MINOR: switch CORS rules to http-after-response

Author: ivanmatmati

.aspell.yml

@@ -40,3 +40,5 @@ allowed:
   - configmaps
   - namespace
   - namespaces
+  - http
+  - CORS

pkg/annotations/annotations.go

@@ -141,6 +141,7 @@ func (a annImpl) Frontend(i *store.Ingress, r *rules.List, m maps.Maps) []Annota
 		resSetCORS.NewAnnotation("cors-allow-headers"),
 		resSetCORS.NewAnnotation("cors-max-age"),
 		resSetCORS.NewAnnotation("cors-allow-credentials"),
+		resSetCORS.NewAnnotation("cors-respond-to-options"),
 	}
 }
 
@@ -248,34 +249,35 @@ func Timeout(name string, annotations ...map[string]string) (out *int64, err err
 // SpecificAnnotations is a set of annotations that uses rules to produce specific configuration with rule ID in configuration file.
 // These annotations in an ingress can't be merged with other ingresses annotations when these ingresses point to the same service because specific paths must be treated specifically.
 var SpecificAnnotations = map[string]struct{}{
-	"backend-config-snippet": {},
-	"deny-list":              {},
-	"blacklist":              {},
-	"allow-list":             {},
-	"whitelist":              {},
-	"src-ip-header":          {},
-	"auth-type":              {},
-	"auth-realm":             {},
-	"auth-secret":            {},
-	"ssl-redirect":           {},
-	"ssl-redirect-port":      {},
-	"ssl-redirect-code":      {},
-	"request-redirect":       {},
-	"request-redirect-code":  {},
-	"request-capture":        {},
-	"request-capture-len":    {},
-	"path-rewrite":           {},
-	"rate-limit-requests":    {},
-	"rate-limit-period":      {},
-	"rate-limit-size":        {},
-	"rate-limit-status-code": {},
-	"request-set-header":     {},
-	"response-set-header":    {},
-	"set-host":               {},
-	"cors-enable":            {},
-	"cors-allow-origin":      {},
-	"cors-allow-methods":     {},
-	"cors-allow-headers":     {},
-	"cors-max-age":           {},
-	"cors-allow-credentials": {},
+	"backend-config-snippet":  {},
+	"deny-list":               {},
+	"blacklist":               {},
+	"allow-list":              {},
+	"whitelist":               {},
+	"src-ip-header":           {},
+	"auth-type":               {},
+	"auth-realm":              {},
+	"auth-secret":             {},
+	"ssl-redirect":            {},
+	"ssl-redirect-port":       {},
+	"ssl-redirect-code":       {},
+	"request-redirect":        {},
+	"request-redirect-code":   {},
+	"request-capture":         {},
+	"request-capture-len":     {},
+	"path-rewrite":            {},
+	"rate-limit-requests":     {},
+	"rate-limit-period":       {},
+	"rate-limit-size":         {},
+	"rate-limit-status-code":  {},
+	"request-set-header":      {},
+	"response-set-header":     {},
+	"set-host":                {},
+	"cors-enable":             {},
+	"cors-allow-origin":       {},
+	"cors-allow-methods":      {},
+	"cors-allow-headers":      {},
+	"cors-max-age":            {},
+	"cors-allow-credentials":  {},
+	"cors-respond-to-options": {},
 }

pkg/annotations/ingress/resSetCORS.go

@@ -74,11 +74,11 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 			origin = "%[var(txn." + corsVarName + ")]"
 		}
 		a.parent.rules.Add(&rules.SetHdr{
-			HdrName:   "Access-Control-Allow-Origin",
-			HdrFormat: origin,
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Allow-Origin",
+			HdrFormat:     origin,
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
 		})
 	case "cors-allow-methods":
 		if a.parent.acl == "" {
@@ -96,23 +96,23 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 			input = "\"" + strings.Join(methods, ", ") + "\""
 		}
 		a.parent.rules.Add(&rules.SetHdr{
-			HdrName:   "Access-Control-Allow-Methods",
-			HdrFormat: input,
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Allow-Methods",
+			HdrFormat:     input,
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
 		})
 	case "cors-allow-headers":
 		if a.parent.acl == "" {
 			return
 		}
 		input = strings.Join(strings.Fields(input), "") // strip spaces
 		a.parent.rules.Add(rules.SetHdr{
-			HdrName:   "Access-Control-Allow-Headers",
-			HdrFormat: "\"" + input + "\"",
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Allow-Headers",
+			HdrFormat:     "\"" + input + "\"",
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
 		})
 	case "cors-max-age":
 		if a.parent.acl == "" {
@@ -128,22 +128,29 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 			return fmt.Errorf("invalid cors-max-age value %d", maxage)
 		}
 		a.parent.rules.Add(&rules.SetHdr{
-			HdrName:   "Access-Control-Max-Age",
-			HdrFormat: fmt.Sprintf("\"%d\"", maxage),
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Max-Age",
+			HdrFormat:     fmt.Sprintf("\"%d\"", maxage),
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
 		})
 	case "cors-allow-credentials":
 		if a.parent.acl == "" || input != "true" {
 			return
 		}
 		a.parent.rules.Add(&rules.SetHdr{
-			HdrName:   "Access-Control-Allow-Credentials",
-			HdrFormat: "\"true\"",
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Allow-Credentials",
+			HdrFormat:     "\"true\"",
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
+		})
+	case "cors-respond-to-options":
+		if a.parent.acl == "" || input != "true" {
+			return
+		}
+		a.parent.rules.Add(&rules.ReqReturnStatus{
+			StatusCode: 204,
 		})
 	default:
 		err = fmt.Errorf("unknown cors annotation '%s'", a.name)

pkg/haproxy/api/api.go

@@ -169,6 +169,7 @@ type HTTPRequestRule interface {
 	HTTPRequestRulesReplace(parentType, parentName string, rules models.HTTPRequestRules) error
 	FrontendHTTPRequestRuleCreate(id int64, frontend string, rule models.HTTPRequestRule, ingressACL string) error
 	FrontendHTTPResponseRuleCreate(id int64, frontend string, rule models.HTTPResponseRule, ingressACL string) error
+	FrontendHTTPAfterResponseRuleCreate(id int64, frontend string, rule models.HTTPAfterResponseRule, ingressACL string) error
 	BackendHTTPRequestRuleCreate(id int64, backend string, rule models.HTTPRequestRule) error
 }
 

pkg/haproxy/api/frontend.go

@@ -221,6 +221,12 @@ func (c *clientNative) FrontendRuleDeleteAll(frontend string) {
 			break
 		}
 	}
+	for {
+		err := configuration.DeleteHTTPAfterResponseRule(0, string(parser.Frontends), frontend, c.activeTransaction, 0)
+		if err != nil {
+			break
+		}
+	}
 	// No usage of TCPResponseRules yet.
 }
 
@@ -251,3 +257,15 @@ func (c *clientNative) PeerEntryDelete(peerSection, entry string) error {
 	}
 	return cfg.DeletePeerEntry(entry, peerSection, c.activeTransaction, 0)
 }
+
+func (c *clientNative) FrontendHTTPAfterResponseRuleCreate(id int64, frontend string, rule models.HTTPAfterResponseRule, ingressACL string) error {
+	configuration, err := c.nativeAPI.Configuration()
+	if err != nil {
+		return err
+	}
+	if ingressACL != "" {
+		rule.Cond = "if"
+		rule.CondTest = fmt.Sprintf("%s %s", ingressACL, rule.CondTest)
+	}
+	return configuration.CreateHTTPAfterResponseRule(id, string(parser.Frontends), frontend, &rule, c.activeTransaction, 0)
+}

pkg/haproxy/rules/reqReturnStatus.go

@@ -0,0 +1,31 @@
+package rules
+
+import (
+	"errors"
+
+	"github.com/haproxytech/client-native/v6/models"
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/api"
+)
+
+//nolint:golint,stylecheck
+var MIME_TYPE_TEXT_PLAIN string = "text/plain"
+
+type ReqReturnStatus struct {
+	StatusCode int64
+}
+
+func (r ReqReturnStatus) GetType() Type {
+	return REQ_RETURN_STATUS
+}
+
+func (r ReqReturnStatus) Create(client api.HAProxyClient, frontend *models.Frontend, ingressACL string) error {
+	if frontend.Mode == "tcp" {
+		return errors.New("HTTP status cannot be set in TCP mode")
+	}
+	httpRule := models.HTTPRequestRule{
+		ReturnStatusCode: &r.StatusCode,
+		Type:             "return",
+	}
+	ingressACL += " METH_OPTIONS"
+	return client.FrontendHTTPRequestRuleCreate(0, frontend.Name, httpRule, ingressACL)
+}

pkg/haproxy/rules/setHdr.go

@@ -15,6 +15,7 @@ type SetHdr struct {
 	Cond           string
 	Type           Type
 	Response       bool
+	AfterResponse  bool
 	ForwardedProto bool
 }
 
@@ -52,6 +53,17 @@ func (r SetHdr) Create(client api.HAProxyClient, frontend *models.Frontend, ingr
 		}
 		return client.FrontendHTTPResponseRuleCreate(0, frontend.Name, httpRule, ingressACL)
 	}
+
+	if r.AfterResponse {
+		httpRule := models.HTTPAfterResponseRule{
+			Type:      "set-header",
+			HdrName:   r.HdrName,
+			HdrFormat: r.HdrFormat,
+			CondTest:  r.CondTest,
+			Cond:      r.Cond,
+		}
+		return client.FrontendHTTPAfterResponseRuleCreate(0, frontend.Name, httpRule, ingressACL)
+	}
 	// REQ_SET_HEADER
 	httpRule := models.HTTPRequestRule{
 		Type:      "set-header",

pkg/haproxy/rules/types.go

@@ -21,6 +21,7 @@ const (
 	REQ_SET_HEADER
 	REQ_SET_HOST
 	REQ_PATH_REWRITE
+	REQ_RETURN_STATUS
 	RES_SET_HEADER
 )
 
@@ -41,4 +42,5 @@ var constLookup = map[Type]string{
 	REQ_SET_HOST:        "REQ_SET_HOST",
 	REQ_PATH_REWRITE:    "REQ_PATH_REWRITE",
 	RES_SET_HEADER:      "RES_SET_HEADER",
+	REQ_RETURN_STATUS:   "REQ_RETURN_STATUS",
 }