
Commit ae5468d

committed
AWS applies a default ssl policy if one is undefined.
1 parent 9010b54 commit ae5468d


2 files changed

+22
-13
lines changed


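--- a/pkg/annotations/annotations.go
+++ b/pkg/annotations/annotations.go
@@ -705,10 +705,17 @@ func (a *Annotations) setWafACLID(annotations map[string]string, validator Valid
 }
 
 func (a *Annotations) setSslPolicy(annotations map[string]string, validator Validator) error {
+	if a.CertificateArn != nil {
+		a.SslPolicy = aws.String("ELBSecurityPolicy-2016-08") // AWS default policy
+	}
+
 	if sslPolicy, ok := annotations[sslPolicyKey]; ok {
 		a.SslPolicy = aws.String(sslPolicy)
-		if err := validator.ValidateSslPolicy(a); err != nil {
-			return err
+		if c := cacheLookup(sslPolicy); c == nil || c.Expired() {
+			if err := validator.ValidateSslPolicy(a); err != nil {
+				return err
+			}
+			cache.Set(sslPolicy, "success", 30*time.Minute)
 		}
 	}
 	return nil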
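Review bot: The default on the new `if a.CertificateArn != nil` branch is only applied when setCertificateArn has already run, so setSslPolicy now has an undocumented ordering dependency on a sibling setter; a caller that invokes the setters in a different order silently gets no default. A comment on that branch such as `// Requires setCertificateArn to have run first: AWS only applies its default SSL policy to listeners that carry a certificate.` would make the precondition explicit (the test change in annotations_test.go adds the same ordering). The new cache entry is keyed by the policy name alone while `validator.ValidateSslPolicy(a)` receives the whole Annotations value, so a cached "success" is reused for any later Annotations that names the same policy; that is sound only if a policy name's validity does not depend on the rest of `a`, which is worth stating in a comment beside `cacheLookup`, and `30*time.Minute` would read better as a named package constant. The function's closing brace lies outside the hunk.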

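--- a/pkg/annotations/annotations_test.go
+++ b/pkg/annotations/annotations_test.go
@@ -115,27 +115,29 @@ func TestSetIgnoreHostHeader(t *testing.T) {
 
 func TestSetSslPolicy(t *testing.T) {
 	var tests = []struct {
-		SslPolicy string
-		expected string
-		pass bool
+		Annotations map[string]string
+		expected string
+		pass bool
 	}{
-		{"", "", true}, // ip-address-type has a sane default
-		{"ELBSecurityPolicy-TLS-1-2-2017-01", "", false},
-		{"ELBSecurityPolicy-TLS-1-2-2017-01", "ELBSecurityPolicy-TLS-1-2-2017-01", true},
+		{map[string]string{}, "", true}, // ssl policy has a sane default
+		{map[string]string{sslPolicyKey: "ELBSecurityPolicy-TLS-1-2-2017-01"}, "", false},
+		{map[string]string{certificateArnKey: "arn:aws:acm:"}, "ELBSecurityPolicy-2016-08", true}, // AWS's default policy when there is a cert assigned is 'ELBSecurityPolicy-2016-08'
+		{map[string]string{sslPolicyKey: "ELBSecurityPolicy-TLS-1-2-2017-01"}, "ELBSecurityPolicy-TLS-1-2-2017-01", true},
 	}
 
 	for _, tt := range tests {
 		a := &Annotations{}
+		a.setCertificateArn(tt.Annotations, fakeValidator())
 
-		err := a.setSslPolicy(map[string]string{sslPolicyKey: tt.SslPolicy}, fakeValidator())
+		err := a.setSslPolicy(tt.Annotations, fakeValidator())
 		if err != nil && tt.pass {
-			t.Errorf("setIpAddressType(%v): expected %v, actual %v", tt.SslPolicy, tt.pass, err)
+			t.Errorf("setSslPolicy(%v): expected %v, actual %v", tt.Annotations[sslPolicyKey], tt.pass, err)
 		}
-		if err == nil && tt.pass && tt.expected != *a.SslPolicy {
-			t.Errorf("setIpAddressType(%v): expected %v, actual %v", tt.SslPolicy, tt.expected, *a.SslPolicy)
+		if err == nil && tt.pass && a.SslPolicy != nil && tt.expected != *a.SslPolicy {
+			t.Errorf("setSslPolicy(%v): expected %v, actual %v", tt.Annotations[sslPolicyKey], tt.expected, *a.SslPolicy)
 		}
 		if err == nil && !tt.pass && tt.expected == *a.SslPolicy {
-			t.Errorf("setIpAddressType(%v): expected %v, actual %v", tt.SslPolicy, tt.expected, *a.SslPolicy)
+			t.Errorf("setSslPolicy(%v): expected %v, actual %v", tt.Annotations[sslPolicyKey], tt.expected, *a.SslPolicy)
 		}
 	}
 }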
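Review bot: The `a.SslPolicy != nil &&` guard added to the second check makes the `map[string]string{}` row assert nothing: when no policy is set the comparison is skipped, so a regression that started populating SslPolicy without a certificate would still pass, and the third check still dereferences `*a.SslPolicy` unguarded. Reading the value through the SDK helper keeps both checks total: `got := aws.StringValue(a.SslPolicy)` right after the setSslPolicy call, then `if err == nil && tt.pass && tt.expected != got {` and `if err == nil && !tt.pass && tt.expected == got {`, using `got` in the Errorf calls (the test file would need the aws import if it does not have it already). Separately, setSslPolicy now writes a "success" entry into what appears to be a package-level cache, so a validation result can carry over between rows that name the same policy (rows 2 and 4 do) and between tests in this package; if the cache is reachable from the test, clearing it at the top of TestSetSslPolicy would keep the rows independent. TestSetSslPolicy starts and ends inside the hunk.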
