Fix api key policy undefined routes #5838

Merged
merged 6 commits into from
Jun 25, 2024
1 change: 1 addition & 0 deletions internal/configs/version2/nginx-plus.virtualserver.tmpl
@@ -253,6 +253,7 @@ server {
{{- end }}

{{- with $s.APIKey}}
js_var $header_query_value {{ makeHeaderQueryValue $s.APIKey | printf }};
js_var $apikey_auth_local_map "{{ .MapName}}";
js_var $apikey_auth_token $apikey_auth_hash;
auth_request /_validate_apikey_njs;
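Review bot: The `js_var $header_query_value {{ makeHeaderQueryValue $s.APIKey | printf }};` directive emits the policy's header/query names into the server block unquoted, while the neighbouring `js_var $apikey_auth_local_map "{{ .MapName}}";` is quoted; the directive is therefore only as safe as the string `makeHeaderQueryValue` returns, and if that helper does not already quote or escape its output, a header or query-parameter name containing `;`, `"` or whitespace taken from the policy resource would break out of the directive when the config is rendered. I cannot see `makeHeaderQueryValue` or the policy validation from this hunk, so please confirm one of them rejects or escapes such characters, and add a template comment stating which, e.g. `# header/query names are validated by the APIKey policy webhook; makeHeaderQueryValue emits a quoted nginx string`. Because `auth_request /_validate_apikey_njs;` now sits at server level, requests that match no `location` are authenticated before they can fall through to 404, which is what the accompanying tests assert; a one-line comment above the `{{- with $s.APIKey}}` block recording that intent would keep a future refactor from moving it back into the locations. The same applies to the identical hunk in `internal/configs/version2/nginx.virtualserver.tmpl`, and the enclosing `server` block continues outside both hunks.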
1 change: 1 addition & 0 deletions internal/configs/version2/nginx.virtualserver.tmpl
@@ -156,6 +156,7 @@ server {
{{- end }}

{{- with $s.APIKey}}
js_var $header_query_value {{ makeHeaderQueryValue $s.APIKey | printf }};
js_var $apikey_auth_local_map "{{ .MapName}}";
js_var $apikey_auth_token $apikey_auth_hash;
auth_request /_validate_apikey_njs;
45 changes: 45 additions & 0 deletions tests/suite/test_apikey_auth_policies.py
@@ -112,6 +112,18 @@ def test_apikey_auth_policy_vs(self, kube_apis, crd_ingress_controller, virtual_
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
wait_before_test()

# /undefined path (is not a route defined in the VirtualServer)
undefined_without_auth_headers = {"host": host}
undefined_with_wrong_auth_header = {"host": host, apikey_policy_details.headers[0]: "wrongpassword"}
undefined_with_auth_headers = {"host": host, apikey_policy_details.headers[0]: apikey_policy_details.apikeys[0]}
undefined_path = (
f"http://{virtual_server_setup.public_endpoint.public_ip}"
f":{virtual_server_setup.public_endpoint.port}/undefined"
)
undefined_resp_no_auth_header = requests.get(undefined_path, headers=undefined_without_auth_headers)
undefined_resp_with_wrong_auth_header = requests.get(undefined_path, headers=undefined_with_wrong_auth_header)
undefined_resp_with_auth_header = requests.get(undefined_path, headers=undefined_with_auth_headers)

# /no-auth path
no_auth_headers = {"host": host}
no_auth_path = (
@@ -221,6 +233,15 @@ def test_apikey_auth_policy_vs(self, kube_apis, crd_ingress_controller, virtual_
virtual_server_setup.namespace,
)

# /undefined (without an auth header)
assert undefined_resp_no_auth_header.status_code == 401

# /undefined (with wrong password in header)
assert undefined_resp_with_wrong_auth_header.status_code == 403

# /undefined (with an auth header)
assert undefined_resp_with_auth_header.status_code == 404

# /no-auth (snippet to turn off auth_request on this route)
assert no_auth_resp.status_code == 200

@@ -302,6 +323,21 @@ def test_apikey_auth_policy_vs_and_vsr(
wait_until_all_pods_are_ready(kube_apis.v1, test_namespace)
wait_before_test(5)

# /undefined path (is not a route defined in the VirtualServer)
undefined_without_auth_headers = {"host": host}
undefined_with_wrong_auth_header = {"host": host, apikey_policy_details_server.headers[0]: "wrongpassword"}
undefined_with_auth_headers = {
"host": host,
apikey_policy_details_server.headers[0]: apikey_policy_details_server.apikeys[0],
}
undefined_path = (
f"http://{virtual_server_setup.public_endpoint.public_ip}"
f":{virtual_server_setup.public_endpoint.port}/undefined"
)
undefined_resp_no_auth_header = requests.get(undefined_path, headers=undefined_without_auth_headers)
undefined_resp_with_wrong_auth_header = requests.get(undefined_path, headers=undefined_with_wrong_auth_header)
undefined_resp_with_auth_header = requests.get(undefined_path, headers=undefined_with_auth_headers)

# /no-auth path
no_auth_path_server = (
f"http://{virtual_server_setup.public_endpoint.public_ip}"
@@ -409,6 +445,15 @@ def test_apikey_auth_policy_vs_and_vsr(
virtual_server_setup.namespace,
)

# /undefined (without an auth header)
assert undefined_resp_no_auth_header.status_code == 401

# /undefined (with wrong password in header)
assert undefined_resp_with_wrong_auth_header.status_code == 403

# /undefined (with an auth header)
assert undefined_resp_with_auth_header.status_code == 404

# /no-auth (snippet to turn off auth_request on this route)
assert no_auth_server_resp.status_code == 200

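Review bot: The three `/undefined` assertions (401 without a key, 403 with a wrong key, 404 only once the key is valid) pin a security property that the comments do not state: the API key is checked before routing, so an unauthenticated client cannot use 404-vs-401 differences to discover which routes a VirtualServer defines. Please record that next to the 404 assertion, e.g. `# 404 is reached only with a valid key: unauthenticated callers cannot enumerate routes`, so the ordering is not "fixed" later by someone who expects 404 first. The same block is repeated verbatim in the `test_apikey_auth_policy_vs_and_vsr` hunk at `@@ -409,6 +445,15 @@`, and the request setup for `/undefined` is also duplicated between the two tests; a small helper that builds the three header variants from a policy-details object and returns the three responses would keep the two tests from drifting. The `requests.get(...)` calls follow the file's existing style of passing no `timeout`, which in an integration suite means a wedged `auth_request` subrequest hangs the test rather than failing it; this is worth a `timeout=` if the rest of the file is ever changed to use one. Both `test_apikey_auth_policy_vs` and `test_apikey_auth_policy_vs_and_vsr` start and end outside these hunks.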