fix: when path=('/', '/*', ''), set the waf policy to listener (#863)
akshaysngupta authored May 19, 2020
1 parent 5195fbc commit 082bf0f
Showing 4 changed files with 116 additions and 17 deletions.
47 changes: 46 additions & 1 deletion functional_tests/functional_test.go
Expand Up @@ -701,6 +701,49 @@ var _ = ginkgo.Describe("Tests `appgw.ConfigBuilder`", func() {
},
}

ingressSlashNothingSlashSomething := &v1beta1.Ingress{
Spec: v1beta1.IngressSpec{
Rules: []v1beta1.IngressRule{
{
// This one has no host
IngressRuleValue: v1beta1.IngressRuleValue{
HTTP: &v1beta1.HTTPIngressRuleValue{
Paths: []v1beta1.HTTPIngressPath{
{
Path: "/",
Backend: v1beta1.IngressBackend{
ServiceName: serviceNameB,
ServicePort: intstr.IntOrString{
Type: intstr.Int,
IntVal: 80,
},
},
},
{
Path: "/A",
Backend: v1beta1.IngressBackend{
ServiceName: serviceNameA,
ServicePort: intstr.IntOrString{
Type: intstr.Int,
IntVal: 80,
},
},
},
},
},
},
},
},
},
ObjectMeta: metav1.ObjectMeta{
Annotations: map[string]string{
annotations.IngressClassKey: annotations.ApplicationGatewayIngressClass,
},
Namespace: tests.Namespace,
Name: tests.Name,
},
}

ginkgo.It("THREE Ingress Resources", func() {
cbCtx := &ConfigBuilderContext{
IngressList: []*v1beta1.Ingress{
Expand Down Expand Up @@ -851,7 +894,7 @@ var _ = ginkgo.Describe("Tests `appgw.ConfigBuilder`", func() {
})

ginkgo.It("WAF Annotation", func() {
annotatedIngress := ingressB
annotatedIngress := ingressSlashNothingSlashSomething
annotatedIngress.Annotations[annotations.FirewallPolicy] = "/some/policy/here"

cbCtx := &ConfigBuilderContext{
Expand All @@ -863,6 +906,8 @@ var _ = ginkgo.Describe("Tests `appgw.ConfigBuilder`", func() {
ExistingPortsByNumber: map[Port]n.ApplicationGatewayFrontendPort{
Port(80): fixtures.GetDefaultPort(),
},
DefaultAddressPoolID: to.StringPtr("xx"),
DefaultHTTPSettingsID: to.StringPtr("yy"),
}
check(cbCtx, "waf_annotation.json", stopChannel, ctxt, configBuilder)
})
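Review bot: `annotatedIngress := ingressSlashNothingSlashSomething` copies only the pointer, so the write to `annotatedIngress.Annotations[annotations.FirewallPolicy]` on the next line mutates the shared fixture declared at Describe scope, and any other `ginkgo.It` that reads that fixture afterwards sees the WAF annotation depending on execution order. The same aliasing existed with `ingressB`, but the commit had the chance to fix it while switching fixtures: `annotatedIngress := ingressSlashNothingSlashSomething.DeepCopy()` isolates the WAF case. The new fixture would also benefit from a one-line comment stating its purpose, e.g. `// ingressSlashNothingSlashSomething mixes a root path ("/") with a non-root path ("/A") so the WAF policy is expected on the listener, not only on a path rule.` The enclosing Describe closure begins and ends outside this hunk.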
69 changes: 61 additions & 8 deletions functional_tests/waf_annotation.json
Expand Up @@ -8,6 +8,23 @@
"backendAddresses": []
}
},
{
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendAddressPools/pool---namespace---hello-world-a-80-bp-80",
"name": "pool---namespace---hello-world-a-80-bp-80",
"properties": {
"backendAddresses": [
{
"ipAddress": "1.1.1.1"
},
{
"ipAddress": "1.1.1.2"
},
{
"ipAddress": "1.1.1.3"
}
]
}
},
{
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendAddressPools/pool---namespace---hello-world-b-80-bp-80",
"name": "pool---namespace---hello-world-b-80-bp-80",
Expand All @@ -27,6 +44,20 @@
}
],
"backendHttpSettingsCollection": [
{
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendHttpSettingsCollection/bp---namespace---hello-world-a-80-80---name--",
"name": "bp---namespace---hello-world-a-80-80---name--",
"properties": {
"cookieBasedAffinity": "Disabled",
"pickHostNameFromBackendAddress": false,
"port": 80,
"probe": {
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/probes/pb---namespace---hello-world-a-80---name--"
},
"protocol": "Http",
"requestTimeout": 30
}
},
{
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendHttpSettingsCollection/bp---namespace---hello-world-b-80-80---name--",
"name": "bp---namespace---hello-world-b-80-80---name--",
Expand Down Expand Up @@ -88,6 +119,9 @@
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/httpListeners/fl-e1903c8aa3446b7b3207aec6d6ecba8a",
"name": "fl-e1903c8aa3446b7b3207aec6d6ecba8a",
"properties": {
"firewallPolicy": {
"id": "/some/policy/here"
},
"frontendIPConfiguration": {
"id": "--front-end-ip-id-1--"
},
Expand Down Expand Up @@ -131,6 +165,21 @@
"unhealthyThreshold": 3
}
},
{
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/probes/pb---namespace---hello-world-a-80---name--",
"name": "pb---namespace---hello-world-a-80---name--",
"properties": {
"host": "localhost",
"interval": 30,
"match": {},
"minServers": 0,
"path": "/A",
"pickHostNameFromBackendHttpSettings": false,
"protocol": "Http",
"timeout": 30,
"unhealthyThreshold": 3
}
},
{
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/probes/pb---namespace---hello-world-b-80---name--",
"name": "pb---namespace---hello-world-b-80---name--",
Expand All @@ -139,7 +188,7 @@
"interval": 30,
"match": {},
"minServers": 0,
"path": "/B/",
"path": "/",
"pickHostNameFromBackendHttpSettings": false,
"protocol": "Http",
"timeout": 30,
Expand Down Expand Up @@ -174,24 +223,28 @@
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/urlPathMaps/url-e1903c8aa3446b7b3207aec6d6ecba8a",
"name": "url-e1903c8aa3446b7b3207aec6d6ecba8a",
"properties": {
"defaultBackendAddressPool": {},
"defaultBackendHttpSettings": {},
"defaultBackendAddressPool": {
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendAddressPools/pool---namespace---hello-world-b-80-bp-80"
},
"defaultBackendHttpSettings": {
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendHttpSettingsCollection/bp---namespace---hello-world-b-80-80---name--"
},
"pathRules": [
{
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/urlPathMaps/url-e1903c8aa3446b7b3207aec6d6ecba8a/pathRules/pr---namespace-----name---0",
"name": "pr---namespace-----name---0",
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/urlPathMaps/url-e1903c8aa3446b7b3207aec6d6ecba8a/pathRules/pr---namespace-----name---1",
"name": "pr---namespace-----name---1",
"properties": {
"backendAddressPool": {
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendAddressPools/pool---namespace---hello-world-b-80-bp-80"
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendAddressPools/pool---namespace---hello-world-a-80-bp-80"
},
"backendHttpSettings": {
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendHttpSettingsCollection/bp---namespace---hello-world-b-80-80---name--"
"id": "/subscriptions/--subscription--/resourceGroups/--resource-group--/providers/Microsoft.Network/applicationGateways/--app-gw-name--/backendHttpSettingsCollection/bp---namespace---hello-world-a-80-80---name--"
},
"firewallPolicy": {
"id": "/some/policy/here"
},
"paths": [
"/B/"
"/A"
]
}
}
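--- a/pkg/appgw/ingress_rules.go
+++ b/pkg/appgw/ingress_rules.go
@@ -51,13 +51,12 @@ func (c *appGwConfigBuilder) getListenersFromIngress(ingress *v1beta1.Ingress, e
 func (c *appGwConfigBuilder) applyToListener(rule *v1beta1.IngressRule) bool {
 	for pathIdx := range rule.HTTP.Paths {
 		path := &rule.HTTP.Paths[pathIdx]
-		// if path is specified, apply waf policy to the pathRule, otherwise apply to a listener, listener is per ingress host
-		if len(path.Path) != 0 && path.Path != "/" && path.Path != "/*" {
-			// apply to path rule instead of listener
-			return false
+		// if there is path that is /, /* , empty string, then apply the waf policy to the listener.
+		if len(path.Path) == 0 || path.Path == "/" || path.Path == "/*" {
+			return true
 		}
 	}
-	return true
+	return false
 }
 
 func (c *appGwConfigBuilder) processIngressRuleWithTLS(rule *v1beta1.IngressRule, ingress *v1beta1.Ingress, env environment.EnvVariables) (map[Port]interface{}, map[listenerIdentifier]listenerAzConfig) {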
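Review bot: `rule.HTTP.Paths` is dereferenced unconditionally at the top of applyToListener; an IngressRule that carries only a host and no HTTP block has a nil `HTTP` pointer and would panic here unless the caller already filters such rules out, which this hunk does not show. A guard before the loop, `if rule.HTTP == nil { return false }`, keeps a host-only rule from crashing the whole config build; which value to return there should be confirmed against how getListenersFromIngress uses the result. The inversion also changes the outcome for an empty Paths slice from true to false, so a WAF policy on such a rule would now be attached to no path rule at all rather than to the listener; worth confirming that is intended, since the policy would then silently not be applied. The method has no doc comment; I would add `// applyToListener reports whether the WAF policy should be attached to the listener, which is the case when any path of the rule is "", "/" or "/*"; otherwise it is attached to the individual path rules.` above the signature.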
Expand Up @@ -70,19 +70,21 @@ metadata:
appgw.ingress.kubernetes.io/ssl-redirect: "true"
appgw.ingress.kubernetes.io/backend-hostname: "test"
appgw.ingress.kubernetes.io/appgw-trusted-root-certificate: "test"
appgw.ingress.kubernetes.io/waf-policy-for-path : "/subscriptions/2ce9a29e-219e-422b-b9f8-5c5e54d5439e/resourceGroups/agic-e2e/providers/Microsoft.Network/applicationGatewayWebApplicationFirewallPolicies/waf-policy"
spec:
tls:
- secretName: testsecret-tls
backend:
serviceName: ssl-redirect-service
servicePort: 443
rules:
- http:
paths:
- path: /index.html
backend:
serviceName: ssl-redirect-service
servicePort: 443
- path: /*
backend:
serviceName: ssl-redirect-service
servicePort: 443
---
apiVersion: v1
kind: Secret
