Add additional default CORS headers with config

docs/source/1.0/guides/converting-to-openapi.rst

@@ -691,6 +691,24 @@ disableCloudFormationSubstitution (``boolean``)
     .. seealso:: :ref:`openapi-cfn-substitutions`
 
 
+additionalAllowedCorsHeaders (``[string]``)
+    Sets additional allowed CORS headers on the preflight requests. If this
+    option is not set, the default ``amz-sdk-invocation-id`` and ``amz-sdk-request``
+    headers will be added. By setting this option to an empty array, those default
+    headers will be omitted.
+
+    .. code-block:: json
+
+        {
+            "version": "1.0",
+            "plugins": {
+                "openapi": {
+                    "service": "smithy.example#Weather",
+                    "additionalAllowedCorsHeaders": ["foo-header", "bar-header"]
+                }
+            }
+        }
+
 Binary types
 ============
 

smithy-aws-apigateway-openapi/src/main/java/software/amazon/smithy/aws/apigateway/openapi/AddCorsPreflightIntegration.java

@@ -112,6 +112,11 @@ private static Map<CorsHeader, String> deduceCorsHeaders(
         // add headers during the Smithy to OpenAPI conversion process will need to update this
         // list of headers accordingly.
         Set<String> headerNames = new TreeSet<>(corsTrait.getAdditionalAllowedHeaders());
+
+        // Sets additional allowed headers from the API Gateway config.
+        List<String> additionalAllowedHeaders = context.getConfig().getExtensions(ApiGatewayConfig.class)
+                .getAdditionalAllowedCorsHeaders();
+        headerNames.addAll(additionalAllowedHeaders);
         headerNames.addAll(findAllHeaders(path, pathItem));
 
         // Add all headers generated by security schemes.

smithy-aws-apigateway-openapi/src/main/java/software/amazon/smithy/aws/apigateway/openapi/ApiGatewayConfig.java

@@ -15,7 +15,9 @@
 
 package software.amazon.smithy.aws.apigateway.openapi;
 
+import java.util.List;
 import java.util.Objects;
+import software.amazon.smithy.utils.ListUtils;
 
 /**
  * API Gateway OpenAPI configuration.
@@ -53,6 +55,7 @@ public enum ApiType {
 
     private ApiType apiGatewayType = ApiType.REST;
     private boolean disableCloudFormationSubstitution;
+    private List<String> additionalAllowedCorsHeaders = ListUtils.of("amz-sdk-invocation-id", "amz-sdk-request");
 
     /**
      * @return Returns true if CloudFormation substitutions are disabled.
@@ -89,4 +92,23 @@ public ApiType getApiGatewayType() {
     public void setApiGatewayType(ApiType apiGatewayType) {
         this.apiGatewayType = Objects.requireNonNull(apiGatewayType);
     }
+
+    /**
+     * @return the list of additional allowed CORS headers.
+     */
+    public List<String> getAdditionalAllowedCorsHeaders() {
+        return additionalAllowedCorsHeaders;
+    }
+
+    /**
+     * Sets the list of additional allowed CORS headers.
+     *
+     * <p>If not set, this value defaults to setting "amz-sdk-invocation-id" and
+     * "amz-sdk-request" as the additional allowed CORS headers.</p>
+     *
+     * @param additionalAllowedCorsHeaders additional cors headers to be allowed.
+     */
+    public void setAdditionalAllowedCorsHeaders(List<String> additionalAllowedCorsHeaders) {
+        this.additionalAllowedCorsHeaders = Objects.requireNonNull(additionalAllowedCorsHeaders);
+    }
 }

smithy-aws-apigateway-openapi/src/test/java/software/amazon/smithy/aws/apigateway/openapi/CorsTest.java

@@ -11,6 +11,7 @@
 import software.amazon.smithy.openapi.fromsmithy.OpenApiMapper;
 import software.amazon.smithy.openapi.model.OpenApi;
 import software.amazon.smithy.utils.IoUtils;
+import software.amazon.smithy.utils.ListUtils;
 
 public class CorsTest {
     @Test
@@ -45,6 +46,25 @@ public void skipsExplicitlyDefinedOptionsOperations() {
         Node.assertEquals(result, expectedNode);
     }
 
+    @Test
+    public void setsConfiguredAdditionalAllowedHeaders() {
+        Model model = Model.assembler(getClass().getClassLoader())
+                .discoverModels(getClass().getClassLoader())
+                .addImport(getClass().getResource("cors-model.json"))
+                .assemble()
+                .unwrap();
+        OpenApiConfig config = new OpenApiConfig();
+        config.setService(ShapeId.from("example.smithy#MyService"));
+        ApiGatewayConfig apiGatewayConfig = new ApiGatewayConfig();
+        apiGatewayConfig.setAdditionalAllowedCorsHeaders(ListUtils.of("foo","bar"));
+        config.putExtensions(apiGatewayConfig);
+        ObjectNode result = OpenApiConverter.create().config(config).convertToNode(model);
+        Node expectedNode = Node.parse(IoUtils.toUtf8String(
+                getClass().getResourceAsStream("cors-with-additional-headers.openapi.json")));
+
+        Node.assertEquals(result, expectedNode);
+    }
+
     /**
      * This test asserts two things: First, it ensures that any existing CORS headers
      * set on an explicitly added API Gateway integration are not overwritten

smithy-aws-apigateway-openapi/src/test/resources/software/amazon/smithy/aws/apigateway/openapi/cors-model.openapi.json

@@ -93,7 +93,7 @@
               "statusCode": "200",
               "responseParameters": {
                 "method.response.header.Access-Control-Max-Age": "'86400'",
-                "method.response.header.Access-Control-Allow-Headers": "'Authorization,Date,X-Amz-Date,X-Amz-Security-Token,X-Amz-Target,X-Service-Input-Metadata'",
+                "method.response.header.Access-Control-Allow-Headers": "'Authorization,Date,X-Amz-Date,X-Amz-Security-Token,X-Amz-Target,X-Service-Input-Metadata,amz-sdk-invocation-id,amz-sdk-request'",
                 "method.response.header.Access-Control-Allow-Origin": "'https://www.example.com'",
                 "method.response.header.Access-Control-Allow-Methods": "'GET'"
               }
@@ -262,7 +262,7 @@
               "statusCode": "200",
               "responseParameters": {
                 "method.response.header.Access-Control-Max-Age": "'86400'",
-                "method.response.header.Access-Control-Allow-Headers": "'Authorization,Date,X-Amz-Date,X-Amz-Security-Token,X-Amz-Target,X-EnumString,X-Foo-Header,X-Service-Input-Metadata'",
+                "method.response.header.Access-Control-Allow-Headers": "'Authorization,Date,X-Amz-Date,X-Amz-Security-Token,X-Amz-Target,X-EnumString,X-Foo-Header,X-Service-Input-Metadata,amz-sdk-invocation-id,amz-sdk-request'",
                 "method.response.header.Access-Control-Allow-Origin": "'https://www.example.com'",
                 "method.response.header.Access-Control-Allow-Methods": "'DELETE,GET,PUT'"
               }