Skip to content

Commit

Permalink
In case of TLS errors do not allow traffic (#2146)
Browse files Browse the repository at this point in the history
  • Loading branch information
aledbf authored Feb 25, 2018
1 parent 216fe01 commit 3c67976
Show file tree
Hide file tree
Showing 5 changed files with 23 additions and 6 deletions.
8 changes: 8 additions & 0 deletions internal/ingress/annotations/annotations.go
Original file line number Diff line number Diff line change
Expand Up @@ -150,6 +150,14 @@ func (e Extractor) Extract(ing *extensions.Ingress) *Ingress {
continue
}

if name == "CertificateAuth" && data[name] == nil {
data[name] = authtls.Config{
AuthTLSError: err.Error(),
}
// avoid mapping the result from the annotation
val = nil
}

_, alreadyDenied := data[DeniedKeyName]
if !alreadyDenied {
data[DeniedKeyName] = err
Expand Down
6 changes: 3 additions & 3 deletions internal/ingress/annotations/authtls/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ type Config struct {
ValidationDepth int `json:"validationDepth"`
ErrorPage string `json:"errorPage"`
PassCertToUpstream bool `json:"passCertToUpstream"`
AuthTLSError string
}

// Equal tests for equality between two Config types
Expand Down Expand Up @@ -113,9 +114,8 @@ func (a authTLS) Parse(ing *extensions.Ingress) (interface{}, error) {

authCert, err := a.r.GetAuthCertificate(tlsauthsecret)
if err != nil {
return &Config{}, ing_errors.LocationDenied{
Reason: errors.Wrap(err, "error obtaining certificate"),
}
e := errors.Wrap(err, "error obtaining certificate")
return &Config{}, ing_errors.LocationDenied{Reason: e}
}

errorpage, err := parser.GetStringAnnotation("auth-tls-error-page", ing)
Expand Down
6 changes: 4 additions & 2 deletions internal/ingress/controller/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -369,12 +369,14 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
continue
}

if server.AuthTLSError == "" && anns.CertificateAuth.AuthTLSError != "" {
server.AuthTLSError = anns.CertificateAuth.AuthTLSError
}

if server.CertificateAuth.CAFileName == "" {
server.CertificateAuth = anns.CertificateAuth
// It is possible that no CAFileName is found in the secret
if server.CertificateAuth.CAFileName == "" {
glog.V(3).Infof("secret %v does not contain 'ca.crt', mutual authentication not enabled - ingress rule %v/%v.", server.CertificateAuth.Secret, ing.Namespace, ing.Name)

}
} else {
glog.V(3).Infof("server %v already contains a mutual authentication configuration - ingress rule %v/%v", server.Hostname, ing.Namespace, ing.Name)
Expand Down
2 changes: 2 additions & 0 deletions internal/ingress/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,8 @@ type Server struct {
ServerSnippet string `json:"serverSnippet"`
// SSLCiphers returns list of ciphers to be enabled
SSLCiphers string `json:"sslCiphers,omitempty"`
// AuthTLSError contains the reason why the access to a server should be denied
AuthTLSError string `json:"authTLSError,omitempty"`
}

// Location describes an URI inside a server.
Expand Down
7 changes: 6 additions & 1 deletion rootfs/etc/nginx/template/nginx.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -622,6 +622,11 @@ stream {
{{ end }}
{{ end }}

{{ if not (empty $server.AuthTLSError) }}
# {{ $server.AuthTLSError }}
return 403;
{{ else }}

{{ if not (empty $server.CertificateAuth.CAFileName) }}
# PEM sha: {{ $server.CertificateAuth.PemSHA }}
ssl_client_certificate {{ $server.CertificateAuth.CAFileName }};
Expand Down Expand Up @@ -898,7 +903,7 @@ stream {
return 503;
{{ end }}
}

{{ end }}
{{ end }}

{{ if eq $server.Hostname "_" }}
Expand Down

0 comments on commit 3c67976

Please sign in to comment.