[#158] Support cors

Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>

CHANGELOG.md

@@ -7,6 +7,7 @@ This document outlines major changes between releases.
 ### Added
 - Support percent-encoding for GET queries (#134)
 - Add `trace_id` to logs (#148)
+- Add `cors` config params (#158)
 
 ### Changed
 - Update go version to 1.22 (#132)

cmd/http-gw/app.go

@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"io"
 	"net/http"
 	"os"
 	"os/signal"
@@ -98,6 +97,21 @@ type (
 		bufferMaxSizeForPut  uint64
 		namespaceHeader      string
 		defaultNamespaces    []string
+		corsAllowOrigin      string
+		corsAllowMethods     []string
+		corsAllowHeaders     []string
+		corsExposeHeaders    []string
+		corsAllowCredentials bool
+		corsMaxAge           int
+	}
+
+	CORS struct {
+		AllowOrigin      string
+		AllowMethods     []string
+		AllowHeaders     []string
+		ExposeHeaders    []string
+		AllowCredentials bool
+		MaxAge           int
 	}
 )
 
@@ -159,23 +173,59 @@ func newApp(ctx context.Context, opt ...Option) App {
 	a.initResolver()
 	a.initMetrics()
 	a.initTracing(ctx)
-	a.loadIndexPageTemplate()
 
 	return a
 }
 
+func (a *app) initAppSettings() {
+	a.settings = &appSettings{
+		reconnectInterval: fetchReconnectInterval(a.cfg),
+	}
+	a.settings.update(a.cfg, a.log)
+}
+
+func (s *appSettings) update(v *viper.Viper, l *zap.Logger) {
+	defaultTimestamp := v.GetBool(cfgUploaderHeaderEnableDefaultTimestamp)
+	zipCompression := v.GetBool(cfgZipCompression)
+	returnIndexPage := v.GetBool(cfgIndexPageEnabled)
+	clientCut := v.GetBool(cfgClientCut)
+	bufferMaxSizeForPut := v.GetUint64(cfgBufferMaxSizeForPut)
+	namespaceHeader := v.GetString(cfgResolveNamespaceHeader)
+	defaultNamespaces := v.GetStringSlice(cfgResolveDefaultNamespaces)
+	indexPage, indexEnabled := fetchIndexPageTemplate(v, l)
+	corsAllowOrigin := v.GetString(cfgCORSAllowOrigin)
+	corsAllowMethods := v.GetStringSlice(cfgCORSAllowMethods)
+	corsAllowHeaders := v.GetStringSlice(cfgCORSAllowHeaders)
+	corsExposeHeaders := v.GetStringSlice(cfgCORSExposeHeaders)
+	corsAllowCredentials := v.GetBool(cfgCORSAllowCredentials)
+	corsMaxAge := fetchCORSMaxAge(v)
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	s.defaultTimestamp = defaultTimestamp
+	s.zipCompression = zipCompression
+	s.returnIndexPage = returnIndexPage
+	s.clientCut = clientCut
+	s.bufferMaxSizeForPut = bufferMaxSizeForPut
+	s.namespaceHeader = namespaceHeader
+	s.defaultNamespaces = defaultNamespaces
+	s.returnIndexPage = indexEnabled
+	s.indexPageTemplate = indexPage
+	s.corsAllowOrigin = corsAllowOrigin
+	s.corsAllowMethods = corsAllowMethods
+	s.corsAllowHeaders = corsAllowHeaders
+	s.corsExposeHeaders = corsExposeHeaders
+	s.corsAllowCredentials = corsAllowCredentials
+	s.corsMaxAge = corsMaxAge
+}
+
 func (s *appSettings) DefaultTimestamp() bool {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	return s.defaultTimestamp
 }
 
-func (s *appSettings) setDefaultTimestamp(val bool) {
-	s.mu.Lock()
-	s.defaultTimestamp = val
-	s.mu.Unlock()
-}
-
 func (s *appSettings) ZipCompression() bool {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
@@ -197,42 +247,27 @@ func (s *appSettings) IndexPageTemplate() string {
 	return s.indexPageTemplate
 }
 
-func (s *appSettings) setZipCompression(val bool) {
-	s.mu.Lock()
-	s.zipCompression = val
-	s.mu.Unlock()
-}
+func (s *appSettings) CORS() CORS {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
 
-func (s *appSettings) setReturnIndexPage(val bool) {
-	s.mu.Lock()
-	s.returnIndexPage = val
-	s.mu.Unlock()
-}
+	allowMethods := make([]string, len(s.corsAllowMethods))
+	copy(allowMethods, s.corsAllowMethods)
 
-func (s *appSettings) setIndexTemplate(val string) {
-	s.mu.Lock()
-	s.indexPageTemplate = val
-	s.mu.Unlock()
-}
+	allowHeaders := make([]string, len(s.corsAllowHeaders))
+	copy(allowHeaders, s.corsAllowHeaders)
 
-func (a *app) loadIndexPageTemplate() {
-	if !a.settings.IndexPageEnabled() {
-		return
+	exposeHeaders := make([]string, len(s.corsExposeHeaders))
+	copy(exposeHeaders, s.corsExposeHeaders)
+
+	return CORS{
+		AllowOrigin:      s.corsAllowOrigin,
+		AllowMethods:     allowMethods,
+		AllowHeaders:     allowHeaders,
+		ExposeHeaders:    exposeHeaders,
+		AllowCredentials: s.corsAllowCredentials,
+		MaxAge:           s.corsMaxAge,
 	}
-	reader, err := os.Open(a.cfg.GetString(cfgIndexPageTemplatePath))
-	if err != nil {
-		a.settings.setIndexTemplate("")
-		a.log.Warn(logs.FailedToReadIndexPageTemplate, zap.Error(err))
-		return
-	}
-	tmpl, err := io.ReadAll(reader)
-	if err != nil {
-		a.settings.setIndexTemplate("")
-		a.log.Warn(logs.FailedToReadIndexPageTemplate, zap.Error(err))
-		return
-	}
-	a.settings.setIndexTemplate(string(tmpl))
-	a.log.Info(logs.SetCustomIndexPageTemplate)
 }
 
 func (s *appSettings) ClientCut() bool {
@@ -241,31 +276,12 @@ func (s *appSettings) ClientCut() bool {
 	return s.clientCut
 }
 
-func (s *appSettings) setClientCut(val bool) {
-	s.mu.Lock()
-	s.clientCut = val
-	s.mu.Unlock()
-}
-
 func (s *appSettings) BufferMaxSizeForPut() uint64 {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	return s.bufferMaxSizeForPut
 }
 
-func (s *appSettings) setBufferMaxSizeForPut(val uint64) {
-	s.mu.Lock()
-	s.bufferMaxSizeForPut = val
-	s.mu.Unlock()
-}
-
-func (a *app) initAppSettings() {
-	a.settings = &appSettings{
-		reconnectInterval: fetchReconnectInterval(a.cfg),
-	}
-	a.updateSettings()
-}
-
 func (a *app) initResolver() {
 	var err error
 	a.resolver, err = resolver.NewContainerResolver(a.getResolverConfig())
@@ -539,26 +555,15 @@ func (a *app) configReload(ctx context.Context) {
 	a.stopServices()
 	a.startServices()
 
-	a.updateSettings()
+	a.settings.update(a.cfg, a.log)
 
 	a.metrics.SetEnabled(a.cfg.GetBool(cfgPrometheusEnabled))
 	a.initTracing(ctx)
-	a.loadIndexPageTemplate()
 	a.setHealthStatus()
 
 	a.log.Info(logs.SIGHUPConfigReloadCompleted)
 }
 
-func (a *app) updateSettings() {
-	a.settings.setDefaultTimestamp(a.cfg.GetBool(cfgUploaderHeaderEnableDefaultTimestamp))
-	a.settings.setZipCompression(a.cfg.GetBool(cfgZipCompression))
-	a.settings.setReturnIndexPage(a.cfg.GetBool(cfgIndexPageEnabled))
-	a.settings.setClientCut(a.cfg.GetBool(cfgClientCut))
-	a.settings.setBufferMaxSizeForPut(a.cfg.GetUint64(cfgBufferMaxSizeForPut))
-	a.settings.setNamespaceHeader(a.cfg.GetString(cfgResolveNamespaceHeader))
-	a.settings.setDefaultNamespaces(a.cfg.GetStringSlice(cfgResolveDefaultNamespaces))
-}
-
 func (a *app) startServices() {
 	pprofConfig := metrics.Config{Enabled: a.cfg.GetBool(cfgPprofEnabled), Address: a.cfg.GetString(cfgPprofAddress)}
 	pprofService := metrics.NewPprofService(a.log, pprofConfig)

cmd/http-gw/integration_test.go

@@ -102,7 +102,7 @@ func runServer(pathToWallet string) (App, context.CancelFunc) {
 	v.Set(cfgWalletPath, pathToWallet)
 	v.Set(cfgWalletPassphrase, "")
 
-	l, lvl := newStdoutLogger(zapcore.DebugLevel)
+	l, lvl := newStdoutLogger(v, zapcore.DebugLevel)
 	application := newApp(cancelCtx, WithConfig(v), WithLogger(l, lvl))
 	go application.Serve()
 
@@ -525,7 +525,7 @@ func putObject(ctx context.Context, t *testing.T, clientPool *pool.Pool, ownerID
 	id, err := clientPool.PutObject(ctx, prm)
 	require.NoError(t, err)
 
-	return id
+	return id.ObjectID
 }
 
 func makeBearerToken(t *testing.T, key *keys.PrivateKey, ownerID user.ID, version string) string {

cmd/http-gw/settings.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/hex"
 	"fmt"
+	"io"
 	"math"
 	"os"
 	"path"
@@ -55,6 +56,8 @@ const (
 
 	defaultReconnectInterval = time.Minute
 
+	defaultCORSMaxAge = 600 // seconds
+
 	cfgServer      = "server"
 	cfgTLSEnabled  = "tls.enabled"
 	cfgTLSCertFile = "tls.cert_file"
@@ -140,6 +143,14 @@ const (
 	cfgResolveNamespaceHeader   = "resolve_bucket.namespace_header"
 	cfgResolveDefaultNamespaces = "resolve_bucket.default_namespaces"
 
+	// CORS.
+	cfgCORSAllowOrigin      = "cors.allow_origin"
+	cfgCORSAllowMethods     = "cors.allow_methods"
+	cfgCORSAllowHeaders     = "cors.allow_headers"
+	cfgCORSExposeHeaders    = "cors.expose_headers"
+	cfgCORSAllowCredentials = "cors.allow_credentials"
+	cfgCORSMaxAge           = "cors.max_age"
+
 	// Command line args.
 	cmdHelp          = "help"
 	cmdVersion       = "version"
@@ -505,6 +516,36 @@ func fetchReconnectInterval(cfg *viper.Viper) time.Duration {
 	return reconnect
 }
 
+func fetchIndexPageTemplate(v *viper.Viper, l *zap.Logger) (string, bool) {
+	if !v.GetBool(cfgIndexPageEnabled) {
+		return "", false
+	}
+
+	reader, err := os.Open(v.GetString(cfgIndexPageTemplatePath))
+	if err != nil {
+		l.Warn(logs.FailedToReadIndexPageTemplate, zap.Error(err))
+		return "", true
+	}
+
+	tmpl, err := io.ReadAll(reader)
+	if err != nil {
+		l.Warn(logs.FailedToReadIndexPageTemplate, zap.Error(err))
+		return "", true
+	}
+
+	l.Info(logs.SetCustomIndexPageTemplate)
+	return string(tmpl), true
+}
+
+func fetchCORSMaxAge(v *viper.Viper) int {
+	maxAge := v.GetInt(cfgCORSMaxAge)
+	if maxAge <= 0 {
+		maxAge = defaultCORSMaxAge
+	}
+
+	return maxAge
+}
+
 func fetchServers(v *viper.Viper, log *zap.Logger) []ServerInfo {
 	var servers []ServerInfo
 	seen := make(map[string]struct{})
@@ -589,18 +630,12 @@ func getPools(ctx context.Context, logger *zap.Logger, cfg *viper.Viper) (*pool.
 
 	prmTree.SetMaxRequestAttempts(cfg.GetInt(cfgTreePoolMaxAttempts))
 
-	var apiGRPCDialOpts []grpc.DialOption
-	var treeGRPCDialOpts []grpc.DialOption
-	if cfg.GetBool(cfgTracingEnabled) {
 	interceptors := []grpc.DialOption{
 		grpc.WithUnaryInterceptor(grpctracing.NewUnaryClientInteceptor()),
 		grpc.WithStreamInterceptor(grpctracing.NewStreamClientInterceptor()),
 	}
-		treeGRPCDialOpts = append(treeGRPCDialOpts, interceptors...)
-		apiGRPCDialOpts = append(apiGRPCDialOpts, interceptors...)
-	}
-	prm.SetGRPCDialOptions(apiGRPCDialOpts...)
-	prmTree.SetGRPCDialOptions(treeGRPCDialOpts...)
+	prm.SetGRPCDialOptions(interceptors...)
+	prmTree.SetGRPCDialOptions(interceptors...)
 
 	p, err := pool.NewPool(prm)
 	if err != nil {

config/config.env

@@ -126,3 +126,10 @@ HTTP_GW_RESOLVE_BUCKET_DEFAULT_NAMESPACES="" "root"
 # Max attempt to make successful tree request.
 # default value is 0 that means the number of attempts equals to number of nodes in pool.
 HTTP_GW_FROSTFS_TREE_POOL_MAX_ATTEMPTS=0
+
+HTTP_GW_CORS_ALLOW_ORIGIN="*"
+HTTP_GW_CORS_ALLOW_METHODS="GET" "POST"
+HTTP_GW_CORS_ALLOW_HEADERS="*"
+HTTP_GW_CORS_EXPOSE_HEADERS="*"
+HTTP_GW_CORS_ALLOW_CREDENTIALS=false
+HTTP_GW_CORS_MAX_AGE=600

config/config.yaml

@@ -138,3 +138,11 @@ cache:
 resolve_bucket:
   namespace_header: X-Frostfs-Namespace
   default_namespaces: [ "", "root" ]
+
+cors:
+  allow_origin: ""
+  allow_methods: []
+  allow_headers: []
+  expose_headers: []
+  allow_credentials: false
+  max_age: 600

docs/gate-configuration.md

@@ -271,7 +271,7 @@ tracing:
 
 | Parameter    | Type     | SIGHUP reload | Default value | Description                                                                                                                     |
 |--------------|----------|---------------|---------------|---------------------------------------------------------------------------------------------------------------------------------|
-| `enabled`    | `bool`   | no            | `false`       | Flag to enable the tracing.                                                                                                     |
+| `enabled`    | `bool`   | yes           | `false`       | Flag to enable the tracing.                                                                                                     |
 | `exporter`   | `string` | yes           |               | Trace collector type (`stdout` or `otlp_grpc` are supported).                                                                   |
 | `endpoint`   | `string` | yes           |               | Address of collector endpoint for OTLP exporters.                                                                               |
 | `trusted_ca` | `string` | yes           |               | Path to certificate of a certification authority in pem format, that issued the TLS certificate of the telemetry remote server. |
@@ -363,3 +363,27 @@ index_page:
 |-----------------|----------|---------------|---------------|---------------------------------------------------------------------------------|
 | `enabled`       | `bool`   | yes           | `false`       | Flag to enable index_page return if no object with specified S3-name was found. |
 | `template_path` | `string` | yes           | `""`          | Path to .gotmpl file with html template for index_page.                         |
+
+# `cors` section
+
+Parameters for CORS (used in OPTIONS requests and responses in all handlers).
+If values are not set, headers will not be included to response.
+
+```yaml
+cors:
+  allow_origin: "*"
+  allow_methods: ["GET", "HEAD"]
+  allow_headers: ["Authorization"]
+  expose_headers: ["*"]
+  allow_credentials: false
+  max_age: 600
+```
+
+| Parameter           | Type       | SIGHUP reload | Default value | Description                                            |
+|---------------------|------------|---------------|---------------|--------------------------------------------------------|
+| `allow_origin`      | `string`   | yes           |               | Values for `Access-Control-Allow-Origin` headers.      |
+| `allow_methods`     | `[]string` | yes           |               | Values for `Access-Control-Allow-Methods` headers.     |
+| `allow_headers`     | `[]string` | yes           |               | Values for `Access-Control-Allow-Headers` headers.     |
+| `expose_headers`    | `[]string` | yes           |               | Values for `Access-Control-Expose-Headers` headers.    |
+| `allow_credentials` | `bool`     | yes           | `false`       | Values for `Access-Control-Allow-Credentials` headers. |
+| `max_age`           | `int`      | yes           | `600`         | Values for `Access-Control-Max-Age ` headers.          |