feat(cors): Allowed more wildcard options #2453

Merged
merged 9 commits into from
Jan 20, 2024
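--- a/api/v1alpha1/cors_types.go
+++ b/api/v1alpha1/cors_types.go
@@ -8,19 +8,24 @@ package v1alpha1
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 // Origin is defined by the scheme (protocol), hostname (domain), and port of
-// the URL used to access it. The hostname can be “precise” which is just the
-// domain name or “wildcard” which is a domain name prefixed with a single
-// wildcard label such as “*.example.com”.
+// the URL used to access it. The hostname can be "precise" which is just the
+// domain name or "wildcard" which is a domain name prefixed with a single
+// wildcard label such as "*.example.com". The optional port can be a wildcard
+// as well to allow all ports.
+// In addition to that a single wildcard (with or without scheme) can be
+// configured to match any origin.
 //
 // For example, the following are valid origins:
 // - https://foo.example.com
 // - https://*.example.com
 // - http://foo.example.com:8080
 // - http://*.example.com:8080
+// - https://localhost:*
+// - https://*
 //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=253
-// +kubebuilder:validation:Pattern=`^https?:\/\/(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(:[0-9]+)?$`
+// +kubebuilder:validation:Pattern=`^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:(\*|\d{1,5}))?)$`
 type Origin string
 
 // CORS defines the configuration for Cross-Origin Resource Sharing (CORS).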
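Review bot: The replacement Pattern on the last added line bounds the port only to one to five digits, so a value such as `https://example.com:99999` passes CRD validation although no such TCP port exists, and the comment now advertises the port grammar without stating this; either tighten the port alternative or add `// Ports are checked for digit count only, not for the 1-65535 range.` to the comment. The `[\w-]` classes also admit underscores and uppercase letters in hostname labels, which the previous `[a-z0-9]` classes rejected, so the accepted origin grammar is wider than the listed examples suggest; a sentence in the comment naming the permitted label characters would make the contract explicit for operators. Since a bare `*` now validates and, per the new comment text, matches any origin, the comment should state plainly that this is the most permissive setting the field admits.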
Expand Up @@ -125,14 +125,17 @@ spec:
items:
description: "Origin is defined by the scheme (protocol), hostname
(domain), and port of the URL used to access it. The hostname
can be precise which is just the domain name or wildcard
can be \"precise\" which is just the domain name or \"wildcard\"
which is a domain name prefixed with a single wildcard label
such as “*.example.com”. \n For example, the following are
valid origins: - https://foo.example.com - https://*.example.com
- http://foo.example.com:8080 - http://*.example.com:8080"
such as \"*.example.com\". The optional port can be a wildcard
as well to allow all ports. In addition to that a single wildcard
(with or without scheme) can be configured to match any origin.
\n For example, the following are valid origins: - https://foo.example.com
- https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080
- https://localhost:* - https://*"
maxLength: 253
minLength: 1
pattern: ^https?:\/\/(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(:[0-9]+)?$
pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:(\*|\d{1,5}))?)$
type: string
minItems: 1
type: array
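--- a/internal/gatewayapi/securitypolicy_test.go
+++ b/internal/gatewayapi/securitypolicy_test.go
@@ -62,6 +62,48 @@ func Test_wildcard2regex(t *testing.T) {
 origin: "http://foo.example.com",
 want: 0,
 },
+{
+name: "test8",
+wildcard: "http://*.example.com:*",
+origin: "http://foo.example.com:8080",
+want: 1,
+},
+{
+name: "test9",
+wildcard: "http://*.example.com:*",
+origin: "http://foo.example.com",
+want: 0,
+},
+{
+name: "test10",
+wildcard: "http://*",
+origin: "http://foo.example.com",
+want: 1,
+},
+{
+name: "test11",
+wildcard: "http://*",
+origin: "https://foo.example.com",
+want: 0,
+},
+{
+name: "test12",
+wildcard: "*",
+origin: "http://foo.example.com",
+want: 1,
+},
+{
+name: "test13",
+wildcard: "http://localhost:*",
+origin: "http://localhost:1234",
+want: 1,
+},
+{
+name: "test14",
+wildcard: "http://localhost:*",
+origin: "http://localhost",
+want: 0,
+},
 }
 
 for _, tt := range tests {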
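Review bot: The new table entries `test8` through `test14` carry only numeric names, so a failing subtest reports nothing about which wildcard feature broke; naming each after the behaviour it pins, e.g. `name: "wildcard host and wildcard port",` for test8, would make the output self-describing. None of the added cases checks that a wildcard host stays anchored at the end of the origin, i.e. that `http://*.example.com:*` does not match an origin whose hostname merely begins with `foo.example.com` (constructed example: `http://foo.example.com.other.example:8080`), which is the mismatch that matters most for an allow-list; if the earlier entries outside this hunk do not cover it, one `want: 0` case of that shape is worth adding. The enclosing Test_wildcard2regex function starts and ends outside the hunk.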
62 changes: 60 additions & 2 deletions internal/gatewayapi/testdata/securitypolicy-with-cors.in.yaml
Expand Up @@ -27,6 +27,20 @@ gateways:
allowedRoutes:
namespaces:
from: All
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: gateway-3
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
grpcRoutes:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GRPCRoute
Expand Down Expand Up @@ -62,12 +76,31 @@ httpRoutes:
backendRefs:
- name: service-1
port: 8080
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-2
spec:
hostnames:
- gateway.envoyproxy.io
parentRefs:
- namespace: envoy-gateway
name: gateway-3
sectionName: http
rules:
- matches:
- path:
value: "/"
backendRefs:
- name: service-2
port: 8080
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: envoy-gateway
name: policy-for-gateway
name: policy-for-gateway-1
spec:
targetRef:
group: gateway.networking.k8s.io
Expand All @@ -78,6 +111,7 @@ securityPolicies:
allowOrigins:
- "http://*.example.com"
- "http://foo.bar.com"
- "https://*"
allowMethods:
- GET
- POST
Expand All @@ -92,7 +126,7 @@ securityPolicies:
kind: SecurityPolicy
metadata:
namespace: default
name: policy-for-route
name: policy-for-route-1
spec:
targetRef:
group: gateway.networking.k8s.io
Expand All @@ -113,3 +147,27 @@ securityPolicies:
- "x-header-7"
- "x-header-8"
maxAge: 2000s
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: policy-for-route-2
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-2
namespace: default
cors:
allowOrigins:
- "*"
allowMethods:
- GET
- POST
allowHeaders:
- "x-header-5"
- "x-header-6"
exposeHeaders:
- "x-header-7"
- "x-header-8"
maxAge: 2000s