MINOR: deprecate whitelist and black list in favor of allow-list and deny-list

vgramer · vgramer · commit b4fd28c0d137 · 2023-07-12T09:57:07.000+02:00
occurrences of whitelist and blacklist in code have been renamed to allow-list and deny-list

Signed-off-by: Vincent Gramer &lt;vgramer@haproxy.com&gt;
diff --git a/deploy/tests/e2e/access-control/access_control_test.go b/deploy/tests/e2e/access-control/access_control_test.go
@@ -41,7 +41,7 @@ func (suite *AccessControlSuite) Test_Whitelist() {
 	suite.Run("Inline", func() {
 		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
 			{"src-ip-header", " X-Client-IP"},
-			{"whitelist", " 192.168.2.0/24"},
+			{"allow-list", " 192.168.2.0/24"},
 		}
 
 		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
@@ -50,10 +50,62 @@ func (suite *AccessControlSuite) Test_Whitelist() {
 		suite.eventuallyReturns("192.168.5.3", http.StatusForbidden)
 	})
 
+	suite.Run("Inline deprecated annotation name", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"whitelist", "192.168.4.0/24"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+
+		suite.eventuallyReturns("192.168.4.3", http.StatusOK)
+		suite.eventuallyReturns("192.168.5.3", http.StatusForbidden)
+	})
+
+	suite.Run("Inline: when new and deprecated annotation names are defined then only new name is considered", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"whitelist", "192.168.4.0/24"},
+			{"allow-list", "192.168.5.0/24"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+
+		suite.eventuallyReturns("192.168.5.3", http.StatusOK)
+		suite.eventuallyReturns("192.168.4.3", http.StatusForbidden)
+	})
+
 	suite.Run("Patternfile", func() {
 		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
 			{"src-ip-header", " X-Client-IP"},
-			{"whitelist", " patterns/ips"},
+			{"allow-list", " patterns/ips"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+		suite.NoError(suite.test.Apply("config/patternfile-a.yml", "", nil))
+
+		suite.eventuallyReturns("192.168.0.3", http.StatusOK)
+		suite.eventuallyReturns("192.168.2.3", http.StatusForbidden)
+	})
+
+	suite.Run("Patternfile deprecated annotation name", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"whitelist", " patterns/ips2"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+		suite.NoError(suite.test.Apply("config/patternfile-a.yml", "", nil))
+
+		suite.eventuallyReturns("192.169.0.3", http.StatusOK)
+		suite.eventuallyReturns("192.168.2.3", http.StatusForbidden)
+	})
+
+	suite.Run("Patternfile: when new and deprecated annotation names are defined then only new name is considered", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"whitelist", " patterns/ips2"},
+			{"allow-list", " patterns/ips"},
 		}
 
 		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
@@ -68,7 +120,7 @@ func (suite *AccessControlSuite) Test_Blacklist() {
 	suite.Run("Inline", func() {
 		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
 			{"src-ip-header", " X-Client-IP"},
-			{"blacklist", " 192.168.2.0/24"},
+			{"deny-list", " 192.168.2.0/24"},
 		}
 
 		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
@@ -77,10 +129,35 @@ func (suite *AccessControlSuite) Test_Blacklist() {
 		suite.eventuallyReturns("192.168.5.3", http.StatusOK)
 	})
 
+	suite.Run("Inline deprecated annotation name", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"blacklist", "192.168.4.0/24"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+
+		suite.eventuallyReturns("192.168.4.3", http.StatusForbidden)
+		suite.eventuallyReturns("192.168.5.3", http.StatusOK)
+	})
+
+	suite.Run("Inline: when new and deprecated annotation names are defined then only new name is considered", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"blacklist", "192.168.4.0/24"},
+			{"deny-list", "192.168.5.0/24"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+
+		suite.eventuallyReturns("192.168.5.3", http.StatusForbidden)
+		suite.eventuallyReturns("192.168.4.3", http.StatusOK)
+	})
+
 	suite.Run("Patternfile", func() {
 		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
 			{"src-ip-header", " X-Client-IP"},
-			{"blacklist", " patterns/ips"},
+			{"deny-list", "patterns/ips"},
 		}
 
 		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
@@ -89,4 +166,30 @@ func (suite *AccessControlSuite) Test_Blacklist() {
 		suite.eventuallyReturns("192.168.0.3", http.StatusForbidden)
 		suite.eventuallyReturns("192.168.2.3", http.StatusOK)
 	})
+
+	suite.Run("Patternfile deprecated annotation name", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"blacklist", " patterns/ips2"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+		suite.NoError(suite.test.Apply("config/patternfile-a.yml", "", nil))
+
+		suite.eventuallyReturns("192.169.0.3", http.StatusForbidden)
+		suite.eventuallyReturns("192.168.2.3", http.StatusOK)
+	})
+	suite.Run("Patternfile: when new and deprecated annotation names are defined then only new name is considered", func() {
+		suite.tmplData.IngAnnotations = []struct{ Key, Value string }{
+			{"src-ip-header", " X-Client-IP"},
+			{"blacklist", "patterns/ips2"},
+			{"deny-list", "patterns/ips"},
+		}
+
+		suite.NoError(suite.test.Apply("config/deploy.yaml.tmpl", suite.test.GetNS(), suite.tmplData))
+		suite.NoError(suite.test.Apply("config/patternfile-a.yml", "", nil))
+
+		suite.eventuallyReturns("192.168.0.3", http.StatusForbidden)
+		suite.eventuallyReturns("192.169.2.3", http.StatusOK)
+	})
 }
diff --git a/deploy/tests/e2e/access-control/config/patternfile-a.yml b/deploy/tests/e2e/access-control/config/patternfile-a.yml
@@ -7,3 +7,6 @@ data:
   ips: |
     192.168.0.0/24
     192.168.1.0/24
+  ips2: |
+    192.169.0.0/24
+    192.169.1.0/24
diff --git a/pkg/annotations/annotations.go b/pkg/annotations/annotations.go
@@ -98,8 +98,8 @@ func (a annImpl) Frontend(i *store.Ingress, r *rules.List, m maps.Maps) []Annota
 	resSetCORS := ingress.NewResSetCORS(r)
 	return []Annotation{
 		// Simple annoations
-		ingress.NewBlackList("blacklist", r, m),
-		ingress.NewWhiteList("whitelist", r, m),
+		ingress.NewDenyList("deny-list", r, m),
+		ingress.NewAllowList("allow-list", r, m),
 		ingress.NewSrcIPHdr("src-ip-header", r),
 		ingress.NewReqSetHost("set-host", r),
 		ingress.NewReqPathRewrite("path-rewrite", r),
diff --git a/pkg/annotations/ingress/accessControl.go b/pkg/annotations/ingress/accessControl.go
@@ -12,45 +12,53 @@ import (
 	"github.com/haproxytech/kubernetes-ingress/pkg/utils"
 )
 
+var logger = utils.GetLogger()
+
 type AccessControl struct {
-	maps      maps.Maps
-	rules     *rules.List
-	name      string
-	whitelist bool
+	maps  maps.Maps
+	rules *rules.List
+
+	// name of the annotation managing the access control (either allow-list or deny-list)
+	name string
+
+	// deprecatedName is the deprecated annotation's name managing the access control (either whitelist or blacklist).
+	// It will be removed in a future version in favor name.
+	deprecatedName string
+	allowList      bool
 }
 
-func NewBlackList(n string, r *rules.List, m maps.Maps) *AccessControl {
-	return &AccessControl{name: n, rules: r, maps: m}
+func NewDenyList(n string, r *rules.List, m maps.Maps) *AccessControl {
+	return &AccessControl{name: n, deprecatedName: "blacklist", rules: r, maps: m}
 }
 
-func NewWhiteList(n string, r *rules.List, m maps.Maps) *AccessControl {
-	return &AccessControl{name: n, rules: r, maps: m, whitelist: true}
+func NewAllowList(n string, r *rules.List, m maps.Maps) *AccessControl {
+	return &AccessControl{name: n, deprecatedName: "whitelist", rules: r, maps: m, allowList: true}
 }
 
 func (a *AccessControl) GetName() string {
 	return a.name
 }
 
 func (a *AccessControl) Process(k store.K8s, annotations ...map[string]string) (err error) {
-	input := common.GetValue(a.GetName(), annotations...)
+	input := a.GetAnnotationValue(annotations...)
 	if input == "" {
 		return
 	}
 
 	if strings.HasPrefix(input, "patterns/") {
 		a.rules.Add(&rules.ReqDeny{
 			SrcIPsMap: maps.Path(input),
-			Whitelist: a.whitelist,
+			AllowList: a.allowList,
 		})
 
 		return
 	}
 
 	var mapName maps.Name
-	if a.whitelist {
-		mapName = maps.Name("whitelist-" + utils.Hash([]byte(input)))
+	if a.allowList {
+		mapName = maps.Name("allowlist-" + utils.Hash([]byte(input)))
 	} else {
-		mapName = maps.Name("blacklist-" + utils.Hash([]byte(input)))
+		mapName = maps.Name("denylist-" + utils.Hash([]byte(input)))
 	}
 
 	if !a.maps.MapExists(mapName) {
@@ -66,7 +74,21 @@ func (a *AccessControl) Process(k store.K8s, annotations ...map[string]string) (
 	}
 	a.rules.Add(&rules.ReqDeny{
 		SrcIPsMap: maps.GetPath(mapName),
-		Whitelist: a.whitelist,
+		AllowList: a.allowList,
 	})
 	return
 }
+
+// GetAnnotationValue returns the annotation value of the AccessControl. If the annotation is not defined, it returns an empty string.
+// If the "new" annotation's name is not defined, it falls back to the deprecated name and logs a warning.
+// Deprecated: remove this function when the deprecated annotation name will not be supported anymore.
+func (a *AccessControl) GetAnnotationValue(annotations ...map[string]string) string {
+	value := common.GetValue(a.name, annotations...)
+	if value == "" { // fallback to deprecated annotation name
+		value = common.GetValue(a.deprecatedName, annotations...)
+		if value != "" {
+			logger.Warningf("annotation %q is deprecated and will be removed in a future version. Please use %q instead.", a.deprecatedName, a.name)
+		}
+	}
+	return value
+}
diff --git a/pkg/haproxy/rules/reqDeny.go b/pkg/haproxy/rules/reqDeny.go
@@ -12,7 +12,7 @@ import (
 
 type ReqDeny struct {
 	SrcIPsMap maps.Path
-	Whitelist bool
+	AllowList bool
 }
 
 func (r ReqDeny) GetType() Type {
@@ -21,7 +21,7 @@ func (r ReqDeny) GetType() Type {
 
 func (r ReqDeny) Create(client api.HAProxyClient, frontend *models.Frontend, ingressACL string) error {
 	not := ""
-	if r.Whitelist {
+	if r.AllowList {
 		not = "!"
 	}
 	if frontend.Mode == "tcp" {

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ import (`
`12`	`12`
`13`	`13`	`type ReqDeny struct {`
`14`	`14`	`SrcIPsMap maps.Path`
`15`		`- Whitelist bool`
	`15`	`+ AllowList bool`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`func (r ReqDeny) GetType() Type {`
`@@ -21,7 +21,7 @@ func (r ReqDeny) GetType() Type {`
`21`	`21`
`22`	`22`	`func (r ReqDeny) Create(client api.HAProxyClient, frontend *models.Frontend, ingressACL string) error {`
`23`	`23`	`not := ""`
`24`		`- if r.Whitelist {`
	`24`	`+ if r.AllowList {`
`25`	`25`	`not = "!"`
`26`	`26`	`}`
`27`	`27`	`if frontend.Mode == "tcp" {`