allows to configure auth-url globally
Adds the option to configure auth-url globally. Global configurations
are not bound to a namespace, so the only configuration change is that
a service URL must include the namespace of the service when it is
configured globally.
jcmoraisjr committed May 5, 2024
1 parent 51b2f31 commit 8f855cc
Showing 2 changed files with 52 additions and 14 deletions.
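--- a/pkg/converters/ingress/annotations/backend.go
+++ b/pkg/converters/ingress/annotations/backend.go
@@ -118,7 +118,7 @@ func (c *updater) buildBackendAuthExternal(d *backData) {
 for _, path := range d.backend.Paths {
 config := d.mapper.GetConfig(path.Link)
 url := config.Get(ingtypes.BackAuthURL)
-if url.Source == nil || url.Value == "" {
+if url.Value == "" {
 continue
 }
 
@@ -128,13 +128,13 @@ func (c *updater) buildBackendAuthExternal(d *backData) {
 
 external := c.haproxy.Global().External
 if external.IsExternal && !external.HasLua {
-c.logger.Warn("external authentication on %v needs Lua json module, install lua-json4 and enable 'external-has-lua' global config", url.Source)
+c.logger.Warn("external authentication on %s needs Lua json module, install lua-json4 and enable 'external-has-lua' global config", url.Source.String())
 continue
 }
 
 urlProto, urlHost, urlPort, urlPath, err := ingutils.ParseURL(url.Value)
 if err != nil {
-c.logger.Warn("ignoring URL on %v: %v", url.Source, err)
+c.logger.Warn("ignoring URL on %s: %v", url.Source.String(), err)
 continue
 }
 
@@ -149,7 +149,7 @@ func (c *updater) buildBackendAuthExternal(d *backData) {
 } else {
 var err error
 if ipList, err = lookupHost(urlHost); err != nil {
-c.logger.Warn("ignoring auth URL with an invalid domain on %v: %v", url.Source, err)
+c.logger.Warn("ignoring auth URL with an invalid domain on %s: %v", url.Source.String(), err)
 continue
 }
 hostname = urlHost
@@ -170,27 +170,33 @@ func (c *updater) buildBackendAuthExternal(d *backData) {
 }
 case "service", "svc":
 if urlPort == "" {
-c.logger.Warn("skipping auth-url on %v: missing service port: %s", url.Source, url.Value)
+c.logger.Warn("skipping auth-url on %s: missing service port: %s", url.Source.String(), url.Value)
 continue
 }
 ssvc := strings.Split(urlHost, "/")
-namespace := url.Source.Namespace
+var namespace string
 name := ssvc[0]
 if len(ssvc) == 2 {
 namespace = ssvc[0]
 name = ssvc[1]
+} else if url.Source != nil {
+namespace = url.Source.Namespace
 }
+if namespace == "" {
+c.logger.Warn("skipping auth-url on %s: a globally configured auth-url is missing the namespace", url.Source.String())
+continue
+}
 backend = c.haproxy.Backends().FindBackend(namespace, name, urlPort)
 if backend == nil {
 // warn was already logged in the ingress if a service couldn't be found,
 // but we still need to add a warning here because, in the current code base,
 // a valid named service can lead to a broken configuration. See ingress'
 // counterpart code.
-c.logger.Warn("skipping auth-url on %v: service '%s:%s' was not found", url.Source, name, urlPort)
+c.logger.Warn("skipping auth-url on %s: service '%s:%s' was not found", url.Source.String(), name, urlPort)
 continue
 }
 default:
-c.logger.Warn("ignoring auth URL with an invalid protocol on %v: %s", url.Source, urlProto)
+c.logger.Warn("ignoring auth URL with an invalid protocol on %s: %s", url.Source.String(), urlProto)
 continue
 }
 // TODO track
@@ -202,22 +208,22 @@ func (c *updater) buildBackendAuthExternal(d *backData) {
 authBackendName, err = c.haproxy.Frontend().AcquireAuthBackendName(backend.BackendID())
 if err != nil {
 // TODO remove backend if not used elsewhere
-c.logger.Warn("ignoring auth URL on %v: %v", url.Source, err)
+c.logger.Warn("ignoring auth URL on %s: %v", url.Source.String(), err)
 continue
 }
 }
 
 m := config.Get(ingtypes.BackAuthMethod)
 method := m.Value
 if !validMethodRegex.MatchString(method) {
-c.logger.Warn("invalid request method '%s' on %s, using GET instead", method, m.Source)
+c.logger.Warn("invalid request method '%s' on %s, using GET instead", method, m.Source.String())
 method = "GET"
 }
 
 s := config.Get(ingtypes.BackAuthSignin)
 signin := s.Value
 if signin != "" && !validURLRegex.MatchString(signin) {
-c.logger.Warn("ignoring invalid sign-in URL in %v: %s", s.Source, signin)
+c.logger.Warn("ignoring invalid sign-in URL on %s: %s", s.Source.String(), signin)
 signin = ""
 }
 
@@ -239,7 +245,7 @@ func (c *updater) buildBackendAuthExternal(d *backData) {
 
 if signin != "" {
 if !reflect.DeepEqual(hdrFail, []string{"*"}) {
-c.logger.Warn("ignoring '%s' on %v due to signin (redirect) configuration", ingtypes.BackAuthHeadersFail, s.Source)
+c.logger.Warn("ignoring '%s' on %s due to signin (redirect) configuration", ingtypes.BackAuthHeadersFail, s.Source.String())
 }
 // `-` instructs auth-request to not terminate the transaction,
 // so HAProxy has the chance to configure the redirect.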
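Review bot: The new `if namespace == "" {` guard in the `svc` branch fires for any empty namespace, not only a global configuration — an ingress-sourced URL whose `Source.Namespace` is empty, or (if ParseURL passes the host through) a `svc:///name:80` URL whose first segment is empty, reaches the same `continue`, yet the message on that line blames a globally configured auth-url. A neutral wording that also tells the operator the fix would be `c.logger.Warn("skipping auth-url on %s: cannot determine the service namespace, use svc://<namespace>/<name>:<port>", url.Source.String())`. Separately, every `url.Source.String()` call in this file is now reachable with a nil Source because the first hunk dropped the `url.Source == nil` guard, so correctness rests on `(*Source).String` tolerating a nil receiver; the `<global>` expectation in case 29 of backend_test.go suggests it does, but a one-line comment at the first call site, e.g. `// url.Source is nil for global config; (*Source).String handles the nil receiver`, would save the next reader from checking. buildBackendAuthExternal begins and ends outside these hunks.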
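--- a/pkg/converters/ingress/annotations/backend_test.go
+++ b/pkg/converters/ingress/annotations/backend_test.go
@@ -196,6 +196,7 @@ func TestAffinity(t *testing.T) {
 
 func TestAuthExternal(t *testing.T) {
 testCase := []struct {
+global bool
 url string
 signin string
 method string
@@ -290,7 +291,7 @@ func TestAuthExternal(t *testing.T) {
 AuthPath: "/app",
 },
 expIP: []string{"10.0.0.200:8080"},
-logging: `WARN ignoring invalid sign-in URL in ingress 'default/ing1': http://invalid'`,
+logging: `WARN ignoring invalid sign-in URL on ingress 'default/ing1': http://invalid'`,
 },
 // 10
 {
@@ -478,8 +479,35 @@ func TestAuthExternal(t *testing.T) {
 },
 expIP: []string{"10.0.0.2:80"},
 },
+// 28
+{
+global: true,
+url: "http://app1.local",
+expBack: hatypes.AuthExternal{
+AuthBackendName: "_auth_4001",
+AuthPath: "/",
+},
+expIP: []string{"10.0.0.2:80"},
+},
+// 29
+{
+global: true,
+url: "svc://authservice:80/auth",
+expBack: hatypes.AuthExternal{AlwaysDeny: true},
+logging: `WARN skipping auth-url on <global>: a globally configured auth-url is missing the namespace`,
+},
+// 30
+{
+global: true,
+url: "svc://default/authservice:80/auth",
+expBack: hatypes.AuthExternal{
+AuthBackendName: "_auth_4001",
+AuthPath: "/auth",
+},
+expIP: []string{"10.0.0.11:8080"},
+},
 }
-source := &Source{
+defaultSource := &Source{
 Namespace: "default",
 Name: "ing1",
 Type: "ingress",
@@ -529,6 +557,10 @@ func TestAuthExternal(t *testing.T) {
 ingtypes.BackAuthHeadersFail: "*",
 ingtypes.BackAuthMethod: "GET",
 }
+var source *Source
+if !test.global {
+source = defaultSource
+}
 d := c.createBackendMappingData("default/app", source, defaults, ann, []string{"/"})
 u.buildBackendAuthExternal(d)
 back := d.backend.Paths[0].AuthExternal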
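Review bot: Cases 28–30 cover the global path for `http://` and for `svc://` with and without a namespace segment, but none in these hunks pins the non-global `svc://` behaviour that the new `else if url.Source != nil` branch in backend.go now carries, namely that an ingress-sourced URL without a namespace segment still resolves through the source namespace; unless an earlier case outside these hunks already does, a case with `global: false` and `url: "svc://authservice:80/auth"` expecting the `default/authservice` backend would guard that branch. A short comment above case 29, e.g. `// global config has no source namespace, so a bare service name must be rejected`, would also explain why `AlwaysDeny: true` is the expected outcome there. TestAuthExternal begins and ends outside these hunks.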
