Implement annotation validation (#9673)

* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
2023-07-22 00:32:07 -03:00 · 2023-07-22 00:32:07 -03:00 · c5f348ea2e
commit c5f348ea2e
parent 86c00a2310
109 changed files with 4320 additions and 586 deletions
--- a/internal/ingress/annotations/ipallowlist/main.go
+++ b/internal/ingress/annotations/ipallowlist/main.go
@ -0,0 +1,133 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ipallowlist
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+
+	networking "k8s.io/api/networking/v1"
+	"k8s.io/ingress-nginx/internal/net"
+
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	ing_errors "k8s.io/ingress-nginx/internal/ingress/errors"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+	"k8s.io/ingress-nginx/pkg/util/sets"
+)
+
+const (
+	ipWhitelistAnnotation = "whitelist-source-range"
+	ipAllowlistAnnotation = "allowlist-source-range"
+)
+
+var allowlistAnnotations = parser.Annotation{
+	Group: "acl",
+	Annotations: parser.AnnotationFields{
+		ipAllowlistAnnotation: {
+			Validator:         parser.ValidateCIDRs,
+			Scope:             parser.AnnotationScopeLocation,
+			Risk:              parser.AnnotationRiskMedium, // Failure on parsing this may cause undesired access
+			Documentation:     `This annotation allows setting a list of IPs and networks allowed to access this Location`,
+			AnnotationAliases: []string{ipWhitelistAnnotation},
+		},
+	},
+}
+
+// SourceRange returns the CIDR
+type SourceRange struct {
+	CIDR []string `json:"cidr,omitempty"`
+}
+
+// Equal tests for equality between two SourceRange types
+func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool {
+	if sr1 == sr2 {
+		return true
+	}
+	if sr1 == nil || sr2 == nil {
+		return false
+	}
+
+	return sets.StringElementsMatch(sr1.CIDR, sr2.CIDR)
+}
+
+type ipallowlist struct {
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
+}
+
+// NewParser creates a new ipallowlist annotation parser
+func NewParser(r resolver.Resolver) parser.IngressAnnotation {
+	return ipallowlist{
+		r:                r,
+		annotationConfig: allowlistAnnotations,
+	}
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to limit access to certain client addresses or networks.
+// Multiple ranges can specified using commas as separator
+// e.g. `18.0.0.0/8,56.0.0.0/8`
+func (a ipallowlist) Parse(ing *networking.Ingress) (interface{}, error) {
+	defBackend := a.r.GetDefaultBackend()
+
+	defaultAllowlistSourceRange := make([]string, len(defBackend.WhitelistSourceRange))
+	copy(defaultAllowlistSourceRange, defBackend.WhitelistSourceRange)
+	sort.Strings(defaultAllowlistSourceRange)
+
+	val, err := parser.GetStringAnnotation(ipAllowlistAnnotation, ing, a.annotationConfig.Annotations)
+	// A missing annotation is not a problem, just use the default
+	if err != nil {
+		if err == ing_errors.ErrMissingAnnotations {
+			return &SourceRange{CIDR: defaultAllowlistSourceRange}, nil
+		}
+
+		return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDenied{
+			Reason: err,
+		}
+
+	}
+
+	values := strings.Split(val, ",")
+	ipnets, ips, err := net.ParseIPNets(values...)
+	if err != nil && len(ips) == 0 {
+		return &SourceRange{CIDR: defaultAllowlistSourceRange}, ing_errors.LocationDenied{
+			Reason: fmt.Errorf("the annotation does not contain a valid IP address or network: %w", err),
+		}
+	}
+
+	cidrs := []string{}
+	for k := range ipnets {
+		cidrs = append(cidrs, k)
+	}
+	for k := range ips {
+		cidrs = append(cidrs, k)
+	}
+
+	sort.Strings(cidrs)
+
+	return &SourceRange{cidrs}, nil
+}
+
+func (a ipallowlist) GetDocumentation() parser.AnnotationFields {
+	return a.annotationConfig.Annotations
+}
+
+func (a ipallowlist) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, allowlistAnnotations.Annotations)
+}
--- a/internal/ingress/annotations/ipallowlist/main_test.go
+++ b/internal/ingress/annotations/ipallowlist/main_test.go
@ -0,0 +1,262 @@
+/*
+Copyright 2016 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ipallowlist
+
+import (
+	"testing"
+
+	api "k8s.io/api/core/v1"
+	networking "k8s.io/api/networking/v1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/defaults"
+	"k8s.io/ingress-nginx/internal/ingress/resolver"
+)
+
+func buildIngress() *networking.Ingress {
+	defaultBackend := networking.IngressBackend{
+		Service: &networking.IngressServiceBackend{
+			Name: "default-backend",
+			Port: networking.ServiceBackendPort{
+				Number: 80,
+			},
+		},
+	}
+
+	return &networking.Ingress{
+		ObjectMeta: meta_v1.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: networking.IngressSpec{
+			DefaultBackend: &networking.IngressBackend{
+				Service: &networking.IngressServiceBackend{
+					Name: "default-backend",
+					Port: networking.ServiceBackendPort{
+						Number: 80,
+					},
+				},
+			},
+			Rules: []networking.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: networking.IngressRuleValue{
+						HTTP: &networking.HTTPIngressRuleValue{
+							Paths: []networking.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestParseAnnotations(t *testing.T) {
+	ing := buildIngress()
+	tests := map[string]struct {
+		net        string
+		expectCidr []string
+		expectErr  bool
+		errOut     string
+	}{
+		"test parse a valid net": {
+			net:        "10.0.0.0/24",
+			expectCidr: []string{"10.0.0.0/24"},
+			expectErr:  false,
+		},
+		"test parse a invalid net": {
+			net:       "ww",
+			expectErr: true,
+			errOut:    "annotation nginx.ingress.kubernetes.io/allowlist-source-range contains invalid value",
+		},
+		"test parse a empty net": {
+			net:       "",
+			expectErr: true,
+			errOut:    "the annotation nginx.ingress.kubernetes.io/allowlist-source-range does not contain a valid value ()",
+		},
+		"test parse multiple valid cidr": {
+			net:        "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24",
+			expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"},
+			expectErr:  false,
+		},
+	}
+
+	for testName, test := range tests {
+		data := map[string]string{}
+		data[parser.GetAnnotationWithPrefix(ipAllowlistAnnotation)] = test.net
+		ing.SetAnnotations(data)
+		p := NewParser(&resolver.Mock{})
+		i, err := p.Parse(ing)
+		if (err != nil) != test.expectErr {
+			t.Errorf("%s expected error: %t got error: %t err value: %s. %+v", testName, test.expectErr, err != nil, err, i)
+		}
+		if test.expectErr && err != nil {
+			if err.Error() != test.errOut {
+				t.Errorf("expected error %s but got %s", test.errOut, err)
+			}
+		}
+		if !test.expectErr {
+			sr, ok := i.(*SourceRange)
+			if !ok {
+				t.Errorf("%v:expected a SourceRange type", testName)
+			}
+			if !strsEquals(sr.CIDR, test.expectCidr) {
+				t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR)
+			}
+		}
+	}
+}
+
+type mockBackend struct {
+	resolver.Mock
+}
+
+// GetDefaultBackend returns the backend that must be used as default
+func (m mockBackend) GetDefaultBackend() defaults.Backend {
+	return defaults.Backend{
+		WhitelistSourceRange: []string{"4.4.4.0/24", "1.2.3.4/32"},
+	}
+}
+
+// Test that when we have a allowlist set on the Backend that is used when we
+// don't have the annotation
+func TestParseAnnotationsWithDefaultConfig(t *testing.T) {
+	ing := buildIngress()
+
+	mockBackend := mockBackend{}
+
+	tests := map[string]struct {
+		net        string
+		expectCidr []string
+		expectErr  bool
+		errOut     string
+	}{
+		"test parse a valid net": {
+			net:        "10.0.0.0/24",
+			expectCidr: []string{"10.0.0.0/24"},
+			expectErr:  false,
+		},
+		"test parse a invalid net": {
+			net:       "ww",
+			expectErr: true,
+			errOut:    "annotation nginx.ingress.kubernetes.io/allowlist-source-range contains invalid value",
+		},
+		"test parse a empty net": {
+			net:       "",
+			expectErr: true,
+			errOut:    "the annotation nginx.ingress.kubernetes.io/allowlist-source-range does not contain a valid value ()",
+		},
+		"test parse multiple valid cidr": {
+			net:        "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24",
+			expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"},
+			expectErr:  false,
+		},
+	}
+
+	for testName, test := range tests {
+		data := map[string]string{}
+		data[parser.GetAnnotationWithPrefix(ipAllowlistAnnotation)] = test.net
+		ing.SetAnnotations(data)
+		p := NewParser(mockBackend)
+		i, err := p.Parse(ing)
+		if (err != nil) != test.expectErr {
+			t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i)
+		}
+		if test.expectErr && err != nil {
+			if err.Error() != test.errOut {
+				t.Errorf("expected error %s but got %s", test.errOut, err)
+			}
+		}
+		if !test.expectErr {
+			sr, ok := i.(*SourceRange)
+			if !ok {
+				t.Errorf("%v:expected a SourceRange type", testName)
+			}
+			if !strsEquals(sr.CIDR, test.expectCidr) {
+				t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR)
+			}
+		}
+	}
+}
+
+// Test that when we have a whitelist set on the Backend that is used when we
+// don't have the annotation
+func TestLegacyAnnotation(t *testing.T) {
+	ing := buildIngress()
+
+	mockBackend := mockBackend{}
+
+	tests := map[string]struct {
+		net        string
+		expectCidr []string
+		expectErr  bool
+		errOut     string
+	}{
+		"test parse a valid net": {
+			net:        "10.0.0.0/24",
+			expectCidr: []string{"10.0.0.0/24"},
+			expectErr:  false,
+		},
+		"test parse multiple valid cidr": {
+			net:        "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24",
+			expectCidr: []string{"1.1.1.1/32", "2.2.2.2/32", "3.3.3.0/24"},
+			expectErr:  false,
+		},
+	}
+
+	for testName, test := range tests {
+		data := map[string]string{}
+		data[parser.GetAnnotationWithPrefix(ipWhitelistAnnotation)] = test.net
+		ing.SetAnnotations(data)
+		p := NewParser(mockBackend)
+		i, err := p.Parse(ing)
+		if (err != nil) != test.expectErr {
+			t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i)
+		}
+		if test.expectErr && err != nil {
+			if err.Error() != test.errOut {
+				t.Errorf("expected error %s but got %s", test.errOut, err)
+			}
+		}
+		if !test.expectErr {
+			sr, ok := i.(*SourceRange)
+			if !ok {
+				t.Errorf("%v:expected a SourceRange type", testName)
+			}
+			if !strsEquals(sr.CIDR, test.expectCidr) {
+				t.Errorf("%v:expected %v CIDR but %v returned", testName, test.expectCidr, sr.CIDR)
+			}
+		}
+	}
+}
+
+func strsEquals(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i, v := range a {
+		if v != b[i] {
+			return false
+		}
+	}
+	return true
+}