From 5cb483a4bc7bb74170d22d1392256df471df25aa Mon Sep 17 00:00:00 2001
From: Wouter Dullaert
Date: Thu, 28 Mar 2024 14:07:50 +0100
Subject: [PATCH] fix: Ensure changes in MatchCN annotation are detected

---
 internal/ingress/annotations/authtls/main.go | 3 ++
 .../ingress/annotations/authtls/main_test.go | 9 ++++
 test/e2e/annotations/authtls.go | 43 +++++++++++++++++++
 3 files changed, 55 insertions(+)

diff --git a/internal/ingress/annotations/authtls/main.go b/internal/ingress/annotations/authtls/main.go
index e288d82c97..b331a215e9 100644
--- a/internal/ingress/annotations/authtls/main.go
+++ b/internal/ingress/annotations/authtls/main.go
@@ -122,6 +122,9 @@ func (assl1 *Config) Equal(assl2 *Config) bool {
 	if assl1.PassCertToUpstream != assl2.PassCertToUpstream {
 		return false
 	}
+	if assl1.MatchCN != assl2.MatchCN {
+		return false
+	}
 	return true
 }
diff --git a/internal/ingress/annotations/authtls/main_test.go b/internal/ingress/annotations/authtls/main_test.go
index 0dd442e4f6..37342e513a 100644
--- a/internal/ingress/annotations/authtls/main_test.go
+++ b/internal/ingress/annotations/authtls/main_test.go
@@ -333,6 +333,15 @@ func TestEquals(t *testing.T) {
 	}
 	cfg2.PassCertToUpstream = true
+	// Different MatchCN
+	cfg1.MatchCN = "CN=(hello-app|goodbye)"
+	cfg2.MatchCN = "CN=(hello-app)"
+	result = cfg1.Equal(cfg2)
+	if result != false {
+		t.Errorf("Expected false")
+	}
+	cfg2.MatchCN = "CN=(hello-app|goodbye)"
+
+
 	// Equal Configs
 	result = cfg1.Equal(cfg2)
 	if result != true {
diff --git a/test/e2e/annotations/authtls.go b/test/e2e/annotations/authtls.go
index c7a05c053d..3315065f1c 100644
--- a/test/e2e/annotations/authtls.go
+++ b/test/e2e/annotations/authtls.go
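Review bot: The MatchCN comparison added after the PassCertToUpstream check closes the gap that let an updated auth-tls-match-cn annotation go unnoticed, but Equal is still a hand-written field-by-field list and nothing prevents the same omission when the next Config field is added; the method's signature and its earlier comparisons sit outside the hunk. As the commit title and the new e2e test indicate, this equality appears to decide whether the controller treats the ingress as changed, so a missing comparison means a tightened client-certificate CN restriction is not applied until an unrelated change forces a reload. I would add a doc comment on the method making that contract explicit, e.g. `// Equal reports whether both configs are identical. Every Config field must be compared here: a field left out means a changed annotation is not detected and its new value is never applied.`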
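Review bot: The new MatchCN case compares the result against a boolean literal, `if result != false`, and reports only `Expected false`, so a failure does not say which field comparison regressed; the surrounding cases use the same pattern, so this is a point of style rather than a defect. I would write the check as `if cfg1.Equal(cfg2) { t.Errorf("Equal() returned true for configs that differ only in MatchCN") }`. TestEquals starts and ends outside the hunk.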
@@ -322,6 +322,49 @@ var _ = framework.DescribeAnnotation("auth-tls-*", func() {
 			Status(http.StatusOK)
 	})
+	ginkgo.It("should reload the nginx config when auth-tls-match-cn is updated", func() {
+		host := authTLSFooHost
+		nameSpace := f.Namespace
+
+		clientConfig, err := framework.CreateIngressMASecret(
+			f.KubeClientSet,
+			host,
+			host,
+			nameSpace)
+		assert.Nil(ginkgo.GinkgoT(), err)
+
+		// First add an annotation that forbids our connection
+		annotations := map[string]string{
+			"nginx.ingress.kubernetes.io/auth-tls-secret": nameSpace + "/" + host,
+			"nginx.ingress.kubernetes.io/auth-tls-verify-client": "on",
+			"nginx.ingress.kubernetes.io/auth-tls-match-cn": "CN=notvalid",
+		}
+
+		ingress := f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, nameSpace, framework.EchoService, 80, annotations))
+
+		assertSslClientCertificateConfig(f, host, "on", "1")
+
+		f.HTTPTestClientWithTLSConfig(clientConfig).
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusForbidden)
+
+		// Update the annotation to something that allows the connection
+		ingress.Annotations["nginx.ingress.kubernetes.io/auth-tls-match-cn"] = "CN=authtls"
+		f.UpdateIngress(ingress)
+
+		assertSslClientCertificateConfig(f, host, "on", "1")
+
+		f.HTTPTestClientWithTLSConfig(clientConfig).
+			GET("/").
+			WithURL(f.GetURL(framework.HTTPS)).
+			WithHeader("Host", host).
+			Expect().
+			Status(http.StatusOK)
+	})
+
+
 	ginkgo.It("should return 200 using auth-tls-match-cn where atleast one of the regex options matches CN from client", func() {
 		host := authTLSFooHost
 		nameSpace := f.Namespace
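Review bot: After `f.UpdateIngress(ingress)` the test calls `assertSslClientCertificateConfig(f, host, "on", "1")` again, but the verify-client and depth settings it checks were already present in the rendered config before the update, so that wait can return immediately and the following request may reach nginx before the reload carrying the new CN regex has completed, producing a flaky 403. The second wait should key on the value that actually changed, e.g. `f.WaitForNginxServer(host, func(server string) bool { return strings.Contains(server, "CN=authtls") })`, assuming the match-cn value is rendered verbatim into the server block and adding the `strings` import if the file does not already have it. With that wait in place the 403-then-200 sequence becomes a reliable check that a match-cn-only change triggers a reload, which is exactly the regression the commit fixes. The enclosing DescribeAnnotation body starts and ends outside the hunk.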