add policy

nginx · May 12, 2022 · e4d4519 · e4d4519
1 parent 700836c
commit e4d4519
Show file tree

Hide file tree

Showing 10 changed files with 108 additions and 57 deletions.
diff --git a/deployments/common/crds/k8s.nginx.org_policies.yaml b/deployments/common/crds/k8s.nginx.org_policies.yaml
@@ -116,6 +116,8 @@ spec:
                       type: string
                     tokenEndpoint:
                       type: string
+                    zoneSyncLeeway:
+                      type: integer
                 rateLimit:
                   description: RateLimit defines a rate limit policy.
                   type: object

diff --git a/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml b/deployments/helm-chart/crds/k8s.nginx.org_policies.yaml
@@ -116,6 +116,8 @@ spec:
                       type: string
                     tokenEndpoint:
                       type: string
+                    zoneSyncLeeway:
+                      type: integer
                 rateLimit:
                   description: RateLimit defines a rate limit policy.
                   type: object

diff --git a/internal/configs/version2/http.go b/internal/configs/version2/http.go
@@ -109,13 +109,14 @@ type EgressMTLS struct {
 
 // OIDC holds OIDC configuration data.
 type OIDC struct {
-	AuthEndpoint  string
-	ClientID      string
-	ClientSecret  string
-	JwksURI       string
-	Scope         string
-	TokenEndpoint string
-	RedirectURI   string
+	AuthEndpoint   string
+	ClientID       string
+	ClientSecret   string
+	JwksURI        string
+	Scope          string
+	TokenEndpoint  string
+	RedirectURI    string
+	ZoneSyncLeeway int
 }
 
 // WAF defines WAF configuration.

diff --git a/internal/configs/version2/nginx-plus.virtualserver.tmpl b/internal/configs/version2/nginx-plus.virtualserver.tmpl
@@ -71,9 +71,9 @@ server {
     include oidc/oidc.conf;
 
     set $oidc_pkce_enable 0;
-    set $zone_sync_leeway 0;
     set $oidc_logout_redirect "/_logout";
     set $oidc_hmac_key "{{ $s.VSName }}";
+    set $zone_sync_leeway {{ $oidc.ZoneSyncLeeway }};
 
     set $oidc_authz_endpoint "{{ $oidc.AuthEndpoint }}";
     set $oidc_token_endpoint "{{ $oidc.TokenEndpoint }}";

diff --git a/internal/configs/virtualserver.go b/internal/configs/virtualserver.go
@@ -991,13 +991,14 @@ func (p *policiesCfg) addOIDCConfig(
 		}
 
 		oidcPolCfg.oidc = &version2.OIDC{
-			AuthEndpoint:  oidc.AuthEndpoint,
-			TokenEndpoint: oidc.TokenEndpoint,
-			JwksURI:       oidc.JWKSURI,
-			ClientID:      oidc.ClientID,
-			ClientSecret:  string(clientSecret),
-			Scope:         scope,
-			RedirectURI:   redirectURI,
+			AuthEndpoint:   oidc.AuthEndpoint,
+			TokenEndpoint:  oidc.TokenEndpoint,
+			JwksURI:        oidc.JWKSURI,
+			ClientID:       oidc.ClientID,
+			ClientSecret:   string(clientSecret),
+			Scope:          scope,
+			RedirectURI:    redirectURI,
+			ZoneSyncLeeway: generateIntFromPointer(oidc.ZoneSyncLeeway, 0),
 		}
 		oidcPolCfg.key = polKey
 	}

diff --git a/internal/configs/virtualserver_test.go b/internal/configs/virtualserver_test.go
@@ -2894,13 +2894,14 @@ func TestGeneratePolicies(t *testing.T) {
 					},
 					Spec: conf_v1.PolicySpec{
 						OIDC: &conf_v1.OIDC{
-							AuthEndpoint:  "http://example.com/auth",
-							TokenEndpoint: "http://example.com/token",
-							JWKSURI:       "http://example.com/jwks",
-							ClientID:      "client-id",
-							ClientSecret:  "oidc-secret",
-							Scope:         "scope",
-							RedirectURI:   "/redirect",
+							AuthEndpoint:   "http://example.com/auth",
+							TokenEndpoint:  "http://example.com/token",
+							JWKSURI:        "http://example.com/jwks",
+							ClientID:       "client-id",
+							ClientSecret:   "oidc-secret",
+							Scope:          "scope",
+							RedirectURI:    "/redirect",
+							ZoneSyncLeeway: createPointerFromInt(20),
 						},
 					},
 				},
@@ -3891,13 +3892,14 @@ func TestGeneratePoliciesFails(t *testing.T) {
 			context: "route",
 			oidcPolCfg: &oidcPolicyCfg{
 				oidc: &version2.OIDC{
-					AuthEndpoint:  "https://foo.com/auth",
-					TokenEndpoint: "https://foo.com/token",
-					JwksURI:       "https://foo.com/certs",
-					ClientID:      "foo",
-					ClientSecret:  "super_secret_123",
-					RedirectURI:   "/_codexch",
-					Scope:         "openid",
+					AuthEndpoint:   "https://foo.com/auth",
+					TokenEndpoint:  "https://foo.com/token",
+					JwksURI:        "https://foo.com/certs",
+					ClientID:       "foo",
+					ClientSecret:   "super_secret_123",
+					RedirectURI:    "/_codexch",
+					Scope:          "openid",
+					ZoneSyncLeeway: 0,
 				},
 				key: "default/oidc-policy-1",
 			},
@@ -3991,13 +3993,14 @@ func TestGeneratePoliciesFails(t *testing.T) {
 			},
 			expectedOidc: &oidcPolicyCfg{
 				&version2.OIDC{
-					AuthEndpoint:  "https://foo.com/auth",
-					TokenEndpoint: "https://foo.com/token",
-					JwksURI:       "https://foo.com/certs",
-					ClientID:      "foo",
-					ClientSecret:  "super_secret_123",
-					RedirectURI:   "/_codexch",
-					Scope:         "openid",
+					AuthEndpoint:   "https://foo.com/auth",
+					TokenEndpoint:  "https://foo.com/token",
+					JwksURI:        "https://foo.com/certs",
+					ClientID:       "foo",
+					ClientSecret:   "super_secret_123",
+					RedirectURI:    "/_codexch",
+					Scope:          "openid",
+					ZoneSyncLeeway: 0,
 				},
 				"default/oidc-policy",
 			},

diff --git a/pkg/apis/configuration/v1/types.go b/pkg/apis/configuration/v1/types.go
@@ -434,13 +434,14 @@ type EgressMTLS struct {
 
 // OIDC defines an Open ID Connect policy.
 type OIDC struct {
-	AuthEndpoint  string `json:"authEndpoint"`
-	TokenEndpoint string `json:"tokenEndpoint"`
-	JWKSURI       string `json:"jwksURI"`
-	ClientID      string `json:"clientID"`
-	ClientSecret  string `json:"clientSecret"`
-	Scope         string `json:"scope"`
-	RedirectURI   string `json:"redirectURI"`
+	AuthEndpoint   string `json:"authEndpoint"`
+	TokenEndpoint  string `json:"tokenEndpoint"`
+	JWKSURI        string `json:"jwksURI"`
+	ClientID       string `json:"clientID"`
+	ClientSecret   string `json:"clientSecret"`
+	Scope          string `json:"scope"`
+	RedirectURI    string `json:"redirectURI"`
+	ZoneSyncLeeway *int   `json:"zoneSyncLeeway"`
 }
 
 // WAF defines an WAF policy.

diff --git a/pkg/apis/configuration/v1/zz_generated.deepcopy.go b/pkg/apis/configuration/v1/zz_generated.deepcopy.go
diff --git a/pkg/apis/configuration/validation/policy.go b/pkg/apis/configuration/validation/policy.go
@@ -222,6 +222,10 @@ func validateOIDC(oidc *v1.OIDC, fieldPath *field.Path) field.ErrorList {
 		allErrs = append(allErrs, validatePath(oidc.RedirectURI, fieldPath.Child("redirectURI"))...)
 	}
 
+	if oidc.ZoneSyncLeeway != nil {
+		allErrs = append(allErrs, validatePositiveIntOrZero(*oidc.ZoneSyncLeeway, fieldPath.Child("zoneSyncLeeway"))...)
+	}
+
 	allErrs = append(allErrs, validateURL(oidc.AuthEndpoint, fieldPath.Child("authEndpoint"))...)
 	allErrs = append(allErrs, validateURL(oidc.TokenEndpoint, fieldPath.Child("tokenEndpoint"))...)
 	allErrs = append(allErrs, validateURL(oidc.JWKSURI, fieldPath.Child("jwksURI"))...)

diff --git a/pkg/apis/configuration/validation/policy_test.go b/pkg/apis/configuration/validation/policy_test.go
@@ -46,12 +46,13 @@ func TestValidatePolicy(t *testing.T) {
 			policy: &v1.Policy{
 				Spec: v1.PolicySpec{
 					OIDC: &v1.OIDC{
-						AuthEndpoint:  "https://foo.bar/auth",
-						TokenEndpoint: "https://foo.bar/token",
-						JWKSURI:       "https://foo.bar/certs",
-						ClientID:      "random-string",
-						ClientSecret:  "random-secret",
-						Scope:         "openid",
+						AuthEndpoint:   "https://foo.bar/auth",
+						TokenEndpoint:  "https://foo.bar/token",
+						JWKSURI:        "https://foo.bar/certs",
+						ClientID:       "random-string",
+						ClientSecret:   "random-secret",
+						Scope:          "openid",
+						ZoneSyncLeeway: createPointerFromInt(10),
 					},
 				},
 			},
@@ -191,6 +192,24 @@ func TestValidatePolicyFails(t *testing.T) {
 			enableAppProtect: false,
 			msg:              "WAF policy with AP disabled",
 		},
+		{
+			policy: &v1.Policy{
+				Spec: v1.PolicySpec{
+					OIDC: &v1.OIDC{
+						AuthEndpoint:   "https://foo.bar/auth",
+						TokenEndpoint:  "https://foo.bar/token",
+						JWKSURI:        "https://foo.bar/certs",
+						ClientID:       "random-string",
+						ClientSecret:   "random-secret",
+						Scope:          "openid",
+						ZoneSyncLeeway: createPointerFromInt(-1),
+					},
+				},
+			},
+			isPlus:     true,
+			enableOIDC: true,
+			msg:        "OIDC policy with invalid ZoneSyncLeeway",
+		},
 	}
 	for _, test := range tests {
 		err := ValidatePolicy(test.policy, test.isPlus, test.enableOIDC, test.enableAppProtect)
@@ -852,13 +871,14 @@ func TestValidateOIDCValid(t *testing.T) {
 	}{
 		{
 			oidc: &v1.OIDC{
-				AuthEndpoint:  "https://accounts.google.com/o/oauth2/v2/auth",
-				TokenEndpoint: "https://oauth2.googleapis.com/token",
-				JWKSURI:       "https://www.googleapis.com/oauth2/v3/certs",
-				ClientID:      "random-string",
-				ClientSecret:  "random-secret",
-				Scope:         "openid",
-				RedirectURI:   "/foo",
+				AuthEndpoint:   "https://accounts.google.com/o/oauth2/v2/auth",
+				TokenEndpoint:  "https://oauth2.googleapis.com/token",
+				JWKSURI:        "https://www.googleapis.com/oauth2/v3/certs",
+				ClientID:       "random-string",
+				ClientSecret:   "random-secret",
+				Scope:          "openid",
+				RedirectURI:    "/foo",
+				ZoneSyncLeeway: createPointerFromInt(20),
 			},
 			msg: "verify full oidc",
 		},
@@ -992,6 +1012,18 @@ func TestValidateOIDCInvalid(t *testing.T) {
 			},
 			msg: "invalid chars in clientID",
 		},
+		{
+			oidc: &v1.OIDC{
+				AuthEndpoint:   "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/auth",
+				TokenEndpoint:  "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/token",
+				JWKSURI:        "http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/certs",
+				ClientID:       "foobar",
+				ClientSecret:   "secret",
+				Scope:          "openid",
+				ZoneSyncLeeway: createPointerFromInt(-1),
+			},
+			msg: "invalid zoneSyncLeeway value",
+		},
 	}
 
 	for _, test := range tests {