align cors settings names with elasticsearch #85738

Merged
merged 2 commits into from
Dec 14, 2020
6 changes: 3 additions & 3 deletions docs/setup/settings.asciidoc
Expand Up @@ -453,11 +453,11 @@ deprecation warning at startup. This setting cannot end in a slash (`/`).
| `server.cors.enabled:`
| experimental[] Set to `true` to allow cross-origin API calls. *Default:* `false`

| `server.cors.credentials:`
| `server.cors.allowCredentials:`
| experimental[] Set to `true` to allow browser code to access response body whenever request performed with user credentials. *Default:* `false`

| `server.cors.origin:`
| experimental[] List of origins permitted to access resources. You must specify explicit hostnames and not use `*` for `server.cors.origin` when `server.cors.credentials: true`. *Default:* "*"
| `server.cors.allowOrigin:`
| experimental[] List of origins permitted to access resources. You must specify explicit hostnames and not use `server.cors.allowOrigin: ["*"]` when `server.cors.allowCredentials: true`. *Default:* ["*"]

| `server.compression.referrerWhitelist:`
| Specifies an array of trusted hostnames, such as the {kib} host, or a reverse
6 changes: 4 additions & 2 deletions src/core/server/http/__snapshots__/http_config.test.ts.snap


46 changes: 31 additions & 15 deletions src/core/server/http/http_config.test.ts
Expand Up @@ -331,51 +331,67 @@ describe('with compression', () => {
});

describe('cors', () => {
describe('origin', () => {
describe('allowOrigin', () => {
it('list cannot be empty', () => {
expect(() =>
config.schema.validate({
cors: {
origin: [],
allowOrigin: [],
},
})
).toThrowErrorMatchingInlineSnapshot(`
"[cors.origin]: types that failed validation:
- [cors.origin.0]: expected value to equal [*]
- [cors.origin.1]: array size is [0], but cannot be smaller than [1]"
`);
"[cors.allowOrigin]: types that failed validation:
- [cors.allowOrigin.0]: array size is [0], but cannot be smaller than [1]
- [cors.allowOrigin.1]: array size is [0], but cannot be smaller than [1]"
`);
});

it('list of valid URLs', () => {
const origin = ['http://127.0.0.1:3000', 'https://elastic.co'];
const allowOrigin = ['http://127.0.0.1:3000', 'https://elastic.co'];
expect(
config.schema.validate({
cors: { origin },
}).cors.origin
).toStrictEqual(origin);
cors: { allowOrigin },
}).cors.allowOrigin
).toStrictEqual(allowOrigin);

expect(() =>
config.schema.validate({
cors: {
origin: ['*://elastic.co/*'],
allowOrigin: ['*://elastic.co/*'],
},
})
).toThrow();
});

it('can be configured as "*" wildcard', () => {
expect(config.schema.validate({ cors: { origin: '*' } }).cors.origin).toBe('*');
expect(config.schema.validate({ cors: { allowOrigin: ['*'] } }).cors.allowOrigin).toEqual([
'*',
]);
});

it('cannot mix wildcard "*" with valid URLs', () => {
expect(
() =>
config.schema.validate({ cors: { allowOrigin: ['*', 'https://elastic.co'] } }).cors
.allowOrigin
).toThrowErrorMatchingInlineSnapshot(`
"[cors.allowOrigin]: types that failed validation:
- [cors.allowOrigin.0.0]: expected URI with scheme [http|https].
- [cors.allowOrigin.1.1]: expected value to equal [*]"
`);
});
});
describe('credentials', () => {
it('cannot use wildcard origin if "credentials: true"', () => {
it('cannot use wildcard allowOrigin if "credentials: true"', () => {
expect(
() => config.schema.validate({ cors: { credentials: true, origin: '*' } }).cors.origin
() =>
config.schema.validate({ cors: { allowCredentials: true, allowOrigin: ['*'] } }).cors
.allowOrigin
).toThrowErrorMatchingInlineSnapshot(
`"[cors]: Cannot specify wildcard origin \\"*\\" with \\"credentials: true\\". Please provide a list of allowed origins."`
);
expect(
() => config.schema.validate({ cors: { credentials: true } }).cors.origin
() => config.schema.validate({ cors: { allowCredentials: true } }).cors.allowOrigin
).toThrowErrorMatchingInlineSnapshot(
`"[cors]: Cannot specify wildcard origin \\"*\\" with \\"credentials: true\\". Please provide a list of allowed origins."`
);
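Review bot: The `describe('credentials', ...)` block and its two inline snapshots still spell the setting as `credentials: true`, while every key these tests pass in is now `allowCredentials`. The pinned text comes from the `validate` message in http_config.ts, which this commit leaves unchanged, so an operator who trips the wildcard check is pointed at a setting name that no longer exists. I would change the message to `'Cannot specify wildcard origin "*" with "allowCredentials: true". Please provide a list of allowed origins.'`, regenerate both snapshots, and rename the block to `describe('allowCredentials', ...)`. The block continues past the end of this hunk.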
17 changes: 10 additions & 7 deletions src/core/server/http/http_config.ts
Expand Up @@ -48,17 +48,20 @@ export const config = {
cors: schema.object(
{
enabled: schema.boolean({ defaultValue: false }),
credentials: schema.boolean({ defaultValue: false }),
origin: schema.oneOf(
[schema.literal('*'), schema.arrayOf(hostURISchema, { minSize: 1 })],
allowCredentials: schema.boolean({ defaultValue: false }),
allowOrigin: schema.oneOf(
[
schema.arrayOf(hostURISchema, { minSize: 1 }),
schema.arrayOf(schema.literal('*'), { minSize: 1, maxSize: 1 }),
],
{
defaultValue: '*',
defaultValue: ['*'],
}
),
},
{
validate(value) {
if (value.credentials === true && value.origin === '*') {
if (value.allowCredentials === true && value.allowOrigin.includes('*')) {
return 'Cannot specify wildcard origin "*" with "credentials: true". Please provide a list of allowed origins.';
}
},
Expand Down Expand Up @@ -168,8 +171,8 @@ export class HttpConfig {
public port: number;
public cors: {
enabled: boolean;
credentials: boolean;
origin: '*' | string[];
allowCredentials: boolean;
allowOrigin: string[];
};
public customResponseHeaders: Record<string, string | string[]>;
public maxPayload: ByteSizeValue;
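Review bot: Nothing in these hunks maps the old keys `cors.origin` and `cors.credentials` onto the new names, so what happens to an existing configuration after upgrade depends on code outside this view. If unknown keys under `cors` are rejected, the server fails closed at startup. If they are tolerated anywhere, a previously restricted origin list would silently fall back to `defaultValue: ['*']`. It is worth confirming which applies and, once confirmed, recording it beside the schema, for example `// renamed from cors.origin / cors.credentials; old keys are rejected, not migrated`. The `config` object starts and ends outside the hunk.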
6 changes: 3 additions & 3 deletions src/core/server/http/http_tools.test.ts
Expand Up @@ -196,8 +196,8 @@ describe('getServerOptions', () => {
config.schema.validate({
cors: {
enabled: true,
credentials: false,
origin: '*',
allowCredentials: false,
allowOrigin: ['*'],
},
}),
{} as any,
Expand All @@ -206,7 +206,7 @@ describe('getServerOptions', () => {

expect(getServerOptions(httpConfig).routes?.cors).toEqual({
credentials: false,
origin: '*',
origin: ['*'],
headers: ['Accept', 'Authorization', 'Content-Type', 'If-None-Match', 'kbn-xsrf'],
});
});
4 changes: 2 additions & 2 deletions src/core/server/http/http_tools.ts
Expand Up @@ -39,8 +39,8 @@ const corsAllowedHeaders = ['Accept', 'Authorization', 'Content-Type', 'If-None-
export function getServerOptions(config: HttpConfig, { configureTLS = true } = {}) {
const cors: RouteOptionsCors | false = config.cors.enabled
? {
credentials: config.cors.credentials,
origin: config.cors.origin,
credentials: config.cors.allowCredentials,
origin: config.cors.allowOrigin,
headers: corsAllowedHeaders,
}
: false;
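Review bot: `getServerOptions` copies `allowCredentials` and `allowOrigin` into the route CORS options without re-checking them, so as far as these lines show the only guard against combining a wildcard origin with credentials is the `validate` rule in the config schema. A comment above the `cors` constant would make that dependency visible to the next person who edits either file, for example `// relies on config.schema rejecting allowOrigin ['*'] together with allowCredentials: true; not re-checked here`. The function body continues outside the hunk.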
4 changes: 2 additions & 2 deletions x-pack/test/functional_cors/config.ts
Expand Up @@ -55,8 +55,8 @@ export default async function ({ readConfigFile }: FtrConfigProviderContext) {
`--plugin-path=${corsTestPlugin}`,
`--test.cors.port=${pluginPort}`,
'--server.cors.enabled=true',
'--server.cors.credentials=true',
`--server.cors.origin=["${originUrl}"]`,
'--server.cors.allowCredentials=true',
`--server.cors.allowOrigin=["${originUrl}"]`,
],
},
};
4 changes: 2 additions & 2 deletions x-pack/test/functional_cors/tests/cors.ts
Expand Up @@ -15,9 +15,9 @@ export default function ({ getService, getPageObjects }: FtrProviderContext) {
describe('CORS', () => {
it('Communicates to Kibana with configured CORS', async () => {
const args: string[] = config.get('kbnTestServer.serverArgs');
const originSetting = args.find((str) => str.includes('server.cors.origin'));
const originSetting = args.find((str) => str.includes('server.cors.allowOrigin'));
if (!originSetting) {
throw new Error('Cannot find "server.cors.origin" argument');
throw new Error('Cannot find "server.cors.allowOrigin" argument');
}
const [, value] = originSetting.split('=');
const url = JSON.parse(value);