diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 911cf75ea..958397dd5 100755 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -1180,6 +1180,10 @@ stream { add_header Set-Cookie $auth_cookie; + {{ if $location.CorsConfig.CorsEnabled }} + {{ template "CORS" $location }} + {{ end }} + # Ensure that modsecurity will not run on an internal location as this is not accessible from outside {{ if $all.Cfg.EnableModsecurity }} modsecurity off; diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go index 1f0f4c3b2..e26fcbd46 100644 --- a/test/e2e/annotations/auth.go +++ b/test/e2e/annotations/auth.go @@ -720,6 +720,51 @@ http { }) }) + ginkgo.Context("when external authentication is configured along with CORS enabled", func() { + host := "auth" + var annotations map[string]string + var ing *networking.Ingress + + ginkgo.BeforeEach(func() { + f.NewHttpbinDeployment() + + var httpbinIP string + + err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1) + assert.Nil(ginkgo.GinkgoT(), err) + + e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{}) + assert.Nil(ginkgo.GinkgoT(), err) + + httpbinIP = e.Subsets[0].Addresses[0].IP + + annotations = map[string]string{ + "nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP), + "nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start", + "nginx.ingress.kubernetes.io/enable-cors": "true", + } + + ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) + f.EnsureIngress(ing) + + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "server_name auth") + }) + }) + + ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() { + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + WithQuery("a", "b"). + WithQuery("c", "d"). + Expect(). + Status(http.StatusFound). + Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*")) + + }) + }) + ginkgo.Context("when external authentication with caching is configured", func() { thisHost := "auth" thatHost := "different"