Update dependencies

2017-10-06 17:33:32 -03:00 · 2017-10-06 17:33:32 -03:00 · d6d374b28d
commit d6d374b28d
parent bf5616c65b
13962 changed files with 48226 additions and 3618880 deletions
--- a/pkg/ingress/annotations/authtls/main.go
+++ b/pkg/ingress/annotations/authtls/main.go
@ -0,0 +1,131 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authtls
+
+import (
+	"github.com/pkg/errors"
+	extensions "k8s.io/api/extensions/v1beta1"
+
+	"k8s.io/ingress-nginx/pkg/ingress/annotations/parser"
+	ing_errors "k8s.io/ingress-nginx/pkg/ingress/errors"
+	"k8s.io/ingress-nginx/pkg/ingress/resolver"
+	"k8s.io/ingress-nginx/pkg/k8s"
+	"regexp"
+)
+
+const (
+	// name of the secret
+	annotationAuthTLSSecret    = "ingress.kubernetes.io/auth-tls-secret"
+	annotationAuthVerifyClient = "ingress.kubernetes.io/auth-tls-verify-client"
+	annotationAuthTLSDepth     = "ingress.kubernetes.io/auth-tls-verify-depth"
+	annotationAuthTLSErrorPage = "ingress.kubernetes.io/auth-tls-error-page"
+	defaultAuthTLSDepth        = 1
+	defaultAuthVerifyClient    = "on"
+)
+
+var (
+	authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`)
+)
+
+// AuthSSLConfig contains the AuthSSLCert used for muthual autentication
+// and the configured ValidationDepth
+type AuthSSLConfig struct {
+	resolver.AuthSSLCert
+	VerifyClient    string `json:"verify_client"`
+	ValidationDepth int    `json:"validationDepth"`
+	ErrorPage       string `json:"errorPage"`
+}
+
+// Equal tests for equality between two AuthSSLConfig types
+func (assl1 *AuthSSLConfig) Equal(assl2 *AuthSSLConfig) bool {
+	if assl1 == assl2 {
+		return true
+	}
+	if assl1 == nil || assl2 == nil {
+		return false
+	}
+	if !(&assl1.AuthSSLCert).Equal(&assl2.AuthSSLCert) {
+		return false
+	}
+	if assl1.VerifyClient != assl2.VerifyClient {
+		return false
+	}
+	if assl1.ValidationDepth != assl2.ValidationDepth {
+		return false
+	}
+	if assl1.ErrorPage != assl2.ErrorPage {
+		return false
+	}
+	return true
+}
+
+// NewParser creates a new TLS authentication annotation parser
+func NewParser(resolver resolver.AuthCertificate) parser.IngressAnnotation {
+	return authTLS{resolver}
+}
+
+type authTLS struct {
+	certResolver resolver.AuthCertificate
+}
+
+// Parse parses the annotations contained in the ingress
+// rule used to use a Certificate as authentication method
+func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {
+
+	tlsauthsecret, err := parser.GetStringAnnotation(annotationAuthTLSSecret, ing)
+	if err != nil {
+		return &AuthSSLConfig{}, err
+	}
+
+	if tlsauthsecret == "" {
+		return &AuthSSLConfig{}, ing_errors.NewLocationDenied("an empty string is not a valid secret name")
+	}
+
+	_, _, err = k8s.ParseNameNS(tlsauthsecret)
+	if err != nil {
+		return &AuthSSLConfig{}, ing_errors.NewLocationDenied(err.Error())
+	}
+
+	tlsVerifyClient, err := parser.GetStringAnnotation(annotationAuthVerifyClient, ing)
+	if err != nil || !authVerifyClientRegex.MatchString(tlsVerifyClient) {
+		tlsVerifyClient = defaultAuthVerifyClient
+	}
+
+	tlsdepth, err := parser.GetIntAnnotation(annotationAuthTLSDepth, ing)
+	if err != nil || tlsdepth == 0 {
+		tlsdepth = defaultAuthTLSDepth
+	}
+
+	authCert, err := a.certResolver.GetAuthCertificate(tlsauthsecret)
+	if err != nil {
+		return &AuthSSLConfig{}, ing_errors.LocationDenied{
+			Reason: errors.Wrap(err, "error obtaining certificate"),
+		}
+	}
+
+	errorpage, err := parser.GetStringAnnotation(annotationAuthTLSErrorPage, ing)
+	if err != nil || errorpage == "" {
+		errorpage = ""
+	}
+
+	return &AuthSSLConfig{
+		AuthSSLCert:     *authCert,
+		VerifyClient:    tlsVerifyClient,
+		ValidationDepth: tlsdepth,
+		ErrorPage:       errorpage,
+	}, nil
+}
--- a/pkg/ingress/annotations/authtls/main_test.go
+++ b/pkg/ingress/annotations/authtls/main_test.go
@ -0,0 +1,108 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package authtls
+
+import (
+	"testing"
+
+	api "k8s.io/api/core/v1"
+	extensions "k8s.io/api/extensions/v1beta1"
+	meta_v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+func buildIngress() *extensions.Ingress {
+	defaultBackend := extensions.IngressBackend{
+		ServiceName: "default-backend",
+		ServicePort: intstr.FromInt(80),
+	}
+
+	return &extensions.Ingress{
+		ObjectMeta: meta_v1.ObjectMeta{
+			Name:      "foo",
+			Namespace: api.NamespaceDefault,
+		},
+		Spec: extensions.IngressSpec{
+			Backend: &extensions.IngressBackend{
+				ServiceName: "default-backend",
+				ServicePort: intstr.FromInt(80),
+			},
+			Rules: []extensions.IngressRule{
+				{
+					Host: "foo.bar.com",
+					IngressRuleValue: extensions.IngressRuleValue{
+						HTTP: &extensions.HTTPIngressRuleValue{
+							Paths: []extensions.HTTPIngressPath{
+								{
+									Path:    "/foo",
+									Backend: defaultBackend,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func TestAnnotations(t *testing.T) {
+	ing := buildIngress()
+
+	data := map[string]string{}
+	ing.SetAnnotations(data)
+	/*
+		tests := []struct {
+			title    string
+			url      string
+			method   string
+			sendBody bool
+			expErr   bool
+		}{
+			{"empty", "", "", false, true},
+			{"no scheme", "bar", "", false, true},
+			{"invalid host", "http://", "", false, true},
+			{"invalid host (multiple dots)", "http://foo..bar.com", "", false, true},
+			{"valid URL", "http://bar.foo.com/external-auth", "", false, false},
+			{"valid URL - send body", "http://foo.com/external-auth", "POST", true, false},
+			{"valid URL - send body", "http://foo.com/external-auth", "GET", true, false},
+		}
+
+		for _, test := range tests {
+			data[authTLSSecret] = ""
+			test.title
+
+				u, err := ParseAnnotations(ing)
+
+				if test.expErr {
+					if err == nil {
+						t.Errorf("%v: expected error but retuned nil", test.title)
+					}
+					continue
+				}
+
+				if u.URL != test.url {
+					t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.url, u.URL)
+				}
+				if u.Method != test.method {
+					t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
+				}
+				if u.SendBody != test.sendBody {
+					t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.sendBody, u.SendBody)
+				}
+		}*/
+}