Implement annotation validation (#9673)
* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
This commit is contained in:
Ricardo Katz
GitHub
parent
86c00a2310
commit
c5f348ea2e
109 changed files with 4320 additions and 586 deletions
|
|
@ -23,18 +23,40 @@ import (
|
|||
"k8s.io/ingress-nginx/internal/ingress/resolver"
|
||||
)
|
||||
|
||||
const (
|
||||
satisfyAnnotation = "satisfy"
|
||||
)
|
||||
|
||||
var satisfyAnnotations = parser.Annotation{
|
||||
Group: "authentication",
|
||||
Annotations: parser.AnnotationFields{
|
||||
satisfyAnnotation: {
|
||||
Validator: parser.ValidateOptions([]string{"any", "all"}, true, true),
|
||||
Scope: parser.AnnotationScopeLocation,
|
||||
Risk: parser.AnnotationRiskLow,
|
||||
Documentation: `By default, a request would need to satisfy all authentication requirements in order to be allowed.
|
||||
By using this annotation, requests that satisfy either any or all authentication requirements are allowed, based on the configuration value.
|
||||
Valid options are "all" and "any"`,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
type satisfy struct {
|
||||
r resolver.Resolver
|
||||
r resolver.Resolver
|
||||
annotationConfig parser.Annotation
|
||||
}
|
||||
|
||||
// NewParser creates a new SATISFY annotation parser
|
||||
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
|
||||
return satisfy{r}
|
||||
return satisfy{
|
||||
r: r,
|
||||
annotationConfig: satisfyAnnotations,
|
||||
}
|
||||
}
|
||||
|
||||
// Parse parses annotation contained in the ingress
|
||||
func (s satisfy) Parse(ing *networking.Ingress) (interface{}, error) {
|
||||
satisfy, err := parser.GetStringAnnotation("satisfy", ing)
|
||||
satisfy, err := parser.GetStringAnnotation(satisfyAnnotation, ing, s.annotationConfig.Annotations)
|
||||
|
||||
if err != nil || (satisfy != "any" && satisfy != "all") {
|
||||
satisfy = ""
|
||||
|
|
@ -42,3 +64,12 @@ func (s satisfy) Parse(ing *networking.Ingress) (interface{}, error) {
|
|||
|
||||
return satisfy, nil
|
||||
}
|
||||
|
||||
func (s satisfy) GetDocumentation() parser.AnnotationFields {
|
||||
return s.annotationConfig.Annotations
|
||||
}
|
||||
|
||||
func (a satisfy) Validate(anns map[string]string) error {
|
||||
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
||||
return parser.CheckAnnotationRisk(anns, maxrisk, satisfyAnnotations.Annotations)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -83,7 +83,7 @@ func TestSatisfyParser(t *testing.T) {
|
|||
annotations := map[string]string{}
|
||||
|
||||
for input, expected := range data {
|
||||
annotations[parser.GetAnnotationWithPrefix("satisfy")] = input
|
||||
annotations[parser.GetAnnotationWithPrefix(satisfyAnnotation)] = input
|
||||
ing.SetAnnotations(annotations)
|
||||
|
||||
satisfyt, err := NewParser(&resolver.Mock{}).Parse(ing)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue