Add CORS template check inside location for externalAuth.SignURL (#8814)

* Add CORS template check inside location for externalAuth.SignURL * Add testcase for CORS header for auth-signin redirect with CORS enabled.
2023-01-19 22:58:36 +08:00 · 2023-01-19 22:58:36 +08:00 · 82720c8e1d
commit 82720c8e1d
parent 87a9f1e007
2 changed files with 49 additions and 0 deletions
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -1180,6 +1180,10 @@ stream {

            add_header Set-Cookie $auth_cookie;

+            {{ if $location.CorsConfig.CorsEnabled }}
+            {{ template "CORS" $location }}
+            {{ end }}
+
            # Ensure that modsecurity will not run on an internal location as this is not accessible from outside
            {{ if $all.Cfg.EnableModsecurity }}
            modsecurity off;
--- a/test/e2e/annotations/auth.go
+++ b/test/e2e/annotations/auth.go
@ -720,6 +720,51 @@ http {
 		})
 	})

+	ginkgo.Context("when external authentication is configured along with CORS enabled", func() {
+		host := "auth"
+		var annotations map[string]string
+		var ing *networking.Ingress
+
+		ginkgo.BeforeEach(func() {
+			f.NewHttpbinDeployment()
+
+			var httpbinIP string
+
+			err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			httpbinIP = e.Subsets[0].Addresses[0].IP
+
+			annotations = map[string]string{
+				"nginx.ingress.kubernetes.io/auth-url":    fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
+				"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
+				"nginx.ingress.kubernetes.io/enable-cors": "true",
+			}
+
+			ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, "server_name auth")
+			})
+		})
+
+		ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() {
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				WithQuery("a", "b").
+				WithQuery("c", "d").
+				Expect().
+				Status(http.StatusFound).
+				Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*"))
+
+		})
+	})
+
 	ginkgo.Context("when external authentication with caching is configured", func() {
 		thisHost := "auth"
 		thatHost := "different"