run lua-resty-waf in different modes (#2317)

* run lua-resty-waf in different modes * update docs
2018-04-09 08:19:13 -04:00 · 2018-04-09 08:19:13 -04:00 · d6eb44376d
commit d6eb44376d
parent bad8295a42
8 changed files with 75 additions and 34 deletions
--- a/internal/file/bindata.go
+++ b/internal/file/bindata.go
--- a/internal/ingress/annotations/luarestywaf/main.go
+++ b/internal/ingress/annotations/luarestywaf/main.go
@ -23,12 +23,15 @@ import (
 	extensions "k8s.io/api/extensions/v1beta1"

 	"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
+	"k8s.io/ingress-nginx/internal/ingress/errors"
 	"k8s.io/ingress-nginx/internal/ingress/resolver"
 )

+var luaRestyWAFModes = map[string]bool{"ACTIVE": true, "INACTIVE": true, "SIMULATE": true}
+
 // Config returns lua-resty-waf configuration for an Ingress rule
 type Config struct {
-	Enabled            bool     `json:"enabled"`
+	Mode               string   `json:"mode"`
 	Debug              bool     `json:"debug"`
 	IgnoredRuleSets    []string `json: "ignored-rulesets"`
 	ExtraRulesetString string   `json: "extra-ruleset-string"`
@ -42,7 +45,7 @@ func (e1 *Config) Equal(e2 *Config) bool {
 	if e1 == nil || e2 == nil {
 		return false
 	}
-	if e1.Enabled != e2.Enabled {
+	if e1.Mode != e2.Mode {
 		return false
 	}
 	if e1.Debug != e2.Debug {
@ -71,11 +74,16 @@ func NewParser(r resolver.Resolver) parser.IngressAnnotation {
 // used to indicate if the location/s contains a fragment of
 // configuration to be included inside the paths of the rules
 func (a luarestywaf) Parse(ing *extensions.Ingress) (interface{}, error) {
-	enabled, err := parser.GetBoolAnnotation("lua-resty-waf", ing)
+	mode, err := parser.GetStringAnnotation("lua-resty-waf", ing)
 	if err != nil {
 		return &Config{}, err
 	}

+	mode = strings.ToUpper(mode)
+	if _, ok := luaRestyWAFModes[mode]; !ok {
+		return &Config{}, errors.NewInvalidAnnotationContent("lua-resty-waf", mode)
+	}
+
 	debug, _ := parser.GetBoolAnnotation("lua-resty-waf-debug", ing)

 	ignoredRuleSetsStr, _ := parser.GetStringAnnotation("lua-resty-waf-ignore-rulesets", ing)
@ -88,7 +96,7 @@ func (a luarestywaf) Parse(ing *extensions.Ingress) (interface{}, error) {
 	extraRulesetString, _ := parser.GetStringAnnotation("lua-resty-waf-extra-rules", ing)

 	return &Config{
-		Enabled:            enabled,
+		Mode:               mode,
 		Debug:              debug,
 		IgnoredRuleSets:    ignoredRuleSets,
 		ExtraRulesetString: extraRulesetString,
--- a/internal/ingress/annotations/luarestywaf/main_test.go
+++ b/internal/ingress/annotations/luarestywaf/main_test.go
@ -43,18 +43,21 @@ func TestParse(t *testing.T) {
 		{nil, &Config{}},
 		{map[string]string{}, &Config{}},

-		{map[string]string{luaRestyWAFAnnotation: "true"}, &Config{Enabled: true, Debug: false, IgnoredRuleSets: []string{}}},
-		{map[string]string{luaRestyWAFDebugAnnotation: "true"}, &Config{Enabled: false, Debug: false}},
+		{map[string]string{luaRestyWAFAnnotation: "active"}, &Config{Mode: "ACTIVE", Debug: false, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFDebugAnnotation: "true"}, &Config{Debug: false}},

-		{map[string]string{luaRestyWAFAnnotation: "true", luaRestyWAFDebugAnnotation: "true"}, &Config{Enabled: true, Debug: true, IgnoredRuleSets: []string{}}},
-		{map[string]string{luaRestyWAFAnnotation: "true", luaRestyWAFDebugAnnotation: "false"}, &Config{Enabled: true, Debug: false, IgnoredRuleSets: []string{}}},
-		{map[string]string{luaRestyWAFAnnotation: "false", luaRestyWAFDebugAnnotation: "true"}, &Config{Enabled: false, Debug: true, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "active", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "ACTIVE", Debug: true, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "active", luaRestyWAFDebugAnnotation: "false"}, &Config{Mode: "ACTIVE", Debug: false, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "inactive", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "INACTIVE", Debug: true, IgnoredRuleSets: []string{}}},

 		{map[string]string{
-			luaRestyWAFAnnotation:                "true",
+			luaRestyWAFAnnotation:                "active",
 			luaRestyWAFDebugAnnotation:           "true",
 			luaRestyWAFIgnoredRuleSetsAnnotation: "ruleset1, ruleset2 ruleset3,   another.ruleset"},
-			&Config{Enabled: true, Debug: true, IgnoredRuleSets: []string{"ruleset1", "ruleset2", "ruleset3", "another.ruleset"}}},
+			&Config{Mode: "ACTIVE", Debug: true, IgnoredRuleSets: []string{"ruleset1", "ruleset2", "ruleset3", "another.ruleset"}}},
+
+		{map[string]string{luaRestyWAFAnnotation: "siMulate", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "SIMULATE", Debug: true, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "siMulateX", luaRestyWAFDebugAnnotation: "true"}, &Config{Debug: false}},
 	}

 	ing := &extensions.Ingress{
--- a/internal/ingress/controller/template/template.go
+++ b/internal/ingress/controller/template/template.go
@ -119,6 +119,7 @@ var (
 			}
 			return true
 		},
+		"shouldConfigureLuaRestyWAF": shouldConfigureLuaRestyWAF,
 		"buildLuaSharedDictionaries": buildLuaSharedDictionaries,
 		"buildLocation":              buildLocation,
 		"buildAuthLocation":          buildAuthLocation,
@ -168,6 +169,14 @@ func formatIP(input string) string {
 	return fmt.Sprintf("[%s]", input)
 }

+func shouldConfigureLuaRestyWAF(disableLuaRestyWAF bool, mode string) bool {
+	if !disableLuaRestyWAF && len(mode) > 0 {
+		return true
+	}
+
+	return false
+}
+
 func buildLuaSharedDictionaries(s interface{}, dynamicConfigurationEnabled bool, disableLuaRestyWAF bool) string {
 	servers, ok := s.([]*ingress.Server)
 	if !ok {
@ -191,7 +200,7 @@ func buildLuaSharedDictionaries(s interface{}, dynamicConfigurationEnabled bool,
 		luaRestyWAFEnabled := func() bool {
 			for _, server := range servers {
 				for _, location := range server.Locations {
-					if location.LuaRestyWAF.Enabled {
+					if len(location.LuaRestyWAF.Mode) > 0 {
 						return true
 					}
 				}
--- a/internal/ingress/controller/template/template_test.go
+++ b/internal/ingress/controller/template/template_test.go
@ -321,7 +321,7 @@ func TestBuildLuaSharedDictionaries(t *testing.T) {
 		t.Errorf("expected to not include 'waf_storage' but got %s", config)
 	}

-	servers[1].Locations[0].LuaRestyWAF = luarestywaf.Config{Enabled: true}
+	servers[1].Locations[0].LuaRestyWAF = luarestywaf.Config{Mode: "ACTIVE"}
 	config = buildLuaSharedDictionaries(servers, false, false)
 	if !strings.Contains(config, "lua_shared_dict waf_storage") {
 		t.Errorf("expected to configure 'waf_storage', but got %s", config)