CBG-2807: Allow databases to override CORS config (#6179)

* Don't set db headers unless we auth to DB
* Disallow setting max_age on database

Author: torcolvin

auth/cors.go

@@ -0,0 +1,49 @@
+// Copyright 2023-Present Couchbase, Inc.
+//
+// Use of this software is governed by the Business Source License included
+// in the file licenses/BSL-Couchbase.txt.  As of the Change Date specified
+// in that file, in accordance with the Business Source License, use of this
+// software will be governed by the Apache License, Version 2.0, included in
+// the file licenses/APL2.txt.
+
+package auth
+
+import (
+	"net/http"
+	"strings"
+)
+
+// Configuration for Cross-Origin Resource Sharing
+// <https://en.wikipedia.org/wiki/Cross-origin_resource_sharing>
+type CORSConfig struct {
+	Origin      []string `json:"origin,omitempty"       help:"List of allowed origins, use ['*'] to allow access from everywhere"`
+	LoginOrigin []string `json:"login_origin,omitempty" help:"List of allowed login origins"`
+	Headers     []string `json:"headers,omitempty"      help:"List of allowed headers"`
+	MaxAge      int      `json:"max_age,omitempty"      help:"Maximum age of the CORS Options request"`
+}
+
+// Adds Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Headers headers to an HTTP response.
+func (cors *CORSConfig) AddResponseHeaders(request *http.Request, response http.ResponseWriter) {
+	if originHeader := request.Header["Origin"]; len(originHeader) > 0 {
+		origin := MatchedOrigin(cors.Origin, originHeader)
+		response.Header().Add("Access-Control-Allow-Origin", origin)
+		response.Header().Add("Access-Control-Allow-Credentials", "true")
+		response.Header().Add("Access-Control-Allow-Headers", strings.Join(cors.Headers, ", "))
+	}
+}
+
+func MatchedOrigin(allowOrigins []string, rqOrigins []string) string {
+	for _, rv := range rqOrigins {
+		for _, av := range allowOrigins {
+			if rv == av {
+				return av
+			}
+		}
+	}
+	for _, av := range allowOrigins {
+		if av == "*" {
+			return "*"
+		}
+	}
+	return ""
+}

db/database.go

@@ -130,6 +130,7 @@ type DatabaseContext struct {
 	CollectionNames              map[string]map[string]struct{} // Map of scope, collection names
 	MetadataKeys                 *base.MetadataKeys             // Factory to generate metadata document keys
 	RequireResync                base.ScopeAndCollectionNames   // Collections requiring resync before database can go online
+	CORS                         *auth.CORSConfig               // CORS configuration
 }
 
 type Scope struct {

docs/api/components/schemas.yaml

@@ -1762,6 +1762,25 @@ Database:
         Defaults to true when running in serverless mode otherwise defaults to false.
       type: boolean
       default: false
+    cors:
+      description: CORS configuration for this database; if present, overrides server's config.
+      type: object
+      properties:
+        origin:
+          description: 'List of allowed origins, use [''*''] to allow access from everywhere'
+          type: array
+          items:
+            type: string
+        login_origin:
+          description: List of allowed login origins
+          type: array
+          items:
+            type: string
+        headers:
+          description: List of allowed headers
+          type: array
+          items:
+            type: string
   title: Database-config
 Event-config:
   type: object

rest/admin_api.go

@@ -54,7 +54,6 @@ func (h *handler) handleCreateDB() error {
 	}
 
 	config.Name = dbName
-
 	if h.server.persistentConfig {
 		if err := config.validatePersistentDbConfig(); err != nil {
 			return base.HTTPErrorf(http.StatusBadRequest, err.Error())

rest/api_test.go

@@ -229,45 +229,65 @@ func TestFunkyDocIDs(t *testing.T) {
 func TestCORSOrigin(t *testing.T) {
 	rt := NewRestTester(t, nil)
 	defer rt.Close()
+	tests := []struct {
+		origin       string
+		headerOutput string
+	}{
+		{
+			origin:       "http://example.com",
+			headerOutput: "http://example.com",
+		},
+		{
+			origin:       "http://staging.example.com",
+			headerOutput: "http://staging.example.com",
+		},
 
-	reqHeaders := map[string]string{
-		"Origin": "http://example.com",
+		{
+			origin:       "http://hack0r.com",
+			headerOutput: "*",
+		},
 	}
-	response := rt.SendRequestWithHeaders("GET", "/{{.keyspace}}/", "", reqHeaders)
-	assert.Equal(t, "http://example.com", response.Header().Get("Access-Control-Allow-Origin"))
 
-	// now test a non-listed origin
-	// b/c * is in config we get *
-	reqHeaders = map[string]string{
-		"Origin": "http://hack0r.com",
-	}
-	response = rt.SendRequestWithHeaders("GET", "/{{.keyspace}}/", "", reqHeaders)
-	assert.Equal(t, "*", response.Header().Get("Access-Control-Allow-Origin"))
+	for _, tc := range tests {
+		t.Run(tc.origin, func(t *testing.T) {
 
-	// now test another origin in config
-	reqHeaders = map[string]string{
-		"Origin": "http://staging.example.com",
-	}
-	response = rt.SendRequestWithHeaders("GET", "/{{.keyspace}}/", "", reqHeaders)
-	assert.Equal(t, "http://staging.example.com", response.Header().Get("Access-Control-Allow-Origin"))
+			invalidDatabaseName := "invalid database name"
+			reqHeaders := map[string]string{
+				"Origin": tc.origin,
+			}
+			response := rt.SendRequestWithHeaders("GET", "/{{.keyspace}}/", "", reqHeaders)
+			assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
+			RequireStatus(t, response, http.StatusBadRequest)
+			require.Contains(t, response.Body.String(), invalidDatabaseName)
+
+			response = rt.SendRequestWithHeaders("GET", "/{{.db}}/", "", reqHeaders)
+			assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
+			RequireStatus(t, response, http.StatusUnauthorized)
+			require.Contains(t, response.Body.String(), ErrLoginRequired.Message)
+
+			response = rt.SendRequestWithHeaders("GET", "/notadb/", "", reqHeaders)
+			assert.Equal(t, tc.headerOutput, response.Header().Get("Access-Control-Allow-Origin"))
+			RequireStatus(t, response, http.StatusUnauthorized)
+			require.Contains(t, response.Body.String(), ErrLoginRequired.Message)
+
+			// admin port doesn't have CORS
+			response = rt.SendAdminRequestWithHeaders("GET", "/{{.keyspace}}/_all_docs", "", reqHeaders)
+			assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
+			RequireStatus(t, response, http.StatusOK)
 
-	// test no header on _admin apis
-	reqHeaders = map[string]string{
-		"Origin": "http://example.com",
-	}
-	response = rt.SendAdminRequestWithHeaders("GET", "/{{.keyspace}}/_all_docs", "", reqHeaders)
-	assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
-
-	// test with a config without * should reject non-matches
-	sc := rt.ServerContext()
-	sc.Config.API.CORS.Origin = []string{"http://example.com", "http://staging.example.com"}
-	// now test a non-listed origin
-	// b/c * is in config we get *
-	reqHeaders = map[string]string{
-		"Origin": "http://hack0r.com",
+			// test with a config without * should reject non-matches
+			sc := rt.ServerContext()
+			defer func() {
+				sc.Config.API.CORS.Origin = defaultTestingCORSOrigin
+			}()
+
+			sc.Config.API.CORS.Origin = []string{"http://example.com", "http://staging.example.com"}
+			if !base.StringSliceContains(sc.Config.API.CORS.Origin, tc.origin) {
+				response = rt.SendRequestWithHeaders("GET", "/{{.keyspace}}/", "", reqHeaders)
+				assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
+			}
+		})
 	}
-	response = rt.SendRequestWithHeaders("GET", "/{{.keyspace}}/", "", reqHeaders)
-	assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
 }
 
 // assertGatewayStatus is like requireStatus but with StatusGatewayTimeout error checking for temporary network failures.

rest/config.go

@@ -165,6 +165,7 @@ type DbConfig struct {
 	GraphQL                          *functions.GraphQLConfig         `json:"graphql,omitempty"`                              // GraphQL configuration & resolver fns
 	UserFunctions                    *functions.FunctionsConfig       `json:"functions,omitempty"`                            // Named JS fns for clients to call
 	Suspendable                      *bool                            `json:"suspendable,omitempty"`                          // Allow the database to be suspended
+	CORS                             *auth.CORSConfig                 `json:"cors,omitempty"`
 }
 
 type ScopesConfig map[string]ScopeConfig
@@ -680,6 +681,10 @@ func (dbConfig *DbConfig) validateVersion(ctx context.Context, isEnterpriseEditi
 		}
 	}
 
+	if dbConfig.CORS != nil && dbConfig.CORS.MaxAge != 0 {
+		multiError = multiError.Append(fmt.Errorf("cors.max_age can not be set on a database level"))
+
+	}
 	if dbConfig.DeprecatedPool != nil {
 		base.WarnfCtx(ctx, `"pool" config option is not supported. The pool will be set to "default". The option should be removed from config file.`)
 	}

rest/config_legacy.go

@@ -230,7 +230,7 @@ func (lc *LegacyServerConfig) ToStartupConfig() (*StartupConfig, DbConfigMap, er
 	}
 
 	if lc.CORS != nil {
-		sc.API.CORS = &CORSConfig{
+		sc.API.CORS = &auth.CORSConfig{
 			Origin:      lc.CORS.Origin,
 			LoginOrigin: lc.CORS.LoginOrigin,
 			Headers:     lc.CORS.Headers,

rest/config_startup.go

@@ -121,8 +121,8 @@ type APIConfig struct {
 	CompressResponses  *bool `json:"compress_responses,omitempty"   help:"If false, disables compression of HTTP responses"`
 	HideProductVersion *bool `json:"hide_product_version,omitempty" help:"Whether product versions removed from Server headers and REST API responses"`
 
-	HTTPS HTTPSConfig `json:"https,omitempty"`
-	CORS  *CORSConfig `json:"cors,omitempty"`
+	HTTPS HTTPSConfig      `json:"https,omitempty"`
+	CORS  *auth.CORSConfig `json:"cors,omitempty"`
 }
 
 type HTTPSConfig struct {
@@ -131,13 +131,6 @@ type HTTPSConfig struct {
 	TLSKeyPath        string `json:"tls_key_path,omitempty"        help:"The TLS key file to use for the REST APIs"`
 }
 
-type CORSConfig struct {
-	Origin      []string `json:"origin,omitempty"       help:"List of allowed origins, use ['*'] to allow access from everywhere"`
-	LoginOrigin []string `json:"login_origin,omitempty" help:"List of allowed login origins"`
-	Headers     []string `json:"headers,omitempty"      help:"List of allowed headers"`
-	MaxAge      int      `json:"max_age,omitempty"      help:"Maximum age of the CORS Options request"`
-}
-
 type AuthConfig struct {
 	BcryptCost int `json:"bcrypt_cost,omitempty"          help:"Cost to use for bcrypt password hashes"`
 }
@@ -220,7 +213,7 @@ func LoadStartupConfigFromPath(path string) (*StartupConfig, error) {
 func NewEmptyStartupConfig() StartupConfig {
 	return StartupConfig{
 		API: APIConfig{
-			CORS: &CORSConfig{},
+			CORS: &auth.CORSConfig{},
 		},
 		Logging: base.LoggingConfig{
 			Console: &base.ConsoleLoggerConfig{},

rest/config_startup_test.go

@@ -12,6 +12,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/couchbase/sync_gateway/auth"
 	"github.com/couchbase/sync_gateway/base"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -92,15 +93,15 @@ func TestStartupConfigMerge(t *testing.T) {
 		},
 		{
 			name:     "Keep original *CORSconfig",
-			config:   StartupConfig{API: APIConfig{CORS: &CORSConfig{MaxAge: 5, Origin: []string{"Test"}}}},
-			override: StartupConfig{API: APIConfig{CORS: &CORSConfig{}}},
-			expected: StartupConfig{API: APIConfig{CORS: &CORSConfig{MaxAge: 5, Origin: []string{"Test"}}}},
+			config:   StartupConfig{API: APIConfig{CORS: &auth.CORSConfig{MaxAge: 5, Origin: []string{"Test"}}}},
+			override: StartupConfig{API: APIConfig{CORS: &auth.CORSConfig{}}},
+			expected: StartupConfig{API: APIConfig{CORS: &auth.CORSConfig{MaxAge: 5, Origin: []string{"Test"}}}},
 		},
 		{
-			name:     "Keep original *CORSConfig from override nil value",
-			config:   StartupConfig{API: APIConfig{CORS: &CORSConfig{MaxAge: 5, Origin: []string{"Test"}}}},
+			name:     "Keep original *auth.CORSConfig from override nil value",
+			config:   StartupConfig{API: APIConfig{CORS: &auth.CORSConfig{MaxAge: 5, Origin: []string{"Test"}}}},
 			override: StartupConfig{},
-			expected: StartupConfig{API: APIConfig{CORS: &CORSConfig{MaxAge: 5, Origin: []string{"Test"}}}},
+			expected: StartupConfig{API: APIConfig{CORS: &auth.CORSConfig{MaxAge: 5, Origin: []string{"Test"}}}},
 		},
 		{
 			name:     "Override unset ConfigDuration",