DevFW-CICD/ingress-nginx-helm
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Support cors-allow-origin with multiple origins (#7614)

Browse source 
* Add Initial support for multiple cors origins in nginx

- bump cluster version for `make dev-env`
- add buildOriginRegex function in nginx.tmpl
- add e2e 4 e2e tests for cors.go
- refers to feature request #5496

* add tests + use search to identify '*' origin

* add tests + use search to identify '*' origin

Signed-off-by: Christopher Larivière <lariviere.c@gmail.com>

* fix "should enable cors test" looking at improper values

* Modify tests and add some logic for origin validation

- add origin validation in cors ingress annotations
- add extra tests to validate regex
- properly escape regex using "QuoteMeta"
- fix some copy/paste errors

* add TrimSpace and length validation before adding a new origin

* modify documentation for cors and remove dangling comment

* add support for optional port mapping on origin

* support single-level wildcard subdomains + tests

* Remove automatic `*` fonctionality from incorrect origins

- use []string instead of basic string to avoid reparsing in template.go
- fix typo in docs
- modify template to properly enable only if the whole block is enabled
- modify cors parsing
- test properly by validating that the value returned is the proper
  origin
- update unit tests and annotation tests

* Re-add `*` when no cors origins are supplied + fix tests

- fix e2e tests to allow for `*`
- re-add `*` to cors parsing if trimmed cors-allow-origin is empty
(supplied but empty) and if it wasn't supplied at all.

* remove unecessary logic for building cors origin + remove comments

- add some edge cases in e2e tests
- rework logic for building cors origin

there was no need for logic in template.go for buildCorsOriginRegex
if there is a `*` it ill be short-circuited by first if.

if it's a wildcard domain or any domain (without a wildcard), it MUST
match the main/cors.go regex format.

if there's a star in a wildcard domain, it must be replaced with
`[A-Za-z0-9]+`

* add missing check in e2e tests
This commit is contained in:
Christopher Larivière 2021-11-02 15:31:42 -04:00 committed by GitHub
parent a5bab6a715
commit 65b8eeddec
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 570 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

471
test/e2e/annotations/cors.go
View file

@ -44,10 +44,12 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Methods: GET, PUT, POST, DELETE, PATCH, OPTIONS';") &&
strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: *';") &&
strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: $http_origin';") &&
strings.Contains(server, "more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';") &&
strings.Contains(server, "more_set_headers 'Access-Control-Max-Age: 1728000';") &&
strings.Contains(server, "more_set_headers 'Access-Control-Allow-Credentials: true';")
strings.Contains(server, "more_set_headers 'Access-Control-Allow-Credentials: true';") &&
strings.Contains(server, "set $http_origin *;") &&
strings.Contains(server, "$cors 'true';")
})
f.HTTPTestClient().
@ -107,6 +109,7 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ginkgo.It("should allow origin for cors", func() {
host := "cors.foo.com"
origin := "https://origin.cors.com:8080"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin.cors.com:8080",
@ -115,10 +118,20 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.WaitForNginxServer(host,
func(server string) bool {
return strings.Contains(server, "more_set_headers 'Access-Control-Allow-Origin: https://origin.cors.com:8080';")
})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
})
ginkgo.It("should allow headers for cors", func() {
@ -152,4 +165,450 @@ var _ = framework.DescribeAnnotation("cors-*", func() {
return strings.Contains(server, "more_set_headers 'Access-Control-Expose-Headers: X-CustomResponseHeader, X-CustomSecondHeader';")
})
})
ginkgo.It("should allow - single origin for multiple cors values", func() {
host := "cors.foo.com"
origin := "https://origin.cors.com:8080"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin.cors.com:8080, https://origin2.cors.com",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
})
ginkgo.It("should not allow - single origin for multiple cors values", func() {
host := "cors.foo.com"
origin := "http://no.origin.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin2.cors.com, https://origin.com",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should allow correct origins - single origin for multiple cors values", func() {
host := "cors.foo.com"
badOrigin := "origin.cors.com:8080"
origin1 := "https://origin2.cors.com"
origin2 := "https://origin.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "origin.cors.com:8080, https://origin2.cors.com, https://origin.com",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", badOrigin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin1).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin1).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin1})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin2).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin2).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin2})
})
ginkgo.It("should not break functionality", func() {
host := "cors.foo.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "*",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
})
ginkgo.It("should not break functionality - without `*`", func() {
host := "cors.foo.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
})
ginkgo.It("should not break functionality with extra domain", func() {
host := "cors.foo.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "*, foo.bar.com",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
})
ginkgo.It("should not match", func() {
host := "cors.foo.com"
origin := "https://fooxbar.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "https://foo.bar.com",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should allow - single origin with required port", func() {
host := "cors.foo.com"
origin := "http://origin.com:8080"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
})
ginkgo.It("should not allow - single origin with port and origin without port", func() {
host := "cors.foo.com"
origin := "http://origin.com:8080"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "https://origin2.cors.com, http://origin.com",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should not allow - single origin without port and origin with required port", func() {
host := "cors.foo.com"
origin := "http://origin.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should allow - matching origin with wildcard origin (2 subdomains)", func() {
host := "cors.foo.com"
origin := "http://foo.origin.cors.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://*.origin.cors.com, http://*.origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
})
ginkgo.It("should not allow - unmatching origin with wildcard origin (2 subdomains)", func() {
host := "cors.foo.com"
origin := "http://bar.foo.origin.cors.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://*.origin.cors.com, http://*.origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should allow - matching origin+port with wildcard origin", func() {
host := "cors.foo.com"
origin := "http://abc.origin.com:8080"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
})
ginkgo.It("should not allow - portless origin with wildcard origin", func() {
host := "cors.foo.com"
origin := "http://abc.origin.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
})
ginkgo.It("should allow correct origins - missing subdomain + origin with wildcard origin and correct origin", func() {
host := "cors.foo.com"
badOrigin := "http://origin.com:8080"
origin := "http://bar.origin.com:8080"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": "http://origin.cors.com:8080, http://*.origin.com:8080",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", badOrigin).
Expect().
Headers().NotContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{origin})
})
ginkgo.It("should allow - missing origins (should allow all origins)", func() {
host := "cors.foo.com"
origin := "http://origin.com"
origin2 := "http://book.origin.com"
origin3 := "test.origin.com"
annotations := map[string]string{
"nginx.ingress.kubernetes.io/enable-cors": "true",
"nginx.ingress.kubernetes.io/cors-allow-origin": " ",
}
ing := framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)
// the client should still receive a response but browsers should block the request
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin2).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin2).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin3).
Expect().
Headers().ContainsKey("Access-Control-Allow-Origin")
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithHeader("Origin", origin3).
Expect().
Status(http.StatusOK).Headers().
ValueEqual("Access-Control-Allow-Origin", []string{"*"})
})
})