sheharyaar opened a new issue, #10946:
URL: https://github.com/apache/apisix/issues/10946

   ### Current Behavior
   
   If a user sets up `cors` plugin and uses `allow_origins_by_metadata` and 
**does not** add `allow_origins` explicitly in the request, the cors plugin 
returns CORS headers for all URLs.
   
   ### Expected Behavior
   
   The user expects the cors plugin to return CORS headers for the URLs in the 
metadata key matching with plugin metadata only.
   
   ### Error Logs
   
   There is no error log for this bug. The plugin applies the rules 
successfully.
   
   ### Steps to Reproduce
   
   1. Run APISIX locally
   2. Add plugin metadata to `cors` using this request, replace 
`${ADMIN_API_KEY}` with your admin API key :
   ```shell
   curl "http://127.0.0.1:9180/apisix/admin/plugin_metadata/cors" -X PUT \
       -H "X-API-KEY: ${ADMIN_API_KEY}" \
       -d '{
       "allow_origins": {
         "key_1": "https://domain.com"
       },
       "inactive_timeout": 1
     }'
   ```
   3. Register a route with `allow_origins_with_metadata` and **without 
mentioning** `allow_origins`, using this request :
   ```shell
   curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
       -H "X-API-KEY: ${ADMIN_API_KEY}" \
       -d '{
       "id": "cors-route",
       "uri": "/anything",
       "plugins": {
         "cors": {
           "allow_methods": "GET,POST",
           "allow_headers": "headr1,headr2",
           "expose_headers": "ex-headr1,ex-headr2",
           "max_age": 50,
           "allow_origins_by_metadata": ["key_1"]
         }
       },
       "upstream": {
         "nodes": {
           "httpbin.org:80": 1
         },
         "type": "roundrobin"
       }
     }'
   ```
   4. Make a request to the endpoint using host mentioned in the plugin 
metadata (here : `http://domain.com`) :
   ```shell
   curl "http://127.0.0.1:9080/anything" -H "Origin: https://domain.com" -I
   ```
   Response
   ```shell
   ...
   Access-Control-Allow-Origin: *
   Access-Control-Allow-Credentials: true
   Server: APISIX/3.8.0
   Access-Control-Allow-Methods: GET,POST
   Access-Control-Max-Age: 50
   Access-Control-Expose-Headers: ex-headr1,ex-headr2
   Access-Control-Allow-Headers: headr1,headr2
   ```
   
   5. Now make a request with another domain not present in the metadata value :
   ```shell
   curl "http://127.0.0.1:9080/anything" -H "Origin: https://test.com" -I
   ```
   Response:
   ```shell
   ...
   Access-Control-Allow-Origin: *
   Access-Control-Allow-Credentials: true
   Server: APISIX/3.8.0
   Access-Control-Allow-Methods: GET,POST
   Access-Control-Max-Age: 50
   Access-Control-Expose-Headers: ex-headr1,ex-headr2
   Access-Control-Allow-Headers: headr1,headr2
   ```
   
   The response still returns CORS headers. But if you mention `allow_origins` 
in the plugin route, it returns CORS for the value present in the metadata 
**only**, it does not return CORS for the `allow_origins` value.
   
   1. Update the route:
   ```shell
   curl "http://127.0.0.1:9180/apisix/admin/routes" -X PUT \
       -H "X-API-KEY: ${ADMIN_API_KEY}" \
       -d '{
       "id": "cors-route",
       "uri": "/anything",
       "plugins": {
         "cors": {
           "allow_methods": "GET,POST",
           "allow_headers": "headr1,headr2",
           "expose_headers": "ex-headr1,ex-headr2",
           "max_age": 50,
           "allow_origins_by_metadata": ["key_1"],
           "allow_origins": "http://test.com"
         }
       },
       "upstream": {
         "nodes": {
           "httpbin.org:80": 1
         },
         "type": "roundrobin"
       }
     }'
   ```
   
   2. Make request with Origin with the value from metadata:
   ```shell
   curl "http://127.0.0.1:9080/anything" -H "Origin: https://domain.com" -I
   ```
   Response
   ```
   ...
   Access-Control-Allow-Origin: https://domain.com
   Access-Control-Allow-Credentials: true
   Server: APISIX/3.8.0
   Vary: Origin
   Access-Control-Allow-Methods: GET,POST
   Access-Control-Max-Age: 50
   Access-Control-Expose-Headers: ex-headr1,ex-headr2
   Access-Control-Allow-Headers: headr1,headr2
   ```
   
   3. Make request with a random value:
   ```shell
   curl "http://127.0.0.1:9080/anything" -H "Origin: https://abc.com" -I
   ```
   Response
   ```shell
   ...
   Access-Control-Allow-Origin: https://abc.com
   Access-Control-Allow-Credentials: true
   Server: APISIX/3.8.0
   Vary: Origin
   ```
   
   4. Make request with the value in the `allow_origins` field:
   ```shell
   curl "http://127.0.0.1:9080/anything" -H "Origin: https://test.com" -I
   ```
   Response:
   ```shell
   ...
   Access-Control-Allow-Origin: https://test.com
   Access-Control-Allow-Credentials: true
   Server: APISIX/3.8.0
   Vary: Origin
   ```
   
   
   ### Environment
   
   - APISIX version (run `apisix version`): 3.8.0
   - Operating system (run `uname -a`): `Linux rog 6.7.4-arch1-1 #1 SMP PREEMPT_DYNAMIC Mon, 05 Feb 2024 22:07:49 +0000 x86_64 GNU/Linux`
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`): 
   ```
   nginx version: openresty/1.21.4.3
   built by gcc 13.2.1 20230801 (GCC) 
   built with OpenSSL 3.2.0 23 Nov 2023 (running with OpenSSL 3.2.1 30 Jan 2024)
   TLS SNI support enabled
   configure arguments: --prefix=/opt/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.2 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.25 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.34 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.13 --with-ld-opt=-Wl,-rpath,/opt/openresty/luajit/lib --add-module=/home/wazir/workspace/internships/api7/openresty-1.21.4.3/../mod_dubbo --add-module=/home/wazir/workspace/internships/api7/openresty-1.21.4.3/../ngx_multi_upstream_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
   ```
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): `{"boot_time":1708332811,"etcd_version":"3.5.0","id":"1bc17f04-abdf-4113-92c9-c0ce67606cac","hostname":"rog","version":"3.8.0"}`
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`): 3.8.0
   
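The following is an added reference model of the origin check the reporter expects from the `cors` plugin; it is example code written for this page, not APISIX's own implementation. It takes the plugin metadata and route configuration in the shapes shown in the issue and decides which `Access-Control-Allow-Origin` header (if any) a request with a given `Origin` should receive. Two behaviours are assumptions rather than anything the issue states: a metadata value may hold a comma-separated list of origins, and an `allow_origins_by_metadata` key that does not exist in the metadata contributes nothing (it is never widened to `*`). The comparison is an exact match on the serialized origin (scheme, host, port), so a route entry `http://test.com` does not admit `Origin: https://test.com`, and `Access-Control-Allow-Credentials: true` is only emitted alongside a concrete origin, since browsers reject it together with `*`.

```python
"""Reference decision logic for the cors origin check discussed in the issue.

Added example, not APISIX code. Models the expected behaviour: when a route
sets `allow_origins_by_metadata` and omits `allow_origins`, only origins listed
under the referenced plugin-metadata keys are allowed.
"""
from typing import Optional

# Constructed inputs mirroring the issue's reproduction steps.
PLUGIN_METADATA = {"allow_origins": {"key_1": "https://domain.com"}}
ROUTE_NO_ALLOW_ORIGINS = {"allow_origins_by_metadata": ["key_1"]}
ROUTE_WITH_ALLOW_ORIGINS = {
    "allow_origins_by_metadata": ["key_1"],
    "allow_origins": "http://test.com",
}


def _split_origins(value: Optional[str]) -> set[str]:
    """Split a comma-separated origin list (assumption), dropping blanks."""
    if not value:
        return set()
    return {o.strip() for o in value.split(",") if o.strip()}


def allowed_origins(plugin_metadata: dict, route_conf: dict) -> set[str]:
    """Union of origins from referenced metadata keys and the route's own list.

    A key missing from the metadata is ignored (assumption), never widened to '*'.
    """
    allowed: set[str] = set()
    meta_origins = plugin_metadata.get("allow_origins", {})
    for key in route_conf.get("allow_origins_by_metadata", []):
        allowed |= _split_origins(meta_origins.get(key))
    allowed |= _split_origins(route_conf.get("allow_origins"))
    return allowed


def resolve_cors_headers(plugin_metadata: dict, route_conf: dict,
                         origin: Optional[str],
                         allow_credential: bool = True) -> dict:
    """Return the CORS headers for one request; {} means 'origin not allowed'.

    Matching is exact on the full origin string (scheme, host, port).
    A route with neither allow_origins nor allow_origins_by_metadata falls
    back to '*'; an explicit '*' anywhere in the allowed set also yields '*'.
    """
    if origin is None:
        return {}  # not a cross-origin request; nothing to add
    configured = ("allow_origins" in route_conf
                  or "allow_origins_by_metadata" in route_conf)
    allowed = allowed_origins(plugin_metadata, route_conf)
    headers: dict = {}
    if not configured or "*" in allowed:
        headers["Access-Control-Allow-Origin"] = "*"
        # Never pair '*' with Allow-Credentials: browsers reject that combination.
        return headers
    if origin not in allowed:
        return {}
    headers["Access-Control-Allow-Origin"] = origin
    headers["Vary"] = "Origin"  # caches must not replay one origin's answer to another
    if allow_credential:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for route_name, route in (("no allow_origins", ROUTE_NO_ALLOW_ORIGINS),
                              ("with allow_origins", ROUTE_WITH_ALLOW_ORIGINS)):
        for origin in ("https://domain.com", "https://test.com",
                       "http://test.com", "https://abc.com"):
            print(route_name, origin,
                  resolve_cors_headers(PLUGIN_METADATA, route, origin))
```

Running the script prints, for each route shape in the issue, which of the four origins would be echoed back; only `https://domain.com` (and, on the second route, the exact `http://test.com`) get a header, everything else gets none.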

