diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index ed052e4ecf..5447482817 100644 --- a/internal/ingress/controller/template/template.go +++ b/internal/ingress/controller/template/template.go @@ -300,6 +300,7 @@ var funcMap = text_template.FuncMap{ "getenv": os.Getenv, "contains": strings.Contains, "split": strings.Split, + "join": strings.Join, "hasPrefix": strings.HasPrefix, "hasSuffix": strings.HasSuffix, "trimSpace": strings.TrimSpace, @@ -1675,10 +1676,10 @@ func buildOriginRegex(origin string) string { func buildCorsOriginRegex(corsOrigins []string) string { if len(corsOrigins) == 1 && corsOrigins[0] == "*" { - return "set $http_origin *;\nset $cors 'true';" + return ".*" } - originsRegex := "if ($http_origin ~* (" + originsRegex := "(" for i, origin := range corsOrigins { originTrimmed := strings.TrimSpace(origin) if originTrimmed != "" { @@ -1689,6 +1690,6 @@ func buildCorsOriginRegex(corsOrigins []string) string { } } } - originsRegex += ")$ ) { set $cors 'true'; }" + originsRegex += ")" return originsRegex } diff --git a/internal/ingress/controller/template/template_test.go b/internal/ingress/controller/template/template_test.go index 6553f5daf9..d00e2f999d 100644 --- a/internal/ingress/controller/template/template_test.go +++ b/internal/ingress/controller/template/template_test.go @@ -1953,3 +1953,36 @@ func TestCleanConf(t *testing.T) { t.Errorf("cleanConf result don't match with expected: %s", diff) } } + +func TestBuildCorsOriginRegex(t *testing.T) { + origins := []string{"http://foo.bar "} + + result := buildCorsOriginRegex(origins) + + expected := `((http://foo\.bar))` + if result != expected { + t.Errorf("expected '%v' but returned '%v'", expected, result) + } +} + +func TestBuildCorsOriginRegexWithMultipleOrigins(t *testing.T) { + origins := []string{" http://foo.bar", "http://*.bar"} + + result := buildCorsOriginRegex(origins) + + expected := `((http://foo\.bar)|(http://[A-Za-z0-9\-]+\.bar))` + if result != expected { + t.Errorf("expected '%v' but returned '%v'", expected, result) + } +} + +func TestBuildCorsOriginRegexWithWildcard(t *testing.T) { + origins := []string{"*"} + + result := buildCorsOriginRegex(origins) + + expected := `.*` + if result != expected { + t.Errorf("expected '%v' but returned '%v'", expected, result) + } +} diff --git a/rootfs/etc/nginx/js/nginx/ngx_handle_cors.js b/rootfs/etc/nginx/js/nginx/ngx_handle_cors.js new file mode 100644 index 0000000000..880590448a --- /dev/null +++ b/rootfs/etc/nginx/js/nginx/ngx_handle_cors.js @@ -0,0 +1,21 @@ +function handle_cors(req) { + const originsRegex = new RegExp(`${req.variables.cors_origins_regex}$`, 'i'); + + if (originsRegex.test(req.headersIn['Origin'])) { + const allowedOrigins = req.variables.cors_allowed_origins.split(','); + + req.headersOut['Access-Control-Allow-Origin'] = allowedOrigins.length === 1 && allowedOrigins[0] === '*' ? '*' : req.headersIn['Origin']; + req.headersOut['Access-Control-Allow-Methods'] = req.variables.cors_allow_methods; + req.headersOut['Access-Control-Allow-Headers'] = req.variables.cors_allow_headers; + req.headersOut['Access-Control-Max-Age'] = req.variables.cors_max_age; + if (req.variables.cors_allow_credentials) req.headersOut['Access-Control-Allow-Credentials'] = req.variables.cors_allow_credentials; + if (req.variables.cors_expose_headers) req.headersOut['Access-Control-Expose-Headers'] = req.variables.cors_expose_headers; + + if (req.method === 'OPTIONS') { + req.headersOut['Content-Type'] = 'text/plain charset=UTF-8'; + req.headersOut['Content-Length'] = '0'; + } + } +} + +export default {handle_cors}; diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl index 6b8e750b06..7b76cd5e58 100644 --- a/rootfs/etc/nginx/template/nginx.tmpl +++ b/rootfs/etc/nginx/template/nginx.tmpl @@ -12,6 +12,8 @@ # setup custom paths that do not require root access pid {{ .PID }}; +load_module modules/ngx_http_js_module.so; + {{ if $cfg.UseGeoIP2 }} load_module /etc/nginx/modules/ngx_http_geoip2_module.so; {{ end }} @@ -74,6 +76,8 @@ http { init_worker_by_lua_file /etc/nginx/lua/ngx_conf_init_worker.lua; + js_import njs_handle_cors from /etc/nginx/js/nginx/ngx_handle_cors.js; + {{/* Enable the real_ip module only if we use either X-Forwarded headers or Proxy Protocol. */}} {{/* we use the value of the real IP for the geo_ip module */}} {{ if or (or $cfg.UseForwardedHeaders $cfg.UseProxyProtocol) $cfg.EnableRealIP }} @@ -837,33 +841,19 @@ stream { {{/* CORS support from https://michielkalkman.com/snippets/nginx-cors-open-configuration.html */}} {{ define "CORS" }} {{ $cors := .CorsConfig }} - # Cors Preflight methods needs additional options and different Return Code - {{ if $cors.CorsAllowOrigin }} - {{ buildCorsOriginRegex $cors.CorsAllowOrigin }} - {{ end }} - if ($request_method = 'OPTIONS') { - set $cors ${cors}options; - } - if ($cors = "true") { - more_set_headers 'Access-Control-Allow-Origin: $http_origin'; - {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }} - more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}'; - more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}'; - {{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }} - more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}'; - } + set $cors_origins_regex '{{ buildCorsOriginRegex $cors.CorsAllowOrigin }}'; + set $cors_allowed_origins '{{ join $cors.CorsAllowOrigin "," }}'; + set $cors_allow_methods '{{ $cors.CorsAllowMethods }}'; + set $cors_allow_headers '{{ $cors.CorsAllowHeaders }}'; + set $cors_max_age '{{ $cors.CorsMaxAge }}'; + {{ if $cors.CorsAllowCredentials }} set $cors_allow_credentials {{ $cors.CorsAllowCredentials }}; {{ end }} + {{ if not (empty $cors.CorsExposeHeaders) }} set $cors_expose_headers '{{ $cors.CorsExposeHeaders }}'; {{ end }} + + js_header_filter njs_handle_cors.handle_cors; - if ($cors = "trueoptions") { - more_set_headers 'Access-Control-Allow-Origin: $http_origin'; - {{ if $cors.CorsAllowCredentials }} more_set_headers 'Access-Control-Allow-Credentials: {{ $cors.CorsAllowCredentials }}'; {{ end }} - more_set_headers 'Access-Control-Allow-Methods: {{ $cors.CorsAllowMethods }}'; - more_set_headers 'Access-Control-Allow-Headers: {{ $cors.CorsAllowHeaders }}'; - {{ if not (empty $cors.CorsExposeHeaders) }} more_set_headers 'Access-Control-Expose-Headers: {{ $cors.CorsExposeHeaders }}'; {{ end }} - more_set_headers 'Access-Control-Max-Age: {{ $cors.CorsMaxAge }}'; - more_set_headers 'Content-Type: text/plain charset=UTF-8'; - more_set_headers 'Content-Length: 0'; - return 204; + if ($request_method = 'OPTIONS') { + return 204; } {{ end }} diff --git a/test/e2e/annotations/cors.go b/test/e2e/annotations/cors.go index 58f4445f70..9e7df6c6d0 100644 --- a/test/e2e/annotations/cors.go +++ b/test/e2e/annotations/cors.go @@ -46,22 +46,26 @@ var _ = framework.DescribeAnnotation("cors-*", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';") && - strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: $http_origin';") && - strings.Contains(server, "more_set_headers 'Access-Control-Allow-Headers: DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';") && - strings.Contains(server, "more_set_headers 'Access-Control-Max-Age: 1728000';") && - strings.Contains(server, "more_set_headers 'Access-Control-Allow-Credentials: true';") && - strings.Contains(server, "set $http_origin *;") && - strings.Contains(server, "$cors 'true';") - }) + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "set $cors_allow_methods 'GET, PUT, POST, DELETE, PATCH, OPTIONS';") && + strings.Contains(server, "set $cors_allow_headers 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';") && + strings.Contains(server, "set $cors_max_age '1728000';") && + strings.Contains(server, "set $cors_allow_credentials true;") + }) f.HTTPTestClient(). GET("/"). WithHeader("Host", host). Expect(). - Status(http.StatusOK) + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"*"}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) ginkgo.It("should set cors methods to only allow POST, GET", func() { @@ -74,10 +78,23 @@ var _ = framework.DescribeAnnotation("cors-*", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Methods: POST, GET';") - }) + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "set $cors_allow_methods 'POST, GET';") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"*"}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"POST, GET"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) ginkgo.It("should set cors max-age", func() { @@ -90,10 +107,23 @@ var _ = framework.DescribeAnnotation("cors-*", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "more_set_headers 'Access-Control-Max-Age: 200';") - }) + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "set $cors_max_age '200';") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"*"}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"200"}) }) ginkgo.It("should disable cors allow credentials", func() { @@ -106,10 +136,23 @@ var _ = framework.DescribeAnnotation("cors-*", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.WaitForNginxServer(host, - func(server string) bool { - return !strings.Contains(server, "more_set_headers 'Access-Control-Allow-Credentials: true';") - }) + f.WaitForNginxServer(host, func(server string) bool { + return !strings.Contains(server, "set $cors_allow_credentials true;") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"*"}). + NotContainsKey("Access-Control-Allow-Credentials"). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) ginkgo.It("should allow origin for cors", func() { @@ -128,15 +171,27 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Host", host). WithHeader("Origin", origin). Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{origin}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) f.HTTPTestClient(). GET("/"). WithHeader("Host", host). - WithHeader("Origin", origin). Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin}) + Status(http.StatusOK). + Headers(). + NotContainsKey("Access-Control-Allow-Origin"). + NotContainsKey("Access-Control-Allow-Credentials"). + NotContainsKey("Access-Control-Allow-Methods"). + NotContainsKey("Access-Control-Allow-Headers"). + NotContainsKey("Access-Control-Max-Age") }) ginkgo.It("should allow headers for cors", func() { @@ -149,10 +204,23 @@ var _ = framework.DescribeAnnotation("cors-*", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Headers: DNT, User-Agent';") - }) + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "set $cors_allow_headers 'DNT, User-Agent';") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"*"}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT, User-Agent"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) ginkgo.It("should expose headers for cors", func() { @@ -165,10 +233,24 @@ var _ = framework.DescribeAnnotation("cors-*", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.WaitForNginxServer(host, - func(server string) bool { - return strings.Contains(server, "more_set_headers 'Access-Control-Expose-Headers: X-CustomResponseHeader, X-CustomSecondHeader';") - }) + f.WaitForNginxServer(host, func(server string) bool { + return strings.Contains(server, "set $cors_expose_headers 'X-CustomResponseHeader, X-CustomSecondHeader';") + }) + + f.HTTPTestClient(). + GET("/"). + WithHeader("Host", host). + Expect(). + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"*"}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Expose-Headers", []string{"X-CustomResponseHeader, X-CustomSecondHeader"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) ginkgo.It("should allow - single origin for multiple cors values", func() { @@ -187,15 +269,15 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Host", host). WithHeader("Origin", origin). Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin}) + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{origin}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) ginkgo.It("should not allow - single origin for multiple cors values", func() { @@ -215,7 +297,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Host", host). WithHeader("Origin", origin). Expect(). - Headers().NotContainsKey("Access-Control-Allow-Origin") + Headers(). + NotContainsKey("Access-Control-Allow-Origin"). + NotContainsKey("Access-Control-Allow-Credentials"). + NotContainsKey("Access-Control-Allow-Methods"). + NotContainsKey("Access-Control-Allow-Headers"). + NotContainsKey("Access-Control-Max-Age") }) ginkgo.It("should allow correct origins - single origin for multiple cors values", func() { @@ -236,14 +323,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Host", host). WithHeader("Origin", badOrigin). Expect(). - Headers().NotContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin1). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") + Headers(). + NotContainsKey("Access-Control-Allow-Origin"). + NotContainsKey("Access-Control-Allow-Credentials"). + NotContainsKey("Access-Control-Allow-Methods"). + NotContainsKey("Access-Control-Allow-Headers"). + NotContainsKey("Access-Control-Max-Age") f.HTTPTestClient(). GET("/"). @@ -251,14 +336,13 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Origin", origin1). Expect(). Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin1}) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin2). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") + ValueEqual("Access-Control-Allow-Origin", []string{origin1}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) f.HTTPTestClient(). GET("/"). @@ -266,10 +350,16 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Origin", origin2). Expect(). Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin2}) + ValueEqual("Access-Control-Allow-Origin", []string{origin2}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) - ginkgo.It("should not break functionality", func() { + ginkgo.It("should allow wildcard origin", func() { host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -283,40 +373,18 @@ var _ = framework.DescribeAnnotation("cors-*", func() { GET("/"). WithHeader("Host", host). Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"*"}) - }) - - ginkgo.It("should not break functionality - without `*`", func() { - host := corsHost - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"*"}) + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"*"}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) - ginkgo.It("should not break functionality with extra domain", func() { + ginkgo.It("should not break functionality with wildcard and extra domain", func() { host := corsHost annotations := map[string]string{ "nginx.ingress.kubernetes.io/enable-cors": "true", @@ -330,62 +398,15 @@ var _ = framework.DescribeAnnotation("cors-*", func() { GET("/"). WithHeader("Host", host). Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"*"}) - }) - - ginkgo.It("should not match", func() { - host := corsHost - origin := "https://fooxbar.com" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": "https://foo.bar.com", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - // the client should still receive a response but browsers should block the request - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Headers().NotContainsKey("Access-Control-Allow-Origin") - }) - - ginkgo.It("should allow - single origin with required port", func() { - host := corsHost - origin := originHost - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://origin.com:8080", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - // the client should still receive a response but browsers should block the request - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin}) + Status(http.StatusOK). + Headers(). + ValueEqual("Access-Control-Allow-Origin", []string{"*"}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) ginkgo.It("should not allow - single origin with port and origin without port", func() { @@ -404,7 +425,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Host", host). WithHeader("Origin", origin). Expect(). - Headers().NotContainsKey("Access-Control-Allow-Origin") + Headers(). + NotContainsKey("Access-Control-Allow-Origin"). + NotContainsKey("Access-Control-Allow-Credentials"). + NotContainsKey("Access-Control-Allow-Methods"). + NotContainsKey("Access-Control-Allow-Headers"). + NotContainsKey("Access-Control-Max-Age") }) ginkgo.It("should not allow - single origin without port and origin with required port", func() { @@ -424,7 +450,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Host", host). WithHeader("Origin", origin). Expect(). - Headers().NotContainsKey("Access-Control-Allow-Origin") + Headers(). + NotContainsKey("Access-Control-Allow-Origin"). + NotContainsKey("Access-Control-Allow-Credentials"). + NotContainsKey("Access-Control-Allow-Methods"). + NotContainsKey("Access-Control-Allow-Headers"). + NotContainsKey("Access-Control-Max-Age") }) ginkgo.It("should allow - matching origin with wildcard origin (2 subdomains)", func() { @@ -439,27 +470,19 @@ var _ = framework.DescribeAnnotation("cors-*", func() { ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) f.EnsureIngress(ing) - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - f.HTTPTestClient(). GET("/"). WithHeader("Host", host). WithHeader("Origin", origin). Expect(). Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin}) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin2). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") + ValueEqual("Access-Control-Allow-Origin", []string{origin}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) f.HTTPTestClient(). GET("/"). @@ -467,7 +490,13 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Origin", origin2). Expect(). Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin2}) + ValueEqual("Access-Control-Allow-Origin", []string{origin2}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) ginkgo.It("should not allow - unmatching origin with wildcard origin (2 subdomains)", func() { @@ -487,187 +516,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Host", host). WithHeader("Origin", origin). Expect(). - Headers().NotContainsKey("Access-Control-Allow-Origin") - }) - - ginkgo.It("should allow - matching origin+port with wildcard origin", func() { - host := corsHost - origin := "http://abc.origin.com:8080" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin}) - }) - - ginkgo.It("should not allow - portless origin with wildcard origin", func() { - host := corsHost - origin := "http://abc.origin.com" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - // the client should still receive a response but browsers should block the request - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Headers().NotContainsKey("Access-Control-Allow-Origin") - }) - - ginkgo.It("should allow correct origins - missing subdomain + origin with wildcard origin and correct origin", func() { - host := corsHost - badOrigin := originHost - origin := "http://bar.origin.com:8080" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - // the client should still receive a response but browsers should block the request - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", badOrigin). - Expect(). - Headers().NotContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin}) - }) - - ginkgo.It("should allow - missing origins (should allow all origins)", func() { - host := corsHost - origin := "http://origin.com" - origin2 := "http://book.origin.com" - origin3 := "test.origin.com" - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": " ", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - // the client should still receive a response but browsers should block the request - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"*"}) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin2). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin2). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"*"}) - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin3). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin3). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"*"}) - }) - - ginkgo.It("should allow correct origin but not others - cors allow origin annotations contain trailing comma", func() { - host := corsHost - annotations := map[string]string{ - "nginx.ingress.kubernetes.io/enable-cors": "true", - "nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin-123.cors.com:8080, ,https://origin-321.cors.com:8080,", - } - - ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations) - f.EnsureIngress(ing) - - origin1 := "https://origin-123.cors.com:8080" - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin1). - Expect(). - Headers().ContainsKey("Access-Control-Allow-Origin") - - origin2 := "https://origin-321.cors.com:8080" - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin2). - Expect(). - Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{origin2}) - - origin3 := "https://unknown.cors.com:8080" - f.HTTPTestClient(). - GET("/"). - WithHeader("Host", host). - WithHeader("Origin", origin3). - Expect(). Headers(). - NotContainsKey("Access-Control-Allow-Origin") + NotContainsKey("Access-Control-Allow-Origin"). + NotContainsKey("Access-Control-Allow-Credentials"). + NotContainsKey("Access-Control-Allow-Methods"). + NotContainsKey("Access-Control-Allow-Headers"). + NotContainsKey("Access-Control-Max-Age") }) ginkgo.It("should allow - origins with non-http[s] protocols", func() { @@ -688,7 +542,13 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Origin", origin). Expect(). Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"test://localhost"}) + ValueEqual("Access-Control-Allow-Origin", []string{origin}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) f.HTTPTestClient(). GET("/"). @@ -696,6 +556,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() { WithHeader("Origin", origin2). Expect(). Status(http.StatusOK).Headers(). - ValueEqual("Access-Control-Allow-Origin", []string{"tauri://localhost:3000"}) + ValueEqual("Access-Control-Allow-Origin", []string{origin2}). + ValueEqual("Access-Control-Allow-Credentials", []string{"true"}). + ValueEqual("Access-Control-Allow-Methods", + []string{"GET, PUT, POST, DELETE, PATCH, OPTIONS"}). + ValueEqual("Access-Control-Allow-Headers", + []string{"DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"}). + ValueEqual("Access-Control-Max-Age", []string{"1728000"}) }) })