Implement annotation validation (#9673)

* Add validation to all annotations * Add annotation validation for fcgi * Fix reviews and fcgi e2e * Add flag to disable cross namespace validation * Add risk, flag for validation, tests * Add missing formating * Enable validation by default on tests * Test validation flag * remove ajp from list * Finalize validation changes * Add validations to CI * Update helm docs * Fix code review * Use a better name for annotation risk
2023-07-22 00:32:07 -03:00 · 2023-07-22 00:32:07 -03:00 · c5f348ea2e
commit c5f348ea2e
parent 86c00a2310
109 changed files with 4320 additions and 586 deletions
--- a/internal/ingress/annotations/streamsnippet/main.go
+++ b/internal/ingress/annotations/streamsnippet/main.go
@ -23,18 +23,47 @@ import (
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )

+const (
+	streamSnippetAnnotation = "stream-snippet"
+)
+
+var streamSnippetAnnotations = parser.Annotation{
+	Group: "snippets",
+	Annotations: parser.AnnotationFields{
+		streamSnippetAnnotation: {
+			Validator:     parser.ValidateNull,
+			Scope:         parser.AnnotationScopeIngress,
+			Risk:          parser.AnnotationRiskCritical, // Critical, this annotation is not validated at all and allows arbitrary configutations
+			Documentation: `This annotation allows setting a custom NGINX configuration on a stream block. This annotation does not contain any validation and it's usage is not recommended!`,
+		},
+	},
+}
+
 type streamSnippet struct {
-	r resolver.Resolver
+	r                resolver.Resolver
+	annotationConfig parser.Annotation
 }

 // NewParser creates a new server snippet annotation parser
 func NewParser(r resolver.Resolver) parser.IngressAnnotation {
-	return streamSnippet{r}
+	return streamSnippet{
+		r:                r,
+		annotationConfig: streamSnippetAnnotations,
+	}
 }

 // Parse parses the annotations contained in the ingress rule
 // used to indicate if the location/s contains a fragment of
 // configuration to be included inside the paths of the rules
 func (a streamSnippet) Parse(ing *networking.Ingress) (interface{}, error) {
-	return parser.GetStringAnnotation("stream-snippet", ing)
+	return parser.GetStringAnnotation("stream-snippet", ing, a.annotationConfig.Annotations)
+}
+
+func (a streamSnippet) GetDocumentation() parser.AnnotationFields {
+	return a.annotationConfig.Annotations
+}
+
+func (a streamSnippet) Validate(anns map[string]string) error {
+	maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
+	return parser.CheckAnnotationRisk(anns, maxrisk, streamSnippetAnnotations.Annotations)
 }
--- a/internal/ingress/annotations/streamsnippet/main_test.go
+++ b/internal/ingress/annotations/streamsnippet/main_test.go
@ -27,7 +27,7 @@ import (
 )

 func TestParse(t *testing.T) {
-	annotation := parser.GetAnnotationWithPrefix("stream-snippet")
+	annotation := parser.GetAnnotationWithPrefix(streamSnippetAnnotation)

 	ap := NewParser(&resolver.Mock{})
 	if ap == nil {