From eb219abbf416650e048b4d7a468407864cdf3fea Mon Sep 17 00:00:00 2001
From: Dimitrij Drus
Date: Wed, 8 Feb 2023 15:32:09 +0100
Subject: [PATCH 1/4] CORS middleware not registered any more
---
 internal/handler/decision/app.go | 52 +++++++++++++------------------
 1 file changed, 21 insertions(+), 31 deletions(-)
diff --git a/internal/handler/decision/app.go b/internal/handler/decision/app.go
index 724498ace..cd4fb2701 100644
--- a/internal/handler/decision/app.go
+++ b/internal/handler/decision/app.go
@@ -17,11 +17,8 @@ package decision
 import (
- "strings"
-
 "github.com/goccy/go-json"
 "github.com/gofiber/fiber/v2"
- "github.com/gofiber/fiber/v2/middleware/cors"
 "github.com/gofiber/fiber/v2/middleware/recover"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/rs/zerolog"
@@ -65,9 +62,12 @@ func newApp(args appArgs) *fiber.App {
 JSONEncoder: json.Marshal,
 })
- app.Use(recover.New(recover.Config{EnableStackTrace: true}))
- app.Use(tracingmiddleware.New(
- tracingmiddleware.WithTracer(otel.GetTracerProvider().Tracer("github.com/dadrus/heimdall/decision"))))
+ app.Use(
+ recover.New(recover.Config{EnableStackTrace: true}),
+ tracingmiddleware.New(
+ tracingmiddleware.WithTracer(otel.GetTracerProvider().Tracer("github.com/dadrus/heimdall/decision")),
+ ),
+ )
 if args.Config.Metrics.Enabled {
 app.Use(prometheusmiddleware.New(
@@ -76,31 +76,21 @@ func newApp(args appArgs) *fiber.App {
 ))
 }
- app.Use(accesslogmiddleware.New(args.Logger))
- app.Use(loggermiddlerware.New(args.Logger))
-
- if service.CORS != nil {
- app.Use(cors.New(cors.Config{
- AllowOrigins: strings.Join(service.CORS.AllowedOrigins, ","),
- AllowMethods: strings.Join(service.CORS.AllowedMethods, ","),
- AllowHeaders: strings.Join(service.CORS.AllowedHeaders, ","),
- AllowCredentials: service.CORS.AllowCredentials,
- ExposeHeaders: strings.Join(service.CORS.ExposedHeaders, ","),
- MaxAge: int(service.CORS.MaxAge.Seconds()),
- }))
- }
-
- app.Use(errormiddleware.New(
- errormiddleware.WithVerboseErrors(service.Respond.Verbose),
- errormiddleware.WithPreconditionErrorCode(service.Respond.With.ArgumentError.Code),
- errormiddleware.WithAuthenticationErrorCode(service.Respond.With.AuthenticationError.Code),
- errormiddleware.WithAuthorizationErrorCode(service.Respond.With.AuthorizationError.Code),
- errormiddleware.WithCommunicationErrorCode(service.Respond.With.CommunicationError.Code),
- errormiddleware.WithMethodErrorCode(service.Respond.With.BadMethodError.Code),
- errormiddleware.WithNoRuleErrorCode(service.Respond.With.NoRuleError.Code),
- errormiddleware.WithInternalServerErrorCode(service.Respond.With.InternalError.Code),
- ))
- app.Use(cachemiddleware.New(args.Cache))
+ app.Use(
+ accesslogmiddleware.New(args.Logger),
+ loggermiddlerware.New(args.Logger),
+ errormiddleware.New(
+ errormiddleware.WithVerboseErrors(service.Respond.Verbose),
+ errormiddleware.WithPreconditionErrorCode(service.Respond.With.ArgumentError.Code),
+ errormiddleware.WithAuthenticationErrorCode(service.Respond.With.AuthenticationError.Code),
+ errormiddleware.WithAuthorizationErrorCode(service.Respond.With.AuthorizationError.Code),
+ errormiddleware.WithCommunicationErrorCode(service.Respond.With.CommunicationError.Code),
+ errormiddleware.WithMethodErrorCode(service.Respond.With.BadMethodError.Code),
+ errormiddleware.WithNoRuleErrorCode(service.Respond.With.NoRuleError.Code),
+ errormiddleware.WithInternalServerErrorCode(service.Respond.With.InternalError.Code),
+ ),
+ cachemiddleware.New(args.Cache),
+ )
 return app
 }
From ae581ac610993526ff34a75134cb29ebca31529c Mon Sep 17 00:00:00 2001
From: Dimitrij Drus
Date: Wed, 8 Feb 2023 15:32:26 +0100
Subject: [PATCH 2/4] schema adjusted
---
 schema/config.schema.json | 255 +++++++++++++++++++++-----------------
 1 file changed, 143 insertions(+), 112 deletions(-)
diff --git a/schema/config.schema.json b/schema/config.schema.json
index 8efd12e3c..5411ec149 100644
--- a/schema/config.schema.json
+++ b/schema/config.schema.json
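Review bot: With `cors.New` gone, preflight handling on the decision service changes and the hunk does not say so: while `service.CORS` was set the middleware answered OPTIONS requests itself, so they never reached the rule pipeline (the decision.adoc paragraph deleted in patch 4 documents exactly that), whereas now every OPTIONS request passes through `errormiddleware` and `cachemiddleware` into the pipeline like any other method and, absent a matching rule, is presumably rejected with the configured no-rule or method error code. Narrowing the decision service to proxy-originated traffic is sensible, but it deserves one sentence in the commit message and a migration note rather than only the silent doc deletion. Please also confirm the Go config type behind `service` no longer exposes a `CORS` field for the decision service: the schema in patch 2 rejects `decision.cors`, and if the struct still carries it a stale `cors:` stanza would be parsed and ignored at runtime while failing schema validation. `newApp` starts before this hunk; only the middleware registration and `return app` are visible here.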
@@ -205,132 +205,61 @@
 }
 }
 },
- "serviceConfig": {
- "description": "Service Configuration",
- "additionalProperties": false,
+
+ "responseOverride": {
 "type": "object",
+ "description": "Overrides the defaults for responses",
+ "additionalProperties": false,
 "properties": {
- "port": {
- "description": "The port to listen on.",
- "type": "integer"
- },
- "host": {
- "description": "The network interface to listen on.",
- "type": "string",
- "default": "",
- "examples": [
- "localhost",
- "127.0.0.1"
- ]
- },
- "timeout": {
- "$ref": "#/definitions/timeoutConfig"
- },
- "cors": {
- "$ref": "#/definitions/corsConfig"
- },
- "tls": {
- "$ref": "#/definitions/tlsConfig"
- },
- "trusted_proxies": {
- "description": "The list IPs or CIDRs heimdall should trust and thus make use of headers, like X-Forwarded-*, Forwarded, etc",
- "type": "array",
- "items": {
- "type": "string"
- }
+ "code": {
+ "type": "integer",
+ "description": "The HTTP status code"
 }
 }
 },
- "ruleExecutorServiceConfig": {
- "description": "Service Configuration for Proxy and Decision services",
- "additionalProperties": false,
+ "respondWithConfig": {
 "type": "object",
+ "description": "How the service should response",
+ "additionalProperties": false,
 "properties": {
- "port": {
- "description": "The port to listen on.",
- "type": "integer"
- },
- "host": {
- "description": "The network interface to listen on.",
- "type": "string",
- "default": "",
- "examples": [
- "localhost",
- "127.0.0.1"
- ]
- },
- "timeout": {
- "$ref": "#/definitions/timeoutConfig"
- },
- "cors": {
- "$ref": "#/definitions/corsConfig"
- },
- "tls": {
- "$ref": "#/definitions/tlsConfig"
- },
- "trusted_proxies": {
- "description": "The list IPs or CIDRs heimdall should trust and thus make use of headers, like X-Forwarded-*, Forwarded, etc",
- "type": "array",
- "items": {
- "type": "string"
- }
+ "verbose": {
+ "type": "boolean",
+ "description": "Whether the response should be verbose in error cases",
+ "default": false
 },
- "respond": {
+ "with": {
 "type": "object",
- "description": "How the service should response",
+ "description": "Overrides for the status codes",
 "additionalProperties": false,
 "properties": {
- "verbose": {
- "type": "boolean",
- "description": "Whether the response should be verbose in error cases",
- "default": false
+ "accepted": {
+ "$ref": "#/definitions/responseOverride"
 },
- "with": {
- "type": "object",
- "description": "Overrides for the status codes",
- "additionalProperties": false,
- "properties": {
- "accepted": {
- "$ref": "#/definitions/responseOverride"
- },
- "precondition_error": {
- "$ref": "#/definitions/responseOverride"
- },
- "authentication_error": {
- "$ref": "#/definitions/responseOverride"
- },
- "authorization_error": {
- "$ref": "#/definitions/responseOverride"
- },
- "method_error": {
- "$ref": "#/definitions/responseOverride"
- },
- "communication_error": {
- "$ref": "#/definitions/responseOverride"
- },
- "internal_error": {
- "$ref": "#/definitions/responseOverride"
- },
- "no_rule_error": {
- "$ref": "#/definitions/responseOverride"
- }
- }
+ "precondition_error": {
+ "$ref": "#/definitions/responseOverride"
+ },
+ "authentication_error": {
+ "$ref": "#/definitions/responseOverride"
+ },
+ "authorization_error": {
+ "$ref": "#/definitions/responseOverride"
+ },
+ "method_error": {
+ "$ref": "#/definitions/responseOverride"
+ },
+ "communication_error": {
+ "$ref": "#/definitions/responseOverride"
+ },
+ "internal_error": {
+ "$ref": "#/definitions/responseOverride"
+ },
+ "no_rule_error": {
+ "$ref": "#/definitions/responseOverride"
 }
 }
 }
 }
 },
- "responseOverride": {
- "type": "object",
- "description": "Overrides the defaults for responses",
- "additionalProperties": false,
- "properties": {
- "code": {
- "type": "integer",
- "description": "The HTTP status code"
- }
- }
- },
 "subjectConfiguration": {
 "description": "Configuration of where to get subject information/attributes from",
 "type": "object",
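Review bot: The added `"description": "How the service should response"` line in the new `respondWithConfig` definition carries over a grammatical slip and, since the line is rewritten here anyway, should read `"description": "How the service should respond"`. The hunk also removes `serviceConfig` and `ruleExecutorServiceConfig`, and the hunk at `@@ -1790` re-creates their `port`/`host`/`timeout`/`tls`/`trusted_proxies` blocks inline three times; composing a shared base definition with `allOf` is awkward under `additionalProperties: false`, which is presumably why it was inlined, but that reasoning belongs in the commit message so the next person does not deduplicate it back and break validation.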
@@ -1790,13 +1719,115 @@
 "type": "object",
 "properties": {
 "decision": {
- "$ref": "#/definitions/ruleExecutorServiceConfig"
+ "description": "Decision service Configuration",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "port": {
+ "description": "The port to listen on.",
+ "type": "integer"
+ },
+ "host": {
+ "description": "The network interface to listen on.",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "localhost",
+ "127.0.0.1"
+ ]
+ },
+ "timeout": {
+ "$ref": "#/definitions/timeoutConfig"
+ },
+ "tls": {
+ "$ref": "#/definitions/tlsConfig"
+ },
+ "trusted_proxies": {
+ "description": "The list IPs or CIDRs heimdall should trust and thus make use of headers, like X-Forwarded-*, Forwarded, etc",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "respond": {
+ "$ref": "#/definitions/respondWithConfig"
+ }
+ }
 },
 "proxy": {
- "$ref": "#/definitions/ruleExecutorServiceConfig"
+ "description": "Proxy service configuration",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "port": {
+ "description": "The port to listen on.",
+ "type": "integer"
+ },
+ "host": {
+ "description": "The network interface to listen on.",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "localhost",
+ "127.0.0.1"
+ ]
+ },
+ "timeout": {
+ "$ref": "#/definitions/timeoutConfig"
+ },
+ "cors": {
+ "$ref": "#/definitions/corsConfig"
+ },
+ "tls": {
+ "$ref": "#/definitions/tlsConfig"
+ },
+ "trusted_proxies": {
+ "description": "The list IPs or CIDRs heimdall should trust and thus make use of headers, like X-Forwarded-*, Forwarded, etc",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "respond": {
+ "$ref": "#/definitions/respondWithConfig"
+ }
+ }
 },
 "management": {
- "$ref": "#/definitions/serviceConfig"
+ "description": "Management service configuration",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "port": {
+ "description": "The port to listen on.",
+ "type": "integer"
+ },
+ "host": {
+ "description": "The network interface to listen on.",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "localhost",
+ "127.0.0.1"
+ ]
+ },
+ "timeout": {
+ "$ref": "#/definitions/timeoutConfig"
+ },
+ "cors": {
+ "$ref": "#/definitions/corsConfig"
+ },
+ "tls": {
+ "$ref": "#/definitions/tlsConfig"
+ },
+ "trusted_proxies": {
+ "description": "The list IPs or CIDRs heimdall should trust and thus make use of headers, like X-Forwarded-*, Forwarded, etc",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
 }
 }
 },
From 578288b1a5fccedfd2191cc9a53cfb0b5ee143a3 Mon Sep 17 00:00:00 2001
From: Dimitrij Drus
Date: Wed, 8 Feb 2023 15:32:47 +0100
Subject: [PATCH 3/4] config used for schema validation updated
---
 internal/config/test_data/test_config.yaml | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/internal/config/test_data/test_config.yaml b/internal/config/test_data/test_config.yaml
index da7fd26d9..4e58de0bc 100644
--- a/internal/config/test_data/test_config.yaml
+++ b/internal/config/test_data/test_config.yaml
@@ -6,18 +6,6 @@ serve:
 read: 2s
 write: 5s
 idle: 2m
- cors:
- allowed_origins:
- - example.org
- allowed_methods:
- - GET
- - POST
- allowed_headers:
- - Authorization
- exposed_headers:
- - X-My-Header
- allow_credentials: true
- max_age: 1m
 tls:
 key_store:
 path: /path/to/keystore/file.pem
From 89e7160f849f0fda5741429e9ec4ed69c3cebfb1 Mon Sep 17 00:00:00 2001
From: Dimitrij Drus
Date: Wed, 8 Feb 2023 15:33:11 +0100
Subject: [PATCH 4/4] documentation updated
---
 .../configuration/reference/reference.adoc | 12 -----------
 .../docs/configuration/services/decision.adoc | 20 -------------------
 2 files changed, 32 deletions(-)
diff --git a/docs/content/docs/configuration/reference/reference.adoc b/docs/content/docs/configuration/reference/reference.adoc
index b7d802a61..2128e5a6c 100644
--- a/docs/content/docs/configuration/reference/reference.adoc
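Review bot: The three inlined service definitions in the `@@ -1790` hunk are inconsistent in wording: `decision` is described as `"Decision service Configuration"` while `proxy` and `management` use `"... service configuration"`, and the `trusted_proxies` description added three times reads `"The list IPs or CIDRs ..."` where it should be `"The list of IPs or CIDRs ..."`. Because `trusted_proxies` is the security-relevant setting here — by its own description an entry makes heimdall act on `X-Forwarded-*`/`Forwarded` headers from that address — consider appending `Only list proxies under your control.` to the description so the consequence of a too-broad CIDR is visible in editor tooltips. The asymmetry that `cors` is kept for `proxy` and `management` but dropped for `decision` matches patch 1, but a `decision` description mentioning that CORS is not applicable to this service would save a user porting an old config from puzzling over why `decision.cors` now fails validation. All three blocks are `$ref`-free copies; if they are meant to stay identical apart from `cors`/`respond`, saying so in the commit message helps future edits keep them in sync.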
+++ b/docs/content/docs/configuration/reference/reference.adoc
@@ -30,18 +30,6 @@ serve:
 read: 2s
 write: 5s
 idle: 2m
- cors:
- allowed_origins:
- - example.org
- allowed_methods:
- - GET
- - POST
- allowed_headers:
- - Authorization
- exposed_headers:
- - X-My-Header
- allow_credentials: true
- max_age: 1m
 tls:
 key_store:
 path: /path/to/key/store.pem
diff --git a/docs/content/docs/configuration/services/decision.adoc b/docs/content/docs/configuration/services/decision.adoc
index eb070304f..68a59cd44 100644
--- a/docs/content/docs/configuration/services/decision.adoc
+++ b/docs/content/docs/configuration/services/decision.adoc
@@ -61,26 +61,6 @@ decision:
 ----
 ====
-* *`cors`*: _link:{{< relref "/docs/configuration/reference/types.adoc#_cors" >}}[CORS]_ (optional)
-+
-https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[CORS] (Cross-Origin Resource Sharing) headers can be added and configured by making use of this option. This functionality allows for advanced security features to quickly be set. If CORS headers are set, then the Heimdall does not pass preflight requests to its decision pipeline, instead the response will be generated and sent back to the client directly.
-+
-.Possible CORS configuration
-====
-[source, yaml]
-----
-decision:
- cors:
- allowed_origins:
- - example.org
- allowed_methods:
- - HEAD
- - PATCH
- allow_credentials: true
- max_age: 10s
-----
-====
-
 * *`tls`*: _link:{{< relref "/docs/configuration/reference/types.adoc#_tls" >}}[TLS]_ (optional)
 +
 By default, the Decision service accepts HTTP requests. Depending on your deployment scenario, you could require Heimdall to accept HTTPs requests only (which is highly recommended). You can do so by making use of this option.