Implement annotation validation (#9673)

* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
2023-07-22 00:32:07 -03:00 · 2023-07-22 00:32:07 -03:00 · c5f348ea2e
commit c5f348ea2e
parent 86c00a2310
109 changed files with 4320 additions and 586 deletions
--- a/internal/ingress/annotations/authreqglobal/main.go
+++ b/internal/ingress/annotations/authreqglobal/main.go
@ -23,23 +23,52 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )

+const (
+	enableGlobalAuthAnnotation = "enable-global-auth"
+)
+
+var globalAuthAnnotations = parser.Annotation{
+	Group: "authentication",
+	Annotations: parser.AnnotationFields{
+		enableGlobalAuthAnnotation: {
+			Validator:     parser.ValidateBool,
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskLow,
+			Documentation: `Defines if the global external authentication should be enabled.`,
+		},
+	},
+}
+
 type authReqGlobal struct {
-	r resolver.Resolver
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
 }

 // NewParser creates a new authentication request annotation parser
 func NewParser(r resolver.Resolver) parser.IngressAnnotation {
-	return authReqGlobal{r}
+	return authReqGlobal{
+		r:                r,
+		annotationConfig: globalAuthAnnotations,
+	}
 }

 // ParseAnnotations parses the annotations contained in the ingress
 // rule used to enable or disable global external authentication
 func (a authReqGlobal) Parse(ing *networking.Ingress) (interface{}, error) {

-	enableGlobalAuth, err := parser.GetBoolAnnotation("enable-global-auth", ing)
+	enableGlobalAuth, err := parser.GetBoolAnnotation(enableGlobalAuthAnnotation, ing, a.annotationConfig.Annotations)
 	if err != nil {
 		enableGlobalAuth = true
 	}

 	return enableGlobalAuth, nil
 }
+
+func (a authReqGlobal) GetDocumentation() parser.AnnotationFields {
+	return a.annotationConfig.Annotations
+}
+
+func (a authReqGlobal) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, globalAuthAnnotations.Annotations)
+}