
Add AllowCredentials knob to CORS setting (envoyproxy#2307)
add AllowCredentials knob to CORS setting

Signed-off-by: huabing zhao <[email protected]>
zhaohuabing authored Dec 15, 2023
1 parent 9aebfdc commit 52946be
Showing 9 changed files with 25 additions and 5 deletions.
3 changes: 3 additions & 0 deletions api/v1alpha1/cors_types.go
Expand Up @@ -21,4 +21,7 @@ type CORS struct {
ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"`
// MaxAge defines how long the results of a preflight request can be cached.
MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"`
// AllowCredentials indicates whether a request can include user credentials
// like cookies, authentication headers, or TLS client certificates.
AllowCredentials *bool `json:"allowCredentials,omitempty" yaml:"allowCredentials,omitempty"`
}
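Review bot: The new doc comment on `AllowCredentials` should state the default and its interaction with `AllowOrigins`, because this is the field that turns a permissive origin list into a credential-leaking one. Unset is treated as false by the translator in this commit (the `!= nil && *` expression in securitypolicy.go), and once credentials are enabled a `*` or wildcard entry in `AllowOrigins` lets any site make cookie- or token-bearing cross-origin requests; browsers only refuse a literal `Access-Control-Allow-Origin: *` together with credentials, and as far as I recall Envoy's cors filter echoes the matched request Origin rather than emitting `*`, so that browser safeguard does not apply here. I would extend the comment with `// Defaults to false. Must not be combined with a wildcard entry in AllowOrigins,` / `// since that would let any site make credentialed cross-origin requests.` and back it with a CEL validation rule or a translator check that rejects the combination.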
5 changes: 5 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -101,6 +101,11 @@ spec:
description: CORS defines the configuration for Cross-Origin Resource
Sharing (CORS).
properties:
allowCredentials:
description: AllowCredentials indicates whether a request can
include user credentials like cookies, authentication headers,
or TLS client certificates.
type: boolean
allowHeaders:
description: AllowHeaders defines the headers that are allowed
to be sent with requests.
11 changes: 6 additions & 5 deletions internal/gatewayapi/securitypolicy.go
Expand Up @@ -413,11 +413,12 @@ func (t *Translator) buildCORS(cors *egv1a1.CORS) (*ir.CORS, error) {
}

return &ir.CORS{
AllowOrigins: allowOrigins,
AllowMethods: cors.AllowMethods,
AllowHeaders: cors.AllowHeaders,
ExposeHeaders: cors.ExposeHeaders,
MaxAge: cors.MaxAge,
AllowOrigins: allowOrigins,
AllowMethods: cors.AllowMethods,
AllowHeaders: cors.AllowHeaders,
ExposeHeaders: cors.ExposeHeaders,
MaxAge: cors.MaxAge,
AllowCredentials: cors.AllowCredentials != nil && *cors.AllowCredentials,
}, nil
}

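Review bot: `AllowCredentials` is passed straight through on the new `AllowCredentials:` line with no check against the origins collected above, so a policy with `allowCredentials: true` and a `*` (or wildcard) entry in `allowOrigins` translates cleanly into an origin-reflecting, credentialed CORS policy — the combination the CORS spec forbids and the classic cross-origin credential leak. buildCORS starts above the hunk, where `allowOrigins` is built, so I cannot see whether wildcard entries are accepted there; if they are, the translator should fail the policy before the `return &ir.CORS{` line, along the lines of `if cors.AllowCredentials != nil && *cors.AllowCredentials && <allowOrigins contains "*" or a catch-all pattern> { return nil, fmt.Errorf("cors: allowCredentials cannot be combined with a wildcard allowOrigin") }`, with the predicate and names adapted to the loop above and `errors.New` if the file does not import fmt. A unit test asserting that rejection would belong next to the existing buildCORS tests.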
2 changes: 2 additions & 0 deletions internal/ir/xds.go
Expand Up @@ -328,6 +328,8 @@ type CORS struct {
ExposeHeaders []string `json:"exposeHeaders,omitempty" yaml:"exposeHeaders,omitempty"`
// MaxAge defines how long the results of a preflight request can be cached.
MaxAge *metav1.Duration `json:"maxAge,omitempty" yaml:"maxAge,omitempty"`
// AllowCredentials indicates whether a request can include user credentials.
AllowCredentials bool `json:"allowCredentials,omitempty" yaml:"allowCredentials,omitempty"`
}

// JWT defines the schema for authenticating HTTP requests using
1 change: 1 addition & 0 deletions internal/xds/translator/cors.go
Expand Up @@ -140,6 +140,7 @@ func (*cors) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
if irRoute.CORS.MaxAge != nil {
maxAge = strconv.Itoa(int(irRoute.CORS.MaxAge.Seconds()))
}
allowCredentials = &wrappers.BoolValue{Value: irRoute.CORS.AllowCredentials}

routeCfgProto := &corsv3.CorsPolicy{
AllowOriginStringMatch: allowOrigins,
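Review bot: The new line wraps the flag unconditionally, so every generated CorsPolicy now carries an explicit `allowCredentials: false` BoolValue even when the user never set the field, which differs from the `maxAge` guard two lines above and from the nil-when-unset convention the other optional fields follow. Envoy treats an absent and a false `allow_credentials` the same as far as I can tell, so this is a style point rather than a bug, but I would mirror the maxAge pattern: `if irRoute.CORS.AllowCredentials { allowCredentials = &wrappers.BoolValue{Value: true} }` so `allowCredentials` stays nil when the field is unset. patchRoute starts above the hunk, where `allowCredentials` must be declared since the new line assigns it with `=`.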
1 change: 1 addition & 0 deletions internal/xds/translator/testdata/in/xds-ir/cors.yaml
Expand Up @@ -32,4 +32,5 @@ http:
exposeHeaders:
- "x-header-3"
- "x-header-4"
allowCredentials: true
maxAge: 1000s
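Review bot: The fixture only exercises `allowCredentials: true`; there is no CORS input with the field omitted, so the golden output does not pin what the translator emits for the unset case. That matters here because the xds translator in this commit now always builds a BoolValue for the field, so whether unset routes gain an `allowCredentials: false` line is invisible to the test. I would add a second route (or a sibling fixture) with `allowCredentials` omitted, and ideally one with `allowCredentials: false`, so the default behaviour is covered and cannot flip unnoticed.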
Expand Up @@ -13,6 +13,7 @@
typedPerFilterConfig:
envoy.filters.http.cors:
'@type': type.googleapis.com/envoy.extensions.filters.http.cors.v3.CorsPolicy
allowCredentials: true
allowHeaders: x-header-1, x-header-2
allowMethods: GET, POST
allowOriginStringMatch:
1 change: 1 addition & 0 deletions site/content/en/latest/api/extension_types.md
Expand Up @@ -123,6 +123,7 @@ _Appears in:_
| `allowHeaders` _string array_ | AllowHeaders defines the headers that are allowed to be sent with requests. |
| `exposeHeaders` _string array_ | ExposeHeaders defines the headers that can be exposed in the responses. |
| `maxAge` _[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#duration-v1-meta)_ | MaxAge defines how long the results of a preflight request can be cached. |
| `allowCredentials` _boolean_ | AllowCredentials indicates whether a request can include user credentials like cookies, authentication headers, or TLS client certificates. |


#### ClaimToHeader
