opentdf · strantalis · Dec 11, 2024 · Dec 11, 2024
@@ -24,9 +24,9 @@ services:
   entityresolution:
     log_level: info
     url: http://localhost:8888/auth
-    clientid: 'tdf-entity-resolution'
-    clientsecret: 'secret'
-    realm: 'opentdf'
+    clientid: "tdf-entity-resolution"
+    clientsecret: "secret"
+    realm: "opentdf"
     legacykeycloak: true
     inferid:
       from:
@@ -45,8 +45,8 @@ server:
   auth:
     enabled: true
     enforceDPoP: false
-    public_client_id: 'opentdf-public'
-    audience: 'http://localhost:8080'
+    public_client_id: "opentdf-public"
+    audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
@@ -78,10 +78,9 @@ server:
       #  [matchers]
       #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
   cors:
-    enabled: false
     # "*" to allow any origin or a specific domain like "https://yourdomain.com"
     allowedorigins:
-      - '*'
+      - "*"
     # List of methods. Examples: "GET,POST,PUT"
     allowedmethods:
       - GET

@@ -9,9 +9,9 @@ services:
   entityresolution:
     log_level: info
     url: http://localhost:8888/auth
-    clientid: 'tdf-entity-resolution'
-    clientsecret: 'secret'
-    realm: 'opentdf'
+    clientid: "tdf-entity-resolution"
+    clientsecret: "secret"
+    realm: "opentdf"
     legacykeycloak: true
     inferid:
       from:
@@ -21,8 +21,8 @@ server:
   auth:
     enabled: true
     enforceDPoP: false
-    public_client_id: 'opentdf-public'
-    audience: 'http://localhost:8080'
+    public_client_id: "opentdf-public"
+    audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
       ## Default policy for all requests
@@ -61,10 +61,9 @@ server:
       #  [matchers]
       #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
   cors:
-    enabled: false
     # "*" to allow any origin or a specific domain like "https://yourdomain.com"
     allowedorigins:
-      - '*'
+      - "*"
     # List of methods. Examples: "GET,POST,PUT"
     allowedmethods:
       - GET

@@ -15,9 +15,9 @@ services:
     rsacertid: r1
   entityresolution:
     url: http://keycloak:8888/auth
-    clientid: 'tdf-entity-resolution'
-    clientsecret: 'secret'
-    realm: 'opentdf'
+    clientid: "tdf-entity-resolution"
+    clientsecret: "secret"
+    realm: "opentdf"
     legacykeycloak: true
     inferid:
       from:
@@ -32,8 +32,8 @@ server:
   auth:
     enabled: true
     enforceDPoP: false
-    public_client_id: 'opentdf-public'
-    audience: 'http://localhost:8080'
+    public_client_id: "opentdf-public"
+    audience: "http://localhost:8080"
     issuer: http://keycloak:8888/auth/realms/opentdf
     policy:
       ## Dot notation is used to access nested claims (i.e. realm_access.roles)
@@ -65,10 +65,9 @@ server:
       #  [matchers]
       #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
   cors:
-    enabled: false
     # "*" to allow any origin or a specific domain like "https://yourdomain.com"
     allowedorigins:
-      - '*'
+      - "*"
     # List of methods. Examples: "GET,POST,PUT"
     allowedmethods:
       - GET

@@ -96,11 +96,12 @@ type CORSConfig struct {
 	// Enable CORS for the server (default: true)
 	Enabled          bool     `mapstructure:"enabled" json:"enabled" default:"true"`
 	AllowedOrigins   []string `mapstructure:"allowedorigins" json:"allowedorigins"`
-	AllowedMethods   []string `mapstructure:"allowedmethods" json:"allowedmethods"`
-	AllowedHeaders   []string `mapstructure:"allowedheaders" json:"allowedheaders"`
+	AllowedMethods   []string `mapstructure:"allowedmethods" json:"allowedmethods" default:"[\"GET\",\"POST\",\"PATCH\",\"DELETE\",\"OPTIONS\"]"`
+	AllowedHeaders   []string `mapstructure:"allowedheaders" json:"allowedheaders" default:"[\"Accept\",\"Content-Type\",\"Content-Length\",\"Accept-Encoding\",\"X-CSRF-Token\",\"Authorization\",\"X-Requested-With\",\"Dpop\"]"`
 	ExposedHeaders   []string `mapstructure:"exposedheaders" json:"exposedheaders"`
 	AllowCredentials bool     `mapstructure:"allowcredentials" json:"allowedcredentials" default:"true"`
 	MaxAge           int      `mapstructure:"maxage" json:"maxage" default:"3600"`
+	Debug            bool     `mapstructure:"debug" json:"debug"`
 }
 
 type ConnectRPC struct {
@@ -264,6 +265,14 @@ func newHTTPServer(c Config, connectRPC http.Handler, originalGrpcGateway http.H
 		originalGrpcGateway.ServeHTTP(grpcRW, r)
 	})
 
+	// Add authN interceptor to extra handlers
+	if c.Auth.Enabled {
+		grpcGateway = a.MuxHandler(grpcGateway)
+	} else {
+		l.Error("disabling authentication. this is deprecated and will be removed. if you are using an IdP without DPoP set `enforceDPoP = false`")
+	}
+
+	// Note: The grpc-gateway handlers are getting chained together in reverse. So the last handler is the first to be called.
 	// CORS
 	if c.CORS.Enabled {
 		corsHandler := cors.New(cors.Options{
@@ -283,20 +292,14 @@ func newHTTPServer(c Config, connectRPC http.Handler, originalGrpcGateway http.H
 			ExposedHeaders:   c.CORS.ExposedHeaders,
 			AllowCredentials: c.CORS.AllowCredentials,
 			MaxAge:           c.CORS.MaxAge,
+			Debug:            c.CORS.Debug,
 		})
 
 		// Apply CORS to connectRPC and extra handlers
 		connectRPC = corsHandler.Handler(connectRPC)
 		grpcGateway = corsHandler.Handler(grpcGateway)
 	}
 
-	// Add authN interceptor to extra handlers
-	if c.Auth.Enabled {
-		grpcGateway = a.MuxHandler(grpcGateway)
-	} else {
-		l.Error("disabling authentication. this is deprecated and will be removed. if you are using an IdP without DPoP set `enforceDPoP = false`")
-	}
-
 	// Enable pprof
 	if c.EnablePprof {
 		grpcGateway = pprofHandler(grpcGateway)

@@ -78,4 +78,49 @@
   echo "$output"
   [ $status = 0 ]
   [ $(jq -r .status <<<"${output}") = SERVING ]
-}
+}
+
+@test "GRPC-Gateway: Validate CORS" {
+  run curl -X OPTIONS -v -s "https://localhost:8080/healthz" -H "Origin: https://example.com" -H "Access-Control-Request-Method: GET"
+  echo "$output"
+  [ $(grep -c "access-control-allow-origin: https://example.com" <<<"${output}") -eq 1 ]
+  [ $(grep -c "access-control-allow-methods: GET" <<<"${output}") -eq 1 ]
+  [ $(grep -c "access-control-allow-credentials: true" <<<"${output}") -eq 1 ]
+}
+
+@test "GRPC-Gateway: Reject non-accepted headers" {
+  run curl -X OPTIONS -v -s "https://localhost:8080/healthz" \
+    -H "Origin: https://example.com" \
+    -H "Access-Control-Request-Method: GET" \
+    -H "Access-Control-Request-Headers: X-Not-Allowed-Header"
+
+  echo "$output"
+  # Verify the headers are not present in the response
+  [ $(grep -c "access-control-allow-origin: https://example.com" <<<"${output}") -eq 0 ]
+  [ $(grep -c "access-control-allow-methods: GET" <<<"${output}") -eq 0 ]
+  [ $(grep -c "access-control-allow-credentials: true" <<<"${output}") -eq 0 ]
+  [ $(grep -c "access-control-max-age: 3600" <<<"${output}") -eq 0 ]
+}
+
+@test "Connect-RPC: Validate CORS" {
+  run curl -X OPTIONS -v -s "https://localhost:8080/grpc.health.v1.Health/Check" -H "Origin: https://example.com" -H "Access-Control-Request-Method: GET"
+  echo "$output"
+  [ $(grep -c "access-control-allow-origin: https://example.com" <<<"${output}") -eq 1 ]
+  [ $(grep -c "access-control-allow-methods: GET" <<<"${output}") -eq 1 ]
+  [ $(grep -c "access-control-allow-credentials: true" <<<"${output}") -eq 1 ]
+}
+
+@test "Connect-RPC: Reject non-accepted headers" {
+  run curl -X OPTIONS -v -s "https://localhost:8080/grpc.health.v1.Health/Check" \
+    -H "Origin: https://example.com" \
+    -H "Access-Control-Request-Method: GET" \
+    -H "Access-Control-Request-Headers: X-Not-Allowed-Header"
+
+  echo "$output"
+  # Verify the headers are not present in the response
+  [ $(grep -c "access-control-allow-origin: https://example.com" <<<"${output}") -eq 0 ]
+  [ $(grep -c "access-control-allow-methods: GET" <<<"${output}") -eq 0 ]
+  [ $(grep -c "access-control-allow-credentials: true" <<<"${output}") -eq 0 ]
+  [ $(grep -c "access-control-max-age: 3600" <<<"${output}") -eq 0 ]
+}
+