Added snippet check to transport server validation

soneillf5 · soneillf5 · commit a16540382c12 · 2021-03-10T19:27:42.000Z
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
@@ -604,7 +604,7 @@ func main() {
 		templateExecutorV2, *nginxPlus, isWildcardEnabled, plusCollector, *enablePrometheusMetrics, latencyCollector, *enableLatencyMetrics)
 	controllerNamespace := os.Getenv("POD_NAMESPACE")
 
-	transportServerValidator := cr_validation.NewTransportServerValidator(*enableTLSPassthrough)
+	transportServerValidator := cr_validation.NewTransportServerValidator(*enableTLSPassthrough, *enableSnippets)
 	virtualServerValidator := cr_validation.NewVirtualServerValidator(*nginxPlus)
 
 	lbcInput := k8s.NewLoadBalancerControllerInput{
diff --git a/examples-of-custom-resources/basic-tcp-udp/transport-server-tcp.yaml b/examples-of-custom-resources/basic-tcp-udp/transport-server-tcp.yaml
@@ -3,6 +3,7 @@ kind: TransportServer
 metadata:
   name: dns-tcp
 spec:
+  serverSnippets: "deny 192.168.123.123;"
   listener:
     name: dns-tcp 
     protocol: TCP
diff --git a/internal/configs/transportserver.go b/internal/configs/transportserver.go
@@ -60,9 +60,6 @@ func generateTransportServerConfig(transportServerEx *TransportServerEx, listene
 	}
 
 	serverSnippets := generateSnippets(snippetsEnabled, transportServerEx.TransportServer.Spec.ServerSnippets, []string{})
-	if !snippetsEnabled && (transportServerEx.TransportServer.Spec.ServerSnippets != "") {
-		return nil, fmt.Errorf("snippet specified but snippets feature is not enabled")
-	}
 
 	statusZone := transportServerEx.TransportServer.Spec.Listener.Name
 	if transportServerEx.TransportServer.Spec.Listener.Name == conf_v1alpha1.TLSPassthroughListenerName {
diff --git a/internal/k8s/configuration_test.go b/internal/k8s/configuration_test.go
@@ -22,6 +22,7 @@ func createTestConfiguration() *Configuration {
 	appProtectEnabled := false
 	internalRoutesEnabled := false
 	isTLSPassthroughEnabled := true
+	snippetsEnabled := true
 	return NewConfiguration(
 		lbc.HasCorrectIngressClass,
 		isPlus,
@@ -32,7 +33,7 @@ func createTestConfiguration() *Configuration {
 			80:  true,
 			443: true,
 		}),
-		validation.NewTransportServerValidator(isTLSPassthroughEnabled),
+		validation.NewTransportServerValidator(isTLSPassthroughEnabled, snippetsEnabled),
 		isTLSPassthroughEnabled,
 	)
 }
diff --git a/pkg/apis/configuration/validation/transportserver.go b/pkg/apis/configuration/validation/transportserver.go
@@ -11,13 +11,15 @@ import (
 
 // TransportServerValidator validates a TransportServer resource.
 type TransportServerValidator struct {
-	tlsPassthrough bool
+	tlsPassthrough  bool
+	snippetsEnabled bool
 }
 
 // NewTransportServerValidator creates a new TransportServerValidator.
-func NewTransportServerValidator(tlsPassthrough bool) *TransportServerValidator {
+func NewTransportServerValidator(tlsPassthrough bool, snippetsEnabled bool) *TransportServerValidator {
 	return &TransportServerValidator{
-		tlsPassthrough: tlsPassthrough,
+		tlsPassthrough:  tlsPassthrough,
+		snippetsEnabled: snippetsEnabled,
 	}
 }
 
@@ -48,6 +50,17 @@ func (tsv *TransportServerValidator) validateTransportServerSpec(spec *v1alpha1.
 		allErrs = append(allErrs, validateTransportServerAction(spec.Action, fieldPath.Child("action"), upstreamNames)...)
 	}
 
+	allErrs = append(allErrs, validateSnippets(spec.ServerSnippets, fieldPath.Child("serverSnippets"), tsv.snippetsEnabled)...)
+
+	return allErrs
+}
+
+func validateSnippets(serverSnippet string, fieldPath *field.Path, snippetsEnabled bool) field.ErrorList {
+	allErrs := field.ErrorList{}
+	if !snippetsEnabled && serverSnippet != "" {
+		return append(allErrs, field.Forbidden(fieldPath, "snippet specified but snippets feature is not enabled"))
+	}
+
 	return allErrs
 }
 
diff --git a/pkg/apis/configuration/validation/transportserver_test.go b/pkg/apis/configuration/validation/transportserver_test.go
@@ -206,6 +206,43 @@ func TestValidateTransportServerHost(t *testing.T) {
 	}
 }
 
+func TestValidateTransportServerSnippet(t *testing.T) {
+	tests := []struct {
+		snippet           string
+		isSnippetsEnabled bool
+		expectError       bool
+	}{
+		{
+			snippet:           "",
+			isSnippetsEnabled: false,
+			expectError:       false,
+		},
+		{
+			snippet:           "deny 192.168.1.1;",
+			isSnippetsEnabled: false,
+			expectError:       true,
+		},
+		{
+			snippet:           "deny 192.168.1.1;",
+			isSnippetsEnabled: true,
+			expectError:       false,
+		},
+	}
+
+	for _, test := range tests {
+		allErrs := validateSnippets(test.snippet, field.NewPath("serverSnippet"), test.isSnippetsEnabled)
+		if test.expectError {
+			if len(allErrs) < 1 {
+				t.Errorf("validateSnippets(%q, %v) failed to return an error for invalid input", test.snippet, test.isSnippetsEnabled)
+			}
+		} else {
+			if len(allErrs) > 0 {
+				t.Errorf("validateSnippets(%q, %v) returned errors %v for valid input", test.snippet, test.isSnippetsEnabled, allErrs)
+			}
+		}
+	}
+}
+
 func TestValidateTransportServerHostFails(t *testing.T) {
 	tests := []struct {
 		host                     string

Original file line number	Diff line number	Diff line change
`@@ -60,9 +60,6 @@ func generateTransportServerConfig(transportServerEx *TransportServerEx, listene`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`serverSnippets := generateSnippets(snippetsEnabled, transportServerEx.TransportServer.Spec.ServerSnippets, []string{})`
`63`		`- if !snippetsEnabled && (transportServerEx.TransportServer.Spec.ServerSnippets != "") {`
`64`		`- return nil, fmt.Errorf("snippet specified but snippets feature is not enabled")`
`65`		`- }`
`66`	`63`
`67`	`64`	`statusZone := transportServerEx.TransportServer.Spec.Listener.Name`
`68`	`65`	`if transportServerEx.TransportServer.Spec.Listener.Name == conf_v1alpha1.TLSPassthroughListenerName {`