1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
|
package cors
import (
"fmt"
"net/http"
"strconv"
"strings"
)
// CORSRule represents a single CORS rule
type CORSRule struct {
AllowedHeaders []string `xml:"AllowedHeader,omitempty" json:"AllowedHeaders,omitempty"`
AllowedMethods []string `xml:"AllowedMethod" json:"AllowedMethods"`
AllowedOrigins []string `xml:"AllowedOrigin" json:"AllowedOrigins"`
ExposeHeaders []string `xml:"ExposeHeader,omitempty" json:"ExposeHeaders,omitempty"`
MaxAgeSeconds *int `xml:"MaxAgeSeconds,omitempty" json:"MaxAgeSeconds,omitempty"`
ID string `xml:"ID,omitempty" json:"ID,omitempty"`
}
// CORSConfiguration represents the CORS configuration for a bucket
type CORSConfiguration struct {
CORSRules []CORSRule `xml:"CORSRule" json:"CORSRules"`
}
// CORSRequest represents a CORS request
type CORSRequest struct {
Origin string
Method string
RequestHeaders []string
IsPreflightRequest bool
AccessControlRequestMethod string
AccessControlRequestHeaders []string
}
// CORSResponse represents the response for a CORS request
type CORSResponse struct {
AllowOrigin string
AllowMethods string
AllowHeaders string
ExposeHeaders string
MaxAge string
AllowCredentials bool
}
// ValidateConfiguration validates a CORS configuration
func ValidateConfiguration(config *CORSConfiguration) error {
if config == nil {
return fmt.Errorf("CORS configuration cannot be nil")
}
if len(config.CORSRules) == 0 {
return fmt.Errorf("CORS configuration must have at least one rule")
}
if len(config.CORSRules) > 100 {
return fmt.Errorf("CORS configuration cannot have more than 100 rules")
}
for i, rule := range config.CORSRules {
if err := validateRule(&rule); err != nil {
return fmt.Errorf("invalid CORS rule at index %d: %v", i, err)
}
}
return nil
}
// ParseRequest parses an HTTP request to extract CORS information
func ParseRequest(r *http.Request) *CORSRequest {
corsReq := &CORSRequest{
Origin: r.Header.Get("Origin"),
Method: r.Method,
}
// Check if this is a preflight request
if r.Method == "OPTIONS" {
corsReq.IsPreflightRequest = true
corsReq.AccessControlRequestMethod = r.Header.Get("Access-Control-Request-Method")
if headers := r.Header.Get("Access-Control-Request-Headers"); headers != "" {
corsReq.AccessControlRequestHeaders = strings.Split(headers, ",")
for i := range corsReq.AccessControlRequestHeaders {
corsReq.AccessControlRequestHeaders[i] = strings.TrimSpace(corsReq.AccessControlRequestHeaders[i])
}
}
}
return corsReq
}
// validateRule validates a single CORS rule
func validateRule(rule *CORSRule) error {
if len(rule.AllowedMethods) == 0 {
return fmt.Errorf("AllowedMethods cannot be empty")
}
if len(rule.AllowedOrigins) == 0 {
return fmt.Errorf("AllowedOrigins cannot be empty")
}
// Validate allowed methods
validMethods := map[string]bool{
"GET": true,
"PUT": true,
"POST": true,
"DELETE": true,
"HEAD": true,
}
for _, method := range rule.AllowedMethods {
if !validMethods[method] {
return fmt.Errorf("invalid HTTP method: %s", method)
}
}
// Validate origins
for _, origin := range rule.AllowedOrigins {
if origin == "*" {
continue
}
if err := validateOrigin(origin); err != nil {
return fmt.Errorf("invalid origin %s: %v", origin, err)
}
}
// Validate MaxAgeSeconds
if rule.MaxAgeSeconds != nil && *rule.MaxAgeSeconds < 0 {
return fmt.Errorf("MaxAgeSeconds cannot be negative")
}
return nil
}
// validateOrigin validates an origin string
func validateOrigin(origin string) error {
if origin == "" {
return fmt.Errorf("origin cannot be empty")
}
// Special case: "*" is always valid
if origin == "*" {
return nil
}
// Count wildcards
wildcardCount := strings.Count(origin, "*")
if wildcardCount > 1 {
return fmt.Errorf("origin can contain at most one wildcard")
}
// If there's a wildcard, it should be in a valid position
if wildcardCount == 1 {
// Must be in the format: http://*.example.com or https://*.example.com
if !strings.HasPrefix(origin, "http://") && !strings.HasPrefix(origin, "https://") {
return fmt.Errorf("origin with wildcard must start with http:// or https://")
}
}
return nil
}
// EvaluateRequest evaluates a CORS request against a CORS configuration
func EvaluateRequest(config *CORSConfiguration, corsReq *CORSRequest) (*CORSResponse, error) {
if config == nil || corsReq == nil {
return nil, fmt.Errorf("config and corsReq cannot be nil")
}
if corsReq.Origin == "" {
return nil, fmt.Errorf("origin header is required for CORS requests")
}
// Find the first rule that matches the origin
for _, rule := range config.CORSRules {
if matchesOrigin(rule.AllowedOrigins, corsReq.Origin) {
// For preflight requests, we need more detailed validation
if corsReq.IsPreflightRequest {
return buildPreflightResponse(&rule, corsReq), nil
} else {
// For actual requests, check method
if containsString(rule.AllowedMethods, corsReq.Method) {
return buildResponse(&rule, corsReq), nil
}
}
}
}
return nil, fmt.Errorf("no matching CORS rule found")
}
// buildPreflightResponse builds a CORS response for preflight requests
func buildPreflightResponse(rule *CORSRule, corsReq *CORSRequest) *CORSResponse {
response := &CORSResponse{
AllowOrigin: corsReq.Origin,
}
// Check if the requested method is allowed
methodAllowed := corsReq.AccessControlRequestMethod == "" || containsString(rule.AllowedMethods, corsReq.AccessControlRequestMethod)
// Check requested headers
var allowedRequestHeaders []string
allHeadersAllowed := true
if len(corsReq.AccessControlRequestHeaders) > 0 {
// Check if wildcard is allowed
hasWildcard := false
for _, header := range rule.AllowedHeaders {
if header == "*" {
hasWildcard = true
break
}
}
if hasWildcard {
// All requested headers are allowed with wildcard
allowedRequestHeaders = corsReq.AccessControlRequestHeaders
} else {
// Check each requested header individually
for _, requestedHeader := range corsReq.AccessControlRequestHeaders {
if matchesHeader(rule.AllowedHeaders, requestedHeader) {
allowedRequestHeaders = append(allowedRequestHeaders, requestedHeader)
} else {
allHeadersAllowed = false
}
}
}
}
// Only set method and header info if both method and ALL headers are allowed
if methodAllowed && allHeadersAllowed {
response.AllowMethods = strings.Join(rule.AllowedMethods, ", ")
if len(allowedRequestHeaders) > 0 {
response.AllowHeaders = strings.Join(allowedRequestHeaders, ", ")
}
// Set exposed headers
if len(rule.ExposeHeaders) > 0 {
response.ExposeHeaders = strings.Join(rule.ExposeHeaders, ", ")
}
// Set max age
if rule.MaxAgeSeconds != nil {
response.MaxAge = strconv.Itoa(*rule.MaxAgeSeconds)
}
}
return response
}
// buildResponse builds a CORS response from a matching rule
func buildResponse(rule *CORSRule, corsReq *CORSRequest) *CORSResponse {
response := &CORSResponse{
AllowOrigin: corsReq.Origin,
}
// Set allowed methods
response.AllowMethods = strings.Join(rule.AllowedMethods, ", ")
// Set allowed headers
if len(rule.AllowedHeaders) > 0 {
response.AllowHeaders = strings.Join(rule.AllowedHeaders, ", ")
}
// Set expose headers
if len(rule.ExposeHeaders) > 0 {
response.ExposeHeaders = strings.Join(rule.ExposeHeaders, ", ")
}
// Set max age
if rule.MaxAgeSeconds != nil {
response.MaxAge = strconv.Itoa(*rule.MaxAgeSeconds)
}
return response
}
// Helper functions
// matchesOrigin checks if the request origin matches any allowed origin
func matchesOrigin(allowedOrigins []string, origin string) bool {
for _, allowedOrigin := range allowedOrigins {
if allowedOrigin == "*" {
return true
}
if allowedOrigin == origin {
return true
}
// Handle wildcard patterns like https://*.example.com
if strings.Contains(allowedOrigin, "*") {
if matchWildcard(allowedOrigin, origin) {
return true
}
}
}
return false
}
// matchWildcard performs wildcard matching for origins
func matchWildcard(pattern, text string) bool {
// Simple wildcard matching - only supports single * at the beginning
if strings.HasPrefix(pattern, "http://*") {
suffix := pattern[8:] // Remove "http://*"
return strings.HasPrefix(text, "http://") && strings.HasSuffix(text, suffix)
}
if strings.HasPrefix(pattern, "https://*") {
suffix := pattern[9:] // Remove "https://*"
return strings.HasPrefix(text, "https://") && strings.HasSuffix(text, suffix)
}
return false
}
// matchesHeader checks if a header is allowed
func matchesHeader(allowedHeaders []string, header string) bool {
// If no headers are specified, all headers are allowed
if len(allowedHeaders) == 0 {
return true
}
// Header matching is case-insensitive
header = strings.ToLower(header)
for _, allowedHeader := range allowedHeaders {
allowedHeaderLower := strings.ToLower(allowedHeader)
// Wildcard match
if allowedHeaderLower == "*" {
return true
}
// Exact match
if allowedHeaderLower == header {
return true
}
// Prefix wildcard match (e.g., "x-amz-*" matches "x-amz-date")
if strings.HasSuffix(allowedHeaderLower, "*") {
prefix := strings.TrimSuffix(allowedHeaderLower, "*")
if strings.HasPrefix(header, prefix) {
return true
}
}
}
return false
}
// containsString checks if a slice contains a specific string
func containsString(slice []string, item string) bool {
for _, s := range slice {
if s == item {
return true
}
}
return false
}
// ApplyHeaders applies CORS headers to an HTTP response
func ApplyHeaders(w http.ResponseWriter, corsResp *CORSResponse) {
if corsResp == nil {
return
}
if corsResp.AllowOrigin != "" {
w.Header().Set("Access-Control-Allow-Origin", corsResp.AllowOrigin)
if corsResp.AllowOrigin != "*" {
w.Header().Add("Vary", "Origin")
}
}
if corsResp.AllowMethods != "" {
w.Header().Set("Access-Control-Allow-Methods", corsResp.AllowMethods)
}
if corsResp.AllowHeaders != "" {
w.Header().Set("Access-Control-Allow-Headers", corsResp.AllowHeaders)
}
if corsResp.ExposeHeaders != "" {
w.Header().Set("Access-Control-Expose-Headers", corsResp.ExposeHeaders)
}
if corsResp.MaxAge != "" {
w.Header().Set("Access-Control-Max-Age", corsResp.MaxAge)
}
if corsResp.AllowCredentials {
w.Header().Set("Access-Control-Allow-Credentials", "true")
}
}
|
