Enable CORS for RESTful API (#2711)

fixes #2710

Author: wy193777

opengrok-indexer/src/test/java/org/opengrok/indexer/index/IndexerTest.java

@@ -33,7 +33,6 @@
 import java.io.FileWriter;
 import java.io.IOException;
 import java.io.StringWriter;
-import java.nio.file.Paths;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -46,7 +45,6 @@
 import java.util.concurrent.ConcurrentLinkedQueue;
 import java.util.stream.Collectors;
 import org.junit.After;
-import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;

opengrok-web/src/main/java/org/opengrok/web/api/v1/controller/SearchController.java

@@ -25,6 +25,7 @@
 import org.apache.lucene.search.Query;
 import org.opengrok.indexer.search.Hit;
 import org.opengrok.indexer.search.SearchEngine;
+import org.opengrok.web.api.v1.filter.CorsEnable;
 import org.opengrok.web.api.v1.suggester.provider.service.SuggesterService;
 
 import javax.inject.Inject;
@@ -57,6 +58,7 @@ public class SearchController {
     private SuggesterService suggester;
 
     @GET
+    @CorsEnable
     @Produces(MediaType.APPLICATION_JSON)
     public SearchResult search(
             @Context final HttpServletRequest req,

opengrok-web/src/main/java/org/opengrok/web/api/v1/controller/SuggesterController.java

@@ -35,6 +35,7 @@
 import org.opengrok.indexer.logger.LoggerFactory;
 import org.opengrok.indexer.search.QueryBuilder;
 import org.opengrok.indexer.web.Util;
+import org.opengrok.web.api.v1.filter.CorsEnable;
 import org.opengrok.web.api.v1.suggester.model.SuggesterData;
 import org.opengrok.web.api.v1.suggester.model.SuggesterQueryData;
 import org.opengrok.web.api.v1.suggester.parser.SuggesterQueryDataParser;
@@ -96,6 +97,7 @@ public final class SuggesterController {
      */
     @GET
     @Authorized
+    @CorsEnable
     @Produces(MediaType.APPLICATION_JSON)
     public Result getSuggestions(@Valid @BeanParam final SuggesterQueryData data) throws ParseException {
         Instant start = Instant.now();
@@ -160,6 +162,7 @@ private boolean satisfiesConfiguration(final SuggesterData data, final Suggester
      */
     @GET
     @Path("/config")
+    @CorsEnable
     @Produces(MediaType.APPLICATION_JSON)
     public SuggesterConfig getConfig() {
         return env.getSuggesterConfig();

opengrok-web/src/main/java/org/opengrok/web/api/v1/filter/CorsEnable.java

@@ -0,0 +1,15 @@
+package org.opengrok.web.api.v1.filter;
+
+import javax.ws.rs.NameBinding;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * This decorator is to enable CORS for paths.
+ */
+@NameBinding
+@Target({ElementType.METHOD, ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+public @interface CorsEnable { }

opengrok-web/src/main/java/org/opengrok/web/api/v1/filter/CorsFilter.java

@@ -0,0 +1,26 @@
+package org.opengrok.web.api.v1.filter;
+
+import javax.ws.rs.container.*;
+import javax.ws.rs.ext.Provider;
+
+@Provider
+@CorsEnable
+public class CorsFilter implements ContainerResponseFilter {
+
+    public static final String ALLOW_CORS_HEADER = "Access-Control-Allow-Origin";
+    public static final String CORS_REQUEST_HEADER = "Origin";
+
+    /**
+     * Method for ContainerResponseFilter.
+     */
+    @Override
+    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
+        // if there is no Origin header, then it is not a
+        // cross origin request. We don't do anything.
+        if (request.getHeaderString(CORS_REQUEST_HEADER) == null) {
+            return;
+        }
+
+        response.getHeaders().add(ALLOW_CORS_HEADER, "*");
+    }
+}

opengrok-web/src/test/java/org/opengrok/web/CorsFilterTest.java

@@ -0,0 +1,44 @@
+package org.opengrok.web;
+
+import org.junit.Test;
+import org.opengrok.web.api.v1.filter.CorsFilter;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerResponseContext;
+import javax.ws.rs.core.MultivaluedHashMap;
+import javax.ws.rs.core.MultivaluedMap;
+
+import java.util.Arrays;
+import java.util.List;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.opengrok.web.api.v1.filter.CorsFilter.ALLOW_CORS_HEADER;
+import static org.opengrok.web.api.v1.filter.CorsFilter.CORS_REQUEST_HEADER;
+
+public class CorsFilterTest {
+    @Test
+    public void nonCorsTest() {
+        testBoth(null, null);
+    }
+
+    @Test
+    public void CorsTest() {
+        testBoth("https://example.org", Arrays.asList("*"));
+    }
+
+    private void testBoth(String origin, List<Object> headerValue) {
+        CorsFilter filter = new CorsFilter();
+        ContainerRequestContext request = mock(ContainerRequestContext.class);
+        when(request.getHeaderString(CORS_REQUEST_HEADER)).thenReturn(origin);
+
+        ContainerResponseContext response = mock(ContainerResponseContext.class);
+        MultivaluedMap<String, Object> headers = new MultivaluedHashMap<>();
+        when(response.getHeaders()).thenReturn(headers);
+
+        filter.filter(request, response);
+        assertEquals(headerValue, headers.get(ALLOW_CORS_HEADER));
+    }
+
+}

opengrok-web/src/test/java/org/opengrok/web/api/v1/controller/SearchControllerTest.java

@@ -0,0 +1,66 @@
+package org.opengrok.web.api.v1.controller;
+
+import org.glassfish.jersey.test.JerseyTest;
+import org.junit.*;
+import org.opengrok.indexer.condition.ConditionalRunRule;
+import org.opengrok.indexer.configuration.RuntimeEnvironment;
+import org.opengrok.indexer.index.Indexer;
+import org.opengrok.indexer.util.TestRepository;
+import org.opengrok.web.api.v1.RestApp;
+
+import javax.ws.rs.core.Application;
+import javax.ws.rs.core.Response;
+import java.util.Collections;
+
+import static org.junit.Assert.assertEquals;
+import static org.opengrok.web.api.v1.filter.CorsFilter.ALLOW_CORS_HEADER;
+import static org.opengrok.web.api.v1.filter.CorsFilter.CORS_REQUEST_HEADER;
+
+public class SearchControllerTest extends JerseyTest {
+    @ClassRule
+    public static ConditionalRunRule rule = new ConditionalRunRule();
+
+    private static final RuntimeEnvironment env = RuntimeEnvironment.getInstance();
+
+
+    private static TestRepository repository;
+
+    @Override
+    protected Application configure() {
+        return new RestApp();
+    }
+
+    @BeforeClass
+    public static void setUpClass() throws Exception {
+        System.setProperty("sun.net.http.allowRestrictedHeaders", "true"); // necessary to test CORS from controllers
+        repository = new TestRepository();
+
+        repository.create(SearchControllerTest.class.getResourceAsStream("/org/opengrok/indexer/index/source.zip"));
+
+        env.setHistoryEnabled(false);
+        env.setProjectsEnabled(true);
+        env.setDefaultProjectsFromNames(Collections.singleton("__all__"));
+
+        env.getSuggesterConfig().setRebuildCronConfig(null);
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+        repository.destroy();
+    }
+
+    @Before
+    public void before() {
+
+    }
+
+    @Test
+    public void testSearchCors() {
+        Response response = target(SearchController.PATH)
+                .request()
+                .header(CORS_REQUEST_HEADER, "http://example.com")
+                .get();
+        assertEquals("*", response.getHeaderString(ALLOW_CORS_HEADER));
+    }
+
+}

opengrok-web/src/test/java/org/opengrok/web/api/v1/controller/SuggesterControllerTest.java

@@ -45,7 +45,6 @@
 import javax.ws.rs.core.Response;
 import java.lang.reflect.Field;
 import java.util.AbstractMap.SimpleEntry;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
@@ -60,6 +59,8 @@
 import static org.hamcrest.collection.IsIterableContainingInOrder.contains;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
+import static org.opengrok.web.api.v1.filter.CorsFilter.ALLOW_CORS_HEADER;
+import static org.opengrok.web.api.v1.filter.CorsFilter.CORS_REQUEST_HEADER;
 
 @ConditionalRun(CtagsInstalled.class)
 @FixMethodOrder(MethodSorters.NAME_ASCENDING)
@@ -104,6 +105,7 @@ protected Application configure() {
 
     @BeforeClass
     public static void setUpClass() throws Exception {
+        System.setProperty("sun.net.http.allowRestrictedHeaders", "true"); // necessary to test CORS from controllers
         repository = new TestRepository();
 
         repository.create(SuggesterControllerTest.class.getResourceAsStream("/org/opengrok/indexer/index/source.zip"));
@@ -152,6 +154,16 @@ public void testGetSuggesterConfig() {
         assertEquals(env.getSuggesterConfig(), config);
     }
 
+    @Test
+    public void testGetSuggesterConfigCors() {
+        Response response = target(SuggesterController.PATH)
+                .path("config")
+                .request()
+                .header(CORS_REQUEST_HEADER, "http://example.com")
+                .get();
+        assertEquals("*", response.getHeaderString(ALLOW_CORS_HEADER));
+    }
+
     @Test
     public void testGetSuggestionsSimpleFull() {
         Result res = target(SuggesterController.PATH)
@@ -165,6 +177,19 @@ public void testGetSuggestionsSimpleFull() {
                 containsInAnyOrder("innermethod", "innerclass"));
     }
 
+    @Test
+    public void testGetSuggestionsCors() {
+        Response response = target(SuggesterController.PATH)
+                .queryParam(AuthorizationFilter.PROJECTS_PARAM, "java")
+                .queryParam("field", QueryBuilder.FULL)
+                .queryParam(QueryBuilder.FULL, "inner")
+                .request()
+                .header(CORS_REQUEST_HEADER, "http://example.com")
+                .get();
+
+        assertEquals("*", response.getHeaderString(ALLOW_CORS_HEADER));
+    }
+
     @Test
     public void testGetSuggestionsSimpleDefs() {
         Result res = target(SuggesterController.PATH)