DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add CORS template check inside location for externalAuth.SignURL (#8814)

Browse source 
* Add CORS template check inside location for externalAuth.SignURL

* Add testcase for CORS header for auth-signin redirect with CORS enabled.
This commit is contained in:
Harpreet singh 2023-01-19 22:58:36 +08:00 committed by James Strong
parent 87a9f1e007
commit 82720c8e1d
Failed to extract signature
2 changed files with 49 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -1180,6 +1180,10 @@ stream {
add_header Set-Cookie $auth_cookie; add_header Set-Cookie $auth_cookie;
{{ if $location.CorsConfig.CorsEnabled }}
{{ template "CORS" $location }}
{{ end }}
# Ensure that modsecurity will not run on an internal location as this is not accessible from outside # Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $all.Cfg.EnableModsecurity }} {{ if $all.Cfg.EnableModsecurity }}
modsecurity off; modsecurity off;

45
test/e2e/annotations/auth.go
View file

@ -720,6 +720,51 @@ http {
}) })
}) })
ginkgo.Context("when external authentication is configured along with CORS enabled", func() {
host := "auth"
var annotations map[string]string
var ing *networking.Ingress
ginkgo.BeforeEach(func() {
f.NewHttpbinDeployment()
var httpbinIP string
err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
assert.Nil(ginkgo.GinkgoT(), err)
e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
assert.Nil(ginkgo.GinkgoT(), err)
httpbinIP = e.Subsets[0].Addresses[0].IP
annotations = map[string]string{
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
"nginx.ingress.kubernetes.io/enable-cors": "true",
}
ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "server_name auth")
})
})
ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() {
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithQuery("a", "b").
WithQuery("c", "d").
Expect().
Status(http.StatusFound).
Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*"))
})
})
ginkgo.Context("when external authentication with caching is configured", func() { ginkgo.Context("when external authentication with caching is configured", func() {
thisHost := "auth" thisHost := "auth"
thatHost := "different" thatHost := "different"