[4.0.0.1 backport] CBG-4943 obey db scope for CORS.LoginOrigin (#7834)

Co-authored-by: Ben Brooks <[email protected]>

Author: torcolvin

auth/cors.go

@@ -32,6 +32,12 @@ func (cors *CORSConfig) AddResponseHeaders(request *http.Request, response http.
 	}
 }
 
+// IsEmpty returns true if the CORS configuration is empty - used instead of a nil check since we always initialize the CORS config struct.
+func (cors *CORSConfig) IsEmpty() bool {
+	return cors == nil ||
+		(len(cors.Origin) == 0 && len(cors.LoginOrigin) == 0 && len(cors.Headers) == 0 && cors.MaxAge == 0)
+}
+
 func MatchedOrigin(allowOrigins []string, rqOrigins []string) string {
 	for _, rv := range rqOrigins {
 		for _, av := range allowOrigins {

rest/cors_test.go

@@ -9,6 +9,7 @@
 package rest
 
 import (
+	"fmt"
 	"net/http"
 	"strconv"
 	"strings"
@@ -286,6 +287,24 @@ func TestCORSUserNoAccess(t *testing.T) {
 	}
 }
 
+// TestCORSResponseHeadersEmptyConfig ensures that an empty CORS config results in no CORS headers being set on the response.
+func TestCORSResponseHeadersEmptyConfig(t *testing.T) {
+	rt := NewRestTester(t, nil)
+	// RestTester initializes using defaultTestingCORSOrigin - override to empty for this test
+	rt.ServerContext().Config.API.CORS = &auth.CORSConfig{}
+	defer rt.Close()
+
+	reqHeaders := map[string]string{
+		"Origin": "http://example.com",
+	}
+	response := rt.SendRequestWithHeaders(http.MethodGet, "/{{.db}}/", "", reqHeaders)
+	RequireStatus(t, response, http.StatusUnauthorized)
+	require.Contains(t, response.Body.String(), ErrLoginRequired.Message)
+	assert.NotContains(t, response.Header(), "Access-Control-Allow-Origin")
+	assert.NotContains(t, response.Header(), "Access-Control-Allow-Credentials")
+	assert.NotContains(t, response.Header(), "Access-Control-Allow-Headers")
+}
+
 func TestCORSOriginPerDatabase(t *testing.T) {
 	// Override the default (example.com) CORS configuration in the DbConfig for /db:
 	const perDBMaxAge = 1234
@@ -384,6 +403,74 @@ func TestCORSOriginPerDatabase(t *testing.T) {
 	}
 }
 
+func TestCORSLoginOriginPerDatabase(t *testing.T) {
+	// Override the default (example.com) CORS configuration in the DbConfig for /db:
+	rt := NewRestTesterPersistentConfigNoDB(t)
+	defer rt.Close()
+	dbConfig := rt.NewDbConfig()
+	dbConfig.CORS = &auth.CORSConfig{
+		Origin:      []string{"http://couchbase.com", "http://staging.couchbase.com"},
+		LoginOrigin: []string{"http://couchbase.com"},
+		Headers:     []string{},
+	}
+	RequireStatus(t, rt.CreateDatabase("dbloginorigin", dbConfig), http.StatusCreated)
+
+	const username = "alice"
+	rt.CreateUser(username, nil)
+
+	testCases := []struct {
+		name              string
+		origin            string
+		responseCode      int
+		responseErrorBody string
+	}{
+		{
+			name:         "CORS login origin allowed couchbase",
+			origin:       "http://couchbase.com",
+			responseCode: http.StatusOK,
+		},
+		{
+			name:              "CORS login origin not allowed staging",
+			origin:            "http://staging.couchbase.com",
+			responseCode:      http.StatusBadRequest,
+			responseErrorBody: "No CORS",
+		},
+	}
+	for _, test := range testCases {
+		rt.Run(test.name, func(t *testing.T) {
+			reqHeaders := map[string]string{
+				"Origin":        test.origin,
+				"Authorization": GetBasicAuthHeader(t, username, RestTesterDefaultUserPassword),
+			}
+			resp := rt.SendRequestWithHeaders(http.MethodPost, "/{{.db}}/_session", "", reqHeaders)
+			RequireStatus(t, resp, test.responseCode)
+			if test.responseErrorBody != "" {
+				require.Contains(t, resp.Body.String(), test.responseErrorBody)
+				// the access control headers are returned based on Origin and not LoginOrigin which could be considered a bug
+				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			} else {
+				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			}
+			if test.responseCode == http.StatusOK {
+				cookie, err := http.ParseSetCookie(resp.Header().Get("Set-Cookie"))
+				require.NoError(t, err)
+				require.NotEmpty(t, cookie.Path)
+				reqHeaders["Cookie"] = fmt.Sprintf("%s=%s", cookie.Name, cookie.Value)
+			}
+			resp = rt.SendRequestWithHeaders(http.MethodDelete, "/{{.db}}/_session", "", reqHeaders)
+			RequireStatus(t, resp, test.responseCode)
+			if test.responseErrorBody != "" {
+				require.Contains(t, resp.Body.String(), test.responseErrorBody)
+				// the access control headers are returned based on Origin and not LoginOrigin which could be considered a bug
+				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			} else {
+				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			}
+
+		})
+	}
+}
+
 func TestCORSValidation(t *testing.T) {
 	rt := NewRestTester(t, &RestTesterConfig{
 		PersistentConfig: true,

rest/facebook.go

@@ -12,7 +12,6 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/couchbase/sync_gateway/auth"
 	"github.com/couchbase/sync_gateway/base"
 )
 
@@ -26,18 +25,14 @@ type FacebookResponse struct {
 
 // POST /_facebook creates a facebook-based login session and sets its cookie.
 func (h *handler) handleFacebookPOST() error {
-	// CORS not allowed for login #115 #762
-	originHeader := h.rq.Header["Origin"]
-	if len(originHeader) > 0 {
-		matched := auth.MatchedOrigin(h.server.Config.API.CORS.LoginOrigin, originHeader)
-		if matched == "" {
-			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
-		}
+	err := h.checkLoginCORS()
+	if err != nil {
+		return err
 	}
 	var params struct {
 		AccessToken string `json:"access_token"`
 	}
-	err := h.readJSONInto(&params)
+	err = h.readJSONInto(&params)
 	if err != nil {
 		return err
 	}

rest/google.go

@@ -13,7 +13,6 @@ package rest
 import (
 	"net/http"
 
-	"github.com/couchbase/sync_gateway/auth"
 	"github.com/couchbase/sync_gateway/base"
 )
 
@@ -28,20 +27,16 @@ type GoogleResponse struct {
 
 // POST /_google creates a google-based login session and sets its cookie.
 func (h *handler) handleGooglePOST() error {
-	// CORS not allowed for login #115 #762
-	originHeader := h.rq.Header["Origin"]
-	if len(originHeader) > 0 {
-		matched := auth.MatchedOrigin(h.server.Config.API.CORS.LoginOrigin, originHeader)
-		if matched == "" {
-			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
-		}
+	err := h.checkLoginCORS()
+	if err != nil {
+		return err
 	}
 
 	var params struct {
 		IDToken string `json:"id_token"`
 	}
 
-	err := h.readJSONInto(&params)
+	err = h.readJSONInto(&params)
 	if err != nil {
 		return err
 	}

rest/handler.go

@@ -335,11 +335,8 @@ func (h *handler) validateAndWriteHeaders(method handlerMethod, accessPermission
 	defer func() {
 		// Now that we know the DB, add CORS headers to the response:
 		if h.privs != adminPrivs && h.privs != metricsPrivs {
-			cors := h.server.Config.API.CORS
-			if h.db != nil {
-				cors = h.db.CORS
-			}
-			if cors != nil {
+			cors := h.getCORSConfig()
+			if !cors.IsEmpty() {
 				cors.AddResponseHeaders(h.rq, h.response)
 			}
 		}
@@ -1788,3 +1785,11 @@ func (h *handler) pathTemplateContains(pattern string) bool {
 	}
 	return strings.Contains(pathTemplate, pattern)
 }
+
+// getCORSConfig will return the CORS config for the handler's database if set, otherwise it will return the server CORS config
+func (h *handler) getCORSConfig() *auth.CORSConfig {
+	if h.db != nil {
+		return h.db.CORS
+	}
+	return h.server.Config.API.CORS
+}

rest/routing.go

@@ -456,7 +456,7 @@ func wrapRouter(sc *ServerContext, privs handlerPrivs, serverType serverType, ro
 					cors = db.CORS
 				}
 			}
-			if cors != nil && privs != adminPrivs && privs != metricsPrivs {
+			if !cors.IsEmpty() && privs != adminPrivs && privs != metricsPrivs {
 				cors.AddResponseHeaders(rq, response)
 			}
 			if len(options) == 0 {

rest/session_api.go

@@ -36,16 +36,9 @@ func (h *handler) handleSessionGET() error {
 
 // POST /_session creates a login session and sets its cookie
 func (h *handler) handleSessionPOST() error {
-	// CORS not allowed for login #115 #762
-	originHeader := h.rq.Header["Origin"]
-	if len(originHeader) > 0 {
-		matched := ""
-		if h.server.Config.API.CORS != nil {
-			matched = auth.MatchedOrigin(h.server.Config.API.CORS.LoginOrigin, originHeader)
-		}
-		if matched == "" {
-			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
-		}
+	err := h.checkLoginCORS()
+	if err != nil {
+		return err
 	}
 
 	// NOTE: handleSessionPOST doesn't handle creating users from OIDC - checkPublicAuth calls out into AuthenticateUntrustedJWT.
@@ -100,18 +93,10 @@ func (h *handler) getUserFromSessionRequestBody() (auth.User, error) {
 
 // DELETE /_session logs out the current session
 func (h *handler) handleSessionDELETE() error {
-	// CORS not allowed for login #115 #762
-	originHeader := h.rq.Header["Origin"]
-	if len(originHeader) > 0 {
-		matched := ""
-		if h.server.Config.API.CORS != nil {
-			matched = auth.MatchedOrigin(h.server.Config.API.CORS.LoginOrigin, originHeader)
-		}
-		if matched == "" {
-			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
-		}
+	err := h.checkLoginCORS()
+	if err != nil {
+		return err
 	}
-
 	cookie := h.db.Authenticator(h.ctx()).DeleteSessionForCookie(h.ctx(), h.rq)
 	if cookie == nil {
 		return base.HTTPErrorf(http.StatusNotFound, "no session")
@@ -340,3 +325,16 @@ func (h *handler) formatSessionResponse(user auth.User) db.Body {
 	return response
 
 }
+
+// checkLoginCORS validates the auth.CORSConfig.LoginOrigin section of CORS for requests.
+// Note: Validation of the general Origin header against auth.CORSConfig.Origin happens separately in validateAndWriteHeaders.
+func (h *handler) checkLoginCORS() error {
+	originHeader := h.rq.Header["Origin"]
+	if len(originHeader) > 0 {
+		cors := h.getCORSConfig()
+		if cors.IsEmpty() || auth.MatchedOrigin(cors.LoginOrigin, originHeader) == "" {
+			return base.HTTPErrorf(http.StatusBadRequest, "No CORS")
+		}
+	}
+	return nil
+}

rest/session_test.go

@@ -41,17 +41,16 @@ func TestCORSLoginOriginOnSessionPost(t *testing.T) {
 
 // #issue 991
 func TestCORSLoginOriginOnSessionPostNoCORSConfig(t *testing.T) {
-	rt := NewRestTester(t, nil)
+	rt := NewRestTesterPersistentConfigNoDB(t)
 	defer rt.Close()
+	// Set CORS to nil, RestTester initializes CORS by default and it is inherited when creating a DatabaseContext
+	rt.ServerContext().Config.API.CORS = nil
 
+	RequireStatus(t, rt.CreateDatabase("db", rt.NewDbConfig()), http.StatusCreated)
 	reqHeaders := map[string]string{
 		"Origin": "http://example.com",
 	}
 
-	// Set CORS to nil
-	sc := rt.ServerContext()
-	sc.Config.API.CORS = nil
-
 	response := rt.SendRequestWithHeaders("POST", "/db/_session", `{"name":"jchris","password":"secret"}`, reqHeaders)
 	RequireStatus(t, response, 400)
 }
@@ -88,17 +87,21 @@ func TestCORSLogoutOriginOnSessionDelete(t *testing.T) {
 }
 
 func TestCORSLogoutOriginOnSessionDeleteNoCORSConfig(t *testing.T) {
-	rt := NewRestTester(t, &RestTesterConfig{GuestEnabled: true})
+	rt := NewRestTesterPersistentConfigNoDB(t)
 	defer rt.Close()
 
+	// Set CORS to nil, RestTester initializes CORS by default and it is inherited when creating a DatabaseContext
+	rt.ServerContext().Config.API.CORS = nil
+
+	const username = "alice"
+	RequireStatus(t, rt.CreateDatabase("db", rt.NewDbConfig()), http.StatusCreated)
+	rt.CreateUser(username, nil)
+
 	reqHeaders := map[string]string{
-		"Origin": "http://example.com",
+		"Origin":        "http://example.com",
+		"Authorization": GetBasicAuthHeader(t, username, RestTesterDefaultUserPassword),
 	}
 
-	// Set CORS to nil
-	sc := rt.ServerContext()
-	sc.Config.API.CORS = nil
-
 	response := rt.SendRequestWithHeaders("DELETE", "/db/_session", "", reqHeaders)
 	RequireStatus(t, response, 400)