[#225] Support wildcard in allowed origins and headers

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
2025-04-07 16:50:48 +03:00 · 2025-04-07 16:50:48 +03:00 · 273459e090
commit 273459e090
parent cb72d11515
2 changed files with 510 additions and 9 deletions
--- a/internal/handler/cors_test.go
+++ b/internal/handler/cors_test.go
@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"encoding/xml"
 	"fmt"
+	"net/http"
 	"testing"

 	"git.frostfs.info/TrueCloudLab/frostfs-http-gw/internal/data"
@ -407,6 +408,12 @@ func TestCheckSubslice(t *testing.T) {
 			actual:   []string{"str1", "str5"},
 			expected: false,
 		},
+		{
+			name:     "wildcard in allowed",
+			allowed:  []string{"str*"},
+			actual:   []string{"str", "str5"},
+			expected: true,
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			require.Equal(t, tc.expected, checkSubslice(tc.allowed, tc.actual))
@ -414,6 +421,489 @@ func TestCheckSubslice(t *testing.T) {
 	}
 }

+func TestAllowedOriginWildcards(t *testing.T) {
+	hc := prepareHandlerContext(t)
+	bktName := "bucket-allowed-origin-wildcards"
+	cnrID, cnr, err := hc.prepareContainer(bktName, acl.Private)
+	require.NoError(t, err)
+	hc.frostfs.SetContainer(cnrID, cnr)
+
+	cfg := &data.CORSConfiguration{
+		CORSRules: []data.CORSRule{
+			{
+				AllowedOrigins: []string{"*suffix.example"},
+				AllowedMethods: []string{"GET"},
+			},
+			{
+				AllowedOrigins: []string{"https://*example"},
+				AllowedMethods: []string{"GET"},
+			},
+			{
+				AllowedOrigins: []string{"prefix.example*"},
+				AllowedMethods: []string{"GET"},
+			},
+		},
+	}
+	setCORSObject(t, hc, cnrID, cfg, 1)
+
+	for _, tc := range []struct {
+		name            string
+		handler         func(*fasthttp.RequestCtx)
+		requestHeaders  map[string]string
+		expectedHeaders map[string]string
+		expectedStatus  int
+	}{
+		{
+			name:    "set cors headers, empty request cors headers",
+			handler: hc.Handler().SetCORSHeaders,
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+		},
+		{
+			name:    "set cors headers, invalid origin",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "https://origin.com",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+		},
+		{
+			name:    "set cors headers, first rule, no symbols in place of wildcard",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "suffix.example",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "suffix.example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "set cors headers, first rule, valid origin",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "http://suffix.example",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "http://suffix.example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "set cors headers, first rule, invalid origin",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "http://suffix-example",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+		},
+		{
+			name:    "set cors headers, second rule, no symbols in place of wildcard",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "https://example",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "https://example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "set cors headers, second rule, valid origin",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "https://www.example",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "https://www.example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "set cors headers, second rule, invalid origin",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "https://www.example.com",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+		},
+		{
+			name:    "set cors headers, third rule, no symbols in place of wildcard",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "prefix.example",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "prefix.example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "set cors headers, third rule, valid origin",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "prefix.example.com",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "prefix.example.com",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "set cors headers, third rule, invalid origin",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin: "www.prefix.example",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+		},
+		{
+			name:    "set cors headers, third rule, invalid request method in header",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "prefix.example.com",
+				fasthttp.HeaderAccessControlRequestMethod: "PUT",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+		},
+		{
+			name:    "set cors headers, third rule, valid request method in header",
+			handler: hc.Handler().SetCORSHeaders,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "prefix.example.com",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "prefix.example.com",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "preflight, empty request cors headers",
+			handler: hc.Handler().Preflight,
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+			expectedStatus: http.StatusBadRequest,
+		},
+		{
+			name:    "preflight, invalid origin",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "https://origin.com",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name:    "preflight, first rule, no symbols in place of wildcard",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "suffix.example",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "suffix.example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "prelight, first rule, valid origin",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "http://suffix.example",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "http://suffix.example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "preflight, first rule, invalid origin",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "http://suffix-example",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name:    "preflight, second rule, no symbols in place of wildcard",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "https://example",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "https://example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "preflight, second rule, valid origin",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "https://www.example",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "https://www.example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "preflight, second rule, invalid origin",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "https://www.example.com",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name:    "preflight, third rule, no symbols in place of wildcard",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "prefix.example",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "prefix.example",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "preflight, third rule, valid origin",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "prefix.example.com",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "prefix.example.com",
+				fasthttp.HeaderAccessControlAllowMethods: "GET",
+			},
+		},
+		{
+			name:    "preflight, third rule, invalid origin",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "www.prefix.example",
+				fasthttp.HeaderAccessControlRequestMethod: "GET",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name:    "preflight, third rule, invalid request method in header",
+			handler: hc.Handler().Preflight,
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                     "prefix.example.com",
+				fasthttp.HeaderAccessControlRequestMethod: "PUT",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			r := prepareCORSRequest(t, bktName, tc.requestHeaders)
+			tc.handler(r)
+
+			expectedStatus := fasthttp.StatusOK
+			if tc.expectedStatus != 0 {
+				expectedStatus = tc.expectedStatus
+			}
+			require.Equal(t, expectedStatus, r.Response.StatusCode())
+			for k, v := range tc.expectedHeaders {
+				require.Equal(t, v, string(r.Response.Header.Peek(k)))
+			}
+		})
+	}
+}
+
+func TestAllowedHeaderWildcards(t *testing.T) {
+	hc := prepareHandlerContext(t)
+	bktName := "bucket-allowed-header-wildcards"
+	cnrID, cnr, err := hc.prepareContainer(bktName, acl.Private)
+	require.NoError(t, err)
+	hc.frostfs.SetContainer(cnrID, cnr)
+
+	cfg := &data.CORSConfiguration{
+		CORSRules: []data.CORSRule{
+			{
+				AllowedOrigins: []string{"https://www.example.com"},
+				AllowedMethods: []string{"HEAD"},
+				AllowedHeaders: []string{"*-suffix"},
+			},
+			{
+				AllowedOrigins: []string{"https://www.example.com"},
+				AllowedMethods: []string{"HEAD"},
+				AllowedHeaders: []string{"start-*-end"},
+			},
+			{
+				AllowedOrigins: []string{"https://www.example.com"},
+				AllowedMethods: []string{"HEAD"},
+				AllowedHeaders: []string{"X-Amz-*"},
+			},
+		},
+	}
+	setCORSObject(t, hc, cnrID, cfg, 1)
+
+	for _, tc := range []struct {
+		name            string
+		requestHeaders  map[string]string
+		expectedHeaders map[string]string
+		expectedStatus  int
+	}{
+		{
+			name: "first rule, valid headers",
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                      "https://www.example.com",
+				fasthttp.HeaderAccessControlRequestMethod:  "HEAD",
+				fasthttp.HeaderAccessControlRequestHeaders: "header-suffix, -suffix",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "https://www.example.com",
+				fasthttp.HeaderAccessControlAllowMethods: "HEAD",
+				fasthttp.HeaderAccessControlAllowHeaders: "header-suffix, -suffix",
+			},
+		},
+		{
+			name: "first rule, invalid headers",
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                      "https://www.example.com",
+				fasthttp.HeaderAccessControlRequestMethod:  "HEAD",
+				fasthttp.HeaderAccessControlRequestHeaders: "header-suffix-*",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+				fasthttp.HeaderAccessControlAllowHeaders: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name: "second rule, valid headers",
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                      "https://www.example.com",
+				fasthttp.HeaderAccessControlRequestMethod:  "HEAD",
+				fasthttp.HeaderAccessControlRequestHeaders: "start--end, start-header-end",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "https://www.example.com",
+				fasthttp.HeaderAccessControlAllowMethods: "HEAD",
+				fasthttp.HeaderAccessControlAllowHeaders: "start--end, start-header-end",
+			},
+		},
+		{
+			name: "second rule, invalid header ending",
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                      "https://www.example.com",
+				fasthttp.HeaderAccessControlRequestMethod:  "HEAD",
+				fasthttp.HeaderAccessControlRequestHeaders: "start-header-end-*",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+				fasthttp.HeaderAccessControlAllowHeaders: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name: "second rule, invalid header beginning",
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                      "https://www.example.com",
+				fasthttp.HeaderAccessControlRequestMethod:  "HEAD",
+				fasthttp.HeaderAccessControlRequestHeaders: "*-start-header-end",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+				fasthttp.HeaderAccessControlAllowHeaders: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+		{
+			name: "third rule, valid headers",
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                      "https://www.example.com",
+				fasthttp.HeaderAccessControlRequestMethod:  "HEAD",
+				fasthttp.HeaderAccessControlRequestHeaders: "X-Amz-Date, X-Amz-Content-Sha256",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "https://www.example.com",
+				fasthttp.HeaderAccessControlAllowMethods: "HEAD",
+				fasthttp.HeaderAccessControlAllowHeaders: "X-Amz-Date, X-Amz-Content-Sha256",
+			},
+		},
+		{
+			name: "third rule, invalid headers",
+			requestHeaders: map[string]string{
+				fasthttp.HeaderOrigin:                      "https://www.example.com",
+				fasthttp.HeaderAccessControlRequestMethod:  "HEAD",
+				fasthttp.HeaderAccessControlRequestHeaders: "Authorization",
+			},
+			expectedHeaders: map[string]string{
+				fasthttp.HeaderAccessControlAllowOrigin:  "",
+				fasthttp.HeaderAccessControlAllowMethods: "",
+				fasthttp.HeaderAccessControlAllowHeaders: "",
+			},
+			expectedStatus: http.StatusForbidden,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			r := prepareCORSRequest(t, bktName, tc.requestHeaders)
+			hc.Handler().Preflight(r)
+
+			expectedStatus := http.StatusOK
+			if tc.expectedStatus != 0 {
+				expectedStatus = tc.expectedStatus
+			}
+			require.Equal(t, expectedStatus, r.Response.StatusCode())
+			for k, v := range tc.expectedHeaders {
+				require.Equal(t, v, string(r.Response.Header.Peek(k)))
+			}
+		})
+	}
+}
+
 func setCORSObject(t *testing.T, hc *handlerContext, cnrID cid.ID, corsConfig *data.CORSConfiguration, epoch uint64) {
 	payload, err := xml.Marshal(corsConfig)
 	require.NoError(t, err)