MINOR: switch CORS rules to http-after-response

Author: ivanmatmati

.aspell.yml

@@ -40,3 +40,5 @@ allowed:
  - configmaps
  - namespace
  - namespaces
+ - http
+ - CORS

pkg/annotations/annotations.go

@@ -141,6 +141,7 @@ func (a annImpl) Frontend(i *store.Ingress, r *rules.List, m maps.Maps) []Annota
 resSetCORS.NewAnnotation("cors-allow-headers"),
 resSetCORS.NewAnnotation("cors-max-age"),
 resSetCORS.NewAnnotation("cors-allow-credentials"),
+resSetCORS.NewAnnotation("cors-respond-to-options"),
 }
 }
 
@@ -248,34 +249,35 @@ func Timeout(name string, annotations ...map[string]string) (out *int64, err err
 // SpecificAnnotations is a set of annotations that uses rules to produce specific configuration with rule ID in configuration file.
 // These annotations in an ingress can't be merged with other ingresses annotations when these ingresses point to the same service because specific paths must be treated specifically.
 var SpecificAnnotations = map[string]struct{}{
-"backend-config-snippet": {},
-"deny-list": {},
-"blacklist": {},
-"allow-list": {},
-"whitelist": {},
-"src-ip-header": {},
-"auth-type": {},
-"auth-realm": {},
-"auth-secret": {},
-"ssl-redirect": {},
-"ssl-redirect-port": {},
-"ssl-redirect-code": {},
-"request-redirect": {},
-"request-redirect-code": {},
-"request-capture": {},
-"request-capture-len": {},
-"path-rewrite": {},
-"rate-limit-requests": {},
-"rate-limit-period": {},
-"rate-limit-size": {},
-"rate-limit-status-code": {},
-"request-set-header": {},
-"response-set-header": {},
-"set-host": {},
-"cors-enable": {},
-"cors-allow-origin": {},
-"cors-allow-methods": {},
-"cors-allow-headers": {},
-"cors-max-age": {},
-"cors-allow-credentials": {},
+"backend-config-snippet": {},
+"deny-list": {},
+"blacklist": {},
+"allow-list": {},
+"whitelist": {},
+"src-ip-header": {},
+"auth-type": {},
+"auth-realm": {},
+"auth-secret": {},
+"ssl-redirect": {},
+"ssl-redirect-port": {},
+"ssl-redirect-code": {},
+"request-redirect": {},
+"request-redirect-code": {},
+"request-capture": {},
+"request-capture-len": {},
+"path-rewrite": {},
+"rate-limit-requests": {},
+"rate-limit-period": {},
+"rate-limit-size": {},
+"rate-limit-status-code": {},
+"request-set-header": {},
+"response-set-header": {},
+"set-host": {},
+"cors-enable": {},
+"cors-allow-origin": {},
+"cors-allow-methods": {},
+"cors-allow-headers": {},
+"cors-max-age": {},
+"cors-allow-credentials": {},
+"cors-respond-to-options": {},
 }

pkg/annotations/ingress/resSetCORS.go

@@ -74,11 +74,11 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 origin = "%[var(txn." + corsVarName + ")]"
 }
 a.parent.rules.Add(&rules.SetHdr{
-HdrName: "Access-Control-Allow-Origin",
-HdrFormat: origin,
-Response:  true,
-CondTest: a.parent.acl,
-Cond: "if",
+HdrName:  "Access-Control-Allow-Origin",
+HdrFormat:  origin,
+AfterResponse: true,
+CondTest:  a.parent.acl,
+Cond:  "if",
 })
 case "cors-allow-methods":
 if a.parent.acl == "" {
@@ -96,23 +96,23 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 input = "\"" + strings.Join(methods, ", ") + "\""
 }
 a.parent.rules.Add(&rules.SetHdr{
-HdrName: "Access-Control-Allow-Methods",
-HdrFormat: input,
-Response:  true,
-CondTest: a.parent.acl,
-Cond: "if",
+HdrName:  "Access-Control-Allow-Methods",
+HdrFormat:  input,
+AfterResponse: true,
+CondTest:  a.parent.acl,
+Cond:  "if",
 })
 case "cors-allow-headers":
 if a.parent.acl == "" {
 return
 }
 input = strings.Join(strings.Fields(input), "") // strip spaces
 a.parent.rules.Add(rules.SetHdr{
-HdrName: "Access-Control-Allow-Headers",
-HdrFormat: "\"" + input + "\"",
-Response:  true,
-CondTest: a.parent.acl,
-Cond: "if",
+HdrName:  "Access-Control-Allow-Headers",
+HdrFormat:  "\"" + input + "\"",
+AfterResponse: true,
+CondTest:  a.parent.acl,
+Cond:  "if",
 })
 case "cors-max-age":
 if a.parent.acl == "" {
@@ -128,22 +128,29 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 return fmt.Errorf("invalid cors-max-age value %d", maxage)
 }
 a.parent.rules.Add(&rules.SetHdr{
-HdrName: "Access-Control-Max-Age",
-HdrFormat: fmt.Sprintf("\"%d\"", maxage),
-Response:  true,
-CondTest: a.parent.acl,
-Cond: "if",
+HdrName:  "Access-Control-Max-Age",
+HdrFormat:  fmt.Sprintf("\"%d\"", maxage),
+AfterResponse: true,
+CondTest:  a.parent.acl,
+Cond:  "if",
 })
 case "cors-allow-credentials":
 if a.parent.acl == "" || input != "true" {
 return
 }
 a.parent.rules.Add(&rules.SetHdr{
-HdrName: "Access-Control-Allow-Credentials",
-HdrFormat: "\"true\"",
-Response: true,
-CondTest: a.parent.acl,
-Cond: "if",
+HdrName: "Access-Control-Allow-Credentials",
+HdrFormat: "\"true\"",
+AfterResponse: true,
+CondTest: a.parent.acl,
+Cond: "if",
+})
+case "cors-respond-to-options":
+if a.parent.acl == "" || input != "true" {
+return
+}
+a.parent.rules.Add(&rules.ReqReturnStatus{
+StatusCode: 204,
 })
 default:
 err = fmt.Errorf("unknown cors annotation '%s'", a.name)

pkg/haproxy/api/api.go

@@ -169,6 +169,7 @@ type HTTPRequestRule interface {
 HTTPRequestRulesReplace(parentType, parentName string, rules models.HTTPRequestRules) error
 FrontendHTTPRequestRuleCreate(id int64, frontend string, rule models.HTTPRequestRule, ingressACL string) error
 FrontendHTTPResponseRuleCreate(id int64, frontend string, rule models.HTTPResponseRule, ingressACL string) error
+FrontendHTTPAfterResponseRuleCreate(id int64, frontend string, rule models.HTTPAfterResponseRule, ingressACL string) error
 BackendHTTPRequestRuleCreate(id int64, backend string, rule models.HTTPRequestRule) error
 }
 

pkg/haproxy/api/frontend.go

@@ -221,6 +221,12 @@ func (c *clientNative) FrontendRuleDeleteAll(frontend string) {
 break
 }
 }
+for {
+err := configuration.DeleteHTTPAfterResponseRule(0, string(parser.Frontends), frontend, c.activeTransaction, 0)
+if err != nil {
+break
+}
+}
 // No usage of TCPResponseRules yet.
 }
 
@@ -251,3 +257,15 @@ func (c *clientNative) PeerEntryDelete(peerSection, entry string) error {
 }
 return cfg.DeletePeerEntry(entry, peerSection, c.activeTransaction, 0)
 }
+
+func (c *clientNative) FrontendHTTPAfterResponseRuleCreate(id int64, frontend string, rule models.HTTPAfterResponseRule, ingressACL string) error {
+configuration, err := c.nativeAPI.Configuration()
+if err != nil {
+return err
+}
+if ingressACL != "" {
+rule.Cond = "if"
+rule.CondTest = fmt.Sprintf("%s %s", ingressACL, rule.CondTest)
+}
+return configuration.CreateHTTPAfterResponseRule(id, string(parser.Frontends), frontend, &rule, c.activeTransaction, 0)
+}

pkg/haproxy/rules/reqReturnStatus.go

@@ -0,0 +1,31 @@
+package rules
+
+import (
+"errors"
+
+"github.com/haproxytech/client-native/v6/models"
+"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/api"
+)
+
+//nolint:golint,stylecheck
+var MIME_TYPE_TEXT_PLAIN string = "text/plain"
+
+type ReqReturnStatus struct {
+StatusCode int64
+}
+
+func (r ReqReturnStatus) GetType() Type {
+return REQ_RETURN_STATUS
+}
+
+func (r ReqReturnStatus) Create(client api.HAProxyClient, frontend *models.Frontend, ingressACL string) error {
+if frontend.Mode == "tcp" {
+return errors.New("HTTP status cannot be set in TCP mode")
+}
+httpRule := models.HTTPRequestRule{
+ReturnStatusCode: &r.StatusCode,
+Type: "return",
+}
+ingressACL += " METH_OPTIONS"
+return client.FrontendHTTPRequestRuleCreate(0, frontend.Name, httpRule, ingressACL)
+}

pkg/haproxy/rules/setHdr.go

@@ -15,6 +15,7 @@ type SetHdr struct {
 Cond string
 Type Type
 Response bool
+AfterResponse bool
 ForwardedProto bool
 }
 
@@ -52,6 +53,17 @@ func (r SetHdr) Create(client api.HAProxyClient, frontend *models.Frontend, ingr
 }
 return client.FrontendHTTPResponseRuleCreate(0, frontend.Name, httpRule, ingressACL)
 }
+
+if r.AfterResponse {
+httpRule := models.HTTPAfterResponseRule{
+Type: "set-header",
+HdrName: r.HdrName,
+HdrFormat: r.HdrFormat,
+CondTest: r.CondTest,
+Cond: r.Cond,
+}
+return client.FrontendHTTPAfterResponseRuleCreate(0, frontend.Name, httpRule, ingressACL)
+}
 // REQ_SET_HEADER
 httpRule := models.HTTPRequestRule{
 Type: "set-header",

pkg/haproxy/rules/types.go

@@ -21,6 +21,7 @@ const (
 REQ_SET_HEADER
 REQ_SET_HOST
 REQ_PATH_REWRITE
+REQ_RETURN_STATUS
 RES_SET_HEADER
 )
 
@@ -41,4 +42,5 @@ var constLookup = map[Type]string{
 REQ_SET_HOST: "REQ_SET_HOST",
 REQ_PATH_REWRITE: "REQ_PATH_REWRITE",
 RES_SET_HEADER: "RES_SET_HEADER",
+REQ_RETURN_STATUS: "REQ_RETURN_STATUS",
 }