From 59ef06ae2a70fcb1800fcc1f40eec671c77440f0 Mon Sep 17 00:00:00 2001
From: cm-iwata <38879253+cm-iwata@users.noreply.github.com>
Date: Fri, 25 Feb 2022 07:59:14 +0900
Subject: [PATCH] fix(apigateway): fix strange vtl template for cors preflight
 request (#19104)

CDK will create this VTL template for OPTIONS method.

```
#set($origin = $input.params("Origin"))
#if($origin == "") #set($origin = $input.params("origin")) #end
#if($origin.matches("https://www.test-cors.org"))
  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)
#end
```

This VTL template use `$input.params` for get origin information.

But it's references request parameter from these values

- path
- query string
- header

[`$input` Variables](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#input-variable-reference)


So, this template cause  strange behavier like this.

```
$ curl -XOPTIONS https://xxx.execute-api.ap-northeast-1.amazonaws.com/prod/twitch?origin=https://www.test-cors.org -i

HTTP/2 204
date: Wed, 23 Feb 2022 06:32:39 GMT
x-amzn-requestid: df42e9de-80a4-4db5-985d-5ed8adc40b99
access-control-allow-origin: https://www.test-cors.org
```



[RFC6454](https://datatracker.ietf.org/doc/html/rfc6454#section-7.2) says

>the Origin header field indicates
>   the origin(s) that "caused" the user agent to issue the request

its not mention path and querystrings.

So  VTL template should use only request header for check origin information.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
---
 packages/@aws-cdk/aws-apigateway/lib/resource.ts            | 4 ++--
 packages/@aws-cdk/aws-apigateway/test/cors.test.ts          | 2 +-
 .../@aws-cdk/aws-apigateway/test/integ.cors.expected.json   | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/@aws-cdk/aws-apigateway/lib/resource.ts b/packages/@aws-cdk/aws-apigateway/lib/resource.ts
index 714e99bce7a0b..f843ee1b5e25a 100644
--- a/packages/@aws-cdk/aws-apigateway/lib/resource.ts
+++ b/packages/@aws-cdk/aws-apigateway/lib/resource.ts
@@ -311,8 +311,8 @@ export abstract class ResourceBase extends ResourceConstruct implements IResourc
 
       const template = new Array<string>();
 
-      template.push('#set($origin = $input.params("Origin"))');
-      template.push('#if($origin == "") #set($origin = $input.params("origin")) #end');
+      template.push('#set($origin = $input.params().header.get("Origin"))');
+      template.push('#if($origin == "") #set($origin = $input.params().header.get("origin")) #end');
 
       const condition = origins.map(o => `$origin.matches("${o}")`).join(' || ');
 
diff --git a/packages/@aws-cdk/aws-apigateway/test/cors.test.ts b/packages/@aws-cdk/aws-apigateway/test/cors.test.ts
index 581b8af3e6c53..c573e6302589e 100644
--- a/packages/@aws-cdk/aws-apigateway/test/cors.test.ts
+++ b/packages/@aws-cdk/aws-apigateway/test/cors.test.ts
@@ -290,7 +290,7 @@ describe('cors', () => {
               'method.response.header.Access-Control-Allow-Methods': "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'",
             },
             ResponseTemplates: {
-              'application/json': '#set($origin = $input.params("Origin"))\n#if($origin == "") #set($origin = $input.params("origin")) #end\n#if($origin.matches("https://amazon.com") || $origin.matches("https://aws.amazon.com"))\n  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end',
+              'application/json': '#set($origin = $input.params().header.get("Origin"))\n#if($origin == "") #set($origin = $input.params().header.get("origin")) #end\n#if($origin.matches("https://amazon.com") || $origin.matches("https://aws.amazon.com"))\n  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end',
             },
             StatusCode: '204',
           },
diff --git a/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json b/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json
index 22b5c45a87b53..02d757e898afe 100644
--- a/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json
+++ b/packages/@aws-cdk/aws-apigateway/test/integ.cors.expected.json
@@ -51,7 +51,7 @@
         "corsapitest8682546E"
       ]
     },
-    "corsapitestDeployment2BF1633A228079ea05e5799220dd4ca13512b92d": {
+    "corsapitestDeployment2BF1633A51392cbce1ac2785bd0e53063423e203": {
       "Type": "AWS::ApiGateway::Deployment",
       "Properties": {
         "RestApiId": {
@@ -74,7 +74,7 @@
           "Ref": "corsapitest8682546E"
         },
         "DeploymentId": {
-          "Ref": "corsapitestDeployment2BF1633A228079ea05e5799220dd4ca13512b92d"
+          "Ref": "corsapitestDeployment2BF1633A51392cbce1ac2785bd0e53063423e203"
         },
         "StageName": "prod"
       },
@@ -472,7 +472,7 @@
                 "method.response.header.Access-Control-Allow-Methods": "'OPTIONS,GET,PUT,POST,DELETE,PATCH,HEAD'"
               },
               "ResponseTemplates": {
-                "application/json": "#set($origin = $input.params(\"Origin\"))\n#if($origin == \"\") #set($origin = $input.params(\"origin\")) #end\n#if($origin.matches(\"https://www.test-cors.org\"))\n  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end"
+                "application/json": "#set($origin = $input.params().header.get(\"Origin\"))\n#if($origin == \"\") #set($origin = $input.params().header.get(\"origin\")) #end\n#if($origin.matches(\"https://www.test-cors.org\"))\n  #set($context.responseOverride.header.Access-Control-Allow-Origin = $origin)\n#end"
               },
               "StatusCode": "204"
             }