From cbe55ecedac88f19564f5181a4432f13a0c521b2 Mon Sep 17 00:00:00 2001
From: Flynn
Date: Wed, 13 Feb 2019 11:02:15 -0500
Subject: [PATCH] Fix #1202. Note that you can't mix and match HTTP auth services and HTTPS auth services. Hmmmm.
---
 ambassador/ambassador/ir/irauth.py | 3 +++
 ambassador/ambassador/ir/ircluster.py | 7 ++++++-
 ambassador/schemas/v1/AuthService.schema | 9 ++++++---
 ambassador/tests/kat/t_extauth.py | 10 +++++++++-
 4 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/ambassador/ambassador/ir/irauth.py b/ambassador/ambassador/ir/irauth.py
index 00ab6519ac..bef1302a03 100644
--- a/ambassador/ambassador/ir/irauth.py
+++ b/ambassador/ambassador/ir/irauth.py
@@ -65,6 +65,9 @@ def add_mappings(self, ir: 'IR', aconf: Config): for service, params in cluster_hosts.items(): weight, grpc, ctx_name, location = params + self.logger.debug("IRAuth: svc %s, weight %s, grpc %s, ctx_name %s, location %s" % + (service, weight, grpc, ctx_name, location)) + cluster = IRCluster( ir=ir, aconf=aconf, location=location, service=service,
diff --git a/ambassador/ambassador/ir/ircluster.py b/ambassador/ambassador/ir/ircluster.py
index 4d6052ef83..994ed453d5 100644
--- a/ambassador/ambassador/ir/ircluster.py
+++ b/ambassador/ambassador/ir/ircluster.py
@@ -104,12 +104,17 @@ def __init__(self, ir: 'IR', aconf: Config,
 # If we have a ctx_name, does it match a real context?
 if ctx_name:
 if ctx_name is True:
+ ir.logger.debug("using null context")
 ctx = IRTLSContext.null_context(ir=ir)
 else:
+ ir.logger.debug("seeking named context %s" % ctx_name)
 ctx = ir.get_tls_context(typecast(str, ctx_name))
 if not ctx:
+ ir.logger.debug("no named context %s" % ctx_name)
 errors.append("Originate-TLS context %s is not defined" % ctx_name)
+ else:
+ ir.logger.debug("found context %s" % ctx)
 # TODO: lots of duplication of here, need to replace with broken down functions
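Review bot: The `self.logger.debug(...)` call added in `add_mappings` (irauth.py) builds its message with `%` before the logger has decided whether debug output is enabled, so the formatting is paid for on every pass through the `cluster_hosts` loop even when debug logging is off. Passing the values as arguments defers that work: `self.logger.debug("IRAuth: svc %s, weight %s, grpc %s, ctx_name %s, location %s", service, weight, grpc, ctx_name, location)`. The `ir.logger.debug` calls added in ircluster.py are written the same way. The loop body continues past the end of the hunk.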
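Review bot: `ir.logger.debug("found context %s" % ctx)` in `__init__` (ircluster.py, first hunk) formats the whole TLS context object rather than its name, and the `@@ -155,7 +160,7 @@` hunk of the same file adds `ctx` to the cluster log line in the same way. What that string form contains is not visible here; if it carries secret names or certificate and key paths, they end up in debug logs that may be retained or forwarded more widely than the configuration itself. Logging the name that was looked up is enough to trace the decision: `ir.logger.debug("found context %s" % ctx_name)`. `__init__` starts and ends outside both hunks.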
@@ -155,7 +160,7 @@ def __init__(self, ir: 'IR', aconf: Config,
 # Parse the service as a URL. Note that we have to supply a scheme to urllib's
 # parser, because it's kind of stupid.
- ir.logger.debug("cluster %s service %s" % (name, service))
+ ir.logger.debug("cluster %s service %s otls %s ctx %s" % (name, service, originate_tls, ctx))
 p = urllib.parse.urlparse('random://' + service)
 # Is there any junk after the host?
diff --git a/ambassador/schemas/v1/AuthService.schema b/ambassador/schemas/v1/AuthService.schema
index 7116fe055b..7679d3d23f 100644
--- a/ambassador/schemas/v1/AuthService.schema
+++ b/ambassador/schemas/v1/AuthService.schema
@@ -12,16 +12,19 @@
 { "type": "array", "items": { "type": "string" } }
 ]
 },
- "proto": {
+
+ "auth_service": { "type": "string" },
+ "path_prefix": { "type": "string" },
+ "tls": { "type": [ "string", "boolean" ] },
+
+ "proto": {
 "oneOf" : [
 { "enum": [ "http" ] },
 { "enum": [ "grpc" ] }
 ]
 },
 "allow_request_body": { "type": "boolean" },
- "auth_service": { "type": "string" },
 "timeout_ms": { "type": "integer" },
- "path_prefix": { "type": "string" },
 "allowed_request_headers": {
 "type": "array",
 "items": { "type": "string" }
diff --git a/ambassador/tests/kat/t_extauth.py b/ambassador/tests/kat/t_extauth.py
index 2a5047ef01..51277c9f15 100644
--- a/ambassador/tests/kat/t_extauth.py
+++ b/ambassador/tests/kat/t_extauth.py
@@ -105,6 +105,13 @@ def config(self):
 buffer:
 max_request_bytes: 16384
 max_request_time: 5000
+
+---
+apiVersion: ambassador/v1
+kind: TLSContext
+name: {self.name}-same-context-1
+secret: same-secret-1.secret-namespace
+
 ---
 apiVersion: ambassador/v1
 kind: AuthService
@@ -112,6 +119,7 @@ def config(self):
 auth_service: "{self.auth.path.k8s}"
 path_prefix: "/extauth"
 timeout_ms: 5000
+tls: {self.name}-same-context-1
 allowed_request_headers:
 - X-Foo
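Review bot: The new `tls` property in AuthService.schema accepts any string, including the empty one, while the `if ctx_name:` test in ircluster.py skips the context lookup entirely for a falsy value. Assuming the AuthService `tls` value is what reaches `ctx_name` (that wiring is not part of this patch), `tls: ""` would validate and leave the auth service on plaintext without any error, whereas a misspelled context name is reported. Rejecting the empty string in the schema closes that gap: `"tls": { "type": [ "string", "boolean" ], "minLength": 1 },`.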
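Review bot: The `TLSContext` added in the `@@ -105,6 +105,13 @@` hunk of t_extauth.py and the `tls: {self.name}-same-context-1` line in the `@@ -112,6 +119,7 @@` hunk only change the test's configuration; neither hunk shows a check that the auth cluster ends up originating TLS with that context, so the test may pass merely because the config is accepted. If the rest of the test, which lies outside these hunks, does not already assert it, a check for the #1202 case would pin the fix. A YAML comment above the new line, such as `# regression for #1202: AuthService with a named TLSContext`, would also tell the next reader why this `auth_service` carries `tls:`.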
@@ -265,7 +273,7 @@ def config(self):
 prefix: /target/
 service: {self.target.path.k8s}
 ---
-apiVersion: ambassador/v0
+apiVersion: ambassador/v1
 kind: Mapping
 name: {self.target.path.k8s}-unauthed
 prefix: /target/unauthed/