all unsupported db option for samesite

Author: torcolvin

db/database.go

@@ -154,7 +154,6 @@ type DatabaseContext struct {
 	MetadataKeys                 *base.MetadataKeys             // Factory to generate metadata document keys
 	RequireResync                base.ScopeAndCollectionNames   // Collections requiring resync before database can go online
 	RequireAttachmentMigration   base.ScopeAndCollectionNames   // Collections that require the attachment migration background task to run against
-	CORS                         *auth.CORSConfig               // CORS configuration
 	EnableMou                    bool                           // Write _mou xattr when performing metadata-only update.  Set based on bucket capability on connect
 	WasInitializedSynchronously  bool                           // true if the database was initialized synchronously
 	BroadcastSlowMode            atomic.Bool                    // bool to indicate if a slower ticker value should be used to notify changes feeds of changes
@@ -164,6 +163,7 @@ type DatabaseContext struct {
 	CachedCCVStartingCas         *base.VBucketCAS               // If set, the cached value of the CCV starting CAS value to avoid repeated lookups
 	CachedCCVEnabled             atomic.Bool                    // If set, the cached value of the CCV Enabled flag (this is not expected to transition from true->false, but could go false->true)
 	numVBuckets                  uint16                         // Number of vbuckets in the bucket
+	sameSiteCookieMode           http.SameSite
 }
 
 type Scope struct {
@@ -216,6 +216,7 @@ type DatabaseContextOptions struct {
 	ImportVersion                    uint64            // Version included in import DCP checkpoints, incremented when collections added to db
 	DisablePublicAllDocs             bool              // Disable public access to the _all_docs endpoint for this database
 	StoreLegacyRevTreeData           *bool             // Whether to store additional data for legacy rev tree support in delta sync and replication backup revs
+	CORS                             auth.CORSConfig   // An empty CORS configuration is considered to have no CORS enabled
 }
 
 type ConfigPrincipals struct {
@@ -278,6 +279,7 @@ type UnsupportedOptions struct {
 	KVBufferSize                     int                      `json:"kv_buffer,omitempty"`                            // Enables user to set their own KV pool buffer
 	BlipSendDocsWithChannelRemoval   bool                     `json:"blip_send_docs_with_channel_removal,omitempty"`  // Enables sending docs with channel removals using channel filters
 	RejectWritesWithSkippedSequences bool                     `json:"reject_writes_with_skipped_sequences,omitempty"` // Reject writes if there are skipped sequences in the database
+	SameSiteCookie                   *string                  `json:"same_site_cookie,omitempty"`                     // Sets the SameSite attribute on session cookies.
 }
 
 type WarningThresholds struct {
@@ -433,6 +435,7 @@ func NewDatabaseContext(ctx context.Context, dbName string, bucket base.Bucket,
 		ServerUUID:           serverUUID,
 		UserFunctionTimeout:  defaultUserFunctionTimeout,
 		CachedCCVStartingCas: &base.VBucketCAS{},
+		sameSiteCookieMode:   http.SameSiteDefaultMode,
 	}
 	dbContext.numVBuckets, err = bucket.GetMaxVbno()
 	if err != nil {
@@ -443,6 +446,17 @@ func NewDatabaseContext(ctx context.Context, dbName string, bucket base.Bucket,
 		return nil, err
 	}
 
+	if !dbContext.CORS().IsEmpty() {
+		dbContext.sameSiteCookieMode = http.SameSiteNoneMode
+	}
+	if dbContext.Options.UnsupportedOptions != nil {
+		var err error
+		dbContext.sameSiteCookieMode, err = dbContext.Options.UnsupportedOptions.GetSameSiteCookieMode()
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	// set up cancellable context based on the background context (context lifecycle for the database
 	// must be distinct from the request context associated with the db create/update).  Used to trigger
 	// teardown of connected replications on database close.
@@ -2585,3 +2599,28 @@ func PurgeDCPCheckpoints(ctx context.Context, database *DatabaseContext, checkpo
 func (db *DatabaseContext) EnableAllowConflicts(tb testing.TB) {
 	db.Options.AllowConflicts = base.Ptr(true)
 }
+
+// CORS returns the CORS configuration for the database.
+func (db *DatabaseContext) CORS() *auth.CORSConfig {
+	return &db.Options.CORS
+}
+
+// GetSameSiteCookieMode returns the http.SameSite mode based on the unsupported database options. Returns an error if
+// an invalid string is set.
+func (o *UnsupportedOptions) GetSameSiteCookieMode() (http.SameSite, error) {
+	if o == nil || o.SameSiteCookie == nil {
+		return http.SameSiteDefaultMode, nil
+	}
+	switch *o.SameSiteCookie {
+	case "Lax":
+		return http.SameSiteLaxMode, nil
+	case "Strict":
+		return http.SameSiteStrictMode, nil
+	case "None":
+		return http.SameSiteNoneMode, nil
+	case "Default":
+		return http.SameSiteDefaultMode, nil
+	default:
+		return http.SameSiteDefaultMode, fmt.Errorf("unsupported_options.same_site_cookie option %q is not valid, choices are \"Lax\", \"Strict\", and \"None", *o.SameSiteCookie)
+	}
+}

docs/api/components/schemas.yaml

@@ -1698,6 +1698,15 @@ Database:
         remote_config_tls_skip_verify:
           description: Enable self-signed certificates for external JavaScript load.
           type: boolean
+        same_site_cookie:
+          description: |-
+            Override the session cookie SameSite behavior. By default, if CORS is enabled, a session cookie will have SameSite:None. `Default` will omit any SameSite option from the cookie.
+          type: string
+          enum:
+            - "Default"
+            - "Lax"
+            - "None"
+            - "Strict"
         sgr_tls_skip_verify:
           description: Enable self-signed certificates for SG-replicate testing.
           type: boolean

rest/api_test.go

@@ -381,12 +381,15 @@ func TestCORSOrigin(t *testing.T) {
 			sc := rt.ServerContext()
 			defer func() {
 				sc.Config.API.CORS.Origin = defaultTestingCORSOrigin
+				rt.GetDatabase().Options.CORS.Origin = defaultTestingCORSOrigin
 			}()
 
-			sc.Config.API.CORS.Origin = []string{"http://example.com", "http://staging.example.com"}
+			updatedOrigin := []string{"http://example.com", "http://staging.example.com"}
+			sc.Config.API.CORS.Origin = updatedOrigin
+			rt.GetDatabase().Options.CORS.Origin = updatedOrigin
 			if !base.StringSliceContains(sc.Config.API.CORS.Origin, tc.origin) {
 				for _, method := range []string{http.MethodGet, http.MethodOptions} {
-					response := rt.SendRequestWithHeaders(method, "/{{.keyspace}}/", "", reqHeaders)
+					response := rt.SendRequestWithHeaders(method, "/{{.db}}/", "", reqHeaders)
 					assert.Equal(t, "", response.Header().Get("Access-Control-Allow-Origin"))
 				}
 			}

rest/blip_sync.go

@@ -49,7 +49,7 @@ func (h *handler) handleBLIPSync() error {
 	}
 
 	// error is checked at the time of database load, and ignored at this time
-	originPatterns, _ := hostOnlyCORS(h.db.CORS.Origin)
+	originPatterns, _ := hostOnlyCORS(h.db.CORS().Origin)
 
 	cancelCtx, cancelCtxFunc := context.WithCancel(h.db.DatabaseContext.CancelContext)
 	// Create a BLIP context:

rest/config.go

@@ -1083,6 +1083,13 @@ func (dbConfig *DbConfig) validateVersion(ctx context.Context, isEnterpriseEditi
 		}
 	}
 
+	if dbConfig.Unsupported != nil {
+		_, err := dbConfig.Unsupported.GetSameSiteCookieMode()
+		if err != nil {
+			multiError = multiError.Append(err)
+		}
+	}
+
 	if validateReplications {
 		for name, r := range dbConfig.Replications {
 			if name == "" {

rest/config_test.go

@@ -3378,3 +3378,62 @@ func TestConfigUserXattrKeyValidation(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateUnsupportedSameSiteCookies(t *testing.T) {
+	tests := []struct {
+		name                string
+		unsupportedSettings *db.UnsupportedOptions
+		error               string
+	}{
+		{
+			name:                "no unsupportedSettings present",
+			unsupportedSettings: &db.UnsupportedOptions{},
+			error:               "",
+		},
+		{
+			name:                "no samesite, unsupportedSettings present",
+			unsupportedSettings: &db.UnsupportedOptions{},
+			error:               "",
+		},
+		{
+			name:                "valid value Lax",
+			unsupportedSettings: &db.UnsupportedOptions{SameSiteCookie: base.Ptr("Lax")},
+			error:               "",
+		},
+		{
+			name:                "valid value Strict",
+			unsupportedSettings: &db.UnsupportedOptions{SameSiteCookie: base.Ptr("Strict")},
+			error:               "",
+		},
+		{
+			name:                "valid value None",
+			unsupportedSettings: &db.UnsupportedOptions{SameSiteCookie: base.Ptr("None")},
+			error:               "",
+		},
+		{
+			name:                "invalid value",
+			unsupportedSettings: &db.UnsupportedOptions{SameSiteCookie: base.Ptr("invalid value")},
+			error:               "unsupported_options.same_site_cookie option",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			dbConfig := DbConfig{
+				Name:        "db",
+				Unsupported: test.unsupportedSettings,
+			}
+
+			validateReplications := false
+			validateOIDC := false
+			ctx := base.TestCtx(t)
+			err := dbConfig.validate(ctx, validateOIDC, validateReplications)
+			if test.error != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), test.error)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

rest/cors_test.go

@@ -17,6 +17,7 @@ import (
 
 	"github.com/couchbase/sync_gateway/auth"
 	"github.com/couchbase/sync_gateway/base"
+	"github.com/couchbase/sync_gateway/db"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -409,67 +410,90 @@ func TestCORSLoginOriginPerDatabase(t *testing.T) {
 	// Override the default (example.com) CORS configuration in the DbConfig for /db:
 	rt := NewRestTesterPersistentConfigNoDB(t)
 	defer rt.Close()
-	dbConfig := rt.NewDbConfig()
-	dbConfig.CORS = &auth.CORSConfig{
-		Origin:      []string{"http://couchbase.com", "http://staging.couchbase.com"},
-		LoginOrigin: []string{"http://couchbase.com"},
-		Headers:     []string{},
-	}
-	RequireStatus(t, rt.CreateDatabase("dbloginorigin", dbConfig), http.StatusCreated)
-
-	const username = "alice"
-	rt.CreateUser(username, nil)
-
 	testCases := []struct {
-		name              string
-		origin            string
-		responseCode      int
-		responseErrorBody string
+		name               string
+		unsupportedOptions *db.UnsupportedOptions
 	}{
 		{
-			name:         "CORS login origin allowed couchbase",
-			origin:       "http://couchbase.com",
-			responseCode: http.StatusOK,
+			name:               "No unsupported options",
+			unsupportedOptions: nil,
 		},
 		{
-			name:              "CORS login origin not allowed staging",
-			origin:            "http://staging.couchbase.com",
-			responseCode:      http.StatusBadRequest,
-			responseErrorBody: "No CORS",
+			name: "With unsupported options",
+			unsupportedOptions: &db.UnsupportedOptions{
+				SameSiteCookie: base.Ptr("Strict"),
+			},
 		},
 	}
 	for _, test := range testCases {
 		rt.Run(test.name, func(t *testing.T) {
-			reqHeaders := map[string]string{
-				"Origin":        test.origin,
-				"Authorization": GetBasicAuthHeader(t, username, RestTesterDefaultUserPassword),
+			// Override the default (example.com) CORS configuration in the DbConfig for /db:
+			rt := NewRestTesterPersistentConfigNoDB(t)
+			defer rt.Close()
+
+			dbConfig := rt.NewDbConfig()
+			dbConfig.Unsupported = test.unsupportedOptions
+			dbConfig.CORS = &auth.CORSConfig{
+				Origin:      []string{"http://couchbase.com", "http://staging.couchbase.com"},
+				LoginOrigin: []string{"http://couchbase.com"},
+				Headers:     []string{},
 			}
-			resp := rt.SendRequestWithHeaders(http.MethodPost, "/{{.db}}/_session", "", reqHeaders)
-			RequireStatus(t, resp, test.responseCode)
-			if test.responseErrorBody != "" {
-				require.Contains(t, resp.Body.String(), test.responseErrorBody)
-				// the access control headers are returned based on Origin and not LoginOrigin which could be considered a bug
-				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
-			} else {
-				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
-			}
-			if test.responseCode == http.StatusOK {
-				cookie, err := http.ParseSetCookie(resp.Header().Get("Set-Cookie"))
-				require.NoError(t, err)
-				require.NotEmpty(t, cookie.Path)
-				require.Equal(t, http.SameSiteNoneMode, cookie.SameSite)
-				reqHeaders["Cookie"] = fmt.Sprintf("%s=%s", cookie.Name, cookie.Value)
-			}
-			resp = rt.SendRequestWithHeaders(http.MethodDelete, "/{{.db}}/_session", "", reqHeaders)
-			RequireStatus(t, resp, test.responseCode)
-			if test.responseErrorBody != "" {
-				require.Contains(t, resp.Body.String(), test.responseErrorBody)
-				// the access control headers are returned based on Origin and not LoginOrigin which could be considered a bug
-				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
-			} else {
-				require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+			RequireStatus(t, rt.CreateDatabase(SafeDatabaseName(t, test.name), dbConfig), http.StatusCreated)
+			const username = "alice"
+			rt.CreateUser(username, nil)
+
+			testCases := []struct {
+				name              string
+				origin            string
+				responseCode      int
+				responseErrorBody string
+			}{
+				{
+					name:         "CORS login origin allowed couchbase",
+					origin:       "http://couchbase.com",
+					responseCode: http.StatusOK,
+				},
+				{
+					name:              "CORS login origin not allowed staging",
+					origin:            "http://staging.couchbase.com",
+					responseCode:      http.StatusBadRequest,
+					responseErrorBody: "No CORS",
+				},
 			}
+			for _, test := range testCases {
+				rt.Run(test.name, func(t *testing.T) {
+					reqHeaders := map[string]string{
+						"Origin":        test.origin,
+						"Authorization": GetBasicAuthHeader(t, username, RestTesterDefaultUserPassword),
+					}
+					resp := rt.SendRequestWithHeaders(http.MethodPost, "/{{.db}}/_session", "", reqHeaders)
+					RequireStatus(t, resp, test.responseCode)
+					if test.responseErrorBody != "" {
+						require.Contains(t, resp.Body.String(), test.responseErrorBody)
+						// the access control headers are returned based on Origin and not LoginOrigin which could be considered a bug
+						require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+					} else {
+						require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+					}
+					if test.responseCode == http.StatusOK {
+						cookie, err := http.ParseSetCookie(resp.Header().Get("Set-Cookie"))
+						require.NoError(t, err)
+						require.NotEmpty(t, cookie.Path)
+						require.Equal(t, http.SameSiteNoneMode, cookie.SameSite)
+						reqHeaders["Cookie"] = fmt.Sprintf("%s=%s", cookie.Name, cookie.Value)
+					}
+					resp = rt.SendRequestWithHeaders(http.MethodDelete, "/{{.db}}/_session", "", reqHeaders)
+					RequireStatus(t, resp, test.responseCode)
+					if test.responseErrorBody != "" {
+						require.Contains(t, resp.Body.String(), test.responseErrorBody)
+						// the access control headers are returned based on Origin and not LoginOrigin which could be considered a bug
+						require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+					} else {
+						require.Equal(t, test.origin, resp.Header().Get(accessControlAllowOrigin))
+					}
 
+				})
+			}
 		})
 	}
 }

rest/handler.go

@@ -1785,7 +1785,7 @@ func (h *handler) pathTemplateContains(pattern string) bool {
 // getCORSConfig will return the CORS config for the handler's database if set, otherwise it will return the server CORS config
 func (h *handler) getCORSConfig() *auth.CORSConfig {
 	if h.db != nil {
-		return h.db.CORS
+		return h.db.CORS()
 	}
 	return h.server.Config.API.CORS
 }

rest/routing.go

@@ -453,7 +453,7 @@ func wrapRouter(sc *ServerContext, privs handlerPrivs, serverType serverType, ro
 			if dbName != "" {
 				db, err := h.server.GetActiveDatabase(dbName)
 				if err == nil {
-					cors = db.CORS
+					cors = db.CORS()
 				}
 			}
 			if !cors.IsEmpty() && privs != adminPrivs && privs != metricsPrivs {

rest/server_context.go

@@ -942,12 +942,6 @@ func (sc *ServerContext) _getOrAddDatabaseFromConfig(ctx context.Context, config
 	dbcontext.RequireResync = collectionsRequiringResync
 	dbcontext.RequireAttachmentMigration = collectionsRequiringAttachmentMigration
 
-	if config.CORS != nil {
-		dbcontext.CORS = config.DbConfig.CORS
-	} else {
-		dbcontext.CORS = sc.Config.API.CORS
-	}
-
 	if config.RevsLimit != nil {
 		dbcontext.RevsLimit = *config.RevsLimit
 		if dbcontext.AllowConflicts() {
@@ -1442,6 +1436,12 @@ func dbcOptionsFromConfig(ctx context.Context, sc *ServerContext, config *DbConf
 		StoreLegacyRevTreeData:      base.Ptr(base.ValDefault(config.StoreLegacyRevTreeData, db.DefaultStoreLegacyRevTreeData)),
 	}
 
+	if config.CORS != nil {
+		contextOptions.CORS = *config.CORS
+	} else if sc.Config.API.CORS != nil {
+		contextOptions.CORS = *sc.Config.API.CORS
+	}
+
 	if config.Index != nil && config.Index.NumPartitions != nil {
 		contextOptions.NumIndexPartitions = config.Index.NumPartitions
 	}