[SCB-2861]able to add multiple origins for CORS configuration (#4233)

Author: liubao68

demo/demo-crossapp/crossapp-client/src/main/java/org/apache/servicecomb/demo/crossapp/CrossappClient.java

@@ -32,6 +32,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
+import org.springframework.web.client.HttpServerErrorException;
 import org.springframework.web.client.RestOperations;
 import org.springframework.web.client.RestTemplate;
 
@@ -62,28 +63,84 @@ public static void run() {
     result = helloWorld.sayHello();
     TestMgr.check("hello world", result);
 
-    testCorsHandler();
+    testCorsHandlerOptions();
+    testCorsHandlerGet();
 
     TestMgr.summary();
     System.setProperty("sun.net.http.allowRestrictedHeaders", "false");
   }
 
-  private static void testCorsHandler() {
+  private static void testCorsHandlerOptions() {
+    // first domain
     RestOperations springRestTemplate = new RestTemplate();
     MultiValueMap<String, String> requestHeaders = new LinkedMultiValueMap<>();
-    requestHeaders.put("Origin", Collections.singletonList("http://localhost:8080"));
+    requestHeaders.put("Origin", Collections.singletonList("http://test.domain:8080"));
     requestHeaders.put("Access-Control-Request-Method", Collections.singletonList("PUT"));
-
     HttpEntity<Object> requestEntity = new HttpEntity<>(requestHeaders);
     ResponseEntity<String> responseEntity = springRestTemplate
         .exchange("http://127.0.0.1:8080/helloworld/hello", HttpMethod.OPTIONS, requestEntity,
             String.class);
-
     TestMgr.check("204", responseEntity.getStatusCode().value());
     TreeSet<String> sortedSet = new TreeSet<>(responseEntity.getHeaders().get("Access-Control-Allow-Methods"));
     TestMgr.check("[DELETE,POST,GET,PUT]", sortedSet);
     sortedSet = new TreeSet<>(responseEntity.getHeaders().get("Access-Control-Allow-Headers"));
     TestMgr.check("[abc,def]", sortedSet);
-    TestMgr.check("*", responseEntity.getHeaders().getFirst("Access-Control-Allow-Origin"));
+    TestMgr.check("http://test.domain:8080",
+        responseEntity.getHeaders().getFirst("Access-Control-Allow-Origin"));
+
+    // second domain
+    requestHeaders = new LinkedMultiValueMap<>();
+    requestHeaders.put("Origin", Collections.singletonList("http://test.domain:9090"));
+    requestHeaders.put("Access-Control-Request-Method", Collections.singletonList("PUT"));
+    requestEntity = new HttpEntity<>(requestHeaders);
+    responseEntity = springRestTemplate
+        .exchange("http://127.0.0.1:8080/helloworld/hello", HttpMethod.OPTIONS, requestEntity,
+            String.class);
+    TestMgr.check("204", responseEntity.getStatusCode().value());
+    sortedSet = new TreeSet<>(responseEntity.getHeaders().get("Access-Control-Allow-Methods"));
+    TestMgr.check("[DELETE,POST,GET,PUT]", sortedSet);
+    sortedSet = new TreeSet<>(responseEntity.getHeaders().get("Access-Control-Allow-Headers"));
+    TestMgr.check("[abc,def]", sortedSet);
+    TestMgr.check("http://test.domain:9090",
+        responseEntity.getHeaders().getFirst("Access-Control-Allow-Origin"));
+  }
+
+  private static void testCorsHandlerGet() {
+    // allowed origin
+    RestOperations springRestTemplate = new RestTemplate();
+    MultiValueMap<String, String> requestHeaders = new LinkedMultiValueMap<>();
+    requestHeaders.put("Origin", Collections.singletonList("http://test.domain:8080"));
+    HttpEntity<Object> requestEntity = new HttpEntity<>(requestHeaders);
+    ResponseEntity<String> responseEntity = springRestTemplate
+        .exchange("http://127.0.0.1:8080/helloworld/hello", HttpMethod.GET, requestEntity,
+            String.class);
+
+    TestMgr.check("200", responseEntity.getStatusCode().value());
+    TestMgr.check("hello world", responseEntity.getBody());
+
+    // allowed origin
+    requestHeaders = new LinkedMultiValueMap<>();
+    requestHeaders.put("Origin", Collections.singletonList("http://test.domain:9090"));
+    requestEntity = new HttpEntity<>(requestHeaders);
+    responseEntity = springRestTemplate
+        .exchange("http://127.0.0.1:8080/helloworld/hello", HttpMethod.GET, requestEntity,
+            String.class);
+
+    TestMgr.check("200", responseEntity.getStatusCode().value());
+    TestMgr.check("hello world", responseEntity.getBody());
+
+    // not allowed origin
+    try {
+      requestHeaders = new LinkedMultiValueMap<>();
+      requestHeaders.put("Origin", Collections.singletonList("http://test.domain:7070"));
+      requestEntity = new HttpEntity<>(requestHeaders);
+      springRestTemplate
+          .exchange("http://127.0.0.1:8080/helloworld/hello", HttpMethod.GET, requestEntity,
+              String.class);
+      TestMgr.fail("must throw");
+    } catch (HttpServerErrorException e) {
+      TestMgr.check(500, e.getStatusCode().value());
+      TestMgr.check(true, e.getMessage().contains("500 CORS Rejected"));
+    }
   }
 }

demo/demo-crossapp/crossapp-server/src/main/resources/microservice.yaml

@@ -30,7 +30,7 @@ servicecomb:
     address: 0.0.0.0:8080
   cors:
     enabled: true
-    origin: "*"
+    origin: "http://test.domain:8080,http://test.domain:9090"
     allowedHeader: abc,def
     allowedMethod: GET,PUT,POST,DELETE
     exposedHeader: abc,def

transports/transport-rest/transport-rest-vertx/src/main/java/org/apache/servicecomb/transport/rest/vertx/RestServerVerticle.java

@@ -188,7 +188,7 @@ void mountCorsHandler(Router mainRouter) {
       return;
     }
 
-    CorsHandler corsHandler = getCorsHandler(TransportConfig.getCorsAllowedOrigin());
+    CorsHandler corsHandler = getCorsHandler();
     // Access-Control-Allow-Credentials
     corsHandler.allowCredentials(TransportConfig.isCorsAllowCredentials());
     // Access-Control-Allow-Headers
@@ -210,8 +210,17 @@ void mountCorsHandler(Router mainRouter) {
     mainRouter.route().handler(corsHandler);
   }
 
-  private CorsHandler getCorsHandler(String corsAllowedOrigin) {
-    return CorsHandler.create().addOrigin(corsAllowedOrigin);
+  private CorsHandler getCorsHandler() {
+    CorsHandler handler = CorsHandler.create();
+    String[] origin = TransportConfig.getCorsAllowedOrigin();
+    if (origin == null) {
+      handler.addOrigin("*");
+    } else {
+      for (String item : origin) {
+        handler.addOrigin(item);
+      }
+    }
+    return handler;
   }
 
   private void initDispatcher(Router mainRouter) {

transports/transport-rest/transport-rest-vertx/src/main/java/org/apache/servicecomb/transport/rest/vertx/TransportConfig.java

@@ -165,9 +165,9 @@ public static boolean isCorsEnabled() {
         .getBooleanProperty(SERVICECOMB_CORS_CONFIG_BASE + ".enabled", false);
   }
 
-  public static String getCorsAllowedOrigin() {
+  public static String[] getCorsAllowedOrigin() {
     return LegacyPropertyFactory
-        .getStringProperty(SERVICECOMB_CORS_CONFIG_BASE + ".origin", "*");
+        .getProperty(SERVICECOMB_CORS_CONFIG_BASE + ".origin", String[].class);
   }
 
   public static boolean isCorsAllowCredentials() {

transports/transport-rest/transport-rest-vertx/src/test/java/org/apache/servicecomb/transport/rest/vertx/TestRestServerVerticle.java

@@ -267,8 +267,8 @@ public void testMountCorsHandler() {
             false))
         .thenReturn(true);
     Mockito.when(environment.getProperty("servicecomb.cors.origin",
-            "*"))
-        .thenReturn("*");
+            String[].class))
+        .thenReturn(null);
     Mockito.when(environment.getProperty("servicecomb.cors.allowedMethod"))
         .thenReturn("GET,PUT,POST");
     Mockito.when(environment.getProperty("servicecomb.cors.allowedHeader"))
@@ -326,8 +326,7 @@ CorsHandler maxAgeSeconds(int maxAgeSeconds) {
 
     new MockUp<RestServerVerticle>() {
       @Mock
-      CorsHandler getCorsHandler(String corsAllowedOrigin) {
-        Assertions.assertEquals("*", corsAllowedOrigin);
+      CorsHandler getCorsHandler() {
         return corsHandler;
       }
     };