feat(gateway): support Private Network Access (PNA) in CORS preflight

[wbabyte]

Summary

• Add allowPrivateNetwork boolean to CORS config model (default false)
• When enabled, gateway responds with Access-Control-Allow-Private-Network: true to preflight requests containing Access-Control-Request-Private-Network: true
• Both v3 (legacy) and v4 (reactive) preflight processors updated
• Console UI: new toggle in CORS settings page for both V2 and V4 APIs
• OpenAPI spec, serializer/deserializer, mapper tests, and fixtures updated

Fixes APIM-13215

Test plan

• Unit tests: 3 new tests (enabled+present, enabled+absent, disabled+present)
• Mapper round-trip assertions for allowPrivateNetwork
• Console UI: toggle appears, persists on save, disabled when CORS is off
• Manual gateway test: preflight with PNA header returns correct response

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces support for Private Network Access (PNA) within the API Gateway's CORS preflight handling. By adding a new configuration option, allowPrivateNetwork, users can now enable their APIs to properly respond to PNA requests, facilitating secure communication between public websites and private network resources. This enhancement ensures compliance with modern web security standards and improves the flexibility of API deployments.

Highlights

• CORS Configuration Model Update: The CORS configuration model has been extended to include a new allowPrivateNetwork boolean property, defaulting to false.
• Gateway Preflight Response: When allowPrivateNetwork is enabled, the gateway will now respond with Access-Control-Allow-Private-Network: true to preflight requests that include Access-Control-Request-Private-Network: true.
• Gateway Processor Updates: Both the v3 (legacy) and v4 (reactive) CORS preflight processors have been updated to handle the new Private Network Access (PNA) header.
• Console UI Integration: A new toggle for Access-Control-Allow-Private-Network has been added to the CORS settings page in the Console UI for both V2 and V4 APIs.
• API and Data Model Updates: The OpenAPI specification, serializer/deserializer logic, mapper tests, and various fixtures have been updated to support the new allowPrivateNetwork property.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for Private Network Access (PNA) in CORS preflight requests. This involves adding an allowPrivateNetwork boolean field to the CORS configuration across the UI, API definition models, and gateway processors (both V2 and Reactive). The UI now includes a toggle for this setting, and the gateway logic has been updated to respond with Access-Control-Allow-Private-Network: true when enabled and requested. Associated serialization, deserialization, OpenAPI documentation, and test cases have also been updated. Review comments suggest improving maintainability by defining hardcoded header names as constants in the gateway processors and their respective tests.

[sonarqubecloud]

Quality Gate passed for 'Gravitee.io APIM - Reporter'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud