Fixes #379

vfarcic · vfarcic · commit 3862cc497d2f · 2017-12-02T22:39:31.000+01:00
diff --git a/docs/usage.md b/docs/usage.md
@@ -23,7 +23,7 @@ The following query parameters can be used to send a *reconfigure* request to *D
 |delResHeader   |Additional headers that will be deleted in the response before forwarding it to the client. Multiple headers should be separated with comma (`,`). Change the environment variable `SEPARATOR` if comma is to be used for other purposes. Please consult [Delete a header in the response](https://www.haproxy.com/doc/aloha/7.0/haproxy/http_rewriting.html#delete-a-header-in-the-response) for more info.<br>**Example:** `X-Varnish,X-Cache`|
 |distribute   |Whether to distribute a request to all the instances of the proxy. Used only in the *swarm* mode.<br>**Example:** `true`|false|
 |httpsPort      |The internal HTTPS port of a service that should be reconfigured. The port is used only in the `swarm` mode. If not specified, the `port` parameter will be used instead.<br>**Example:** `443`|
-|ignoreAuthorization|If set to true, the service destination will not require authorization. The parameter must be prefixed with the index of the service destion that should be excluded from authorization.<br>**Default:** `false`<br>**Example:** `true`|
+|ignoreAuthorization|If set to true, the service destination will not require authorization. The parameter must be prefixed with the index of the service destination that should be excluded from authorization.<br>**Default:** `false`<br>**Example:** `true`|
 |isDefaultBackend  |If set to true, the service will be set to the default_backend rule, meaning it will catch all requests not matching any other rules.<br>**Default:** `false`<br>**Example:** `true`|
 |port           |The internal port of a service that should be reconfigured. The port is used only in the `swarm` mode. The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `port.1`, `port.2`, and so on). This field is **mandatory** when running in `swarm` or `service` mode.<br>**Example:** `8080`|
 |reqMode        |The request mode. The proxy should be able to work with any mode supported by HAProxy. However, actively supported and tested modes are `http`, `tcp`, and `sni`. The `sni` mode implies TCP with an SNI-based routing. The parameter can be prefixed with an index thus allowing definition of multiple modes for a single service (e.g. `http`, `tcp`, and so on).<br>**Default:** value of the `DEFAULT_REQ_MODE` environment variable.<br>**Example:** `tcp`|
@@ -36,7 +36,7 @@ The following query parameters can be used to send a *reconfigure* request to *D
 |timeoutServer  |The server timeout in seconds.<br>**Default:** `20`<br>**Example:** `60`|
 |timeoutTunnel  |The tunnel timeout in seconds.<br>**Default:** `3600`<br>**Example:** `3600`|
 
-Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, `serviceDomain``allowedMethods`, `deniedMethods`, `denyHttp`, `httpsOnly`, `redirectFromDomain`, `ReqMode`, or `outboundHostname` parameters. In that case, `srcPort` is required.
+Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `servicePathExclude`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, `serviceDomain``allowedMethods`, `deniedMethods`, `denyHttp`, `httpsOnly`, `redirectFromDomain`, `ReqMode`, or `outboundHostname` parameters. In that case, `srcPort` is required.
 
 ### HTTP Mode Query Parameters
 
@@ -60,6 +60,7 @@ The following query parameters can be used only when `reqMode` is set to `http`
 |serviceDomainAlgo|Algorithm that should be applied to domain ACLs. Any ACL works only with one flag: `-i : ignore case during matching of all subsequent patterns`. If not set, the value of the environment variable `SERVICE_DOMAIN_ALGO` will be used instead. If defaults to `hdr_beg(host)`<br>**Examples:**<br>`hdr(host)`: matches only if domain is the same as `serviceDomain`<br>`hdr_dom(host)`: matches the specified `serviceDomain` and any subdomain (a string either isolated or delimited by dots). **Example:** if `hdr_dom(host)` contains `www.ecme.com` and `serviceDomain` equals `ecme.com` the rule will be passed.<br>`req.ssl_sni`: matches Server Name TLS extension|
 |serviceHeader|Headers used to filter requests. If set, the proxy will allow access only to requests that contain specified headers. A header consists of a key and value separated with colon (e.g. `X-Version:3`). Multiple headers can be separated with comma (e.g. `X-Version:3,name:viktor`). The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `serviceHeader.1`, `serviceHeader.2`, and so on). <br>**Example:** `X-Version:3,name:viktor`|
 |servicePath  |The URL path of the service. Multiple values should be separated with comma (`,`). The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `servicePath.1`, `servicePath.2`, and so on). This parameter **is mandatory** unless `serviceDomain` is specified.<br>**Example:** `/api/v1/books`|
+|servicePathExclude|The URL path that should be excluded from the rules. Multiple values should be separated with comma (`,`). The parameter can be prefixed with an index thus allowing definition of multiple destinations for a single service (e.g. `servicePathExclude.1`, `servicePathExclude.2`, and so on).<br>**Example:** `/metrics`|
 |sessionType  |Determines the type of sticky sessions. If set to `sticky-server`, session cookie will be set by the proxy. Any other value means that sticky sessions are not used and load balancing is performed by Docker's Overlay network.<br>**Example:** `sticky-server`|
 |sslVerifyNone|If set to true, backend server certificates are not verified. This flag should be set for SSL enabled backend services.<br>**Example:** `true`<br>**Default Value:** `false`|
 |templateBePath|The path to the template representing a snippet of the backend configuration. If specified, the backend template will be loaded from the specified file. See the [Templates](#templates) section for more info.<br>**Example:** `/tmpl/be.tmpl`|
@@ -70,7 +71,7 @@ The following query parameters can be used only when `reqMode` is set to `http`
 |usersPassEncrypted|Indicates whether passwords provided by `users` or `usersSecret` contain encrypted data. Passwords can be encrypted with the command `mkpasswd -m sha-512 password1`.<br>**Example:** `true`<br>**Default Value:** `false`|
 |verifyClientSsl|Whether to verify client SSL and, if it is not valid, deny request and return 403 Forbidden status code. SSL is validated against the `ca-file` specified through the environment variable `CA_FILE`.<br>**Example:** true<br>**Default Value:** `false`|
 
-Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, `serviceDomain`, `allowedMethods`, `deniedMethods`, `denyHttp`, `httpsOnly`, `redirectFromDomain`, `ReqMode`, or `outboundHostname` parameters. In that case, `srcPort` is required.
+Multiple destinations for a single service can be specified by adding index as a suffix to `servicePath`, `servicePathExclude`, `srcPort`, `port`, `userAgent`, `ignoreAuthorization`, `serviceDomain`, `allowedMethods`, `deniedMethods`, `denyHttp`, `httpsOnly`, `redirectFromDomain`, `ReqMode`, or `outboundHostname` parameters. In that case, `srcPort` is required.
 
 ### TCP Mode HTTP Query Parameters
 
@@ -132,6 +133,7 @@ The map between the HTTP query parameters and environment variables is as follow
 |serviceDomain        |SERVICE_DOMAIN          |
 |serviceName          |SERVICE_NAME            |
 |servicePath          |SERVICE_PATH            |
+|servicePathExclude   |SERVICE_PATH_EXCLUDE    |
 |setReqHeader         |SET_REQ_HEADER          |
 |setResHeader         |SET_RES_HEADER          |
 |srcPort              |SRC_PORT                |
diff --git a/integration_tests/integration_swarm_test.go b/integration_tests/integration_swarm_test.go
@@ -2,7 +2,6 @@ package integration_test
 
 import (
 	"fmt"
-	"github.com/stretchr/testify/suite"
 	"io/ioutil"
 	"log"
 	"net/http"
@@ -11,6 +10,8 @@ import (
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/stretchr/testify/suite"
 )
 
 // Setup
@@ -73,6 +74,7 @@ func TestGeneralIntegrationSwarmTestSuite(t *testing.T) {
 	suite.Run(t, s)
 
 	s.removeServices("go-demo-api", "go-demo-db", "proxy", "proxy-env", "redis")
+	exec.Command("/bin/sh", "-c", "docker network rm proxy").Output()
 	exec.Command("/bin/sh", "-c", "docker system prune -f").Output()
 }
 
@@ -89,6 +91,17 @@ func (s IntegrationSwarmTestSuite) Test_Reconfigure() {
 	}
 }
 
+func (s IntegrationSwarmTestSuite) Test_ExcludePaths() {
+	s.reconfigureGoDemo("&servicePathExclude=/demo/hello")
+
+	resp, err := s.sendHelloRequest()
+
+	s.NoError(err)
+	if resp != nil {
+		s.Equal(503, resp.StatusCode, s.getProxyConf(""))
+	}
+}
+
 func (s IntegrationSwarmTestSuite) Test_Domain() {
 	s.reconfigureGoDemo("&serviceDomain=my-domain.com")
 
diff --git a/main.go b/main.go
@@ -1,12 +1,11 @@
 package main
 
 import (
-	"./logging"
 	"log"
 	"os"
 	"strings"
-	//	"sync"
-	//	"github.com/hashicorp/go-reap"
+
+	"./logging"
 )
 
 func main() {
diff --git a/proxy/ha_proxy_test.go b/proxy/ha_proxy_test.go
@@ -740,6 +740,39 @@ func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsContentFrontEnd() {
 	s.Equal(expectedData, actualData)
 }
 
+func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsServicePathExclude() {
+	var actualData string
+	tmpl := s.TemplateContent
+	expectedData := fmt.Sprintf(
+		`%s
+    acl url_my-service-11111_0 path_beg /path-1
+    acl url_exclude_my-service-11111_0 path_beg /path-2 path_beg /path-3
+    acl http_my-service-1 dst_port 80
+    acl https_my-service-1 dst_port 443
+    use_backend my-service-1-be1111_0 if url_my-service-11111_0 !url_exclude_my-service-11111_0 http_my-service-1
+    use_backend https-my-service-1-be1111_0 if url_my-service-11111_0 !url_exclude_my-service-11111_0 https_my-service-1%s`,
+		tmpl,
+		s.ServicesContent,
+	)
+	writeFile = func(filename string, data []byte, perm os.FileMode) error {
+		actualData = string(data)
+		return nil
+	}
+	p := NewHaProxy(s.TemplatesPath, s.ConfigsPath)
+	dataInstance.Services["my-service-1"] = Service{
+		ServiceName: "my-service-1",
+		PathType:    "path_beg",
+		HttpsPort:   2222,
+		ServiceDest: []ServiceDest{
+			{Port: "1111", ServicePath: []string{"/path-1"}, ServicePathExclude: []string{"/path-2", "/path-3"}},
+		},
+	}
+
+	p.CreateConfigFromTemplates()
+
+	s.Equal(expectedData, actualData)
+}
+
 func (s HaProxyTestSuite) Test_CreateConfigFromTemplates_AddsSortedContentFrontEnd() {
 	var actualData string
 	tmpl := s.TemplateContent
diff --git a/proxy/template.go b/proxy/template.go
@@ -21,6 +21,9 @@ func getFrontTemplate(s Service) string {
         {{- end}}
         {{- if ne .Port ""}}
     acl url_{{$.AclName}}{{.Port}}_{{.Index}}{{range .ServicePath}} {{if eq $.PathType ""}}path_beg{{end}}{{if ne $.PathType ""}}{{$.PathType}}{{end}} {{.}}{{end}}{{.SrcPortAcl}}
+        {{- end}}
+        {{- if .ServicePathExclude}}
+    acl url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{range .ServicePathExclude}} {{if eq $.PathType ""}}path_beg{{end}}{{if ne $.PathType ""}}{{$.PathType}}{{end}} {{.}}{{end}}{{.SrcPortAcl}}
         {{- end}}
         {{- $length := len .UserAgent.Value}}{{if gt $length 0}}
     acl user_agent_{{$.AclName}}_{{.UserAgent.AclName}}_{{.Index}} hdr_sub(User-Agent) -i{{range .UserAgent.Value}} {{.}}{{end}}
@@ -58,9 +61,9 @@ func getFrontTemplate(s Service) string {
 {{- end}}
 {{- range $sd := .ServiceDest}}
     {{- if eq .ReqMode "http"}}{{- if ne .Port ""}}
-    use_backend {{$.ServiceName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceHeader}}{{resetIndex}}{{range $key, $value := .ServiceHeader}} hdr_{{$.AclName}}{{$sd.Port}}_{{incIndex}}{{end}}{{end}}{{.SrcPortAclName}}
+    use_backend {{$.ServiceName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceHeader}}{{resetIndex}}{{range $key, $value := .ServiceHeader}} hdr_{{$.AclName}}{{$sd.Port}}_{{incIndex}}{{end}}{{end}}{{.SrcPortAclName}}
 	    {{- if gt $.HttpsPort 0 }} http_{{$.ServiceName}}
-    use_backend https-{{$.ServiceName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}} https_{{$.ServiceName}}
+    use_backend https-{{$.ServiceName}}-be{{.Port}}_{{.Index}} if url_{{$.AclName}}{{.Port}}_{{.Index}}{{if .ServicePathExclude}} !url_exclude_{{$.AclName}}{{.Port}}_{{.Index}}{{end}}{{if .ServiceDomain}} domain_{{$.AclName}}{{.Port}}_{{.Index}}{{end}} https_{{$.ServiceName}}
         {{- end}}
     {{- $length := len .UserAgent.Value}}{{if gt $length 0}} user_agent_{{$.AclName}}_{{.UserAgent.AclName}}_{{.Index}}{{end}}
         {{- if $.IsDefaultBackend}}
diff --git a/proxy/types.go b/proxy/types.go
@@ -43,6 +43,8 @@ type ServiceDest struct {
 	ServiceHeader map[string]string
 	// The URL path of the service.
 	ServicePath []string
+	// The URL path that should be excluded from the rules.
+	ServicePathExclude []string
 	// The source (entry) port of a service.
 	// Useful only when specifying multiple destinations of a single service.
 	SrcPort int
@@ -408,6 +410,7 @@ func getServiceDest(sr *Service, provider ServiceParameterProvider, index int) S
 		ServiceDomain:       getSliceFromString(provider, fmt.Sprintf("serviceDomain%s", suffix)),
 		ServiceHeader:       header,
 		ServicePath:         getSliceFromString(provider, fmt.Sprintf("servicePath%s", suffix)),
+		ServicePathExclude:  getSliceFromString(provider, fmt.Sprintf("servicePathExclude%s", suffix)),
 		SrcPort:             srcPort,
 		VerifyClientSsl:     getBoolParam(provider, fmt.Sprintf("verifyClientSsl%s", suffix)),
 		UserAgent:           userAgent,
diff --git a/proxy/types_test.go b/proxy/types_test.go
@@ -237,6 +237,7 @@ func (s *TypesTestSuite) Test_GetServiceFromProvider_MovesServiceDomainToIndexed
 			ServiceDomain:      []string{"domain1", "domain2"},
 			ServiceHeader:      map[string]string{},
 			ServicePath:        []string{"/"},
+			ServicePathExclude: []string{},
 		}},
 		ServiceName: "serviceName",
 	}
@@ -265,6 +266,7 @@ func (s *TypesTestSuite) Test_GetServiceFromProvider_UsesNonIndexedOutboundHostn
 			ServiceDomain:      []string{},
 			ServiceHeader:      map[string]string{},
 			ServicePath:        []string{"/"},
+			ServicePathExclude: []string{},
 		}},
 		ServiceName: "serviceName",
 	}
@@ -293,6 +295,7 @@ func (s *TypesTestSuite) Test_GetServiceFromProvider_MovesHttpsOnlyToIndexedEntr
 			ServiceDomain:      []string{},
 			ServiceHeader:      map[string]string{},
 			ServicePath:        []string{"/"},
+			ServicePathExclude: []string{},
 		}},
 		ServiceName: "serviceName",
 	}
@@ -322,6 +325,7 @@ func (s *TypesTestSuite) Test_GetServiceFromProvider_UsesHttpsOnlyFromEnvVar() {
 			ServiceDomain:      []string{},
 			ServiceHeader:      map[string]string{},
 			ServicePath:        []string{"/"},
+			ServicePathExclude: []string{},
 		}},
 		ServiceName: "serviceName",
 	}
@@ -421,6 +425,7 @@ func (s *TypesTestSuite) getExpectedService() Service {
 			ServiceDomain:       []string{"domain1", "domain2"},
 			ServiceHeader:       map[string]string{"X-Version": "3", "name": "Viktor"},
 			ServicePath:         []string{"/"},
+			ServicePathExclude:  []string{},
 			ReqMode:             "reqMode",
 			UserAgent:           UserAgent{Value: []string{"agent-1", "agent-2/replace-with_"}, AclName: "agent_1_agent_2_replace_with_"},
 			VerifyClientSsl:     true,
diff --git a/server/server_test.go b/server/server_test.go
@@ -1,17 +1,18 @@
 package server
 
 import (
-	"../actions"
-	"../proxy"
 	"encoding/json"
 	"fmt"
-	"github.com/stretchr/testify/mock"
-	"github.com/stretchr/testify/suite"
 	"net/http"
 	"os"
 	"strconv"
 	"strings"
 	"testing"
+
+	"../actions"
+	"../proxy"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/suite"
 )
 
 type ServerTestSuite struct {
@@ -544,6 +545,7 @@ func (s *ServerTestSuite) Test_GetServiceFromUrl_ReturnsProxyService() {
 			ServiceDomain:      []string{"domain1", "domain2"},
 			ServiceHeader:      map[string]string{"X-Version": "3", "name": "Viktor"},
 			ServicePath:        []string{"/"},
+			ServicePathExclude: []string{"/excluded-path"},
 		}},
 		ServiceDomainAlgo: "hdr_dom",
 		ServiceName:       "serviceName",
@@ -558,7 +560,7 @@ func (s *ServerTestSuite) Test_GetServiceFromUrl_ReturnsProxyService() {
 			{Username: "user2", Password: "pass2", PassEncrypted: true}},
 	}
 	addr := fmt.Sprintf(
-		"%s?serviceName=%s&users=%s&usersPassEncrypted=%t&aclName=%s&serviceCert=%s&outboundHostname=%s&pathType=%s&reqPathSearch=%s&reqPathReplace=%s&templateFePath=%s&templateBePath=%s&timeoutServer=%s&timeoutTunnel=%s&reqMode=%s&httpsOnly=%t&httpsRedirectCode=%s&isDefaultBackend=%t&redirectWhenHttpProto=%t&httpsPort=%d&serviceDomain=%s&redirectFromDomain=%s&distribute=%t&sslVerifyNone=%t&serviceDomainAlgo=%s&addReqHeader=%s&addResHeader=%s&setReqHeader=%s&setResHeader=%s&delReqHeader=%s&delResHeader=%s&servicePath=/&port=1234&connectionMode=%s&serviceHeader=X-Version:3,name:Viktor&allowedMethods=GET,DELETE&deniedMethods=PUT,POST&compressionAlgo=%s&compressionType=%s",
+		"%s?serviceName=%s&users=%s&usersPassEncrypted=%t&aclName=%s&serviceCert=%s&outboundHostname=%s&pathType=%s&reqPathSearch=%s&reqPathReplace=%s&templateFePath=%s&templateBePath=%s&timeoutServer=%s&timeoutTunnel=%s&reqMode=%s&httpsOnly=%t&httpsRedirectCode=%s&isDefaultBackend=%t&redirectWhenHttpProto=%t&httpsPort=%d&serviceDomain=%s&redirectFromDomain=%s&distribute=%t&sslVerifyNone=%t&serviceDomainAlgo=%s&addReqHeader=%s&addResHeader=%s&setReqHeader=%s&setResHeader=%s&delReqHeader=%s&delResHeader=%s&servicePath=/&servicePathExclude=%s&port=1234&connectionMode=%s&serviceHeader=X-Version:3,name:Viktor&allowedMethods=GET,DELETE&deniedMethods=PUT,POST&compressionAlgo=%s&compressionType=%s",
 		s.BaseUrl,
 		expected.ServiceName,
 		"user1:pass1,user2:pass2",
@@ -590,6 +592,7 @@ func (s *ServerTestSuite) Test_GetServiceFromUrl_ReturnsProxyService() {
 		strings.Join(expected.SetResHeader, ","),
 		strings.Join(expected.DelReqHeader, ","),
 		strings.Join(expected.DelResHeader, ","),
+		strings.Join(expected.ServiceDest[0].ServicePathExclude, ","),
 		expected.ConnectionMode,
 		expected.CompressionAlgo,
 		expected.CompressionType,
@@ -633,6 +636,7 @@ func (s *ServerTestSuite) Test_GetServiceFromUrl_SetsServicePathToSlash_WhenDoma
 				ServiceDomain:      []string{"domain1", "domain2"},
 				ServiceHeader:      map[string]string{},
 				ServicePath:        []string{"/"},
+				ServicePathExclude: []string{},
 				Index:              0,
 			},
 		},
