Disable user snippets per default (#10393)

* Disable user snippets per default * Enable snippet on tests
2023-09-11 00:02:10 -03:00 · 2023-09-11 00:02:10 -03:00 · cf889c6c47
commit cf889c6c47
parent 2d03da6334
35 changed files with 494 additions and 288 deletions
--- a/test/e2e/settings/badannotationvalues.go
+++ b/test/e2e/settings/badannotationvalues.go
@ -34,6 +34,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 	})

 	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
 		host := "invalid-value-test"

 		annotations := map[string]string{
@ -65,6 +73,15 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 	})

 	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
+
 		host := "forbidden-value-test"

 		annotations := map[string]string{
@ -100,6 +117,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 	})

 	ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
 		hostValid := "custom-allowed-value-test"
 		annotationsValid := map[string]string{
 			"nginx.ingress.kubernetes.io/configuration-snippet": `
@ -130,6 +155,14 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 	})

 	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
 		host := "custom-forbidden-value-test"

 		annotations := map[string]string{
--- a/test/e2e/settings/geoip2.go
+++ b/test/e2e/settings/geoip2.go
@ -69,7 +69,15 @@ var _ = framework.DescribeSetting("Geoip2", func() {
 	ginkgo.It("should only allow requests from specific countries", func() {
 		ginkgo.Skip("GeoIP test are temporarily disabled")

-		f.UpdateNginxConfigMapData("use-geoip2", "true")
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+			"use-geoip2":                "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()

 		httpSnippetAllowingOnlyAustralia := `map $geoip2_city_country_code $blocked_country {
  default 1;
--- a/test/e2e/settings/proxy_host.go
+++ b/test/e2e/settings/proxy_host.go
@ -34,6 +34,14 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() {
 	})

 	ginkgo.It("should exist a proxy_host", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
 		upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService)
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/configuration-snippet": `more_set_headers "Custom-Header: $proxy_host"`,
@ -55,6 +63,15 @@ var _ = framework.IngressNginxDescribe("Dynamic $proxy_host", func() {
 	})

 	ginkgo.It("should exist a proxy_host using the upstream-vhost annotation value", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
+
 		upstreamName := fmt.Sprintf("%v-%v-80", f.Namespace, framework.EchoService)
 		upstreamVHost := "different.host"
 		annotations := map[string]string{
--- a/test/e2e/settings/server_snippet.go
+++ b/test/e2e/settings/server_snippet.go
@ -37,10 +37,16 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {
 		hostAnnots := "serverannotssnippet1.foo.com"

 		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
 			"server-snippet": `
 			more_set_headers "Globalfoo: Foooo";`,
 		})

+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/server-snippet": `
 				more_set_headers "Foo: Bar";
@ -99,6 +105,11 @@ var _ = framework.DescribeSetting("configmap server-snippet", func() {
 			more_set_headers "Globalfoo: Foooo";`,
 		})

+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/server-snippet": `
 				more_set_headers "Foo: Bar";
--- a/test/e2e/settings/validations/validations.go
+++ b/test/e2e/settings/validations/validations.go
@ -31,6 +31,15 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
 	f := framework.NewDefaultFramework("validations")
 	//nolint:dupl // Ignore dupl errors for similar test case
 	ginkgo.It("should allow ingress based on their risk on webhooks", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
+
 		host := "annotation-validations"

 		// Low and Medium Risk annotations should be allowed, the rest should be denied
@ -57,6 +66,14 @@ var _ = framework.IngressNginxDescribeSerial("annotation validations", func() {
 	})
 	//nolint:dupl // Ignore dupl errors for similar test case
 	ginkgo.It("should allow ingress based on their risk on webhooks", func() {
+		f.SetNginxConfigMapData(map[string]string{
+			"allow-snippet-annotations": "true",
+		})
+		defer func() {
+			f.SetNginxConfigMapData(map[string]string{
+				"allow-snippet-annotations": "false",
+			})
+		}()
 		host := "annotation-validations"

 		// Low and Medium Risk annotations should be allowed, the rest should be denied