authorZach Smith <zach@driver.xyz>2018-01-26 11:43:52 -0800
committerZach Smith <zach@driver.xyz>2018-02-20 10:34:22 -0800
commita4b2648a288110350c0ff8dc784626668112ab84 (patch)
tree846a3dae554885348bd42b6f8fb1cc6a8200123f
parent32496bbc8f64f84c8b9bd8b567aa8cc13343414b (diff)
downloaddriver-core-a4b2648a288110350c0ff8dc784626668112ab84.tar.gz
driver-core-a4b2648a288110350c0ff8dc784626668112ab84.tar.bz2
driver-core-a4b2648a288110350c0ff8dc784626668112ab84.zip
Remove rejection handler, respond with default set of allowed methods and origins to all options requests in DriverRoute
-rw-r--r--src/main/resources/reference.conf14
-rw-r--r--src/main/scala/xyz/driver/core/app/DriverApp.scala33
-rw-r--r--src/main/scala/xyz/driver/core/app/module.scala5
-rw-r--r--src/main/scala/xyz/driver/core/rest/DriverRoute.scala57
-rw-r--r--src/main/scala/xyz/driver/core/rest/package.scala25
-rw-r--r--src/test/scala/xyz/driver/core/rest/DriverAppTest.scala60
-rw-r--r--src/test/scala/xyz/driver/core/rest/DriverRouteTest.scala4
7 files changed, 140 insertions, 58 deletions
diff --git a/src/main/resources/reference.conf b/src/main/resources/reference.conf
index 16dcfda..aed7b12 100644
--- a/src/main/resources/reference.conf
+++ b/src/main/resources/reference.conf
@@ -10,6 +10,20 @@
application {
baseUrl: "localhost:8080"
environment: "local_testing"
+
+ cors {
+ allowedMethods: ["GET", "PUT", "POST", "PATCH", "DELETE", "OPTIONS"]
+ allowedOrigins: [
+ {
+ scheme: http
+ hostSuffix: localhost
+ },
+ {
+ scheme: https
+ hostSuffix: example.com
+ }
+ ]
+ }
}
# Settings about the auto-generated REST API documentation.
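Review bot: The new `application.cors` block has no comment explaining how `hostSuffix` is interpreted, and the DriverRoute.scala hunk of this commit compares it with `endsWith`, so an entry is a suffix pattern rather than an exact host. Because this file supplies library defaults, a service that does not override the block would presumably run with `http` + `localhost` and the placeholder `example.com` as its allow-list. I would add a comment above `cors {`, for example `# Default CORS allow-list. hostSuffix is matched as a host-name suffix; override allowedOrigins per deployment.`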
diff --git a/src/main/scala/xyz/driver/core/app/DriverApp.scala b/src/main/scala/xyz/driver/core/app/DriverApp.scala
index d95e254..a593893 100644
--- a/src/main/scala/xyz/driver/core/app/DriverApp.scala
+++ b/src/main/scala/xyz/driver/core/app/DriverApp.scala
@@ -2,7 +2,6 @@ package xyz.driver.core.app
import akka.actor.ActorSystem
import akka.http.scaladsl.marshallers.sprayjson.SprayJsonSupport
-import akka.http.scaladsl.model.StatusCodes._
import akka.http.scaladsl.model._
import akka.http.scaladsl.model.headers._
import akka.http.scaladsl.server.Directives._
@@ -42,7 +41,6 @@ class DriverApp(
port: Int = 8080,
tracer: Tracer = NoTracer)(implicit actorSystem: ActorSystem, executionContext: ExecutionContext) {
self =>
- import DriverApp._
implicit private lazy val materializer: ActorMaterializer = ActorMaterializer()(actorSystem)
private lazy val http: HttpExt = Http()(actorSystem)
@@ -73,8 +71,9 @@ class DriverApp(
val swaggerRoute = swaggerService.routes ~ swaggerService.swaggerUI
val versionRt = versionRoute(version, gitHash, time.currentTime())
val basicRoutes = new DriverRoute {
- override def log: Logger = self.log
- override def route: Route = versionRt ~ healthRoute ~ swaggerRoute
+ override def log: Logger = self.log
+ override def config: Config = xyz.driver.core.config.loadDefaultConfig
+ override def route: Route = versionRt ~ healthRoute ~ swaggerRoute
}
val combinedRoute = modules.map(_.route).foldLeft(basicRoutes.routeWithDefaults)(_ ~ _)
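Review bot: `basicRoutes.routeWithDefaults` is the seed of the `foldLeft` on the `combinedRoute` line, and with this commit `routeWithDefaults` ends in `defaultOptionsRoute`, so every OPTIONS request on any path is answered here before a module route is tried. A module that defines its own `options` handler, or a `DriverRoute` built with a different `config`, would therefore not be reached for OPTIONS, and OPTIONS on a path that does not exist returns 200 as well. If that is the intent, it deserves a comment on this line such as `// basicRoutes answers OPTIONS for every path; module routes never see OPTIONS requests`. The `DriverApp` class body starts and ends outside the hunk.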
@@ -221,29 +220,3 @@ class DriverApp(
})
}
}
-
-object DriverApp {
- implicit def rejectionHandler: RejectionHandler =
- RejectionHandler
- .newBuilder()
- .handleAll[MethodRejection] { rejections =>
- val methods = rejections map (_.supported)
- lazy val names = methods map (_.name) mkString ", "
-
- options {
- respondWithCorsHeaders {
- respondWithCorsAllowedMethodHeaders(methods) {
- complete(s"Supported methods: $names.")
- }
- }
- } ~
- complete(MethodNotAllowed -> s"HTTP method not allowed, supported methods: $names!")
- }
- .handleAll[Rejection] { rejections =>
- respondWithCorsHeaders {
- reject(rejections: _*)
- }
- }
- .result()
- .seal
-}
diff --git a/src/main/scala/xyz/driver/core/app/module.scala b/src/main/scala/xyz/driver/core/app/module.scala
index 7be38eb..0a255fb 100644
--- a/src/main/scala/xyz/driver/core/app/module.scala
+++ b/src/main/scala/xyz/driver/core/app/module.scala
@@ -30,8 +30,9 @@ class EmptyModule extends Module {
class SimpleModule(override val name: String, theRoute: Route, routeType: Type) extends Module {
private val driverRoute: DriverRoute = new DriverRoute {
- override def route: Route = theRoute
- override val log: Logger = xyz.driver.core.logging.NoLogger
+ override def route: Route = theRoute
+ override val config: Config = xyz.driver.core.config.loadDefaultConfig
+ override val log: Logger = xyz.driver.core.logging.NoLogger
}
override def route: Route = driverRoute.routeWithDefaults
diff --git a/src/main/scala/xyz/driver/core/rest/DriverRoute.scala b/src/main/scala/xyz/driver/core/rest/DriverRoute.scala
index 5f961b6..5647818 100644
--- a/src/main/scala/xyz/driver/core/rest/DriverRoute.scala
+++ b/src/main/scala/xyz/driver/core/rest/DriverRoute.scala
@@ -7,6 +7,7 @@ import akka.http.scaladsl.model.StatusCodes
import akka.http.scaladsl.model.headers._
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.{Directive0, ExceptionHandler, RequestContext, Route}
+import com.typesafe.config.Config
import com.typesafe.scalalogging.Logger
import org.slf4j.MDC
import xyz.driver.core.rest
@@ -16,17 +17,69 @@ import scala.compat.Platform.ConcurrentModificationException
trait DriverRoute {
def log: Logger
+ def config: Config
def route: Route
def routeWithDefaults: Route = {
- (defaultResponseHeaders & handleExceptions(ExceptionHandler(exceptionHandler)))(route)
+ (defaultResponseHeaders & handleExceptions(ExceptionHandler(exceptionHandler))) {
+ route ~ defaultOptionsRoute
+ }
+ }
+
+ protected lazy val allowedCorsDomainSuffixes: Set[HttpOrigin] = {
+ import scala.collection.JavaConverters._
+ config
+ .getConfigList("application.cors.allowedOrigins")
+ .asScala
+ .map { c =>
+ HttpOrigin(c.getString("scheme"), Host(c.getString("hostSuffix")))
+ }(scala.collection.breakOut)
+ }
+
+ protected lazy val defaultCorsAllowedMethods: Set[HttpMethod] = {
+ import scala.collection.JavaConverters._
+ config.getStringList("application.cors.allowedMethods").asScala.toSet.flatMap(HttpMethods.getForKey)
+ }
+
+ protected lazy val defaultCorsAllowedOrigin: Origin =
+ Origin(allowedCorsDomainSuffixes.to[collection.immutable.Seq])
+
+ protected def corsAllowedOriginHeader(origin: Option[Origin]): HttpHeader = {
+ val allowedOrigin =
+ origin
+ .filter { requestOrigin =>
+ allowedCorsDomainSuffixes.exists { allowedOriginSuffix =>
+ requestOrigin.origins.exists(o =>
+ o.scheme == allowedOriginSuffix.scheme &&
+ o.host.host.address.endsWith(allowedOriginSuffix.host.host.address()))
+ }
+ }
+ .getOrElse(defaultCorsAllowedOrigin)
+
+ `Access-Control-Allow-Origin`(HttpOriginRange(allowedOrigin.origins: _*))
+ }
+
+ protected def respondWithAllCorsHeaders: Directive0 = {
+ respondWithCorsAllowedHeaders tflatMap { _ =>
+ respondWithCorsAllowedMethodHeaders(defaultCorsAllowedMethods) tflatMap { _ =>
+ optionalHeaderValueByType[Origin](()) flatMap { origin =>
+ respondWithHeader(corsAllowedOriginHeader(origin))
+ }
+ }
+ }
+ }
+
+ protected def defaultOptionsRoute: Route = options {
+ respondWithAllCorsHeaders {
+ complete("OK")
+ }
}
protected def defaultResponseHeaders: Directive0 = {
extractRequest flatMap { request =>
val tracingHeader = RawHeader(ContextHeaders.TrackingIdHeader, rest.extractTrackingId(request))
- respondWithHeader(tracingHeader) & respondWithCorsHeaders
+ respondWithHeader(tracingHeader) & respondWithAllCorsHeaders
}
}
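Review bot: The origin check in `corsAllowedOriginHeader` compares hosts with a bare `endsWith`, so the configured suffix `example.com` accepts any host whose name merely ends in those characters (constructed sample: `notexample.com`), not only `example.com` and its subdomains. The same filter uses `requestOrigin.origins.exists`, so a single matching entry causes every origin listed in the request header to be echoed back. The rewrite below requires a dot boundary and requires every origin in the header to match. A non-matching request still falls back to the full configured list, which discloses the allow-list in the response and is worth revisiting separately. The `DriverRoute` trait continues outside the hunk.

```scala
  protected def corsAllowedOriginHeader(origin: Option[Origin]): HttpHeader = {
    // A host matches only when it equals the configured suffix or is a dot-separated subdomain of it.
    def matchesSuffix(o: HttpOrigin, allowed: HttpOrigin): Boolean = {
      val host   = o.host.host.address
      val suffix = allowed.host.host.address
      o.scheme == allowed.scheme && (host == suffix || host.endsWith("." + suffix))
    }

    val allowedOrigin =
      origin
        .filter { requestOrigin =>
          // Every origin in the header must be allowed, since all of them are echoed back.
          requestOrigin.origins.nonEmpty &&
          requestOrigin.origins.forall(o => allowedCorsDomainSuffixes.exists(matchesSuffix(o, _)))
        }
        .getOrElse(defaultCorsAllowedOrigin)

    // … unchanged: build `Access-Control-Allow-Origin` from allowedOrigin.origins …
  }
```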
diff --git a/src/main/scala/xyz/driver/core/rest/package.scala b/src/main/scala/xyz/driver/core/rest/package.scala
index 88f78d9..5fd9417 100644
--- a/src/main/scala/xyz/driver/core/rest/package.scala
+++ b/src/main/scala/xyz/driver/core/rest/package.scala
@@ -110,22 +110,25 @@ object `package` {
}
}
- def respondWithCorsHeaders: Directive0 = {
- optionalHeaderValueByType[Origin](()) flatMap { originHeader =>
- respondWithHeaders(
- List[HttpHeader](
- allowOrigin(originHeader),
- `Access-Control-Allow-Headers`(AllowedHeaders: _*),
- `Access-Control-Expose-Headers`(AllowedHeaders: _*)
- ))
+ def respondWithCorsAllowedHeaders: Directive0 = {
+ respondWithHeaders(
+ List[HttpHeader](
+ `Access-Control-Allow-Headers`(AllowedHeaders: _*),
+ `Access-Control-Expose-Headers`(AllowedHeaders: _*)
+ ))
+ }
+
+ def respondWithCorsAllowedOriginHeaders(origin: Origin): Directive0 = {
+ respondWithHeader {
+ `Access-Control-Allow-Origin`(HttpOriginRange(origin.origins: _*))
}
}
- def respondWithCorsAllowedMethodHeaders(methods: scala.collection.immutable.Seq[HttpMethod]): Directive0 = {
+ def respondWithCorsAllowedMethodHeaders(methods: Set[HttpMethod]): Directive0 = {
respondWithHeaders(
List[HttpHeader](
- Allow(methods),
- `Access-Control-Allow-Methods`(methods)
+ Allow(methods.to[collection.immutable.Seq]),
+ `Access-Control-Allow-Methods`(methods.to[collection.immutable.Seq])
))
}
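Review bot: `respondWithCorsAllowedOriginHeaders` is added as a public helper that writes whatever `Origin` it is given into `Access-Control-Allow-Origin`, and nothing in the visible hunks calls it; `DriverRoute` builds the header through `corsAllowedOriginHeader` instead. A caller that passes the request's own `Origin` would reflect it with no allow-list check, so either drop the helper or state the contract in a Scaladoc, e.g. `/** Emits Access-Control-Allow-Origin for the given origin unchanged; callers must validate it against the configured allow-list first. */`. The enclosing package object starts and ends outside the hunk.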
diff --git a/src/test/scala/xyz/driver/core/rest/DriverAppTest.scala b/src/test/scala/xyz/driver/core/rest/DriverAppTest.scala
index f5602be..991d7c5 100644
--- a/src/test/scala/xyz/driver/core/rest/DriverAppTest.scala
+++ b/src/test/scala/xyz/driver/core/rest/DriverAppTest.scala
@@ -1,7 +1,7 @@
package xyz.driver.core.rest
import akka.http.scaladsl.model.headers._
-import akka.http.scaladsl.model.{HttpMethods, StatusCodes}
+import akka.http.scaladsl.model.{HttpMethod, HttpMethods, StatusCodes}
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.Route
import akka.http.scaladsl.settings.RoutingSettings
@@ -15,8 +15,9 @@ import scala.reflect.runtime.universe._
class DriverAppTest extends FlatSpec with ScalatestRouteTest with Matchers {
class TestRoute extends DriverRoute {
- override def log: Logger = xyz.driver.core.logging.NoLogger
- override def route: Route = path("api" / "v1" / "test")(post(complete("OK")))
+ override def log: Logger = xyz.driver.core.logging.NoLogger
+ override def config: Config = xyz.driver.core.config.loadDefaultConfig
+ override def route: Route = path("api" / "v1" / "test")(post(complete("OK")))
}
val module: Module = new Module {
@@ -30,29 +31,64 @@ class DriverAppTest extends FlatSpec with ScalatestRouteTest with Matchers {
appName = "test-app",
version = "0.1",
gitHash = "deadb33f",
- modules = Seq(module)
+ modules = Seq(module),
+ log = xyz.driver.core.logging.NoLogger
)
val config: Config = xyz.driver.core.config.loadDefaultConfig
val routingSettings: RoutingSettings = RoutingSettings(config)
- val appRoute: Route =
- Route.seal(app.appRoute)(routingSettings = routingSettings, rejectionHandler = DriverApp.rejectionHandler)
+ val appRoute: Route = Route.seal(app.appRoute)(routingSettings = routingSettings)
+
+ val allowedMethods: collection.immutable.Seq[HttpMethod] = {
+ import scala.collection.JavaConverters._
+ config
+ .getStringList("application.cors.allowedMethods")
+ .asScala
+ .flatMap(HttpMethods.getForKey)
+ .to[collection.immutable.Seq]
+ }
+
+ val allowedOrigin: Origin = {
+ import scala.collection.JavaConverters._
+ Origin(
+ config
+ .getConfigList("application.cors.allowedOrigins")
+ .asScala
+ .map { c =>
+ HttpOrigin(c.getString("scheme"), Host(c.getString("hostSuffix")))
+ }(scala.collection.breakOut): _*)
+ }
"DriverApp" should "respond with the correct CORS headers for the swagger OPTIONS route" in {
Options(s"/api-docs/swagger.json") ~> appRoute ~> check {
status shouldBe StatusCodes.OK
- info(response.toString())
- headers should contain(`Access-Control-Allow-Origin`(HttpOriginRange.*))
- headers should contain(`Access-Control-Allow-Methods`(HttpMethods.GET))
+ headers should contain(`Access-Control-Allow-Origin`(HttpOriginRange(allowedOrigin.origins: _*)))
+ header[`Access-Control-Allow-Methods`].get.methods should contain theSameElementsAs allowedMethods
}
}
it should "respond with the correct CORS headers for the test route" in {
Options(s"/api/v1/test") ~> appRoute ~> check {
status shouldBe StatusCodes.OK
- info(response.toString())
- headers should contain(`Access-Control-Allow-Origin`(HttpOriginRange.*))
- headers should contain(`Access-Control-Allow-Methods`(HttpMethods.GET, HttpMethods.POST))
+ headers should contain(`Access-Control-Allow-Origin`(HttpOriginRange(allowedOrigin.origins: _*)))
+ header[`Access-Control-Allow-Methods`].get.methods should contain theSameElementsAs allowedMethods
+ }
+ }
+
+ it should "allow subdomains of allowed origin suffixes" in {
+ Options(s"/api/v1/test").withHeaders(Origin(HttpOrigin("https", Host("foo.example.com")))) ~> appRoute ~> check {
+ status shouldBe StatusCodes.OK
+ headers should contain(`Access-Control-Allow-Origin`(HttpOrigin("https", Host("foo.example.com"))))
+ header[`Access-Control-Allow-Methods`].get.methods should contain theSameElementsAs allowedMethods
+ }
+ }
+
+ it should "respond with default domains for invalid origins" in {
+ Options(s"/api/v1/test")
+ .withHeaders(Origin(HttpOrigin("https", Host("invalid.foo.bar.com")))) ~> appRoute ~> check {
+ status shouldBe StatusCodes.OK
+ headers should contain(`Access-Control-Allow-Origin`(HttpOriginRange(allowedOrigin.origins: _*)))
+ header[`Access-Control-Allow-Methods`].get.methods should contain theSameElementsAs allowedMethods
}
}
}
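Review bot: The new origin tests cover a true subdomain (`foo.example.com`) and an unrelated host (`invalid.foo.bar.com`), but no host that only shares trailing characters with a configured suffix, which is the boundary the `endsWith` comparison in `DriverRoute` gets wrong. A case like the one below, using a constructed sample host, would pin that behaviour. It is expected to fail until the comparison requires a dot boundary. The `DriverAppTest` class starts outside this hunk.

```scala
  it should "not allow a host that only shares trailing characters with an allowed suffix" in {
    // Constructed sample: ends with "example.com" but is not a subdomain of it.
    val lookalike = HttpOrigin("https", Host("notexample.com"))
    Options(s"/api/v1/test").withHeaders(Origin(lookalike)) ~> appRoute ~> check {
      status shouldBe StatusCodes.OK
      headers should not contain (`Access-Control-Allow-Origin`(lookalike))
    }
  }
```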
diff --git a/src/test/scala/xyz/driver/core/rest/DriverRouteTest.scala b/src/test/scala/xyz/driver/core/rest/DriverRouteTest.scala
index f402261..c763dda 100644
--- a/src/test/scala/xyz/driver/core/rest/DriverRouteTest.scala
+++ b/src/test/scala/xyz/driver/core/rest/DriverRouteTest.scala
@@ -4,6 +4,7 @@ import akka.http.scaladsl.model.StatusCodes
import akka.http.scaladsl.server.Directives.{complete => akkaComplete}
import akka.http.scaladsl.server.Route
import akka.http.scaladsl.testkit.ScalatestRouteTest
+import com.typesafe.config.Config
import com.typesafe.scalalogging.Logger
import org.scalatest.{AsyncFlatSpec, Matchers}
import xyz.driver.core.logging.NoLogger
@@ -13,7 +14,8 @@ import scala.concurrent.Future
class DriverRouteTest extends AsyncFlatSpec with ScalatestRouteTest with Matchers {
class TestRoute(override val route: Route) extends DriverRoute {
- override def log: Logger = NoLogger
+ override def log: Logger = NoLogger
+ override def config: Config = xyz.driver.core.config.loadDefaultConfig
}
"DriverRoute" should "respond with 200 OK for a basic route" in {