2016-09-22 18:00:09 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2016 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package cors
|
|
|
|
|
|
|
|
|
|
import (
|
2017-10-19 20:03:02 +00:00
|
|
|
"regexp"
|
2021-11-02 19:31:42 +00:00
|
|
|
"strings"
|
2017-10-19 20:03:02 +00:00
|
|
|
|
2021-08-21 20:42:00 +00:00
|
|
|
networking "k8s.io/api/networking/v1"
|
2021-11-02 19:31:42 +00:00
|
|
|
"k8s.io/klog/v2"
|
2016-11-16 18:24:26 +00:00
|
|
|
|
2017-11-07 22:02:12 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/annotations/parser"
|
2023-07-22 03:32:07 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/errors"
|
2017-11-08 20:58:57 +00:00
|
|
|
"k8s.io/ingress-nginx/internal/ingress/resolver"
|
2016-09-22 18:00:09 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
const (
|
2017-10-19 20:03:02 +00:00
|
|
|
// Default values
|
|
|
|
|
defaultCorsMethods = "GET, PUT, POST, DELETE, PATCH, OPTIONS"
|
2022-05-04 12:11:51 +00:00
|
|
|
defaultCorsHeaders = "DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"
|
2018-01-09 11:19:42 +00:00
|
|
|
defaultCorsMaxAge = 1728000
|
2017-10-19 20:03:02 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
// Regex are defined here to prevent information leak, if user tries to set anything not valid
|
|
|
|
|
// that could cause the Response to contain some internal value/variable (like returning $pid, $upstream_addr, etc)
|
|
|
|
|
// Origin must contain a http/s Origin (including or not the port) or the value '*'
|
2023-07-22 03:32:07 +00:00
|
|
|
// This Regex is composed of the following:
|
|
|
|
|
// * Sets a group that can be (https?://)?*?.something.com:port?
|
|
|
|
|
// * Allows this to be repeated as much as possible, and separated by comma
|
|
|
|
|
// Otherwise it should be '*'
|
|
|
|
|
corsOriginRegexValidator = regexp.MustCompile(`^((((https?://)?(\*\.)?[A-Za-z0-9\-\.]*(:[0-9]+)?,?)+)|\*)?$`)
|
|
|
|
|
// corsOriginRegex defines the regex for validation inside Parse
|
2021-11-02 19:31:42 +00:00
|
|
|
corsOriginRegex = regexp.MustCompile(`^(https?://(\*\.)?[A-Za-z0-9\-\.]*(:[0-9]+)?|\*)?$`)
|
2017-10-19 20:03:02 +00:00
|
|
|
// Method must contain valid methods list (PUT, GET, POST, BLA)
|
|
|
|
|
// May contain or not spaces between each verb
|
|
|
|
|
corsMethodsRegex = regexp.MustCompile(`^([A-Za-z]+,?\s?)+$`)
|
2020-09-23 15:41:52 +00:00
|
|
|
// Expose Headers must contain valid values only (*, X-HEADER12, X-ABC)
|
|
|
|
|
// May contain or not spaces between each Header
|
|
|
|
|
corsExposeHeadersRegex = regexp.MustCompile(`^(([A-Za-z0-9\-\_]+|\*),?\s?)+$`)
|
2016-09-22 18:00:09 +00:00
|
|
|
)
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
const (
|
|
|
|
|
corsEnableAnnotation = "enable-cors"
|
|
|
|
|
corsAllowOriginAnnotation = "cors-allow-origin"
|
|
|
|
|
corsAllowHeadersAnnotation = "cors-allow-headers"
|
|
|
|
|
corsAllowMethodsAnnotation = "cors-allow-methods"
|
|
|
|
|
corsAllowCredentialsAnnotation = "cors-allow-credentials" //#nosec G101
|
|
|
|
|
corsExposeHeadersAnnotation = "cors-expose-headers"
|
|
|
|
|
corsMaxAgeAnnotation = "cors-max-age"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var corsAnnotation = parser.Annotation{
|
|
|
|
|
Group: "cors",
|
|
|
|
|
Annotations: parser.AnnotationFields{
|
|
|
|
|
corsEnableAnnotation: {
|
|
|
|
|
Validator: parser.ValidateBool,
|
|
|
|
|
Scope: parser.AnnotationScopeIngress,
|
|
|
|
|
Risk: parser.AnnotationRiskLow,
|
|
|
|
|
Documentation: `This annotation enables Cross-Origin Resource Sharing (CORS) in an Ingress rule`,
|
|
|
|
|
},
|
|
|
|
|
corsAllowOriginAnnotation: {
|
|
|
|
|
Validator: parser.ValidateRegex(*corsOriginRegexValidator, true),
|
|
|
|
|
Scope: parser.AnnotationScopeIngress,
|
|
|
|
|
Risk: parser.AnnotationRiskMedium,
|
|
|
|
|
Documentation: `This annotation controls what's the accepted Origin for CORS.
|
|
|
|
|
This is a multi-valued field, separated by ','. It must follow this format: http(s)://origin-site.com or http(s)://origin-site.com:port
|
|
|
|
|
It also supports single level wildcard subdomains and follows this format: http(s)://*.foo.bar, http(s)://*.bar.foo:8080 or http(s)://*.abc.bar.foo:9000`,
|
|
|
|
|
},
|
|
|
|
|
corsAllowHeadersAnnotation: {
|
|
|
|
|
Validator: parser.ValidateRegex(*parser.HeadersVariable, true),
|
|
|
|
|
Scope: parser.AnnotationScopeIngress,
|
|
|
|
|
Risk: parser.AnnotationRiskMedium,
|
|
|
|
|
Documentation: `This annotation controls which headers are accepted.
|
|
|
|
|
This is a multi-valued field, separated by ',' and accepts letters, numbers, _ and -`,
|
|
|
|
|
},
|
|
|
|
|
corsAllowMethodsAnnotation: {
|
|
|
|
|
Validator: parser.ValidateRegex(*corsMethodsRegex, true),
|
|
|
|
|
Scope: parser.AnnotationScopeIngress,
|
|
|
|
|
Risk: parser.AnnotationRiskMedium,
|
|
|
|
|
Documentation: `This annotation controls which methods are accepted.
|
|
|
|
|
This is a multi-valued field, separated by ',' and accepts only letters (upper and lower case)`,
|
|
|
|
|
},
|
|
|
|
|
corsAllowCredentialsAnnotation: {
|
|
|
|
|
Validator: parser.ValidateBool,
|
|
|
|
|
Scope: parser.AnnotationScopeIngress,
|
|
|
|
|
Risk: parser.AnnotationRiskLow,
|
|
|
|
|
Documentation: `This annotation controls if credentials can be passed during CORS operations.`,
|
|
|
|
|
},
|
|
|
|
|
corsExposeHeadersAnnotation: {
|
|
|
|
|
Validator: parser.ValidateRegex(*corsExposeHeadersRegex, true),
|
|
|
|
|
Scope: parser.AnnotationScopeIngress,
|
|
|
|
|
Risk: parser.AnnotationRiskMedium,
|
|
|
|
|
Documentation: `This annotation controls which headers are exposed to response.
|
|
|
|
|
This is a multi-valued field, separated by ',' and accepts letters, numbers, _, - and *.`,
|
|
|
|
|
},
|
|
|
|
|
corsMaxAgeAnnotation: {
|
|
|
|
|
Validator: parser.ValidateInt,
|
|
|
|
|
Scope: parser.AnnotationScopeIngress,
|
|
|
|
|
Risk: parser.AnnotationRiskLow,
|
|
|
|
|
Documentation: `This annotation controls how long, in seconds, preflight requests can be cached.`,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-29 20:02:06 +00:00
|
|
|
type cors struct {
|
2023-07-22 03:32:07 +00:00
|
|
|
r resolver.Resolver
|
|
|
|
|
annotationConfig parser.Annotation
|
2016-12-29 20:02:06 +00:00
|
|
|
}
|
|
|
|
|
|
2017-11-07 16:36:51 +00:00
|
|
|
// Config contains the Cors configuration to be used in the Ingress
|
|
|
|
|
type Config struct {
|
2021-11-02 19:31:42 +00:00
|
|
|
CorsEnabled bool `json:"corsEnabled"`
|
|
|
|
|
CorsAllowOrigin []string `json:"corsAllowOrigin"`
|
|
|
|
|
CorsAllowMethods string `json:"corsAllowMethods"`
|
|
|
|
|
CorsAllowHeaders string `json:"corsAllowHeaders"`
|
|
|
|
|
CorsAllowCredentials bool `json:"corsAllowCredentials"`
|
|
|
|
|
CorsExposeHeaders string `json:"corsExposeHeaders"`
|
|
|
|
|
CorsMaxAge int `json:"corsMaxAge"`
|
2017-10-19 20:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2016-12-29 20:02:06 +00:00
|
|
|
// NewParser creates a new CORS annotation parser
|
2017-11-08 20:58:57 +00:00
|
|
|
func NewParser(r resolver.Resolver) parser.IngressAnnotation {
|
2023-07-22 03:32:07 +00:00
|
|
|
return cors{
|
|
|
|
|
r: r,
|
|
|
|
|
annotationConfig: corsAnnotation,
|
|
|
|
|
}
|
2016-12-29 20:02:06 +00:00
|
|
|
}
|
|
|
|
|
|
2017-10-19 20:03:02 +00:00
|
|
|
// Equal tests for equality between two External types
|
2017-11-07 16:36:51 +00:00
|
|
|
func (c1 *Config) Equal(c2 *Config) bool {
|
2017-10-19 20:03:02 +00:00
|
|
|
if c1 == c2 {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
if c1 == nil || c2 == nil {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2018-01-09 11:19:42 +00:00
|
|
|
if c1.CorsMaxAge != c2.CorsMaxAge {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2020-09-23 15:41:52 +00:00
|
|
|
if c1.CorsExposeHeaders != c2.CorsExposeHeaders {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2017-10-19 20:03:02 +00:00
|
|
|
if c1.CorsAllowCredentials != c2.CorsAllowCredentials {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
if c1.CorsAllowHeaders != c2.CorsAllowHeaders {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2017-10-25 22:41:29 +00:00
|
|
|
if c1.CorsAllowMethods != c2.CorsAllowMethods {
|
|
|
|
|
return false
|
|
|
|
|
}
|
2021-11-02 19:31:42 +00:00
|
|
|
if c1.CorsEnabled != c2.CorsEnabled {
|
2017-10-19 20:03:02 +00:00
|
|
|
return false
|
|
|
|
|
}
|
2021-11-02 19:31:42 +00:00
|
|
|
|
|
|
|
|
if len(c1.CorsAllowOrigin) != len(c2.CorsAllowOrigin) {
|
2017-10-19 20:03:02 +00:00
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-02 19:31:42 +00:00
|
|
|
for i, v := range c1.CorsAllowOrigin {
|
|
|
|
|
if v != c2.CorsAllowOrigin[i] {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-19 20:03:02 +00:00
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
|
2016-12-29 20:02:06 +00:00
|
|
|
// Parse parses the annotations contained in the ingress
|
2016-09-22 18:00:09 +00:00
|
|
|
// rule used to indicate if the location/s should allows CORS
|
2019-06-09 22:49:59 +00:00
|
|
|
func (c cors) Parse(ing *networking.Ingress) (interface{}, error) {
|
2018-11-30 22:56:11 +00:00
|
|
|
var err error
|
|
|
|
|
config := &Config{}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.CorsEnabled, err = parser.GetBoolAnnotation(corsEnableAnnotation, ing, c.annotationConfig.Annotations)
|
2017-10-19 20:03:02 +00:00
|
|
|
if err != nil {
|
2023-07-22 03:32:07 +00:00
|
|
|
if errors.IsValidationError(err) {
|
|
|
|
|
klog.Warningf("enable-cors is invalid, defaulting to 'false'")
|
|
|
|
|
}
|
2018-11-30 22:56:11 +00:00
|
|
|
config.CorsEnabled = false
|
2017-10-19 20:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2022-02-13 18:39:47 +00:00
|
|
|
config.CorsAllowOrigin = []string{}
|
2023-07-22 03:32:07 +00:00
|
|
|
unparsedOrigins, err := parser.GetStringAnnotation(corsAllowOriginAnnotation, ing, c.annotationConfig.Annotations)
|
2021-11-02 19:31:42 +00:00
|
|
|
if err == nil {
|
2022-02-13 18:39:47 +00:00
|
|
|
origins := strings.Split(unparsedOrigins, ",")
|
|
|
|
|
for _, origin := range origins {
|
2021-11-02 19:31:42 +00:00
|
|
|
origin = strings.TrimSpace(origin)
|
|
|
|
|
if origin == "*" {
|
|
|
|
|
config.CorsAllowOrigin = []string{"*"}
|
|
|
|
|
break
|
|
|
|
|
}
|
2022-02-13 18:39:47 +00:00
|
|
|
|
2021-11-02 19:31:42 +00:00
|
|
|
if !corsOriginRegex.MatchString(origin) {
|
|
|
|
|
klog.Errorf("Error parsing cors-allow-origin parameters. Supplied incorrect origin: %s. Skipping.", origin)
|
2022-02-13 18:39:47 +00:00
|
|
|
continue
|
2021-11-02 19:31:42 +00:00
|
|
|
}
|
2022-02-13 18:39:47 +00:00
|
|
|
config.CorsAllowOrigin = append(config.CorsAllowOrigin, origin)
|
2021-11-02 19:31:42 +00:00
|
|
|
klog.Infof("Current config.corsAllowOrigin %v", config.CorsAllowOrigin)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2023-07-22 03:32:07 +00:00
|
|
|
if errors.IsValidationError(err) {
|
|
|
|
|
klog.Warningf("cors-allow-origin is invalid, defaulting to '*'")
|
|
|
|
|
}
|
2021-11-02 19:31:42 +00:00
|
|
|
config.CorsAllowOrigin = []string{"*"}
|
2017-10-19 20:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.CorsAllowHeaders, err = parser.GetStringAnnotation(corsAllowHeadersAnnotation, ing, c.annotationConfig.Annotations)
|
|
|
|
|
if err != nil || !parser.HeadersVariable.MatchString(config.CorsAllowHeaders) {
|
2018-11-30 22:56:11 +00:00
|
|
|
config.CorsAllowHeaders = defaultCorsHeaders
|
2017-10-19 20:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.CorsAllowMethods, err = parser.GetStringAnnotation(corsAllowMethodsAnnotation, ing, c.annotationConfig.Annotations)
|
2018-12-02 18:35:12 +00:00
|
|
|
if err != nil || !corsMethodsRegex.MatchString(config.CorsAllowMethods) {
|
2018-11-30 22:56:11 +00:00
|
|
|
config.CorsAllowMethods = defaultCorsMethods
|
2017-10-19 20:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.CorsAllowCredentials, err = parser.GetBoolAnnotation(corsAllowCredentialsAnnotation, ing, c.annotationConfig.Annotations)
|
2017-10-19 20:03:02 +00:00
|
|
|
if err != nil {
|
2023-07-22 03:32:07 +00:00
|
|
|
if errors.IsValidationError(err) {
|
|
|
|
|
if errors.IsValidationError(err) {
|
|
|
|
|
klog.Warningf("cors-allow-credentials is invalid, defaulting to 'true'")
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-11-30 22:56:11 +00:00
|
|
|
config.CorsAllowCredentials = true
|
2017-10-19 20:03:02 +00:00
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.CorsExposeHeaders, err = parser.GetStringAnnotation(corsExposeHeadersAnnotation, ing, c.annotationConfig.Annotations)
|
2020-09-23 15:41:52 +00:00
|
|
|
if err != nil || !corsExposeHeadersRegex.MatchString(config.CorsExposeHeaders) {
|
|
|
|
|
config.CorsExposeHeaders = ""
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-22 03:32:07 +00:00
|
|
|
config.CorsMaxAge, err = parser.GetIntAnnotation(corsMaxAgeAnnotation, ing, c.annotationConfig.Annotations)
|
2018-01-09 11:19:42 +00:00
|
|
|
if err != nil {
|
2023-07-22 03:32:07 +00:00
|
|
|
if errors.IsValidationError(err) {
|
|
|
|
|
klog.Warningf("cors-max-age is invalid, defaulting to %d", defaultCorsMaxAge)
|
|
|
|
|
}
|
2018-11-30 22:56:11 +00:00
|
|
|
config.CorsMaxAge = defaultCorsMaxAge
|
2018-01-09 11:19:42 +00:00
|
|
|
}
|
|
|
|
|
|
2018-11-30 22:56:11 +00:00
|
|
|
return config, nil
|
2016-09-22 18:00:09 +00:00
|
|
|
}
|
2023-07-22 03:32:07 +00:00
|
|
|
|
|
|
|
|
func (c cors) GetDocumentation() parser.AnnotationFields {
|
|
|
|
|
return c.annotationConfig.Annotations
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a cors) Validate(anns map[string]string) error {
|
|
|
|
|
maxrisk := parser.StringRiskToRisk(a.r.GetSecurityConfiguration().AnnotationsRiskLevel)
|
|
|
|
|
return parser.CheckAnnotationRisk(anns, maxrisk, corsAnnotation.Annotations)
|
|
|
|
|
}
|
