Authreq annotation parser wrongly applies ValidHeader() regex against header values in auth-proxy-set-headers ConfigMap

[jcrood]

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): no

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): auth headers

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

NGINX Ingress controller version: 0.26.1

Kubernetes version (use kubectl version): 1.15.3

Environment:

• Cloud provider or hardware configuration: bare metal x86
• OS (e.g. from /etc/os-release): Ubuntu 18.04.3
• Kernel (e.g. uname -a): 4.15.0-64-generic
• Install tools: kubectl
• Others:

What happened:
Produced an nginx config missing all the required bits to make nginx.ingress.kubernetes.io/auth-url work, triggered by an added header trough the auth-proxy-set-headers annotation that contained value that didn't match headerRegexp. This is caused by authReq.Parse() applying ValidHeader() and its regex against the header values, rejecting apparently valid values.

What you expected to happen:
For it to freely accept header values set in the ConfigMap for auth-proxy-set-headers and produce an nginx config with an auth_request entry pointing to an internal auth location, which in turn contains proxy_set_header entries as set in this map.

How to reproduce it (as minimally and precisely as possible):
Try creating an ingress config using the following yaml then inspect the output nginx.conf. The value "Bearer $cookie_jwt_token" does not pass ^[a-zA-Z\d\-_]+$ resulting in a broken configuration.

apiVersion: v1
kind: ConfigMap
metadata:
  name: auth-headers
  namespace: archive-test
data:
  Authorization: "Bearer $cookie_jwt_token"
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: archive-dam
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "http://backend.archive-test.svc.cluster.local:4040/dam/sso"
    nginx.ingress.kubernetes.io/auth-proxy-set-headers: "archive-test/auth-headers"
spec:
  rules:
    - http:
        paths:
          - path: /dam
            backend:
              serviceName: testdam
              servicePort: 8080

Anything else we need to know:
As I mentioned above, the annotation parser seems to be in error in its treatment of header values provided in the ConfigMap. I traced this back to https://github.com/kubernetes/ingress-nginx/blob/master/internal/ingress/annotations/authreq/main.go#L223 where it checks both the header name and value with ValidHeader(), where it probably should only check the header name (and perhaps have a slightly more permissive check for the value.)

I currently work around this by using an auth-snippet to produce a working config, but it would be nice to be able to use auth-proxy-set-headers as intended:

nginx.ingress.kubernetes.io/auth-snippet: |
  proxy_set_header Authorization "Bearer $cookie_jwt_token";

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[jobevers]

/remove-lifecycle stale