DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Disable user snippets per default (#10393)

Browse source 
* Disable user snippets per default

* Enable snippet on tests
This commit is contained in:
Ricardo Katz 2023-09-11 00:02:10 -03:00 committed by GitHub
parent 2d03da6334
commit cf889c6c47
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
35 changed files with 494 additions and 288 deletions
Download patch file Download diff file Expand all files Collapse all files

26
test/e2e/admission/admission.go
View file

@ -127,6 +127,15 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller",
})
ginkgo.It("should return an error if there is an error validating the ingress definition", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := admissionTestHost
annotations := map[string]string{
@ -232,6 +241,15 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller",
})
ginkgo.It("should return an error if the Ingress V1 definition contains invalid annotations", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
out, err := createIngress(f.Namespace, invalidV1Ingress)
assert.Empty(ginkgo.GinkgoT(), out)
assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress using kubectl")
@ -243,6 +261,14 @@ var _ = framework.IngressNginxDescribeSerial("[Admission] admission controller",
})
ginkgo.It("should not return an error for an invalid Ingress when it has unknown class", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
out, err := createIngress(f.Namespace, invalidV1IngressWithOtherClass)
assert.Equal(ginkgo.GinkgoT(), "ingress.networking.k8s.io/extensions-invalid-other created\n", out)
assert.Nil(ginkgo.GinkgoT(), err, "creating an invalid ingress with unknown class using kubectl")

17
test/e2e/annotations/auth.go
View file

@ -277,6 +277,14 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
"nginx.ingress.kubernetes.io/auth-snippet": `
proxy_set_header My-Custom-Header 42;`,
}
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
@ -290,6 +298,15 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() {
host := authHost
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
annotations := map[string]string{
"nginx.ingress.kubernetes.io/auth-snippet": `
proxy_set_header My-Custom-Header 42;`,

2
test/e2e/annotations/fastcgi.go
View file

@ -82,7 +82,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() {
f.EnsureConfigMap(configuration)
host := "fastcgi-params-configmap"
host := "fastcgi-params-configmap" //#nosec G101
annotations := map[string]string{
"nginx.ingress.kubernetes.io/backend-protocol": "FCGI",

9
test/e2e/annotations/fromtowwwredirect.go
View file

@ -62,6 +62,15 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() {
})
ginkgo.It("should redirect from www HTTPS to HTTPS", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
ginkgo.By("setting up server for redirect from www")
fromHost := fmt.Sprintf("%s.nip.io", f.GetNginxIP())

9
test/e2e/annotations/grpc.go
View file

@ -189,6 +189,15 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() {
ginkgo.It("should return OK for service with backend protocol GRPCS", func() {
f.NewGRPCBinDeployment()
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := echoHost
svc := &corev1.Service{

58
test/e2e/annotations/modsecurity/modsecurity.go
View file

@ -100,6 +100,15 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
})
ginkgo.It("should enable modsecurity with snippet", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := modSecurityFooHost
nameSpace := f.Namespace
@ -164,6 +173,15 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
})
ginkgo.It("should enable modsecurity with snippet and block requests", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := modSecurityFooHost
nameSpace := f.Namespace
@ -194,6 +212,15 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
})
ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := modSecurityFooHost
nameSpace := f.Namespace
@ -224,6 +251,17 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
})
ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
"enable-modsecurity": "true",
"enable-owasp-modsecurity-crs": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := modSecurityFooHost
nameSpace := f.Namespace
@ -238,11 +276,6 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.SetNginxConfigMapData(map[string]string{
"enable-modsecurity": "true",
"enable-owasp-modsecurity-crs": "true",
})
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, "SecRuleEngine On")
@ -277,12 +310,17 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
f.EnsureIngress(ing)
expectedComment := "SecRuleEngine On"
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
"enable-modsecurity": "true",
"enable-owasp-modsecurity-crs": "true",
"modsecurity-snippet": expectedComment,
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
f.WaitForNginxServer(host,
func(server string) bool {
@ -340,6 +378,14 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
})
ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := modSecurityFooHost
nameSpace := f.Namespace

18
test/e2e/annotations/serversnippet.go
View file

@ -33,6 +33,15 @@ var _ = framework.DescribeAnnotation("server-snippet", func() {
})
ginkgo.It(`add valid directives to server via server snippet`, func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "serversnippet.foo.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/server-snippet": `
@ -59,6 +68,15 @@ var _ = framework.DescribeAnnotation("server-snippet", func() {
})
ginkgo.It(`drops server snippet if disabled by the administrator`, func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "noserversnippet.foo.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/server-snippet": `

14
test/e2e/annotations/snippet.go
View file

@ -33,6 +33,16 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() {
ginkgo.It("set snippet more_set_headers in all locations", func() {
host := "configurationsnippet.foo.com"
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
annotations := map[string]string{
"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`,
}
@ -76,10 +86,6 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() {
annotations)
f.UpdateNginxConfigMapData("allow-snippet-annotations", "false")
defer func() {
// Return to the original value
f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
}()
// Sleep a while just to guarantee that the configmap is applied
framework.Sleep()

9
test/e2e/annotations/streamsnippet.go
View file

@ -39,6 +39,15 @@ var _ = framework.DescribeSetting("stream-snippet", func() {
})
ginkgo.It("should add value of stream-snippet to nginx config", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "foo.com"
snippet := `server {listen 8000; proxy_pass 127.0.0.1:80;}`

2
test/e2e/framework/deployment.go
View file

@ -47,7 +47,7 @@ const NIPService = "external-nip"
var HTTPBunImage = os.Getenv("HTTPBUN_IMAGE")
// EchoImage is the default image to be used by the echo service
const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a"
const EchoImage = "registry.k8s.io/ingress-nginx/e2e-test-echo@sha256:4938d1d91a2b7d19454460a8c1b010b89f6ff92d2987fd889ac3e8fc3b70d91a" //#nosec G101
// TODO: change all Deployment functions to use these options
// in order to reduce complexity and have a unified API across the

9
test/e2e/ingress/multiple_rules.go
View file

@ -36,6 +36,15 @@ var _ = framework.IngressNginxDescribe("single ingress - multiple hosts", func()
})
ginkgo.It("should set the correct $service_name NGINX variable", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
annotations := map[string]string{
"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_input_headers "service-name: $service_name";`,
}

9
test/e2e/ingress/pathtype_exact.go
View file

@ -35,6 +35,15 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] exact", func() {
})
ginkgo.It("should choose exact location for /exact", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "exact.path"
annotations := map[string]string{

9
test/e2e/ingress/pathtype_mixed.go
View file

@ -37,6 +37,15 @@ var _ = framework.IngressNginxDescribe("[Ingress] [PathType] mix Exact and Prefi
exactPathType := networking.PathTypeExact
ginkgo.It("should choose the correct location", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "mixed.path"
annotations := map[string]string{

33
test/e2e/settings/badannotationvalues.go
View file

@ -34,6 +34,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
})
ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "invalid-value-test"
annotations := map[string]string{
@ -65,6 +73,15 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
})
ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "forbidden-value-test"
annotations := map[string]string{
@ -100,6 +117,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
})
ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
hostValid := "custom-allowed-value-test"
annotationsValid := map[string]string{
"nginx.ingress.kubernetes.io/configuration-snippet": `
@ -130,6 +155,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
})
ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "custom-forbidden-value-test"
annotations := map[string]string{

10
test/e2e/settings/geoip2.go
View file

@ -69,7 +69,15 @@ var _ = framework.DescribeSetting("Geoip2", func() {
ginkgo.It("should only allow requests from specific countries", func() {
ginkgo.Skip("GeoIP test are temporarily disabled")
f.UpdateNginxConfigMapData("use-geoip2", "true")
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
"use-geoip2": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
httpSnippetAllowingOnlyAustralia := `map $geoip2_city_country_code $blocked_country {
default 1;

17
test/e2e/settings/proxy_host.go
View file

@ -34,6 +34,14 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() {
})
ginkgo.It("should exist a proxy_host", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService)
annotations := map[string]string{
"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Custom-Header: $proxy_host"`,
@ -55,6 +63,15 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() {
})
ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService)
upstreamVHost := "different.host"
annotations := map[string]string{

11
test/e2e/settings/server_snippet.go
View file

@ -37,10 +37,16 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {
hostAnnots := "serverannotssnippet1.foo.com"
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
"server-snippet": `
more_set_headers "Globalfoo: Foooo";`,
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
annotations := map[string]string{
"nginx.ingress.kubernetes.io/server-snippet": `
more_set_headers "Foo: Bar";
@ -99,6 +105,11 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {
more_set_headers "Globalfoo: Foooo";`,
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
annotations := map[string]string{
"nginx.ingress.kubernetes.io/server-snippet": `
more_set_headers "Foo: Bar";

17
test/e2e/settings/validations/validations.go
View file

@ -31,6 +31,15 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
f := framework.NewDefaultFramework("validations")
//nolint:dupl // Ignore dupl errors for similar test case
ginkgo.It("should allow ingress based on their risk on webhooks", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "annotation-validations"
// Low and Medium Risk annotations should be allowed, the rest should be denied
@ -57,6 +66,14 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
})
//nolint:dupl // Ignore dupl errors for similar test case
ginkgo.It("should allow ingress based on their risk on webhooks", func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "true",
})
defer func() {
f.SetNginxConfigMapData(map[string]string{
"allow-snippet-annotations": "false",
})
}()
host := "annotation-validations"
// Low and Medium Risk annotations should be allowed, the rest should be denied