Lua: Extract external auth into file. (kubernetes#12250)

Co-authored-by: Marco Ebert <[email protected]>
Gacko · Oct 29, 2024 · 7356c4f · 7356c4f
1 parent 6608eb2
commit 7356c4f
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 28 deletions.
diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go
@@ -602,17 +602,12 @@ func buildAuthResponseHeaders(proxySetHeader string, headers []string, lua bool)
 	return res
 }
 
-func buildAuthUpstreamLuaHeaders(headers []string) []string {
-	res := []string{}
-
+func buildAuthUpstreamLuaHeaders(headers []string) string {
 	if len(headers) == 0 {
-		return res
+		return ""
 	}
 
-	for i, h := range headers {
-		res = append(res, fmt.Sprintf("ngx.var.authHeader%d = res.header['%s']", i, h))
-	}
-	return res
+	return strings.Join(headers, ",")
 }
 
 func buildAuthProxySetHeaders(headers map[string]string) []string {

diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go
@@ -537,10 +537,7 @@ func TestBuildAuthResponseHeaders(t *testing.T) {
 
 func TestBuildAuthResponseLua(t *testing.T) {
 	externalAuthResponseHeaders := []string{"h1", "H-With-Caps-And-Dashes"}
-	expected := []string{
-		"ngx.var.authHeader0 = res.header['h1']",
-		"ngx.var.authHeader1 = res.header['H-With-Caps-And-Dashes']",
-	}
+	expected := "h1,H-With-Caps-And-Dashes"
 
 	headers := buildAuthUpstreamLuaHeaders(externalAuthResponseHeaders)
 

diff --git a/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua b/rootfs/etc/nginx/lua/nginx/ngx_conf_external_auth.lua
@@ -0,0 +1,30 @@
+local auth_path = ngx.var.auth_path
+local auth_keepalive_share_vars = ngx.var.auth_keepalive_share_vars
+local auth_response_headers = ngx.var.auth_response_headers
+local ngx_re_split = require("ngx.re").split
+local ipairs = ipairs
+local ngx_log = ngx.log
+local ngx_ERR = ngx.ERR
+
+local res = ngx.location.capture(auth_path, {
+    method = ngx.HTTP_GET, body = '',
+    share_all_vars = auth_keepalive_share_vars })
+
+if res.status == ngx.HTTP_OK then
+    local header_parts, err = ngx_re_split(auth_response_headers, ",")
+    if err then
+       ngx_log(ngx_ERR, err)
+       return
+    end
+    ngx.var.auth_cookie = res.header['Set-Cookie']
+    for i, header_name in ipairs(header_parts) do
+        local varname = "authHeader" .. tostring(i)
+        ngx.var[varname] = res.header[header_name]
+    end
+    return
+end
+
+if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
+    ngx.exit(res.status)
+end
+ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -1185,20 +1185,10 @@ stream {
             {{- end }}
             # `auth_request` module does not support HTTP keepalives in upstream block:
             # https://trac.nginx.org/nginx/ticket/1579
-            access_by_lua_block {
-                local res = ngx.location.capture('{{ $authPath }}', { method = ngx.HTTP_GET, body = '', share_all_vars = {{ $externalAuth.KeepaliveShareVars }} })
-                if res.status == ngx.HTTP_OK then
-                    ngx.var.auth_cookie = res.header['Set-Cookie']
-                    {{- range $line := buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}
-                    {{ $line }}
-                    {{- end }}
-                    return
-                end
-                if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
-                    ngx.exit(res.status)
-                end
-                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
-            }
+            set $auth_path '{{ $authPath }}';
+            set $auth_keepalive_share_vars {{ $externalAuth.KeepaliveShareVars }};
+            set $auth_response_headers '{{ buildAuthUpstreamLuaHeaders $externalAuth.ResponseHeaders }}';
+            access_by_lua_file /etc/nginx/lua/nginx/ngx_conf_external_auth.lua;
             {{ else }}
             auth_request        {{ $authPath }};
             auth_request_set    $auth_cookie $upstream_http_set_cookie;

diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go
@@ -653,7 +653,7 @@ http {
 				func(server string) bool {
 					return strings.Contains(server, `upstream auth-external-auth`) &&
 						strings.Contains(server, `keepalive 10;`) &&
-						strings.Contains(server, `share_all_vars = false`)
+						strings.Contains(server, `set $auth_keepalive_share_vars false;`)
 				})
 		})
 
@@ -673,7 +673,7 @@ http {
 				func(server string) bool {
 					return strings.Contains(server, `upstream auth-external-auth`) &&
 						strings.Contains(server, `keepalive 10;`) &&
-						strings.Contains(server, `share_all_vars = true`)
+						strings.Contains(server, `set $auth_keepalive_share_vars true;`)
 				})
 		})
 	})