update CORS middleware and make it configurable

webdav/pkg/command/server.go

@@ -30,6 +30,15 @@ func Server(cfg *config.Config) *cli.Command {
 			if !cfg.Supervised {
 				return ParseConfig(ctx, cfg)
 			}
+			if origins := ctx.StringSlice("cors-allowed-origins"); len(origins) != 0 {
+				cfg.HTTP.CORS.AllowedOrigins = origins
+			}
+			if methods := ctx.StringSlice("cors-allowed-methods"); len(methods) != 0 {
+				cfg.HTTP.CORS.AllowedMethods = methods
+			}
+			if headers := ctx.StringSlice("cors-allowed-headers"); len(headers) != 0 {
+				cfg.HTTP.CORS.AllowedOrigins = headers
+			}
 			logger.Debug().Str("service", "webdav").Msg("ignoring config file parsing when running supervised")
 			return nil
 		},

webdav/pkg/config/config.go

@@ -18,10 +18,19 @@ type Debug struct {
 	Zpages bool
 }
 
+// CORS defines the available cors configuration.
+type CORS struct {
+	AllowedOrigins   []string
+	AllowedMethods   []string
+	AllowedHeaders   []string
+	AllowCredentials bool
+}
+
 // HTTP defines the available http configuration.
 type HTTP struct {
 	Addr string
 	Root string
+	CORS CORS
 }
 
 // Service defines the available service configuration.
@@ -42,13 +51,13 @@ type Tracing struct {
 
 // Config combines all available configuration parts.
 type Config struct {
-	File    string
-	Log     Log
-	Debug   Debug
-	HTTP    HTTP
-	Tracing Tracing
-	Service Service
-	OcisPublicURL string
+	File            string
+	Log             Log
+	Debug           Debug
+	HTTP            HTTP
+	Tracing         Tracing
+	Service         Service
+	OcisPublicURL   string
 	WebdavNamespace string
 
 	Context    context.Context

webdav/pkg/flagset/flagset.go

@@ -127,6 +127,30 @@ func ServerWithConfig(cfg *config.Config) []cli.Flag {
 			EnvVars:     []string{"WEBDAV_HTTP_NAMESPACE"},
 			Destination: &cfg.Service.Namespace,
 		},
+		&cli.StringSliceFlag{
+			Name:    "cors-allowed-origins",
+			Value:   cli.NewStringSlice("*"),
+			Usage:   "Set the allowed CORS origins",
+			EnvVars: []string{"WEBDAV_CORS_ALLOW_ORIGINS", "OCIS_CORS_ALLOW_ORIGINS"},
+		},
+		&cli.StringSliceFlag{
+			Name:    "cors-allowed-methods",
+			Value:   cli.NewStringSlice("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"),
+			Usage:   "Set the allowed CORS origins",
+			EnvVars: []string{"WEBDAV_CORS_ALLOW_METHODS", "OCIS_CORS_ALLOW_METHODS"},
+		},
+		&cli.StringSliceFlag{
+			Name:    "cors-allowed-headers",
+			Value:   cli.NewStringSlice("Authorization", "Origin", "Content-Type", "Accept", "X-Requested-With"),
+			Usage:   "Set the allowed CORS origins",
+			EnvVars: []string{"WEBDAV_CORS_ALLOW_HEADERS", "OCIS_CORS_ALLOW_HEADERS"},
+		},
+		&cli.BoolFlag{
+			Name:    "cors-allow-credentials",
+			Value:   flags.OverrideDefaultBool(cfg.HTTP.CORS.AllowCredentials, true),
+			Usage:   "Allow credentials for CORS",
+			EnvVars: []string{"WEBDAV_CORS_ALLOW_CREDENTIALS", "OCIS_CORS_ALLOW_CREDENTIALS"},
+		},
 		&cli.StringFlag{
 			Name:        "service-name",
 			Value:       flags.OverrideDefaultString(cfg.Service.Name, "webdav"),

webdav/pkg/server/debug/server.go

@@ -22,6 +22,10 @@ func Server(opts ...Option) (*http.Server, error) {
 		debug.Zpages(options.Config.Debug.Zpages),
 		debug.Health(health(options.Config)),
 		debug.Ready(ready(options.Config)),
+		debug.CorsAllowedOrigins(options.Config.HTTP.CORS.AllowedOrigins),
+		debug.CorsAllowedMethods(options.Config.HTTP.CORS.AllowedMethods),
+		debug.CorsAllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
+		debug.CorsAllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
 	), nil
 }
 

webdav/pkg/server/http/server.go

@@ -2,6 +2,7 @@ package http
 
 import (
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
+	"github.com/owncloud/ocis/ocis-pkg/cors"
 	"github.com/owncloud/ocis/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/ocis-pkg/service/http"
 	svc "github.com/owncloud/ocis/webdav/pkg/service/v0"
@@ -29,7 +30,13 @@ func Server(opts ...Option) (http.Service, error) {
 			chimiddleware.RealIP,
 			chimiddleware.RequestID,
 			middleware.NoCache,
-			middleware.Cors,
+			middleware.Cors(
+				cors.Logger(options.Logger),
+				cors.AllowedOrigins(options.Config.HTTP.CORS.AllowedOrigins),
+				cors.AllowedMethods(options.Config.HTTP.CORS.AllowedMethods),
+				cors.AllowedHeaders(options.Config.HTTP.CORS.AllowedHeaders),
+				cors.AllowCredentials(options.Config.HTTP.CORS.AllowCredentials),
+			),
 			middleware.Secure,
 			middleware.Version(
 				options.Config.Service.Name,