authorBjørn Christian Seime <bjorncs@verizonmedia.com>2021-05-07 09:27:25 +0200
committerGitHub <noreply@github.com>2021-05-07 09:27:25 +0200
commitd4eebbf6d9b6a30e1c08896c64c5256b05c9d265 (patch)
treecadae6419bb751e96d76af10179d45cf4ac79a09 /jdisc-security-filters
parent989c8ffe4eb4fcea733731f89fbb389cf12c2370 (diff)
parentdf2417ec2047cc39be89c250d41c23b78032a3d0 (diff)
Merge pull request #17767 from vespa-engine/freva/allow-wildcard-in-cors-preflight
Allow wildcard in allowedUrls for CorsPreflightRequestFilter
Diffstat (limited to 'jdisc-security-filters')
-rw-r--r--jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java4
-rw-r--r--jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java11
2 files changed, 13 insertions, 2 deletions
diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
index 3d8a661d5d1..d0722cae5ac 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/cors/CorsLogic.java
@@ -38,8 +38,10 @@ class CorsLogic {
static Map<String, String> createCorsPreflightResponseHeaders(String requestOriginHeader,
Set<String> allowedOrigins) {
+ if (requestOriginHeader == null) return ACCESS_CONTROL_HEADERS;
+
TreeMap<String, String> headers = new TreeMap<>();
- if (requestOriginHeader != null && allowedOrigins.contains(requestOriginHeader))
+ if (allowedOrigins.stream().anyMatch(allowedUrl -> matchesRequestOrigin(requestOriginHeader, allowedUrl)))
headers.put(ALLOW_ORIGIN_HEADER, requestOriginHeader);
ACCESS_CONTROL_HEADERS.forEach(headers::put);
return headers;
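Review bot: The added early return on the `requestOriginHeader == null` line hands the caller the shared `ACCESS_CONTROL_HEADERS` instance itself, where the old code always returned a fresh `TreeMap`; the constant's declaration is outside the hunk, so depending on whether it is a mutable or an unmodifiable map, a caller that adds a header either mutates process-wide state or gets an `UnsupportedOperationException`. Returning a copy keeps the previous contract: `if (requestOriginHeader == null) return new TreeMap<>(ACCESS_CONTROL_HEADERS);`. The origin check now goes through `matchesRequestOrigin`, which is not in the hunk, and the new test for `"*"` expects the request origin to be echoed back in `ALLOW_ORIGIN_HEADER`, so a configured wildcard amounts to reflecting any caller's origin; if `ACCESS_CONTROL_HEADERS` also carries `Access-Control-Allow-Credentials: true` (not visible here) that grants credentialed cross-origin access to every site, which is worth stating in the Javadoc of `createCorsPreflightResponseHeaders`, e.g. `A configured "*" reflects the request Origin verbatim; avoid combining it with Allow-Credentials on endpoints that rely on cookies or ambient auth.` It is also worth confirming that `matchesRequestOrigin` compares the full origin (scheme, host and port) rather than a substring, so a wildcard only expands where intended. The method's closing brace lies outside the hunk.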
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
index 2486bc444c8..8b77fc0abbd 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/cors/CorsPreflightRequestFilterTest.java
@@ -15,7 +15,9 @@ import java.util.Arrays;
import static com.yahoo.jdisc.http.HttpRequest.Method.OPTIONS;
import static com.yahoo.jdisc.http.filter.security.cors.CorsLogic.ACCESS_CONTROL_HEADERS;
import static com.yahoo.jdisc.http.filter.security.cors.CorsLogic.ALLOW_ORIGIN_HEADER;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
@@ -41,6 +43,13 @@ public class CorsPreflightRequestFilterTest {
}
@Test
+ public void allowed_wildcard_origin_yields_origin_header_in_response() {
+ final String ALLOWED_ORIGIN = "http://allowed.origin";
+ HeaderFields headers = doFilterRequest(newRequestFilter("*"), ALLOWED_ORIGIN);
+ assertEquals(ALLOWED_ORIGIN, headers.getFirst(ALLOW_ORIGIN_HEADER));
+ }
+
+ @Test
public void disallowed_request_origin_does_not_yield_allow_origin_header_in_response() {
HeaderFields headers = doFilterRequest(newRequestFilter("http://allowed.origin"), "http://disallowed.origin");
assertNull(headers.getFirst(ALLOW_ORIGIN_HEADER));