[ws-proxy] remove cors settings (#20198)

Author: mustard-mh

components/ws-proxy/go.mod

@@ -30,10 +30,8 @@ require (
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/configcat/go-sdk/v7 v7.6.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/evanphx/json-patch/v5 v5.8.0 // indirect

components/ws-proxy/go.sum

@@ -5,20 +5,14 @@
 package config
 
 import (
-	"context"
 	"encoding/json"
 	"os"
-	"time"
 
 	"golang.org/x/xerrors"
 
-	"github.com/gitpod-io/gitpod/common-go/experiments"
-	"github.com/gitpod-io/gitpod/common-go/log"
 	"github.com/gitpod-io/gitpod/ws-proxy/pkg/proxy"
 )
 
-const experimentsCorsEnabled = "ws_proxy_cors_enabled"
-
 // Config configures this service.
 type Config struct {
 	Ingress            proxy.HostBasedIngressConfig `json:"ingress"`
@@ -69,32 +63,5 @@ func GetConfig(fn string) (*Config, error) {
 	if err != nil {
 		return nil, xerrors.Errorf("config validation error: %w", err)
 	}
-
-	timeout := time.Second * 45
-	log.WithField("timeout", timeout).Info("waiting for Feature Flag")
-	experimentsClient := experiments.NewClient(experiments.WithPollInterval(time.Second * 3))
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-	ffValue := waitExperimentsStringValue(ctx, experimentsClient, experimentsCorsEnabled, "nope", experiments.Attributes{})
-	corsEnabled := ffValue == "true"
-	cfg.Proxy.CorsEnabled = corsEnabled
-	log.WithField("ffValue", ffValue).WithField("corsEnabled", cfg.Proxy.CorsEnabled).Info("feature flag final value")
-
 	return &cfg, nil
 }
-
-func waitExperimentsStringValue(ctx context.Context, client experiments.Client, experimentName, nopeValue string, attributes experiments.Attributes) string {
-	ticker := time.NewTicker(1 * time.Second)
-	defer ticker.Stop()
-	for {
-		select {
-		case <-ctx.Done():
-			return nopeValue
-		case <-ticker.C:
-			value := client.GetStringValue(ctx, experimentName, nopeValue, attributes)
-			if value != nopeValue {
-				return value
-			}
-		}
-	}
-}

components/ws-proxy/pkg/config/config.go

@@ -29,7 +29,6 @@ type Config struct {
 
 	BuiltinPages        BuiltinPagesConfig `json:"builtinPages"`
 	SSHGatewayCAKeyFile string             `json:"sshCAKeyFile"`
-	CorsEnabled         bool
 }
 
 // Validate validates the configuration to catch issues during startup and not at runtime.

components/ws-proxy/pkg/proxy/config.go

@@ -45,7 +45,6 @@ import (
 type RouteHandlerConfig struct {
 	Config               *Config
 	DefaultTransport     http.RoundTripper
-	CorsHandler          mux.MiddlewareFunc
 	WorkspaceAuthHandler mux.MiddlewareFunc
 }
 
@@ -61,14 +60,9 @@ func WithDefaultAuth(infoprov common.WorkspaceInfoProvider) RouteHandlerConfigOp
 
 // NewRouteHandlerConfig creates a new instance.
 func NewRouteHandlerConfig(config *Config, opts ...RouteHandlerConfigOpt) (*RouteHandlerConfig, error) {
-	corsHandler, err := corsHandler(config.CorsEnabled, config.GitpodInstallation.Scheme, config.GitpodInstallation.HostName)
-	if err != nil {
-		return nil, err
-	}
 	cfg := &RouteHandlerConfig{
 		Config:               config,
 		DefaultTransport:     createDefaultTransport(config.TransportConfig),
-		CorsHandler:          corsHandler,
 		WorkspaceAuthHandler: func(h http.Handler) http.Handler { return h },
 	}
 	for _, o := range opts {
@@ -185,7 +179,6 @@ func (ir *ideRoutes) HandleSSHHostKeyRoute(route *mux.Route, hostKeyList []ssh.S
 	}
 	r := route.Subrouter()
 	r.Use(logRouteHandlerHandler("HandleSSHHostKeyRoute"))
-	r.Use(ir.Config.CorsHandler)
 	r.NewRoute().HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header().Add("Content-Type", "application/json")
 		rw.Write(byt)
@@ -195,7 +188,6 @@ func (ir *ideRoutes) HandleSSHHostKeyRoute(route *mux.Route, hostKeyList []ssh.S
 func (ir *ideRoutes) HandleCreateKeyRoute(route *mux.Route, hostKeyList []ssh.Signer) {
 	r := route.Subrouter()
 	r.Use(logRouteHandlerHandler("HandleCreateKeyRoute"))
-	r.Use(ir.Config.CorsHandler)
 
 	r.Use(ir.workspaceMustExistHandler)
 	r.Use(ir.Config.WorkspaceAuthHandler)
@@ -260,7 +252,6 @@ func extractCloseErrorCode(errStr string) string {
 func (ir *ideRoutes) HandleSSHOverWebsocketTunnel(route *mux.Route, sshGatewayServer *sshproxy.Server) {
 	r := route.Subrouter()
 	r.Use(logRouteHandlerHandler("HandleSSHOverWebsocketTunnel"))
-	r.Use(ir.Config.CorsHandler)
 	r.Use(ir.workspaceMustExistHandler)
 	r.Use(ir.Config.WorkspaceAuthHandler)
 
@@ -304,7 +295,6 @@ func (ir *ideRoutes) HandleSSHOverWebsocketTunnel(route *mux.Route, sshGatewaySe
 func (ir *ideRoutes) HandleDirectSupervisorRoute(route *mux.Route, authenticated bool, proxyPassOpts ...proxyPassOpt) {
 	r := route.Subrouter()
 	r.Use(logRouteHandlerHandler(fmt.Sprintf("HandleDirectSupervisorRoute (authenticated: %v)", authenticated)))
-	r.Use(ir.Config.CorsHandler)
 	r.Use(ir.workspaceMustExistHandler)
 	if authenticated {
 		r.Use(ir.Config.WorkspaceAuthHandler)
@@ -389,7 +379,6 @@ type BlobserveInlineVars struct {
 func (ir *ideRoutes) HandleRoot(route *mux.Route) {
 	r := route.Subrouter()
 	r.Use(logRouteHandlerHandler("handleRoot"))
-	r.Use(ir.Config.CorsHandler)
 	r.Use(ir.workspaceMustExistHandler)
 
 	proxyPassWoSensitiveCookies := sensitiveCookieHandler(ir.Config.Config.GitpodInstallation.HostName)(proxyPass(ir.Config, ir.InfoProvider, workspacePodResolver))
@@ -523,7 +512,6 @@ func installDebugWorkspaceRoutes(r *mux.Router, config *RouteHandlerConfig, info
 	}
 
 	r.Use(logHandler)
-	r.Use(config.CorsHandler)
 	r.Use(config.WorkspaceAuthHandler)
 	// filter all session cookies
 	r.Use(sensitiveCookieHandler(config.Config.GitpodInstallation.HostName))
@@ -661,54 +649,6 @@ func buildWorkspacePodURL(protocol api.PortProtocol, ipAddress string, port stri
 	return url.Parse(fmt.Sprintf("%v://%v:%v", portProtocol, ipAddress, port))
 }
 
-// corsHandler produces the CORS handler for workspaces.
-func corsHandler(enabled bool, scheme, hostname string) (mux.MiddlewareFunc, error) {
-	if !enabled {
-		// empty handler
-		return func(h http.Handler) http.Handler {
-			return h
-		}, nil
-	}
-	origin := fmt.Sprintf("%s://%s", scheme, hostname)
-
-	domainRegex := strings.ReplaceAll(hostname, ".", "\\.")
-	originRegex, err := regexp.Compile(".*" + domainRegex)
-	if err != nil {
-		return nil, err
-	}
-
-	return handlers.CORS(
-		handlers.AllowedOriginValidator(func(origin string) bool {
-			// Is the origin a subdomain of the installations hostname?
-			matches := originRegex.Match([]byte(origin))
-			return matches
-		}),
-		// TODO(gpl) For domain-based workspace access with authentication (for accessing the IDE) we need to respond with the precise Origin header that was sent
-		handlers.AllowedOrigins([]string{origin}),
-		handlers.AllowedMethods([]string{
-			"GET",
-			"POST",
-			"OPTIONS",
-		}),
-		handlers.AllowedHeaders([]string{
-			// "Accept", "Accept-Language", "Content-Language" are allowed per default
-			"Cache-Control",
-			"Content-Type",
-			"DNT",
-			"If-Modified-Since",
-			"Keep-Alive",
-			"Origin",
-			"User-Agent",
-			"X-Requested-With",
-		}),
-		handlers.AllowCredentials(),
-		// required to be able to read Authorization header in frontend
-		handlers.ExposedHeaders([]string{"Authorization"}),
-		handlers.MaxAge(60),
-		handlers.OptionStatusCode(200),
-	), nil
-}
-
 type wsproxyContextKey struct{}
 
 var (

components/ws-proxy/pkg/proxy/routes.go

@@ -95,7 +95,6 @@ var (
 		BuiltinPages: BuiltinPagesConfig{
 			Location: "../../public",
 		},
-		CorsEnabled: false,
 	}
 )