From 3445c3007d0e4b8244f2396332631c00455d954b Mon Sep 17 00:00:00 2001
From: Tietew
Date: Tue, 7 Jan 2025 12:54:02 +0900
Subject: [PATCH 1/3] add validations on ResponseHeadersCorsBehavior.accessControlAllowMethods
---
 .../lib/response-headers-policy.ts | 14 +++++++++-
 .../test/response-headers-policy.test.ts | 26 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
index 3c4e561fd463c..4bb0cfcdb819d 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
@@ -1,6 +1,6 @@
 import { Construct } from 'constructs';
 import { CfnResponseHeadersPolicy } from './cloudfront.generated';
-import { Duration, Names, Resource, Token } from '../../core';
+import { Duration, Names, Resource, Token, withResolved } from '../../core';
 /**
 * Represents a response headers policy.
@@ -130,6 +130,15 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
 }
 private _renderCorsConfig(behavior: ResponseHeadersCorsBehavior): CfnResponseHeadersPolicy.CorsConfigProperty {
+ withResolved(behavior.accessControlAllowMethods, (methods) => {
+ const allowedMethods = ['GET', 'DELETE', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT', 'ALL'];
+ if (methods.includes('ALL') && methods.length !== 1) {
+ throw new Error("accessControlAllowMethods cannot be mixed 'ALL' with other values");
+ } else if (!methods.every((method) => Token.isUnresolved(method) || allowedMethods.includes(method))) {
+ throw new Error(`accessControlAllowMethods contains unexpected method name; allowed values: ${allowedMethods.join(', ')}`);
+ }
+ });
+
 return {
 accessControlAllowCredentials: behavior.accessControlAllowCredentials,
 accessControlAllowHeaders: { items: behavior.accessControlAllowHeaders },
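Review bot: The error thrown in the `else if` branch of the new `withResolved` callback never names the entry it rejected, so a user with a long method list has to bisect it by hand; collecting the offenders first keeps the check identical and makes the message actionable, e.g. `const unexpected = methods.filter((m) => !Token.isUnresolved(m) && !allowedMethods.includes(m));` followed by `if (unexpected.length > 0) throw new Error('accessControlAllowMethods contains unexpected method name(s): ' + unexpected.join(', ') + '; allowed values: ' + allowedMethods.join(', '));`, which still satisfies the regex the new test matches on. Two smaller points in the same hunk: `methods.every(...)` is vacuously true for `[]`, so an empty list passes this synth-time validation and would only surface, if at all, at deploy time — if an empty list is not a valid policy, `if (methods.length === 0) throw new Error('accessControlAllowMethods must contain at least one method');` belongs at the top of the callback; and `allowedMethods` is rebuilt on every render, so it reads better as a module-level `readonly` constant. `_renderCorsConfig` continues past the end of this hunk.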
@@ -211,6 +220,9 @@ export interface ResponseHeadersCorsBehavior {
 /**
 * A list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header.
+ *
+ * Allowed methods: `'GET'`, `'DELETE'`, `'HEAD'`, `'OPTIONS'`, `'PATCH'`, `'POST'`, and `'PUT'`.
+ * You can specify `['ALL']` to allow all methods.
 */
 readonly accessControlAllowMethods: string[];
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
index 44299554f07ac..441d128ed3dc3 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
@@ -180,4 +180,30 @@ describe('ResponseHeadersPolicy', () => {
 },
 });
 });
+
+ describe('corsBehavior', () => {
+ test('throws if accessControlAllowMethods is mixed with `ALL` and other values', () => {
+ expect(() => new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+ corsBehavior: {
+ accessControlAllowCredentials: false,
+ accessControlAllowHeaders: ['*'],
+ accessControlAllowMethods: ['ALL', 'GET'],
+ accessControlAllowOrigins: ['*'],
+ originOverride: true,
+ },
+ })).toThrow("accessControlAllowMethods cannot be mixed 'ALL' with other values");
+ });
+
+ test('throws if accessControlAllowMethods contains unallowed value', () => {
+ expect(() => new ResponseHeadersPolicy(stack, 'ResponseHeadersPolicy', {
+ corsBehavior: {
+ accessControlAllowCredentials: false,
+ accessControlAllowHeaders: ['*'],
+ accessControlAllowMethods: ['PROPFIND'],
+ accessControlAllowOrigins: ['*'],
+ originOverride: true,
+ },
+ })).toThrow(/accessControlAllowMethods contains unexpected method name/);
+ });
+ });
 });
From 7c262204a7ae570cd3bdca3724e5c5c77b5f1854 Mon Sep 17 00:00:00 2001
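Review bot: The new doc lines on `accessControlAllowMethods` list the accepted values but do not say that the construct now enforces them, which is the behaviour a caller will actually hit. I would add after the `['ALL']` sentence: ` * 'ALL' must be the only entry; mixing it with other methods, or passing any other value, throws an error at synthesis time. Unresolved token values are not validated.` The last clause matches the `Token.isUnresolved` escape hatch in `_renderCorsConfig` and tells readers why a token-typed list is not checked. The enclosing `ResponseHeadersCorsBehavior` interface starts and ends outside this hunk.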
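Review bot: Both new tests in `describe('corsBehavior')` exercise only the rejection paths; nothing asserts that the inputs the validator is meant to accept still synthesize — `['ALL']` on its own, a plain list such as `['GET', 'POST']`, and a list containing an unresolved token, which the validator deliberately lets through. A third test that builds the policy with each of those and asserts `.not.toThrow()` would pin the accept side so a later tightening of `allowedMethods` cannot silently break existing stacks. As a point of style, the first test pins the exact error string while the second uses a regex; the regex form is the more robust choice here, and pinning the exact string is what forces the follow-up edit in patch 3/3.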
From: Tietew
Date: Sat, 18 Jan 2025 18:22:38 +0900
Subject: [PATCH 2/3] Update packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
Co-authored-by: Grace Luo <54298030+gracelu0@users.noreply.github.com>
---
 .../aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts b/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
index 4bb0cfcdb819d..ab7a65efddfef 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
+++ b/packages/aws-cdk-lib/aws-cloudfront/lib/response-headers-policy.ts
@@ -133,7 +133,7 @@ export class ResponseHeadersPolicy extends Resource implements IResponseHeadersP
 withResolved(behavior.accessControlAllowMethods, (methods) => {
 const allowedMethods = ['GET', 'DELETE', 'HEAD', 'OPTIONS', 'PATCH', 'POST', 'PUT', 'ALL'];
 if (methods.includes('ALL') && methods.length !== 1) {
- throw new Error("accessControlAllowMethods cannot be mixed 'ALL' with other values");
+ throw new Error("accessControlAllowMethods - 'ALL' cannot be combined with specific HTTP methods.");
 } else if (!methods.every((method) => Token.isUnresolved(method) || allowedMethods.includes(method))) {
 throw new Error(`accessControlAllowMethods contains unexpected method name; allowed values: ${allowedMethods.join(', ')}`);
 }
From 7cd99fdb6d3a5c8455185a3abceead07713ff8ca Mon Sep 17 00:00:00 2001
From: Tietew
Date: Sat, 18 Jan 2025 20:35:47 +0900
Subject: [PATCH 3/3] Update response-headers-policy.test.ts
---
 .../aws-cloudfront/test/response-headers-policy.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
index 441d128ed3dc3..10550d07d9500 100644
--- a/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
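Review bot: The reworded message on the `+` line ends with a period and uses a ` - ` separator, while the sibling message thrown two lines below from the same callback (`accessControlAllowMethods contains unexpected method name; ...`) has neither, so the two errors now read as if written by different authors. I would settle on one shape for both, e.g. `accessControlAllowMethods: 'ALL' cannot be combined with specific HTTP methods` and `accessControlAllowMethods: unexpected method name; allowed values: ...`, and update the exact-string test in patch 3/3 to match. The enclosing `_renderCorsConfig` starts and ends outside this hunk.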
+++ b/packages/aws-cdk-lib/aws-cloudfront/test/response-headers-policy.test.ts
@@ -191,7 +191,7 @@ describe('ResponseHeadersPolicy', () => {
 accessControlAllowOrigins: ['*'],
 originOverride: true,
 },
- })).toThrow("accessControlAllowMethods cannot be mixed 'ALL' with other values");
+ })).toThrow("accessControlAllowMethods - 'ALL' cannot be combined with specific HTTP methods.");
 });
 test('throws if accessControlAllowMethods contains unallowed value', () => {