feat(cors): Allowed more wildcard options (envoyproxy#2453)

* allowed more CORS wildcard options Signed-off-by: jaynis <[email protected]> * fixed quotes with wrong character encoding Signed-off-by: jaynis <[email protected]> * generated manifests Signed-off-by: jaynis <[email protected]> * gofmt Signed-off-by: jaynis <[email protected]> * fixed regex escape characters in cel validation Signed-off-by: jaynis <[email protected]> * fixed cel validation test Signed-off-by: jaynis <[email protected]> * removed wildcard port matching Signed-off-by: jaynis <[email protected]> * removed wildcard port test Signed-off-by: jaynis <[email protected]> --------- Signed-off-by: jaynis <[email protected]> Co-authored-by: Huabing Zhao <[email protected]>
zhaohuabing · Jan 20, 2024 · 3510eda · 3510eda
1 parent 20b8497
commit 3510eda
Show file tree

Hide file tree

Showing 7 changed files with 341 additions and 19 deletions.
diff --git a/api/v1alpha1/cors_types.go b/api/v1alpha1/cors_types.go
@@ -8,19 +8,22 @@ package v1alpha1
 import metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 // Origin is defined by the scheme (protocol), hostname (domain), and port of
-// the URL used to access it. The hostname can be “precise” which is just the
-// domain name or “wildcard” which is a domain name prefixed with a single
-// wildcard label such as “*.example.com”.
+// the URL used to access it. The hostname can be "precise" which is just the
+// domain name or "wildcard" which is a domain name prefixed with a single
+// wildcard label such as "*.example.com".
+// In addition to that a single wildcard (with or without scheme) can be
+// configured to match any origin.
 //
 // For example, the following are valid origins:
 // - https://foo.example.com
 // - https://*.example.com
 // - http://foo.example.com:8080
 // - http://*.example.com:8080
+// - https://*
 //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=253
-// +kubebuilder:validation:Pattern=`^https?:\/\/(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(:[0-9]+)?$`
+// +kubebuilder:validation:Pattern=`^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$`
 type Origin string
 
 // CORS defines the configuration for Cross-Origin Resource Sharing (CORS).

diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -125,14 +125,16 @@ spec:
                     items:
                       description: "Origin is defined by the scheme (protocol), hostname
                         (domain), and port of the URL used to access it. The hostname
-                        can be “precise” which is just the domain name or “wildcard”
+                        can be \"precise\" which is just the domain name or \"wildcard\"
                         which is a domain name prefixed with a single wildcard label
-                        such as “*.example.com”. \n For example, the following are
-                        valid origins: - https://foo.example.com - https://*.example.com
-                        - http://foo.example.com:8080 - http://*.example.com:8080"
+                        such as \"*.example.com\". In addition to that a single wildcard
+                        (with or without scheme) can be configured to match any origin.
+                        \n For example, the following are valid origins: - https://foo.example.com
+                        - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080
+                        - https://*"
                       maxLength: 253
                       minLength: 1
-                      pattern: ^https?:\/\/(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*(:[0-9]+)?$
+                      pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$
                       type: string
                     minItems: 1
                     type: array

diff --git a/internal/gatewayapi/securitypolicy_test.go b/internal/gatewayapi/securitypolicy_test.go
@@ -62,6 +62,24 @@ func Test_wildcard2regex(t *testing.T) {
 			origin:   "http://foo.example.com",
 			want:     0,
 		},
+		{
+			name:     "test8",
+			wildcard: "http://*",
+			origin:   "http://foo.example.com",
+			want:     1,
+		},
+		{
+			name:     "test9",
+			wildcard: "http://*",
+			origin:   "https://foo.example.com",
+			want:     0,
+		},
+		{
+			name:     "test10",
+			wildcard: "*",
+			origin:   "http://foo.example.com",
+			want:     1,
+		},
 	}
 
 	for _, tt := range tests {

diff --git a/internal/gatewayapi/testdata/securitypolicy-with-cors.in.yaml b/internal/gatewayapi/testdata/securitypolicy-with-cors.in.yaml
@@ -27,6 +27,20 @@ gateways:
       allowedRoutes:
         namespaces:
           from: All
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-3
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
 grpcRoutes:
 - apiVersion: gateway.networking.k8s.io/v1alpha2
   kind: GRPCRoute
@@ -62,12 +76,31 @@ httpRoutes:
       backendRefs:
       - name: service-1
         port: 8080
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-2
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-3
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/"
+      backendRefs:
+      - name: service-2
+        port: 8080
 securityPolicies:
 - apiVersion: gateway.envoyproxy.io/v1alpha1
   kind: SecurityPolicy
   metadata:
     namespace: envoy-gateway
-    name: policy-for-gateway
+    name: policy-for-gateway-1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -78,6 +111,7 @@ securityPolicies:
       allowOrigins:
       - "http://*.example.com"
       - "http://foo.bar.com"
+      - "https://*"
       allowMethods:
       - GET
       - POST
@@ -92,7 +126,7 @@ securityPolicies:
   kind: SecurityPolicy
   metadata:
     namespace: default
-    name: policy-for-route
+    name: policy-for-route-1
   spec:
     targetRef:
       group: gateway.networking.k8s.io
@@ -113,3 +147,27 @@ securityPolicies:
       - "x-header-7"
       - "x-header-8"
       maxAge: 2000s
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: SecurityPolicy
+  metadata:
+    namespace: default
+    name: policy-for-route-2
+  spec:
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: HTTPRoute
+      name: httproute-2
+      namespace: default
+    cors:
+      allowOrigins:
+      - "*"
+      allowMethods:
+      - GET
+      - POST
+      allowHeaders:
+      - "x-header-5"
+      - "x-header-6"
+      exposeHeaders:
+      - "x-header-7"
+      - "x-header-8"
+      maxAge: 2000s