Add CORS template check inside location for externalAuth.SignURL (#8814)

* Add CORS template check inside location for externalAuth.SignURL * Add testcase for CORS header for auth-signin redirect with CORS enabled.
kubernetes · Jan 19, 2023 · d1af3b5 · d1af3b5
1 parent 8c4cd87
commit d1af3b5
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 0 deletions.
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -1180,6 +1180,10 @@ stream {
 
             add_header Set-Cookie $auth_cookie;
 
+            {{ if $location.CorsConfig.CorsEnabled }}
+            {{ template "CORS" $location }}
+            {{ end }}
+
             # Ensure that modsecurity will not run on an internal location as this is not accessible from outside
             {{ if $all.Cfg.EnableModsecurity }}
             modsecurity off;

diff --git a/test/e2e/annotations/auth.go b/test/e2e/annotations/auth.go
@@ -720,6 +720,51 @@ http {
 		})
 	})
 
+	ginkgo.Context("when external authentication is configured along with CORS enabled", func() {
+		host := "auth"
+		var annotations map[string]string
+		var ing *networking.Ingress
+
+		ginkgo.BeforeEach(func() {
+			f.NewHttpbinDeployment()
+
+			var httpbinIP string
+
+			err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
+			assert.Nil(ginkgo.GinkgoT(), err)
+
+			httpbinIP = e.Subsets[0].Addresses[0].IP
+
+			annotations = map[string]string{
+				"nginx.ingress.kubernetes.io/auth-url":    fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
+				"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
+				"nginx.ingress.kubernetes.io/enable-cors": "true",
+			}
+
+			ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
+			f.EnsureIngress(ing)
+
+			f.WaitForNginxServer(host, func(server string) bool {
+				return strings.Contains(server, "server_name auth")
+			})
+		})
+
+		ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() {
+			f.HTTPTestClient().
+				GET("/").
+				WithHeader("Host", host).
+				WithQuery("a", "b").
+				WithQuery("c", "d").
+				Expect().
+				Status(http.StatusFound).
+				Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*"))
+
+		})
+	})
+
 	ginkgo.Context("when external authentication with caching is configured", func() {
 		thisHost := "auth"
 		thatHost := "different"