Enable security features by default (#11819)

2024-08-23 00:45:51 -03:00 · 2024-08-23 00:45:51 -03:00 · 7b4e4e2fa1
commit 7b4e4e2fa1
parent b79551287e
28 changed files with 103 additions and 262 deletions
--- a/test/e2e/settings/badannotationvalues.go
+++ b/test/e2e/settings/badannotationvalues.go
@ -34,14 +34,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 	})

 	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()
 		host := "invalid-value-test"

 		annotations := map[string]string{
@ -50,7 +44,6 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 		}

 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
-		f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
 		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,{")

 		f.EnsureIngress(ing)
@ -73,14 +66,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 	})

 	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()

 		host := "forbidden-value-test"

@ -93,7 +80,6 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 		}

 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
-		f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
 		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,content_by_lua_block")
 		// Sleep a while just to guarantee that the configmap is applied
 		framework.Sleep()
@ -117,14 +103,9 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 	})

 	ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()
+
 		hostValid := "custom-allowed-value-test"
 		annotationsValid := map[string]string{
 			"nginx.ingress.kubernetes.io/configuration-snippet": `
@ -155,14 +136,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 	})

 	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()
 		host := "custom-forbidden-value-test"

 		annotations := map[string]string{
--- a/test/e2e/settings/geoip2.go
+++ b/test/e2e/settings/geoip2.go
@ -69,15 +69,9 @@ var _ = framework.DescribeSetting("Geoip2", func() {
 	ginkgo.It("should only allow requests from specific countries", func() {
 		ginkgo.Skip("GeoIP test are temporarily disabled")

-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-			"use-geoip2":                "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()
+		f.UpdateNginxConfigMapData("use-geoip2", "true")

 		httpSnippetAllowingOnlyAustralia := `map $geoip2_city_country_code $blocked_country {
  default 1;
--- a/test/e2e/settings/proxy_host.go
+++ b/test/e2e/settings/proxy_host.go
@ -34,14 +34,9 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() {
 	})

 	ginkgo.It("should exist a proxy_host", func() {
-		f.SetNginxConfigMapData(map[string]string{
-			"allow-snippet-annotations": "true",
-		})
-		defer func() {
-			f.SetNginxConfigMapData(map[string]string{
-				"allow-snippet-annotations": "false",
-			})
-		}()
+		disableSnippet := f.AllowSnippetConfiguration()
+		defer disableSnippet()
+
 		upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService)
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Custom-Header: $proxy_host"`,
@ -65,10 +60,12 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() {
 	ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() {
 		f.SetNginxConfigMapData(map[string]string{
 			"allow-snippet-annotations": "true",
+			"annotations-risk-level":    "Critical", // To allow Configuration Snippet
 		})
 		defer func() {
 			f.SetNginxConfigMapData(map[string]string{
 				"allow-snippet-annotations": "false",
+				"annotations-risk-level":    "High",
 			})
 		}()

--- a/test/e2e/settings/server_snippet.go
+++ b/test/e2e/settings/server_snippet.go
@ -38,6 +38,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {

 		f.SetNginxConfigMapData(map[string]string{
 			"allow-snippet-annotations": "true",
+			"annotations-risk-level":    "Critical",
 			"server-snippet": `
 			more_set_headers "Globalfoo: Foooo";`,
 		})
@ -45,6 +46,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {
 		defer func() {
 			f.SetNginxConfigMapData(map[string]string{
 				"allow-snippet-annotations": "false",
+				"annotations-risk-level":    "High",
 			})
 		}()
 		annotations := map[string]string{
@ -101,6 +103,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {

 		f.SetNginxConfigMapData(map[string]string{
 			"allow-snippet-annotations": "false",
+			"annotations-risk-level":    "Critical", // To allow Configuration Snippet
 			"server-snippet": `
 			more_set_headers "Globalfoo: Foooo";`,
 		})
@ -108,6 +111,7 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {
 		defer func() {
 			f.SetNginxConfigMapData(map[string]string{
 				"allow-snippet-annotations": "false",
+				"annotations-risk-level":    "High",
 			})
 		}()
 		annotations := map[string]string{
--- a/test/e2e/settings/validations/validations.go
+++ b/test/e2e/settings/validations/validations.go
@ -48,8 +48,8 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
 		framework.Sleep()

 		annotations := map[string]string{
-			"nginx.ingress.kubernetes.io/default-backend":       "default/bla", // low risk
-			"nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32",  // medium risk
+			"nginx.ingress.kubernetes.io/default-backend":       "bla",        // low risk
+			"nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk
 		}

 		ginkgo.By("allow ingress with low/medium risk annotations")
@ -82,8 +82,8 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
 		framework.Sleep()

 		annotations := map[string]string{
-			"nginx.ingress.kubernetes.io/default-backend":       "default/bla", // low risk
-			"nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32",  // medium risk
+			"nginx.ingress.kubernetes.io/default-backend":       "bla",        // low risk
+			"nginx.ingress.kubernetes.io/denylist-source-range": "1.1.1.1/32", // medium risk
 		}

 		ginkgo.By("allow ingress with low/medium risk annotations")