fix: Working authClassName filter if multiple heimdall deployments …
…are present in a cluster (#742)

Signed-off-by: netthier <admin@netthier.net>

The following lines are for release please:

fix: Allow url rewrites with only a subset of fields set (proxy mode)
netthier authored Jun 28, 2023
1 parent dff3d4d commit 109365f
Showing 4 changed files with 30 additions and 22 deletions.
2 changes: 1 addition & 1 deletion internal/rules/provider/cloudblob/provider_test.go
Expand Up @@ -199,7 +199,7 @@ buckets:
messages := logs.String()
assert.Contains(t, messages, "communication error")
assert.Contains(t, messages, "Failed to fetch rule set")
assert.Contains(t, messages, "name resolution")
assert.Contains(t, messages, "dial tcp")
assert.Contains(t, messages, "No updates received")
},
},
2 changes: 1 addition & 1 deletion internal/rules/provider/httpendpoint/provider_test.go
Expand Up @@ -204,7 +204,7 @@ endpoints:
time.Sleep(250 * time.Millisecond)

messages := logs.String()
assert.Contains(t, messages, "name resolution")
assert.Contains(t, messages, "dial tcp")
assert.Contains(t, messages, "No updates received")
},
},
42 changes: 25 additions & 17 deletions internal/rules/provider/kubernetes/provider.go
Expand Up @@ -107,35 +107,19 @@ func newProvider(

func (p *provider) newController(ctx context.Context, namespace string) cache.Controller {
repository := p.cl.RuleSetRepository(namespace)
_, controller := cache.NewTransformingInformer(
_, controller := cache.NewInformer(
&cache.ListWatch{
ListFunc: func(opts metav1.ListOptions) (runtime.Object, error) { return repository.List(ctx, opts) },
WatchFunc: func(opts metav1.ListOptions) (watch.Interface, error) { return repository.Watch(ctx, opts) },
},
&v1alpha2.RuleSet{},
0,
cache.ResourceEventHandlerFuncs{AddFunc: p.addRuleSet, DeleteFunc: p.deleteRuleSet, UpdateFunc: p.updateRuleSet},
p.filterAuthClass,
)

return controller
}

func (p *provider) filterAuthClass(input any) (any, error) {
// should never be of a different type. ok if panics
rs := input.(*v1alpha2.RuleSet) // nolint: forcetypeassert

if rs.Spec.AuthClassName != p.ac {
p.l.Info().
Msgf("Ignoring ruleset due to authClassName mismatch (namespace=%s, name=%s, uid=%s)",
rs.Namespace, rs.Name, rs.UID)

return nil, ErrBadAuthClass
}

return input, nil
}

func (p *provider) Start(_ context.Context) error {
if !p.configured {
return nil
Expand Down Expand Up @@ -195,6 +179,14 @@ func (p *provider) updateRuleSet(_, newObj any) {
// should never be of a different type. ok if panics
rs := newObj.(*v1alpha2.RuleSet) // nolint: forcetypeassert

if rs.Spec.AuthClassName != p.ac {
p.l.Info().
Msgf("Ignoring ruleset creation due to authClassName mismatch (namespace=%s, name=%s, uid=%s)",
rs.Namespace, rs.Name, rs.UID)

return
}

conf := &config2.RuleSet{
MetaData: config2.MetaData{
Source: fmt.Sprintf("%s:%s:%s", ProviderType, rs.Namespace, rs.UID),
Expand All @@ -221,6 +213,14 @@ func (p *provider) addRuleSet(obj any) {
// should never be of a different type. ok if panics
rs := obj.(*v1alpha2.RuleSet) // nolint: forcetypeassert

if rs.Spec.AuthClassName != p.ac {
p.l.Info().
Msgf("Ignoring ruleset creation due to authClassName mismatch (namespace=%s, name=%s, uid=%s)",
rs.Namespace, rs.Name, rs.UID)

return
}

conf := &config2.RuleSet{
MetaData: config2.MetaData{
Source: fmt.Sprintf("%s:%s:%s", ProviderType, rs.Namespace, rs.UID),
Expand All @@ -247,6 +247,14 @@ func (p *provider) deleteRuleSet(obj any) {
// should never be of a different type. ok if panics
rs := obj.(*v1alpha2.RuleSet) // nolint: forcetypeassert

if rs.Spec.AuthClassName != p.ac {
p.l.Info().
Msgf("Ignoring ruleset creation due to authClassName mismatch (namespace=%s, name=%s, uid=%s)",
rs.Namespace, rs.Name, rs.UID)

return
}

conf := &config2.RuleSet{
MetaData: config2.MetaData{
Source: fmt.Sprintf("%s:%s:%s", ProviderType, rs.Namespace, rs.UID),
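Review bot: In `updateRuleSet` the new guard looks only at `newObj` and the old object is still discarded (`_`), so a RuleSet whose `authClassName` is edited away from this instance's class is ignored rather than removed, and the rules loaded earlier presumably stay active here until a delete event or a restart. The opposite edit, into this class, reaches the update path for a rule set this instance never added. Comparing both objects and routing those two transitions to `deleteRuleSet(oldObj)` and `addRuleSet(newObj)` keeps each deployment's rules aligned with its class; the body of `updateRuleSet` continues outside the hunk. The log text in the update and delete handlers also still says "creation", which will mislead anyone reading the logs while tracing why a rule set was skipped.

```go
func (p *provider) updateRuleSet(oldObj, newObj any) {
	// should never be of a different type. ok if panics
	oldRS := oldObj.(*v1alpha2.RuleSet) // nolint: forcetypeassert
	rs := newObj.(*v1alpha2.RuleSet)    // nolint: forcetypeassert

	wasOurs := oldRS.Spec.AuthClassName == p.ac
	isOurs := rs.Spec.AuthClassName == p.ac

	switch {
	case wasOurs && !isOurs:
		// class moved away from this instance: drop the rules loaded earlier
		p.deleteRuleSet(oldObj)

		return
	case !wasOurs && isOurs:
		// class moved to this instance: nothing was loaded yet, so treat it as an add
		p.addRuleSet(newObj)

		return
	case !isOurs:
		p.l.Info().
			Msgf("Ignoring ruleset update due to authClassName mismatch (namespace=%s, name=%s, uid=%s)",
				rs.Namespace, rs.Name, rs.UID)

		return
	}

	// … unchanged: conf construction and the rest of the handler …
```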
6 changes: 3 additions & 3 deletions internal/rules/rule_factory_impl.go
Expand Up @@ -235,9 +235,9 @@ func checkProxyModeApplicability(srcID string, ruleConfig config2.Rule) error {
return nil
}

if len(urlRewriter.Scheme) == 0 ||
len(urlRewriter.PathPrefixToAdd) == 0 ||
len(urlRewriter.PathPrefixToCut) == 0 ||
if len(urlRewriter.Scheme) == 0 &&
len(urlRewriter.PathPrefixToAdd) == 0 &&
len(urlRewriter.PathPrefixToCut) == 0 &&
len(urlRewriter.QueryParamsToRemove) == 0 {
return errorchain.NewWithMessagef(heimdall.ErrConfiguration,
"rewrite is defined in forward_to in rule ID=%s from %s, but is empty", ruleConfig.ID, srcID)
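Review bot: The relaxed emptiness check in `checkProxyModeApplicability` comes with no test among the four changed files, so nothing pins that a rewrite with only some fields set is accepted while a fully empty one is still rejected. One table case per single field, plus the all-empty case, would cover it. A short comment above the condition, such as `// reject only a rewrite with no field set; any one field is a valid rewrite`, would make the intent clear. The function starts and ends outside the hunk.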
