Add Access-Control-Allow-Credentials header

Fixes #415
2023-09-26 13:38:22 +02:00 · 2023-09-26 13:38:22 +02:00 · b134e81406
commit b134e81406
--- a/1
+++ b/1
@ -21,6 +21,7 @@ ENV \
    S3PROXY_CORS_ALLOW_ORIGINS="" \
    S3PROXY_CORS_ALLOW_METHODS="" \
    S3PROXY_CORS_ALLOW_HEADERS="" \
+    S3PROXY_CORS_ALLOW_CREDENTIAL="" \
    S3PROXY_IGNORE_UNKNOWN_HEADERS="false" \
    S3PROXY_ENCRYPTED_BLOBSTORE="" \
    S3PROXY_ENCRYPTED_BLOBSTORE_PASSWORD="" \
--- a/README.md
+++ b/README.md
@ -140,6 +140,7 @@ file (and corresponding ENV variables for Docker):
 s3proxy.cors-allow-origins=https://example\.com https://.+\.example\.com https://example\.cloud
 s3proxy.cors-allow-methods=GET PUT
 s3proxy.cors-allow-headers=Accept Content-Type
+s3proxy.cors-allow-credential=true
 ```

 CORS cannot be configured per bucket. `s3proxy.cors-allow-all=true` will accept any origin and header.
--- a/src/main/java/org/gaul/s3proxy/CrossOriginResourceSharing.java
+++ b/src/main/java/org/gaul/s3proxy/CrossOriginResourceSharing.java
@ -40,6 +40,7 @@ public final class CrossOriginResourceSharing {
    private static final String HEADER_VALUE_SEPARATOR = ", ";
    private static final String ALLOW_ANY_ORIGIN = "*";
    private static final String ALLOW_ANY_HEADER = "*";
+    private static final String ALLOW_CREDENTIALS = "true";

    private static final Logger logger = LoggerFactory.getLogger(
            CrossOriginResourceSharing.class);
@ -50,16 +51,18 @@ public final class CrossOriginResourceSharing {
    private final Set<Pattern> allowedOrigins;
    private final Set<String> allowedMethods;
    private final Set<String> allowedHeaders;
+    private final String allowCredentials;

    public CrossOriginResourceSharing() {
        // CORS Allow all
        this(Lists.newArrayList(ALLOW_ANY_ORIGIN), SUPPORTED_METHODS,
-                Lists.newArrayList(ALLOW_ANY_HEADER));
+                Lists.newArrayList(ALLOW_ANY_HEADER), "");
    }

    public CrossOriginResourceSharing(Collection<String> allowedOrigins,
            Collection<String> allowedMethods,
-            Collection<String> allowedHeaders) {
+            Collection<String> allowedHeaders,
+            String allowCredentials) {
        Set<Pattern> allowedPattern = new HashSet<Pattern>();
        boolean anyOriginAllowed = false;

@ -92,9 +95,12 @@ public final class CrossOriginResourceSharing {
        this.allowedHeadersRaw = Joiner.on(HEADER_VALUE_SEPARATOR).join(
                this.allowedHeaders);

+        this.allowCredentials = allowCredentials;
+
        logger.info("CORS allowed origins: {}", allowedOrigins);
        logger.info("CORS allowed methods: {}", allowedMethods);
        logger.info("CORS allowed headers: {}", allowedHeaders);
+        logger.info("CORS allow credentials: {}", allowCredentials);
    }

    public String getAllowedMethods() {
@ -166,6 +172,10 @@ public final class CrossOriginResourceSharing {
        return result;
    }

+    public boolean isAllowCredentials() {
+        return ALLOW_CREDENTIALS.equals(allowCredentials);
+    }
+
    @Override
    public boolean equals(Object object) {
        if (this == object) {
--- a/src/main/java/org/gaul/s3proxy/S3Proxy.java
+++ b/src/main/java/org/gaul/s3proxy/S3Proxy.java
@ -267,6 +267,9 @@ public final class S3Proxy {
                        S3ProxyConstants.PROPERTY_CORS_ALLOW_METHODS, "");
                String corsAllowHeaders = properties.getProperty(
                        S3ProxyConstants.PROPERTY_CORS_ALLOW_HEADERS, "");
+                String allowCredentials = properties.getProperty(
+                        S3ProxyConstants.PROPERTY_CORS_ALLOW_CREDENTIAL, "");
+
                Splitter splitter = Splitter.on(" ").trimResults()
                        .omitEmptyStrings();

@ -285,7 +288,8 @@ public final class S3Proxy {
                builder.corsRules(new CrossOriginResourceSharing(
                        Lists.newArrayList(splitter.split(corsAllowOrigins)),
                        Lists.newArrayList(splitter.split(corsAllowMethods)),
-                        Lists.newArrayList(splitter.split(corsAllowHeaders))));
+                        Lists.newArrayList(splitter.split(corsAllowHeaders)),
+                        allowCredentials));
            }

            String jettyMaxThreads = properties.getProperty(
--- a/src/main/java/org/gaul/s3proxy/S3ProxyConstants.java
+++ b/src/main/java/org/gaul/s3proxy/S3ProxyConstants.java
@ -40,6 +40,8 @@ public final class S3ProxyConstants {
            "s3proxy.cors-allow-methods";
    public static final String PROPERTY_CORS_ALLOW_HEADERS =
            "s3proxy.cors-allow-headers";
+    public static final String PROPERTY_CORS_ALLOW_CREDENTIAL =
+            "s3proxy.cors-allow-credential";
    public static final String PROPERTY_CREDENTIAL =
            "s3proxy.credential";
    public static final String PROPERTY_IGNORE_UNKNOWN_HEADERS =
--- a/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
+++ b/src/main/java/org/gaul/s3proxy/S3ProxyHandler.java
@ -2994,6 +2994,9 @@ public class S3ProxyHandler {
                    corsRules.getAllowedOrigin(corsOrigin));
            response.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS,
                    corsRules.getAllowedMethods());
+            if (corsRules.isAllowCredentials()) {
+                response.addHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
+            }
        }
    }

--- a/src/main/resources/run-docker-container.sh
+++ b/src/main/resources/run-docker-container.sh
@ -15,6 +15,7 @@ exec java \
    -Ds3proxy.cors-allow-origins="${S3PROXY_CORS_ALLOW_ORIGINS}" \
    -Ds3proxy.cors-allow-methods="${S3PROXY_CORS_ALLOW_METHODS}" \
    -Ds3proxy.cors-allow-headers="${S3PROXY_CORS_ALLOW_HEADERS}" \
+    -Ds3proxy.cors-allow-credential="${S3PROXY_CORS_ALLOW_CREDENTIAL}" \
    -Ds3proxy.ignore-unknown-headers="${S3PROXY_IGNORE_UNKNOWN_HEADERS}" \
    -Ds3proxy.encrypted-blobstore="${S3PROXY_ENCRYPTED_BLOBSTORE}" \
    -Ds3proxy.encrypted-blobstore-password="${S3PROXY_ENCRYPTED_BLOBSTORE_PASSWORD}" \
--- a/src/test/java/org/gaul/s3proxy/CrossOriginResourceSharingResponseTest.java
+++ b/src/test/java/org/gaul/s3proxy/CrossOriginResourceSharingResponseTest.java
@ -303,6 +303,9 @@ public final class CrossOriginResourceSharingResponseTest {
        assertThat(response.getFirstHeader(
                HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS).getValue())
                .isEqualTo("Accept, Content-Type");
+        assertThat(response.getFirstHeader(
+                HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS))
+                .isNull();
    }

    @Test
--- a/src/test/java/org/gaul/s3proxy/CrossOriginResourceSharingRuleTest.java
+++ b/src/test/java/org/gaul/s3proxy/CrossOriginResourceSharingRuleTest.java
@ -38,9 +38,10 @@ public final class CrossOriginResourceSharingRuleTest {
                        "https://.+\\.example\\.com",
                        "https://example\\.cloud"),
                Lists.newArrayList("GET", "PUT"),
-                Lists.newArrayList("Accept", "Content-Type"));
+                Lists.newArrayList("Accept", "Content-Type"),
+                "true");
        // CORS disabled
-        corsOff = new CrossOriginResourceSharing(null, null, null);
+        corsOff = new CrossOriginResourceSharing(null, null, null, null);
    }

    @Test
@ -174,4 +175,10 @@ public final class CrossOriginResourceSharingRuleTest {
        assertThat(corsCfg.isEveryHeaderAllowed(probe))
                .as("check '%s' as header", probe).isTrue();
    }
+
+    @Test
+    public void testAllowCredentials() {
+        assertThat(corsOff.isAllowCredentials()).isFalse();
+        assertThat(corsCfg.isAllowCredentials()).isTrue();
+    }
 }