cors filter: use typed_per_filter_config to configure cors filter (#23280)

Signed-off-by: wbpcode <wangbaiping@corp.netease.com> Mirrored from https://github.com/envoyproxy/envoy @ 4bfa03391b71b5b7f65b54e28f9e8f4cf63efc62
3 years ago · 51bdec0cb3
parent 7d8efae7d3
commit 51bdec0cb3
3 changed files with 87 additions and 5 deletions
--- a/envoy/config/route/v3/route_components.proto
+++ b/envoy/config/route/v3/route_components.proto
@ -142,8 +142,16 @@ message VirtualHost {
    items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
  }];

-  // Indicates that the virtual host has a CORS policy.
-  CorsPolicy cors = 8;
+  // Indicates that the virtual host has a CORS policy. This field is ignored if related cors policy is
+  // found in the
+  // :ref:`VirtualHost.typed_per_filter_config<envoy_v3_api_field_config.route.v3.VirtualHost.typed_per_filter_config>`.
+  //
+  // .. attention::
+  //
+  //   This option has been deprecated. Please use
+  //   :ref:`VirtualHost.typed_per_filter_config<envoy_v3_api_field_config.route.v3.VirtualHost.typed_per_filter_config>`
+  //   to configure the CORS HTTP filter.
+  CorsPolicy cors = 8 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

  // The per_filter_config field can be used to provide virtual host-specific configurations for filters.
  // The key should match the :ref:`filter config name
@ -641,6 +649,14 @@ message RouteMatch {
  repeated type.matcher.v3.MetadataMatcher dynamic_metadata = 13;
 }

+// Cors policy configuration.
+//
+// .. attention::
+//
+//   This message has been deprecated. Please use
+//   :ref:`CorsPolicy in filter extension <envoy_v3_api_msg_extensions.filters.http.cors.v3.CorsPolicy>`
+//   as as alternative.
+//
 // [#next-free-field: 13]
 message CorsPolicy {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy";
@ -1252,8 +1268,17 @@ message RouteAction {
  // ignoring the rest of the hash policy list.
  repeated HashPolicy hash_policy = 15;

-  // Indicates that the route has a CORS policy.
-  CorsPolicy cors = 17;
+  // Indicates that the route has a CORS policy. This field is ignored if related cors policy is
+  // found in the :ref:`Route.typed_per_filter_config<envoy_v3_api_field_config.route.v3.Route.typed_per_filter_config>` or
+  // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config<envoy_v3_api_field_config.route.v3.WeightedCluster.ClusterWeight.typed_per_filter_config>`.
+  //
+  // .. attention::
+  //
+  //   This option has been deprecated. Please use
+  //   :ref:`Route.typed_per_filter_config<envoy_v3_api_field_config.route.v3.Route.typed_per_filter_config>` or
+  //   :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config<envoy_v3_api_field_config.route.v3.WeightedCluster.ClusterWeight.typed_per_filter_config>`
+  //   to configure the CORS HTTP filter.
+  CorsPolicy cors = 17 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

  // Deprecated by :ref:`grpc_timeout_header_max <envoy_v3_api_field_config.route.v3.RouteAction.MaxStreamDuration.grpc_timeout_header_max>`
  // If present, and the request is a gRPC request, use the
--- a/envoy/extensions/filters/http/cors/v3/BUILD
+++ b/envoy/extensions/filters/http/cors/v3/BUILD
@ -5,5 +5,9 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2

 api_proto_package(
-    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "//envoy/type/matcher/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
 )
--- a/envoy/extensions/filters/http/cors/v3/cors.proto
+++ b/envoy/extensions/filters/http/cors/v3/cors.proto
@ -2,6 +2,11 @@ syntax = "proto3";

 package envoy.extensions.filters.http.cors.v3;

+import "envoy/config/core/v3/base.proto";
+import "envoy/type/matcher/v3/string.proto";
+
+import "google/protobuf/wrappers.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";

@ -20,3 +25,51 @@ message Cors {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.cors.v2.Cors";
 }
+
+// [#next-free-field: 10]
+message CorsPolicy {
+  // Specifies string patterns that match allowed origins. An origin is allowed if any of the
+  // string matchers match.
+  repeated type.matcher.v3.StringMatcher allow_origin_string_match = 1;
+
+  // Specifies the content for the ``access-control-allow-methods`` header.
+  string allow_methods = 2;
+
+  // Specifies the content for the ``access-control-allow-headers`` header.
+  string allow_headers = 3;
+
+  // Specifies the content for the ``access-control-expose-headers`` header.
+  string expose_headers = 4;
+
+  // Specifies the content for the ``access-control-max-age`` header.
+  string max_age = 5;
+
+  // Specifies whether the resource allows credentials.
+  google.protobuf.BoolValue allow_credentials = 6;
+
+  // Specifies the % of requests for which the CORS filter is enabled.
+  //
+  // If neither ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS
+  // filter will be enabled for 100% of the requests.
+  //
+  // If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is
+  // specified, Envoy will lookup the runtime key to get the percentage of requests to filter.
+  config.core.v3.RuntimeFractionalPercent filter_enabled = 7;
+
+  // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not
+  // enforced.
+  //
+  // This field is intended to be used when ``filter_enabled`` is off. That field have to explicitly disable
+  // the filter in order for this setting to take effect.
+  //
+  // If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
+  // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate
+  // and track the request's ``Origin`` to determine if it's valid but will not enforce any policies.
+  config.core.v3.RuntimeFractionalPercent shadow_enabled = 8;
+
+  // Specify whether allow requests whose target server's IP address is more private than that from
+  // which the request initiator was fetched.
+  //
+  // More details refer to https://developer.chrome.com/blog/private-network-access-preflight.
+  google.protobuf.BoolValue allow_private_network_access = 9;
+}