convert hsts to the new per path config
jcmoraisjr committed Sep 10, 2020
1 parent 9aa50f9 commit 837a6ba
Showing 6 changed files with 78 additions and 110 deletions.
21 changes: 6 additions & 15 deletions pkg/converters/ingress/annotations/backend.go
Expand Up @@ -530,21 +530,12 @@ func (c *updater) buildBackendHeaders(d *backData) {
}

func (c *updater) buildBackendHSTS(d *backData) {
rawHSTSList := d.mapper.GetBackendConfig(
d.backend,
[]string{ingtypes.BackHSTS, ingtypes.BackHSTSMaxAge, ingtypes.BackHSTSPreload, ingtypes.BackHSTSIncludeSubdomains},
nil,
)
for _, cfg := range rawHSTSList {
d.backend.HSTS = append(d.backend.HSTS, &hatypes.BackendConfigHSTS{
Paths: cfg.Paths,
Config: hatypes.HSTS{
Enabled: cfg.Get(ingtypes.BackHSTS).Bool(),
MaxAge: cfg.Get(ingtypes.BackHSTSMaxAge).Int(),
Subdomains: cfg.Get(ingtypes.BackHSTSIncludeSubdomains).Bool(),
Preload: cfg.Get(ingtypes.BackHSTSPreload).Bool(),
},
})
for _, path := range d.backend.Paths {
config := d.mapper.GetConfig(path.Link)
path.HSTS.Enabled = config.Get(ingtypes.BackHSTS).Bool()
path.HSTS.MaxAge = config.Get(ingtypes.BackHSTSMaxAge).Int()
path.HSTS.Subdomains = config.Get(ingtypes.BackHSTSIncludeSubdomains).Bool()
path.HSTS.Preload = config.Get(ingtypes.BackHSTSPreload).Bool()
}
}

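Review bot: The value assigned at `path.HSTS.MaxAge = config.Get(ingtypes.BackHSTSMaxAge).Int()` is not range-checked before it reaches the template's `max-age={{ $hsts.MaxAge }}`, so a negative annotation value would be emitted verbatim and a value of `0` tells clients to discard any cached policy, both of which silently remove the protection the operator asked for. The replaced `GetBackendConfig` call did not validate either, so this is pre-existing, but the per-path loop is the natural place to do it; whether `.Int()` already logs or substitutes a default on a malformed value is not visible here. Consider rejecting negatives in the loop and reporting through the updater's logger (the test table's `logging` field suggests one exists), e.g. `if path.HSTS.MaxAge < 0 { /* warn and keep the default */ }`, rather than leaving the check to the template. buildBackendHSTS is shown in full inside this hunk.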
58 changes: 25 additions & 33 deletions pkg/converters/ingress/annotations/backend_test.go
Expand Up @@ -1007,7 +1007,7 @@ func TestHSTS(t *testing.T) {
source Source
annDefault map[string]string
ann map[string]map[string]string
expected []*hatypes.BackendConfigHSTS
expected map[string]hatypes.HSTS
logging string
}{
// 0
Expand All @@ -1024,24 +1024,18 @@ func TestHSTS(t *testing.T) {
ingtypes.BackHSTSPreload: "true",
},
},
expected: []*hatypes.BackendConfigHSTS{
{
Paths: createBackendPaths("/"),
Config: hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Subdomains: false,
Preload: false,
},
expected: map[string]hatypes.HSTS{
"/": {
Enabled: true,
MaxAge: 15768000,
Subdomains: false,
Preload: false,
},
{
Paths: createBackendPaths("/url"),
Config: hatypes.HSTS{
Enabled: true,
MaxAge: 50,
Subdomains: false,
Preload: true,
},
"/url": {
Enabled: true,
MaxAge: 50,
Subdomains: false,
Preload: true,
},
},
},
Expand All @@ -1059,15 +1053,12 @@ func TestHSTS(t *testing.T) {
ingtypes.BackHSTSIncludeSubdomains: "true",
},
},
expected: []*hatypes.BackendConfigHSTS{
{
Paths: createBackendPaths("/"),
Config: hatypes.HSTS{
Enabled: true,
MaxAge: 50,
Subdomains: true,
Preload: false,
},
expected: map[string]hatypes.HSTS{
"/": {
Enabled: true,
MaxAge: 50,
Subdomains: true,
Preload: false,
},
},
source: Source{Namespace: "default", Name: "ing1", Type: "ingress"},
Expand All @@ -1076,11 +1067,8 @@ func TestHSTS(t *testing.T) {
// 2
{
paths: []string{"/"},
expected: []*hatypes.BackendConfigHSTS{
{
Paths: createBackendPaths("/"),
Config: hatypes.HSTS{},
},
expected: map[string]hatypes.HSTS{
"/": {},
},
},
}
Expand All @@ -1089,7 +1077,11 @@ func TestHSTS(t *testing.T) {
d := c.createBackendMappingData("default/app", &test.source, test.annDefault, test.ann, test.paths)
u := c.createUpdater()
u.buildBackendHSTS(d)
c.compareObjects("hsts", i, d.backend.HSTS, test.expected)
actual := map[string]hatypes.HSTS{}
for _, path := range d.backend.Paths {
actual[path.Path()] = path.HSTS
}
c.compareObjects("hsts", i, actual, test.expected)
c.logger.CompareLogging(test.logging)
c.teardown()
}
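Review bot: None of the three table entries enables HSTS on one path while leaving it disabled on another, which is the new situation the per-path model introduces and the one the template's `HasHSTS` and `NeedACL` gating depends on. Case 0 enables it on both `/` and `/url` with different parameters and case 2 disables it everywhere. A fourth entry with paths `/` and `/url`, the annotation set only on `/`, and an expectation of the form `"/": {Enabled: true, MaxAge: <default>}, "/url": {}` would pin that behaviour, with `<default>` being whatever the annotation defaults set up above the hunk supply. The rest of TestHSTS continues above and below the hunks shown.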
66 changes: 27 additions & 39 deletions pkg/haproxy/instance_test.go
Expand Up @@ -146,25 +146,23 @@ d1.local/ path01`,
},
{
doconfig: func(g *hatypes.Global, h *hatypes.Host, b *hatypes.Backend) {
b.HSTS = []*hatypes.BackendConfigHSTS{
{
Paths: createBackendPaths(b, "d1.local/"),
Config: hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Preload: true,
Subdomains: true,
},
},
{
Paths: createBackendPaths(b, "d1.local/path", "d1.local/uri"),
Config: hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Preload: false,
Subdomains: false,
},
},
b.FindBackendPath(h.FindPath("/").Link).HSTS = hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Preload: true,
Subdomains: true,
}
b.FindBackendPath(h.FindPath("/path").Link).HSTS = hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Preload: false,
Subdomains: false,
}
b.FindBackendPath(h.FindPath("/uri").Link).HSTS = hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Preload: false,
Subdomains: false,
}
},
path: []string{"/", "/path", "/uri"},
Expand Down Expand Up @@ -1034,16 +1032,11 @@ func TestInstanceFrontingProxyUseProto(t *testing.T) {
h = c.config.Hosts().AcquireHost(test.domain)
h.AddPath(b, "/", hatypes.MatchBegin)
b.Endpoints = []*hatypes.Endpoint{endpointS1}
b.HSTS = []*hatypes.BackendConfigHSTS{
{
Paths: createBackendPaths(b, test.domain+"/"),
Config: hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Subdomains: true,
Preload: true,
},
},
b.FindBackendPath(h.FindPath("/").Link).HSTS = hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Subdomains: true,
Preload: true,
}
h.TLS.CAHash = "1"
h.TLS.CAFilename = "/var/haproxy/ssl/ca.pem"
Expand Down Expand Up @@ -1196,16 +1189,11 @@ func TestInstanceFrontingProxyIgnoreProto(t *testing.T) {
h = c.config.Hosts().AcquireHost(test.domain)
h.AddPath(b, "/", hatypes.MatchBegin)
b.Endpoints = []*hatypes.Endpoint{endpointS1}
b.HSTS = []*hatypes.BackendConfigHSTS{
{
Paths: createBackendPaths(b, test.domain+"/"),
Config: hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Subdomains: true,
Preload: true,
},
},
b.FindBackendPath(h.FindPath("/").Link).HSTS = hatypes.HSTS{
Enabled: true,
MaxAge: 15768000,
Subdomains: true,
Preload: true,
}
h.TLS.CAHash = "1"
h.TLS.CAFilename = "/var/haproxy/ssl/ca.pem"
22 changes: 13 additions & 9 deletions pkg/haproxy/types/backend.go
Expand Up @@ -191,6 +191,16 @@ func (b *Backend) HasCorsEnabled() bool {
return false
}

// HasHSTS ...
func (b *Backend) HasHSTS() bool {
for _, path := range b.Paths {
if path.HSTS.Enabled {
return true
}
}
return false
}

// HasModsec is a method to verify if a Backend has ModSecurity Enabled
func (b *Backend) HasModsec() bool {
for _, waf := range b.WAF {
Expand Down Expand Up @@ -224,8 +234,8 @@ func (b *Backend) LinkHasSSLRedirect(link PathLink) bool {
}

// HasSSLRedirectPaths ...
func (b *Backend) HasSSLRedirectPaths(paths *BackendPaths) bool {
for _, path := range paths.Items {
func (b *Backend) HasSSLRedirectPaths(paths []*BackendPath) bool {
for _, path := range paths {
if b.LinkHasSSLRedirect(path.Link) {
return true
}
Expand All @@ -247,8 +257,7 @@ func (b *Backend) NeedACL() bool {
return true
}
}
return len(b.HSTS) > 1 ||
len(b.MaxBodySize) > 1 || len(b.RewriteURL) > 1 || len(b.WhitelistHTTP) > 1 ||
return len(b.MaxBodySize) > 1 || len(b.RewriteURL) > 1 || len(b.WhitelistHTTP) > 1 ||
len(b.Cors) > 1 || len(b.AuthHTTP) > 1 || len(b.WAF) > 1
}

Expand Down Expand Up @@ -406,11 +415,6 @@ func (b *BackendConfigCors) String() string {
return fmt.Sprintf("%+v", *b)
}

// String ...
func (b *BackendConfigHSTS) String() string {
return fmt.Sprintf("%+v", *b)
}

// String ...
func (b *BackendConfigWhitelist) String() string {
return fmt.Sprintf("%+v", *b)
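Review bot: Dropping `len(b.HSTS) > 1` from NeedACL's return means a backend whose paths differ only in their HSTS settings no longer reports that it needs path ACLs, unless the loop that closes just above the hunk (`return true }}`) now compares per-path fields; the template hunk in rootfs/etc/templates/haproxy/haproxy.tmpl still emits `{ var(txn.pathID) {{ $hstsCfg.PathIDs $i }} }` whenever `$hstsCfg.NeedACL` is true, so if `txn.pathID` is only assigned under `Backend.NeedACL`, that condition could never match and the Strict-Transport-Security header would be silently omitted for those paths. NeedACL's body begins outside the hunk, so this may already be handled; an instance test where HSTS is the only per-path difference would settle it. Separately, the new `HasHSTS` doc comment is a stub; suggest `// HasHSTS reports whether HSTS is enabled on at least one of the backend's paths.`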
7 changes: 0 additions & 7 deletions pkg/haproxy/types/types.go
Expand Up @@ -490,7 +490,6 @@ type Backend struct {
//
AuthHTTP []*BackendConfigAuth
Cors []*BackendConfigCors
HSTS []*BackendConfigHSTS
MaxBodySize []*BackendConfigInt
RewriteURL []*BackendConfigStr
SSLRedirect []*BackendConfigBool
Expand Down Expand Up @@ -595,12 +594,6 @@ type BackendConfigWAF struct {
Config WAF
}

// BackendConfigHSTS ...
type BackendConfigHSTS struct {
Paths BackendPaths
Config HSTS
}

// BackendConfigWhitelist ...
type BackendConfigWhitelist struct {
Paths BackendPaths
14 changes: 7 additions & 7 deletions rootfs/etc/templates/haproxy/haproxy.tmpl
Expand Up @@ -349,7 +349,7 @@ backend {{ $backend.ID }}
{{- $hasFrontingProxy := $global.Bind.HasFrontingProxy }}
{{- $frontingUseProto := and $hasFrontingProxy $global.Bind.FrontingUseProto }}
{{- $frontingIgnoreProto := and $hasFrontingProxy (not $global.Bind.FrontingUseProto) }}
{{- if and $backend.HSTS (not $frontingIgnoreProto) }}
{{- if and $backend.HasHSTS (not $frontingIgnoreProto) }}
acl https-request ssl_fc
{{- if $frontingUseProto }}
acl https-request var(txn.proto) https
Expand All @@ -360,7 +360,7 @@ backend {{ $backend.ID }}
{{- end }}

{{- /*------------------------------------*/}}
{{- if and $frontingUseProto $backend.HSTS }}
{{- if and $frontingUseProto $backend.HasHSTS }}
http-request set-var(txn.proto) hdr(X-Forwarded-Proto)
{{- end }}

Expand Down Expand Up @@ -536,18 +536,18 @@ backend {{ $backend.ID }}
{{- end }}

{{- /*------------------------------------*/}}
{{- $needACL := gt (len $backend.HSTS) 1 }}
{{- range $hstsCfg := $backend.HSTS }}
{{- $hsts := $hstsCfg.Config }}
{{- $hstsCfg := $backend.PathConfig "HSTS" }}
{{- $needACL := $hstsCfg.NeedACL }}
{{- range $i, $hsts := $hstsCfg.Items }}
{{- if $hsts.Enabled }}
{{- $paths := $hstsCfg.Paths }}
{{- $paths := $hstsCfg.Paths $i }}
{{- $needSSLACL := and (not $frontingIgnoreProto) (not ($backend.HasSSLRedirectPaths $paths)) }}
http-response set-header Strict-Transport-Security "max-age={{ $hsts.MaxAge }}
{{- if $hsts.Subdomains }}; includeSubDomains{{ end }}
{{- if $hsts.Preload }}; preload{{ end }}"
{{- if or $needSSLACL $needACL }} if
{{- if $needSSLACL }} https-request{{ end }}
{{- if $needACL }} { var(txn.pathID) {{ $paths.IDList }} }{{ end }}
{{- if $needACL }} { var(txn.pathID) {{ $hstsCfg.PathIDs $i }} }{{ end }}
{{- end }}
{{- end }}
{{- end }}