Skip to content

Commit

Permalink
Add CORS template check inside location for externalAuth.SignURL (kub…
Browse files Browse the repository at this point in the history
…ernetes#8814)

* Add CORS template check inside location for externalAuth.SignURL

* Add testcase for CORS header for auth-signin redirect with CORS enabled.
  • Loading branch information
harry1064 authored and James Strong committed Feb 7, 2023
1 parent 87a9f1e commit 82720c8
Show file tree
Hide file tree
Showing 2 changed files with 49 additions and 0 deletions.
4 changes: 4 additions & 0 deletions rootfs/etc/nginx/template/nginx.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -1180,6 +1180,10 @@ stream {

add_header Set-Cookie $auth_cookie;

{{ if $location.CorsConfig.CorsEnabled }}
{{ template "CORS" $location }}
{{ end }}

# Ensure that modsecurity will not run on an internal location as this is not accessible from outside
{{ if $all.Cfg.EnableModsecurity }}
modsecurity off;
Expand Down
45 changes: 45 additions & 0 deletions test/e2e/annotations/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -720,6 +720,51 @@ http {
})
})

ginkgo.Context("when external authentication is configured along with CORS enabled", func() {
host := "auth"
var annotations map[string]string
var ing *networking.Ingress

ginkgo.BeforeEach(func() {
f.NewHttpbinDeployment()

var httpbinIP string

err := framework.WaitForEndpoints(f.KubeClientSet, framework.DefaultTimeout, framework.HTTPBinService, f.Namespace, 1)
assert.Nil(ginkgo.GinkgoT(), err)

e, err := f.KubeClientSet.CoreV1().Endpoints(f.Namespace).Get(context.TODO(), framework.HTTPBinService, metav1.GetOptions{})
assert.Nil(ginkgo.GinkgoT(), err)

httpbinIP = e.Subsets[0].Addresses[0].IP

annotations = map[string]string{
"nginx.ingress.kubernetes.io/auth-url": fmt.Sprintf("http://%s/basic-auth/user/password", httpbinIP),
"nginx.ingress.kubernetes.io/auth-signin": "http://$host/auth/start",
"nginx.ingress.kubernetes.io/enable-cors": "true",
}

ing = framework.NewSingleIngress(host, "/", host, f.Namespace, framework.EchoService, 80, annotations)
f.EnsureIngress(ing)

f.WaitForNginxServer(host, func(server string) bool {
return strings.Contains(server, "server_name auth")
})
})

ginkgo.It("should redirect to signin url when not signed in along With CORS headers in response", func() {
f.HTTPTestClient().
GET("/").
WithHeader("Host", host).
WithQuery("a", "b").
WithQuery("c", "d").
Expect().
Status(http.StatusFound).
Header("Access-Control-Allow-Origin").Equal(fmt.Sprintf("*"))

})
})

ginkgo.Context("when external authentication with caching is configured", func() {
thisHost := "auth"
thatHost := "different"
Expand Down

0 comments on commit 82720c8

Please sign in to comment.