ACL checks generate no failure response when fail-status <= 100.

4f28adc2 · Geoff Simmons · 65ab4547 · 4f28adc2 · 4f28adc2 · 4f28adc2
Commit 4f28adc2 authored Feb 14, 2019 by Geoff Simmons
Showing with 72 additions and 1 deletion

varnishcfg-crd.yaml deploy/varnishcfg-crd.yaml +1 -1

acl.tmpl pkg/varnish/vcl/acl.tmpl +2 -0

acl_no_fail.golden pkg/varnish/vcl/testdata/acl_no_fail.golden +18 -0

vcl_test.go pkg/varnish/vcl/vcl_test.go +51 -0

No files found.
--- a/deploy/varnishcfg-crd.yaml
+++ b/deploy/varnishcfg-crd.yaml
@@ -137,7 +137,7 @@ spec:
                    type: string
                  fail-status:
                    type: integer
-                    minimum: 100
+                    minimum: 0
                    maximum: 599
                  comparand:
                    type: string

--- a/pkg/varnish/vcl/acl.tmpl
+++ b/pkg/varnish/vcl/acl.tmpl
@@ -23,7 +23,9 @@ sub vcl_recv {
 		{{- if .ResultHdr.Header}}
 		set {{.ResultHdr.Header}} = "{{.ResultHdr.Failure}}";
 		{{- end}}
+		{{- if ge .FailStatus 100}}
 		return(synth({{.FailStatus}}));
+		{{- end}}
 	}
 	{{- if .ResultHdr.Header}}
 	else {

--- a/pkg/varnish/vcl/testdata/acl_no_fail.golden
+++ b/pkg/varnish/vcl/testdata/acl_no_fail.golden
+
+import std;
+acl vk8s_acl_no_fail_acl {
+	"192.0.2.0"/24;
+	"198.51.100.0"/24;
+	"203.0.113.0"/24;
+}
+
+sub vcl_recv {
+	if (
+	    client.ip !~ vk8s_acl_no_fail_acl
+	   ) {
+		set req.http.ACL-Whitelist = "fail";
+	}
+	else {
+		set req.http.ACL-Whitelist = "pass";
+	}
+}
--- a/pkg/varnish/vcl/vcl_test.go
+++ b/pkg/varnish/vcl/vcl_test.go
@@ -535,6 +535,57 @@ func TestAclResultHeader(t *testing.T) {
 	}
 }

+var aclNoFail = Spec{
+	ACLs: []ACL{{
+		Name:       "acl_no_fail",
+		Comparand:  "client.ip",
+		FailStatus: 0,
+		Whitelist:  true,
+		Addresses: []ACLAddress{
+			ACLAddress{
+				Addr:     "192.0.2.0",
+				MaskBits: 24,
+				Negate:   false,
+			},
+			ACLAddress{
+				Addr:     "198.51.100.0",
+				MaskBits: 24,
+				Negate:   false,
+			},
+			ACLAddress{
+				Addr:     "203.0.113.0",
+				MaskBits: 24,
+				Negate:   false,
+			},
+		},
+		ResultHdr: ResultHdrType{
+			Header:  "req.http.ACL-Whitelist",
+			Success: "pass",
+			Failure: "fail",
+		},
+	}},
+}
+
+func TestAclNoFail(t *testing.T) {
+	var buf bytes.Buffer
+	gold := "acl_no_fail.golden"
+
+	if err := aclTmpl.Execute(&buf, aclNoFail); err != nil {
+		t.Error("acls template Execute():", err)
+		return
+	}
+	ok, err := cmpGold(buf.Bytes(), gold)
+	if err != nil {
+		t.Fatalf("Reading %s: %v", gold, err)
+	}
+	if !ok {
+		t.Errorf("Generated VCL does not match gold file: %s", gold)
+		if testing.Verbose() {
+			t.Logf("Generated: %s", buf.String())
+		}
+	}
+}
+
 var customVCLSpec = Spec{
 	DefaultService: Service{},
 	Rules: []Rule{{