fix: support list of cors origins (#1262)

Author: plyr4

cmd/vela-server/main.go

@@ -75,6 +75,11 @@ func main() {
 			Usage:   "web ui oauth callback path",
 			Value:   "/account/authenticate",
 		},
+		&cli.StringSliceFlag{
+			EnvVars: []string{"VELA_CORS_ALLOW_ORIGINS", "VELA_CORS_ALLOWED_ORIGINS"},
+			Name:    "cors-allow-origins",
+			Usage:   "list of origins a cross-domain request can be executed from",
+		},
 		&cli.StringFlag{
 			EnvVars: []string{"VELA_SECRET"},
 			Name:    "vela-secret",

cmd/vela-server/metadata.go

@@ -109,6 +109,10 @@ func metadataVela(c *cli.Context) (*internal.Vela, error) {
 		vela.WebAddress = c.String("webui-addr")
 	}
 
+	if len(c.StringSlice("cors-allow-origins")) > 0 {
+		vela.CorsAllowOrigins = c.StringSlice("cors-allow-origins")
+	}
+
 	if len(c.String("webui-oauth-callback")) > 0 {
 		vela.WebOauthCallbackPath = c.String("webui-oauth-callback")
 	}

internal/metadata.go

@@ -32,6 +32,7 @@ type (
 		AccessTokenDuration  time.Duration `json:"access_token_duration"`
 		RefreshTokenDuration time.Duration `json:"refresh_token_duration"`
 		OpenIDIssuer         string        `json:"oidc_issuer"`
+		CorsAllowOrigins     []string      `json:"cors_allow_origins"`
 	}
 
 	// Metadata is the extra set of data passed to the compiler for

router/middleware/header.go

@@ -32,8 +32,9 @@ func Options(c *gin.Context) {
 	} else {
 		c.Header("Access-Control-Allow-Origin", "*")
 
-		if len(m.Vela.WebAddress) > 0 {
-			c.Header("Access-Control-Allow-Origin", m.Vela.WebAddress)
+		origin := CorsAllowOrigin(c, m)
+		if len(origin) > 0 {
+			c.Header("Access-Control-Allow-Origin", origin)
 			c.Header("Access-Control-Allow-Credentials", "true")
 		}
 
@@ -65,14 +66,31 @@ func Cors(c *gin.Context) {
 
 	c.Header("Access-Control-Allow-Origin", "*")
 
-	if len(m.Vela.WebAddress) > 0 {
-		c.Header("Access-Control-Allow-Origin", m.Vela.WebAddress)
+	origin := CorsAllowOrigin(c, m)
+	if len(origin) > 0 {
+		c.Header("Access-Control-Allow-Origin", origin)
 		c.Header("Access-Control-Allow-Credentials", "true")
 	}
 
 	c.Header("Access-Control-Expose-Headers", "link, x-total-count")
 }
 
+// CorsAllowOrigin is a helper function that returns the
+// allowed origin for CORS requests by checking the
+// request origin against the allowed origins in the
+// Vela metadata.
+func CorsAllowOrigin(c *gin.Context, m *internal.Metadata) string {
+	origin := c.Request.Header.Get("Origin")
+	for _, domain := range m.Vela.CorsAllowOrigins {
+		if domain == origin {
+			return domain
+		}
+	}
+
+	// return the Vela web address as the default to preserve functionality
+	return m.Vela.WebAddress
+}
+
 // RequestVersion is a middleware function that injects the Vela API version
 // information into the request so it will be logged. This is
 // intended for debugging and troubleshooting.

router/middleware/header_test.go

@@ -176,45 +176,102 @@ func TestMiddleware_Options_InvalidMethod(t *testing.T) {
 }
 
 func TestMiddleware_Cors(t *testing.T) {
-	// setup types
-	wantOrigin := "*"
-	wantExposeHeaders := "link, x-total-count"
-	m := &internal.Metadata{
-		Vela: &internal.Vela{
-			Address: "http://localhost:8080",
+	tests := []struct {
+		name                  string
+		m                     *internal.Metadata
+		origin                string
+		expectedOrigin        string
+		expectedCredentials   string
+		expectedExposeHeaders string
+	}{
+		{
+			name: "*",
+			m: &internal.Metadata{
+				Vela: &internal.Vela{
+					Address:          "http://localhost:8080",
+					CorsAllowOrigins: []string{},
+				},
+			},
+			origin:                "http://localhost:8888",
+			expectedOrigin:        "*",
+			expectedCredentials:   "",
+			expectedExposeHeaders: "link, x-total-count",
+		},
+		{
+			name: "WebAddress is origin",
+			m: &internal.Metadata{
+				Vela: &internal.Vela{
+					WebAddress:       "http://localhost:8888",
+					CorsAllowOrigins: []string{},
+				},
+			},
+			origin:                "http://localhost:8888",
+			expectedOrigin:        "http://localhost:8888",
+			expectedCredentials:   "true",
+			expectedExposeHeaders: "link, x-total-count",
+		},
+		{
+			name: "CORSAllowOrigins origin is web address",
+			m: &internal.Metadata{
+				Vela: &internal.Vela{
+					WebAddress:       "http://localhost:8888",
+					CorsAllowOrigins: []string{"http://localhost:3000", "http://localhost:3001"},
+				},
+			},
+			origin:                "http://localhost:8888",
+			expectedOrigin:        "http://localhost:8888",
+			expectedCredentials:   "true",
+			expectedExposeHeaders: "link, x-total-count",
+		},
+		{
+			name: "CORSAllowOrigins origin is in list",
+			m: &internal.Metadata{
+				Vela: &internal.Vela{
+					WebAddress:       "",
+					CorsAllowOrigins: []string{"http://localhost:3000", "http://localhost:3001", "http://localhost:8888"},
+				},
+			},
+			origin:                "http://localhost:8888",
+			expectedOrigin:        "http://localhost:8888",
+			expectedCredentials:   "true",
+			expectedExposeHeaders: "link, x-total-count",
 		},
 	}
 
-	// setup context
-	gin.SetMode(gin.TestMode)
-
-	resp := httptest.NewRecorder()
-	context, engine := gin.CreateTestContext(resp)
-	context.Request, _ = http.NewRequest(http.MethodGet, "/health", nil)
-
-	// setup mock server
-	engine.Use(Metadata(m))
-	engine.Use(Cors)
-	engine.GET("/health", func(c *gin.Context) {
-		c.Status(http.StatusOK)
-	})
-
-	// run test
-	engine.ServeHTTP(context.Writer, context.Request)
-
-	gotOrigin := context.Writer.Header().Get("Access-Control-Allow-Origin")
-	gotExposeHeaders := context.Writer.Header().Get("Access-Control-Expose-Headers")
-
-	if resp.Code != http.StatusOK {
-		t.Errorf("CORS returned %v, want %v", resp.Code, http.StatusOK)
-	}
-
-	if !reflect.DeepEqual(gotOrigin, wantOrigin) {
-		t.Errorf("CORS Access-Control-Allow-Origin is %v, want %v", gotOrigin, wantOrigin)
-	}
-
-	if !reflect.DeepEqual(gotExposeHeaders, wantExposeHeaders) {
-		t.Errorf("CORS Access-Control-Expose-Headers is %v, want %v", gotExposeHeaders, wantExposeHeaders)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gin.SetMode(gin.TestMode)
+			resp := httptest.NewRecorder()
+			context, engine := gin.CreateTestContext(resp)
+			context.Request, _ = http.NewRequest(http.MethodGet, "/health", nil)
+			context.Request.Header.Add("Origin", tt.origin)
+
+			// inject metadata
+			engine.Use(func(c *gin.Context) {
+				c.Set("metadata", tt.m)
+				c.Next()
+			})
+			engine.Use(Cors)
+			engine.GET("/health", func(c *gin.Context) {
+				c.Status(http.StatusOK)
+			})
+			engine.ServeHTTP(context.Writer, context.Request)
+
+			gotOrigin := context.Writer.Header().Get("Access-Control-Allow-Origin")
+			if gotOrigin != tt.expectedOrigin {
+				t.Errorf("Access-Control-Allow-Origin is %v; want %v", gotOrigin, tt.expectedOrigin)
+			}
+
+			gotCredentials := context.Writer.Header().Get("Access-Control-Allow-Credentials")
+			if gotCredentials != tt.expectedCredentials {
+				t.Errorf("Access-Control-Allow-Credentials is %v; want %v", gotCredentials, tt.expectedCredentials)
+			}
+
+			gotExposeHeaders := context.Writer.Header().Get("Access-Control-Expose-Headers")
+			if gotExposeHeaders != tt.expectedExposeHeaders {
+				t.Errorf("Access-Control-Expose-Headers is %v; want %v", gotExposeHeaders, tt.expectedExposeHeaders)
+			}
+		})
 	}
 }