Implement annotation validation (#9673)

* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
2023-07-22 00:32:07 -03:00 · 2023-07-22 00:32:07 -03:00 · c5f348ea2e
commit c5f348ea2e
parent 86c00a2310
109 changed files with 4320 additions and 586 deletions
--- a/internal/ingress/annotations/ipdenylist/main.go
+++ b/internal/ingress/annotations/ipdenylist/main.go
@ -30,6 +30,22 @@ import (
 	"k8s.io/ingress-nginx/pkg/util/sets"
 )

+const (
+	ipDenylistAnnotation = "denylist-source-range"
+)
+
+var denylistAnnotations = parser.Annotation{
+	Group: "acl",
+	Annotations: parser.AnnotationFields{
+		ipDenylistAnnotation: {
+			Validator:     parser.ValidateCIDRs,
+			Scope:         parser.AnnotationScopeLocation,
+			Risk:          parser.AnnotationRiskMedium, // Failure on parsing this may cause undesired access
+			Documentation: `This annotation allows setting a list of IPs and networks that should be blocked to access this Location`,
+		},
+	},
+}
+
 // SourceRange returns the CIDR
 type SourceRange struct {
 	CIDR []string `json:"cidr,omitempty"`
@ -48,12 +64,16 @@ func (sr1 *SourceRange) Equal(sr2 *SourceRange) bool {
 }

 type ipdenylist struct {
-	r resolver.Resolver
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
 }

 // NewParser creates a new denylist annotation parser
 func NewParser(r resolver.Resolver) parser.IngressAnnotation {
-	return ipdenylist{r}
+	return ipdenylist{
+		r:                r,
+		annotationConfig: denylistAnnotations,
+	}
 }

 // ParseAnnotations parses the annotations contained in the ingress
@ -67,10 +87,16 @@ func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) {
 	copy(defaultDenylistSourceRange, defBackend.DenylistSourceRange)
 	sort.Strings(defaultDenylistSourceRange)

-	val, err := parser.GetStringAnnotation("denylist-source-range", ing)
-	// A missing annotation is not a problem, just use the default
-	if err == ing_errors.ErrMissingAnnotations {
-		return &SourceRange{CIDR: defaultDenylistSourceRange}, nil
+	val, err := parser.GetStringAnnotation(ipDenylistAnnotation, ing, a.annotationConfig.Annotations)
+	if err != nil {
+		if err == ing_errors.ErrMissingAnnotations {
+			return &SourceRange{CIDR: defaultDenylistSourceRange}, nil
+		}
+
+		return &SourceRange{CIDR: defaultDenylistSourceRange}, ing_errors.LocationDenied{
+			Reason: err,
+		}
+
 	}

 	values := strings.Split(val, ",")
@ -93,3 +119,12 @@ func (a ipdenylist) Parse(ing *networking.Ingress) (interface{}, error) {

 	return &SourceRange{cidrs}, nil
 }
+
+func (a ipdenylist) GetDocumentation() parser.AnnotationFields {
+	return a.annotationConfig.Annotations
+}
+
+func (a ipdenylist) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, denylistAnnotations.Annotations)
+}