Add a Snippet for ModSecurity

Allows for the configuration of Mod Security rules via a Snippet.
2018-11-14 19:24:57 -06:00 · 2018-11-14 19:24:57 -06:00 · 95b3042b6e
commit 95b3042b6e
parent a22c656f30
5 changed files with 70 additions and 23 deletions
--- a/internal/ingress/annotations/modsecurity/main.go
+++ b/internal/ingress/annotations/modsecurity/main.go
@ -18,17 +18,16 @@ package modsecurity

 import (
 	extensions "k8s.io/api/extensions/v1beta1"
-
 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )

-// Config contains the AuthSSLCert used for mutual authentication
-// and the configured ValidationDepth
+// Config contains ModSecurity Configuration items
 type Config struct {
 	Enable        bool   `json:"enable-modsecurity"`
 	OWASPRules    bool   `json:"enable-owasp-core-rules"`
 	TransactionID string `json:"modsecurity-transaction-id"`
+	Snippet       string `json:"modsecurity-snippet"`
 }

 // Equal tests for equality between two Config types
@ -48,6 +47,9 @@ func (modsec1 *Config) Equal(modsec2 *Config) bool {
 	if modsec1.TransactionID != modsec2.TransactionID {
 		return false
 	}
+	if modsec1.Snippet != modsec2.Snippet {
+		return false
+	}

 	return true
 }
@ -80,9 +82,15 @@ func (a modSecurity) Parse(ing *extensions.Ingress) (interface{}, error) {
 		transactionID = ""
 	}

+	snippet, err := parser.GetStringAnnotation("modsecurity-snippet", ing)
+	if err != nil {
+		snippet = ""
+	}
+
 	return Config{
 		Enable:        enableModSecurity,
 		OWASPRules:    owaspRules,
 		TransactionID: transactionID,
+		Snippet:       snippet,
 	}, nil
 }
--- a/internal/ingress/annotations/modsecurity/main_test.go
+++ b/internal/ingress/annotations/modsecurity/main_test.go
@ -30,6 +30,7 @@ func TestParse(t *testing.T) {
 	enable := parser.GetAnnotationWithPrefix("enable-modsecurity")
 	owasp := parser.GetAnnotationWithPrefix("enable-owasp-core-rules")
 	transID := parser.GetAnnotationWithPrefix("modsecurity-transaction-id")
+	snippet := parser.GetAnnotationWithPrefix("modsecurity-snippet")

 	ap := NewParser(&resolver.Mock{})
 	if ap == nil {
@ -40,19 +41,22 @@ func TestParse(t *testing.T) {
 		annotations map[string]string
 		expected    Config
 	}{
-		{map[string]string{enable: "true"}, Config{true, false, ""}},
-		{map[string]string{enable: "false"}, Config{false, false, ""}},
-		{map[string]string{enable: ""}, Config{false, false, ""}},
+		{map[string]string{enable: "true"}, Config{true, false, "", ""}},
+		{map[string]string{enable: "false"}, Config{false, false, "", ""}},
+		{map[string]string{enable: ""}, Config{false, false, "", ""}},

-		{map[string]string{owasp: "true"}, Config{false, true, ""}},
-		{map[string]string{owasp: "false"}, Config{false, false, ""}},
-		{map[string]string{owasp: ""}, Config{false, false, ""}},
+		{map[string]string{owasp: "true"}, Config{false, true, "", ""}},
+		{map[string]string{owasp: "false"}, Config{false, false, "", ""}},
+		{map[string]string{owasp: ""}, Config{false, false, "", ""}},

-		{map[string]string{transID: "ok"}, Config{false, false, "ok"}},
-		{map[string]string{transID: ""}, Config{false, false, ""}},
+		{map[string]string{transID: "ok"}, Config{false, false, "ok", ""}},
+		{map[string]string{transID: ""}, Config{false, false, "", ""}},

-		{map[string]string{}, Config{false, false, ""}},
-		{nil, Config{false, false, ""}},
+		{map[string]string{snippet: "ModSecurity Rule"}, Config{false, false, "", "ModSecurity Rule"}},
+		{map[string]string{snippet: ""}, Config{false, false, "", ""}},
+
+		{map[string]string{}, Config{false, false, "", ""}},
+		{nil, Config{false, false, "", ""}},
 	}

 	ing := &extensions.Ingress{