Implement annotation validation (#9673)

* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
2023-07-22 00:32:07 -03:00 · 2023-07-22 00:32:07 -03:00 · c5f348ea2e
commit c5f348ea2e
parent 86c00a2310
109 changed files with 4320 additions and 586 deletions
--- a/internal/ingress/annotations/ipdenylist/main.go
+++ b/internal/ingress/annotations/ipdenylist/main.go
@ -30,6 +30,22 @@ import (
 	"k8s.io/ingress-nginx/pkg/util/sets"
 )

+const (
+	ipDenylistAnnotation = "denylist-source-range"
+)
+
+var denylistAnnotations = parser.Annotation{
+	Group: "acl",
+	Annotations: parser.AnnotationFields{
+		ipDenylistAnnotation: {
+			Validator:     parser.ValidateCIDRs,
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskMedium, // Failure on parsing this may cause undesired access
+			Documentation: `This annotation allows setting a list of IPs and networks that should be blocked to access this Location`,
+		},
+	},
+}
+
 // SourceRange returns the CIDR
 type SourceRange struct {
 	CIDR []string `json:"cidr,omitempty"`
@ -48,12 +64,16 @@ func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool {
 }

 type ipdenylist struct {
-	r resolver.Resolver
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
 }

 // NewParser creates a new denylist annotation parser
 func NewParser(r resolver.Resolver) parser.IngressAnnotation {
-	return ipdenylist{r}
+	return ipdenylist{
+		r:                r,
+		annotationConfig: denylistAnnotations,
+	}
 }

 // ParseAnnotations parses the annotations contained in the ingress
@ -67,10 +87,16 @@ func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) {
 	copy(defaultDenylistSourceRange, defBackend.DenylistSourceRange)
 	sort.Strings(defaultDenylistSourceRange)

-	val, err := parser.GetStringAnnotation("denylist-source-range", ing)
-	// A missing annotation is not a problem, just use the default
-	if err == ing_errors.ErrMissingAnnotations {
-		return &SourceRange{CIDR: defaultDenylistSourceRange}, nil
+	val, err := parser.GetStringAnnotation(ipDenylistAnnotation, ing, a.annotationConfig.Annotations)
+	if err != nil {
+		if err == ing_errors.ErrMissingAnnotations {
+			return &SourceRange{CIDR: defaultDenylistSourceRange}, nil
+		}
+
+		return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDenied{
+			Reason: err,
+		}
+
 	}

 	values := strings.Split(val, ",")
@ -93,3 +119,12 @@ func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) {

 	return &SourceRange{cidrs}, nil
 }
+
+func (a ipdenylist) GetDocumentation() parser.AnnotationFields {
+	return a.annotationConfig.Annotations
+}
+
+func (a ipdenylist) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, denylistAnnotations.Annotations)
+}
--- a/internal/ingress/annotations/ipdenylist/main_test.go
+++ b/internal/ingress/annotations/ipdenylist/main_test.go
@ -86,17 +86,17 @@ func TestParseAnnotations(t *testing.T) {
 		"test parse a invalid net": {
 			net:       "ww",
 			expectErr: true,
-			errOut:    "the annotation does not contain a valid IP address or network: invalid CIDR address: ww",
+			errOut:    "annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value",
 		},
 		"test parse a empty net": {
 			net:       "",
 			expectErr: true,
-			errOut:    "the annotation does not contain a valid IP address or network: invalid CIDR address: ",
+			errOut:    "the annotation nginx.ingress.kubernetes.io/denylist-source-range does not contain a valid value ()",
 		},
 		"test parse a malicious escaped string": {
 			net:       `10.0.0.0/8"rm /tmp",11.0.0.0/8`,
 			expectErr: true,
-			errOut:    `the annotation does not contain a valid IP address or network: invalid CIDR address: 10.0.0.0/8"rm /tmp"`,
+			errOut:    `annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value`,
 		},
 		"test parse multiple valid cidr": {
 			net:        "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24",
@ -107,16 +107,16 @@ func TestParseAnnotations(t *testing.T) {

 	for testName, test := range tests {
 		data := map[string]string{}
-		data[parser.GetAnnotationWithPrefix("denylist-source-range")] = test.net
+		data[parser.GetAnnotationWithPrefix(ipDenylistAnnotation)] = test.net
 		ing.SetAnnotations(data)
 		p := NewParser(&resolver.Mock{})
 		i, err := p.Parse(ing)
-		if err != nil && !test.expectErr {
-			t.Errorf("%v:unexpected error: %v", testName, err)
+		if (err != nil) != test.expectErr {
+			t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i)
 		}
-		if test.expectErr {
+		if test.expectErr && err != nil {
 			if err.Error() != test.errOut {
-				t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error())
+				t.Errorf("expected error %s but got %s", test.errOut, err)
 			}
 		}
 		if !test.expectErr {
@ -163,12 +163,12 @@ func TestParseAnnotationsWithDefaultConfig(t *testing.T) {
 		"test parse a invalid net": {
 			net:       "ww",
 			expectErr: true,
-			errOut:    "the annotation does not contain a valid IP address or network: invalid CIDR address: ww",
+			errOut:    "annotation nginx.ingress.kubernetes.io/denylist-source-range contains invalid value",
 		},
 		"test parse a empty net": {
 			net:       "",
 			expectErr: true,
-			errOut:    "the annotation does not contain a valid IP address or network: invalid CIDR address: ",
+			errOut:    "the annotation nginx.ingress.kubernetes.io/denylist-source-range does not contain a valid value ()",
 		},
 		"test parse multiple valid cidr": {
 			net:        "2.2.2.2/32,1.1.1.1/32,3.3.3.0/24",
@ -179,16 +179,16 @@ func TestParseAnnotationsWithDefaultConfig(t *testing.T) {

 	for testName, test := range tests {
 		data := map[string]string{}
-		data[parser.GetAnnotationWithPrefix("denylist-source-range")] = test.net
+		data[parser.GetAnnotationWithPrefix(ipDenylistAnnotation)] = test.net
 		ing.SetAnnotations(data)
 		p := NewParser(mockBackend)
 		i, err := p.Parse(ing)
-		if err != nil && !test.expectErr {
-			t.Errorf("%v:unexpected error: %v", testName, err)
+		if (err != nil) != test.expectErr {
+			t.Errorf("expected error: %t got error: %t err value: %s. %+v", test.expectErr, err != nil, err, i)
 		}
-		if test.expectErr {
+		if test.expectErr && err != nil {
 			if err.Error() != test.errOut {
-				t.Errorf("%v:expected error: %v but %v return", testName, test.errOut, err.Error())
+				t.Errorf("expected error %s but got %s", test.errOut, err)
 			}
 		}
 		if !test.expectErr {