Fix cors cel (kubernetes-sigs#4032)

* CORS: support a single wildcard entry as origin

* CORS: Add test for CRD validations

Author: rikatz

apis/v1/httproute_types.go

@@ -1404,8 +1404,9 @@ type HTTPCORSFilter struct {
 	// Support: Extended
 	// +listType=set
 	// +kubebuilder:validation:MaxItems=64
+	// +kubebuilder:validation:XValidation:message="AllowOrigins cannot contain '*' alongside other origins",rule="!('*' in self && self.size() > 1)"
 	// +optional
-	AllowOrigins []AbsoluteURI `json:"allowOrigins,omitempty"`
+	AllowOrigins []CORSOrigin `json:"allowOrigins,omitempty"`
 
 	// AllowCredentials indicates whether the actual cross-origin request allows
 	// to include credentials.

apis/v1/shared_types.go

@@ -608,6 +608,17 @@ type PreciseHostname string
 // +kubebuilder:validation:Pattern=`^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))?`
 type AbsoluteURI string
 
+// The CORSOrigin MUST NOT be a relative URI, and it MUST follow the URI syntax and
+// encoding rules specified in RFC3986.  The CORSOrigin MUST include both a
+// scheme (e.g., "http" or "spiffe") and a scheme-specific-part, or it should be a single '*' character.
+// URIs that include an authority MUST include a fully qualified domain name or
+// IP address as the host.
+// <gateway:util:excludeFromCRD> The below regex was generated to simplify the assertion of scheme://host:<port> being port optional </gateway:util:excludeFromCRD>
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+// +kubebuilder:validation:Pattern=`(^\*$)|(^([a-zA-Z][a-zA-Z0-9+\-.]+):\/\/([^:/?#]+)(:([0-9]{1,5}))?$)`
+type CORSOrigin string
+
 // Group refers to a Kubernetes Group. It must either be an empty string or a
 // RFC 1123 subdomain.
 //

apis/v1/zz_generated.deepcopy.go

@@ -241,6 +241,135 @@ func toDuration(durationString string) *gatewayv1.Duration {
 	return (*gatewayv1.Duration)(&durationString)
 }
 
+func TestHTTPRouteCORS(t *testing.T) {
+	tests := []struct {
+		name       string
+		wantErrors []string
+		corsfilter *gatewayv1.HTTPCORSFilter
+	}{
+		{
+			name:       "Valid cors should be accepted",
+			wantErrors: nil,
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowOrigins: []gatewayv1.CORSOrigin{
+					"https://xpto.com",
+					"http://*.abcd.com",
+					"http://*.abcd.com:12345",
+				},
+			},
+		},
+		{
+			name:       "Using wildcard only is accepted",
+			wantErrors: nil,
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowOrigins: []gatewayv1.CORSOrigin{
+					"*",
+				},
+			},
+		},
+		{
+			name:       "Wildcard and other hosts on the same origin list should be denied",
+			wantErrors: []string{"AllowOrigins cannot contain '*' alongside other origins"},
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowOrigins: []gatewayv1.CORSOrigin{
+					"*",
+					"https://xpto.com",
+				},
+			},
+		},
+		{
+			name:       "An origin without the format scheme://host should be denied",
+			wantErrors: []string{"Invalid value: \"xpto.com\": spec.rules[0].filters[0].cors.allowOrigins[1] in body should match"},
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowOrigins: []gatewayv1.CORSOrigin{
+					"https://xpto.com",
+					"xpto.com",
+				},
+			},
+		},
+		{
+			name:       "An origin as http://*.com should be accepted",
+			wantErrors: nil,
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowOrigins: []gatewayv1.CORSOrigin{
+					"https://*.com",
+				},
+			},
+		},
+		{
+			name:       "An origin with an invalid port should be denied",
+			wantErrors: []string{"Invalid value: \"https://xpto.com:notaport\": spec.rules[0].filters[0].cors.allowOrigins[0] in body should match"},
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowOrigins: []gatewayv1.CORSOrigin{
+					"https://xpto.com:notaport",
+				},
+			},
+		},
+		{
+			name:       "An origin with an value before the scheme definition should be denied",
+			wantErrors: []string{"Invalid value: \"xpto/https://xpto.com\""},
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowOrigins: []gatewayv1.CORSOrigin{
+					"xpto/https://xpto.com",
+				},
+			},
+		},
+		{
+			name:       "Using an invalid HTTP method should be denied",
+			wantErrors: []string{"Unsupported value: \"BAZINGA\""},
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowMethods: []gatewayv1.HTTPMethodWithWildcard{
+					"BAZINGA",
+				},
+			},
+		},
+		{
+			name:       "Using wildcard and a valid method should be denied",
+			wantErrors: []string{"AllowMethods cannot contain '*' alongside other methods"},
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowMethods: []gatewayv1.HTTPMethodWithWildcard{
+					"GET",
+					"*",
+					"POST",
+				},
+			},
+		},
+		{
+			name:       "Using an array of valid methods should be accepted",
+			wantErrors: nil,
+			corsfilter: &gatewayv1.HTTPCORSFilter{
+				AllowMethods: []gatewayv1.HTTPMethodWithWildcard{
+					"GET",
+					"OPTIONS",
+					"POST",
+				},
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			route := &gatewayv1.HTTPRoute{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      fmt.Sprintf("foo-%v", time.Now().UnixNano()),
+					Namespace: metav1.NamespaceDefault,
+				},
+				Spec: gatewayv1.HTTPRouteSpec{Rules: []gatewayv1.HTTPRouteRule{
+					{
+						Filters: []gatewayv1.HTTPRouteFilter{
+							{
+								Type: gatewayv1.HTTPRouteFilterCORS,
+								CORS: tc.corsfilter,
+							},
+						},
+					},
+				}},
+			}
+			validateHTTPRoute(t, route, tc.wantErrors)
+		})
+	}
+}
+
 func TestHTTPRouteTimeouts(t *testing.T) {
 	tests := []struct {
 		name       string