update default block list,docs, tests (#7942)

* update default block list,docs, tests * fix config for admin test * gofmt * remove the err return
2021-11-23 12:06:17 -05:00 · 2021-11-23 12:06:17 -05:00 · d4a6ade65f
commit d4a6ade65f
parent e57d2f63fa
7 changed files with 69 additions and 63 deletions
--- a/test/e2e/admission/admission.go
+++ b/test/e2e/admission/admission.go
@ -127,6 +127,9 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/connection-proxy-header": "a;}",
 		}
+
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "}")
+
 		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error")
@ -138,6 +141,9 @@ var _ = framework.IngressNginxDescribe("[Serial] admission controller", func() {
 		annotations := map[string]string{
 			"nginx.ingress.kubernetes.io/connection-proxy-header": "set_by_lua",
 		}
+
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "set_by_lua")
+
 		firstIngress := framework.NewSingleIngress("first-ingress", "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		_, err := f.KubeClientSet.NetworkingV1().Ingresses(f.Namespace).Create(context.TODO(), firstIngress, metav1.CreateOptions{})
 		assert.NotNil(ginkgo.GinkgoT(), err, "creating an ingress with invalid annotation value should return an error")
--- a/test/e2e/framework/util.go
+++ b/test/e2e/framework/util.go
@ -42,7 +42,7 @@ const (
 	Poll = 2 * time.Second

 	// DefaultTimeout time to wait for operations to complete
-	DefaultTimeout = 30 * time.Second
+	DefaultTimeout = 90 * time.Second
 )

 func nowStamp() string {
--- a/test/e2e/settings/badannotationvalues.go
+++ b/test/e2e/settings/badannotationvalues.go
@ -33,7 +33,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 		f.NewEchoDeployment()
 	})

-	ginkgo.It("should drop an ingress if there is an invalid character in some annotation", func() {
+	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is an invalid character in some annotation", func() {
 		host := "invalid-value-test"

 		annotations := map[string]string{
@ -43,6 +43,8 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {

 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,{")
+
 		f.EnsureIngress(ing)

 		f.WaitForNginxServer(host,
@ -62,7 +64,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 			Status(http.StatusNotFound)
 	})

-	ginkgo.It("should drop an ingress if there is a forbidden word in some annotation", func() {
+	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a forbidden word in some annotation", func() {
 		host := "forbidden-value-test"

 		annotations := map[string]string{
@ -75,6 +77,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {

 		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		f.UpdateNginxConfigMapData("allow-snippet-annotations", "true")
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden,content_by_lua_block")
 		// Sleep a while just to guarantee that the configmap is applied
 		framework.Sleep()
 		f.EnsureIngress(ing)
@ -96,13 +99,7 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 			Status(http.StatusNotFound)
 	})

-	ginkgo.It("should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() {
-		host := "custom-forbidden-value-test"
-
-		annotations := map[string]string{
-			"nginx.ingress.kubernetes.io/configuration-snippet": `
-			# something_forbidden`,
-		}
+	ginkgo.It("[BAD_ANNOTATIONS] should allow an ingress if there is a default blocklist config in place", func() {

 		hostValid := "custom-allowed-value-test"
 		annotationsValid := map[string]string{
@ -110,44 +107,58 @@ var _ = framework.DescribeAnnotation("Bad annotation values", func() {
 			# bla_by_lua`,
 		}

-		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
 		ingValid := framework.NewSingleIngress(hostValid, "/", hostValid, f.Namespace, framework.EchoService, 80, annotationsValid)
-		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden")
+
 		// Sleep a while just to guarantee that the configmap is applied
 		framework.Sleep()
-		f.EnsureIngress(ing)
 		f.EnsureIngress(ingValid)

-		f.WaitForNginxServer(host,
-			func(server string) bool {
-				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
-			})
-
 		f.WaitForNginxServer(hostValid,
 			func(server string) bool {
 				return strings.Contains(server, fmt.Sprintf("server_name %s ;", hostValid))
 			})

-		f.WaitForNginxServer(host,
-			func(server string) bool {
-				return !strings.Contains(server, "# something_forbidden")
-			})
-
 		f.WaitForNginxServer(hostValid,
 			func(server string) bool {
 				return strings.Contains(server, "# bla_by_lua")
 			})

-		f.HTTPTestClient().
-			GET("/").
-			WithHeader("Host", host).
-			Expect().
-			Status(http.StatusNotFound)
-
 		f.HTTPTestClient().
 			GET("/").
 			WithHeader("Host", hostValid).
 			Expect().
 			Status(http.StatusOK)
 	})
+
+	ginkgo.It("[BAD_ANNOTATIONS] should drop an ingress if there is a custom blocklist config in place and allow others to pass", func() {
+		host := "custom-forbidden-value-test"
+
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/configuration-snippet": `
+			# something_forbidden`,
+		}
+
+		ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+		f.UpdateNginxConfigMapData("annotation-value-word-blocklist", "something_forbidden,otherthing_forbidden")
+		// Sleep a while just to guarantee that the configmap is applied
+		framework.Sleep()
+		f.EnsureIngress(ing)
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, fmt.Sprintf("server_name %s ;", host))
+			})
+
+		f.WaitForNginxServer(host,
+			func(server string) bool {
+				return !strings.Contains(server, "# something_forbidden")
+			})
+
+		f.HTTPTestClient().
+			GET("/").
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusNotFound)
+
+	})
 })