Fix cors allow origins by regex (#67)

* cors allow_origins, allow_origins_by_regex 只能一个有效 * 更新翻译
TencentBlueKing · Jun 27, 2023 · 3e678a9 · 3e678a9
1 parent 6e6adba
commit 3e678a9
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 8 deletions.
diff --git a/src/dashboard/apigateway/apigateway/apps/plugin/plugin/checker.py b/src/dashboard/apigateway/apigateway/apps/plugin/plugin/checker.py
@@ -56,6 +56,9 @@ def check(self, yaml_: str):
         if not (loaded_data.get("allow_origins") or loaded_data.get("allow_origins_by_regex")):
             raise ValueError(_("allow_origins, allow_origins_by_regex 不能同时为空。"))
 
+        if loaded_data.get("allow_origins") and loaded_data.get("allow_origins_by_regex"):
+            raise ValueError(_("allow_origins, allow_origins_by_regex 只能一个有效。"))
+
     def _check_allow_origins(self, allow_origins: Optional[str]):
         if not allow_origins:
             return

diff --git a/src/dashboard/apigateway/apigateway/fixtures/plugins.yaml b/src/dashboard/apigateway/apigateway/fixtures/plugins.yaml
@@ -122,14 +122,14 @@
           ],
           "properties": {
             "allow_origins": {
-              "description": "允许跨域访问的 Origin，格式为 scheme://host:port，示例如 https://example.com:8081。如果你有多个 Origin，请使用 , 分隔。当 allow_credential 为 false 时，可以使用 * 来表示允许所有 Origin 通过。你也可以在启用了 allow_credential 后使用 ** 强制允许所有 Origin 均通过，但请注意这样存在安全隐患。",
+              "description": "允许跨域访问的 Origin，格式为 scheme://host:port，示例如 https://example.com:8081。如果你有多个 Origin，请使用 , 分隔。当 allow_credential 为 false 时，可以使用 * 来表示允许所有 Origin 通过。你也可以在启用了 allow_credential 后使用 ** 强制允许所有 Origin 均通过，但请注意这样存在安全隐患。allow_origins、allow_origins_by_regex 只能一个有效。",
               "type": "string",
               "pattern": "^(|\\*|\\*\\*|null|http(s)?://[-a-zA-Z0-9:\\[\\]\\.]+(,http(s)?://[-a-zA-Z0-9:\\[\\]\\.]+)*)$",
               "maxLength": 4096,
               "default": ""
             },
             "allow_origins_by_regex": {
-              "description": "使用正则表示的允许跨域访问的 Origin，示例如 '^https://.*\\.example\\.com:8081$'，此正则允许 https://a.example.com:8081, https://b.example.com:8081。",
+              "description": "使用正则表示的允许跨域访问的 Origin，示例如 '^https://.*\\.example\\.com:8081$'，此正则允许 https://a.example.com:8081, https://b.example.com:8081。allow_origins、allow_origins_by_regex 只能一个有效。",
               "type": "array",
               "uniqueItems": true,
               "items": {
@@ -214,13 +214,13 @@
           ],
           "properties": {
             "allow_origins": {
-              "description": "Origins to allow CORS. Use the scheme://host:port format. For example, https://example.com:8081. If you have multiple origins, use a , to list them. If allow_credential is set to false, you can enable CORS for all origins by using *. If allow_credential is set to true, you can forcefully allow CORS on all origins by using ** but it will pose some security issues.",
+              "description": "Origins to allow CORS. Use the scheme://host:port format. For example, https://example.com:8081. If you have multiple origins, use a , to list them. If allow_credential is set to false, you can enable CORS for all origins by using *. If allow_credential is set to true, you can forcefully allow CORS on all origins by using ** but it will pose some security issues. allow_origins, allow_origins_by_regex can only be one valid at a time.",
               "type": "string",
               "pattern": "^(|\\*|\\*\\*|null|http(s)?://[-a-zA-Z0-9:\\[\\]\\.]+(,http(s)?://[-a-zA-Z0-9:\\[\\]\\.]+)*)$",
               "default": ""
             },
             "allow_origins_by_regex": {
-              "description": "Origin that allows CORS using regular expressions. You can use regex to allow specific origins when no credentials, for example, '^https://.*\\.example\\.com:8081$', this regular expression allows https://a.example.com:8081, https://b.example.com:8081.",
+              "description": "Origin that allows CORS using regular expressions. You can use regex to allow specific origins when no credentials, for example, '^https://.*\\.example\\.com:8081$', this regular expression allows https://a.example.com:8081, https://b.example.com:8081. allow_origins, allow_origins_by_regex can only be one valid at a time.",
               "type": "array",
               "uniqueItems": true,
               "items": {

diff --git a/src/dashboard/apigateway/apigateway/locale/en/LC_MESSAGES/django.mo b/src/dashboard/apigateway/apigateway/locale/en/LC_MESSAGES/django.mo
diff --git a/src/dashboard/apigateway/apigateway/locale/en/LC_MESSAGES/django.po b/src/dashboard/apigateway/apigateway/locale/en/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-06-21 15:03+0800\n"
+"POT-Creation-Date: 2023-06-27 11:06+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1036,13 +1036,18 @@ msgid "allow_origins, allow_origins_by_regex 不能同时为空。"
 msgstr ""
 "allow_origins, allow_origins_by_regex cannot be empty at the same time."
 
-#: apigateway/apps/plugin/plugin/checker.py:79
+#: apigateway/apps/plugin/plugin/checker.py:60
+msgid "allow_origins, allow_origins_by_regex 只能一个有效。"
+msgstr ""
+"allow_origins, allow_origins_by_regex can only be one valid at a time."
+
+#: apigateway/apps/plugin/plugin/checker.py:82
 #, python-brace-format
 msgid "allow_origins_by_regex 中数据 '{re_rule}' 不是合法的正则表达式。"
 msgstr ""
 "The '{re_rule}' in allow_origins_by_regex is not a legal regex expression."
 
-#: apigateway/apps/plugin/plugin/checker.py:84
+#: apigateway/apps/plugin/plugin/checker.py:87
 msgid "{} 存在重复的元素：{}。"
 msgstr "Duplicate element in {}: {}."
 

diff --git a/src/dashboard/apigateway/apigateway/tests/apps/plugin/plugin/test_checker.py b/src/dashboard/apigateway/apigateway/tests/apps/plugin/plugin/test_checker.py
@@ -27,6 +27,13 @@ class TestBkCorsChecker:
         [
             {
                 "allow_origins": "**",
+                "allow_methods": "**",
+                "allow_headers": "**",
+                "expose_headers": "",
+                "max_age": 100,
+                "allow_credential": True,
+            },
+            {
                 "allow_origins_by_regex": ["^http://.*\\.example\\.com$"],
                 "allow_methods": "**",
                 "allow_headers": "**",
@@ -61,14 +68,22 @@ def test_check(self, data):
                 "allow_credential": True,
             },
             {
-                "allow_origins": "*",
                 "allow_origins_by_regex": ["\\"],
                 "allow_methods": "*",
                 "allow_headers": "*",
                 "expose_headers": "*",
                 "max_age": 100,
                 "allow_credential": False,
             },
+            {
+                "allow_origins": "*",
+                "allow_origins_by_regex": "http://.*.example.com",
+                "allow_methods": "*",
+                "allow_headers": "*",
+                "expose_headers": "*",
+                "max_age": 100,
+                "allow_credential": False,
+            },
             {
                 "allow_origins": "",
                 "allow_origins_by_regex": [],