Add CORS header support on metrics PUT/POST. (#60)

In the scenario where prom-aggregation-gateway is exposed to external client
that writes metrics (so, browser for example) it should support adding CORS
header (`Access-Control-Allow-Origin`) also on PUT/POST requests.
This adds another layer of security (incorrect origins will be rejected) and
allows matching origins to read the response from the gateway - browser client
can confirm that metrics were indeed sent correctly.

Also added few simple router tests for GET and PUT with both failed and successful CORS.

Fixes #58

Signed-off-by: Andrzej Voss <git@poczta.tril.pl>
Co-authored-by: Andrzej Voss <git@poczta.tril.pl>

Author: triluch

routers/public.go

@@ -33,6 +33,7 @@ func setupAPIRouter(cfg ApiRouterConfig, agg *metrics.Aggregate, promConfig prom
 	} else {
 		corsConfig.AllowAllOrigins = true
 	}
+	corsHandler := cors.New(corsConfig)
 	cfg.authAccounts = processAuthConfig(cfg.Accounts)
 
 	metricsMiddleware := middleware.New(middleware.Config{
@@ -47,13 +48,15 @@ func setupAPIRouter(cfg ApiRouterConfig, agg *metrics.Aggregate, promConfig prom
 
 	neededHandlers := []gin.HandlerFunc{}
 
+	neededHandlers = append(neededHandlers, corsHandler)
+
 	if len(cfg.Accounts) > 0 {
 		neededHandlers = append(neededHandlers, gin.BasicAuth(cfg.authAccounts))
 	}
 
 	r.GET("/metrics",
 		mGin.Handler("getMetrics", metricsMiddleware),
-		cors.New(corsConfig),
+		corsHandler,
 		agg.HandleRender,
 	)
 

routers/router_test.go

@@ -181,3 +181,74 @@ func TestAuthRouter(t *testing.T) {
 		})
 	}
 }
+
+func TestCorsRouter(t *testing.T) {
+	tests := []struct {
+		name           string
+		path           string
+		method         string
+		corsDomain     string
+		origin         string
+		statusCode     int
+		expectedHeader string
+	}{
+		{
+			"GET returning header on all allowed origins",
+			"/metrics",
+			"GET",
+			"*",
+			"https://cors-domain",
+			200,
+			"*",
+		},
+		{
+			"PUT returning header on all allowed origins",
+			"/metrics",
+			"PUT",
+			"*",
+			"https://cors-domain",
+			202,
+			"*",
+		},
+		{
+			"GET returning 403 and not returning header on origin not in cors config",
+			"/metrics",
+			"GET",
+			"https://cors-domain",
+			"https://invalid-domain",
+			403,
+			"",
+		},
+		{
+			"PUT returning 403 and not returning header on origin not in cors config",
+			"/metrics",
+			"PUT",
+			"https://cors-domain",
+			"https://invalid-domain",
+			403,
+			"",
+		},
+	}
+
+	for idx, test := range tests {
+		t.Run(fmt.Sprintf("test #%d: %s", idx+1, test.name), func(t *testing.T) {
+			// setup router
+			router := setupTestRouter(ApiRouterConfig{CorsDomain: test.corsDomain})
+
+			buf := bytes.NewBufferString("")
+			req, err := http.NewRequest(test.method, test.path, buf)
+			require.NoError(t, err)
+
+			req.Header.Set("origin", test.origin)
+
+			// make request
+			w := httptest.NewRecorder()
+			router.ServeHTTP(w, req)
+
+			assert.Equal(t, test.statusCode, w.Code)
+
+			responseHeaders := w.Header()
+			assert.Equal(t, test.expectedHeader, responseHeaders.Get("access-control-allow-origin"))
+		})
+	}
+}