feat: add CORS to SecurityPolicy

[zhaohuabing]

What this PR does:

• Adds CORS to SecurityPolicy.
• Follow Golang name convention to rename IR type "Cors" to "CORS"

Relate issues:

• proposal: SecurityPolicy #1845
• Enabling CORS for a HTTPRoute  #567

Related PRs:

• feat: init SecurityPolicy #1957
• feat: CORS ir and xds translation #2016

BTW, the string match types are a bit messy. They're defined in multiple APIs but look similar. For most of EG APIs(Ratelimit and CORS for now, more in the future), the match types are just used to represent the StringMatcher XDS API. I think we can have one common string match structure used by all the EG APIs. I would like to raise a PR to refactor it if it makes sense.

[codecov]

Codecov Report

Merging #2065 (5210f73) into main (e83e076) will increase coverage by 0.12%.
The diff coverage is 74.35%.

@@            Coverage Diff             @@
##             main    #2065      +/-   ##
==========================================
+ Coverage   65.01%   65.13%   +0.12%     
==========================================
  Files          99       99              
  Lines       14536    14598      +62     
==========================================
+ Hits         9450     9509      +59     
- Misses       4498     4502       +4     
+ Partials      588      587       -1     

Files	Coverage Δ
internal/gatewayapi/securitypolicy.go	76.25% <100.00%> (+7.77%)	⬆️
internal/gatewayapi/translator.go	98.50% <100.00%> (ø)
internal/ir/xds.go	74.10% <ø> (ø)
internal/xds/translator/cors.go	65.97% <100.00%> (ø)
internal/xds/translator/httpfilters.go	78.26% <0.00%> (ø)
internal/status/securitypolicy.go	0.00% <0.00%> (ø)
internal/ir/zz_generated.deepcopy.go	11.97% <0.00%> (ø)

... and 2 files with indirect coverage changes

[arkodg]

min length for AllowOrigins should be 1

[zhaohuabing]

I think an empty AllowOrigins could be useful if the backend service allows CORS but we want to explicitly disable it at the Gateway.

I remember we discussed this at the ir PR.

[arkodg]

not setting CORS disables CORS :)

[zhaohuabing]

Yes, it's a bit tricky. Maybe we should add some comments on the API.

[arkodg]

what happens when AllowMethods is empty ?
are all requests types allowed or none ?

[zhaohuabing]

None, just like empty AllowOrigins.

[zhaohuabing]

I did some experiments, the CORS filter won't set "Access-Control-Request-Headers" in the preflight response if AllowMethods is empty. So it means none Method Types are allowed.

curl -H "Origin: http://example.com" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: X-Requested-With" \
  -X OPTIONS --verbose \
  http://localhost:8002/cors/open
*   Trying 127.0.0.1:8002...
* Connected to localhost (127.0.0.1) port 8002 (#0)
> OPTIONS /cors/open HTTP/1.1
> Host: localhost:8002
> User-Agent: curl/8.1.2
> Accept: */*
> Origin: http://example.com
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: X-Requested-With
> 
< HTTP/1.1 200 OK
< access-control-allow-origin: http://example.com
< date: Wed, 25 Oct 2023 17:32:39 GMT
< server: envoy
< content-length: 0
< 
* Connection #0 to host localhost left intact

[arkodg]

cool, so its opt in, thanks for running the test

[arkodg]

looking good @zhaohuabing ! added some comments

[arkodg]

LGTM thanks !

[zhaohuabing]

Need to retrigger the coverage-test.

[arkodg]

/retest

[zirain]

can you open an issue to track this?

[zhaohuabing]

#2067