core: Fix CORS origin match for OAuth2 Clients (ory#1624)

Previously, `http://*` would not work as it would not be properly splitted by the glob library. This patch resolves that and closes ory#1615 Signed-off-by: Aterocana <[email protected]>
tecfu · Nov 2, 2019 · b48b1a0 · b48b1a0
1 parent 9722506
commit b48b1a0
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/driver/cors.go b/driver/cors.go
@@ -22,6 +22,7 @@ package driver
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"strings"
 
@@ -44,6 +45,11 @@ func OAuth2AwareCORSMiddleware(iface string, reg Registry, conf configuration.Pr
 	corsOptions := conf.CORSOptions(iface)
 	var patterns []glob.Glob
 	for _, o := range corsOptions.AllowedOrigins {
+		// if the protocol (http or https) is specified, but the url is wildcard, use special ** glob, which ignore the '.' separator.
+		// This way g := glob.Compile("http://**") g.Match("http://google.com") returns true.
+		if splittedO := strings.Split(o, "://"); len(splittedO) != 1 && splittedO[1] == "*" {
+			o = fmt.Sprintf("%s://**", splittedO[0])
+		}
 		g, err := glob.Compile(strings.ToLower(o), '.')
 		if err != nil {
 			reg.Logger().WithError(err).Fatalf("Unable to parse cors origin: %s", o)

diff --git a/driver/cors_test.go b/driver/cors_test.go
@@ -157,6 +157,17 @@ func TestOAuth2AwareCORSMiddleware(t *testing.T) {
 			header:       http.Header{"Origin": {"http://foobar.com"}, "Authorization": {"Bearer " + token}},
 			expectHeader: http.Header{"Access-Control-Allow-Credentials": []string{"true"}, "Access-Control-Allow-Origin": []string{"http://foobar.com"}, "Access-Control-Expose-Headers": []string{"Content-Type"}, "Vary": []string{"Origin"}},
 		},
+		{
+			d: "should accept any allowed specified origin protocol",
+			prep: func() {
+				r.ClientManager().CreateClient(context.Background(), &client.Client{ClientID: "foo-11", Secret: "bar", AllowedCORSOrigins: []string{"*"}})
+				viper.Set("serve.public.cors.enabled", true)
+				viper.Set("serve.public.cors.allowed_origins", []string{"http://*", "https://*"})
+			},
+			code:         http.StatusNotImplemented,
+			header:       http.Header{"Origin": {"http://foo.foobar.com"}, "Authorization": {"Basic Zm9vLTQ6YmFy"}},
+			expectHeader: http.Header{"Access-Control-Allow-Credentials": []string{"true"}, "Access-Control-Allow-Origin": []string{"http://foo.foobar.com"}, "Access-Control-Expose-Headers": []string{"Content-Type"}, "Vary": []string{"Origin"}},
+		},
 	} {
 		t.Run(fmt.Sprintf("case=%d/description=%s", k, tc.d), func(t *testing.T) {
 			if tc.prep != nil {