Implement annotation validation (#9673)

* Add validation to all annotations

* Add annotation validation for fcgi

* Fix reviews and fcgi e2e

* Add flag to disable cross namespace validation

* Add risk, flag for validation, tests

* Add missing formatting

* Enable validation by default on tests

* Test validation flag

* remove ajp from list

* Finalize validation changes

* Add validations to CI

* Update helm docs

* Fix code review

* Use a better name for annotation risk
Ricardo Katz 2023-07-22 00:32:07 -03:00 committed by GitHub
parent 86c00a2310
commit c5f348ea2e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
109 changed files with 4320 additions and 586 deletions


@ -23,18 +23,40 @@ import (
"k8s.io/ingress-nginx/internal/ingress/resolver"
)
const (
satisfyAnnotation = "satisfy"
)
var satisfyAnnotations = parser.Annotation{
Group: "authentication",
Annotations: parser.AnnotationFields{
satisfyAnnotation: {
Validator: parser.ValidateOptions([]string{"any", "all"}, true, true),
Scope: parser.AnnotationScopeLocation,
Risk: parser.AnnotationRiskLow,
Documentation: `By default, a request would need to satisfy all authentication requirements in order to be allowed.
By using this annotation, requests that satisfy either any or all authentication requirements are allowed, based on the configuration value.
Valid options are "all" and "any"`,
},
},
}
type satisfy struct {
r resolver.Resolver
r resolver.Resolver
annotationConfig parser.Annotation
}
// NewParser creates a new SATISFY annotation parser
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
return satisfy{r}
return satisfy{
r: r,
annotationConfig: satisfyAnnotations,
}
}
// Parse parses annotation contained in the ingress
func (s satisfy) Parse(ing *networking.Ingress) (interface{}, error) {
satisfy, err := parser.GetStringAnnotation("satisfy", ing)
satisfy, err := parser.GetStringAnnotation(satisfyAnnotation, ing, s.annotationConfig.Annotations)
if err != nil || (satisfy != "any" && satisfy != "all") {
satisfy = ""
@ -42,3 +64,12 @@ func (s satisfy) Parse(ing *networking.Ingress) (interface{}, error) {
return satisfy, nil
}
func (s satisfy) GetDocumentation() parser.AnnotationFields {
return s.annotationConfig.Annotations
}
func (a satisfy) Validate(anns map[string]string) error {
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
return parser.CheckAnnotationRisk(anns, maxrisk, satisfyAnnotations.Annotations)
}
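Review bot: Validate, at the end of this section, checks risk against the package-level `satisfyAnnotations.Annotations`, while Parse and GetDocumentation read the instance's `s.annotationConfig.Annotations`, and it names its receiver `a` where the other methods use `s`. NewParser currently makes the two tables identical, but value validation and the risk check should visibly come from one table so they cannot drift apart if the config is ever injected or copied. I would write it as `func (s satisfy) Validate(anns map[string]string) error {` with `return parser.CheckAnnotationRisk(anns, maxrisk, s.annotationConfig.Annotations)`. Both new exported methods also lack doc comments, e.g. `// Validate checks the ingress annotations against the configured maximum risk level.`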


@ -83,7 +83,7 @@ func TestSatisfyParser(t *testing.T) {
annotations := map[string]string{}
for input, expected := range data {
annotations[parser.GetAnnotationWithPrefix("satisfy")] = input
annotations[parser.GetAnnotationWithPrefix(satisfyAnnotation)] = input
ing.SetAnnotations(annotations)
satisfyt, err := NewParser(&resolver.Mock{}).Parse(ing)