MINOR: switch CORS rules to http-after-response

Author: ivanmatmati

.aspell.yml

@@ -48,3 +48,5 @@ allowed:
   - configmaps
   - namespace
   - namespaces
+  - http
+  - CORS

pkg/annotations/annotations.go

@@ -141,6 +141,7 @@ func (a annImpl) Frontend(i *store.Ingress, r *rules.List, m maps.Maps) []Annota
 		resSetCORS.NewAnnotation("cors-allow-headers"),
 		resSetCORS.NewAnnotation("cors-max-age"),
 		resSetCORS.NewAnnotation("cors-allow-credentials"),
+		resSetCORS.NewAnnotation("cors-respond-to-options"),
 	}
 }
 

pkg/annotations/ingress/resSetCORS.go

@@ -74,11 +74,11 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 			origin = "%[var(txn." + corsVarName + ")]"
 		}
 		a.parent.rules.Add(&rules.SetHdr{
-			HdrName:   "Access-Control-Allow-Origin",
-			HdrFormat: origin,
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Allow-Origin",
+			HdrFormat:     origin,
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
 		})
 	case "cors-allow-methods":
 		if a.parent.acl == "" {
@@ -96,23 +96,23 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 			input = "\"" + strings.Join(methods, ", ") + "\""
 		}
 		a.parent.rules.Add(&rules.SetHdr{
-			HdrName:   "Access-Control-Allow-Methods",
-			HdrFormat: input,
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Allow-Methods",
+			HdrFormat:     input,
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
 		})
 	case "cors-allow-headers":
 		if a.parent.acl == "" {
 			return
 		}
 		input = strings.Join(strings.Fields(input), "") // strip spaces
 		a.parent.rules.Add(rules.SetHdr{
-			HdrName:   "Access-Control-Allow-Headers",
-			HdrFormat: "\"" + input + "\"",
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Allow-Headers",
+			HdrFormat:     "\"" + input + "\"",
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
 		})
 	case "cors-max-age":
 		if a.parent.acl == "" {
@@ -128,22 +128,29 @@ func (a ResSetCORSAnn) Process(k store.K8s, annotations ...map[string]string) (e
 			return fmt.Errorf("invalid cors-max-age value %d", maxage)
 		}
 		a.parent.rules.Add(&rules.SetHdr{
-			HdrName:   "Access-Control-Max-Age",
-			HdrFormat: fmt.Sprintf("\"%d\"", maxage),
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Max-Age",
+			HdrFormat:     fmt.Sprintf("\"%d\"", maxage),
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
 		})
 	case "cors-allow-credentials":
 		if a.parent.acl == "" || input != "true" {
 			return
 		}
 		a.parent.rules.Add(&rules.SetHdr{
-			HdrName:   "Access-Control-Allow-Credentials",
-			HdrFormat: "\"true\"",
-			Response:  true,
-			CondTest:  a.parent.acl,
-			Cond:      "if",
+			HdrName:       "Access-Control-Allow-Credentials",
+			HdrFormat:     "\"true\"",
+			AfterResponse: true,
+			CondTest:      a.parent.acl,
+			Cond:          "if",
+		})
+	case "cors-respond-to-options":
+		if a.parent.acl == "" || input != "true" {
+			return
+		}
+		a.parent.rules.Add(&rules.ReqReturnStatus{
+			StatusCode: 204,
 		})
 	default:
 		err = fmt.Errorf("unknown cors annotation '%s'", a.name)

pkg/haproxy/api/api.go

@@ -71,6 +71,7 @@ type HAProxyClient interface { //nolint:interfacebloat
 	FrontendBindDelete(frontend string, bind string) error
 	FrontendHTTPRequestRuleCreate(frontend string, rule models.HTTPRequestRule, ingressACL string) error
 	FrontendHTTPResponseRuleCreate(frontend string, rule models.HTTPResponseRule, ingressACL string) error
+	FrontendHTTPAfterResponseRuleCreate(frontend string, rule models.HTTPAfterResponseRule, ingressACL string) error
 	FrontendTCPRequestRuleCreate(frontend string, rule models.TCPRequestRule, ingressACL string) error
 	FrontendRuleDeleteAll(frontend string)
 	GlobalGetLogTargets() (models.LogTargets, error)

pkg/haproxy/api/frontend.go

@@ -3,6 +3,7 @@ package api
 import (
 	"fmt"
 
+	parser "github.com/haproxytech/client-native/v5/config-parser"
 	"github.com/haproxytech/client-native/v5/config-parser/types"
 	"github.com/haproxytech/client-native/v5/models"
 	"github.com/haproxytech/kubernetes-ingress/pkg/utils"
@@ -231,6 +232,12 @@ func (c *clientNative) FrontendRuleDeleteAll(frontend string) {
 			break
 		}
 	}
+	for {
+		err := configuration.DeleteHTTPAfterResponseRule(0, "frontend", frontend, c.activeTransaction, 0)
+		if err != nil {
+			break
+		}
+	}
 	// No usage of TCPResponseRules yet.
 }
 
@@ -263,3 +270,15 @@ func (c *clientNative) PeerEntryDelete(peerSection, entry string) error {
 	}
 	return cfg.DeletePeerEntry(entry, peerSection, c.activeTransaction, 0)
 }
+
+func (c *clientNative) FrontendHTTPAfterResponseRuleCreate(frontend string, rule models.HTTPAfterResponseRule, ingressACL string) error {
+	configuration, err := c.nativeAPI.Configuration()
+	if err != nil {
+		return err
+	}
+	if ingressACL != "" {
+		rule.Cond = "if"
+		rule.CondTest = fmt.Sprintf("%s %s", ingressACL, rule.CondTest)
+	}
+	return configuration.CreateHTTPAfterResponseRule(string(parser.Frontends), frontend, &rule, c.activeTransaction, 0)
+}

pkg/haproxy/rules/reqReturnStatus.go.go

@@ -0,0 +1,33 @@
+package rules
+
+import (
+	"errors"
+
+	"github.com/haproxytech/client-native/v5/models"
+	"github.com/haproxytech/kubernetes-ingress/pkg/haproxy/api"
+	"github.com/haproxytech/kubernetes-ingress/pkg/utils"
+)
+
+//nolint:golint,stylecheck
+var MIME_TYPE_TEXT_PLAIN string = "text/plain"
+
+type ReqReturnStatus struct {
+	StatusCode int64
+}
+
+func (r ReqReturnStatus) GetType() Type {
+	return REQ_RETURN_STATUS
+}
+
+func (r ReqReturnStatus) Create(client api.HAProxyClient, frontend *models.Frontend, ingressACL string) error {
+	if frontend.Mode == "tcp" {
+		return errors.New("HTTP status cannot be set in TCP mode")
+	}
+	httpRule := models.HTTPRequestRule{
+		Index:            utils.PtrInt64(0),
+		ReturnStatusCode: &r.StatusCode,
+		Type:             "return",
+	}
+	ingressACL += " METH_OPTIONS"
+	return client.FrontendHTTPRequestRuleCreate(frontend.Name, httpRule, ingressACL)
+}

pkg/haproxy/rules/setHdr.go

@@ -16,6 +16,7 @@ type SetHdr struct {
 	Cond           string
 	Type           Type
 	Response       bool
+	AfterResponse  bool
 	ForwardedProto bool
 }
 
@@ -55,6 +56,17 @@ func (r SetHdr) Create(client api.HAProxyClient, frontend *models.Frontend, ingr
 		}
 		return client.FrontendHTTPResponseRuleCreate(frontend.Name, httpRule, ingressACL)
 	}
+	if r.AfterResponse {
+		httpRule := models.HTTPAfterResponseRule{
+			Index:     utils.PtrInt64(0),
+			Type:      "set-header",
+			HdrName:   r.HdrName,
+			HdrFormat: r.HdrFormat,
+			CondTest:  r.CondTest,
+			Cond:      r.Cond,
+		}
+		return client.FrontendHTTPAfterResponseRuleCreate(frontend.Name, httpRule, ingressACL)
+	}
 	// REQ_SET_HEADER
 	httpRule := models.HTTPRequestRule{
 		Index:     utils.PtrInt64(0),

pkg/haproxy/rules/types.go

@@ -21,6 +21,7 @@ const (
 	REQ_SET_HEADER
 	REQ_SET_HOST
 	REQ_PATH_REWRITE
+	REQ_RETURN_STATUS
 	RES_SET_HEADER
 )
 
@@ -41,4 +42,5 @@ var constLookup = map[Type]string{
 	REQ_SET_HOST:        "REQ_SET_HOST",
 	REQ_PATH_REWRITE:    "REQ_PATH_REWRITE",
 	RES_SET_HEADER:      "RES_SET_HEADER",
+	REQ_RETURN_STATUS:   "REQ_RETURN_STATUS",
 }