Disable user snippets per default (#10393)
* Disable user snippets per default * Enable snippet on tests
This commit is contained in:
Ricardo Katz
GitHub
parent
2d03da6334
commit
cf889c6c47
35 changed files with 494 additions and 288 deletions
|
|
@ -277,6 +277,14 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
|
|||
"nginx.ingress.kubernetes.io/auth-snippet": `
|
||||
proxy_set_header My-Custom-Header 42;`,
|
||||
}
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
|
||||
f.EnsureIngress(ing)
|
||||
|
|
@ -290,6 +298,15 @@ var _ = framework.DescribeAnnotation("auth-*", func() {
|
|||
ginkgo.It(`should not set snippet "proxy_set_header My-Custom-Header 42;" when external auth is not configured`, func() {
|
||||
host := authHost
|
||||
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
annotations := map[string]string{
|
||||
"nginx.ingress.kubernetes.io/auth-snippet": `
|
||||
proxy_set_header My-Custom-Header 42;`,
|
||||
|
|
|
|||
|
|
@ -82,7 +82,7 @@ var _ = framework.DescribeAnnotation("backend-protocol - FastCGI", func() {
|
|||
|
||||
f.EnsureConfigMap(configuration)
|
||||
|
||||
host := "fastcgi-params-configmap"
|
||||
host := "fastcgi-params-configmap" //#nosec G101
|
||||
|
||||
annotations := map[string]string{
|
||||
"nginx.ingress.kubernetes.io/backend-protocol": "FCGI",
|
||||
|
|
|
|||
|
|
@ -62,6 +62,15 @@ var _ = framework.DescribeAnnotation("from-to-www-redirect", func() {
|
|||
})
|
||||
|
||||
ginkgo.It("should redirect from www HTTPS to HTTPS", func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
ginkgo.By("setting up server for redirect from www")
|
||||
|
||||
fromHost := fmt.Sprintf("%s.nip.io", f.GetNginxIP())
|
||||
|
|
|
|||
|
|
@ -189,6 +189,15 @@ var _ = framework.DescribeAnnotation("backend-protocol - GRPC", func() {
|
|||
ginkgo.It("should return OK for service with backend protocol GRPCS", func() {
|
||||
f.NewGRPCBinDeployment()
|
||||
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
host := echoHost
|
||||
|
||||
svc := &corev1.Service{
|
||||
|
|
|
|||
|
|
@ -100,6 +100,15 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
|
|||
})
|
||||
|
||||
ginkgo.It("should enable modsecurity with snippet", func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
host := modSecurityFooHost
|
||||
nameSpace := f.Namespace
|
||||
|
||||
|
|
@ -164,6 +173,15 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
|
|||
})
|
||||
|
||||
ginkgo.It("should enable modsecurity with snippet and block requests", func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
host := modSecurityFooHost
|
||||
nameSpace := f.Namespace
|
||||
|
||||
|
|
@ -194,6 +212,15 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
|
|||
})
|
||||
|
||||
ginkgo.It("should enable modsecurity globally and with modsecurity-snippet block requests", func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
host := modSecurityFooHost
|
||||
nameSpace := f.Namespace
|
||||
|
||||
|
|
@ -224,6 +251,17 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
|
|||
})
|
||||
|
||||
ginkgo.It("should enable modsecurity when enable-owasp-modsecurity-crs is set to true", func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
"enable-modsecurity": "true",
|
||||
"enable-owasp-modsecurity-crs": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
host := modSecurityFooHost
|
||||
nameSpace := f.Namespace
|
||||
|
||||
|
|
@ -238,11 +276,6 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
|
|||
ing := framework.NewSingleIngress(host, "/", host, nameSpace, framework.EchoService, 80, annotations)
|
||||
f.EnsureIngress(ing)
|
||||
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"enable-modsecurity": "true",
|
||||
"enable-owasp-modsecurity-crs": "true",
|
||||
})
|
||||
|
||||
f.WaitForNginxServer(host,
|
||||
func(server string) bool {
|
||||
return strings.Contains(server, "SecRuleEngine On")
|
||||
|
|
@ -277,12 +310,17 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
|
|||
f.EnsureIngress(ing)
|
||||
|
||||
expectedComment := "SecRuleEngine On"
|
||||
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
"enable-modsecurity": "true",
|
||||
"enable-owasp-modsecurity-crs": "true",
|
||||
"modsecurity-snippet": expectedComment,
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
f.WaitForNginxServer(host,
|
||||
func(server string) bool {
|
||||
|
|
@ -340,6 +378,14 @@ var _ = framework.DescribeAnnotation("modsecurity owasp", func() {
|
|||
})
|
||||
|
||||
ginkgo.It("should disable default modsecurity conf setting when modsecurity-snippet is specified", func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
host := modSecurityFooHost
|
||||
nameSpace := f.Namespace
|
||||
|
||||
|
|
|
|||
|
|
@ -33,6 +33,15 @@ var _ = framework.DescribeAnnotation("server-snippet", func() {
|
|||
})
|
||||
|
||||
ginkgo.It(`add valid directives to server via server snippet`, func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
host := "serversnippet.foo.com"
|
||||
annotations := map[string]string{
|
||||
"nginx.ingress.kubernetes.io/server-snippet": `
|
||||
|
|
@ -59,6 +68,15 @@ var _ = framework.DescribeAnnotation("server-snippet", func() {
|
|||
})
|
||||
|
||||
ginkgo.It(`drops server snippet if disabled by the administrator`, func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
host := "noserversnippet.foo.com"
|
||||
annotations := map[string]string{
|
||||
"nginx.ingress.kubernetes.io/server-snippet": `
|
||||
|
|
|
|||
|
|
@ -33,6 +33,16 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() {
|
|||
|
||||
ginkgo.It("set snippet more_set_headers in all locations", func() {
|
||||
host := "configurationsnippet.foo.com"
|
||||
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
annotations := map[string]string{
|
||||
"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Foo1: Bar1";`,
|
||||
}
|
||||
|
|
@ -76,10 +86,6 @@ var _ = framework.DescribeAnnotation("configuration-snippet", func() {
|
|||
annotations)
|
||||
|
||||
f.UpdateNginxConfigMapData("allow-snippet-annotations", "false")
|
||||
defer func() {
|
||||
// Return to the original value
|
||||
f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
|
||||
}()
|
||||
|
||||
// Sleep a while just to guarantee that the configmap is applied
|
||||
framework.Sleep()
|
||||
|
|
|
|||
|
|
@ -39,6 +39,15 @@ var _ = framework.DescribeSetting("stream-snippet", func() {
|
|||
})
|
||||
|
||||
ginkgo.It("should add value of stream-snippet to nginx config", func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "true",
|
||||
})
|
||||
defer func() {
|
||||
f.SetNginxConfigMapData(map[string]string{
|
||||
"allow-snippet-annotations": "false",
|
||||
})
|
||||
}()
|
||||
|
||||
host := "foo.com"
|
||||
|
||||
snippet := `server {listen 8000; proxy_pass 127.0.0.1:80;}`
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue