Merge pull request #8518 from dragonchaser/cors-issues

[full-ci] adapt cors headers

changelog/unreleased/improve-cors.md

@@ -0,0 +1,7 @@
+Enhancement: Change Cors default settings
+
+We have changed the default CORS settings to set `Access-Control-Allow-Origin` to the `OCIS_URL` if not explicitely set
+and `Access-Control-Allow-Credentials` to `false` if not explicitely set.
+
+https://github.com/owncloud/ocis/pull/8518
+https://github.com/owncloud/ocis/issues/8514

ocis-pkg/config/config.go

@@ -68,7 +68,7 @@ type Config struct {
 
 	Mode    Mode // DEPRECATED
 	File    string
-	OcisURL string `yaml:"ocis_url" desc:"URL, where oCIS is reachable for users."`
+	OcisURL string `yaml:"ocis_url" env:"OCIS_URL" desc:"URL, where oCIS is reachable for users." introductionVersion:"pre5.0"`
 
 	Registry          string               `yaml:"registry"`
 	TokenManager      *shared.TokenManager `yaml:"token_manager"`

services/frontend/pkg/config/defaults/defaultconfig.go

@@ -31,7 +31,7 @@ func DefaultConfig() *config.Config {
 			Protocol:  "tcp",
 			Prefix:    "",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"OPTIONS",
 					"HEAD",
@@ -73,7 +73,7 @@ func DefaultConfig() *config.Config {
 					"X-HTTP-Method-Override",
 					"Cache-Control",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 			},
 		},
 		Service: config.Service{
@@ -185,6 +185,12 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
 	}
 
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") &&
+		(cfg.HTTP.CORS.AllowedOrigins == nil ||
+			len(cfg.HTTP.CORS.AllowedOrigins) == 1 &&
+				cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }
 
 // Sanitize sanitized the configuration

services/invitations/pkg/config/defaults/defaultconfig.go

@@ -26,7 +26,7 @@ func DefaultConfig() *config.Config {
 			Root:      "/graph/v1.0",
 			Namespace: "com.owncloud.graph",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 			},
 		},
 		Service: config.Service{
@@ -77,6 +77,13 @@ func EnsureDefaults(cfg *config.Config) {
 	} else if cfg.TokenManager == nil {
 		cfg.TokenManager = &config.TokenManager{}
 	}
+
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") &&
+		(cfg.HTTP.CORS.AllowedOrigins == nil ||
+			len(cfg.HTTP.CORS.AllowedOrigins) == 1 &&
+				cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }
 
 func Sanitize(cfg *config.Config) {

services/ocdav/pkg/config/defaults/defaultconfig.go

@@ -30,7 +30,7 @@ func DefaultConfig() *config.Config {
 			Protocol:  "tcp",
 			Prefix:    "",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"OPTIONS",
 					"HEAD",
@@ -71,7 +71,7 @@ func DefaultConfig() *config.Config {
 					"X-HTTP-Method-Override",
 					"Cache-Control",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 			},
 		},
 		Service: config.Service{
@@ -137,6 +137,13 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.MachineAuthAPIKey == "" && cfg.Commons != nil && cfg.Commons.MachineAuthAPIKey != "" {
 		cfg.MachineAuthAPIKey = cfg.Commons.MachineAuthAPIKey
 	}
+
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") &&
+		(cfg.HTTP.CORS.AllowedOrigins == nil ||
+			len(cfg.HTTP.CORS.AllowedOrigins) == 1 &&
+				cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }
 
 // Sanitize sanitizes the configuration

services/ocm/pkg/config/defaults/defaultconfig.go

@@ -32,7 +32,7 @@ func DefaultConfig() *config.Config {
 			Protocol:  "tcp",
 			Prefix:    "",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"OPTIONS",
 					"HEAD",
@@ -73,7 +73,7 @@ func DefaultConfig() *config.Config {
 					"X-HTTP-Method-Override",
 					"Cache-Control",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 			},
 		},
 		GRPC: config.GRPCConfig{
@@ -165,6 +165,13 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.GRPC.TLS == nil && cfg.Commons != nil {
 		cfg.GRPC.TLS = structs.CopyOrZeroValue(cfg.Commons.GRPCServiceTLS)
 	}
+
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") &&
+		(cfg.HTTP.CORS.AllowedOrigins == nil ||
+			len(cfg.HTTP.CORS.AllowedOrigins) == 1 &&
+				cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }
 
 // Sanitize sanitizes the config

services/storage-users/pkg/config/defaults/defaultconfig.go

@@ -38,7 +38,7 @@ func DefaultConfig() *config.Config {
 			Protocol:  "tcp",
 			Prefix:    "data",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"POST",
 					"HEAD",
@@ -63,7 +63,7 @@ func DefaultConfig() *config.Config {
 					"Upload-Incomplete",
 					"Upload-Draft-Interop-Version",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 				ExposedHeaders: []string{
 					"Upload-Offset",
 					"Location",
@@ -208,6 +208,13 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.Tasks.PurgeTrashBin.UserID == "" && cfg.Commons != nil {
 		cfg.Tasks.PurgeTrashBin.UserID = cfg.Commons.AdminUserID
 	}
+
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") &&
+		(cfg.HTTP.CORS.AllowedOrigins == nil ||
+			len(cfg.HTTP.CORS.AllowedOrigins) == 1 &&
+				cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }
 
 // Sanitize sanitized the configuration

services/web/pkg/config/defaults/defaultconfig.go

@@ -32,7 +32,7 @@ func DefaultConfig() *config.Config {
 			CacheTTL:  604800, // 7 days
 
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins: []string{"https://localhost:9200"},
 				AllowedMethods: []string{
 					"OPTIONS",
 					"HEAD",
@@ -73,7 +73,7 @@ func DefaultConfig() *config.Config {
 					"Upload-Offset",
 					"X-HTTP-Method-Override",
 				},
-				AllowCredentials: true,
+				AllowCredentials: false,
 			},
 		},
 		Service: config.Service{
@@ -173,6 +173,13 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.Commons != nil {
 		cfg.HTTP.TLS = cfg.Commons.HTTPServiceTLS
 	}
+
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") &&
+		(cfg.HTTP.CORS.AllowedOrigins == nil ||
+			len(cfg.HTTP.CORS.AllowedOrigins) == 1 &&
+				cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }
 
 // Sanitize sanitized the configuration

services/webfinger/pkg/config/defaults/defaultconfig.go

@@ -29,7 +29,8 @@ func DefaultConfig() *config.Config {
 			Root:      "/",
 			Namespace: "com.owncloud.web",
 			CORS: config.CORS{
-				AllowedOrigins: []string{"*"},
+				AllowedOrigins:   []string{"https://localhost:9200"},
+				AllowCredentials: false,
 			},
 		},
 		Service: config.Service{
@@ -81,6 +82,13 @@ func EnsureDefaults(cfg *config.Config) {
 	if cfg.Commons != nil {
 		cfg.HTTP.TLS = cfg.Commons.HTTPServiceTLS
 	}
+
+	if (cfg.Commons != nil && cfg.Commons.OcisURL != "") &&
+		(cfg.HTTP.CORS.AllowedOrigins == nil ||
+			len(cfg.HTTP.CORS.AllowedOrigins) == 1 &&
+				cfg.HTTP.CORS.AllowedOrigins[0] == "https://localhost:9200") {
+		cfg.HTTP.CORS.AllowedOrigins = []string{cfg.Commons.OcisURL}
+	}
 }
 
 // Sanitize sanitized the configuration

sonar-project.properties

@@ -35,7 +35,7 @@ sonar.go.golangci-lint.reportPaths=cache/checkstyle/checkstyle.xml
 # Exclude files
 sonar.exclusions=**/third_party,docs/**,changelog/**,**/package.json,**/rollup.config.js,CHANGELOG.md,deployments/**,tests/**,vendor/**,vendor-bin/**,README.md,**/mocks/**,/protogen/**,**/*_gen.go
 sonar.coverage.exclusions=**/*_test.go,**mocks/**,/protogen/**,**/*_gen.go
-sonar.cpd.exclusions=**/*_test.go,**/revaconfig/**,services/settings/pkg/store/defaults/defaults.go
+sonar.cpd.exclusions=**/defaultconfig.go,**/*_test.go,**/revaconfig/**,services/settings/pkg/store/defaults/defaults.go
 
 # Rule exclusions
 sonar.issue.ignore.multicriteria=g1,g2

tests/acceptance/features/apiContract/copy.feature

@@ -22,6 +22,6 @@ Feature: Copy test
     Then the HTTP status code should be "201"
     And the following headers should match these regular expressions
       | Oc-Fileid                   | /^[a-f0-9!\$\-]{110}$/                       |
-      | Access-Control-Allow-Origin | /^[*]{1}$/                                   |
+      | Access-Control-Allow-Origin | /^%base_url%$/                               |
       | X-Request-Id                | /^[a-zA-Z]+\/[a-zA-Z]+\.feature:\d+(-\d+)?$/ |
 

tests/acceptance/features/apiCors/cors.feature

@@ -21,7 +21,6 @@ Feature: CORS headers
       | header                           | value               |
       | Access-Control-Expose-Headers    | Location            |
       | Access-Control-Allow-Origin      | https://aphno.badal |
-      | Access-Control-Allow-Credentials | true                |
     Examples:
       | ocs-api-version | endpoint                          | ocs-status-code | http-status-code |
       | 1               | /config                           | 100             | 200              |