added new auth-tls-match-cn annotation (#8434)
* added new auth-tls-match-cn annotation * added few more tests
This commit is contained in:
Chris Shino
GitHub
parent
81c2afd975
commit
f9372aa495
5 changed files with 116 additions and 0 deletions
|
|
@ -18,6 +18,7 @@ package authtls
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
networking "k8s.io/api/networking/v1"
|
||||
|
||||
"regexp"
|
||||
|
|
@ -35,6 +36,7 @@ const (
|
|||
|
||||
var (
|
||||
authVerifyClientRegex = regexp.MustCompile(`on|off|optional|optional_no_ca`)
|
||||
commonNameRegex = regexp.MustCompile(`CN=`)
|
||||
)
|
||||
|
||||
// Config contains the AuthSSLCert used for mutual authentication
|
||||
|
|
@ -45,6 +47,7 @@ type Config struct {
|
|||
ValidationDepth int `json:"validationDepth"`
|
||||
ErrorPage string `json:"errorPage"`
|
||||
PassCertToUpstream bool `json:"passCertToUpstream"`
|
||||
MatchCN string `json:"matchCN"`
|
||||
AuthTLSError string
|
||||
}
|
||||
|
||||
|
|
@ -127,5 +130,10 @@ func (a authTLS) Parse(ing *networking.Ingress) (interface{}, error) {
|
|||
config.PassCertToUpstream = false
|
||||
}
|
||||
|
||||
config.MatchCN, err = parser.GetStringAnnotation("auth-tls-match-cn", ing)
|
||||
if err != nil || !commonNameRegex.MatchString(config.MatchCN) {
|
||||
config.MatchCN = ""
|
||||
}
|
||||
|
||||
return config, nil
|
||||
}
|
||||
|
|
|
|||
|
|
@ -128,11 +128,15 @@ func TestAnnotations(t *testing.T) {
|
|||
if u.PassCertToUpstream != false {
|
||||
t.Errorf("expected %v but got %v", false, u.PassCertToUpstream)
|
||||
}
|
||||
if u.MatchCN != "" {
|
||||
t.Errorf("expected empty string, but got %v", u.MatchCN)
|
||||
}
|
||||
|
||||
data[parser.GetAnnotationWithPrefix("auth-tls-verify-client")] = "off"
|
||||
data[parser.GetAnnotationWithPrefix("auth-tls-verify-depth")] = "2"
|
||||
data[parser.GetAnnotationWithPrefix("auth-tls-error-page")] = "ok.com/error"
|
||||
data[parser.GetAnnotationWithPrefix("auth-tls-pass-certificate-to-upstream")] = "true"
|
||||
data[parser.GetAnnotationWithPrefix("auth-tls-match-cn")] = "CN=hello-app"
|
||||
|
||||
ing.SetAnnotations(data)
|
||||
|
||||
|
|
@ -161,6 +165,9 @@ func TestAnnotations(t *testing.T) {
|
|||
if u.PassCertToUpstream != true {
|
||||
t.Errorf("expected %v but got %v", true, u.PassCertToUpstream)
|
||||
}
|
||||
if u.MatchCN != "CN=hello-app" {
|
||||
t.Errorf("expected %v but got %v", "CN=hello-app", u.MatchCN)
|
||||
}
|
||||
}
|
||||
|
||||
func TestInvalidAnnotations(t *testing.T) {
|
||||
|
|
@ -195,6 +202,7 @@ func TestInvalidAnnotations(t *testing.T) {
|
|||
data[parser.GetAnnotationWithPrefix("auth-tls-verify-client")] = "w00t"
|
||||
data[parser.GetAnnotationWithPrefix("auth-tls-verify-depth")] = "abcd"
|
||||
data[parser.GetAnnotationWithPrefix("auth-tls-pass-certificate-to-upstream")] = "nahh"
|
||||
data[parser.GetAnnotationWithPrefix("auth-tls-match-cn")] = "<script>nope</script>"
|
||||
ing.SetAnnotations(data)
|
||||
|
||||
i, err := NewParser(fakeSecret).Parse(ing)
|
||||
|
|
@ -215,6 +223,9 @@ func TestInvalidAnnotations(t *testing.T) {
|
|||
if u.PassCertToUpstream != false {
|
||||
t.Errorf("expected %v but got %v", false, u.PassCertToUpstream)
|
||||
}
|
||||
if u.MatchCN != "" {
|
||||
t.Errorf("expected empty string but got %v", u.MatchCN)
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue