Merge pull request #6294 from ianbuss/auth-error-redirect-param

Allow customisation of redirect URL parameter in external auth redirects
2020-11-23 01:27:37 -08:00 · 2020-11-23 01:27:37 -08:00 · e3a3ea8826
commit e3a3ea8826
parent ced41245ce 41cf628bdf
11 changed files with 233 additions and 86 deletions
--- a/internal/ingress/annotations/authreq/main.go
+++ b/internal/ingress/annotations/authreq/main.go
@ -35,15 +35,16 @@ import (
 type Config struct {
 	URL string `json:"url"`
 	// Host contains the hostname defined in the URL
-	Host              string            `json:"host"`
-	SigninURL         string            `json:"signinUrl"`
-	Method            string            `json:"method"`
-	ResponseHeaders   []string          `json:"responseHeaders,omitempty"`
-	RequestRedirect   string            `json:"requestRedirect"`
-	AuthSnippet       string            `json:"authSnippet"`
-	AuthCacheKey      string            `json:"authCacheKey"`
-	AuthCacheDuration []string          `json:"authCacheDuration"`
-	ProxySetHeaders   map[string]string `json:"proxySetHeaders,omitempty"`
+	Host                   string            `json:"host"`
+	SigninURL              string            `json:"signinUrl"`
+	SigninURLRedirectParam string            `json:"signinUrlRedirectParam,omitempty"`
+	Method                 string            `json:"method"`
+	ResponseHeaders        []string          `json:"responseHeaders,omitempty"`
+	RequestRedirect        string            `json:"requestRedirect"`
+	AuthSnippet            string            `json:"authSnippet"`
+	AuthCacheKey           string            `json:"authCacheKey"`
+	AuthCacheDuration      []string          `json:"authCacheDuration"`
+	ProxySetHeaders        map[string]string `json:"proxySetHeaders,omitempty"`
 }

 // DefaultCacheDuration is the fallback value if no cache duration is provided
@ -66,6 +67,9 @@ func (e1 *Config) Equal(e2 *Config) bool {
 	if e1.SigninURL != e2.SigninURL {
 		return false
 	}
+	if e1.SigninURLRedirectParam != e2.SigninURLRedirectParam {
+		return false
+	}
 	if e1.Method != e2.Method {
 		return false
 	}
@ -174,6 +178,11 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) {
 		klog.V(3).InfoS("auth-signin annotation is undefined and will not be set")
 	}

+	signInRedirectParam, err := parser.GetStringAnnotation("auth-signin-redirect-param", ing)
+	if err != nil {
+		klog.V(3).Infof("auth-signin-redirect-param annotation is undefined and will not be set")
+	}
+
 	authSnippet, err := parser.GetStringAnnotation("auth-snippet", ing)
 	if err != nil {
 		klog.V(3).InfoS("auth-snippet annotation is undefined and will not be set")
@ -230,16 +239,17 @@ func (a authReq) Parse(ing *networking.Ingress) (interface{}, error) {
 	requestRedirect, _ := parser.GetStringAnnotation("auth-request-redirect", ing)

 	return &Config{
-		URL:               urlString,
-		Host:              authURL.Hostname(),
-		SigninURL:         signIn,
-		Method:            authMethod,
-		ResponseHeaders:   responseHeaders,
-		RequestRedirect:   requestRedirect,
-		AuthSnippet:       authSnippet,
-		AuthCacheKey:      authCacheKey,
-		AuthCacheDuration: authCacheDuration,
-		ProxySetHeaders:   proxySetHeaders,
+		URL:                    urlString,
+		Host:                   authURL.Hostname(),
+		SigninURL:              signIn,
+		SigninURLRedirectParam: signInRedirectParam,
+		Method:                 authMethod,
+		ResponseHeaders:        responseHeaders,
+		RequestRedirect:        requestRedirect,
+		AuthSnippet:            authSnippet,
+		AuthCacheKey:           authCacheKey,
+		AuthCacheDuration:      authCacheDuration,
+		ProxySetHeaders:        proxySetHeaders,
 	}, nil
 }

--- a/internal/ingress/annotations/authreq/main_test.go
+++ b/internal/ingress/annotations/authreq/main_test.go
@ -72,30 +72,33 @@ func TestAnnotations(t *testing.T) {
 	ing.SetAnnotations(data)

 	tests := []struct {
-		title           string
-		url             string
-		signinURL       string
-		method          string
-		requestRedirect string
-		authSnippet     string
-		authCacheKey    string
-		expErr          bool
+		title                  string
+		url                    string
+		signinURL              string
+		signinURLRedirectParam string
+		method                 string
+		requestRedirect        string
+		authSnippet            string
+		authCacheKey           string
+		expErr                 bool
 	}{
-		{"empty", "", "", "", "", "", "", true},
-		{"no scheme", "bar", "bar", "", "", "", "", true},
-		{"invalid host", "http://", "http://", "", "", "", "", true},
-		{"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", "", "", "", true},
-		{"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", "", "", "", false},
-		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "POST", "", "", "", false},
-		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", "", "", "", false},
-		{"valid URL - request redirect", "http://foo.com/external-auth", "http://foo.com/external-auth", "GET", "http://foo.com/redirect-me", "", "", false},
-		{"auth snippet", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "", "proxy_set_header My-Custom-Header 42;", "", false},
-		{"auth cache ", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "", "", "$foo$bar", false},
+		{"empty", "", "", "", "", "", "", "", true},
+		{"no scheme", "bar", "bar", "", "", "", "", "", true},
+		{"invalid host", "http://", "http://", "", "", "", "", "", true},
+		{"invalid host (multiple dots)", "http://foo..bar.com", "http://foo..bar.com", "", "", "", "", "", true},
+		{"valid URL", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "", "", "", "", "", false},
+		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "POST", "", "", "", false},
+		{"valid URL - send body", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "GET", "", "", "", false},
+		{"valid URL - request redirect", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "GET", "http://foo.com/redirect-me", "", "", false},
+		{"auth snippet", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "", "", "proxy_set_header My-Custom-Header 42;", "", false},
+		{"auth cache ", "http://foo.com/external-auth", "http://foo.com/external-auth", "", "", "", "", "$foo$bar", false},
+		{"redirect param", "http://bar.foo.com/external-auth", "http://bar.foo.com/external-auth", "origUrl", "", "", "", "", false},
 	}

 	for _, test := range tests {
 		data[parser.GetAnnotationWithPrefix("auth-url")] = test.url
 		data[parser.GetAnnotationWithPrefix("auth-signin")] = test.signinURL
+		data[parser.GetAnnotationWithPrefix("auth-signin-redirect-param")] = test.signinURLRedirectParam
 		data[parser.GetAnnotationWithPrefix("auth-method")] = fmt.Sprintf("%v", test.method)
 		data[parser.GetAnnotationWithPrefix("auth-request-redirect")] = test.requestRedirect
 		data[parser.GetAnnotationWithPrefix("auth-snippet")] = test.authSnippet
@ -122,6 +125,9 @@ func TestAnnotations(t *testing.T) {
 		if u.SigninURL != test.signinURL {
 			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.signinURL, u.SigninURL)
 		}
+		if u.SigninURLRedirectParam != test.signinURLRedirectParam {
+			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.signinURLRedirectParam, u.SigninURLRedirectParam)
+		}
 		if u.Method != test.method {
 			t.Errorf("%v: expected \"%v\" but \"%v\" was returned", test.title, test.method, u.Method)
 		}