Merge pull request #8572 from jackyalbo/jacky_cors

Turning off CORS for 4.18
noobaa · Dec 3, 2024 · 7f676da · 7f676da
2 parents 6639c90 + 05ebfde
commit 7f676da
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 25 deletions.
diff --git a/src/endpoint/s3/s3_rest.js b/src/endpoint/s3/s3_rest.js
@@ -107,9 +107,9 @@ async function handle_request(req, res) {
     }
 
     const op_name = parse_op_name(req);
-    const cors = req.params.bucket && await req.object_sdk.read_bucket_sdk_cors_info(req.params.bucket);
+    // const cors = req.params.bucket && await req.object_sdk.read_bucket_sdk_cors_info(req.params.bucket);
 
-    http_utils.set_cors_headers_s3(req, res, cors);
+    http_utils.set_cors_headers_s3(req, res, /* cors */ undefined);
 
     if (req.method === 'OPTIONS') {
         dbg.log1('OPTIONS!');

diff --git a/src/test/system_tests/ceph_s3_tests/s3-tests-lists/nsfs_s3_tests_black_list.txt b/src/test/system_tests/ceph_s3_tests/s3-tests-lists/nsfs_s3_tests_black_list.txt
@@ -207,6 +207,10 @@ s3tests_boto3/functional/test_s3.py::test_multipart_upload_size_too_small
 s3tests_boto3/functional/test_s3.py::test_abort_multipart_upload
 s3tests_boto3/functional/test_s3.py::test_multipart_copy_improper_range
 s3tests_boto3/functional/test_s3.py::test_100_continue
+s3tests_boto3/functional/test_s3.py::test_set_cors
+s3tests_boto3/functional/test_s3.py::test_cors_origin_wildcard
+s3tests_boto3/functional/test_s3.py::test_cors_origin_response
+s3tests_boto3/functional/test_s3.py::test_cors_header_option
 s3tests_boto3/functional/test_s3.py::test_set_tagging
 s3tests_boto3/functional/test_s3.py::test_multipart_resend_first_finishes_last
 s3tests_boto3/functional/test_s3.py::test_versioned_object_acl
@@ -396,6 +400,8 @@ s3tests_boto3/functional/test_s3.py::test_sse_s3_encrypted_upload_1b
 s3tests_boto3/functional/test_s3.py::test_sse_s3_encrypted_upload_1kb
 s3tests_boto3/functional/test_s3.py::test_sse_s3_encrypted_upload_1mb
 s3tests_boto3/functional/test_s3.py::test_sse_s3_encrypted_upload_8mb
+s3tests_boto3/functional/test_s3.py::test_cors_presigned_get_object
+s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_get_object_tenant
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object_with_acl
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object_tenant

diff --git a/src/test/system_tests/ceph_s3_tests/s3-tests-lists/s3_tests_black_list.txt b/src/test/system_tests/ceph_s3_tests/s3-tests-lists/s3_tests_black_list.txt
@@ -209,6 +209,10 @@ s3tests_boto3/functional/test_s3.py::test_multipart_upload_size_too_small
 s3tests_boto3/functional/test_s3.py::test_abort_multipart_upload
 s3tests_boto3/functional/test_s3.py::test_multipart_copy_improper_range
 s3tests_boto3/functional/test_s3.py::test_100_continue
+s3tests_boto3/functional/test_s3.py::test_set_cors
+s3tests_boto3/functional/test_s3.py::test_cors_origin_wildcard
+s3tests_boto3/functional/test_s3.py::test_cors_origin_response
+s3tests_boto3/functional/test_s3.py::test_cors_header_option
 s3tests_boto3/functional/test_s3.py::test_set_tagging
 s3tests_boto3/functional/test_s3.py::test_multipart_resend_first_finishes_last
 s3tests_boto3/functional/test_s3.py::test_versioned_object_acl
@@ -350,5 +354,7 @@ s3tests_boto3/functional/test_sts.py::test_assume_role_with_web_identity_wrong_r
 s3tests_boto3/functional/test_sts.py::test_assume_role_with_web_identity_resource_tag_princ_tag
 s3tests_boto3/functional/test_sts.py::test_assume_role_with_web_identity_resource_tag_copy_obj
 s3tests_boto3/functional/test_sts.py::test_assume_role_with_web_identity_role_resource_tag
+s3tests_boto3/functional/test_s3.py::test_cors_presigned_get_object
+s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object_with_acl
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object_tenant_with_acl
diff --git a/src/util/http_utils.js b/src/util/http_utils.js
@@ -655,32 +655,42 @@ function set_cors_headers(req, res, cors) {
  * @param {CORSRule[]} cors_rules 
  */
 function set_cors_headers_s3(req, res, cors_rules) {
-    if (!config.S3_CORS_ENABLED || !cors_rules) return;
-
-    // based on https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html
-    const match_method = req.headers['access-control-request-method'] || req.method;
-    const match_origin = req.headers.origin;
-    const match_header = req.headers['access-control-request-headers']; // not a must
-    const matched_rule = req.headers.origin && ( // find the first rule with origin and method match
-        cors_rules.find(rule => {
-            const allowed_origins_regex = rule.allowed_origins.map(r => RegExp(`^${r.replace(/\*/g, '.*')}$`));
-            const allowed_headers_regex = rule.allowed_headers?.map(r => RegExp(`^${r.replace(/\*/g, '.*')}$`));
-            return allowed_origins_regex.some(r => r.test(match_origin)) &&
-                rule.allowed_methods.includes(match_method) &&
-                // we can match if no request headers or if reuqest headers match the rule allowed headers
-                (!match_header || allowed_headers_regex?.some(r => r.test(match_header)));
-        }));
-    if (matched_rule) {
-        // https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonResponseHeaders.html
+    if (config.S3_CORS_ENABLED) {
         set_cors_headers(req, res, {
-            allow_origin: matched_rule.allowed_origins.includes('*') ? '*' : req.headers.origin,
-            allow_methods: matched_rule.allowed_methods.join(','),
-            allow_headers: matched_rule.allowed_headers?.join(','),
-            expose_headers: matched_rule.expose_headers?.join(','),
-            allow_credentials: 'true',
-            max_age: matched_rule?.max_age
+            allow_origin: config.S3_CORS_ALLOW_ORIGIN,
+            allow_credentials: config.S3_CORS_ALLOW_CREDENTIAL,
+            allow_methods: config.S3_CORS_ALLOW_METHODS,
+            allow_headers: config.S3_CORS_ALLOW_HEADERS,
+            expose_headers: config.STS_CORS_EXPOSE_HEADERS,
         });
     }
+    // CORS CURRENTLY BREAKS OBJECT BROWSER - WILL ONLY SUPPORT DEFAULT HEADERS FOR NOW
+    // if (!config.S3_CORS_ENABLED || !cors_rules) return;
+
+    // // based on https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html
+    // const match_method = req.headers['access-control-request-method'] || req.method;
+    // const match_origin = req.headers.origin;
+    // const match_header = req.headers['access-control-request-headers']; // not a must
+    // const matched_rule = req.headers.origin && ( // find the first rule with origin and method match
+    //     cors_rules.find(rule => {
+    //         const allowed_origins_regex = rule.allowed_origins.map(r => RegExp(`^${r.replace(/\*/g, '.*')}$`));
+    //         const allowed_headers_regex = rule.allowed_headers?.map(r => RegExp(`^${r.replace(/\*/g, '.*')}$`));
+    //         return allowed_origins_regex.some(r => r.test(match_origin)) &&
+    //             rule.allowed_methods.includes(match_method) &&
+    //             // we can match if no request headers or if reuqest headers match the rule allowed headers
+    //             (!match_header || allowed_headers_regex?.some(r => r.test(match_header)));
+    //     }));
+    // if (matched_rule) {
+    //     // https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonResponseHeaders.html
+    //     set_cors_headers(req, res, {
+    //         allow_origin: matched_rule.allowed_origins.includes('*') ? '*' : req.headers.origin,
+    //         allow_methods: matched_rule.allowed_methods.join(','),
+    //         allow_headers: matched_rule.allowed_headers?.join(','),
+    //         expose_headers: matched_rule.expose_headers?.join(','),
+    //         allow_credentials: 'true',
+    //         max_age: matched_rule?.max_age
+    //     });
+    // }
 }
 
 /**