From 24d8b49c13f55f41f001e4ffe734d3a3eede028e Mon Sep 17 00:00:00 2001 From: David Barroso Date: Fri, 5 Apr 2024 12:37:26 +0200 Subject: [PATCH] chore: change cors library for the config server (#850) --- cmd/configserver/configserver.go | 8 +- go.mod | 3 +- go.sum | 6 +- vendor/github.com/gin-contrib/cors/.gitignore | 25 - .../github.com/gin-contrib/cors/.golangci.yml | 39 -- .../gin-contrib/cors/.goreleaser.yaml | 56 --- vendor/github.com/gin-contrib/cors/README.md | 95 ---- vendor/github.com/gin-contrib/cors/config.go | 155 ------ vendor/github.com/gin-contrib/cors/cors.go | 198 -------- vendor/github.com/gin-contrib/cors/utils.go | 90 ---- .../{gin-contrib => rs}/cors/LICENSE | 12 +- vendor/github.com/rs/cors/README.md | 116 +++++ vendor/github.com/rs/cors/cors.go | 446 ++++++++++++++++++ vendor/github.com/rs/cors/utils.go | 71 +++ vendor/github.com/rs/cors/wrapper/gin/LICENSE | 19 + vendor/github.com/rs/cors/wrapper/gin/gin.go | 50 ++ vendor/modules.txt | 9 +- 17 files changed, 721 insertions(+), 677 deletions(-) delete mode 100644 vendor/github.com/gin-contrib/cors/.gitignore delete mode 100644 vendor/github.com/gin-contrib/cors/.golangci.yml delete mode 100644 vendor/github.com/gin-contrib/cors/.goreleaser.yaml delete mode 100644 vendor/github.com/gin-contrib/cors/README.md delete mode 100644 vendor/github.com/gin-contrib/cors/config.go delete mode 100644 vendor/github.com/gin-contrib/cors/cors.go delete mode 100644 vendor/github.com/gin-contrib/cors/utils.go rename vendor/github.com/{gin-contrib => rs}/cors/LICENSE (86%) create mode 100644 vendor/github.com/rs/cors/README.md create mode 100644 vendor/github.com/rs/cors/cors.go create mode 100644 vendor/github.com/rs/cors/utils.go create mode 100644 vendor/github.com/rs/cors/wrapper/gin/LICENSE create mode 100644 vendor/github.com/rs/cors/wrapper/gin/gin.go diff --git a/cmd/configserver/configserver.go b/cmd/configserver/configserver.go index 9485e26b9..cd7cd406e 100644 --- a/cmd/configserver/configserver.go +++ b/cmd/configserver/configserver.go @@ -6,10 +6,10 @@ import ( "os" "github.com/99designs/gqlgen/graphql" - "github.com/gin-contrib/cors" "github.com/gin-gonic/gin" "github.com/google/uuid" "github.com/nhost/be/services/mimir/graph" + cors "github.com/rs/cors/wrapper/gin" "github.com/urfave/cli/v2" ) @@ -141,11 +141,7 @@ func serve(cCtx *cli.Context) error { cCtx.App.Version, []graphql.FieldMiddleware{}, gin.Recovery(), - cors.New(cors.Config{ //nolint: exhaustruct - AllowOrigins: []string{"https://local.dashboard.nhost.run"}, - AllowMethods: []string{"GET", "POST"}, - AllowCredentials: true, - }), + cors.Default(), ) if err := r.Run(cCtx.String(bindFlag)); err != nil { return fmt.Errorf("failed to run gin: %w", err) diff --git a/go.mod b/go.mod index 1d3c846a0..a2bdb4c3a 100644 --- a/go.mod +++ b/go.mod @@ -9,7 +9,6 @@ require ( github.com/Yamashou/gqlgenc v0.19.3 github.com/charmbracelet/lipgloss v0.10.0 github.com/creack/pty v1.1.21 - github.com/gin-contrib/cors v1.7.1 github.com/gin-gonic/gin v1.9.1 github.com/go-git/go-git/v5 v5.12.0 github.com/google/go-cmp v0.6.0 @@ -17,6 +16,7 @@ require ( github.com/hashicorp/go-getter v1.7.3 github.com/nhost/be v0.0.0-20240403074641-7c96c314a29a github.com/pelletier/go-toml/v2 v2.2.0 + github.com/rs/cors/wrapper/gin v0.0.0-20240228164225-8d33ca4794ea github.com/sirupsen/logrus v1.9.3 github.com/urfave/cli/v2 v2.27.1 github.com/wI2L/jsondiff v0.5.1 @@ -96,6 +96,7 @@ require ( github.com/prometheus/common v0.51.1 // indirect github.com/prometheus/procfs v0.13.0 // indirect github.com/rivo/uniseg v0.4.7 // indirect + github.com/rs/cors v1.8.1 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect github.com/skeema/knownhosts v1.2.2 // indirect diff --git a/go.sum b/go.sum index 79e8b1adf..5529011a8 100644 --- a/go.sum +++ b/go.sum @@ -296,8 +296,6 @@ github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSw github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0= github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= -github.com/gin-contrib/cors v1.7.1 h1:s9SIppU/rk8enVvkzwiC2VK3UZ/0NNGsWfUKvV55rqs= -github.com/gin-contrib/cors v1.7.1/go.mod h1:n/Zj7B4xyrgk/cX1WCX2dkzFfaNm/xJb6oIUk7WTtps= github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE= github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg= @@ -539,6 +537,10 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= +github.com/rs/cors v1.8.1 h1:OrP+y5H+5Md29ACTA9imbALaKHwOSUZkcizaG0LT5ow= +github.com/rs/cors v1.8.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU= +github.com/rs/cors/wrapper/gin v0.0.0-20240228164225-8d33ca4794ea h1:zDqxp+k0Xtoh+2gTtG2eODpGSrNbnqQ0WRO1ycox22g= +github.com/rs/cors/wrapper/gin v0.0.0-20240228164225-8d33ca4794ea/go.mod h1:gmu40DuK3SLdKUzGOUofS3UDZwyeOUy6ZjPPuaALatw= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= diff --git a/vendor/github.com/gin-contrib/cors/.gitignore b/vendor/github.com/gin-contrib/cors/.gitignore deleted file mode 100644 index 002df848c..000000000 --- a/vendor/github.com/gin-contrib/cors/.gitignore +++ /dev/null @@ -1,25 +0,0 @@ -*.o -*.a -*.so - -_obj -_test - -*.[568vq] -[568vq].out - -*.cgo1.go -*.cgo2.c -_cgo_defun.c -_cgo_gotypes.go -_cgo_export.* - -_testmain.go - -*.exe -*.test -*.prof - -coverage.out - -.idea diff --git a/vendor/github.com/gin-contrib/cors/.golangci.yml b/vendor/github.com/gin-contrib/cors/.golangci.yml deleted file mode 100644 index d59c99bd4..000000000 --- a/vendor/github.com/gin-contrib/cors/.golangci.yml +++ /dev/null @@ -1,39 +0,0 @@ -linters: - enable-all: false - disable-all: true - fast: false - enable: - - bodyclose - - dogsled - - dupl - - errcheck - - exportloopref - - exhaustive - - gochecknoinits - - goconst - - gocritic - - gocyclo - - gofmt - - goimports - - goprintffuncname - - gosec - - gosimple - - govet - - ineffassign - - lll - - misspell - - nakedret - - noctx - - nolintlint - - rowserrcheck - - staticcheck - - stylecheck - - typecheck - - unconvert - - unparam - - unused - - whitespace - - gofumpt - -run: - timeout: 3m diff --git a/vendor/github.com/gin-contrib/cors/.goreleaser.yaml b/vendor/github.com/gin-contrib/cors/.goreleaser.yaml deleted file mode 100644 index d26795543..000000000 --- a/vendor/github.com/gin-contrib/cors/.goreleaser.yaml +++ /dev/null @@ -1,56 +0,0 @@ -project_name: queue - -builds: - - # If true, skip the build. - # Useful for library projects. - # Default is false - skip: true - -changelog: - # Set it to true if you wish to skip the changelog generation. - # This may result in an empty release notes on GitHub/GitLab/Gitea. - skip: false - - # Changelog generation implementation to use. - # - # Valid options are: - # - `git`: uses `git log`; - # - `github`: uses the compare GitHub API, appending the author login to the changelog. - # - `gitlab`: uses the compare GitLab API, appending the author name and email to the changelog. - # - `github-native`: uses the GitHub release notes generation API, disables the groups feature. - # - # Defaults to `git`. - use: git - - # Sorts the changelog by the commit's messages. - # Could either be asc, desc or empty - # Default is empty - sort: asc - - # Group commits messages by given regex and title. - # Order value defines the order of the groups. - # Proving no regex means all commits will be grouped under the default group. - # Groups are disabled when using github-native, as it already groups things by itself. - # - # Default is no groups. - groups: - - title: Features - regexp: "^.*feat[(\\w)]*:+.*$" - order: 0 - - title: "Bug fixes" - regexp: "^.*fix[(\\w)]*:+.*$" - order: 1 - - title: "Enhancements" - regexp: "^.*chore[(\\w)]*:+.*$" - order: 2 - - title: Others - order: 999 - - filters: - # Commit messages matching the regexp listed here will be removed from - # the changelog - # Default is empty - exclude: - - "^docs" - - "CICD" - - typo diff --git a/vendor/github.com/gin-contrib/cors/README.md b/vendor/github.com/gin-contrib/cors/README.md deleted file mode 100644 index d43523295..000000000 --- a/vendor/github.com/gin-contrib/cors/README.md +++ /dev/null @@ -1,95 +0,0 @@ -# CORS gin's middleware - -[![Run Tests](https://github.com/gin-contrib/cors/actions/workflows/go.yml/badge.svg)](https://github.com/gin-contrib/cors/actions/workflows/go.yml) -[![codecov](https://codecov.io/gh/gin-contrib/cors/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-contrib/cors) -[![Go Report Card](https://goreportcard.com/badge/github.com/gin-contrib/cors)](https://goreportcard.com/report/github.com/gin-contrib/cors) -[![GoDoc](https://godoc.org/github.com/gin-contrib/cors?status.svg)](https://godoc.org/github.com/gin-contrib/cors) - -Gin middleware/handler to enable CORS support. - -## Usage - -### Start using it - -Download and install it: - -```sh -go get github.com/gin-contrib/cors -``` - -Import it in your code: - -```go -import "github.com/gin-contrib/cors" -``` - -### Canonical example - -```go -package main - -import ( - "time" - - "github.com/gin-contrib/cors" - "github.com/gin-gonic/gin" -) - -func main() { - router := gin.Default() - // CORS for https://foo.com and https://github.com origins, allowing: - // - PUT and PATCH methods - // - Origin header - // - Credentials share - // - Preflight requests cached for 12 hours - router.Use(cors.New(cors.Config{ - AllowOrigins: []string{"https://foo.com"}, - AllowMethods: []string{"PUT", "PATCH"}, - AllowHeaders: []string{"Origin"}, - ExposeHeaders: []string{"Content-Length"}, - AllowCredentials: true, - AllowOriginFunc: func(origin string) bool { - return origin == "https://github.com" - }, - MaxAge: 12 * time.Hour, - })) - router.Run() -} -``` - -### Using DefaultConfig as start point - -```go -func main() { - router := gin.Default() - // - No origin allowed by default - // - GET,POST, PUT, HEAD methods - // - Credentials share disabled - // - Preflight requests cached for 12 hours - config := cors.DefaultConfig() - config.AllowOrigins = []string{"http://google.com"} - // config.AllowOrigins = []string{"http://google.com", "http://facebook.com"} - // config.AllowAllOrigins = true - - router.Use(cors.New(config)) - router.Run() -} -``` - -Note: while Default() allows all origins, DefaultConfig() does not and you will still have to use AllowAllOrigins. - -### Default() allows all origins - -```go -func main() { - router := gin.Default() - // same as - // config := cors.DefaultConfig() - // config.AllowAllOrigins = true - // router.Use(cors.New(config)) - router.Use(cors.Default()) - router.Run() -} -``` - -Using all origins disables the ability for Gin to set cookies for clients. When dealing with credentials, don't allow all origins. diff --git a/vendor/github.com/gin-contrib/cors/config.go b/vendor/github.com/gin-contrib/cors/config.go deleted file mode 100644 index 8a295e3db..000000000 --- a/vendor/github.com/gin-contrib/cors/config.go +++ /dev/null @@ -1,155 +0,0 @@ -package cors - -import ( - "net/http" - "strings" - - "github.com/gin-gonic/gin" -) - -type cors struct { - allowAllOrigins bool - allowCredentials bool - allowOriginFunc func(string) bool - allowOriginWithContextFunc func(*gin.Context, string) bool - allowOrigins []string - normalHeaders http.Header - preflightHeaders http.Header - wildcardOrigins [][]string - optionsResponseStatusCode int -} - -var ( - DefaultSchemas = []string{ - "http://", - "https://", - } - ExtensionSchemas = []string{ - "chrome-extension://", - "safari-extension://", - "moz-extension://", - "ms-browser-extension://", - } - FileSchemas = []string{ - "file://", - } - WebSocketSchemas = []string{ - "ws://", - "wss://", - } -) - -func newCors(config Config) *cors { - if err := config.Validate(); err != nil { - panic(err.Error()) - } - - for _, origin := range config.AllowOrigins { - if origin == "*" { - config.AllowAllOrigins = true - } - } - - if config.OptionsResponseStatusCode == 0 { - config.OptionsResponseStatusCode = http.StatusNoContent - } - - return &cors{ - allowOriginFunc: config.AllowOriginFunc, - allowOriginWithContextFunc: config.AllowOriginWithContextFunc, - allowAllOrigins: config.AllowAllOrigins, - allowCredentials: config.AllowCredentials, - allowOrigins: normalize(config.AllowOrigins), - normalHeaders: generateNormalHeaders(config), - preflightHeaders: generatePreflightHeaders(config), - wildcardOrigins: config.parseWildcardRules(), - optionsResponseStatusCode: config.OptionsResponseStatusCode, - } -} - -func (cors *cors) applyCors(c *gin.Context) { - origin := c.Request.Header.Get("Origin") - if len(origin) == 0 { - // request is not a CORS request - return - } - host := c.Request.Host - - if origin == "http://"+host || origin == "https://"+host { - // request is not a CORS request but have origin header. - // for example, use fetch api - return - } - - if !cors.isOriginValid(c, origin) { - c.AbortWithStatus(http.StatusForbidden) - return - } - - if c.Request.Method == "OPTIONS" { - cors.handlePreflight(c) - defer c.AbortWithStatus(cors.optionsResponseStatusCode) - } else { - cors.handleNormal(c) - } - - if !cors.allowAllOrigins { - c.Header("Access-Control-Allow-Origin", origin) - } -} - -func (cors *cors) validateWildcardOrigin(origin string) bool { - for _, w := range cors.wildcardOrigins { - if w[0] == "*" && strings.HasSuffix(origin, w[1]) { - return true - } - if w[1] == "*" && strings.HasPrefix(origin, w[0]) { - return true - } - if strings.HasPrefix(origin, w[0]) && strings.HasSuffix(origin, w[1]) { - return true - } - } - - return false -} - -func (cors *cors) isOriginValid(c *gin.Context, origin string) bool { - valid := cors.validateOrigin(origin) - if !valid && cors.allowOriginWithContextFunc != nil { - valid = cors.allowOriginWithContextFunc(c, origin) - } - return valid -} - -func (cors *cors) validateOrigin(origin string) bool { - if cors.allowAllOrigins { - return true - } - for _, value := range cors.allowOrigins { - if value == origin { - return true - } - } - if len(cors.wildcardOrigins) > 0 && cors.validateWildcardOrigin(origin) { - return true - } - if cors.allowOriginFunc != nil { - return cors.allowOriginFunc(origin) - } - return false -} - -func (cors *cors) handlePreflight(c *gin.Context) { - header := c.Writer.Header() - for key, value := range cors.preflightHeaders { - header[key] = value - } -} - -func (cors *cors) handleNormal(c *gin.Context) { - header := c.Writer.Header() - for key, value := range cors.normalHeaders { - header[key] = value - } -} diff --git a/vendor/github.com/gin-contrib/cors/cors.go b/vendor/github.com/gin-contrib/cors/cors.go deleted file mode 100644 index 2261df759..000000000 --- a/vendor/github.com/gin-contrib/cors/cors.go +++ /dev/null @@ -1,198 +0,0 @@ -package cors - -import ( - "errors" - "fmt" - "strings" - "time" - - "github.com/gin-gonic/gin" -) - -// Config represents all available options for the middleware. -type Config struct { - AllowAllOrigins bool - - // AllowOrigins is a list of origins a cross-domain request can be executed from. - // If the special "*" value is present in the list, all origins will be allowed. - // Default value is [] - AllowOrigins []string - - // AllowOriginFunc is a custom function to validate the origin. It takes the origin - // as an argument and returns true if allowed or false otherwise. If this option is - // set, the content of AllowOrigins is ignored. - AllowOriginFunc func(origin string) bool - - // Same as AllowOriginFunc except also receives the full request context. - // This function should use the context as a read only source and not - // have any side effects on the request, such as aborting or injecting - // values on the request. - AllowOriginWithContextFunc func(c *gin.Context, origin string) bool - - // AllowMethods is a list of methods the client is allowed to use with - // cross-domain requests. Default value is simple methods (GET, POST, PUT, PATCH, DELETE, HEAD, and OPTIONS) - AllowMethods []string - - // AllowPrivateNetwork indicates whether the response should include allow private network header - AllowPrivateNetwork bool - - // AllowHeaders is list of non simple headers the client is allowed to use with - // cross-domain requests. - AllowHeaders []string - - // AllowCredentials indicates whether the request can include user credentials like - // cookies, HTTP authentication or client side SSL certificates. - AllowCredentials bool - - // ExposeHeaders indicates which headers are safe to expose to the API of a CORS - // API specification - ExposeHeaders []string - - // MaxAge indicates how long (with second-precision) the results of a preflight request - // can be cached - MaxAge time.Duration - - // Allows to add origins like http://some-domain/*, https://api.* or http://some.*.subdomain.com - AllowWildcard bool - - // Allows usage of popular browser extensions schemas - AllowBrowserExtensions bool - - // Allows to add custom schema like tauri:// - CustomSchemas []string - - // Allows usage of WebSocket protocol - AllowWebSockets bool - - // Allows usage of file:// schema (dangerous!) use it only when you 100% sure it's needed - AllowFiles bool - - // Allows to pass custom OPTIONS response status code for old browsers / clients - OptionsResponseStatusCode int -} - -// AddAllowMethods is allowed to add custom methods -func (c *Config) AddAllowMethods(methods ...string) { - c.AllowMethods = append(c.AllowMethods, methods...) -} - -// AddAllowHeaders is allowed to add custom headers -func (c *Config) AddAllowHeaders(headers ...string) { - c.AllowHeaders = append(c.AllowHeaders, headers...) -} - -// AddExposeHeaders is allowed to add custom expose headers -func (c *Config) AddExposeHeaders(headers ...string) { - c.ExposeHeaders = append(c.ExposeHeaders, headers...) -} - -func (c Config) getAllowedSchemas() []string { - allowedSchemas := DefaultSchemas - if c.AllowBrowserExtensions { - allowedSchemas = append(allowedSchemas, ExtensionSchemas...) - } - if c.AllowWebSockets { - allowedSchemas = append(allowedSchemas, WebSocketSchemas...) - } - if c.AllowFiles { - allowedSchemas = append(allowedSchemas, FileSchemas...) - } - if c.CustomSchemas != nil { - allowedSchemas = append(allowedSchemas, c.CustomSchemas...) - } - return allowedSchemas -} - -func (c Config) validateAllowedSchemas(origin string) bool { - allowedSchemas := c.getAllowedSchemas() - for _, schema := range allowedSchemas { - if strings.HasPrefix(origin, schema) { - return true - } - } - return false -} - -// Validate is check configuration of user defined. -func (c Config) Validate() error { - hasOriginFn := c.AllowOriginFunc != nil - hasOriginFn = hasOriginFn || c.AllowOriginWithContextFunc != nil - - if c.AllowAllOrigins && (hasOriginFn || len(c.AllowOrigins) > 0) { - originFields := strings.Join([]string{ - "AllowOriginFunc", - "AllowOriginFuncWithContext", - "AllowOrigins", - }, " or ") - return fmt.Errorf( - "conflict settings: all origins enabled. %s is not needed", - originFields, - ) - } - if !c.AllowAllOrigins && !hasOriginFn && len(c.AllowOrigins) == 0 { - return errors.New("conflict settings: all origins disabled") - } - for _, origin := range c.AllowOrigins { - if !strings.Contains(origin, "*") && !c.validateAllowedSchemas(origin) { - return errors.New("bad origin: origins must contain '*' or include " + strings.Join(c.getAllowedSchemas(), ",")) - } - } - return nil -} - -func (c Config) parseWildcardRules() [][]string { - var wRules [][]string - - if !c.AllowWildcard { - return wRules - } - - for _, o := range c.AllowOrigins { - if !strings.Contains(o, "*") { - continue - } - - if c := strings.Count(o, "*"); c > 1 { - panic(errors.New("only one * is allowed").Error()) - } - - i := strings.Index(o, "*") - if i == 0 { - wRules = append(wRules, []string{"*", o[1:]}) - continue - } - if i == (len(o) - 1) { - wRules = append(wRules, []string{o[:i], "*"}) - continue - } - - wRules = append(wRules, []string{o[:i], o[i+1:]}) - } - - return wRules -} - -// DefaultConfig returns a generic default configuration mapped to localhost. -func DefaultConfig() Config { - return Config{ - AllowMethods: []string{"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}, - AllowHeaders: []string{"Origin", "Content-Length", "Content-Type"}, - AllowCredentials: false, - MaxAge: 12 * time.Hour, - } -} - -// Default returns the location middleware with default configuration. -func Default() gin.HandlerFunc { - config := DefaultConfig() - config.AllowAllOrigins = true - return New(config) -} - -// New returns the location middleware with user-defined custom configuration. -func New(config Config) gin.HandlerFunc { - cors := newCors(config) - return func(c *gin.Context) { - cors.applyCors(c) - } -} diff --git a/vendor/github.com/gin-contrib/cors/utils.go b/vendor/github.com/gin-contrib/cors/utils.go deleted file mode 100644 index b98e90b8c..000000000 --- a/vendor/github.com/gin-contrib/cors/utils.go +++ /dev/null @@ -1,90 +0,0 @@ -package cors - -import ( - "net/http" - "strconv" - "strings" - "time" -) - -type converter func(string) string - -func generateNormalHeaders(c Config) http.Header { - headers := make(http.Header) - if c.AllowCredentials { - headers.Set("Access-Control-Allow-Credentials", "true") - } - if len(c.ExposeHeaders) > 0 { - exposeHeaders := convert(normalize(c.ExposeHeaders), http.CanonicalHeaderKey) - headers.Set("Access-Control-Expose-Headers", strings.Join(exposeHeaders, ",")) - } - if c.AllowAllOrigins { - headers.Set("Access-Control-Allow-Origin", "*") - } else { - headers.Set("Vary", "Origin") - } - return headers -} - -func generatePreflightHeaders(c Config) http.Header { - headers := make(http.Header) - if c.AllowCredentials { - headers.Set("Access-Control-Allow-Credentials", "true") - } - if len(c.AllowMethods) > 0 { - allowMethods := convert(normalize(c.AllowMethods), strings.ToUpper) - value := strings.Join(allowMethods, ",") - headers.Set("Access-Control-Allow-Methods", value) - } - if len(c.AllowHeaders) > 0 { - allowHeaders := convert(normalize(c.AllowHeaders), http.CanonicalHeaderKey) - value := strings.Join(allowHeaders, ",") - headers.Set("Access-Control-Allow-Headers", value) - } - if c.MaxAge > time.Duration(0) { - value := strconv.FormatInt(int64(c.MaxAge/time.Second), 10) - headers.Set("Access-Control-Max-Age", value) - } - - if c.AllowPrivateNetwork { - headers.Set("Access-Control-Allow-Private-Network", "true") - } - - if c.AllowAllOrigins { - headers.Set("Access-Control-Allow-Origin", "*") - } else { - // Always set Vary headers - // see https://github.com/rs/cors/issues/10, - // https://github.com/rs/cors/commit/dbdca4d95feaa7511a46e6f1efb3b3aa505bc43f#commitcomment-12352001 - - headers.Add("Vary", "Origin") - headers.Add("Vary", "Access-Control-Request-Method") - headers.Add("Vary", "Access-Control-Request-Headers") - } - return headers -} - -func normalize(values []string) []string { - if values == nil { - return nil - } - distinctMap := make(map[string]bool, len(values)) - normalized := make([]string, 0, len(values)) - for _, value := range values { - value = strings.TrimSpace(value) - value = strings.ToLower(value) - if _, seen := distinctMap[value]; !seen { - normalized = append(normalized, value) - distinctMap[value] = true - } - } - return normalized -} - -func convert(s []string, c converter) []string { - var out []string - for _, i := range s { - out = append(out, c(i)) - } - return out -} diff --git a/vendor/github.com/gin-contrib/cors/LICENSE b/vendor/github.com/rs/cors/LICENSE similarity index 86% rename from vendor/github.com/gin-contrib/cors/LICENSE rename to vendor/github.com/rs/cors/LICENSE index 4e2cfb015..d8e2df5a4 100644 --- a/vendor/github.com/gin-contrib/cors/LICENSE +++ b/vendor/github.com/rs/cors/LICENSE @@ -1,13 +1,11 @@ -MIT License - -Copyright (c) 2016 Gin-Gonic +Copyright (c) 2014 Olivier Poitrey Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: +copies of the Software, and to permit persons to whom the Software is furnished +to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. @@ -17,5 +15,5 @@ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/rs/cors/README.md b/vendor/github.com/rs/cors/README.md new file mode 100644 index 000000000..0ad3e94e1 --- /dev/null +++ b/vendor/github.com/rs/cors/README.md @@ -0,0 +1,116 @@ +# Go CORS handler [![godoc](http://img.shields.io/badge/godoc-reference-blue.svg?style=flat)](https://godoc.org/github.com/rs/cors) [![license](http://img.shields.io/badge/license-MIT-red.svg?style=flat)](https://raw.githubusercontent.com/rs/cors/master/LICENSE) [![build](https://img.shields.io/travis/rs/cors.svg?style=flat)](https://travis-ci.org/rs/cors) [![Coverage](http://gocover.io/_badge/github.com/rs/cors)](http://gocover.io/github.com/rs/cors) + +CORS is a `net/http` handler implementing [Cross Origin Resource Sharing W3 specification](http://www.w3.org/TR/cors/) in Golang. + +## Getting Started + +After installing Go and setting up your [GOPATH](http://golang.org/doc/code.html#GOPATH), create your first `.go` file. We'll call it `server.go`. + +```go +package main + +import ( + "net/http" + + "github.com/rs/cors" +) + +func main() { + mux := http.NewServeMux() + mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + w.Write([]byte("{\"hello\": \"world\"}")) + }) + + // cors.Default() setup the middleware with default options being + // all origins accepted with simple methods (GET, POST). See + // documentation below for more options. + handler := cors.Default().Handler(mux) + http.ListenAndServe(":8080", handler) +} +``` + +Install `cors`: + + go get github.com/rs/cors + +Then run your server: + + go run server.go + +The server now runs on `localhost:8080`: + + $ curl -D - -H 'Origin: http://foo.com' http://localhost:8080/ + HTTP/1.1 200 OK + Access-Control-Allow-Origin: foo.com + Content-Type: application/json + Date: Sat, 25 Oct 2014 03:43:57 GMT + Content-Length: 18 + + {"hello": "world"} + +### Allow * With Credentials Security Protection + +This library has been modified to avoid a well known security issue when configured with `AllowedOrigins` to `*` and `AllowCredentials` to `true`. Such setup used to make the library reflects the request `Origin` header value, working around a security protection embedded into the standard that makes clients to refuse such configuration. This behavior has been removed with [#55](https://github.com/rs/cors/issues/55) and [#57](https://github.com/rs/cors/issues/57). + +If you depend on this behavior and understand the implications, you can restore it using the `AllowOriginFunc` with `func(origin string) {return true}`. + +Please refer to [#55](https://github.com/rs/cors/issues/55) for more information about the security implications. + +### More Examples + +* `net/http`: [examples/nethttp/server.go](https://github.com/rs/cors/blob/master/examples/nethttp/server.go) +* [Goji](https://goji.io): [examples/goji/server.go](https://github.com/rs/cors/blob/master/examples/goji/server.go) +* [Martini](http://martini.codegangsta.io): [examples/martini/server.go](https://github.com/rs/cors/blob/master/examples/martini/server.go) +* [Negroni](https://github.com/codegangsta/negroni): [examples/negroni/server.go](https://github.com/rs/cors/blob/master/examples/negroni/server.go) +* [Alice](https://github.com/justinas/alice): [examples/alice/server.go](https://github.com/rs/cors/blob/master/examples/alice/server.go) +* [HttpRouter](https://github.com/julienschmidt/httprouter): [examples/httprouter/server.go](https://github.com/rs/cors/blob/master/examples/httprouter/server.go) +* [Gorilla](http://www.gorillatoolkit.org/pkg/mux): [examples/gorilla/server.go](https://github.com/rs/cors/blob/master/examples/gorilla/server.go) +* [Buffalo](https://gobuffalo.io): [examples/buffalo/server.go](https://github.com/rs/cors/blob/master/examples/buffalo/server.go) +* [Gin](https://gin-gonic.github.io/gin): [examples/gin/server.go](https://github.com/rs/cors/blob/master/examples/gin/server.go) +* [Chi](https://github.com/go-chi/chi): [examples/chi/server.go](https://github.com/rs/cors/blob/master/examples/chi/server.go) + +## Parameters + +Parameters are passed to the middleware thru the `cors.New` method as follow: + +```go +c := cors.New(cors.Options{ + AllowedOrigins: []string{"http://foo.com", "http://foo.com:8080"}, + AllowCredentials: true, + // Enable Debugging for testing, consider disabling in production + Debug: true, +}) + +// Insert the middleware +handler = c.Handler(handler) +``` + +* **AllowedOrigins** `[]string`: A list of origins a cross-domain request can be executed from. If the special `*` value is present in the list, all origins will be allowed. An origin may contain a wildcard (`*`) to replace 0 or more characters (i.e.: `http://*.domain.com`). Usage of wildcards implies a small performance penality. Only one wildcard can be used per origin. The default value is `*`. +* **AllowOriginFunc** `func (origin string) bool`: A custom function to validate the origin. It takes the origin as an argument and returns true if allowed, or false otherwise. If this option is set, the content of `AllowedOrigins` is ignored. +* **AllowOriginRequestFunc** `func (r *http.Request, origin string) bool`: A custom function to validate the origin. It takes the HTTP Request object and the origin as argument and returns true if allowed or false otherwise. If this option is set, the content of `AllowedOrigins` and `AllowOriginFunc` is ignored +* **AllowedMethods** `[]string`: A list of methods the client is allowed to use with cross-domain requests. Default value is simple methods (`GET` and `POST`). +* **AllowedHeaders** `[]string`: A list of non simple headers the client is allowed to use with cross-domain requests. +* **ExposedHeaders** `[]string`: Indicates which headers are safe to expose to the API of a CORS API specification +* **AllowCredentials** `bool`: Indicates whether the request can include user credentials like cookies, HTTP authentication or client side SSL certificates. The default is `false`. +* **MaxAge** `int`: Indicates how long (in seconds) the results of a preflight request can be cached. The default is `0` which stands for no max age. +* **OptionsPassthrough** `bool`: Instructs preflight to let other potential next handlers to process the `OPTIONS` method. Turn this on if your application handles `OPTIONS`. +* **OptionsSuccessStatus** `int`: Provides a status code to use for successful OPTIONS requests. Default value is `http.StatusNoContent` (`204`). +* **Debug** `bool`: Debugging flag adds additional output to debug server side CORS issues. + +See [API documentation](http://godoc.org/github.com/rs/cors) for more info. + +## Benchmarks + + BenchmarkWithout 20000000 64.6 ns/op 8 B/op 1 allocs/op + BenchmarkDefault 3000000 469 ns/op 114 B/op 2 allocs/op + BenchmarkAllowedOrigin 3000000 608 ns/op 114 B/op 2 allocs/op + BenchmarkPreflight 20000000 73.2 ns/op 0 B/op 0 allocs/op + BenchmarkPreflightHeader 20000000 73.6 ns/op 0 B/op 0 allocs/op + BenchmarkParseHeaderList 2000000 847 ns/op 184 B/op 6 allocs/op + BenchmarkParse…Single 5000000 290 ns/op 32 B/op 3 allocs/op + BenchmarkParse…Normalized 2000000 776 ns/op 160 B/op 6 allocs/op + +## Licenses + +All source code is licensed under the [MIT License](https://raw.github.com/rs/cors/master/LICENSE). diff --git a/vendor/github.com/rs/cors/cors.go b/vendor/github.com/rs/cors/cors.go new file mode 100644 index 000000000..2ce24e3f3 --- /dev/null +++ b/vendor/github.com/rs/cors/cors.go @@ -0,0 +1,446 @@ +/* +Package cors is net/http handler to handle CORS related requests +as defined by http://www.w3.org/TR/cors/ + +You can configure it by passing an option struct to cors.New: + + c := cors.New(cors.Options{ + AllowedOrigins: []string{"foo.com"}, + AllowedMethods: []string{http.MethodGet, http.MethodPost, http.MethodDelete}, + AllowCredentials: true, + }) + +Then insert the handler in the chain: + + handler = c.Handler(handler) + +See Options documentation for more options. + +The resulting handler is a standard net/http handler. +*/ +package cors + +import ( + "log" + "net/http" + "os" + "strconv" + "strings" +) + +// Options is a configuration container to setup the CORS middleware. +type Options struct { + // AllowedOrigins is a list of origins a cross-domain request can be executed from. + // If the special "*" value is present in the list, all origins will be allowed. + // An origin may contain a wildcard (*) to replace 0 or more characters + // (i.e.: http://*.domain.com). Usage of wildcards implies a small performance penalty. + // Only one wildcard can be used per origin. + // Default value is ["*"] + AllowedOrigins []string + // AllowOriginFunc is a custom function to validate the origin. It take the origin + // as argument and returns true if allowed or false otherwise. If this option is + // set, the content of AllowedOrigins is ignored. + AllowOriginFunc func(origin string) bool + // AllowOriginRequestFunc is a custom function to validate the origin. It takes the HTTP Request object and the origin as + // argument and returns true if allowed or false otherwise. If this option is set, the content of `AllowedOrigins` + // and `AllowOriginFunc` is ignored. + AllowOriginRequestFunc func(r *http.Request, origin string) bool + // AllowedMethods is a list of methods the client is allowed to use with + // cross-domain requests. Default value is simple methods (HEAD, GET and POST). + AllowedMethods []string + // AllowedHeaders is list of non simple headers the client is allowed to use with + // cross-domain requests. + // If the special "*" value is present in the list, all headers will be allowed. + // Default value is [] but "Origin" is always appended to the list. + AllowedHeaders []string + // ExposedHeaders indicates which headers are safe to expose to the API of a CORS + // API specification + ExposedHeaders []string + // MaxAge indicates how long (in seconds) the results of a preflight request + // can be cached + MaxAge int + // AllowCredentials indicates whether the request can include user credentials like + // cookies, HTTP authentication or client side SSL certificates. + AllowCredentials bool + // OptionsPassthrough instructs preflight to let other potential next handlers to + // process the OPTIONS method. Turn this on if your application handles OPTIONS. + OptionsPassthrough bool + // Provides a status code to use for successful OPTIONS requests. + // Default value is http.StatusNoContent (204). + OptionsSuccessStatus int + // Debugging flag adds additional output to debug server side CORS issues + Debug bool +} + +// Logger generic interface for logger +type Logger interface { + Printf(string, ...interface{}) +} + +// Cors http handler +type Cors struct { + // Debug logger + Log Logger + // Normalized list of plain allowed origins + allowedOrigins []string + // List of allowed origins containing wildcards + allowedWOrigins []wildcard + // Optional origin validator function + allowOriginFunc func(origin string) bool + // Optional origin validator (with request) function + allowOriginRequestFunc func(r *http.Request, origin string) bool + // Normalized list of allowed headers + allowedHeaders []string + // Normalized list of allowed methods + allowedMethods []string + // Normalized list of exposed headers + exposedHeaders []string + maxAge int + // Set to true when allowed origins contains a "*" + allowedOriginsAll bool + // Set to true when allowed headers contains a "*" + allowedHeadersAll bool + // Status code to use for successful OPTIONS requests + optionsSuccessStatus int + allowCredentials bool + optionPassthrough bool +} + +// New creates a new Cors handler with the provided options. +func New(options Options) *Cors { + c := &Cors{ + exposedHeaders: convert(options.ExposedHeaders, http.CanonicalHeaderKey), + allowOriginFunc: options.AllowOriginFunc, + allowOriginRequestFunc: options.AllowOriginRequestFunc, + allowCredentials: options.AllowCredentials, + maxAge: options.MaxAge, + optionPassthrough: options.OptionsPassthrough, + } + if options.Debug && c.Log == nil { + c.Log = log.New(os.Stdout, "[cors] ", log.LstdFlags) + } + + // Normalize options + // Note: for origins and methods matching, the spec requires a case-sensitive matching. + // As it may error prone, we chose to ignore the spec here. + + // Allowed Origins + if len(options.AllowedOrigins) == 0 { + if options.AllowOriginFunc == nil && options.AllowOriginRequestFunc == nil { + // Default is all origins + c.allowedOriginsAll = true + } + } else { + c.allowedOrigins = []string{} + c.allowedWOrigins = []wildcard{} + for _, origin := range options.AllowedOrigins { + // Normalize + origin = strings.ToLower(origin) + if origin == "*" { + // If "*" is present in the list, turn the whole list into a match all + c.allowedOriginsAll = true + c.allowedOrigins = nil + c.allowedWOrigins = nil + break + } else if i := strings.IndexByte(origin, '*'); i >= 0 { + // Split the origin in two: start and end string without the * + w := wildcard{origin[0:i], origin[i+1:]} + c.allowedWOrigins = append(c.allowedWOrigins, w) + } else { + c.allowedOrigins = append(c.allowedOrigins, origin) + } + } + } + + // Allowed Headers + if len(options.AllowedHeaders) == 0 { + // Use sensible defaults + c.allowedHeaders = []string{"Origin", "Accept", "Content-Type", "X-Requested-With"} + } else { + // Origin is always appended as some browsers will always request for this header at preflight + c.allowedHeaders = convert(append(options.AllowedHeaders, "Origin"), http.CanonicalHeaderKey) + for _, h := range options.AllowedHeaders { + if h == "*" { + c.allowedHeadersAll = true + c.allowedHeaders = nil + break + } + } + } + + // Allowed Methods + if len(options.AllowedMethods) == 0 { + // Default is spec's "simple" methods + c.allowedMethods = []string{http.MethodGet, http.MethodPost, http.MethodHead} + } else { + c.allowedMethods = convert(options.AllowedMethods, strings.ToUpper) + } + + // Options Success Status Code + if options.OptionsSuccessStatus == 0 { + c.optionsSuccessStatus = http.StatusNoContent + } else { + c.optionsSuccessStatus = options.OptionsSuccessStatus + } + + return c +} + +// Default creates a new Cors handler with default options. +func Default() *Cors { + return New(Options{}) +} + +// AllowAll create a new Cors handler with permissive configuration allowing all +// origins with all standard methods with any header and credentials. +func AllowAll() *Cors { + return New(Options{ + AllowedOrigins: []string{"*"}, + AllowedMethods: []string{ + http.MethodHead, + http.MethodGet, + http.MethodPost, + http.MethodPut, + http.MethodPatch, + http.MethodDelete, + }, + AllowedHeaders: []string{"*"}, + AllowCredentials: false, + }) +} + +// Handler apply the CORS specification on the request, and add relevant CORS headers +// as necessary. +func (c *Cors) Handler(h http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" { + c.logf("Handler: Preflight request") + c.handlePreflight(w, r) + // Preflight requests are standalone and should stop the chain as some other + // middleware may not handle OPTIONS requests correctly. One typical example + // is authentication middleware ; OPTIONS requests won't carry authentication + // headers (see #1) + if c.optionPassthrough { + h.ServeHTTP(w, r) + } else { + w.WriteHeader(c.optionsSuccessStatus) + } + } else { + c.logf("Handler: Actual request") + c.handleActualRequest(w, r) + h.ServeHTTP(w, r) + } + }) +} + +// HandlerFunc provides Martini compatible handler +func (c *Cors) HandlerFunc(w http.ResponseWriter, r *http.Request) { + if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" { + c.logf("HandlerFunc: Preflight request") + c.handlePreflight(w, r) + + w.WriteHeader(c.optionsSuccessStatus) + } else { + c.logf("HandlerFunc: Actual request") + c.handleActualRequest(w, r) + } +} + +// Negroni compatible interface +func (c *Cors) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) { + if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" { + c.logf("ServeHTTP: Preflight request") + c.handlePreflight(w, r) + // Preflight requests are standalone and should stop the chain as some other + // middleware may not handle OPTIONS requests correctly. One typical example + // is authentication middleware ; OPTIONS requests won't carry authentication + // headers (see #1) + if c.optionPassthrough { + next(w, r) + } else { + w.WriteHeader(c.optionsSuccessStatus) + } + } else { + c.logf("ServeHTTP: Actual request") + c.handleActualRequest(w, r) + next(w, r) + } +} + +// handlePreflight handles pre-flight CORS requests +func (c *Cors) handlePreflight(w http.ResponseWriter, r *http.Request) { + headers := w.Header() + origin := r.Header.Get("Origin") + + if r.Method != http.MethodOptions { + c.logf(" Preflight aborted: %s!=OPTIONS", r.Method) + return + } + // Always set Vary headers + // see https://github.com/rs/cors/issues/10, + // https://github.com/rs/cors/commit/dbdca4d95feaa7511a46e6f1efb3b3aa505bc43f#commitcomment-12352001 + headers.Add("Vary", "Origin") + headers.Add("Vary", "Access-Control-Request-Method") + headers.Add("Vary", "Access-Control-Request-Headers") + + if origin == "" { + c.logf(" Preflight aborted: empty origin") + return + } + if !c.isOriginAllowed(r, origin) { + c.logf(" Preflight aborted: origin '%s' not allowed", origin) + return + } + + reqMethod := r.Header.Get("Access-Control-Request-Method") + if !c.isMethodAllowed(reqMethod) { + c.logf(" Preflight aborted: method '%s' not allowed", reqMethod) + return + } + reqHeaders := parseHeaderList(r.Header.Get("Access-Control-Request-Headers")) + if !c.areHeadersAllowed(reqHeaders) { + c.logf(" Preflight aborted: headers '%v' not allowed", reqHeaders) + return + } + if c.allowedOriginsAll { + headers.Set("Access-Control-Allow-Origin", "*") + } else { + headers.Set("Access-Control-Allow-Origin", origin) + } + // Spec says: Since the list of methods can be unbounded, simply returning the method indicated + // by Access-Control-Request-Method (if supported) can be enough + headers.Set("Access-Control-Allow-Methods", strings.ToUpper(reqMethod)) + if len(reqHeaders) > 0 { + + // Spec says: Since the list of headers can be unbounded, simply returning supported headers + // from Access-Control-Request-Headers can be enough + headers.Set("Access-Control-Allow-Headers", strings.Join(reqHeaders, ", ")) + } + if c.allowCredentials { + headers.Set("Access-Control-Allow-Credentials", "true") + } + if c.maxAge > 0 { + headers.Set("Access-Control-Max-Age", strconv.Itoa(c.maxAge)) + } + c.logf(" Preflight response headers: %v", headers) +} + +// handleActualRequest handles simple cross-origin requests, actual request or redirects +func (c *Cors) handleActualRequest(w http.ResponseWriter, r *http.Request) { + headers := w.Header() + origin := r.Header.Get("Origin") + + // Always set Vary, see https://github.com/rs/cors/issues/10 + headers.Add("Vary", "Origin") + if origin == "" { + c.logf(" Actual request no headers added: missing origin") + return + } + if !c.isOriginAllowed(r, origin) { + c.logf(" Actual request no headers added: origin '%s' not allowed", origin) + return + } + + // Note that spec does define a way to specifically disallow a simple method like GET or + // POST. Access-Control-Allow-Methods is only used for pre-flight requests and the + // spec doesn't instruct to check the allowed methods for simple cross-origin requests. + // We think it's a nice feature to be able to have control on those methods though. + if !c.isMethodAllowed(r.Method) { + c.logf(" Actual request no headers added: method '%s' not allowed", r.Method) + + return + } + if c.allowedOriginsAll { + headers.Set("Access-Control-Allow-Origin", "*") + } else { + headers.Set("Access-Control-Allow-Origin", origin) + } + if len(c.exposedHeaders) > 0 { + headers.Set("Access-Control-Expose-Headers", strings.Join(c.exposedHeaders, ", ")) + } + if c.allowCredentials { + headers.Set("Access-Control-Allow-Credentials", "true") + } + c.logf(" Actual response added headers: %v", headers) +} + +// convenience method. checks if a logger is set. +func (c *Cors) logf(format string, a ...interface{}) { + if c.Log != nil { + c.Log.Printf(format, a...) + } +} + +// check the Origin of a request. No origin at all is also allowed. +func (c *Cors) OriginAllowed(r *http.Request) bool { + origin := r.Header.Get("Origin") + return c.isOriginAllowed(r, origin) +} + +// isOriginAllowed checks if a given origin is allowed to perform cross-domain requests +// on the endpoint +func (c *Cors) isOriginAllowed(r *http.Request, origin string) bool { + if c.allowOriginRequestFunc != nil { + return c.allowOriginRequestFunc(r, origin) + } + if c.allowOriginFunc != nil { + return c.allowOriginFunc(origin) + } + if c.allowedOriginsAll { + return true + } + origin = strings.ToLower(origin) + for _, o := range c.allowedOrigins { + if o == origin { + return true + } + } + for _, w := range c.allowedWOrigins { + if w.match(origin) { + return true + } + } + return false +} + +// isMethodAllowed checks if a given method can be used as part of a cross-domain request +// on the endpoint +func (c *Cors) isMethodAllowed(method string) bool { + if len(c.allowedMethods) == 0 { + // If no method allowed, always return false, even for preflight request + return false + } + method = strings.ToUpper(method) + if method == http.MethodOptions { + // Always allow preflight requests + return true + } + for _, m := range c.allowedMethods { + if m == method { + return true + } + } + return false +} + +// areHeadersAllowed checks if a given list of headers are allowed to used within +// a cross-domain request. +func (c *Cors) areHeadersAllowed(requestedHeaders []string) bool { + if c.allowedHeadersAll || len(requestedHeaders) == 0 { + return true + } + for _, header := range requestedHeaders { + header = http.CanonicalHeaderKey(header) + found := false + for _, h := range c.allowedHeaders { + if h == header { + found = true + break + } + } + if !found { + return false + } + } + return true +} diff --git a/vendor/github.com/rs/cors/utils.go b/vendor/github.com/rs/cors/utils.go new file mode 100644 index 000000000..6bb120cae --- /dev/null +++ b/vendor/github.com/rs/cors/utils.go @@ -0,0 +1,71 @@ +package cors + +import "strings" + +const toLower = 'a' - 'A' + +type converter func(string) string + +type wildcard struct { + prefix string + suffix string +} + +func (w wildcard) match(s string) bool { + return len(s) >= len(w.prefix)+len(w.suffix) && strings.HasPrefix(s, w.prefix) && strings.HasSuffix(s, w.suffix) +} + +// convert converts a list of string using the passed converter function +func convert(s []string, c converter) []string { + out := []string{} + for _, i := range s { + out = append(out, c(i)) + } + return out +} + +// parseHeaderList tokenize + normalize a string containing a list of headers +func parseHeaderList(headerList string) []string { + l := len(headerList) + h := make([]byte, 0, l) + upper := true + // Estimate the number headers in order to allocate the right splice size + t := 0 + for i := 0; i < l; i++ { + if headerList[i] == ',' { + t++ + } + } + headers := make([]string, 0, t) + for i := 0; i < l; i++ { + b := headerList[i] + switch { + case b >= 'a' && b <= 'z': + if upper { + h = append(h, b-toLower) + } else { + h = append(h, b) + } + case b >= 'A' && b <= 'Z': + if !upper { + h = append(h, b+toLower) + } else { + h = append(h, b) + } + case b == '-' || b == '_' || b == '.' || (b >= '0' && b <= '9'): + h = append(h, b) + } + + if b == ' ' || b == ',' || i == l-1 { + if len(h) > 0 { + // Flush the found header + headers = append(headers, string(h)) + h = h[:0] + upper = true + } + } else { + upper = b == '-' || b == '_' + } + } + return headers +} diff --git a/vendor/github.com/rs/cors/wrapper/gin/LICENSE b/vendor/github.com/rs/cors/wrapper/gin/LICENSE new file mode 100644 index 000000000..d8e2df5a4 --- /dev/null +++ b/vendor/github.com/rs/cors/wrapper/gin/LICENSE @@ -0,0 +1,19 @@ +Copyright (c) 2014 Olivier Poitrey + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is furnished +to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/vendor/github.com/rs/cors/wrapper/gin/gin.go b/vendor/github.com/rs/cors/wrapper/gin/gin.go new file mode 100644 index 000000000..2c775416a --- /dev/null +++ b/vendor/github.com/rs/cors/wrapper/gin/gin.go @@ -0,0 +1,50 @@ +// Package cors/wrapper/gin provides gin.HandlerFunc to handle CORS related +// requests as a wrapper of github.com/rs/cors handler. +package gin + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/rs/cors" +) + +// Options is a configuration container to setup the CORS middleware. +type Options = cors.Options + +// corsWrapper is a wrapper of cors.Cors handler which preserves information +// about configured 'optionPassthrough' option. +type corsWrapper struct { + *cors.Cors + optionPassthrough bool +} + +// build transforms wrapped cors.Cors handler into Gin middleware. +func (c corsWrapper) build() gin.HandlerFunc { + return func(ctx *gin.Context) { + c.HandlerFunc(ctx.Writer, ctx.Request) + if !c.optionPassthrough && + ctx.Request.Method == http.MethodOptions && + ctx.GetHeader("Access-Control-Request-Method") != "" { + // Abort processing next Gin middlewares. + ctx.AbortWithStatus(http.StatusOK) + } + } +} + +// AllowAll creates a new CORS Gin middleware with permissive configuration +// allowing all origins with all standard methods with any header and +// credentials. +func AllowAll() gin.HandlerFunc { + return corsWrapper{Cors: cors.AllowAll()}.build() +} + +// Default creates a new CORS Gin middleware with default options. +func Default() gin.HandlerFunc { + return corsWrapper{Cors: cors.Default()}.build() +} + +// New creates a new CORS Gin middleware with the provided options. +func New(options Options) gin.HandlerFunc { + return corsWrapper{cors.New(options), options.OptionsPassthrough}.build() +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 897158813..43a3b61df 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -277,9 +277,6 @@ github.com/gabriel-vasile/mimetype github.com/gabriel-vasile/mimetype/internal/charset github.com/gabriel-vasile/mimetype/internal/json github.com/gabriel-vasile/mimetype/internal/magic -# github.com/gin-contrib/cors v1.7.1 -## explicit; go 1.18 -github.com/gin-contrib/cors # github.com/gin-contrib/sse v0.1.0 ## explicit; go 1.12 github.com/gin-contrib/sse @@ -563,6 +560,12 @@ github.com/prometheus/procfs/internal/util # github.com/rivo/uniseg v0.4.7 ## explicit; go 1.18 github.com/rivo/uniseg +# github.com/rs/cors v1.8.1 +## explicit; go 1.13 +github.com/rs/cors +# github.com/rs/cors/wrapper/gin v0.0.0-20240228164225-8d33ca4794ea +## explicit; go 1.17 +github.com/rs/cors/wrapper/gin # github.com/russross/blackfriday/v2 v2.1.0 ## explicit github.com/russross/blackfriday/v2