Polish "Add config prop for endpoints' CORS allowed origin patterns"

wilkinsona · wilkinsona · commit b095c7761aa4 · 2021-01-19T15:51:14.000Z
See gh-24680
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/web/CorsEndpointProperties.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/main/java/org/springframework/boot/actuate/autoconfigure/endpoint/web/CorsEndpointProperties.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,15 +37,18 @@
 public class CorsEndpointProperties {
 
 	/**
-	 * Comma-separated list of origins to allow. '*' allows all origins. When not set,
-	 * CORS support is disabled. When credentials are supported only explicit urls are
-	 * allowed.
+	 * Comma-separated list of origins to allow. '*' allows all origins. When credentials
+	 * are allowed, '*' cannot be used and origin patterns should be configured instead.
+	 * When no allowed origins or allowed origin patterns are set, CORS support is
+	 * disabled.
 	 */
 	private List<String> allowedOrigins = new ArrayList<>();
 
 	/**
-	 * Comma-separated list of origins patterns to allow. Must be used when credentials
-	 * are supported and do you want to use wildcard urls.
+	 * Comma-separated list of origin patterns to allow. Unlike allowed origins which only
+	 * supports '*', origin patterns are more flexible (for example
+	 * 'https://*.example.com') and can be used when credentials are allowed. When no
+	 * allowed origin patterns or allowed origins are set, CORS support is disabled.
 	 */
 	private List<String> allowedOriginPatterns = new ArrayList<>();
 
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/WebFluxEndpointCorsIntegrationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/WebFluxEndpointCorsIntegrationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2020 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,9 +16,6 @@
 
 package org.springframework.boot.actuate.autoconfigure.integrationtest;
 
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.options;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 import java.util.function.Consumer;
 
 import org.junit.jupiter.api.Test;
@@ -74,6 +71,19 @@ void settingAllowedOriginsEnablesCors() {
 				}));
 	}
 
+	@Test
+	void settingAllowedOriginPatternsEnablesCors() {
+		this.contextRunner
+				.withPropertyValues("management.endpoints.web.cors.allowed-origin-patterns:*.example.org",
+						"management.endpoints.web.cors.allow-credentials:true")
+				.run(withWebTestClient((webTestClient) -> {
+					webTestClient.options().uri("/actuator/beans").header("Origin", "spring.example.com")
+							.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET").exchange().expectStatus()
+							.isForbidden();
+					performAcceptedCorsRequest(webTestClient, "/actuator/beans");
+				}));
+	}
+
 	@Test
 	void maxAgeDefaultsTo30Minutes() {
 		this.contextRunner.withPropertyValues("management.endpoints.web.cors.allowed-origins:spring.example.org")
@@ -148,29 +158,6 @@ void credentialsCanBeDisabled() {
 						.expectHeader().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS)));
 	}
 
-	@Test
-	void settingAllowedOriginsPattern() {
-		this.contextRunner
-				.withPropertyValues("management.endpoints.web.cors.allowed-origin-patterns:*.example.com",
-						"management.endpoints.web.cors.allow-credentials:true")
-				.run(withWebTestClient((webTestClient) -> webTestClient.options().uri("/actuator/beans")
-						.header("Origin", "spring.example.com")
-						.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "HEAD").exchange().expectStatus().isOk()
-						.expectHeader().valueEquals(HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS, "GET,HEAD")));
-	}
-
-	@Test
-	void requestsWithDisallowedOriginPatternsAreRejected() {
-		this.contextRunner
-				.withPropertyValues("management.endpoints.web.cors.allowed-origin-patterns:*.example.com",
-						"management.endpoints.web.cors.allow-credentials:true")
-				.run(withWebTestClient((webTestClient) -> webTestClient.options().uri("/actuator/beans")
-						.header("Origin", "spring.example.org")
-						.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "HEAD").exchange().expectStatus()
-						.isForbidden()));
-
-	}
-
 	private ContextConsumer<ReactiveWebApplicationContext> withWebTestClient(Consumer<WebTestClient> webTestClient) {
 		return (context) -> webTestClient.accept(WebTestClient.bindToApplicationContext(context).configureClient()
 				.baseUrl("https://spring.example.org").build());
diff --git a/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/WebMvcEndpointCorsIntegrationTests.java b/spring-boot-project/spring-boot-actuator-autoconfigure/src/test/java/org/springframework/boot/actuate/autoconfigure/integrationtest/WebMvcEndpointCorsIntegrationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2019 the original author or authors.
+ * Copyright 2012-2021 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -77,6 +77,17 @@ void settingAllowedOriginsEnablesCors() {
 				}));
 	}
 
+	@Test
+	void settingAllowedOriginPatternsEnablesCors() {
+		this.contextRunner.withPropertyValues("management.endpoints.web.cors.allowed-origin-patterns:*.example.com",
+				"management.endpoints.web.cors.allow-credentials:true").run(withMockMvc((mockMvc) -> {
+					mockMvc.perform(options("/actuator/beans").header("Origin", "bar.example.org")
+							.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"))
+							.andExpect(status().isForbidden());
+					performAcceptedCorsRequest(mockMvc);
+				}));
+	}
+
 	@Test
 	void maxAgeDefaultsTo30Minutes() {
 		this.contextRunner.withPropertyValues("management.endpoints.web.cors.allowed-origins:foo.example.com")
@@ -156,27 +167,6 @@ void credentialsCanBeDisabled() {
 						.andExpect(header().doesNotExist(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS))));
 	}
 
-	@Test
-	void settingAllowedOriginsPattern() {
-		this.contextRunner.withPropertyValues("management.endpoints.web.cors.allowed-origin-patterns:*.example.com",
-				"management.endpoints.web.cors.allow-credentials:true").run(withMockMvc((mockMvc) -> {
-					mockMvc.perform(options("/actuator/beans").header("Origin", "bar.example.com")
-							.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET")).andExpect(status().isOk());
-					performAcceptedCorsRequest(mockMvc);
-				}));
-	}
-
-	@Test
-	void requestsWithDisallowedOriginPatternsAreRejected() {
-		this.contextRunner.withPropertyValues("management.endpoints.web.cors.allowed-origin-patterns:*.example.com",
-				"management.endpoints.web.cors.allow-credentials:true").run(withMockMvc((mockMvc) -> {
-					mockMvc.perform(options("/actuator/beans").header("Origin", "bar.domain.com")
-							.header(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET"))
-							.andExpect(status().isForbidden());
-					performAcceptedCorsRequest(mockMvc);
-				}));
-	}
-
 	private ContextConsumer<WebApplicationContext> withMockMvc(MockMvcConsumer mockMvc) {
 		return (context) -> mockMvc.accept(MockMvcBuilders.webAppContextSetup(context).build());
 	}
