DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Implement annotation validation (#9673)

Browse source 
* Add validation to all annotations

* Add annotation validation for fcgi

* Fix reviews and fcgi e2e

* Add flag to disable cross namespace validation

* Add risk, flag for validation, tests

* Add missing formating

* Enable validation by default on tests

* Test validation flag

* remove ajp from list

* Finalize validation changes

* Add validations to CI

* Update helm docs

* Fix code review

* Use a better name for annotation risk
This commit is contained in:
Ricardo Katz 2023-07-22 00:32:07 -03:00 committed by GitHub
parent 86c00a2310
commit c5f348ea2e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
109 changed files with 4320 additions and 586 deletions
Download patch file Download diff file Expand all files Collapse all files

310
internal/ingress/annotations/parser/validators_test.go Normal file
View file

@ -0,0 +1,310 @@
/*
Copyright 2023 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package parser
import (
"fmt"
"testing"
networking "k8s.io/api/networking/v1"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
func TestValidateArrayOfServerName(t *testing.T) {
tests := []struct {
name string
value string
wantErr bool
}{
{
name: "should accept common name",
value: "something.com,anything.com",
wantErr: false,
},
{
name: "should accept wildcard name",
value: "*.something.com,otherthing.com",
wantErr: false,
},
{
name: "should allow names with spaces between array and some regexes",
value: `~^www\d+\.example\.com$,something.com`,
wantErr: false,
},
{
name: "should allow names with regexes",
value: `http://some.test.env.com:2121/$someparam=1&$someotherparam=2`,
wantErr: false,
},
{
name: "should allow names with wildcard in middle common name",
value: "*.so*mething.com,bla.com",
wantErr: false,
},
{
name: "should deny names with weird characters",
value: "something.com,lolo;xpto.com,nothing.com",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := ValidateArrayOfServerName(tt.value); (err != nil) != tt.wantErr {
t.Errorf("ValidateArrayOfServerName() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}
func Test_checkAnnotation(t *testing.T) {
type args struct {
name string
ing *networking.Ingress
fields AnnotationFields
}
tests := []struct {
name string
args args
want string
wantErr bool
}{
{
name: "null ingress should error",
want: "",
args: args{
name: "some-random-annotation",
},
wantErr: true,
},
{
name: "not having a validator for a specific annotation is a bug",
want: "",
args: args{
name: "some-new-invalid-annotation",
ing: &networking.Ingress{
ObjectMeta: v1.ObjectMeta{
Annotations: map[string]string{
GetAnnotationWithPrefix("some-new-invalid-annotation"): "xpto",
},
},
},
fields: AnnotationFields{
"otherannotation": AnnotationConfig{
Validator: func(value string) error { return nil },
},
},
},
wantErr: true,
},
{
name: "annotationconfig found and no validation func defined on annotation is a bug",
want: "",
args: args{
name: "some-new-invalid-annotation",
ing: &networking.Ingress{
ObjectMeta: v1.ObjectMeta{
Annotations: map[string]string{
GetAnnotationWithPrefix("some-new-invalid-annotation"): "xpto",
},
},
},
fields: AnnotationFields{
"some-new-invalid-annotation": AnnotationConfig{},
},
},
wantErr: true,
},
{
name: "no annotation can turn into a null pointer and should fail",
want: "",
args: args{
name: "some-new-invalid-annotation",
ing: &networking.Ingress{
ObjectMeta: v1.ObjectMeta{},
},
fields: AnnotationFields{
"some-new-invalid-annotation": AnnotationConfig{},
},
},
wantErr: true,
},
{
name: "no AnnotationField config should bypass validations",
want: GetAnnotationWithPrefix("some-valid-annotation"),
args: args{
name: "some-valid-annotation",
ing: &networking.Ingress{
ObjectMeta: v1.ObjectMeta{
Annotations: map[string]string{
GetAnnotationWithPrefix("some-valid-annotation"): "xpto",
},
},
},
},
wantErr: false,
},
{
name: "annotation with invalid value should fail",
want: "",
args: args{
name: "some-new-annotation",
ing: &networking.Ingress{
ObjectMeta: v1.ObjectMeta{
Annotations: map[string]string{
GetAnnotationWithPrefix("some-new-annotation"): "xpto1",
},
},
},
fields: AnnotationFields{
"some-new-annotation": AnnotationConfig{
Validator: func(value string) error {
if value != "xpto" {
return fmt.Errorf("this is an error")
}
return nil
},
},
},
},
wantErr: true,
},
{
name: "annotation with valid value should pass",
want: GetAnnotationWithPrefix("some-other-annotation"),
args: args{
name: "some-other-annotation",
ing: &networking.Ingress{
ObjectMeta: v1.ObjectMeta{
Annotations: map[string]string{
GetAnnotationWithPrefix("some-other-annotation"): "xpto",
},
},
},
fields: AnnotationFields{
"some-other-annotation": AnnotationConfig{
Validator: func(value string) error {
if value != "xpto" {
return fmt.Errorf("this is an error")
}
return nil
},
},
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got, err := checkAnnotation(tt.args.name, tt.args.ing, tt.args.fields)
if (err != nil) != tt.wantErr {
t.Errorf("checkAnnotation() error = %v, wantErr %v", err, tt.wantErr)
return
}
if got != tt.want {
t.Errorf("checkAnnotation() = %v, want %v", got, tt.want)
}
})
}
}
func TestCheckAnnotationRisk(t *testing.T) {
tests := []struct {
name string
annotations map[string]string
maxrisk AnnotationRisk
config AnnotationFields
wantErr bool
}{
{
name: "high risk should not be accepted with maximum medium",
maxrisk: AnnotationRiskMedium,
annotations: map[string]string{
"nginx.ingress.kubernetes.io/bla": "blo",
"nginx.ingress.kubernetes.io/bli": "bl3",
},
config: AnnotationFields{
"bla": {
Risk: AnnotationRiskHigh,
},
"bli": {
Risk: AnnotationRiskMedium,
},
},
wantErr: true,
},
{
name: "high risk should be accepted with maximum critical",
maxrisk: AnnotationRiskCritical,
annotations: map[string]string{
"nginx.ingress.kubernetes.io/bla": "blo",
"nginx.ingress.kubernetes.io/bli": "bl3",
},
config: AnnotationFields{
"bla": {
Risk: AnnotationRiskHigh,
},
"bli": {
Risk: AnnotationRiskMedium,
},
},
wantErr: false,
},
{
name: "low risk should be accepted with maximum low",
maxrisk: AnnotationRiskLow,
annotations: map[string]string{
"nginx.ingress.kubernetes.io/bla": "blo",
"nginx.ingress.kubernetes.io/bli": "bl3",
},
config: AnnotationFields{
"bla": {
Risk: AnnotationRiskLow,
},
"bli": {
Risk: AnnotationRiskLow,
},
},
wantErr: false,
},
{
name: "critical risk should be accepted with maximum critical",
maxrisk: AnnotationRiskCritical,
annotations: map[string]string{
"nginx.ingress.kubernetes.io/bla": "blo",
"nginx.ingress.kubernetes.io/bli": "bl3",
},
config: AnnotationFields{
"bla": {
Risk: AnnotationRiskCritical,
},
"bli": {
Risk: AnnotationRiskCritical,
},
},
wantErr: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if err := CheckAnnotationRisk(tt.annotations, tt.maxrisk, tt.config); (err != nil) != tt.wantErr {
t.Errorf("CheckAnnotationRisk() error = %v, wantErr %v", err, tt.wantErr)
}
})
}
}