If server_tokens is disabled remove the Server header (kubernetes#1903)

* If server_tokens is disabled remove the Server header * Add server-tokens tests * Fix tests
aledbf · Jan 18, 2018 · a07a563 · a07a563
1 parent eea9e8f
commit a07a563
Show file tree

Hide file tree

Showing 3 changed files with 145 additions and 1 deletion.
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -135,6 +135,9 @@ http {
     {{ end }}
 
     server_tokens {{ if $cfg.ShowServerTokens }}on{{ else }}off{{ end }};
+    {{ if not $cfg.ShowServerTokens }}
+    more_set_headers "Server: ";
+    {{ end }}
 
     # disable warnings
     uninitialized_variable_warn off;

diff --git a/test/e2e/framework/framework.go b/test/e2e/framework/framework.go
@@ -173,6 +173,13 @@ func (f *Framework) WaitForNginxServer(name string, matcher func(cfg string) boo
 	return wait.PollImmediate(Poll, time.Minute*2, f.matchNginxConditions(name, matcher))
 }
 
+// WaitForNginxConfiguration waits until the nginx configuration contains a particular configuration
+func (f *Framework) WaitForNginxConfiguration(matcher func(cfg string) bool) error {
+	// initial wait to allow the update of the ingress controller
+	time.Sleep(5 * time.Second)
+	return wait.PollImmediate(Poll, time.Minute*2, f.matchNginxConditions("", matcher))
+}
+
 // NginxLogs returns the logs of the nginx ingress controller pod running
 func (f *Framework) NginxLogs() (string, error) {
 	l, err := f.KubeClientSet.CoreV1().Pods("ingress-nginx").List(metav1.ListOptions{
@@ -210,7 +217,13 @@ func (f *Framework) matchNginxConditions(name string, matcher func(cfg string) b
 			return false, fmt.Errorf("unexpected number of nginx ingress controller pod is running (%v)", len(l.Items))
 		}
 
-		cmd := fmt.Sprintf("cat /etc/nginx/nginx.conf | awk '/## start server %v/,/## end server %v/'", name, name)
+		var cmd string
+		if name == "" {
+			cmd = fmt.Sprintf("cat /etc/nginx/nginx.conf")
+		} else {
+			cmd = fmt.Sprintf("cat /etc/nginx/nginx.conf | awk '/## start server %v/,/## end server %v/'", name, name)
+		}
+
 		o, err := f.ExecCommand(&l.Items[0], cmd)
 		if err != nil {
 			return false, err

diff --git a/test/e2e/settings/server_tokens.go b/test/e2e/settings/server_tokens.go
@@ -0,0 +1,128 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package setting
+
+import (
+	"strings"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"k8s.io/api/extensions/v1beta1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("Server Tokens", func() {
+	f := framework.NewDefaultFramework("server-tokens")
+
+	BeforeEach(func() {
+		err := f.NewEchoDeployment()
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	AfterEach(func() {
+	})
+
+	It("should not exists Server header in the response", func() {
+		serverTokens := "server-tokens"
+		updateConfigmap(serverTokens, "false", f.KubeClientSet)
+		defer updateConfigmap(serverTokens, "false", f.KubeClientSet)
+
+		ing, err := f.EnsureIngress(&v1beta1.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:        serverTokens,
+				Namespace:   f.Namespace.Name,
+				Annotations: map[string]string{},
+			},
+			Spec: v1beta1.IngressSpec{
+				Rules: []v1beta1.IngressRule{
+					{
+						Host: serverTokens,
+						IngressRuleValue: v1beta1.IngressRuleValue{
+							HTTP: &v1beta1.HTTPIngressRuleValue{
+								Paths: []v1beta1.HTTPIngressPath{
+									{
+										Path: "/",
+										Backend: v1beta1.IngressBackend{
+											ServiceName: "http-svc",
+											ServicePort: intstr.FromInt(80),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		})
+
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		err = f.WaitForNginxConfiguration(
+			func(server string) bool {
+				return strings.Contains(server, "server_tokens off") &&
+					strings.Contains(server, "more_set_headers \"Server: \"")
+			})
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	It("should exists Server header in the response when is enabled", func() {
+		serverTokens := "server-tokens"
+		updateConfigmap(serverTokens, "true", f.KubeClientSet)
+		defer updateConfigmap(serverTokens, "false", f.KubeClientSet)
+
+		ing, err := f.EnsureIngress(&v1beta1.Ingress{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:        serverTokens,
+				Namespace:   f.Namespace.Name,
+				Annotations: map[string]string{},
+			},
+			Spec: v1beta1.IngressSpec{
+				Rules: []v1beta1.IngressRule{
+					{
+						Host: serverTokens,
+						IngressRuleValue: v1beta1.IngressRuleValue{
+							HTTP: &v1beta1.HTTPIngressRuleValue{
+								Paths: []v1beta1.HTTPIngressPath{
+									{
+										Path: "/",
+										Backend: v1beta1.IngressBackend{
+											ServiceName: "http-svc",
+											ServicePort: intstr.FromInt(80),
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		})
+
+		Expect(err).NotTo(HaveOccurred())
+		Expect(ing).NotTo(BeNil())
+
+		err = f.WaitForNginxConfiguration(
+			func(server string) bool {
+				return strings.Contains(server, "server_tokens on")
+			})
+		Expect(err).NotTo(HaveOccurred())
+	})
+})