Merge pull request #8573 from jackyalbo/jacky_cors

Turning CORS back on for master

Author: jackyalbo

src/endpoint/s3/s3_rest.js

@@ -107,9 +107,9 @@ async function handle_request(req, res) {
     }
 
     const op_name = parse_op_name(req);
-    // const cors = req.params.bucket && await req.object_sdk.read_bucket_sdk_cors_info(req.params.bucket);
+    const cors = req.params.bucket && await req.object_sdk.read_bucket_sdk_cors_info(req.params.bucket);
 
-    http_utils.set_cors_headers_s3(req, res, /* cors */ undefined);
+    http_utils.set_cors_headers_s3(req, res, cors);
 
     if (req.method === 'OPTIONS') {
         dbg.log1('OPTIONS!');

src/test/system_tests/ceph_s3_tests/s3-tests-lists/nsfs_s3_tests_black_list.txt

@@ -207,10 +207,6 @@ s3tests_boto3/functional/test_s3.py::test_multipart_upload_size_too_small
 s3tests_boto3/functional/test_s3.py::test_abort_multipart_upload
 s3tests_boto3/functional/test_s3.py::test_multipart_copy_improper_range
 s3tests_boto3/functional/test_s3.py::test_100_continue
-s3tests_boto3/functional/test_s3.py::test_set_cors
-s3tests_boto3/functional/test_s3.py::test_cors_origin_wildcard
-s3tests_boto3/functional/test_s3.py::test_cors_origin_response
-s3tests_boto3/functional/test_s3.py::test_cors_header_option
 s3tests_boto3/functional/test_s3.py::test_set_tagging
 s3tests_boto3/functional/test_s3.py::test_multipart_resend_first_finishes_last
 s3tests_boto3/functional/test_s3.py::test_versioned_object_acl
@@ -400,8 +396,6 @@ s3tests_boto3/functional/test_s3.py::test_sse_s3_encrypted_upload_1b
 s3tests_boto3/functional/test_s3.py::test_sse_s3_encrypted_upload_1kb
 s3tests_boto3/functional/test_s3.py::test_sse_s3_encrypted_upload_1mb
 s3tests_boto3/functional/test_s3.py::test_sse_s3_encrypted_upload_8mb
-s3tests_boto3/functional/test_s3.py::test_cors_presigned_get_object
-s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_get_object_tenant
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object_with_acl
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object_tenant

src/test/system_tests/ceph_s3_tests/s3-tests-lists/s3_tests_black_list.txt

@@ -209,10 +209,6 @@ s3tests_boto3/functional/test_s3.py::test_multipart_upload_size_too_small
 s3tests_boto3/functional/test_s3.py::test_abort_multipart_upload
 s3tests_boto3/functional/test_s3.py::test_multipart_copy_improper_range
 s3tests_boto3/functional/test_s3.py::test_100_continue
-s3tests_boto3/functional/test_s3.py::test_set_cors
-s3tests_boto3/functional/test_s3.py::test_cors_origin_wildcard
-s3tests_boto3/functional/test_s3.py::test_cors_origin_response
-s3tests_boto3/functional/test_s3.py::test_cors_header_option
 s3tests_boto3/functional/test_s3.py::test_set_tagging
 s3tests_boto3/functional/test_s3.py::test_multipart_resend_first_finishes_last
 s3tests_boto3/functional/test_s3.py::test_versioned_object_acl
@@ -354,7 +350,5 @@ s3tests_boto3/functional/test_sts.py::test_assume_role_with_web_identity_wrong_r
 s3tests_boto3/functional/test_sts.py::test_assume_role_with_web_identity_resource_tag_princ_tag
 s3tests_boto3/functional/test_sts.py::test_assume_role_with_web_identity_resource_tag_copy_obj
 s3tests_boto3/functional/test_sts.py::test_assume_role_with_web_identity_role_resource_tag
-s3tests_boto3/functional/test_s3.py::test_cors_presigned_get_object
-s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object_with_acl
 s3tests_boto3/functional/test_s3.py::test_cors_presigned_put_object_tenant_with_acl

src/util/http_utils.js

@@ -655,42 +655,32 @@ function set_cors_headers(req, res, cors) {
  * @param {CORSRule[]} cors_rules 
  */
 function set_cors_headers_s3(req, res, cors_rules) {
-    if (config.S3_CORS_ENABLED) {
+    if (!config.S3_CORS_ENABLED || !cors_rules) return;
+
+    // based on https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html
+    const match_method = req.headers['access-control-request-method'] || req.method;
+    const match_origin = req.headers.origin;
+    const match_header = req.headers['access-control-request-headers']; // not a must
+    const matched_rule = req.headers.origin && ( // find the first rule with origin and method match
+        cors_rules.find(rule => {
+            const allowed_origins_regex = rule.allowed_origins.map(r => RegExp(`^${r.replace(/\*/g, '.*')}$`));
+            const allowed_headers_regex = rule.allowed_headers?.map(r => RegExp(`^${r.replace(/\*/g, '.*')}$`));
+            return allowed_origins_regex.some(r => r.test(match_origin)) &&
+                rule.allowed_methods.includes(match_method) &&
+                // we can match if no request headers or if reuqest headers match the rule allowed headers
+                (!match_header || allowed_headers_regex?.some(r => r.test(match_header)));
+        }));
+    if (matched_rule) {
+        // https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonResponseHeaders.html
         set_cors_headers(req, res, {
-            allow_origin: config.S3_CORS_ALLOW_ORIGIN,
-            allow_credentials: config.S3_CORS_ALLOW_CREDENTIAL,
-            allow_methods: config.S3_CORS_ALLOW_METHODS,
-            allow_headers: config.S3_CORS_ALLOW_HEADERS,
-            expose_headers: config.STS_CORS_EXPOSE_HEADERS,
+            allow_origin: matched_rule.allowed_origins.includes('*') ? '*' : req.headers.origin,
+            allow_methods: matched_rule.allowed_methods.join(','),
+            allow_headers: matched_rule.allowed_headers?.join(','),
+            expose_headers: matched_rule.expose_headers?.join(','),
+            allow_credentials: 'true',
+            max_age: matched_rule?.max_age
         });
     }
-    // CORS CURRENTLY BREAKS OBJECT BROWSER - WILL ONLY SUPPORT DEFAULT HEADERS FOR NOW
-    // if (!config.S3_CORS_ENABLED || !cors_rules) return;
-
-    // // based on https://docs.aws.amazon.com/AmazonS3/latest/userguide/cors.html
-    // const match_method = req.headers['access-control-request-method'] || req.method;
-    // const match_origin = req.headers.origin;
-    // const match_header = req.headers['access-control-request-headers']; // not a must
-    // const matched_rule = req.headers.origin && ( // find the first rule with origin and method match
-    //     cors_rules.find(rule => {
-    //         const allowed_origins_regex = rule.allowed_origins.map(r => RegExp(`^${r.replace(/\*/g, '.*')}$`));
-    //         const allowed_headers_regex = rule.allowed_headers?.map(r => RegExp(`^${r.replace(/\*/g, '.*')}$`));
-    //         return allowed_origins_regex.some(r => r.test(match_origin)) &&
-    //             rule.allowed_methods.includes(match_method) &&
-    //             // we can match if no request headers or if reuqest headers match the rule allowed headers
-    //             (!match_header || allowed_headers_regex?.some(r => r.test(match_header)));
-    //     }));
-    // if (matched_rule) {
-    //     // https://docs.aws.amazon.com/AmazonS3/latest/API/RESTCommonResponseHeaders.html
-    //     set_cors_headers(req, res, {
-    //         allow_origin: matched_rule.allowed_origins.includes('*') ? '*' : req.headers.origin,
-    //         allow_methods: matched_rule.allowed_methods.join(','),
-    //         allow_headers: matched_rule.allowed_headers?.join(','),
-    //         expose_headers: matched_rule.expose_headers?.join(','),
-    //         allow_credentials: 'true',
-    //         max_age: matched_rule?.max_age
-    //     });
-    // }
 }
 
 /**