Merge pull request #6294 from ianbuss/auth-error-redirect-param

Allow customisation of redirect URL parameter in external auth redirects
2020-11-23 01:27:37 -08:00 · 2020-11-23 01:27:37 -08:00 · e3a3ea8826
commit e3a3ea8826
parent ced41245ce 41cf628bdf
11 changed files with 233 additions and 86 deletions
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -455,6 +455,83 @@ http {
 		})
 	})

+	ginkgo.Context("when external authentication is configured with a custom redirect param", func() {
+		host := "auth"
+		var annotations map[string]string
+		var ing *networking.Ingress
+
+		ginkgo.BeforeEach(func() {
+			f.NewHttpbinDeployment()
+
+			var httpbinIP string
+
+			err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			httpbinIP = e.Subsets[0].Addresses[0].IP
+
+			annotations = map[string]string{
+				"nginx.ingress.kubernetes.io/auth-url":                   fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
+				"nginx.ingress.kubernetes.io/auth-signin":                "http://$host/auth/start",
+				"nginx.ingress.kubernetes.io/auth-signin-redirect-param": "orig",
+			}
+
+			ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, "server_name auth")
+			})
+		})
+
+		ginkgo.It("should return status code 200 when signed in", func() {
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				WithBasicAuth("user", "password").
+				Expect().
+				Status(http.StatusOK)
+		})
+
+		ginkgo.It("should redirect to signin url when not signed in", func() {
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				WithQuery("a", "b").
+				WithQuery("c", "d").
+				Expect().
+				Status(http.StatusFound).
+				Header("Location").Equal(fmt.Sprintf("http://%s/auth/start?orig=http://%s%s", host, host, url.QueryEscape("/?a=b&c=d")))
+		})
+
+		ginkgo.It("keeps processing new ingresses even if one of the existing ingresses is misconfigured", func() {
+			annotations["nginx.ingress.kubernetes.io/auth-type"] = "basic"
+			annotations["nginx.ingress.kubernetes.io/auth-secret"] = "something"
+			annotations["nginx.ingress.kubernetes.io/auth-realm"] = "test auth"
+			f.UpdateIngress(ing)
+
+			anotherHost := "different"
+			anotherAnnotations := map[string]string{}
+
+			anotherIng := framework.NewSingleIngress(anotherHost, "/", anotherHost, f.Namespace, framework.EchoService, 80, anotherAnnotations)
+			f.EnsureIngress(anotherIng)
+
+			f.WaitForNginxServer(anotherHost,
+				func(server string) bool {
+					return strings.Contains(server, "server_name "+anotherHost)
+				})
+
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", anotherHost).
+				Expect().
+				Status(http.StatusOK)
+		})
+	})
+
 	ginkgo.Context("when external authentication with caching is configured", func() {
 		thisHost := "auth"
 		thatHost := "different"