Fixes #242

Author: vfarcic

actions/reconfigure_test.go

@@ -287,24 +287,42 @@ backend myService-be1234
 	s.Equal(expected, actual)
 }
 
+// xxx
 func (s ReconfigureTestSuite) Test_GetTemplates_AddsHttpAuth_WhenModeIsSwarmAndUsersIsPresent() {
 	s.reconfigure.Users = []proxy.User{
 		{Username: "user-1", Password: "pass-1"},
 		{Username: "user-2", Password: "pass-2"},
 	}
 	s.reconfigure.Mode = "swarm"
-	s.reconfigure.Service.ServiceDest[0].Port = "1234"
+	s.reconfigure.HttpsPort = 3333
+	sd := []proxy.ServiceDest{
+		{Port: "1111"},
+		{Port: "2222", IgnoreAuthorization: true},
+	}
+	s.reconfigure.Service.ServiceDest = sd
 	expected := `userlist myServiceUsers
     user user-1 insecure-password pass-1
     user user-2 insecure-password pass-2
 
 
-backend myService-be1234
+backend myService-be1111
     mode http
-    server myService myService:1234
+    server myService myService:1111
     acl myServiceUsersAcl http_auth(myServiceUsers)
     http-request auth realm myServiceRealm if !myServiceUsersAcl
-    http-request del-header Authorization`
+    http-request del-header Authorization
+backend myService-be2222
+    mode http
+    server myService myService:2222
+backend https-myService-be1111
+    mode http
+    server myService myService:3333
+    acl myServiceUsersAcl http_auth(myServiceUsers)
+    http-request auth realm myServiceRealm if !myServiceUsersAcl
+    http-request del-header Authorization
+backend https-myService-be2222
+    mode http
+    server myService myService:3333`
 
 	_, actual, _ := s.reconfigure.GetTemplates()
 
@@ -316,7 +334,6 @@ func (s ReconfigureTestSuite) Test_GetTemplates_AddsHttpsPort_WhenPresent() {
 backend myService-be1234
     mode http
     server myService myService:1234
-
 backend https-myService-be1234
     mode http
     server myService myService:4321`

docs/usage.md

@@ -22,7 +22,8 @@ The following query parameters can be used to send a *reconfigure* request to *D
 |delReqHeader   |Additional headers that will be deleted in the request before forwarding it to the service. Multiple headers should be separated with comma (`,`). Please consult [Delete a header in the request](https://www.haproxy.com/doc/aloha/7.0/haproxy/http_rewriting.html#delete-a-header-in-the-request) for more info.<br>Example: `X-Forwarded-For,Cookie`| |
 |delResHeader   |Additional headers that will be deleted in the response before forwarding it to the client. Multiple headers should be separated with comma (`,`). Please consult [Delete a header in the response](https://www.haproxy.com/doc/aloha/7.0/haproxy/http_rewriting.html#delete-a-header-in-the-response) for more info.<br>Example: `X-Varnish,X-Cache`| |
 |httpsPort      |The internal HTTPS port of a service that should be reconfigured. The port is used only in the `swarm` mode. If not specified, the `port` parameter will be used instead.<br>Example: `443`| |
-|isDefaultBackend  | If true, the service will be set to the default_backend rule, meaning it will catch all requests not matching any other rules.<br>Example: `true`| |
+|ignoreAuthorization|If set to true, the service destination will not require authorization. The parameter must be prefixed with the index of the service destion that should be excluded from authorization.<br>Example: true|false|
+|isDefaultBackend  |If set to true, the service will be set to the default_backend rule, meaning it will catch all requests not matching any other rules.<br>Example: `true`|false|
 |port           |The internal port of a service that should be reconfigured. The port is used only in the `swarm` mode. The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `port.1`, `port.2`, and so on). This field is **mandatory** when running in `swarm` or `service` mode.<br>Example: `8080`| |
 |reqMode        |The request mode. The proxy should be able to work with any mode supported by HAProxy. However, actively supported and tested modes are `http`, `tcp`, and `sni`. The `sni` mode implies TCP with an SNI-based routing. The parameter can be prefixed with an index thus allowing definition of multiple modes for a single service (e.g. `http`, `tcp`, and so on).<br>Example: `tcp`|http|
 |reqPathReplace |A regular expression to apply the modification.<br>Example: `/demo/`| |
@@ -37,7 +38,7 @@ The following query parameters can be used to send a *reconfigure* request to *D
 |timeoutTunnel  |The tunnel timeout in seconds.<br>Example: `3600`                                            |3600   |
 |xForwardedProto|Whether to add "X-Forwarded-Proto https" header.<br>Example: `true`                          |false  |
 
-Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, and `ReqMode` parameters. In that case, `srcPort` is required. Defining multiple destinations is useful in cases when a service exposes multiple ports with different paths and functions.
+Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization` or `ReqMode` parameters. In that case, `srcPort` is required.
 
 ### HTTP Mode HTTP Query Parameters
 
@@ -61,7 +62,7 @@ The following query parameters can be used only when `reqMode` is set to `http`
 |usersPassEncrypted|Indicates whether passwords provided by `users` or `usersSecret` contain encrypted data. Passwords can be encrypted with the command `mkpasswd -m sha-512 password1`.<br>Example: `true`|false|
 |verifyClientSsl|Whether to verify client SSL and, if it is not valid, deny request and return 403 Forbidden status code. SSL is validated against the `ca-file` specified through the environment variable `CA_FILE`.<br>Example: true|false|
 
-Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, and `ReqMode` parameters. In that case, `srcPort` is required. Defining multiple destinations is useful in cases when a service exposes multiple ports with different paths and functions.
+Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, or `ReqMode` parameters. In that case, `srcPort` is required.
 
 ### TCP Mode HTTP Query Parameters
 

integration_tests/integration_swarm_test.go

@@ -366,8 +366,12 @@ func (s IntegrationSwarmTestSuite) Test_ServiceAuthentication() {
 		s.reconfigureGoDemo("")
 	}()
 
+	// Add authorization
+
 	s.reconfigureGoDemo("&users=admin:password")
 
+	// Proxy returns 401 when user/pass is NOT provided
+
 	resp, err := s.sendHelloRequest()
 
 	if err != nil {
@@ -376,6 +380,8 @@ func (s IntegrationSwarmTestSuite) Test_ServiceAuthentication() {
 		s.Equal(401, resp.StatusCode, s.getProxyConf())
 	}
 
+	// Proxy returns 200 when user/pass is provided
+
 	url := fmt.Sprintf("http://%s/demo/hello", s.hostIP)
 	req, err := http.NewRequest("GET", url, nil)
 	req.SetBasicAuth("admin", "password")
@@ -384,6 +390,21 @@ func (s IntegrationSwarmTestSuite) Test_ServiceAuthentication() {
 
 	s.NoError(err)
 	s.Equal(200, resp.StatusCode, s.getProxyConf())
+
+	// Add ignoreAuthorization
+
+	params := fmt.Sprintf("serviceName=go-demo&servicePath.1=/demo&port.1=8080&users=admin:password&ignoreAuthorization.1=true")
+	s.reconfigureService(params)
+
+	// Proxy returns 200 when user/pass is NOT provided
+
+	resp, err = s.sendHelloRequest()
+
+	if err != nil {
+		s.Fail(err.Error())
+	} else {
+		s.Equal(200, resp.StatusCode, s.getProxyConf())
+	}
 }
 
 func (s IntegrationSwarmTestSuite) Test_XTcp() {

proxy/template.go

@@ -58,23 +58,24 @@ backend {{$.ServiceName}}-be{{.Port}}
     server {{"{{$e.Node}}_{{$i}}_{{$e.Port}} {{$e.Address}}:{{$e.Port}}"}}
     {{"{{end}}"}}
         {{- end}}
-        {{- if $.Users}}
+        {{- if not .IgnoreAuthorization}}
+            {{- if and ($.Users) (not .IgnoreAuthorization)}}
     acl {{$.ServiceName}}UsersAcl http_auth({{$.ServiceName}}Users)
     http-request auth realm {{$.ServiceName}}Realm if !{{$.ServiceName}}UsersAcl
-        {{- end}}
-        {{- if $.UseGlobalUsers}}
+            {{- end}}
+            {{- if $.UseGlobalUsers}}
     acl defaultUsersAcl http_auth(defaultUsers)
     http-request auth realm defaultRealm if !defaultUsersAcl
-        {{- end}}
-        {{- if or ($.Users) ($.UseGlobalUsers)}}
+            {{- end}}
+            {{- if or ($.Users) ($.UseGlobalUsers)}}
     http-request del-header Authorization
+            {{- end}}
         {{- end}}
     {{- end}}
     {{- if ne $.BackendExtra ""}}
     {{ $.BackendExtra }}
     {{- end}}
     {{- if gt .HttpsPort 0}}{{range .ServiceDest}}
-
 backend https-{{$.ServiceName}}-be{{.Port}}
     mode {{.ReqModeFormatted}}
         {{- if ne $.ConnectionMode ""}}
@@ -105,21 +106,18 @@ backend https-{{$.ServiceName}}-be{{.Port}}
     server {{"{{$e.Node}}_{{$i}}_{{$e.Port}} {{$e.Address}}:{{$e.Port}}"}}
     {{"{{end}}"}}
         {{- end}}
-        {{- if $.Users}}
+        {{- if not .IgnoreAuthorization}}
+            {{- if $.Users}}
     acl {{$.ServiceName}}UsersAcl http_auth({{$.ServiceName}}Users)
     http-request auth realm {{$.ServiceName}}Realm if !{{$.ServiceName}}UsersAcl
-    http-request del-header Authorization
-        {{- end}}
-        {{- if $.Users}}
-    acl {{$.ServiceName}}UsersAcl http_auth({{$.ServiceName}}Users)
-    http-request auth realm {{$.ServiceName}}Realm if !{{$.ServiceName}}UsersAcl
-        {{- end}}
-        {{- if $.UseGlobalUsers}}
+            {{- end}}
+            {{- if $.UseGlobalUsers}}
     acl defaultUsersAcl http_auth(defaultUsers)
     http-request auth realm defaultRealm if !defaultUsersAcl
-        {{- end}}
-        {{- if or ($.Users) ($.UseGlobalUsers)}}
+            {{- end}}
+            {{- if or ($.Users) ($.UseGlobalUsers)}}
     http-request del-header Authorization
+            {{- end}}
         {{- end}}
     {{- end}}
     {{- if ne $.BackendExtra ""}}

proxy/types.go

@@ -10,6 +10,8 @@ var usersBasePath string = "/run/secrets/dfp_users_%s"
 
 // ServiceDest holds data used to generate proxy configuration. It is extracted as a separate struct since a single service can have multiple combinations.
 type ServiceDest struct {
+	// Whether to ignore authorization for this service destination.
+	IgnoreAuthorization bool
 	// The internal port of a service that should be reconfigured.
 	// The port is used only in the *swarm* mode.
 	Port string
@@ -348,16 +350,15 @@ func getServiceDest(sr *Service, provider ServiceParameterProvider, index int) S
 	if len(provider.GetString(fmt.Sprintf("reqMode%s", suffix))) > 0 {
 		reqMode = provider.GetString(fmt.Sprintf("reqMode%s", suffix))
 	}
-	port := provider.GetString(fmt.Sprintf("port%s", suffix))
 	srcPort, _ := strconv.Atoi(provider.GetString(fmt.Sprintf("srcPort%s", suffix)))
-	verifyClientSsl := getBoolParam(provider, fmt.Sprintf("verifyClientSsl%s", suffix))
 	return ServiceDest{
-		Port:            port,
-		ReqMode:         reqMode,
-		SrcPort:         srcPort,
-		ServicePath:     path,
-		VerifyClientSsl: verifyClientSsl,
-		UserAgent:       userAgent,
+		IgnoreAuthorization: getBoolParam(provider, fmt.Sprintf("ignoreAuthorization%s", suffix)),
+		Port:                provider.GetString(fmt.Sprintf("port%s", suffix)),
+		ReqMode:             reqMode,
+		SrcPort:             srcPort,
+		ServicePath:         path,
+		VerifyClientSsl:     getBoolParam(provider, fmt.Sprintf("verifyClientSsl%s", suffix)),
+		UserAgent:           userAgent,
 	}
 
 }

proxy/types_test.go

@@ -223,11 +223,12 @@ func (s *TypesTestSuite) getServiceMap(expected Service, indexSuffix string) map
 		"usersPassEncrypted":    "true",
 		"xForwardedProto":       strconv.FormatBool(expected.XForwardedProto),
 		// ServiceDest
-		"port" + indexSuffix:            expected.ServiceDest[0].Port,
-		"reqMode" + indexSuffix:         expected.ServiceDest[0].ReqMode,
-		"servicePath" + indexSuffix:     strings.Join(expected.ServiceDest[0].ServicePath, ","),
-		"userAgent" + indexSuffix:       strings.Join(expected.ServiceDest[0].UserAgent.Value, ","),
-		"verifyClientSsl" + indexSuffix: strconv.FormatBool(expected.ServiceDest[0].VerifyClientSsl),
+		"ignoreAuthorization" + indexSuffix: strconv.FormatBool(expected.ServiceDest[0].IgnoreAuthorization),
+		"port" + indexSuffix:                expected.ServiceDest[0].Port,
+		"reqMode" + indexSuffix:             expected.ServiceDest[0].ReqMode,
+		"servicePath" + indexSuffix:         strings.Join(expected.ServiceDest[0].ServicePath, ","),
+		"userAgent" + indexSuffix:           strings.Join(expected.ServiceDest[0].UserAgent.Value, ","),
+		"verifyClientSsl" + indexSuffix:     strconv.FormatBool(expected.ServiceDest[0].VerifyClientSsl),
 	}
 }
 
@@ -251,11 +252,12 @@ func (s *TypesTestSuite) getExpectedService() Service {
 		ServiceCert:           "serviceCert",
 		ServiceColor:          "serviceColor",
 		ServiceDest: []ServiceDest{{
-			ServicePath:     []string{"/"},
-			Port:            "1234",
-			ReqMode:         "reqMode",
-			UserAgent:       UserAgent{Value: []string{"agent-1", "agent-2/replace-with_"}, AclName: "agent_1_agent_2_replace_with_"},
-			VerifyClientSsl: true,
+			IgnoreAuthorization: true,
+			ServicePath:         []string{"/"},
+			Port:                "1234",
+			ReqMode:             "reqMode",
+			UserAgent:           UserAgent{Value: []string{"agent-1", "agent-2/replace-with_"}, AclName: "agent_1_agent_2_replace_with_"},
+			VerifyClientSsl:     true,
 		}},
 		ServiceDomain:         []string{"domain1", "domain2"},
 		ServiceDomainMatchAll: true,
@@ -268,7 +270,9 @@ func (s *TypesTestSuite) getExpectedService() Service {
 		TimeoutServer:         "timeoutServer",
 		TimeoutTunnel:         "timeoutTunnel",
 		XForwardedProto:       true,
-		Users: []User{{Username: "user1", Password: "pass1", PassEncrypted: true},
-			{Username: "user2", Password: "pass2", PassEncrypted: true}},
+		Users: []User{
+			{Username: "user1", Password: "pass1", PassEncrypted: true},
+			{Username: "user2", Password: "pass2", PassEncrypted: true},
+		},
 	}
 }

scripts/local-ci.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
+
 set -e
+
 if [[ ( -z ${DOCKER_HUB_USER} ) || ( -z ${HOST_IP} ) ]]; then
     echo "set DOCKER_HUB_USER variable to your docker hub account, HOST_IP to your host Ip before running"
     exit 1