UPT: updated e2e test and default true for process-multipart-body ann…

…otation
kubernetes · Oct 25, 2018 · bf03046 · bf03046
1 parent 3c2c0d0
commit bf03046
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 11 deletions.
diff --git a/docs/user-guide/nginx-configuration/annotations.md b/docs/user-guide/nginx-configuration/annotations.md
@@ -578,6 +578,9 @@ nginx.ingress.kubernetes.io/lua-resty-waf-score-threshold: "10"
 
 When you enabled HTTPS in the endpoint and since resty-lua will return 500 error when processing "multipart" contents
 Reference for this [issue](https://github.com/p0pr0ck5/lua-resty-waf/issues/166)
+
+By default, it will be "true"
+
 You may enable the following annotation for work around:
 
 ```yaml

diff --git a/internal/ingress/annotations/luarestywaf/main.go b/internal/ingress/annotations/luarestywaf/main.go
@@ -111,7 +111,10 @@ func (a luarestywaf) Parse(ing *extensions.Ingress) (interface{}, error) {
 
 	allowUnknownContentTypes, _ := parser.GetBoolAnnotation("lua-resty-waf-allow-unknown-content-types", ing)
 
-	processMultipartBody, _ := parser.GetBoolAnnotation("lua-resty-waf-process-multipart-body", ing)
+	processMultipartBody, err := parser.GetBoolAnnotation("lua-resty-waf-process-multipart-body", ing)
+	if err != nil {
+		processMultipartBody = true
+	}
 
 	return &Config{
 		Mode:                     mode,

diff --git a/internal/ingress/annotations/luarestywaf/main_test.go b/internal/ingress/annotations/luarestywaf/main_test.go
@@ -46,22 +46,22 @@ func TestParse(t *testing.T) {
 		{nil, &Config{}},
 		{map[string]string{}, &Config{}},
 
-		{map[string]string{luaRestyWAFAnnotation: "active"}, &Config{Mode: "ACTIVE", Debug: false, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "active"}, &Config{Mode: "ACTIVE", Debug: false, IgnoredRuleSets: []string{}, ProcessMultipartBody: true}},
 		{map[string]string{luaRestyWAFDebugAnnotation: "true"}, &Config{Debug: false}},
 
-		{map[string]string{luaRestyWAFAnnotation: "active", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "ACTIVE", Debug: true, IgnoredRuleSets: []string{}}},
-		{map[string]string{luaRestyWAFAnnotation: "active", luaRestyWAFDebugAnnotation: "false"}, &Config{Mode: "ACTIVE", Debug: false, IgnoredRuleSets: []string{}}},
-		{map[string]string{luaRestyWAFAnnotation: "inactive", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "INACTIVE", Debug: true, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "active", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "ACTIVE", Debug: true, IgnoredRuleSets: []string{}, ProcessMultipartBody: true}},
+		{map[string]string{luaRestyWAFAnnotation: "active", luaRestyWAFDebugAnnotation: "false"}, &Config{Mode: "ACTIVE", Debug: false, IgnoredRuleSets: []string{}, ProcessMultipartBody: true}},
+		{map[string]string{luaRestyWAFAnnotation: "inactive", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "INACTIVE", Debug: true, IgnoredRuleSets: []string{}, ProcessMultipartBody: true}},
 
 		{map[string]string{
 			luaRestyWAFAnnotation:                         "active",
 			luaRestyWAFDebugAnnotation:                    "true",
 			luaRestyWAFIgnoredRuleSetsAnnotation:          "ruleset1, ruleset2 ruleset3,   another.ruleset",
 			luaRestyWAFScoreThresholdAnnotation:           "10",
 			luaRestyWAFAllowUnknownContentTypesAnnotation: "true"},
-			&Config{Mode: "ACTIVE", Debug: true, IgnoredRuleSets: []string{"ruleset1", "ruleset2", "ruleset3", "another.ruleset"}, ScoreThreshold: 10, AllowUnknownContentTypes: true}},
+			&Config{Mode: "ACTIVE", Debug: true, IgnoredRuleSets: []string{"ruleset1", "ruleset2", "ruleset3", "another.ruleset"}, ScoreThreshold: 10, AllowUnknownContentTypes: true, ProcessMultipartBody: true}},
 
-		{map[string]string{luaRestyWAFAnnotation: "siMulate", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "SIMULATE", Debug: true, IgnoredRuleSets: []string{}}},
+		{map[string]string{luaRestyWAFAnnotation: "siMulate", luaRestyWAFDebugAnnotation: "true"}, &Config{Mode: "SIMULATE", Debug: true, IgnoredRuleSets: []string{}, ProcessMultipartBody: true}},
 		{map[string]string{luaRestyWAFAnnotation: "siMulateX", luaRestyWAFDebugAnnotation: "true"}, &Config{Debug: false}},
 
 		{map[string]string{luaRestyWAFAnnotation: "active", luaRestyWAFProcessMultipartBody: "false"}, &Config{Mode: "ACTIVE", ProcessMultipartBody: false, IgnoredRuleSets: []string{}}},

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -906,8 +906,6 @@ stream {
 
                 {{ if not $location.LuaRestyWAF.ProcessMultipartBody }}
                 waf:set_option("process_multipart_body", false)
-                {{ else }}
-                waf:set_option("process_multipart_body", true)
                 {{ end }}
 
                 {{ if $location.LuaRestyWAF.Debug }}

diff --git a/test/e2e/annotations/luarestywaf.go b/test/e2e/annotations/luarestywaf.go
@@ -97,9 +97,9 @@ var _ = framework.IngressNginxDescribe("Annotations - lua-resty-waf", func() {
 			Expect(len(errs)).Should(Equal(0))
 			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 		})
-		It("should allow the multipart content type", func() {
-			host := "foo"
+		It("should not fail a request with multipart content type when multipart body processing disabled", func() {
 			contenttype := "multipart/form-data; boundary=alamofire.boundary.3fc2e849279e18fc"
+			host := "foo"
 			createIngress(f, host, "http-svc", 80, map[string]string{
 				"nginx.ingress.kubernetes.io/lua-resty-waf-process-multipart-body": "false",
 				"nginx.ingress.kubernetes.io/lua-resty-waf":                        "active"})
@@ -114,6 +114,22 @@ var _ = framework.IngressNginxDescribe("Annotations - lua-resty-waf", func() {
 			Expect(len(errs)).Should(Equal(0))
 			Expect(resp.StatusCode).Should(Equal(http.StatusOK))
 		})
+		It("should fail a request with multipart content type when multipart body processing enabled by default", func() {
+			contenttype := "multipart/form-data; boundary=alamofire.boundary.3fc2e849279e18fc"
+			host := "foo"
+			createIngress(f, host, "http-svc", 80, map[string]string{
+				"nginx.ingress.kubernetes.io/lua-resty-waf": "active"})
+
+			url := fmt.Sprintf("%s?msg=my-message", f.IngressController.HTTPURL)
+			resp, _, errs := gorequest.New().
+				Get(url).
+				Set("Host", host).
+				Set("Content-Type", contenttype).
+				End()
+
+			Expect(len(errs)).Should(Equal(0))
+			Expect(resp.StatusCode).Should(Equal(http.StatusBadRequest))
+		})
 		It("should apply configured extra rules", func() {
 			host := "foo"
 			createIngress(f, host, "http-svc", 80, map[string]string{