Allow for more CORS configuration

glbrntt · glbrntt · commit c9027f8c25b5 · 2023-05-02T10:58:58.000+01:00
Motivation: We added some level of CORS configuration support in grpc#1583. This change adds further flexibility. Modifications: - Add an 'originBased' mode where the value of the origin header is returned in the response head. - Add a custom fallback where the user can specify a callback which is passed the value of the origin header and returns the value to return in the 'access-control-allow-origin' response header (or nil, if the origin is not allowed). Result: More flexibility for CORS.
diff --git a/Sources/GRPC/Server.swift b/Sources/GRPC/Server.swift
@@ -479,7 +479,44 @@ extension Server.Configuration.CORS {
   public struct AllowedOrigins: Hashable, Sendable {
     enum Wrapped: Hashable, Sendable {
       case all
+      case originBased
       case only([String])
+      case custom(@Sendable (String) -> String?)
+
+      // Mistakes were made! CORS and AllowedOrigins were made 'Hashable' before the 'custom'
+      // option was added. Removing the conformance is an API breaking change so we have to
+      // provide a best effort implementation for Hashable and Eqatable.
+
+      static func == (lhs: Self, rhs: Self) -> Bool {
+        switch (lhs, rhs) {
+        case (.all, .all),
+             (.originBased, .originBased):
+          return true
+        case let (.only(onlyLHS), .only(onlyRHS)):
+          return onlyLHS == onlyRHS
+        case (.custom, .custom):
+          return true
+        case (.all, _),
+             (.originBased, _),
+             (.only, _),
+             (.custom, _):
+          return false
+        }
+      }
+
+      func hash(into hasher: inout Hasher) {
+        switch self {
+        case .all:
+          hasher.combine(0)
+        case .originBased:
+          hasher.combine(1)
+        case let .only(only):
+          hasher.combine(2)
+          hasher.combine(only)
+        case .custom:
+          hasher.combine(4)
+        }
+      }
     }
 
     private(set) var wrapped: Wrapped
@@ -490,10 +527,25 @@ extension Server.Configuration.CORS {
     /// Allow all origin values.
     public static let all = Self(.all)
 
+    /// Allow all origin values; similar to `all` but returns the value of the origin header field
+    /// in the 'access-control-allow-origin' response header (rather than "*").
+    public static let originBased = Self(.originBased)
+
     /// Allow only the given origin values.
     public static func only(_ allowed: [String]) -> Self {
       return Self(.only(allowed))
     }
+
+    /// Provide a custom CORS origin check.
+    ///
+    /// - Parameter checkOrigin: A closure which is called with the value of the 'origin' header
+    ///     and returns the value to use in the 'access-control-allow-origin' response header,
+    ///     or `nil` if the origin is not allowed.
+    public static func custom(
+      _ checkOrigin: @escaping @Sendable (_ origin: String) -> String?
+    ) -> Self {
+      return Self(.custom(checkOrigin))
+    }
   }
 }
 
diff --git a/Sources/GRPC/WebCORSHandler.swift b/Sources/GRPC/WebCORSHandler.swift
@@ -198,8 +198,12 @@ extension Server.Configuration.CORS.AllowedOrigins {
     switch self.wrapped {
     case .all:
       return "*"
+    case .originBased:
+      return origin
     case let .only(allowed):
       return allowed.contains(origin) ? origin : nil
+    case let .custom(custom):
+      return custom(origin)
     }
   }
 }
diff --git a/Tests/GRPCTests/WebCORSHandlerTests.swift b/Tests/GRPCTests/WebCORSHandlerTests.swift
@@ -93,6 +93,46 @@ internal final class WebCORSHandlerTests: XCTestCase {
     try self.runPreflightRequestTest(spec: spec)
   }
 
+  func testOptionsPreflightOriginBased() throws {
+    let spec = PreflightRequestSpec(
+      configuration: .init(
+        allowedOrigins: .originBased,
+        allowedHeaders: ["x-grpc-web"],
+        allowCredentialedRequests: false,
+        preflightCacheExpiration: 60
+      ),
+      requestOrigin: "foo",
+      expectOrigin: "foo",
+      expectAllowedHeaders: ["x-grpc-web"],
+      expectAllowCredentials: false,
+      expectMaxAge: "60"
+    )
+    try self.runPreflightRequestTest(spec: spec)
+  }
+
+  func testOptionsPreflightCustom() throws {
+    let spec = PreflightRequestSpec(
+      configuration: .init(
+        allowedOrigins: .custom { origin in
+          if origin == "foo" {
+            return "bar"
+          } else {
+            return nil
+          }
+        },
+        allowedHeaders: ["x-grpc-web"],
+        allowCredentialedRequests: false,
+        preflightCacheExpiration: 60
+      ),
+      requestOrigin: "foo",
+      expectOrigin: "bar",
+      expectAllowedHeaders: ["x-grpc-web"],
+      expectAllowCredentials: false,
+      expectMaxAge: "60"
+    )
+    try self.runPreflightRequestTest(spec: spec)
+  }
+
   func testOptionsPreflightAllowSomeOrigins() throws {
     let spec = PreflightRequestSpec(
       configuration: .init(

Original file line number	Diff line number	Diff line change
`@@ -198,8 +198,12 @@ extension Server.Configuration.CORS.AllowedOrigins {`
`198`	`198`	`switch self.wrapped {`
`199`	`199`	`case .all:`
`200`	`200`	`return "*"`
	`201`	`+ case .originBased:`
	`202`	`+ return origin`
`201`	`203`	`case let .only(allowed):`
`202`	`204`	`return allowed.contains(origin) ? origin : nil`
	`205`	`+ case let .custom(custom):`
	`206`	`+ return custom(origin)`
`203`	`207`	`}`
`204`	`208`	`}`
`205`	`209`	`}`