diff --git a/api/handler/cors.go b/api/handler/cors.go index 69684fa6b..0ddec96aa 100644 --- a/api/handler/cors.go +++ b/api/handler/cors.go @@ -187,8 +187,8 @@ func (h *handler) Preflight(w http.ResponseWriter, r *http.Request) { if !checkSubslice(rule.AllowedHeaders, headers) { continue } - w.Header().Set(api.AccessControlAllowOrigin, o) - w.Header().Set(api.AccessControlAllowMethods, strings.Join(rule.AllowedMethods, ", ")) + w.Header().Set(api.AccessControlAllowOrigin, origin) + w.Header().Set(api.AccessControlAllowMethods, method) if headers != nil { w.Header().Set(api.AccessControlAllowHeaders, requestHeaders) } diff --git a/api/handler/cors_test.go b/api/handler/cors_test.go index 1c4bd9edc..42008d767 100644 --- a/api/handler/cors_test.go +++ b/api/handler/cors_test.go @@ -7,6 +7,7 @@ import ( "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api" "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware" + "github.com/stretchr/testify/require" ) func TestCORSOriginWildcard(t *testing.T) { @@ -39,3 +40,181 @@ func TestCORSOriginWildcard(t *testing.T) { hc.Handler().GetBucketCorsHandler(w, r) assertStatus(t, w, http.StatusOK) } + +func TestPreflight(t *testing.T) { + body := ` + + + GET + http://www.example.com + Authorization + x-amz-* + X-Amz-* + 600 + + +` + hc := prepareHandlerContext(t) + + bktName := "bucket-preflight-test" + box, _ := createAccessBox(t) + w, r := prepareTestRequest(hc, bktName, "", nil) + ctx := middleware.SetBox(r.Context(), &middleware.Box{AccessBox: box}) + r = r.WithContext(ctx) + hc.Handler().CreateBucketHandler(w, r) + assertStatus(t, w, http.StatusOK) + + w, r = prepareTestPayloadRequest(hc, bktName, "", strings.NewReader(body)) + ctx = middleware.SetBox(r.Context(), &middleware.Box{AccessBox: box}) + r = r.WithContext(ctx) + hc.Handler().PutBucketCorsHandler(w, r) + assertStatus(t, w, http.StatusOK) + + for _, tc := range []struct { + name string + origin string + method string + headers string + expectedStatus int + }{ + { + name: "Valid", + origin: "http://www.example.com", + method: "GET", + headers: "Authorization", + expectedStatus: http.StatusOK, + }, + { + name: "Empty origin", + method: "GET", + headers: "Authorization", + expectedStatus: http.StatusBadRequest, + }, + { + name: "Empty request method", + origin: "http://www.example.com", + headers: "Authorization", + expectedStatus: http.StatusBadRequest, + }, + { + name: "Not allowed method", + origin: "http://www.example.com", + method: "PUT", + headers: "Authorization", + expectedStatus: http.StatusForbidden, + }, + { + name: "Not allowed headers", + origin: "http://www.example.com", + method: "GET", + headers: "Authorization, Last-Modified", + expectedStatus: http.StatusForbidden, + }, + } { + t.Run(tc.name, func(t *testing.T) { + w, r = prepareTestPayloadRequest(hc, bktName, "", nil) + r.Header.Set(api.Origin, tc.origin) + r.Header.Set(api.AccessControlRequestMethod, tc.method) + r.Header.Set(api.AccessControlRequestHeaders, tc.headers) + hc.Handler().Preflight(w, r) + assertStatus(t, w, tc.expectedStatus) + + if tc.expectedStatus == http.StatusOK { + require.Equal(t, tc.origin, w.Header().Get(api.AccessControlAllowOrigin)) + require.Equal(t, tc.method, w.Header().Get(api.AccessControlAllowMethods)) + require.Equal(t, tc.headers, w.Header().Get(api.AccessControlAllowHeaders)) + require.Equal(t, "x-amz-*, X-Amz-*", w.Header().Get(api.AccessControlExposeHeaders)) + require.Equal(t, "true", w.Header().Get(api.AccessControlAllowCredentials)) + require.Equal(t, "600", w.Header().Get(api.AccessControlMaxAge)) + } + }) + } +} + +func TestPreflightWildcardOrigin(t *testing.T) { + body := ` + + + GET + PUT + * + * + + +` + hc := prepareHandlerContext(t) + + bktName := "bucket-preflight-wildcard-test" + box, _ := createAccessBox(t) + w, r := prepareTestRequest(hc, bktName, "", nil) + ctx := middleware.SetBox(r.Context(), &middleware.Box{AccessBox: box}) + r = r.WithContext(ctx) + hc.Handler().CreateBucketHandler(w, r) + assertStatus(t, w, http.StatusOK) + + w, r = prepareTestPayloadRequest(hc, bktName, "", strings.NewReader(body)) + ctx = middleware.SetBox(r.Context(), &middleware.Box{AccessBox: box}) + r = r.WithContext(ctx) + hc.Handler().PutBucketCorsHandler(w, r) + assertStatus(t, w, http.StatusOK) + + for _, tc := range []struct { + name string + origin string + method string + headers string + expectedStatus int + }{ + { + name: "Valid get", + origin: "http://www.example.com", + method: "GET", + headers: "Authorization, Last-Modified", + expectedStatus: http.StatusOK, + }, + { + name: "Valid put", + origin: "http://example.com", + method: "PUT", + headers: "Authorization, Content-Type", + expectedStatus: http.StatusOK, + }, + { + name: "Empty origin", + method: "GET", + headers: "Authorization, Last-Modified", + expectedStatus: http.StatusBadRequest, + }, + { + name: "Empty request method", + origin: "http://www.example.com", + headers: "Authorization, Last-Modified", + expectedStatus: http.StatusBadRequest, + }, + { + name: "Not allowed method", + origin: "http://www.example.com", + method: "DELETE", + headers: "Authorization, Last-Modified", + expectedStatus: http.StatusForbidden, + }, + } { + t.Run(tc.name, func(t *testing.T) { + w, r = prepareTestPayloadRequest(hc, bktName, "", nil) + r.Header.Set(api.Origin, tc.origin) + r.Header.Set(api.AccessControlRequestMethod, tc.method) + r.Header.Set(api.AccessControlRequestHeaders, tc.headers) + hc.Handler().Preflight(w, r) + assertStatus(t, w, tc.expectedStatus) + + if tc.expectedStatus == http.StatusOK { + require.Equal(t, tc.origin, w.Header().Get(api.AccessControlAllowOrigin)) + require.Equal(t, tc.method, w.Header().Get(api.AccessControlAllowMethods)) + require.Equal(t, tc.headers, w.Header().Get(api.AccessControlAllowHeaders)) + require.Empty(t, w.Header().Get(api.AccessControlExposeHeaders)) + require.Empty(t, w.Header().Get(api.AccessControlAllowCredentials)) + require.Equal(t, "0", w.Header().Get(api.AccessControlMaxAge)) + } + }) + } +} diff --git a/api/middleware/constants.go b/api/middleware/constants.go index 47f653242..a52b93a8d 100644 --- a/api/middleware/constants.go +++ b/api/middleware/constants.go @@ -5,7 +5,7 @@ const ( // bucket operations. - OptionsOperation = "Options" + OptionsBucketOperation = "OptionsBucket" HeadBucketOperation = "HeadBucket" ListMultipartUploadsOperation = "ListMultipartUploads" GetBucketLocationOperation = "GetBucketLocation" @@ -51,6 +51,7 @@ const ( // object operations. + OptionsObjectOperation = "OptionsObject" HeadObjectOperation = "HeadObject" ListPartsOperation = "ListParts" GetObjectACLOperation = "GetObjectACL" diff --git a/api/middleware/metrics.go b/api/middleware/metrics.go index c72c59d03..fca113a38 100644 --- a/api/middleware/metrics.go +++ b/api/middleware/metrics.go @@ -103,7 +103,7 @@ func stats(f http.HandlerFunc, resolveCID cidResolveFunc, appMetrics *metrics.Ap func requestTypeFromAPI(api string) metrics.RequestType { switch api { - case OptionsOperation, HeadObjectOperation, HeadBucketOperation: + case OptionsBucketOperation, OptionsObjectOperation, HeadObjectOperation, HeadBucketOperation: return metrics.HEADRequest case CreateMultipartUploadOperation, UploadPartCopyOperation, UploadPartOperation, CompleteMultipartUploadOperation, PutObjectACLOperation, PutObjectTaggingOperation, CopyObjectOperation, PutObjectRetentionOperation, PutObjectLegalHoldOperation, diff --git a/api/middleware/policy.go b/api/middleware/policy.go index f1c1f320d..5a7142a29 100644 --- a/api/middleware/policy.go +++ b/api/middleware/policy.go @@ -253,7 +253,7 @@ func determineBucketOperation(r *http.Request) string { query := r.URL.Query() switch r.Method { case http.MethodOptions: - return OptionsOperation + return OptionsBucketOperation case http.MethodHead: return HeadBucketOperation case http.MethodGet: @@ -356,6 +356,8 @@ func determineBucketOperation(r *http.Request) string { func determineObjectOperation(r *http.Request) string { query := r.URL.Query() switch r.Method { + case http.MethodOptions: + return OptionsObjectOperation case http.MethodHead: return HeadObjectOperation case http.MethodGet: diff --git a/api/middleware/policy_test.go b/api/middleware/policy_test.go index 34d3a9c56..0c6f12821 100644 --- a/api/middleware/policy_test.go +++ b/api/middleware/policy_test.go @@ -91,9 +91,9 @@ func TestDetermineBucketOperation(t *testing.T) { expected string }{ { - name: "OptionsOperation", + name: "OptionsBucketOperation", method: http.MethodOptions, - expected: OptionsOperation, + expected: OptionsBucketOperation, }, { name: "HeadBucketOperation", @@ -367,6 +367,11 @@ func TestDetermineObjectOperation(t *testing.T) { headerKeys []string expected string }{ + { + name: "OptionsObjectOperation", + method: http.MethodOptions, + expected: OptionsObjectOperation, + }, { name: "HeadObjectOperation", method: http.MethodHead, diff --git a/api/router.go b/api/router.go index a6dfa0a52..0f86e2e57 100644 --- a/api/router.go +++ b/api/router.go @@ -223,7 +223,7 @@ func bucketRouter(h Handler, log *zap.Logger) chi.Router { bktRouter.Mount("/", objectRouter(h, log)) - bktRouter.Options("/", h.Preflight) + bktRouter.Options("/", named(s3middleware.OptionsBucketOperation, h.Preflight)) bktRouter.Head("/", named(s3middleware.HeadBucketOperation, h.HeadBucketHandler)) @@ -372,6 +372,8 @@ func objectRouter(h Handler, l *zap.Logger) chi.Router { objRouter := chi.NewRouter() objRouter.Use(s3middleware.AddObjectName(l)) + objRouter.Options("/*", named(s3middleware.OptionsObjectOperation, h.Preflight)) + objRouter.Head("/*", named(s3middleware.HeadObjectOperation, h.HeadObjectHandler)) // GET method handlers