From 109365f7f4fecabfd7ee5abb112f0338af23ce13 Mon Sep 17 00:00:00 2001
From: nett_hier <66856670+netthier@users.noreply.github.com>
Date: Wed, 28 Jun 2023 19:47:48 +0200
Subject: [PATCH] fix: Working `authClassName` filter if multiple heimdall deployments are present in a cluster (#742)

Signed-off-by: netthier

The following lines are for release please:
fix: Allow url rewrites with only a subset of fields set (proxy mode)
---
 .../rules/provider/cloudblob/provider_test.go | 2 +-
 .../provider/httpendpoint/provider_test.go | 2 +-
 .../rules/provider/kubernetes/provider.go | 42 +++++++++++--------
 internal/rules/rule_factory_impl.go | 6 +--
 4 files changed, 30 insertions(+), 22 deletions(-)

diff --git a/internal/rules/provider/cloudblob/provider_test.go b/internal/rules/provider/cloudblob/provider_test.go
index 17e41999a..095b78019 100644
--- a/internal/rules/provider/cloudblob/provider_test.go
+++ b/internal/rules/provider/cloudblob/provider_test.go
@@ -199,7 +199,7 @@ buckets:
 messages := logs.String()
 assert.Contains(t, messages, "communication error")
 assert.Contains(t, messages, "Failed to fetch rule set")
- assert.Contains(t, messages, "name resolution")
+ assert.Contains(t, messages, "dial tcp")
 assert.Contains(t, messages, "No updates received")
 },
 },
diff --git a/internal/rules/provider/httpendpoint/provider_test.go b/internal/rules/provider/httpendpoint/provider_test.go
index af5a47030..b593903f6 100644
--- a/internal/rules/provider/httpendpoint/provider_test.go
+++ b/internal/rules/provider/httpendpoint/provider_test.go
@@ -204,7 +204,7 @@ endpoints:
 time.Sleep(250 * time.Millisecond)
 
 messages := logs.String()
- assert.Contains(t, messages, "name resolution")
+ assert.Contains(t, messages, "dial tcp")
 assert.Contains(t, messages, "No updates received")
 },
 },
diff --git a/internal/rules/provider/kubernetes/provider.go b/internal/rules/provider/kubernetes/provider.go
index dba0889bc..65f783892 100644
--- a/internal/rules/provider/kubernetes/provider.go
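Review bot: The updated assertions in this hunk and in the httpendpoint hunk pin the wording of a transport error, `dial tcp`, which presumably depends on how the test host's resolver handles the unreachable endpoint; on a host where the lookup itself fails the message would likely carry the old `name resolution` text and the test would flip again. Asserting only the stable parts that the provider itself emits (`communication error`, `Failed to fetch rule set`, `No updates received`), or accepting either substring, would make both tests independent of the environment. The surrounding test-case table starts before the hunk.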
+++ b/internal/rules/provider/kubernetes/provider.go
@@ -107,7 +107,7 @@ func newProvider(
 func (p *provider) newController(ctx context.Context, namespace string) cache.Controller {
 repository := p.cl.RuleSetRepository(namespace)
 
- _, controller := cache.NewTransformingInformer(
+ _, controller := cache.NewInformer(
 &cache.ListWatch{
 ListFunc: func(opts metav1.ListOptions) (runtime.Object, error) { return repository.List(ctx, opts) },
 WatchFunc: func(opts metav1.ListOptions) (watch.Interface, error) { return repository.Watch(ctx, opts) },
@@ -115,27 +115,11 @@ func (p *provider) newController(ctx context.Context, namespace string) cache.Co
 &v1alpha2.RuleSet{},
 0,
 cache.ResourceEventHandlerFuncs{AddFunc: p.addRuleSet, DeleteFunc: p.deleteRuleSet, UpdateFunc: p.updateRuleSet},
- p.filterAuthClass,
 )
 
 return controller
 }
 
-func (p *provider) filterAuthClass(input any) (any, error) {
- // should never be of a different type. ok if panics
- rs := input.(*v1alpha2.RuleSet) // nolint: forcetypeassert
-
- if rs.Spec.AuthClassName != p.ac {
- p.l.Info().
- Msgf("Ignoring ruleset due to authClassName mismatch (namespace=%s, name=%s, uid=%s)",
- rs.Namespace, rs.Name, rs.UID)
-
- return nil, ErrBadAuthClass
- }
-
- return input, nil
-}
-
 func (p *provider) Start(_ context.Context) error {
 if !p.configured {
 return nil
@@ -195,6 +179,14 @@ func (p *provider) updateRuleSet(_, newObj any) {
 // should never be of a different type. ok if panics
 rs := newObj.(*v1alpha2.RuleSet) // nolint: forcetypeassert
 
+ if rs.Spec.AuthClassName != p.ac {
+ p.l.Info().
+ Msgf("Ignoring ruleset creation due to authClassName mismatch (namespace=%s, name=%s, uid=%s)", rs.Namespace, rs.Name, rs.UID)
+
+ return
+ }
+
 conf := &config2.RuleSet{
 MetaData: config2.MetaData{
 Source: fmt.Sprintf("%s:%s:%s", ProviderType, rs.Namespace, rs.UID),
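Review bot: The new guard in updateRuleSet looks only at newObj, so a RuleSet whose authClassName is changed from this deployment's class to another one is silently ignored and whatever this instance loaded from the previous version stays in force, even though the object is now meant for a different heimdall deployment; the handler receives the old object as well and can treat that transition as a removal, as sketched below (deleteRuleSet's body and what the queued conf triggers lie outside the hunk, so this assumes it drops the rules previously loaded for that UID). The log line in all three handlers reads `Ignoring ruleset creation …`, which is inaccurate for updateRuleSet and for deleteRuleSet in the later hunk; `Ignoring ruleset update …` / `Ignoring ruleset deletion …` would say what actually happened, and the comparison repeated in addRuleSet, updateRuleSet and deleteRuleSet could live in one `func (p *provider) ownsRuleSet(rs *v1alpha2.RuleSet) bool` helper so the three cannot drift apart. Each handler's body continues past its hunk.
```go
func (p *provider) updateRuleSet(oldObj, newObj any) {
	// should never be of a different type. ok if panics
	rs := newObj.(*v1alpha2.RuleSet) // nolint: forcetypeassert

	if rs.Spec.AuthClassName != p.ac {
		// The ruleset may have been handed over to another heimdall deployment;
		// if this instance owned the previous version, drop what it loaded from it.
		if old, ok := oldObj.(*v1alpha2.RuleSet); ok && old.Spec.AuthClassName == p.ac {
			p.deleteRuleSet(oldObj)

			return
		}

		p.l.Info().
			Msgf("Ignoring ruleset update due to authClassName mismatch (namespace=%s, name=%s, uid=%s)",
				rs.Namespace, rs.Name, rs.UID)

		return
	}

	// … unchanged: conf construction and queueing …
```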
@@ -221,6 +213,14 @@ func (p *provider) addRuleSet(obj any) {
 // should never be of a different type. ok if panics
 rs := obj.(*v1alpha2.RuleSet) // nolint: forcetypeassert
 
+ if rs.Spec.AuthClassName != p.ac {
+ p.l.Info().
+ Msgf("Ignoring ruleset creation due to authClassName mismatch (namespace=%s, name=%s, uid=%s)", rs.Namespace, rs.Name, rs.UID)
+
+ return
+ }
+
 conf := &config2.RuleSet{
 MetaData: config2.MetaData{
 Source: fmt.Sprintf("%s:%s:%s", ProviderType, rs.Namespace, rs.UID),
@@ -247,6 +247,14 @@ func (p *provider) deleteRuleSet(obj any) {
 // should never be of a different type. ok if panics
 rs := obj.(*v1alpha2.RuleSet) // nolint: forcetypeassert
 
+ if rs.Spec.AuthClassName != p.ac {
+ p.l.Info().
+ Msgf("Ignoring ruleset creation due to authClassName mismatch (namespace=%s, name=%s, uid=%s)", rs.Namespace, rs.Name, rs.UID)
+
+ return
+ }
+
 conf := &config2.RuleSet{
 MetaData: config2.MetaData{
 Source: fmt.Sprintf("%s:%s:%s", ProviderType, rs.Namespace, rs.UID),
diff --git a/internal/rules/rule_factory_impl.go b/internal/rules/rule_factory_impl.go
index 2ce877bf6..cc541f993 100644
--- a/internal/rules/rule_factory_impl.go
+++ b/internal/rules/rule_factory_impl.go
@@ -235,9 +235,9 @@ func checkProxyModeApplicability(srcID string, ruleConfig config2.Rule) error {
 return nil
 }
 
- if len(urlRewriter.Scheme) == 0 ||
- len(urlRewriter.PathPrefixToAdd) == 0 ||
- len(urlRewriter.PathPrefixToCut) == 0 ||
+ if len(urlRewriter.Scheme) == 0 &&
+ len(urlRewriter.PathPrefixToAdd) == 0 &&
+ len(urlRewriter.PathPrefixToCut) == 0 &&
 len(urlRewriter.QueryParamsToRemove) == 0 {
 return errorchain.NewWithMessagef(heimdall.ErrConfiguration, "rewrite is defined in forward_to in rule ID=%s from %s, but is empty", ruleConfig.ID, srcID)
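Review bot: The emptiness test in checkProxyModeApplicability now enumerates the four rewriter fields by hand, so a field added to the URL rewriter later would not count as "set" here and a rewrite configuring only that field would still be rejected as empty; moving the check onto the rewriter's type, e.g. `if urlRewriter.IsEmpty() {`, keeps the field list in one place (the type is declared outside this hunk, so whether such a method already exists cannot be seen here). With the conjunction the condition now matches the error text `but is empty`, so the message itself needs no change. checkProxyModeApplicability starts before the hunk and the assignment of `urlRewriter` is not visible.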