache-duration": "200 202 401 30m",
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, "http-svc", 80, &annotations)
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return Expect(server).Should(MatchRegexp(`\$cache_key.*foo`)) &&
+					Expect(server).Should(ContainSubstring(`proxy_cache_valid 200 202 401 30m;`))
+
+			})
+	})
+
 	Context("when external authentication is configured", func() {
 		host := "auth"

@ -322,6 +342,185 @@ var _ = framework.IngressNginxDescribe("Annotations - Auth", func() {
 			Expect(resp.Header.Get("Location")).Should(Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d"))))
 		})
 	})
+
+	Context("when external authentication with caching is configured", func() {
+		thisHost := "auth"
+		thatHost := "different"
+
+		fooPath := "/foo"
+		barPath := "/bar"
+
+		BeforeEach(func() {
+			f.NewHttpbinDeployment()
+
+			var httpbinIP string
+
+			err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, "httpbin", f.Namespace, 1)
+			Expect(err).NotTo(HaveOccurred())
+
+			e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get("httpbin", metav1.GetOptions{})
+			Expect(err).NotTo(HaveOccurred())
+
+			httpbinIP = e.Subsets[0].Addresses[0].IP
+
+			annotations := map[string]string{
+				"nginx.ingress.kubernetes.io/auth-url":            fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
+				"nginx.ingress.kubernetes.io/auth-signin":         "http://$host/auth/start",
+				"nginx.ingress.kubernetes.io/auth-cache-key":      "fixed",
+				"nginx.ingress.kubernetes.io/auth-cache-duration": "200 201 401 30m",
+			}
+
+			for _, host := range []string{thisHost, thatHost} {
+				By("Adding an ingress rule for /foo")
+				fooIng := framework.NewSingleIngress(fmt.Sprintf("foo-%s-ing", host), fooPath, host, f.Namespace, "http-svc", 80, &annotations)
+				f.EnsureIngress(fooIng)
+				f.WaitForNginxServer(host, func(server string) bool {
+					return Expect(server).Should(ContainSubstring("location /foo"))
+				})
+
+				By("Adding an ingress rule for /bar")
+				barIng := framework.NewSingleIngress(fmt.Sprintf("bar-%s-ing", host), barPath, host, f.Namespace, "http-svc", 80, &annotations)
+				f.EnsureIngress(barIng)
+				f.WaitForNginxServer(host, func(server string) bool {
+					return Expect(server).Should(ContainSubstring("location /bar"))
+				})
+			}
+		})
+
+		It("should return status code 200 when signed in after auth backend is deleted ", func() {
+			resp, _, errs := gorequest.New().
+				Get(f.GetURL(framework.HTTP)+fooPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thisHost).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+
+			err := f.DeleteDeployment("httpbin")
+			Expect(err).NotTo(HaveOccurred())
+
+			resp, _, errs = gorequest.New().
+				Get(f.GetURL(framework.HTTP)+fooPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thisHost).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+		})
+
+		It("should deny login for different location on same server", func() {
+			resp, _, errs := gorequest.New().
+				Get(f.GetURL(framework.HTTP)+fooPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thisHost).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+
+			err := f.DeleteDeployment("httpbin")
+			Expect(err).NotTo(HaveOccurred())
+
+			resp, _, errs = gorequest.New().
+				Get(f.GetURL(framework.HTTP)+fooPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thisHost).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+
+			resp, _, errs = gorequest.New().
+				Get(f.GetURL(framework.HTTP)+barPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thisHost).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+
+			By("receiving an internal server error without cache on location /bar")
+			Expect(resp.StatusCode).Should(Equal(http.StatusInternalServerError))
+		})
+
+		It("should deny login for different servers", func() {
+			By("logging into server thisHost /foo")
+			resp, _, errs := gorequest.New().
+				Get(f.GetURL(framework.HTTP)+fooPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thisHost).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+
+			err := f.DeleteDeployment("httpbin")
+			Expect(err).NotTo(HaveOccurred())
+
+			resp, _, errs = gorequest.New().
+				Get(f.GetURL(framework.HTTP)+fooPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thisHost).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+
+			resp, _, errs = gorequest.New().
+				Get(f.GetURL(framework.HTTP)+fooPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thatHost).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+
+			By("receiving an internal server error without cache on thisHost location /bar")
+			Expect(resp.StatusCode).Should(Equal(http.StatusInternalServerError))
+		})
+
+		It("should redirect to signin url when not signed in", func() {
+			resp, _, errs := gorequest.New().
+				Get(f.GetURL(framework.HTTP)).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", thisHost).
+				RedirectPolicy(func(req gorequest.Request, via []gorequest.Request) error {
+					return http.ErrUseLastResponse
+				}).
+				Param("a", "b").
+				Param("c", "d").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+			Expect(resp.StatusCode).Should(Equal(http.StatusFound))
+			Expect(resp.Header.Get("Location")).Should(Equal(fmt.Sprintf("http://%s/auth/start?rd=http://%s%s", thisHost, thisHost, url.QueryEscape("/?a=b&c=d"))))
+		})
+	})
 })

 // TODO: test Digest Auth
--- a/test/e2e/framework/deployment.go
+++ b/test/e2e/framework/deployment.go
@ -17,6 +17,8 @@ limitations under the License.
 package framework

 import (
+	"time"
+
 	. "github.com/onsi/gomega"

 	appsv1 "k8s.io/api/apps/v1"
@ -138,3 +140,14 @@ func (f *Framework) NewDeployment(name, image string, port int32, replicas int32
 	err = WaitForEndpoints(f.KubeClientSet, DefaultTimeout, name, f.Namespace, int(replicas))
 	Expect(err).NotTo(HaveOccurred(), "failed to wait for endpoints to become ready")
 }
+
+// DeleteDeployment deletes a deployment with a particular name and waits for the pods to be deleted
+func (f *Framework) DeleteDeployment(name string) error {
+	d, err := f.KubeClientSet.AppsV1().Deployments(f.Namespace).Get(name, metav1.GetOptions{})
+	Expect(err).NotTo(HaveOccurred(), "failed to get a deployment")
+	err = f.KubeClientSet.AppsV1().Deployments(f.Namespace).Delete(name, &metav1.DeleteOptions{})
+	Expect(err).NotTo(HaveOccurred(), "failed to delete a deployment")
+	return WaitForPodsDeleted(f.KubeClientSet, time.Second*60, f.Namespace, metav1.ListOptions{
+		LabelSelector: labelSelectorToString(d.Spec.Selector.MatchLabels),
+	})
+}
--- a/test/e2e/framework/k8s.go
+++ b/test/e2e/framework/k8s.go
@ -143,6 +143,21 @@ func WaitForPodsReady(kubeClientSet kubernetes.Interface, timeout time.Duration,
 	})
 }

+// WaitForPodsDeleted waits for a given amount of time until a group of Pods are deleted in the given namespace.
+func WaitForPodsDeleted(kubeClientSet kubernetes.Interface, timeout time.Duration, namespace string, opts metav1.ListOptions) error {
+	return wait.Poll(2*time.Second, timeout, func() (bool, error) {
+		pl, err := kubeClientSet.CoreV1().Pods(namespace).List(opts)
+		if err != nil {
+			return false, nil
+		}
+
+		if len(pl.Items) == 0 {
+			return true, nil
+		}
+		return false, nil
+	})
+}
+
 // WaitForEndpoints waits for a given amount of time until an endpoint contains.
 func WaitForEndpoints(kubeClientSet kubernetes.Interface, timeout time.Duration, name, ns string, expectedEndpoints int) error {
 	if expectedEndpoints == 0 {
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@ -288,6 +288,14 @@ func podRunning(c kubernetes.Interface, podName, namespace string) wait.Conditio
 	}
 }

+func labelSelectorToString(labels map[string]string) string {
+	var str string
+	for k, v := range labels {
+		str += fmt.Sprintf("%s=%s,", k, v)
+	}
+	return str[:len(str)-1]
+}
+
 // NewInt32 converts int32 to a pointer
 func NewInt32(val int32) *int32 {
 	p := new(int32)
--- a/test/e2e/settings/global_external_auth.go
+++ b/test/e2e/settings/global_external_auth.go
@ -19,6 +19,7 @@ package settings
 import (
 	"fmt"
 	"net/http"
+	"time"

 	. "github.com/onsi/ginkgo"
 	. "github.com/onsi/gomega"
@ -146,6 +147,52 @@ var _ = framework.IngressNginxDescribe("Global External Auth", func() {
 			Expect(barResp.StatusCode).Should(Equal(http.StatusOK))
 		})

+		It("should still return status code 200 after auth backend is deleted using cache ", func() {
+
+			globalExternalAuthCacheKeySetting := "global-auth-cache-key"
+			globalExternalAuthCacheKey := "foo"
+			globalExternalAuthCacheDurationSetting := "global-auth-cache-duration"
+			globalExternalAuthCacheDuration := "200 201 401 30m"
+			globalExternalAuthURL := fmt.Sprintf("http://httpbin.%s.svc.cluster.local:80/status/200", f.Namespace)
+
+			By("Adding a global-auth-cache-key to configMap")
+			f.UpdateNginxConfigMapData(globalExternalAuthCacheKeySetting, globalExternalAuthCacheKey)
+			f.UpdateNginxConfigMapData(globalExternalAuthCacheDurationSetting, globalExternalAuthCacheDuration)
+			f.UpdateNginxConfigMapData(globalExternalAuthURLSetting, globalExternalAuthURL)
+
+			f.WaitForNginxServer(host,
+				func(server string) bool {
+					return Expect(server).Should(MatchRegexp(`\$cache_key.*foo`)) &&
+						Expect(server).Should(ContainSubstring(`proxy_cache_valid 200 201 401 30m;`))
+				})
+
+			resp, _, errs := gorequest.New().
+				Get(f.GetURL(framework.HTTP)+barPath).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", host).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+
+			err := f.DeleteDeployment("httpbin")
+			Expect(err).NotTo(HaveOccurred())
+
+			resp, _, errs = gorequest.New().
+				Get(f.GetURL(framework.HTTP)).
+				Retry(10, 1*time.Second, http.StatusNotFound).
+				Set("Host", host).
+				SetBasicAuth("user", "password").
+				End()
+
+			for _, err := range errs {
+				Expect(err).NotTo(HaveOccurred())
+			}
+		})
+
 		It(`should proxy_method method when global-auth-method is configured`, func() {

 			globalExternalAuthMethodSetting := "global-auth-method"