Update dependencies

2017-10-06 17:33:32 -03:00 · 2017-10-06 17:33:32 -03:00 · d6d374b28d
commit d6d374b28d
parent bf5616c65b
13962 changed files with 48226 additions and 3618880 deletions
--- a/pkg/ingress/annotations/authreq/main.go
+++ b/pkg/ingress/annotations/authreq/main.go
@ -0,0 +1,183 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authreq
+
+import (
+	"net/url"
+	"regexp"
+	"strings"
+
+	extensions "k8s.io/api/extensions/v1beta1"
+
+	"k8s.io/ingress-nginx/pkg/ingress/annotations/parser"
+	ing_errors "k8s.io/ingress-nginx/pkg/ingress/errors"
+)
+
+const (
+	// external URL that provides the authentication
+	authURL       = "ingress.kubernetes.io/auth-url"
+	authSigninURL = "ingress.kubernetes.io/auth-signin"
+	authMethod    = "ingress.kubernetes.io/auth-method"
+	authBody      = "ingress.kubernetes.io/auth-send-body"
+	authHeaders   = "ingress.kubernetes.io/auth-response-headers"
+)
+
+// External returns external authentication configuration for an Ingress rule
+type External struct {
+	URL string `json:"url"`
+	// Host contains the hostname defined in the URL
+	Host            string   `json:"host"`
+	SigninURL       string   `json:"signinUrl"`
+	Method          string   `json:"method"`
+	SendBody        bool     `json:"sendBody"`
+	ResponseHeaders []string `json:"responseHeaders,omitEmpty"`
+}
+
+// Equal tests for equality between two External types
+func (e1 *External) Equal(e2 *External) bool {
+	if e1 == e2 {
+		return true
+	}
+	if e1 == nil || e2 == nil {
+		return false
+	}
+	if e1.URL != e2.URL {
+		return false
+	}
+	if e1.Host != e2.Host {
+		return false
+	}
+	if e1.SigninURL != e2.SigninURL {
+		return false
+	}
+	if e1.Method != e2.Method {
+		return false
+	}
+	if e1.SendBody != e2.SendBody {
+		return false
+	}
+	if e1.Method != e2.Method {
+		return false
+	}
+
+	for _, ep1 := range e1.ResponseHeaders {
+		found := false
+		for _, ep2 := range e2.ResponseHeaders {
+			if ep1 == ep2 {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return false
+		}
+	}
+
+	return true
+}
+
+var (
+	methods      = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "CONNECT", "OPTIONS", "TRACE"}
+	headerRegexp = regexp.MustCompile(`^[a-zA-Z\d\-_]+$`)
+)
+
+func validMethod(method string) bool {
+	if len(method) == 0 {
+		return false
+	}
+
+	for _, m := range methods {
+		if method == m {
+			return true
+		}
+	}
+	return false
+}
+
+func validHeader(header string) bool {
+	return headerRegexp.Match([]byte(header))
+}
+
+type authReq struct {
+}
+
+// NewParser creates a new authentication request annotation parser
+func NewParser() parser.IngressAnnotation {
+	return authReq{}
+}
+
+// ParseAnnotations parses the annotations contained in the ingress
+// rule used to use an external URL as source for authentication
+func (a authReq) Parse(ing *extensions.Ingress) (interface{}, error) {
+	str, err := parser.GetStringAnnotation(authURL, ing)
+	if err != nil {
+		return nil, err
+	}
+
+	if str == "" {
+		return nil, ing_errors.NewLocationDenied("an empty string is not a valid URL")
+	}
+
+	signin, _ := parser.GetStringAnnotation(authSigninURL, ing)
+
+	ur, err := url.Parse(str)
+	if err != nil {
+		return nil, err
+	}
+	if ur.Scheme == "" {
+		return nil, ing_errors.NewLocationDenied("url scheme is empty")
+	}
+	if ur.Host == "" {
+		return nil, ing_errors.NewLocationDenied("url host is empty")
+	}
+
+	if strings.Contains(ur.Host, "..") {
+		return nil, ing_errors.NewLocationDenied("invalid url host")
+	}
+
+	m, _ := parser.GetStringAnnotation(authMethod, ing)
+	if len(m) != 0 && !validMethod(m) {
+		return nil, ing_errors.NewLocationDenied("invalid HTTP method")
+	}
+
+	h := []string{}
+	hstr, _ := parser.GetStringAnnotation(authHeaders, ing)
+	if len(hstr) != 0 {
+
+		harr := strings.Split(hstr, ",")
+		for _, header := range harr {
+			header = strings.TrimSpace(header)
+			if len(header) > 0 {
+				if !validHeader(header) {
+					return nil, ing_errors.NewLocationDenied("invalid headers list")
+				}
+				h = append(h, header)
+			}
+		}
+	}
+
+	sb, _ := parser.GetBoolAnnotation(authBody, ing)
+
+	return &External{
+		URL:             str,
+		Host:            ur.Hostname(),
+		SigninURL:       signin,
+		Method:          m,
+		SendBody:        sb,
+		ResponseHeaders: h,
+	}, nil
+}
--- a/pkg/ingress/annotations/authreq/main_test.go
+++ b/pkg/ingress/annotations/authreq/main_test.go
@ -0,0 +1,167 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authreq
+
+import (
+	"fmt"
+	"reflect"
+	"testing"
+
+	api "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: meta_v1.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestAnnotations(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+
+	tests := []struct {
+		title     string
+		url       string
+		signinURL string
+		method    string
+		sendBody  bool
+		expErr    bool
+	}{
+		{"empty", "", "", "", false, true},
+		{"no scheme", "bar", "bar", "", false, true},
+		{"invalid host", "http://", "http://", "", false, true},
+		{"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", false, true},
+		{"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", false, false},
+		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", true, false},
+		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", true, false},
+	}
+
+	for _, test := range tests {
+		data[authURL] = test.url
+		data[authSigninURL] = test.signinURL
+		data[authBody] = fmt.Sprintf("%v", test.sendBody)
+		data[authMethod] = fmt.Sprintf("%v", test.method)
+
+		i, err := NewParser().Parse(ing)
+		if test.expErr {
+			if err == nil {
+				t.Errorf("%v: expected error but retuned nil", test.title)
+			}
+			continue
+		}
+		u, ok := i.(*External)
+		if !ok {
+			t.Errorf("%v: expected an External type", test.title)
+		}
+		if u.URL != test.url {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL)
+		}
+		if u.SigninURL != test.signinURL {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.signinURL, u.SigninURL)
+		}
+		if u.Method != test.method {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
+		}
+		if u.SendBody != test.sendBody {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.sendBody, u.SendBody)
+		}
+	}
+}
+
+func TestHeaderAnnotations(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+
+	tests := []struct {
+		title         string
+		url           string
+		headers       string
+		parsedHeaders []string
+		expErr        bool
+	}{
+		{"single header", "http://goog.url", "h1", []string{"h1"}, false},
+		{"nothing", "http://goog.url", "", []string{}, false},
+		{"spaces", "http://goog.url", "  ", []string{}, false},
+		{"two headers", "http://goog.url", "1,2", []string{"1", "2"}, false},
+		{"two headers and empty entries", "http://goog.url", ",1,,2,", []string{"1", "2"}, false},
+		{"header with spaces", "http://goog.url", "1 2", []string{}, true},
+		{"header with other bad symbols", "http://goog.url", "1+2", []string{}, true},
+	}
+
+	for _, test := range tests {
+		data[authURL] = test.url
+		data[authHeaders] = test.headers
+		data[authMethod] = "GET"
+
+		i, err := NewParser().Parse(ing)
+		if test.expErr {
+			if err == nil {
+				t.Errorf("%v: expected error but retuned nil", err.Error())
+			}
+			continue
+		}
+
+		t.Log(i)
+		u, ok := i.(*External)
+		if !ok {
+			t.Errorf("%v: expected an External type", test.title)
+			continue
+		}
+
+		if !reflect.DeepEqual(u.ResponseHeaders, test.parsedHeaders) {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.headers, u.ResponseHeaders)
+		}
+	}
+}