[#672] Support wildcard in allowed origins and headers

Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>
2025-03-31 14:42:59 +03:00 · 2025-03-31 14:42:59 +03:00 · e45c1a2188
commit e45c1a2188
parent 2ad2531d3a
6 changed files with 724 additions and 18 deletions
--- a/api/layer/cors_test.go
+++ b/api/layer/cors_test.go
@ -6,6 +6,8 @@ import (
 	"strings"
 	"testing"

+	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
+	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"github.com/stretchr/testify/require"
 )

@ -17,7 +19,7 @@ func TestCorsCopiesNumber(t *testing.T) {
 		<AllowedMethod>GET</AllowedMethod>
 		<AllowedOrigin>http://www.example.com</AllowedOrigin>
 		<AllowedHeader>Authorization</AllowedHeader>
-		<ExposeHeader>x-amz-*</ExposeHeader>
+		<ExposeHeader>x-amz-request-id</ExposeHeader>
 	</CORSRule>
 </CORSConfiguration>
 `
@ -39,6 +41,71 @@ func TestCorsCopiesNumber(t *testing.T) {
 	require.EqualValues(t, copies, tc.testFrostFS.CopiesNumbers(addrFromObject(objs[0]).EncodeToString()))
 }

+func TestCheckCORS(t *testing.T) {
+	for _, tc := range []struct {
+		name         string
+		cfg          *data.CORSConfiguration
+		expectedCode apierr.ErrorCode
+	}{
+		{
+			name: "allowed origin wildcards",
+			cfg: &data.CORSConfiguration{
+				CORSRules: []data.CORSRule{
+					{
+						AllowedOrigins: []string{"https://*.example.*"},
+						AllowedMethods: []string{"GET"},
+					},
+				},
+			},
+			expectedCode: apierr.ErrCORSWildcardsAllowedOrigins,
+		},
+		{
+			name: "allowed header wildcards",
+			cfg: &data.CORSConfiguration{
+				CORSRules: []data.CORSRule{
+					{
+						AllowedOrigins: []string{"https://*.example.com"},
+						AllowedMethods: []string{"GET"},
+						AllowedHeaders: []string{"x-amz-*-*"},
+					},
+				},
+			},
+			expectedCode: apierr.ErrCORSWildcardsAllowedHeaders,
+		},
+		{
+			name: "invalid allowed method",
+			cfg: &data.CORSConfiguration{
+				CORSRules: []data.CORSRule{
+					{
+						AllowedOrigins: []string{"https://*.example.com"},
+						AllowedMethods: []string{"INVALID"},
+						AllowedHeaders: []string{"x-amz-*"},
+					},
+				},
+			},
+			expectedCode: apierr.ErrCORSUnsupportedMethod,
+		},
+		{
+			name: "expose header wildcard",
+			cfg: &data.CORSConfiguration{
+				CORSRules: []data.CORSRule{
+					{
+						AllowedOrigins: []string{"https://*.example.com"},
+						AllowedMethods: []string{"GET"},
+						AllowedHeaders: []string{"x-amz-*"},
+						ExposeHeaders:  []string{"x-amz-*"},
+					},
+				},
+			},
+			expectedCode: apierr.ErrCORSWildcardExposeHeaders,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			require.True(t, apierr.IsS3Error(checkCORS(tc.cfg), tc.expectedCode))
+		})
+	}
+}
+
 func NewXMLDecoder(r io.Reader, _ string) *xml.Decoder {
 	dec := xml.NewDecoder(r)