EyalPazz
Member

/kind test
/area conformance-test

What this PR does / why we need it:
Test for proper CORS allow-credentials behavior, and add the CORS Feature

Which issue(s) this PR fixes:

Fixes #3946

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/test area/conformance-test Issues or PRs related to Conformance tests. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 13, 2025
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Aug 13, 2025
@EyalPazz
Member Author

/retest

@EyalPazz
Member Author

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Aug 13, 2025
@EyalPazz
Member Author

/retest

@EyalPazz
Member Author

/test CRD Validation / CEL (v1.33.0, experimental) (pull_request)

@k8s-ci-robot
Contributor

@EyalPazz: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test pull-gateway-api-test
/test pull-gateway-api-verify

Use /test all to run all jobs.

In response to this:

/test CRD Validation / CEL (v1.33.0, experimental) (pull_request)

@EyalPazz
Member Author

/test all

@shaneutt shaneutt moved this to Review in Release v1.4.0 Aug 19, 2025
@shaneutt shaneutt added this to the v1.4.0 milestone Aug 19, 2025
@shaneutt shaneutt self-assigned this Aug 19, 2025
@shaneutt shaneutt requested a review from robscott August 19, 2025 19:32
@shaneutt
Member

/cc @lianglli

@kubernetes-sigs kubernetes-sigs deleted a comment from k8s-ci-robot Aug 19, 2025
Member

@shaneutt shaneutt left a comment

Looks good

/approve

A few minor comments. Ideally I would like to hold until we have some feedback on running the tests on at least one implementation:

/hold

/cc @robscott @lianglli

origin := "https://app.example"

testCases := []http.ExpectedResponse{
{
Member

nit: it's good to use the TestCaseName here when you can. We kind of (ab)use it in various places to provide a description explaining the test's intent.

Member Author

Pascal or Camel case?

Member

Actually several of them are basically just descriptions with spaces and everything. We may even want to rename it Description (or I suppose add Description) but in the meantime, if you wanna just look at how the bulk of them are done and follow that, that's fine. We need to revisit these things (but that doesn't need to be done as part of this specific PR).

Comment on lines +91 to +92
// Declare tc here to avoid loop variable
// reuse issues across parallel tests.
Member

We have a linter checking for this, right? 🤔

Member Author

I don't think so? Are you talking about copyloopvar maybe?

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 25, 2025
@kubernetes-sigs kubernetes-sigs deleted a comment from k8s-ci-robot Aug 25, 2025

var CORSAllowCredentialsBehavior = suite.ConformanceTest{
ShortName: "CORSAllowCredentialsBehavior",
Description: "Validate ACA-Credentials responses",
Member

This needs a better description, what is it doing, what is expected, what kind of validation will happen here

Member Author

Does this seem ok?
Validate ACA-Credentials responses, the gateway needs to return Access-Control-Allow-Credentials: true for credentialed CORS requests when enabled on the gateway, and omit it when disabled

Member

much better! thank you!

Features: []features.FeatureName{
features.SupportGateway,
features.SupportHTTPRoute,
features.SupportHTTPRouteCORS,
Member

This reminds me: we don't have any other CORS test. Wouldn't it be better to either add those tests as well (support CORS, then test authorization)? Maybe this test should cover the whole extension, eg.:

My point is that while the authorization test is desired, we lack some basic CORS conformance test that I think could be part of this change

Member

(but also, if we feel comfortable with merging this and following up, just be sure to open an issue to track the lack of basic CORS tests)

Member Author

don't mind either way — I just don't know if I'll have time in the next few days, so it depends on whether we want to get it merged now. @shaneutt

Member

okie, let's wait for Shane to chime in! thanks!

},
Response: http.Response{
StatusCode: 200,
AbsentHeaders: []string{"Access-Control-Allow-Credentials"},
Member

Do you wanna follow the same test as below here and check if the Access-Control-Allow-Origin reflects what you added?
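
The behavior in the revised test description, together with the suggestion above to also check Access-Control-Allow-Origin, as an added example that is not code from this PR or from the Gateway API conformance suite. It runs against a hypothetical in-process handler (`corsBackend` and `checkCredentials` are illustrative names) instead of the suite's `http.ExpectedResponse` machinery.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsBackend is a hypothetical stand-in for a gateway with a CORS filter: acao is
// the Access-Control-Allow-Origin value it returns, allowCreds the credentials setting.
func corsBackend(acao string, allowCreds bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Origin") == "" {
			return // not a CORS request: no CORS headers
		}
		w.Header().Set("Access-Control-Allow-Origin", acao)
		if allowCreds {
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
	})
}

// checkCredentials sends one request carrying origin and validates the CORS headers.
func checkCredentials(h http.Handler, origin string, wantCreds bool) error {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	hdr := rec.Result().Header
	creds := hdr.Values("Access-Control-Allow-Credentials")
	switch {
	case !wantCreds && len(creds) != 0: // disabled: header must be absent
		return fmt.Errorf("credentials header must be omitted, got %q", creds)
	case !wantCreds:
		return nil
	case len(creds) != 1 || creds[0] != "true": // only the exact literal "true" counts
		return fmt.Errorf("want a single %q value, got %q", "true", creds)
	case hdr.Get("Access-Control-Allow-Origin") != origin: // "*" is invalid with credentials
		return fmt.Errorf("allowed origin %q does not echo %q", hdr.Get("Access-Control-Allow-Origin"), origin)
	}
	return nil
}

func main() {
	origin := "https://app.example" // sample origin, as in the PR snippet
	fmt.Println("enabled: ", checkCredentials(corsBackend(origin, true), origin, true))
	fmt.Println("disabled:", checkCredentials(corsBackend(origin, false), origin, false))
	fmt.Println("wildcard:", checkCredentials(corsBackend("*", true), origin, true))
}
```

The third call returns an error: a response that allows credentials while answering with a wildcard origin is rejected by browsers, which is why the check compares the echoed origin as well as the credentials header.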

@rikatz
Member

rikatz commented Aug 25, 2025

/hold

The test will not work as of today, because the manifest sets a nullable field as false and confuses CEL and other parts.

We may want to fix the CORS field to either be a string, or not be a bool pointer and accept it can be true or false, but not "nullable"

@rikatz
Member

rikatz commented Aug 25, 2025

/hold cancel
@shaneutt leaving the final approval for you, I think it would be good to test other CORS cases here (eg.: different origins, different methods, etc), as we are here and it means just creating some extra path/match entries :)

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 25, 2025
Member

@shaneutt shaneutt left a comment

/approve
/lgtm

@EyalPazz mentioned not necessarily having any extra time in the above comments, so let's merge for now and we can follow-up 👍

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Aug 26, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: EyalPazz, shaneutt

@shaneutt shaneutt added tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Aug 26, 2025
@k8s-ci-robot k8s-ci-robot merged commit d28cd59 into kubernetes-sigs:main Aug 26, 2025
19 checks passed
@github-project-automation github-project-automation bot moved this from Review to Done in Release v1.4.0 Aug 26, 2025
Successfully merging this pull request may close these issues.

conformance: add a test for omitted cors AllowCredentials header