Don't pass the Authorization header to the backends

2018-07-16 13:52:03 +02:00 · 2018-07-16 13:52:03 +02:00 · 9ce444b91a
commit 9ce444b91a
parent ae8be89767
40 changed files with 445 additions and 130 deletions
--- a/provider/kubernetes/annotations.go
+++ b/provider/kubernetes/annotations.go
@ -11,6 +11,7 @@ const (
 	annotationKubernetesAuthSecret                 = "ingress.kubernetes.io/auth-secret"
 	annotationKubernetesAuthHeaderField            = "ingress.kubernetes.io/auth-header-field"
 	annotationKubernetesAuthForwardResponseHeaders = "ingress.kubernetes.io/auth-response-headers"
+	annotationKubernetesAuthRemoveHeader           = "ingress.kubernetes.io/auth-remove-header"
 	annotationKubernetesAuthForwardURL             = "ingress.kubernetes.io/auth-url"
 	annotationKubernetesAuthForwardTrustHeaders    = "ingress.kubernetes.io/auth-trust-headers"
 	annotationKubernetesAuthForwardTLSSecret       = "ingress.kubernetes.io/auth-tls-secret"
--- a/provider/kubernetes/kubernetes.go
+++ b/provider/kubernetes/kubernetes.go
@ -737,7 +737,10 @@ func getBasicAuthConfig(i *extensionsv1beta1.Ingress, k8sClient Client) (*types.
 		return nil, err
 	}

-	return &types.Basic{Users: credentials}, nil
+	return &types.Basic{
+		Users:        credentials,
+		RemoveHeader: getBoolValue(i.Annotations, annotationKubernetesAuthRemoveHeader, false),
+	}, nil
 }

 func getDigestAuthConfig(i *extensionsv1beta1.Ingress, k8sClient Client) (*types.Digest, error) {
@ -746,7 +749,9 @@ func getDigestAuthConfig(i *extensionsv1beta1.Ingress, k8sClient Client) (*types
 		return nil, err
 	}

-	return &types.Digest{Users: credentials}, nil
+	return &types.Digest{Users: credentials,
+		RemoveHeader: getBoolValue(i.Annotations, annotationKubernetesAuthRemoveHeader, false),
+	}, nil
 }

 func getAuthCredentials(i *extensionsv1beta1.Ingress, k8sClient Client) ([]string, error) {
--- a/provider/kubernetes/kubernetes_test.go
+++ b/provider/kubernetes/kubernetes_test.go
@ -2048,6 +2048,7 @@ func TestLoadIngressesBasicAuth(t *testing.T) {
 			iNamespace("testing"),
 			iAnnotation(annotationKubernetesAuthType, "basic"),
 			iAnnotation(annotationKubernetesAuthSecret, "mySecret"),
+			iAnnotation(annotationKubernetesAuthRemoveHeader, "true"),
 			iRules(
 				iRule(
 					iHost("basic"),
@ -2096,8 +2097,9 @@ func TestLoadIngressesBasicAuth(t *testing.T) {

 	actual = provider.loadConfig(*actual)
 	require.NotNil(t, actual)
-	got := actual.Frontends["basic/auth"].Auth.Basic.Users
-	assert.Equal(t, types.Users{"myUser:myEncodedPW"}, got)
+	actualBasicAuth := actual.Frontends["basic/auth"].Auth.Basic
+	assert.Equal(t, types.Users{"myUser:myEncodedPW"}, actualBasicAuth.Users)
+	assert.True(t, actualBasicAuth.RemoveHeader, "Bad RemoveHeader flag")
 }

 func TestLoadIngressesForwardAuth(t *testing.T) {