From 1e31767b511502190f217e3f1aec6ce74e245d63 Mon Sep 17 00:00:00 2001
From: Fabian Topfstedt
Date: Tue, 4 Dec 2018 10:51:52 +0100
Subject: [PATCH 1/3] [1759] Ingress affinity session cookie with Secure flag for HTTPS
Signed-off-by: Fabian Topfstedt
---
 rootfs/etc/nginx/lua/balancer/sticky.lua | 1 +
 rootfs/etc/nginx/lua/test/balancer/sticky_test.lua | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/rootfs/etc/nginx/lua/balancer/sticky.lua b/rootfs/etc/nginx/lua/balancer/sticky.lua
index b12252b676..1b82e5efd8 100644
--- a/rootfs/etc/nginx/lua/balancer/sticky.lua
+++ b/rootfs/etc/nginx/lua/balancer/sticky.lua
@@ -54,6 +54,7 @@ local function set_cookie(self, value)
 path = cookie_path,
 domain = ngx.var.host,
 httponly = true,
+ secure = ngx.var.https == "on",
 }
 if self.cookie_expires and self.cookie_expires ~= "" then
diff --git a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
index 469d823468..ed2040b20e 100644
--- a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
@@ -40,7 +40,7 @@ end
 describe("Sticky", function()
 before_each(function()
- mock_ngx({ var = { location_path = "/", host = "test.com" } })
+ mock_ngx({ var = { location_path = "/", host = "test.com", https = "on" } })
 end)
 after_each(function()
@@ -102,7 +102,6 @@ describe("Sticky", function()
 cookie.new = mocked_cookie_new
 end)
-
 context("when client doesn't have a cookie set and location is in cookie_locations", function()
 it("picks an endpoint for the client", function()
 local sticky_balancer_instance = sticky:new(test_backend)
@@ -122,6 +121,7 @@ describe("Sticky", function()
 assert.equal(payload.path, ngx.var.location_path)
 assert.equal(payload.domain, ngx.var.host)
 assert.equal(payload.httponly, true)
+ assert.equal(payload.secure, true)
 return true, nil
 end,
 get = function(k) return false end,
From 6c46adf2b7fd7b7f0824de077456bdc4ae188a67 Mon Sep 17 00:00:00 2001
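Review bot: `secure = ngx.var.https == "on"` in the sticky.lua hunk only reflects whether this nginx terminated TLS for the request, so when TLS ends at a load balancer or proxy in front of the controller and the request reaches nginx over plain HTTP, the affinity cookie is still issued without Secure even though the browser is on HTTPS. The cookie table should carry a comment saying so, for example `-- $https is "on" only when nginx itself terminates TLS; behind a TLS-terminating proxy this stays false`, and it is worth deciding whether a forwarded scheme from a trusted proxy should also count. The same cookie name is now issued with and without Secure depending on the scheme, so a host served over both HTTP and HTTPS will presumably see the Secure cookie withheld on HTTP requests and a second, non-Secure one issued; that interaction deserves a test. set_cookie starts before and continues after this hunk, so how the table is passed on is not visible here.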
From: Fabian Topfstedt
Date: Thu, 6 Dec 2018 09:01:08 +0100
Subject: [PATCH 2/3] reverted changing $https globally in the unit tests
Signed-off-by: Fabian Topfstedt
---
 rootfs/etc/nginx/lua/test/balancer/sticky_test.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
index ed2040b20e..478e431b8a 100644
--- a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
@@ -40,7 +40,7 @@ end
 describe("Sticky", function()
 before_each(function()
- mock_ngx({ var = { location_path = "/", host = "test.com", https = "on" } })
+ mock_ngx({ var = { location_path = "/", host = "test.com" } })
 end)
 after_each(function()
@@ -121,7 +121,7 @@ describe("Sticky", function()
 assert.equal(payload.path, ngx.var.location_path)
 assert.equal(payload.domain, ngx.var.host)
 assert.equal(payload.httponly, true)
- assert.equal(payload.secure, true)
+ assert.equal(payload.secure, false)
 return true, nil
 end,
 get = function(k) return false end,
From f03c8a85443b6429d18d717bb232278f19a397e3 Mon Sep 17 00:00:00 2001
From: Fabian Topfstedt
Date: Thu, 6 Dec 2018 09:08:25 +0100
Subject: [PATCH 3/3] testing that a secure cookie gets set when being in ssl mode
Signed-off-by: Fabian Topfstedt
---
 .../nginx/lua/test/balancer/sticky_test.lua | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
index 478e431b8a..d1dc969396 100644
--- a/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer/sticky_test.lua
@@ -136,6 +136,35 @@ describe("Sticky", function()
 assert.has_no.errors(function() sticky_balancer_instance:balance() end)
 assert.spy(s).was_called()
 end)
+
+ it("sets a secure cookie on the client when being in ssl mode", function()
+ ngx.var.https = "on"
+ local s = {}
+ cookie.new = function(self)
+ local test_backend_hash_fn = test_backend.sessionAffinityConfig.cookieSessionAffinity.hash
+ local cookie_instance = {
+ set = function(self, payload)
+ assert.equal(payload.key, test_backend.sessionAffinityConfig.cookieSessionAffinity.name)
+ local expected_len = #util[test_backend_hash_fn .. "_digest"]("anything")
+ assert.equal(#payload.value, expected_len)
+ assert.equal(payload.path, ngx.var.location_path)
+ assert.equal(payload.domain, ngx.var.host)
+ assert.equal(payload.httponly, true)
+ assert.equal(payload.secure, true)
+ return true, nil
+ end,
+ get = function(k) return false end,
+ }
+ s = spy.on(cookie_instance, "set")
+ return cookie_instance, false
+ end
+ local b = get_test_backend()
+ b.sessionAffinityConfig.cookieSessionAffinity.locations = {}
+ b.sessionAffinityConfig.cookieSessionAffinity.locations["test.com"] = {"/"}
+ local sticky_balancer_instance = sticky:new(b)
+ assert.has_no.errors(function() sticky_balancer_instance:balance() end)
+ assert.spy(s).was_called()
+ end)
 end)
 context("when client doesn't have a cookie set and location not in cookie_locations", function()
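Review bot: The new `it("sets a secure cookie ...")` case repeats the whole mocked `cookie.new` body of the preceding test, differing only in the expected `payload.secure` value, so the two copies of the cookie-attribute assertions can drift apart when another attribute is added. A small factory that takes the expected Secure value would keep the plain-HTTP and TLS expectations side by side and leave one place to extend. Separately, `local s = {}` means that if `cookie.new` is never reached, `assert.spy(s)` runs against a plain table instead of failing with a clear message; leaving `s` unset until the spy is created avoids that. The enclosing `context` and `describe` blocks start outside this hunk, so where the helper is best declared cannot be seen from here.
```lua
-- shared by the plain-HTTP and the TLS case; only the expected Secure value differs
local function cookie_new_expecting(expected_secure, on_instance)
  return function(self)
    local cookie_instance = {
      set = function(self, payload)
        -- … unchanged: key, value length, path, domain and httponly assertions …
        assert.equal(payload.secure, expected_secure)
        return true, nil
      end,
      get = function(k) return false end,
    }
    on_instance(cookie_instance)
    return cookie_instance, false
  end
end

it("sets a secure cookie on the client when being in ssl mode", function()
  ngx.var.https = "on"
  local s
  cookie.new = cookie_new_expecting(true, function(inst) s = spy.on(inst, "set") end)
  -- … unchanged: backend setup, balance() call and spy assertion …
end)
```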