Merge pull request #135 from bcgov/dev

Custom domains

Author: ikethecoder

microservices/gatewayApi/README.md

@@ -53,7 +53,8 @@ The `data_planes_config.json` example:
   "data_planes": {
     "dp-silver-kong-proxy": {
       "kube-api": "https://api.cloud",
-      "kube-ns": "xxxxxx-dev"
+      "kube-ns": "xxxxxx-dev",
+      "validate-upstreams": false
     }
   }
 }

microservices/gatewayApi/clients/kong.py

@@ -29,6 +29,9 @@ def get_service_routes (service_id):
 def get_local_certs_by_ns (ns):
     return recurse_get_records ([], "/certificates?tags=gwa.ns.%s" % ns)
 
+def get_public_certs_by_ns (ns):
+    return recurse_get_records ([], "/certificates?tags=ns.%s" % ns)
+
 def get_acls ():
     return recurse_get_records ([], "/acls")
 

microservices/gatewayApi/config/test.json

@@ -19,10 +19,15 @@
     "test-default-dp": {
       "kube-api": "http://kube-api",
       "kube-ns": "abcd-1234"
+    },
+    "strict-dp": {
+      "kube-api": "http://kube-api",
+      "kube-ns": "abcd-1234",
+      "validate-upstreams": true
     }
   },
   "kubeApiCreds": {
     "kubeApiPass": "password",
     "kubeApiUser": "username"
   }
-}
+}

microservices/gatewayApi/tests/conftest.py

@@ -60,15 +60,46 @@ def decorated_function(*args, **kwargs):
 def mock_keycloak(mocker):
     class mock_kc_admin:
         def get_group_by_path(path, search_in_subgroups):
-            return {
-                "id": "g001"
-            }
+            if path == "/ns/mytest":
+                return {"id": "g001"}
+            elif path == "/ns/mytest2":
+                return {"id": "g002"}
+            elif path == "/ns/mytest3":
+                return {"id": "g003"}
+            elif path == "/ns/customcert":
+                return {"id": "g004"}
+            else:
+                return {"id": "g001"}
         def get_group(id):
-            return {
-                "attributes": {
-                    "perm-domains": [ ".api.gov.bc.ca", ".cluster.local" ]
+            if id == "g001":
+                return {
+                    "attributes": {
+                        "perm-domains": [ ".api.gov.bc.ca", ".cluster.local" ]
+                    }
                 }
-            }
+            elif id == "g002":
+                return {
+                    "attributes": {
+                        "perm-data-plane": ["strict-dp"],
+                        "perm-upstreams": [],
+                        "perm-domains": [ ".api.gov.bc.ca", ".cluster.local" ]
+                    }
+                }
+            elif id == "g003":
+                return {
+                    "attributes": {
+                        "perm-data-plane": ["strict-dp"],
+                        "perm-upstreams": ['ns1'],
+                        "perm-domains": [ ".api.gov.bc.ca", ".cluster.local" ]
+                    }
+                }
+            elif id == "g004":
+                return {
+                    "attributes": {
+                        "perm-domains": [ ".api.gov.bc.ca", ".custom.gov.bc.ca" ]
+                    }
+                }
+
     mocker.patch("v2.services.namespaces.admin_api", return_value=mock_kc_admin)
 
 def mock_kong(mocker):
@@ -92,14 +123,35 @@ def json():
             return Response
         elif (path == 'http://kong/certificates?tags=gwa.ns.mytest' or
               path == 'http://kong/certificates?tags=gwa.ns.sescookie' or
-              path == 'http://kong/certificates?tags=gwa.ns.dclass'):
+              path == 'http://kong/certificates?tags=gwa.ns.dclass' or
+              path == 'http://kong/certificates?tags=gwa.ns.customcert'):
             class Response:
                 def json():
                     return {
                         "data": [],
                         "next": None
                     }
             return Response
+        elif (path == 'http://kong/certificates?tags=ns.customcert'):
+            class Response:
+                def json():
+                    return {
+                        "next": None,
+                        "data": [
+                            {
+                                "id": "41d14845-669f-4dcd-aff2-926fb32a4b25",
+                                "snis": [
+                                    "test.custom.gov.bc.ca"
+                                ],
+                                "tags": [
+                                    "ns.customcert",
+                                ],
+                                "cert": "CERT",
+                                "key": "KEY"
+                            }
+                        ]
+                    }
+            return Response
 
         else:
             raise Exception(path)
@@ -157,7 +209,8 @@ class Response:
                     "aps.route.dataclass.high": [],
                     "aps.route.dataclass.public": []
                 }, 
-                'select_tag': 'ns.sescookie.dev'
+                'select_tag': 'ns.sescookie.dev',
+                'certificates': []
             }
 
             assert json.dumps(kwargs['json'], sort_keys=True) == json.dumps(matched, sort_keys=True)
@@ -175,7 +228,39 @@ class Response:
                     "aps.route.dataclass.high": ['myapi.api.gov.bc.ca'],
                     "aps.route.dataclass.public": []
                 }, 
-                'select_tag': 'ns.dclass.dev'
+                'select_tag': 'ns.dclass.dev',
+                'certificates': []
+            }
+
+            assert json.dumps(kwargs['json'], sort_keys=True) == json.dumps(matched, sort_keys=True)
+            return Response
+        elif (url == 'http://kube-api/namespaces/customcert/routes'):
+            class Response:
+                status_code = 201
+            matched = {
+                'hosts': ['test.custom.gov.bc.ca'], 
+                'ns_attributes': {'perm-domains': ['.api.gov.bc.ca', '.custom.gov.bc.ca']}, 
+                'overrides': {
+                    'aps.route.session.cookie.enabled': [],
+                    "aps.route.dataclass.low": [],
+                    "aps.route.dataclass.medium": [],
+                    "aps.route.dataclass.high": [],
+                    "aps.route.dataclass.public": []
+                }, 
+                'select_tag': 'ns.customcert',
+                'certificates': [
+                    {
+                        "id": "41d14845-669f-4dcd-aff2-926fb32a4b25",
+                        "snis": [
+                            "test.custom.gov.bc.ca"
+                        ],
+                        "tags": [
+                            "ns.customcert",
+                        ],
+                        "cert": "CERT",
+                        "key": "KEY"
+                    }
+                ]
             }
 
             assert json.dumps(kwargs['json'], sort_keys=True) == json.dumps(matched, sort_keys=True)
@@ -190,24 +275,16 @@ class Response:
             raise Exception(url)
 
     def mock_requests_get(self, url, **kwards):
-        if (url == 'http://kube-api/namespaces/mytest/local_tls'):
-            class Response:
-                status_code = 200
-                def json():
-                    return {}
-            return Response
-        elif (url == 'http://kube-api/namespaces/sescookie/local_tls'):
-            class Response:
-                status_code = 200
-                def json():
-                    return {}
-            return Response
-        elif (url == 'http://kube-api/namespaces/dclass/local_tls'):
+        if (url == 'http://kube-api/namespaces/mytest/local_tls' or
+            url == 'http://kube-api/namespaces/sescookie/local_tls' or
+            url == 'http://kube-api/namespaces/dclass/local_tls' or
+            url == 'http://kube-api/namespaces/customcert/local_tls'):
             class Response:
                 status_code = 200
                 def json():
                     return {}
             return Response
+
         else:
             raise Exception(url)
 

microservices/gatewayApi/tests/routes/v2/test_gateway.py

@@ -121,6 +121,31 @@ def test_happy_with_data_class_gateway_call(client):
     assert response.status_code == 200
     assert json.dumps(response.json) == '{"message": "Sync successful.", "results": "Deck reported no changes"}'
 
+def test_happy_with_custom_domain_gateway_call(client):
+    configFile = '''
+        services:
+        - name: my-service
+          host: myupstream.local
+          ca_certificates: [ "0000-0000-0000-0000" ]
+          certificate: "41d14845-669f-4dcd-aff2-926fb32a4b25"
+          tags: ["ns.customcert"]
+          routes:
+          - name: route-1
+            hosts: [ test.custom.gov.bc.ca ]
+            tags: ["ns.customcert"]
+            plugins:
+            - name: acl-auth
+              tags: ["ns.customcert"]
+        '''
+
+    data={
+        "configFile": configFile,
+        "dryRun": False
+    }
+    response = client.put('/v2/namespaces/customcert/gateway', json=data)
+    assert response.status_code == 200
+    assert json.dumps(response.json) == '{"message": "Sync successful.", "results": "Deck reported no changes"}'
+
 def test_success_mtls_reference(client):
     configFile = '''
         services:

microservices/gatewayApi/tests/routes/v2/test_gateway_err_validations.py

@@ -114,3 +114,34 @@ def test_invalid_upstream(client):
     response = client.put('/v2/namespaces/mytest/gateway', json=data)
     assert response.status_code == 400
     assert json.dumps(response.json) == '{"error": "Validation Errors:\\nservice upstream is invalid (e1)"}'
+
+def test_invalid_strict_dp_upstream(client):
+    configFile = '''
+        services:
+        - name: my-service
+          host: myservice.ns1.svc
+          tags: ["ns.mytest2", "another"]
+        '''
+
+    data={
+        "configFile": configFile,
+        "dryRun": True
+    }
+    response = client.put('/v2/namespaces/mytest2/gateway', json=data)
+    assert response.status_code == 400
+    assert json.dumps(response.json) == '{"error": "Validation Errors:\\nservice upstream is invalid (e6)"}'
+
+def test_valid_strict_dp_upstream(client):
+    configFile = '''
+        services:
+        - name: my-service
+          host: myservice.ns1.svc
+          tags: ["ns.mytest3", "another"]
+        '''
+
+    data={
+        "configFile": configFile,
+        "dryRun": True
+    }
+    response = client.put('/v2/namespaces/mytest3/gateway', json=data)
+    assert response.status_code == 200

microservices/gatewayApi/tests/routes/v1/test_validate_upstream.py renamed to microservices/gatewayApi/tests/utils/test_validate_upstream.py

@@ -6,7 +6,7 @@
 
 import yaml
 import pytest
-from v1.routes.gateway import validate_upstream
+from utils.validators import validate_upstream
 
 def test_upstream_good(app):
     payload = '''
@@ -126,3 +126,31 @@ def test_upstream_protected_service_allow(app):
     y = yaml.load(payload, Loader=yaml.FullLoader)
     validate_upstream (y, { "perm-protected-ns": ["deny"]}, ['my-namespace']) 
 
+def test_upstream_pass_validation(app):
+    payload = '''
+services:
+  - name: my-service
+    tags: ["ns.mytest", "another"]
+    host: myapi.my-namespace.svc
+'''
+    y = yaml.load(payload, Loader=yaml.FullLoader)
+
+    validate_upstream (y, { "perm-upstreams": ["my-namespace"]}, [], True) 
+
+def test_upstream_fail_validation(app):
+    payload = '''
+services:
+  - name: my-service
+    tags: ["ns.mytest", "another"]
+    host: myapi.my-namespace.svc
+'''
+    y = yaml.load(payload, Loader=yaml.FullLoader)
+
+    with pytest.raises(Exception, match=r"service upstream is invalid \(e6\)"):
+        validate_upstream (y, {}, [], True)
+
+    with pytest.raises(Exception, match=r"service upstream is invalid \(e6\)"):
+        validate_upstream (y, { "perm-upstreams": ["other-namespace"]}, [], True)
+
+    with pytest.raises(Exception, match=r"service upstream is invalid \(e6\)"):
+        validate_upstream (y, { "perm-upstreams": [""]}, [], True)

microservices/gatewayApi/utils/validators.py

@@ -1,5 +1,6 @@
 
 import re
+from urllib.parse import urlparse
 
 namespace_validation_rule='^[a-z][a-z0-9-]{4,14}$'
 
@@ -16,3 +17,58 @@ def host_valid(input_string):
     # match = regex.match(str(input_string))
     # return bool(match is not None)
 
+def validate_upstream(yaml, ns_attributes, protected_kube_namespaces, do_validate_upstreams: bool = False):
+    errors = []
+
+    perm_upstreams = ns_attributes.get('perm-upstreams', [])
+
+    allow_protected_ns = ns_attributes.get('perm-protected-ns', ['deny'])[0] == 'allow'
+
+    # A service host must not contain a list of protected
+    if 'services' in yaml:
+        for service in yaml['services']:
+            if 'url' in service:
+                try:
+                    u = urlparse(service["url"])
+                    if u.hostname is None:
+                        errors.append("service upstream has invalid url specified (e1)")
+                    else:
+                        validate_upstream_host(u.hostname, errors, allow_protected_ns, protected_kube_namespaces, do_validate_upstreams, perm_upstreams)
+                except Exception as e:
+                    errors.append("service upstream has invalid url specified (e2)")
+
+            if 'host' in service:
+                host = service["host"]
+                validate_upstream_host(host, errors, allow_protected_ns, protected_kube_namespaces, do_validate_upstreams, perm_upstreams)
+
+    if len(errors) != 0:
+        raise Exception('\n'.join(errors))
+
+
+def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_namespaces, do_validate_upstreams, perm_upstreams):
+    host = _host.lower()
+
+    restricted = ['localhost', '127.0.0.1', '0.0.0.0']
+
+    if host in restricted:
+        errors.append("service upstream is invalid (e1)")
+    elif host.endswith('svc'):
+        partials = host.split('.')
+        # get the namespace, and make sure it is not in the protected_kube_namespaces list
+        if len(partials) != 3:
+            errors.append("service upstream is invalid (e2)")
+        elif partials[1] in protected_kube_namespaces and allow_protected_ns is False:
+            errors.append("service upstream is invalid (e3)")
+        elif do_validate_upstreams and (partials[1] in perm_upstreams) is False:
+            errors.append("service upstream is invalid (e6)")
+    elif host.endswith('svc.cluster.local'):
+        partials = host.split('.')
+        # get the namespace, and make sure it is not in the protected_kube_namespaces list
+        if len(partials) != 5:
+            errors.append("service upstream is invalid (e4)")
+        elif partials[1] in protected_kube_namespaces and allow_protected_ns is False:
+            errors.append("service upstream is invalid (e5)")
+        elif do_validate_upstreams and (partials[1] in perm_upstreams) is False:
+            errors.append("service upstream is invalid (e6)")
+    elif do_validate_upstreams:
+        errors.append("service upstream is invalid (e6)")