Add NoAuthLocations and default it to "/.well-known/acme-challenge" (#…

…2243) * Add NoAuthLocations and default it to "/.well-known/acme-challenge" * Add e2e tests for no-auth-location * Improve wording of no-auth-location tests
kubernetes · Apr 2, 2018 · e7aa74b · e7aa74b
1 parent 9b4d7f2
commit e7aa74b
Show file tree

Hide file tree

Showing 6 changed files with 192 additions and 6 deletions.
diff --git a/docs/user-guide/configmap.md b/docs/user-guide/configmap.md
@@ -137,6 +137,7 @@ The following table shows a configuration option's name, type, and the default v
 |[proxy-buffering](#proxy-buffering)|string|"off"|
 |[limit-req-status-code](#limit-req-status-code)|int|503|
 |[no-tls-redirect-locations](#no-tls-redirect-locations)|string|"/.well-known/acme-challenge"|
+|[no-auth-locations](#no-auth-locations)|string|"/.well-known/acme-challenge"|
 
 ## add-headers
 
@@ -745,3 +746,8 @@ Sets the [status code to return in response to rejected requests](http://nginx.o
 
 A comma-separated list of locations on which http requests will never get redirected to their https counterpart.
 Default: "/.well-known/acme-challenge"
+
+## no-auth-locations
+
+A comma-separated list of locations that should not get authenticated.
+Default: "/.well-known/acme-challenge"
diff --git a/hack/verify-bindata.sh b/hack/verify-bindata.sh
diff --git a/internal/file/bindata.go b/internal/file/bindata.go
diff --git a/internal/ingress/controller/config/config.go b/internal/ingress/controller/config/config.go
@@ -499,6 +499,10 @@ type Configuration struct {
 	// NoTLSRedirectLocations is a comma-separated list of locations
 	// that should not get redirected to TLS
 	NoTLSRedirectLocations string `json:"no-tls-redirect-locations"`
+
+	// NoAuthLocations is a comma-separated list of locations that
+	// should not get authenticated
+	NoAuthLocations string `json:"no-auth-locations"`
 }
 
 // NewDefault returns the default nginx configuration
@@ -606,6 +610,7 @@ func NewDefault() Configuration {
 		LimitReqStatusCode:           503,
 		SyslogPort:                   514,
 		NoTLSRedirectLocations:       "/.well-known/acme-challenge",
+		NoAuthLocations:              "/.well-known/acme-challenge",
 	}
 
 	if glog.V(5) {

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -845,6 +845,7 @@ stream {
             }
             {{ end }}
 
+            {{ if not (isLocationInLocationList $location $all.Cfg.NoAuthLocations) }}
             {{ if $authPath }}
             # this location requires authentication
             auth_request        {{ $authPath }};
@@ -859,11 +860,6 @@ stream {
             error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
             {{ end }}
 
-            {{/* if the location contains a rate limit annotation, create one */}}
-            {{ $limits := buildRateLimit $location }}
-            {{ range $limit := $limits }}
-            {{ $limit }}{{ end }}
-
             {{ if $location.BasicDigestAuth.Secured }}
             {{ if eq $location.BasicDigestAuth.Type "basic" }}
             auth_basic "{{ $location.BasicDigestAuth.Realm }}";
@@ -874,6 +870,12 @@ stream {
             {{ end }}
             proxy_set_header Authorization "";
             {{ end }}
+            {{ end }}
+
+            {{/* if the location contains a rate limit annotation, create one */}}
+            {{ $limits := buildRateLimit $location }}
+            {{ range $limit := $limits }}
+            {{ $limit }}{{ end }}
 
             {{ if $location.CorsConfig.CorsEnabled }}
             {{ template "CORS" $location }}

diff --git a/test/e2e/settings/no_auth_locations.go b/test/e2e/settings/no_auth_locations.go
@@ -0,0 +1,173 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package setting
+
+import (
+	"fmt"
+	"net/http"
+	"os/exec"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/parnurzeal/gorequest"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/api/extensions/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("No Auth locations", func() {
+	f := framework.NewDefaultFramework("no-auth-locations")
+
+	setting := "no-auth-locations"
+	username := "foo"
+	password := "bar"
+	secretName := "test-secret"
+	host := "no-auth-locations"
+	noAuthPath := "/noauth"
+
+	BeforeEach(func() {
+		err := f.NewEchoDeployment()
+		Expect(err).NotTo(HaveOccurred())
+
+		s, err := f.EnsureSecret(buildSecret(username, password, secretName, f.Namespace.Name))
+		Expect(err).NotTo(HaveOccurred())
+		Expect(s).NotTo(BeNil())
+		Expect(s.ObjectMeta).NotTo(BeNil())
+
+		updateConfigmap(setting, noAuthPath, f.KubeClientSet)
+
+		bi := buildBasicAuthIngressWithSecondPath(host, f.Namespace.Name, s.Name, noAuthPath)
+		ing, err := f.EnsureIngress(bi)
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+	})
+
+	AfterEach(func() {
+		updateConfigmap(setting, "/.well-known/acme-challenge", f.KubeClientSet)
+	})
+
+	It("should return status code 401 when accessing '/' unauthentication", func() {
+		err := f.WaitForNginxServer(host,
+			func(server string) bool {
+				return Expect(server).Should(ContainSubstring("test auth"))
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, body, errs := gorequest.New().
+			Get(f.NginxHTTPURL).
+			Set("Host", host).
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusUnauthorized))
+		Expect(body).Should(ContainSubstring("401 Authorization Required"))
+	})
+
+	It("should return status code 200 when accessing '/'  authentication", func() {
+		err := f.WaitForNginxServer(host,
+			func(server string) bool {
+				return Expect(server).Should(ContainSubstring("test auth"))
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, _, errs := gorequest.New().
+			Get(f.NginxHTTPURL).
+			Set("Host", host).
+			SetBasicAuth(username, password).
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+	})
+
+	It("should return status code 200 when accessing '/noauth' unauthenticated", func() {
+		err := f.WaitForNginxServer(host,
+			func(server string) bool {
+				return Expect(server).Should(ContainSubstring("test auth"))
+			})
+		Expect(err).NotTo(HaveOccurred())
+
+		resp, _, errs := gorequest.New().
+			Get(fmt.Sprintf("%s/noauth", f.NginxHTTPURL)).
+			Set("Host", host).
+			End()
+
+		Expect(len(errs)).Should(BeNumerically("==", 0))
+		Expect(resp.StatusCode).Should(Equal(http.StatusOK))
+	})
+})
+
+func buildBasicAuthIngressWithSecondPath(host, namespace, secretName, pathName string) *v1beta1.Ingress {
+	return &v1beta1.Ingress{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      host,
+			Namespace: namespace,
+			Annotations: map[string]string{"nginx.ingress.kubernetes.io/auth-type": "basic",
+				"nginx.ingress.kubernetes.io/auth-secret": secretName,
+				"nginx.ingress.kubernetes.io/auth-realm":  "test auth",
+			},
+		},
+		Spec: v1beta1.IngressSpec{
+			Rules: []v1beta1.IngressRule{
+				{
+					Host: host,
+					IngressRuleValue: v1beta1.IngressRuleValue{
+						HTTP: &v1beta1.HTTPIngressRuleValue{
+							Paths: []v1beta1.HTTPIngressPath{
+								{
+									Path: "/",
+									Backend: v1beta1.IngressBackend{
+										ServiceName: "http-svc",
+										ServicePort: intstr.FromInt(80),
+									},
+								},
+								{
+									Path: pathName,
+									Backend: v1beta1.IngressBackend{
+										ServiceName: "http-svc",
+										ServicePort: intstr.FromInt(80),
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func buildSecret(username, password, name, namespace string) *corev1.Secret {
+	out, err := exec.Command("openssl", "passwd", "-crypt", password).CombinedOutput()
+	encpass := fmt.Sprintf("%v:%s\n", username, out)
+	Expect(err).NotTo(HaveOccurred())
+
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:                       name,
+			Namespace:                  namespace,
+			DeletionGracePeriodSeconds: framework.NewInt64(1),
+		},
+		Data: map[string][]byte{
+			"auth": []byte(encpass),
+		},
+		Type: corev1.SecretTypeOpaque,
+	}
+}