Refactor whitelist from map to standard allow directives

kubernetes · May 27, 2019 · c459752 · c459752
1 parent 24cb0e5
commit c459752
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 51 deletions.
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -419,27 +419,6 @@ http {
         {{ end }}
     }
 
-    {{/* build the maps that will be use to validate the Whitelist */}}
-    {{ range $server := $servers }}
-    {{ $enforceRegex := enforceRegexModifier $server.Locations }}
-    {{ range $location := $server.Locations }}
-    {{ $path := buildLocation $location $enforceRegex }}
-
-    {{ if isLocationAllowed $location }}
-    {{ if gt (len $location.Whitelist.CIDR) 0 }}
-
-    # Deny for {{ print $server.Hostname  $path }}
-    geo $the_real_ip {{ buildDenyVariable (print $server.Hostname "_"  $path) }} {
-        default 1;
-
-        {{ range $ip := $location.Whitelist.CIDR }}
-        {{ $ip }} 0;{{ end }}
-    }
-    {{ end }}
-    {{ end }}
-    {{ end }}
-    {{ end }}
-
     {{ range $rl := (filterRateLimits $servers ) }}
     # Ratelimit {{ $rl.Name }}
     geo $the_real_ip $whitelist_{{ $rl.ID }} {
@@ -1134,9 +1113,9 @@ stream {
 
             {{ if isLocationAllowed $location }}
             {{ if gt (len $location.Whitelist.CIDR) 0 }}
-            if ({{ buildDenyVariable (print $server.Hostname "_"  $path) }}) {
-                return 403;
-            }
+            {{ range $ip := $location.Whitelist.CIDR }}
+            allow {{ $ip }};{{ end }}
+            deny all;
             {{ end }}
 
             {{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}

diff --git a/test/e2e/annotations/ipwhitelist.go b/test/e2e/annotations/ipwhitelist.go
@@ -17,7 +17,6 @@ limitations under the License.
 package annotations
 
 import (
-	"regexp"
 	"strings"
 
 	. "github.com/onsi/ginkgo"
@@ -46,34 +45,11 @@ var _ = framework.IngressNginxDescribe("Annotations - IPWhiteList", func() {
 		ing := framework.NewSingleIngress(host, "/", host, nameSpace, "http-svc", 80, &annotations)
 		f.EnsureIngress(ing)
 
-		denyRegex := regexp.MustCompile("geo \\$the_real_ip \\$deny_[A-Za-z]{32}")
-		denyString := ""
-
-		f.WaitForNginxConfiguration(
-			func(conf string) bool {
-
-				match := denyRegex.FindStringSubmatch(conf)
-				// If no match found, return false
-				if !(len(match) > 0) {
-					return false
-				}
-
-				denyString = strings.Replace(match[0], "geo $the_real_ip ", "", -1)
-				return strings.Contains(conf, match[0])
-			})
-
-		ipOne := "18.0.0.0/8 0;"
-		ipTwo := "56.0.0.0/8 0;"
-
-		f.WaitForNginxConfiguration(
-			func(conf string) bool {
-				return strings.Contains(conf, ipOne) && strings.Contains(conf, ipTwo)
-			})
-
-		denyStatement := "if (" + denyString + ")"
 		f.WaitForNginxServer(host,
 			func(server string) bool {
-				return strings.Contains(server, denyStatement)
+				return strings.Contains(server, "allow 18.0.0.0/8;") &&
+					strings.Contains(server, "allow 56.0.0.0/8;") &&
+					strings.Contains(server, "deny all;")
 			})
 	})
 })