Ignore appending allow origin if already present (#1371)

Author: akrambek

runtime/binding-http/src/main/java/io/aklivity/zilla/runtime/binding/http/internal/stream/HttpServerFactory.java

@@ -2415,46 +2415,55 @@ private void doEncodeHeaders(
             final String origin = exchange.origin;
             final HttpPolicyConfig policy = exchange.policy;
             final HttpAccessControlConfig access = binding.access();
-            HttpHeaderFW allowOrigin = access.allowOriginHeader(policy, origin);
-            if (allowOrigin != null)
-            {
-                codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value, allowOrigin);
-            }
 
-            HttpHeaderFW allowCredentials = access.allowCredentialsHeader();
-            if (allowCredentials != null)
-            {
-                codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value, allowCredentials);
-            }
+            final HttpHeaderFW allowCrossOrigin = headers.matchFirst(h ->
+                HEADER_ACCESS_CONTROL_ALLOW_ORIGIN.equals(h.name()));
 
-            if (access.exposeHeadersExplicit())
+            if (allowCrossOrigin == null)
             {
-                headers.forEach(h ->
+                HttpHeaderFW allowOrigin = access.allowOriginHeader(policy, origin);
+
+                if (allowOrigin != null)
                 {
-                    final String8FW name = h.name();
-                    if (access.exposeHeader(name.asString()))
+                    codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value, allowOrigin);
+                }
+
+                HttpHeaderFW allowCredentials = access.allowCredentialsHeader();
+                if (allowCredentials != null)
+                {
+                    codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value, allowCredentials);
+                }
+
+                if (access.exposeHeadersExplicit())
+                {
+                    headers.forEach(h ->
                     {
-                        String8FW expose = HEADER_ACCESS_CONTROL_EXPOSE_HEADERS;
-                        codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value, expose.value(), name.value(), true);
+                        final String8FW name = h.name();
+                        if (access.exposeHeader(name.asString()))
+                        {
+                            String8FW expose = HEADER_ACCESS_CONTROL_EXPOSE_HEADERS;
+                            codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value,
+                                expose.value(), name.value(), true);
+                        }
+                    });
+                }
+                else if (access.exposeHeaders())
+                {
+                    if (headers.anyMatch(h -> access.exposeHeader(h.name().asString())))
+                    {
+                        codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value,
+                                HEADER_ACCESS_CONTROL_EXPOSE_HEADERS_WILDCARD);
                     }
-                });
-            }
-            else if (access.exposeHeaders())
-            {
-                if (headers.anyMatch(h -> access.exposeHeader(h.name().asString())))
+                }
+
+                if (allowOrigin != null &&
+                    !allowOrigin.equals(HEADER_ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD))
                 {
                     codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value,
-                            HEADER_ACCESS_CONTROL_EXPOSE_HEADERS_WILDCARD);
+                            HEADER_VARY_ORIGIN, true);
                 }
             }
 
-            if (allowOrigin != null &&
-                !allowOrigin.equals(HEADER_ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD))
-            {
-                codecOffset.value = doEncodeHeader(codecBuffer, codecOffset.value,
-                        HEADER_VARY_ORIGIN, true);
-            }
-
             codecBuffer.putBytes(codecOffset.value, CRLF_BYTES);
             codecOffset.value += CRLF_BYTES.length;
 
@@ -6844,9 +6853,13 @@ void encodeHeaders(
                 headerBlock.header(b -> b.literal(l -> l.type(WITHOUT_INDEXING).name(54).value(server.value())));
             }
 
-            if (access != null)
+            final HttpHeaderFW allowCrossOrigin = headers.matchFirst(h ->
+                HEADER_ACCESS_CONTROL_ALLOW_ORIGIN.equals(h.name()));
+
+            if (allowCrossOrigin == null && access != null)
             {
                 HttpHeaderFW allowOrigin = access.allowOriginHeader(policy, origin);
+
                 if (allowOrigin != null)
                 {
                     headerBlock.header(b -> encodeHeader(allowOrigin, b));

runtime/binding-http/src/test/java/io/aklivity/zilla/runtime/binding/http/internal/streams/rfc7230/server/AccessControlIT.java

@@ -340,4 +340,26 @@ public void shouldAllowCredentialsCookie() throws Exception
     {
         k3po.finish();
     }
+
+    @Test
+    @Configuration("server.access.control.cross.origin.allow.explicit.yaml")
+    @Specification({
+        "${net}/allow.origin.present/client",
+        "${app}/allow.origin.present/server",
+    })
+    public void shouldNotDefaultExplicitAllowOriginWhenPresent() throws Exception
+    {
+        k3po.finish();
+    }
+
+    @Test
+    @Configuration("server.access.control.cross.origin.yaml")
+    @Specification({
+        "${net}/allow.origin.present/client",
+        "${app}/allow.origin.present/server",
+    })
+    public void shouldNotDefaultImplicitAllowOriginWhenPresent() throws Exception
+    {
+        k3po.finish();
+    }
 }

runtime/binding-http/src/test/java/io/aklivity/zilla/runtime/binding/http/internal/streams/rfc7540/server/AccessControlIT.java

@@ -364,4 +364,26 @@ public void shouldAllowCredentialsCookie() throws Exception
     {
         k3po.finish();
     }
+
+    @Test
+    @Configuration("server.access.control.cross.origin.allow.explicit.yaml")
+    @Specification({
+        "${net}/allow.origin.present/client",
+        "${app}/allow.origin.present/server",
+    })
+    public void shouldNotDefaultExplicitAllowOriginWhenPresent() throws Exception
+    {
+        k3po.finish();
+    }
+
+    @Test
+    @Configuration("server.access.control.cross.origin.yaml")
+    @Specification({
+        "${net}/allow.origin.present/client",
+        "${app}/allow.origin.present/server",
+    })
+    public void shouldNotDefaultImplicitAllowOriginWhenPresent() throws Exception
+    {
+        k3po.finish();
+    }
 }

specs/binding-http.spec/src/main/scripts/io/aklivity/zilla/specs/binding/http/streams/application/rfc7230/access.control/allow.origin.present/client.rpt

@@ -0,0 +1,49 @@
+#
+# Copyright 2021-2024 Aklivity Inc.
+#
+# Aklivity licenses this file to you under the Apache License,
+# version 2.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+connect "zilla://streams/app0"
+        option zilla:window 40000
+        option zilla:transmission "half-duplex"
+
+
+write zilla:begin.ext ${http:beginEx()
+                            .typeId(zilla:id("http"))
+                            .header(":method", "GET")
+                            .header(":scheme", "https")
+                            .header(":path", "/")
+                            .header(":authority", "example.com:9090")
+                            .header("origin", "https://example.net:9090")
+                            .build()}
+
+connected
+
+write flush
+
+write close
+
+read zilla:begin.ext ${http:matchBeginEx()
+                           .typeId(zilla:id("http"))
+                           .header(":status", "200")
+                           .header("server", "Zilla")
+                           .header("date", "Tue, 02 Feb 2022 22:22:22 GMT")
+                           .header("content-type", "text/plain; charset=UTF-8")
+                           .header("content-length", "12")
+                           .header("access-control-allow-origin", "https://example.net:9090")
+                           .build()}
+
+read "Hello, world"
+
+read closed

specs/binding-http.spec/src/main/scripts/io/aklivity/zilla/specs/binding/http/streams/application/rfc7230/access.control/allow.origin.present/server.rpt

@@ -0,0 +1,47 @@
+#
+# Copyright 2021-2024 Aklivity Inc.
+#
+# Aklivity licenses this file to you under the Apache License,
+# version 2.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+accept "zilla://streams/app0"
+        option zilla:window 40000
+        option zilla:transmission "half-duplex"
+accepted
+
+read zilla:begin.ext ${http:matchBeginEx()
+                           .typeId(zilla:id("http"))
+                           .header(":method", "GET")
+                           .header(":scheme", "https")
+                           .header(":path", "/")
+                           .header(":authority", "example.com:9090")
+                           .header("origin", "https://example.net:9090")
+                           .build()}
+connected
+
+read closed
+
+write zilla:begin.ext ${http:beginEx()
+                            .typeId(zilla:id("http"))
+                            .header(":status", "200")
+                            .header("server", "Zilla")
+                            .header("date", "Tue, 02 Feb 2022 22:22:22 GMT")
+                            .header("content-type", "text/plain; charset=UTF-8")
+                            .header("content-length", "12")
+                            .header("access-control-allow-origin", "https://example.net:9090")
+                            .build()}
+
+write "Hello, world"
+write flush
+
+write close

specs/binding-http.spec/src/main/scripts/io/aklivity/zilla/specs/binding/http/streams/application/rfc7540/access.control/allow.origin.present/client.rpt

@@ -0,0 +1,49 @@
+#
+# Copyright 2021-2024 Aklivity Inc.
+#
+# Aklivity licenses this file to you under the Apache License,
+# version 2.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+connect "zilla://streams/app0"
+        option zilla:window 40000
+        option zilla:transmission "half-duplex"
+
+
+write zilla:begin.ext ${http:beginEx()
+                            .typeId(zilla:id("http"))
+                            .header(":method", "GET")
+                            .header(":scheme", "https")
+                            .header(":path", "/")
+                            .header(":authority", "example.com:9090")
+                            .header("origin", "https://example.net:9090")
+                            .build()}
+
+connected
+
+write flush
+
+write close
+
+read zilla:begin.ext ${http:matchBeginEx()
+                           .typeId(zilla:id("http"))
+                           .header(":status", "200")
+                           .header("server", "Zilla")
+                           .header("date", "Tue, 02 Feb 2022 22:22:22 GMT")
+                           .header("content-type", "text/plain; charset=UTF-8")
+                           .header("content-length", "12")
+                           .header("access-control-allow-origin", "https://example.net:9090")
+                           .build()}
+
+read "Hello, world"
+
+read closed

specs/binding-http.spec/src/main/scripts/io/aklivity/zilla/specs/binding/http/streams/application/rfc7540/access.control/allow.origin.present/server.rpt

@@ -0,0 +1,47 @@
+#
+# Copyright 2021-2024 Aklivity Inc.
+#
+# Aklivity licenses this file to you under the Apache License,
+# version 2.0 (the "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at:
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+accept "zilla://streams/app0"
+        option zilla:window 40000
+        option zilla:transmission "half-duplex"
+accepted
+
+read zilla:begin.ext ${http:matchBeginEx()
+                           .typeId(zilla:id("http"))
+                           .header(":method", "GET")
+                           .header(":scheme", "https")
+                           .header(":path", "/")
+                           .header(":authority", "example.com:9090")
+                           .header("origin", "https://example.net:9090")
+                           .build()}
+connected
+
+read closed
+
+write zilla:begin.ext ${http:beginEx()
+                            .typeId(zilla:id("http"))
+                            .header(":status", "200")
+                            .header("server", "Zilla")
+                            .header("date", "Tue, 02 Feb 2022 22:22:22 GMT")
+                            .header("content-type", "text/plain; charset=UTF-8")
+                            .header("content-length", "12")
+                            .header("access-control-allow-origin", "https://example.net:9090")
+                            .build()}
+
+write "Hello, world"
+write flush
+
+write close