DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Replace CORS handling logic with NJS scripting (avoid using Nginx 'if' directives)

Browse source
This commit is contained in:
Elizabeth Martin Campos 2024-11-27 12:24:52 +01:00
parent 281be4305d
commit d18e357cb7
No known key found for this signature in database
GPG key ID: 5338FD45A0CE142D
5 changed files with 291 additions and 380 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
internal/ingress/controller/template/template.go
View file

@ -300,6 +300,7 @@ var funcMap = text_template.FuncMap{
"getenv": os.Getenv, "getenv": os.Getenv,
"contains": strings.Contains, "contains": strings.Contains,
"split": strings.Split, "split": strings.Split,
"join": strings.Join,
"hasPrefix": strings.HasPrefix, "hasPrefix": strings.HasPrefix,
"hasSuffix": strings.HasSuffix, "hasSuffix": strings.HasSuffix,
"trimSpace": strings.TrimSpace, "trimSpace": strings.TrimSpace,
@ -1675,10 +1676,10 @@ func buildOriginRegex(origin string) string {
func buildCorsOriginRegex(corsOrigins []string) string { func buildCorsOriginRegex(corsOrigins []string) string {
if len(corsOrigins) == 1 && corsOrigins[0] == "*" { if len(corsOrigins) == 1 && corsOrigins[0] == "*" {
return "set $http_origin *;\nset $cors 'true';" return ".*"
} }
originsRegex := "if ($http_origin ~* (" originsRegex := "("
for i, origin := range corsOrigins { for i, origin := range corsOrigins {
originTrimmed := strings.TrimSpace(origin) originTrimmed := strings.TrimSpace(origin)
if originTrimmed != "" { if originTrimmed != "" {
@ -1689,6 +1690,6 @@ func buildCorsOriginRegex(corsOrigins []string) string {
} }
} }
} }
originsRegex += ")$ ) { set $cors 'true'; }" originsRegex += ")"
return originsRegex return originsRegex
} }

33
internal/ingress/controller/template/template_test.go
View file

@ -1953,3 +1953,36 @@ func TestCleanConf(t *testing.T) {
t.Errorf("cleanConf result don't match with expected: %s", diff) t.Errorf("cleanConf result don't match with expected: %s", diff)
} }
} }
func TestBuildCorsOriginRegex(t *testing.T) {
origins := []string{"http://foo.bar "}
result := buildCorsOriginRegex(origins)
expected := `((http://foo\.bar))`
if result != expected {
t.Errorf("expected '%v' but returned '%v'", expected, result)
}
}
func TestBuildCorsOriginRegexWithMultipleOrigins(t *testing.T) {
origins := []string{" http://foo.bar", "http://*.bar"}
result := buildCorsOriginRegex(origins)
expected := `((http://foo\.bar)|(http://[A-Za-z0-9\-]+\.bar))`
if result != expected {
t.Errorf("expected '%v' but returned '%v'", expected, result)
}
}
func TestBuildCorsOriginRegexWithWildcard(t *testing.T) {
origins := []string{"*"}
result := buildCorsOriginRegex(origins)
expected := `.*`
if result != expected {
t.Errorf("expected '%v' but returned '%v'", expected, result)
}
}

21
rootfs/etc/nginx/js/nginx/ngx_handle_cors.js Normal file
View file

@ -0,0 +1,21 @@
function handle_cors(req) {
const originsRegex = new RegExp(`${req.variables.cors_origins_regex}$`, 'i');
if (originsRegex.test(req.headersIn['Origin'])) {
const allowedOrigins = req.variables.cors_allowed_origins.split(',');
req.headersOut['Access-Control-Allow-Origin'] = allowedOrigins.length === 1 && allowedOrigins[0] === '*' ? '*' : req.headersIn['Origin'];
req.headersOut['Access-Control-Allow-Methods'] = req.variables.cors_allow_methods;
req.headersOut['Access-Control-Allow-Headers'] = req.variables.cors_allow_headers;
req.headersOut['Access-Control-Max-Age'] = req.variables.cors_max_age;
if (req.variables.cors_allow_credentials) req.headersOut['Access-Control-Allow-Credentials'] = req.variables.cors_allow_credentials;
if (req.variables.cors_expose_headers) req.headersOut['Access-Control-Expose-Headers'] = req.variables.cors_expose_headers;
if (req.method === 'OPTIONS') {
req.headersOut['Content-Type'] = 'text/plain charset=UTF-8';
req.headersOut['Content-Length'] = '0';
}
}
}
export default {handle_cors};

40
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -12,6 +12,8 @@
# setup custom paths that do not require root access # setup custom paths that do not require root access
pid {{ .PID }}; pid {{ .PID }};
load_module /etc/nginx/modules/ngx_http_js_module.so;
{{ if $cfg.UseGeoIP2 }} {{ if $cfg.UseGeoIP2 }}
load_module /etc/nginx/modules/ngx_http_geoip2_module.so; load_module /etc/nginx/modules/ngx_http_geoip2_module.so;
{{ end }} {{ end }}
@ -74,6 +76,8 @@ http {
init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua; init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua;
js_import njs_handle_cors from /etc/nginx/js/nginx/ngx_handle_cors.js;
{{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}} {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}}
{{/* we use the value of the real IP for the geo_ip module */}} {{/* we use the value of the real IP for the geo_ip module */}}
{{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }} {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }}
@ -837,32 +841,18 @@ stream {
{{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}} {{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}}
{{ define "CORS" }} {{ define "CORS" }}
{{ $cors := .CorsConfig }} {{ $cors := .CorsConfig }}
# Cors Preflight methods needs additional options and different Return Code
{{ if $cors.CorsAllowOrigin }} set $cors_origins_regex '{{ buildCorsOriginRegex $cors.CorsAllowOrigin }}';
{{ buildCorsOriginRegex $cors.CorsAllowOrigin }} set $cors_allowed_origins '{{ join $cors.CorsAllowOrigin "," }}';
{{ end }} set $cors_allow_methods '{{ $cors.CorsAllowMethods }}';
set $cors_allow_headers '{{ $cors.CorsAllowHeaders }}';
set $cors_max_age '{{ $cors.CorsMaxAge }}';
{{ if $cors.CorsAllowCredentials }} set $cors_allow_credentials {{ $cors.CorsAllowCredentials }}; {{ end }}
{{ if not (empty $cors.CorsExposeHeaders) }} set $cors_expose_headers '{{ $cors.CorsExposeHeaders }}'; {{ end }}
js_header_filter njs_handle_cors.handle_cors;
if ($request_method = 'OPTIONS') { if ($request_method = 'OPTIONS') {
set $cors ${cors}options;
}
if ($cors = "true") {
more_set_headers 'Access-Control-Allow-Origin: $http_origin';
{{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
{{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }}
more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}';
}
if ($cors = "trueoptions") {
more_set_headers 'Access-Control-Allow-Origin: $http_origin';
{{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }}
more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}';
more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}';
{{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }}
more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}';
more_set_headers 'Content-Type: text/plain charset=UTF-8';
more_set_headers 'Content-Length: 0';
return 204; return 204;
} }
{{ end }} {{ end }}

556
test/e2e/annotations/cors.go
View file

@ -46,22 +46,26 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing) f.EnsureIngress(ing)
f.WaitForNginxServer(host, f.WaitForNginxServer(host, func(server string) bool {
func(server string) bool { return strings.Contains(server, "set $cors_allow_methods 'GET, PUT, POST, DELETE, PATCH, OPTIONS';") &&
return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';") && strings.Contains(server, "set $cors_allow_headers 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';") &&
strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: $http_origin';") && strings.Contains(server, "set $cors_max_age '1728000';") &&
strings.Contains(server, "more_set_headers 'Access-Control-Allow-Headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';") && strings.Contains(server, "set $cors_allow_credentials true;")
strings.Contains(server, "more_set_headers 'Access-Control-Max-Age: 1728000';") &&
strings.Contains(server, "more_set_headers 'Access-Control-Allow-Credentials: true';") &&
strings.Contains(server, "set $http_origin *;") &&
strings.Contains(server, "$cors 'true';")
}) })
f.HTTPTestClient(). f.HTTPTestClient().
GET("/"). GET("/").
WithHeader("Host", host). WithHeader("Host", host).
Expect(). Expect().
Status(http.StatusOK) Status(http.StatusOK).
Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should set cors methods to only allow POST, GET", func() { ginkgo.It("should set cors methods to only allow POST, GET", func() {
@ -74,10 +78,23 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing) f.EnsureIngress(ing)
f.WaitForNginxServer(host, f.WaitForNginxServer(host, func(server string) bool {
func(server string) bool { return strings.Contains(server, "set $cors_allow_methods 'POST, GET';")
return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Methods: POST, GET';")
}) })
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).
Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"POST, GET"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should set cors max-age", func() { ginkgo.It("should set cors max-age", func() {
@ -90,10 +107,23 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing) f.EnsureIngress(ing)
f.WaitForNginxServer(host, f.WaitForNginxServer(host, func(server string) bool {
func(server string) bool { return strings.Contains(server, "set $cors_max_age '200';")
return strings.Contains(server, "more_set_headers 'Access-Control-Max-Age: 200';")
}) })
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).
Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"200"})
}) })
ginkgo.It("should disable cors allow credentials", func() { ginkgo.It("should disable cors allow credentials", func() {
@ -106,10 +136,23 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing) f.EnsureIngress(ing)
f.WaitForNginxServer(host, f.WaitForNginxServer(host, func(server string) bool {
func(server string) bool { return !strings.Contains(server, "set $cors_allow_credentials true;")
return !strings.Contains(server, "more_set_headers 'Access-Control-Allow-Credentials: true';")
}) })
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).
Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"}).
NotContainsKey("Access-Control-Allow-Credentials").
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should allow origin for cors", func() { ginkgo.It("should allow origin for cors", func() {
@ -128,15 +171,27 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", origin). WithHeader("Origin", origin).
Expect(). Expect().
Headers().ContainsKey("Access-Control-Allow-Origin") Status(http.StatusOK).
Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
f.HTTPTestClient(). f.HTTPTestClient().
GET("/"). GET("/").
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", origin).
Expect(). Expect().
Status(http.StatusOK).Headers(). Status(http.StatusOK).
ValueEqual("Access-Control-Allow-Origin", []string{origin}) Headers().
NotContainsKey("Access-Control-Allow-Origin").
NotContainsKey("Access-Control-Allow-Credentials").
NotContainsKey("Access-Control-Allow-Methods").
NotContainsKey("Access-Control-Allow-Headers").
NotContainsKey("Access-Control-Max-Age")
}) })
ginkgo.It("should allow headers for cors", func() { ginkgo.It("should allow headers for cors", func() {
@ -149,10 +204,23 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing) f.EnsureIngress(ing)
f.WaitForNginxServer(host, f.WaitForNginxServer(host, func(server string) bool {
func(server string) bool { return strings.Contains(server, "set $cors_allow_headers 'DNT, User-Agent';")
return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Headers: DNT, User-Agent';")
}) })
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).
Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT, User-Agent"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should expose headers for cors", func() { ginkgo.It("should expose headers for cors", func() {
@ -165,10 +233,24 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing) f.EnsureIngress(ing)
f.WaitForNginxServer(host, f.WaitForNginxServer(host, func(server string) bool {
func(server string) bool { return strings.Contains(server, "set $cors_expose_headers 'X-CustomResponseHeader, X-CustomSecondHeader';")
return strings.Contains(server, "more_set_headers 'Access-Control-Expose-Headers: X-CustomResponseHeader, X-CustomSecondHeader';")
}) })
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).
Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Expose-Headers", []string{"X-CustomResponseHeader, X-CustomSecondHeader"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should allow - single origin for multiple cors values", func() { ginkgo.It("should allow - single origin for multiple cors values", func() {
@ -187,15 +269,15 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", origin). WithHeader("Origin", origin).
Expect(). Expect().
Headers().ContainsKey("Access-Control-Allow-Origin") Status(http.StatusOK).
Headers().
f.HTTPTestClient(). ValueEqual("Access-Control-Allow-Origin", []string{origin}).
GET("/"). ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
WithHeader("Host", host). ValueEqual("Access-Control-Allow-Methods",
WithHeader("Origin", origin). []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
Expect(). ValueEqual("Access-Control-Allow-Headers",
Status(http.StatusOK).Headers(). []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Allow-Origin", []string{origin}) ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should not allow - single origin for multiple cors values", func() { ginkgo.It("should not allow - single origin for multiple cors values", func() {
@ -215,7 +297,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", origin). WithHeader("Origin", origin).
Expect(). Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin") Headers().
NotContainsKey("Access-Control-Allow-Origin").
NotContainsKey("Access-Control-Allow-Credentials").
NotContainsKey("Access-Control-Allow-Methods").
NotContainsKey("Access-Control-Allow-Headers").
NotContainsKey("Access-Control-Max-Age")
}) })
ginkgo.It("should allow correct origins - single origin for multiple cors values", func() { ginkgo.It("should allow correct origins - single origin for multiple cors values", func() {
@ -236,14 +323,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", badOrigin). WithHeader("Origin", badOrigin).
Expect(). Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin") Headers().
NotContainsKey("Access-Control-Allow-Origin").
f.HTTPTestClient(). NotContainsKey("Access-Control-Allow-Credentials").
GET("/"). NotContainsKey("Access-Control-Allow-Methods").
WithHeader("Host", host). NotContainsKey("Access-Control-Allow-Headers").
WithHeader("Origin", origin1). NotContainsKey("Access-Control-Max-Age")
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient(). f.HTTPTestClient().
GET("/"). GET("/").
@ -251,14 +336,13 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Origin", origin1). WithHeader("Origin", origin1).
Expect(). Expect().
Status(http.StatusOK).Headers(). Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin1}) ValueEqual("Access-Control-Allow-Origin", []string{origin1}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
f.HTTPTestClient(). ValueEqual("Access-Control-Allow-Methods",
GET("/"). []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
WithHeader("Host", host). ValueEqual("Access-Control-Allow-Headers",
WithHeader("Origin", origin2). []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
Expect(). ValueEqual("Access-Control-Max-Age", []string{"1728000"})
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient(). f.HTTPTestClient().
GET("/"). GET("/").
@ -266,10 +350,16 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Origin", origin2). WithHeader("Origin", origin2).
Expect(). Expect().
Status(http.StatusOK).Headers(). Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin2}) ValueEqual("Access-Control-Allow-Origin", []string{origin2}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should not break functionality", func() { ginkgo.It("should allow wildcard origin", func() {
host := corsHost host := corsHost
annotations := map[string]string{ annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/enable-cors": "true",
@ -283,40 +373,18 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
GET("/"). GET("/").
WithHeader("Host", host). WithHeader("Host", host).
Expect(). Expect().
Headers().ContainsKey("Access-Control-Allow-Origin") Status(http.StatusOK).
Headers().
f.HTTPTestClient(). ValueEqual("Access-Control-Allow-Origin", []string{"*"}).
GET("/"). ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
WithHeader("Host", host). ValueEqual("Access-Control-Allow-Methods",
Expect(). []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
Status(http.StatusOK).Headers(). ValueEqual("Access-Control-Allow-Headers",
ValueEqual("Access-Control-Allow-Origin", []string{"*"}) []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should not break functionality - without `*`", func() { ginkgo.It("should not break functionality with wildcard and extra domain", func() {
host := corsHost
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
})
ginkgo.It("should not break functionality with extra domain", func() {
host := corsHost host := corsHost
annotations := map[string]string{ annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true", "nginx.ingress.kubernetes.io/enable-cors": "true",
@ -330,62 +398,15 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
GET("/"). GET("/").
WithHeader("Host", host). WithHeader("Host", host).
Expect(). Expect().
Headers().ContainsKey("Access-Control-Allow-Origin") Status(http.StatusOK).
Headers().
f.HTTPTestClient(). ValueEqual("Access-Control-Allow-Origin", []string{"*"}).
GET("/"). ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
WithHeader("Host", host). ValueEqual("Access-Control-Allow-Methods",
Expect(). []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
Status(http.StatusOK).Headers(). ValueEqual("Access-Control-Allow-Headers",
ValueEqual("Access-Control-Allow-Origin", []string{"*"}) []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
}) ValueEqual("Access-Control-Max-Age", []string{"1728000"})
ginkgo.It("should not match", func() {
host := corsHost
origin := "https://fooxbar.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "https://foo.bar.com",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should allow - single origin with required port", func() {
host := corsHost
origin := originHost
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
}) })
ginkgo.It("should not allow - single origin with port and origin without port", func() { ginkgo.It("should not allow - single origin with port and origin without port", func() {
@ -404,7 +425,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", origin). WithHeader("Origin", origin).
Expect(). Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin") Headers().
NotContainsKey("Access-Control-Allow-Origin").
NotContainsKey("Access-Control-Allow-Credentials").
NotContainsKey("Access-Control-Allow-Methods").
NotContainsKey("Access-Control-Allow-Headers").
NotContainsKey("Access-Control-Max-Age")
}) })
ginkgo.It("should not allow - single origin without port and origin with required port", func() { ginkgo.It("should not allow - single origin without port and origin with required port", func() {
@ -424,7 +450,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", origin). WithHeader("Origin", origin).
Expect(). Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin") Headers().
NotContainsKey("Access-Control-Allow-Origin").
NotContainsKey("Access-Control-Allow-Credentials").
NotContainsKey("Access-Control-Allow-Methods").
NotContainsKey("Access-Control-Allow-Headers").
NotContainsKey("Access-Control-Max-Age")
}) })
ginkgo.It("should allow - matching origin with wildcard origin (2 subdomains)", func() { ginkgo.It("should allow - matching origin with wildcard origin (2 subdomains)", func() {
@ -439,27 +470,19 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing) f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient(). f.HTTPTestClient().
GET("/"). GET("/").
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", origin). WithHeader("Origin", origin).
Expect(). Expect().
Status(http.StatusOK).Headers(). Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin}) ValueEqual("Access-Control-Allow-Origin", []string{origin}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
f.HTTPTestClient(). ValueEqual("Access-Control-Allow-Methods",
GET("/"). []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
WithHeader("Host", host). ValueEqual("Access-Control-Allow-Headers",
WithHeader("Origin", origin2). []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
Expect(). ValueEqual("Access-Control-Max-Age", []string{"1728000"})
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient(). f.HTTPTestClient().
GET("/"). GET("/").
@ -467,7 +490,13 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Origin", origin2). WithHeader("Origin", origin2).
Expect(). Expect().
Status(http.StatusOK).Headers(). Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin2}) ValueEqual("Access-Control-Allow-Origin", []string{origin2}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
ginkgo.It("should not allow - unmatching origin with wildcard origin (2 subdomains)", func() { ginkgo.It("should not allow - unmatching origin with wildcard origin (2 subdomains)", func() {
@ -487,187 +516,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Host", host). WithHeader("Host", host).
WithHeader("Origin", origin). WithHeader("Origin", origin).
Expect(). Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should allow - matching origin+port with wildcard origin", func() {
host := corsHost
origin := "http://abc.origin.com:8080"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
})
ginkgo.It("should not allow - portless origin with wildcard origin", func() {
host := corsHost
origin := "http://abc.origin.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should allow correct origins - missing subdomain + origin with wildcard origin and correct origin", func() {
host := corsHost
badOrigin := originHost
origin := "http://bar.origin.com:8080"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", badOrigin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
})
ginkgo.It("should allow - missing origins (should allow all origins)", func() {
host := corsHost
origin := "http://origin.com"
origin2 := "http://book.origin.com"
origin3 := "test.origin.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": " ",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin2).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin2).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin3).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin3).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
})
ginkgo.It("should allow correct origin but not others - cors allow origin annotations contain trailing comma", func() {
host := corsHost
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin-123.cors.com:8080, ,https://origin-321.cors.com:8080,",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
origin1 := "https://origin-123.cors.com:8080"
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin1).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
origin2 := "https://origin-321.cors.com:8080"
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin2).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin2})
origin3 := "https://unknown.cors.com:8080"
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin3).
Expect().
Headers(). Headers().
NotContainsKey("Access-Control-Allow-Origin") NotContainsKey("Access-Control-Allow-Origin").
NotContainsKey("Access-Control-Allow-Credentials").
NotContainsKey("Access-Control-Allow-Methods").
NotContainsKey("Access-Control-Allow-Headers").
NotContainsKey("Access-Control-Max-Age")
}) })
ginkgo.It("should allow - origins with non-http[s] protocols", func() { ginkgo.It("should allow - origins with non-http[s] protocols", func() {
@ -688,7 +542,13 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Origin", origin). WithHeader("Origin", origin).
Expect(). Expect().
Status(http.StatusOK).Headers(). Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"test://localhost"}) ValueEqual("Access-Control-Allow-Origin", []string{origin}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
f.HTTPTestClient(). f.HTTPTestClient().
GET("/"). GET("/").
@ -696,6 +556,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
WithHeader("Origin", origin2). WithHeader("Origin", origin2).
Expect(). Expect().
Status(http.StatusOK).Headers(). Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"tauri://localhost:3000"}) ValueEqual("Access-Control-Allow-Origin", []string{origin2}).
ValueEqual("Access-Control-Allow-Credentials", []string{"true"}).
ValueEqual("Access-Control-Allow-Methods",
[]string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}).
ValueEqual("Access-Control-Allow-Headers",
[]string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}).
ValueEqual("Access-Control-Max-Age", []string{"1728000"})
}) })
}) })