diff --git a/api/v1alpha1/cors_types.go b/api/v1alpha1/cors_types.go
index c3d2067511..dd72eda095 100644
--- a/api/v1alpha1/cors_types.go
+++ b/api/v1alpha1/cors_types.go
@@ -10,7 +10,8 @@ import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 // Origin is defined by the scheme (protocol), hostname (domain), and port of
 // the URL used to access it. The hostname can be "precise" which is just the
 // domain name or "wildcard" which is a domain name prefixed with a single
-// wildcard label such as "*.example.com".
+// wildcard label such as "*.example.com". The optional port can be a wildcard
+// as well to allow all ports.
 // In addition to that a single wildcard (with or without scheme) can be
 // configured to match any origin.
 //
@@ -19,11 +20,12 @@ import gwapiv1 "sigs.k8s.io/gateway-api/apis/v1"
 // - https://*.example.com
 // - http://foo.example.com:8080
 // - http://*.example.com:8080
+// - https://localhost:*
 // - https://*
 //
 // +kubebuilder:validation:MinLength=1
 // +kubebuilder:validation:MaxLength=253
-// +kubebuilder:validation:Pattern=`^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$`
+// +kubebuilder:validation:Pattern=`^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:(\*|\d{1,5}))?)$`
 type Origin string
 
 // CORS defines the configuration for Cross-Origin Resource Sharing (CORS).
diff --git a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 21f522c267..5a93c893e9 100644
--- a/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_securitypolicies.yaml
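Review bot: The added sentence `The optional port can be a wildcard as well to allow all ports.` does not say that a wildcard port only matches request origins that carry an explicit port; the wildcard2regex cases added in this same commit (test12, test14) pin `http://localhost:*` to not match `http://localhost`, so an origin on the scheme's default port is rejected. Since this comment becomes the CRD description users read, that is worth stating in the type comment, e.g. `// A wildcard port matches any explicit port but not an origin without one, so "https://localhost:*" does not match "https://localhost".`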
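Review bot: The new port group `(:(\*|\d{1,5}))?` combines freely with the wildcard host, so `https://*:*` now passes admission even though the comment documents only `https://*` as the match-any form and the added example list does not show the combination; whether the runtime matcher treats the two identically is not visible in this diff, because wildcard2regex is not changed here. Either document the combination in the comment or add a wildcard2regex case for `http://*:*` so the admission pattern and the matcher cannot drift apart. The `\d{1,5}` alternative still admits values above 65535; that is pre-existing rather than introduced here, but it is the one place a tighter port check could live.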
@@ -587,7 +587,8 @@ spec: Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. The hostname can be "precise" which is just the domain name or "wildcard" which is a domain name prefixed with a single - wildcard label such as "*.example.com". + wildcard label such as "*.example.com". The optional port can be a wildcard + as well to allow all ports. In addition to that a single wildcard (with or without scheme) can be configured to match any origin. @@ -596,10 +597,11 @@ spec: - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080 + - https://localhost:* - https://* maxLength: 253 minLength: 1 - pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$ + pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:(\*|\d{1,5}))?)$ type: string type: array exposeHeaders: diff --git a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 3d839207a6..13bbb5a278 100644 --- a/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -586,7 +586,8 @@ spec: Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. The hostname can be "precise" which is just the domain name or "wildcard" which is a domain name prefixed with a single - wildcard label such as "*.example.com". + wildcard label such as "*.example.com". The optional port can be a wildcard + as well to allow all ports. In addition to that a single wildcard (with or without scheme) can be configured to match any origin. 
@@ -595,10 +596,11 @@ spec: - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080 + - https://localhost:* - https://* maxLength: 253 minLength: 1 - pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$ + pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:(\*|\d{1,5}))?)$ type: string type: array exposeHeaders: diff --git a/internal/gatewayapi/securitypolicy_test.go b/internal/gatewayapi/securitypolicy_test.go index 19ce7f08c5..9ac5b1f270 100644 --- a/internal/gatewayapi/securitypolicy_test.go +++ b/internal/gatewayapi/securitypolicy_test.go @@ -94,6 +94,30 @@ func Test_wildcard2regex(t *testing.T) { origin: "http://foo.example.com", want: 1, }, + { + name: "test11", + wildcard: "http://*.example.com:*", + origin: "http://foo.example.com:8080", + want: 1, + }, + { + name: "test12", + wildcard: "http://*.example.com:*", + origin: "http://foo.example.com", + want: 0, + }, + { + name: "test13", + wildcard: "http://localhost:*", + origin: "http://localhost:1234", + want: 1, + }, + { + name: "test14", + wildcard: "http://localhost:*", + origin: "http://localhost", + want: 0, + }, } for _, tt := range tests { diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 603e91f330..87fbe344c3 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -4215,7 +4215,8 @@ _Underlying type:_ _string_ Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. The hostname can be "precise" which is just the domain name or "wildcard" which is a domain name prefixed with a single -wildcard label such as "*.example.com". +wildcard label such as "*.example.com". The optional port can be a wildcard +as well to allow all ports. In addition to that a single wildcard (with or without scheme) can be configured to match any origin. 
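Review bot: The four new cases exercise the port wildcard only with a concrete host or a wildcard host label; there is no case for a wildcard host combined with a wildcard port (`http://*:*`), which the CRD pattern in this commit now admits, and no negative case where the host differs only by a suffix, e.g. wildcard `http://localhost:*` against origin `http://localhost.example.com:1234` expecting 0. wildcard2regex itself is not modified in this diff, so these cases are the only thing pinning how the existing conversion treats `*` in the port position, and the anchoring case is the one a regression would most likely break. Test_wildcard2regex starts outside the hunk.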
@@ -4224,6 +4225,7 @@ For example, the following are valid origins:
 - https://*.example.com
 - http://foo.example.com:8080
 - http://*.example.com:8080
+- https://localhost:*
 - https://*
 
 _Appears in:_
diff --git a/test/cel-validation/securitypolicy_test.go b/test/cel-validation/securitypolicy_test.go
index e750cbf9d7..02837bb4f3 100644
--- a/test/cel-validation/securitypolicy_test.go
+++ b/test/cel-validation/securitypolicy_test.go
@@ -405,7 +405,7 @@ func TestSecurityPolicyTarget(t *testing.T) {
 }
 },
 wantErrors: []string{
- "spec.cors.allowOrigins[0]: Invalid value: \"https://foo.*.com\": spec.cors.allowOrigins[0] in body should match '^(\\*|https?:\\/\\/(\\*|(\\*\\.)?(([\\w-]+\\.?)+)?[\\w-]+)(:\\d{1,5})?)$'",
+ "spec.cors.allowOrigins[0]: Invalid value: \"https://foo.*.com\": spec.cors.allowOrigins[0] in body should match '^(\\*|https?:\\/\\/(\\*|(\\*\\.)?(([\\w-]+\\.?)+)?[\\w-]+)(:(\\*|\\d{1,5}))?)$'",
 },
 },
 {
@@ -429,7 +429,7 @@ func TestSecurityPolicyTarget(t *testing.T) {
 }
 },
 wantErrors: []string{
- "spec.cors.allowOrigins[0]: Invalid value: \"foo.bar.com\": spec.cors.allowOrigins[0] in body should match '^(\\*|https?:\\/\\/(\\*|(\\*\\.)?(([\\w-]+\\.?)+)?[\\w-]+)(:\\d{1,5})?)$'",
+ "spec.cors.allowOrigins[0]: Invalid value: \"foo.bar.com\": spec.cors.allowOrigins[0] in body should match '^(\\*|https?:\\/\\/(\\*|(\\*\\.)?(([\\w-]+\\.?)+)?[\\w-]+)(:(\\*|\\d{1,5}))?)$'",
 },
 },
 {
@@ -453,7 +453,7 @@ func TestSecurityPolicyTarget(t *testing.T) {
 }
 },
 wantErrors: []string{
- "spec.cors.allowOrigins[0]: Invalid value: \"grpc://foo.bar.com\": spec.cors.allowOrigins[0] in body should match '^(\\*|https?:\\/\\/(\\*|(\\*\\.)?(([\\w-]+\\.?)+)?[\\w-]+)(:\\d{1,5})?)$'",
+ "spec.cors.allowOrigins[0]: Invalid value: \"grpc://foo.bar.com\": spec.cors.allowOrigins[0] in body should match '^(\\*|https?:\\/\\/(\\*|(\\*\\.)?(([\\w-]+\\.?)+)?[\\w-]+)(:(\\*|\\d{1,5}))?)$'",
 },
 },
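Review bot: The three hunks in this file (at -405, -429 and -453) only refresh the expected rejection message for values that were already invalid; no case asserts that the newly allowed form `https://localhost:*` is accepted by the API server, nor that `*` is rejected anywhere else in the port (for instance `https://localhost:8*`), which `(:(\*|\d{1,5}))?` excludes. One positive and one negative case would pin the new admission behaviour at the layer where it is actually enforced, independent of the unit tests around wildcard2regex. TestSecurityPolicyTarget starts outside these hunks.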
diff --git a/test/helm/gateway-crds-helm/all.out.yaml b/test/helm/gateway-crds-helm/all.out.yaml index 62a9ad77db..53d247d194 100644 --- a/test/helm/gateway-crds-helm/all.out.yaml +++ b/test/helm/gateway-crds-helm/all.out.yaml @@ -49982,7 +49982,8 @@ spec: Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. The hostname can be "precise" which is just the domain name or "wildcard" which is a domain name prefixed with a single - wildcard label such as "*.example.com". + wildcard label such as "*.example.com". The optional port can be a wildcard + as well to allow all ports. In addition to that a single wildcard (with or without scheme) can be configured to match any origin. @@ -49991,10 +49992,11 @@ spec: - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080 + - https://localhost:* - https://* maxLength: 253 minLength: 1 - pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$ + pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:(\*|\d{1,5}))?)$ type: string type: array exposeHeaders: diff --git a/test/helm/gateway-crds-helm/e2e.out.yaml b/test/helm/gateway-crds-helm/e2e.out.yaml index b12c9c057c..15b71476ff 100644 --- a/test/helm/gateway-crds-helm/e2e.out.yaml +++ b/test/helm/gateway-crds-helm/e2e.out.yaml @@ -27955,7 +27955,8 @@ spec: Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. The hostname can be "precise" which is just the domain name or "wildcard" which is a domain name prefixed with a single - wildcard label such as "*.example.com". + wildcard label such as "*.example.com". The optional port can be a wildcard + as well to allow all ports. In addition to that a single wildcard (with or without scheme) can be configured to match any origin. 
@@ -27964,10 +27965,11 @@ spec: - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080 + - https://localhost:* - https://* maxLength: 253 minLength: 1 - pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$ + pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:(\*|\d{1,5}))?)$ type: string type: array exposeHeaders: diff --git a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml index 3ef90d7083..7192e1ac02 100644 --- a/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml +++ b/test/helm/gateway-crds-helm/envoy-gateway-crds.out.yaml @@ -27955,7 +27955,8 @@ spec: Origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. The hostname can be "precise" which is just the domain name or "wildcard" which is a domain name prefixed with a single - wildcard label such as "*.example.com". + wildcard label such as "*.example.com". The optional port can be a wildcard + as well to allow all ports. In addition to that a single wildcard (with or without scheme) can be configured to match any origin. @@ -27964,10 +27965,11 @@ spec: - https://*.example.com - http://foo.example.com:8080 - http://*.example.com:8080 + - https://localhost:* - https://* maxLength: 253 minLength: 1 - pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:\d{1,5})?)$ + pattern: ^(\*|https?:\/\/(\*|(\*\.)?(([\w-]+\.?)+)?[\w-]+)(:(\*|\d{1,5}))?)$ type: string type: array exposeHeaders: