Documentation
¶
Overview ¶
Package validation includes validators to validate values that will propagate to the NGINX configuration.
The validation rules prevent two cases: (1) Invalid values. Such values will cause NGINX to fail to reload the configuration. (2) Malicious values. Such values will cause NGINX to succeed to reload, but will configure NGINX maliciously, outside of the NGF capabilities. For example, configuring NGINX to serve the contents of the file system of its container.
The validation rules are based on the types in the parent config package and how they are used in the NGINX configuration templates. Changes to those might require changing the validation rules.
The rules are much looser for NGINX than for the Gateway API. However, some valid Gateway API values are not valid for NGINX.
Index ¶
- type GenericValidator
- func (GenericValidator) ValidateEndpoint(endpoint string) error
- func (GenericValidator) ValidateEscapedStringNoVarExpansion(value string) error
- func (GenericValidator) ValidateNginxDuration(duration string) error
- func (GenericValidator) ValidateNginxSize(size string) error
- func (GenericValidator) ValidateServiceName(name string) error
- type HTTPHeaderValidator
- type HTTPNJSMatchValidator
- func (HTTPNJSMatchValidator) ValidateHeaderNameInMatch(name string) error
- func (HTTPNJSMatchValidator) ValidateHeaderValueInMatch(value string) error
- func (HTTPNJSMatchValidator) ValidateMethodInMatch(method string) (valid bool, supportedValues []string)
- func (HTTPNJSMatchValidator) ValidatePathInMatch(path string) error
- func (HTTPNJSMatchValidator) ValidateQueryParamNameInMatch(name string) error
- func (HTTPNJSMatchValidator) ValidateQueryParamValueInMatch(value string) error
- type HTTPPathValidator
- type HTTPRedirectValidator
- func (HTTPRedirectValidator) ValidateHostname(hostname string) error
- func (HTTPRedirectValidator) ValidateRedirectPort(_ int32) error
- func (HTTPRedirectValidator) ValidateRedirectScheme(scheme string) (valid bool, supportedValues []string)
- func (HTTPRedirectValidator) ValidateRedirectStatusCode(statusCode int) (valid bool, supportedValues []string)
- type HTTPURLRewriteValidator
- type HTTPValidator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type GenericValidator ¶
type GenericValidator struct{}
GenericValidator validates values for generic cases in the nginx conf.
func (GenericValidator) ValidateEndpoint ¶
func (GenericValidator) ValidateEndpoint(endpoint string) error
ValidateEndpoint validates an alphanumeric endpoint, with optional http scheme and port.
func (GenericValidator) ValidateEscapedStringNoVarExpansion ¶
func (GenericValidator) ValidateEscapedStringNoVarExpansion(value string) error
ValidateEscapedStringNoVarExpansion ensures that no invalid characters are included in the string value that could lead to unwanted nginx behavior.
func (GenericValidator) ValidateNginxDuration ¶
func (GenericValidator) ValidateNginxDuration(duration string) error
ValidateNginxDuration validates a duration string that nginx can understand.
func (GenericValidator) ValidateNginxSize ¶
func (GenericValidator) ValidateNginxSize(size string) error
ValidateNginxSize validates a size string that nginx can understand.
func (GenericValidator) ValidateServiceName ¶
func (GenericValidator) ValidateServiceName(name string) error
ValidateServiceName validates a service name that can only use alphanumeric characters.
type HTTPHeaderValidator ¶
type HTTPHeaderValidator struct{}
HTTPHeaderValidator validates values for request headers, which in NGINX is done with the proxy_set_header directive.
func (HTTPHeaderValidator) ValidateFilterHeaderName ¶
func (HTTPHeaderValidator) ValidateFilterHeaderName(name string) error
func (HTTPHeaderValidator) ValidateFilterHeaderValue ¶
func (HTTPHeaderValidator) ValidateFilterHeaderValue(value string) error
type HTTPNJSMatchValidator ¶
type HTTPNJSMatchValidator struct{}
HTTPNJSMatchValidator validates values used for matching a request. The matching is implemented in NJS (except for path matching), so changes to the implementation change the validation rules here.
func (HTTPNJSMatchValidator) ValidateHeaderNameInMatch ¶
func (HTTPNJSMatchValidator) ValidateHeaderNameInMatch(name string) error
func (HTTPNJSMatchValidator) ValidateHeaderValueInMatch ¶
func (HTTPNJSMatchValidator) ValidateHeaderValueInMatch(value string) error
func (HTTPNJSMatchValidator) ValidateMethodInMatch ¶
func (HTTPNJSMatchValidator) ValidateMethodInMatch(method string) (valid bool, supportedValues []string)
func (HTTPNJSMatchValidator) ValidatePathInMatch ¶
func (HTTPNJSMatchValidator) ValidatePathInMatch(path string) error
ValidatePathInMatch a path used in the location directive.
func (HTTPNJSMatchValidator) ValidateQueryParamNameInMatch ¶
func (HTTPNJSMatchValidator) ValidateQueryParamNameInMatch(name string) error
func (HTTPNJSMatchValidator) ValidateQueryParamValueInMatch ¶
func (HTTPNJSMatchValidator) ValidateQueryParamValueInMatch(value string) error
type HTTPPathValidator ¶
type HTTPPathValidator struct{}
HTTPPathValidator validates values for path used in filters.
func (HTTPPathValidator) ValidatePath ¶
func (HTTPPathValidator) ValidatePath(path string) error
ValidatePath validates a path used in filters.
type HTTPRedirectValidator ¶
type HTTPRedirectValidator struct{}
HTTPRedirectValidator validates values for a redirect, which in NGINX is done with the return directive. For example, return 302 "https://example.com:8080";
func (HTTPRedirectValidator) ValidateHostname ¶
func (HTTPRedirectValidator) ValidateHostname(hostname string) error
func (HTTPRedirectValidator) ValidateRedirectPort ¶
func (HTTPRedirectValidator) ValidateRedirectPort(_ int32) error
func (HTTPRedirectValidator) ValidateRedirectScheme ¶
func (HTTPRedirectValidator) ValidateRedirectScheme(scheme string) (valid bool, supportedValues []string)
ValidateRedirectScheme validates a scheme to be used in the return directive for a redirect. NGINX rules are not restrictive, but it is easier to validate just for two allowed values http and https, dictated by the Gateway API spec.
func (HTTPRedirectValidator) ValidateRedirectStatusCode ¶
func (HTTPRedirectValidator) ValidateRedirectStatusCode(statusCode int) (valid bool, supportedValues []string)
ValidateRedirectStatusCode validates a status code to be used in the return directive for a redirect. NGINX allows 0..999. However, let's be conservative and only allow 301 and 302 (the values allowed by the Gateway API spec). Note that in the future, we might reserve some codes for internal redirects, so better not to allow all possible code values. We can always relax the validation later in case there is a need.
type HTTPURLRewriteValidator ¶
type HTTPURLRewriteValidator struct{}
HTTPURLRewriteValidator validates values for a URL rewrite.
type HTTPValidator ¶
type HTTPValidator struct {
HTTPNJSMatchValidator
HTTPRedirectValidator
HTTPURLRewriteValidator
HTTPHeaderValidator
HTTPPathValidator
}
HTTPValidator validates values that will propagate into the NGINX configuration http context. The validation rules are based on the nginx/config/http types and how they are used in the configuration templates of the nginx/config package. Changes to those might require changing the validation rules.
func (HTTPValidator) SkipValidation ¶
func (HTTPValidator) SkipValidation() bool
Source Files