Esempio n. 1
        /// <summary>
        /// Builds the CORS response for a request from the configuration entry matched to it.
        /// </summary>
        /// <param name="accessRequest">The CORS request being evaluated.</param>
        /// <param name="configEntry">The matched configuration entry, or null when none applies.</param>
        /// <returns>
        /// A response object that is never null. It is left unpopulated when there is no entry,
        /// when the origin check fails, or when a preflight fails its method or header check.
        /// </returns>
        private CorsAccessResponse CalculateResponse(
            CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry)
        {
            var result = new CorsAccessResponse();

            // Deny by default: without an entry that accepts this origin nothing is added.
            if (configEntry == null || !CheckOrigin(accessRequest, configEntry))
            {
                return result;
            }

            if (accessRequest.IsCorsSimple)
            {
                AddOrigin(accessRequest, configEntry, result);
                AddCookies(configEntry, result);
                AddExposedHeaders(configEntry, result);
                return result;
            }

            // A preflight is only answered when both the method and the requested headers pass.
            bool preflightPermitted =
                accessRequest.IsCorsPreflight
                && CheckMethods(accessRequest, configEntry)
                && CheckRequestHeaders(accessRequest, configEntry);

            if (preflightPermitted)
            {
                AddOrigin(accessRequest, configEntry, result);
                AddCookies(configEntry, result);
                AddCacheDuration(configEntry, result);
                AddAllowedMethods(accessRequest, configEntry, result);
                AddAllowedRequestHeaders(accessRequest, configEntry, result);
            }

            return result;
        }
        /// <summary>
        /// Evaluates a CORS request against its configuration entry and fills in the response.
        /// </summary>
        /// <param name="accessRequest">The CORS request being evaluated.</param>
        /// <param name="configEntry">The configuration entry chosen for the request; may be null.</param>
        /// <returns>
        /// Always a new response instance. No allow data is added unless the entry exists, the
        /// origin check passes and, for preflights, the method and header checks pass too.
        /// </returns>
        private CorsAccessResponse CalculateResponse(
            CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry)
        {
            CorsAccessResponse outcome = new CorsAccessResponse();

            // The origin gate comes first; everything below is skipped when it fails.
            bool originPermitted = configEntry != null && CheckOrigin(accessRequest, configEntry);

            if (originPermitted && accessRequest.IsCorsSimple)
            {
                AddOrigin(accessRequest, configEntry, outcome);
                AddCookies(configEntry, outcome);
                AddExposedHeaders(configEntry, outcome);
            }
            else if (originPermitted
                     && accessRequest.IsCorsPreflight
                     && CheckMethods(accessRequest, configEntry)
                     && CheckRequestHeaders(accessRequest, configEntry))
            {
                AddOrigin(accessRequest, configEntry, outcome);
                AddCookies(configEntry, outcome);
                AddCacheDuration(configEntry, outcome);
                AddAllowedMethods(accessRequest, configEntry, outcome);
                AddAllowedRequestHeaders(accessRequest, configEntry, outcome);
            }

            return outcome;
        }
        /// <summary>
        /// Looks up the static configuration entry for a request, trying the most specific
        /// match first, then passes it through the optional access filter.
        /// </summary>
        /// <param name="accessRequest">The CORS request whose resource and origin are looked up.</param>
        /// <returns>
        /// The entry to apply, or null when nothing matches or the filter rejects the request.
        /// </returns>
        private CorsConfigurationEntry GetEntryFromStaticConfiguration(CorsAccessRequest accessRequest)
        {
            // Lookup order: resource+origin, resource with any origin, any resource with this
            // origin, then the catch-all entry. The first hit wins.
            CorsConfigurationEntry candidate =
                FindByResourceAndOrigin(accessRequest.Resource, accessRequest.Origin)
                ?? FindByResourceAnyOrigin(accessRequest.Resource)
                ?? FindAnyResourceByOrigin(accessRequest.Origin)
                ?? FindAnyResourceForAnyOrigin();

            if (candidate == null || StaticConfigurationAccessFilter == null)
            {
                return candidate;
            }

            // The filter is handed a clone, not the stored entry itself.
            var snapshot = candidate.Clone();
            var verdict  = StaticConfigurationAccessFilter(accessRequest, snapshot);

            // A null verdict means the filter does not allow this origin.
            if (verdict == null)
            {
                return null;
            }

            return verdict.EntryFromAllowProperties(accessRequest);
        }
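 /// <summary>
 /// Decides whether the method named in a preflight request is permitted by the entry.
 /// </summary>
 /// <param name="accessRequest">The preflight request carrying the requested method.</param>
 /// <param name="configEntry">The configuration entry holding the allowed methods.</param>
 /// <returns>True when all methods are allowed or the requested method is listed.</returns>
 private static bool CheckMethods(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry)
 {
     if (configEntry.AllowAllMethods)
     {
         return true;
     }

     // Upper-case with the invariant culture: ToUpper() follows the thread culture, and
     // under e.g. a Turkish culture "options" does not become "OPTIONS", so a correctly
     // configured method would be rejected depending on server locale.
     var configMethods = configEntry.Methods.Select(x => x.ToUpperInvariant());

     // The requested method is compared as received (ordinal, case-sensitive).
     var requestedMethod = accessRequest.RequestedMethod;
     return configMethods.Contains(requestedMethod);
 }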
 /// <summary>
 /// Asks the dynamic configuration callback, when one is registered, what to allow
 /// for this request.
 /// </summary>
 /// <param name="accessRequest">The CORS request passed to the callback.</param>
 /// <returns>The callback's result, or null when no callback is registered.</returns>
 private CorsConfigurationAllowProperties GetEntryFromDynamicConfiguration(CorsAccessRequest accessRequest)
 {
     // No callback means there is no dynamic policy to consult.
     if (DynamicConfigurationCallback == null)
     {
         return null;
     }

     return DynamicConfigurationCallback(accessRequest);
 }
Esempio n. 6
        /// <summary>
        /// Entry point for evaluating a request against the CORS configuration.
        /// </summary>
        /// <param name="accessRequest">The incoming request.</param>
        /// <returns>
        /// Null when the request is not a CORS request; otherwise the response computed from
        /// the configuration entry selected for the request.
        /// </returns>
        public CorsAccessResponse CheckAccess(CorsAccessRequest accessRequest)
        {
            // Callers must distinguish null (not CORS) from a non-null response, which
            // CalculateResponse returns even when nothing is allowed.
            if (accessRequest.IsCors)
            {
                var matchedEntry = configuration.GetConfigurationEntryForRequest(accessRequest);
                return CalculateResponse(accessRequest, matchedEntry);
            }

            return null;
        }
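        /// <summary>
        /// Decides whether every non-simple header named in a preflight request is permitted.
        /// </summary>
        /// <param name="accessRequest">The preflight request carrying the requested headers.</param>
        /// <param name="configEntry">The configuration entry holding the allowed headers.</param>
        /// <returns>
        /// True when all requested headers are allowed by the entry, compared case-insensitively.
        /// </returns>
        private bool CheckRequestHeaders(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry)
        {
            if (configEntry.AllowAllRequestedHeaders)
            {
                return true;
            }

            var requestedHeaders = accessRequest.RequestedHeaders.RemoveSimpleRequestHeaders();

            // Materialised once so the membership test below does not re-run the filter.
            var allowedHeaders = configEntry.RequestHeaders.RemoveSimpleRequestHeaders().ToArray();

            // Every requested header must be in the allowed list. Checking membership per header
            // (rather than comparing Intersect's count with the request's count) keeps a request
            // that repeats a header name, or repeats it in different case, from being rejected:
            // Intersect de-duplicates, so the two counts differ even when every name is allowed.
            return requestedHeaders.All(
                header => allowedHeaders.Contains(header, StringComparer.OrdinalIgnoreCase));
        }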
Esempio n. 8
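        /// <summary>
        /// Checks the method requested by a preflight against the entry's allowed methods.
        /// </summary>
        /// <param name="accessRequest">The preflight request carrying the requested method.</param>
        /// <param name="configEntry">The configuration entry holding the allowed methods.</param>
        /// <returns>True when all methods are allowed or the requested method is listed.</returns>
        private static bool CheckMethods(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry)
        {
            if (configEntry.AllowAllMethods)
            {
                return true;
            }

            var requestedMethod = accessRequest.RequestedMethod;

            // ToUpperInvariant instead of ToUpper: the culture-sensitive form maps 'i' to a
            // dotted capital under Turkish cultures, so configured names such as "options"
            // would stop matching on servers running with that locale.
            // The requested method itself is compared as received (ordinal).
            return configEntry.Methods.Any(
                method => string.Equals(method.ToUpperInvariant(), requestedMethod, StringComparison.Ordinal));
        }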
        /// <summary>
        /// Selects the configuration entry for a request: static configuration first, then the
        /// dynamic callback as a fallback.
        /// </summary>
        /// <param name="accessRequest">The CORS request to find an entry for.</param>
        /// <returns>The entry to apply, or null when neither source yields one.</returns>
        internal CorsConfigurationEntry GetConfigurationEntryForRequest(CorsAccessRequest accessRequest)
        {
            var staticEntry = GetEntryFromStaticConfiguration(accessRequest);
            if (staticEntry != null)
            {
                return staticEntry;
            }

            // NOTE(review): GetEntryFromStaticConfiguration also returns null when its access
            // filter rejects the request, so a rejection there still reaches the dynamic
            // callback, which can grant access. Confirm that this fallback is intended.
            var dynamicProperties = GetEntryFromDynamicConfiguration(accessRequest);

            return dynamicProperties == null
                ? null
                : dynamicProperties.EntryFromAllowProperties(accessRequest);
        }
Esempio n. 10
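 /// <summary>
 /// Fills in the allowed-methods list of a preflight response when the requested method
 /// is not a simple method.
 /// </summary>
 /// <param name="accessRequest">The preflight request carrying the requested method.</param>
 /// <param name="configEntry">The configuration entry holding the allowed methods.</param>
 /// <param name="response">The response whose AllowedMethods is set.</param>
 private static void AddAllowedMethods(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry, CorsAccessResponse response)
 {
     // Simple methods need no explicit listing, so the response is left untouched.
     if (accessRequest.RequestedMethod.IsSimpleMethod())
     {
         return;
     }

     if (configEntry.AllowAllMethods)
     {
         response.AllowedMethods = CorsConstants.NotSimpleMethods;
     }
     else
     {
         // Invariant upper-casing keeps the emitted method names independent of the
         // server's culture; ToUpper() would alter names containing 'i' under Turkish cultures.
         response.AllowedMethods = configEntry.Methods.Select(x => x.ToUpperInvariant()).ToArray();
     }
 }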
Esempio n. 11
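        /// <summary>
        /// Checks that the non-simple headers named in a preflight are all allowed by the entry.
        /// </summary>
        /// <param name="accessRequest">The preflight request carrying the requested headers.</param>
        /// <param name="configEntry">The configuration entry holding the allowed headers.</param>
        /// <returns>
        /// True when the entry allows all headers, or when no requested header falls outside
        /// the allowed list (case-insensitive comparison).
        /// </returns>
        private bool CheckRequestHeaders(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry)
        {
            if (configEntry.AllowAllRequestedHeaders)
            {
                return true;
            }

            var requestedHeaders = accessRequest.RequestedHeaders.RemoveSimpleRequestHeaders();
            var allowedHeaders   = configEntry.RequestHeaders.RemoveSimpleRequestHeaders();

            // The requested headers must all be in the allowed list. A set difference is used
            // instead of comparing Intersect's count with the request's count: Intersect
            // de-duplicates, so a request repeating an allowed header name was wrongly refused.
            var notAllowed = requestedHeaders.Except(allowedHeaders, StringComparer.OrdinalIgnoreCase);

            return !notAllowed.Any();
        }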
Esempio n. 12
 /// <summary>
 /// Sets the origin value of the response: the wildcard constant or the request's own origin.
 /// </summary>
 /// <param name="accessRequest">The request whose Origin may be echoed back.</param>
 /// <param name="configEntry">The entry supplying AllowAnyOrigin and AllowCookies.</param>
 /// <param name="response">The response whose OriginAllowed is set.</param>
 private static void AddOrigin(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry, CorsAccessResponse response)
 {
     // The wildcard is only used for "any origin" entries that do not allow cookies.
     if (configEntry.AllowAnyOrigin && configEntry.AllowCookies != true)
     {
         response.OriginAllowed = CorsConstants.ResponseHeader_AllowOrign_Wildcard;
         return;
     }

     // Otherwise the caller's Origin is echoed. For an AllowAnyOrigin entry with cookies
     // enabled this means every origin is accepted together with credentials, so entries
     // that combine the two settings deserve a review.
     // NOTE(review): an echoed origin normally requires "Vary: Origin" on the response;
     // that header is not set here - confirm it is added where the headers are written.
     response.OriginAllowed = accessRequest.Origin;
 }
        /// <summary>
        /// Converts a set of allow properties into a configuration entry bound to the resource
        /// and origin of the given request.
        /// </summary>
        /// <param name="other">The allow properties to copy from.</param>
        /// <param name="accessRequest">The request supplying the entry's Resource and Origin.</param>
        /// <returns>A new entry; the list properties are copied into fresh arrays.</returns>
        internal static CorsConfigurationEntry EntryFromAllowProperties(this CorsConfigurationAllowProperties other, CorsAccessRequest accessRequest)
        {
            var entry = new CorsConfigurationEntry();

            // Scope: the entry's Origin is taken from the request itself, so an origin
            // comparison against this entry matches the request that produced it.
            entry.AllResources = false;
            entry.Resource = accessRequest.Resource;
            entry.Origin = accessRequest.Origin;

            // Policy: copied as-is from the allow properties.
            entry.AllowAllMethods = other.AllowAllMethods;
            entry.AllowAllRequestedHeaders = other.AllowAllRequestedHeaders;
            entry.AllowAnyOrigin = other.AllowAnyOrigin;
            entry.AllowCookies = other.AllowCookies;
            entry.Methods = other.Methods.ToArray();
            entry.RequestHeaders = other.RequestHeaders.ToArray();
            entry.ResponseHeaders = other.ResponseHeaders.ToArray();
            entry.CacheDuration = other.CacheDuration;

            return entry;
        }
Esempio n. 14
        /// <summary>
        /// Fills in the allowed request headers of a preflight response.
        /// </summary>
        /// <param name="accessRequest">The preflight request carrying the requested headers.</param>
        /// <param name="configEntry">The configuration entry holding the allowed headers.</param>
        /// <param name="response">The response whose AllowedRequestHeaders is set.</param>
        private static void AddAllowedRequestHeaders(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry, CorsAccessResponse response)
        {
            var nonSimpleRequested = accessRequest.RequestedHeaders.RemoveSimpleRequestHeaders();

            if (nonSimpleRequested.Any())
            {
                if (!configEntry.AllowAllRequestedHeaders)
                {
                    // Restricted entry: advertise the configured non-simple headers.
                    response.AllowedRequestHeaders = configEntry.RequestHeaders.RemoveSimpleRequestHeaders().ToArray();
                }
                else
                {
                    // Allow-all entry: the header names sent by the client are echoed back.
                    response.AllowedRequestHeaders = nonSimpleRequested;
                }
            }

            var simpleRequested = accessRequest.RequestedHeaders.Intersect(CorsConstants.SimpleRequestHeaders, StringComparer.OrdinalIgnoreCase);

            if (!simpleRequested.Any())
            {
                return;
            }

            // chrome asks for things like "Origin" and "Accept", so placate them
            var alreadyAllowed = response.AllowedRequestHeaders ?? Enumerable.Empty<string>();
            response.AllowedRequestHeaders = simpleRequested.Union(alreadyAllowed).Distinct();
        }
        /// <summary>
        /// Sets the request headers a preflight response reports as allowed.
        /// </summary>
        /// <param name="accessRequest">The preflight request carrying the requested headers.</param>
        /// <param name="configEntry">The configuration entry holding the allowed headers.</param>
        /// <param name="response">The response whose AllowedRequestHeaders is set.</param>
        private static void AddAllowedRequestHeaders(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry, CorsAccessResponse response)
        {
            var askedFor = accessRequest.RequestedHeaders;

            // Step 1: non-simple headers. With AllowAllRequestedHeaders the names supplied by
            // the client are returned unchanged; otherwise the configured list is returned.
            var askedNonSimple = askedFor.RemoveSimpleRequestHeaders();
            bool hasNonSimple = askedNonSimple.Any();

            if (hasNonSimple && configEntry.AllowAllRequestedHeaders)
            {
                response.AllowedRequestHeaders = askedNonSimple;
            }
            else if (hasNonSimple)
            {
                response.AllowedRequestHeaders = configEntry.RequestHeaders.RemoveSimpleRequestHeaders().ToArray();
            }

            // Step 2: simple headers that were asked for are added on top of step 1.
            var askedSimple = askedFor.Intersect(CorsConstants.SimpleRequestHeaders, StringComparer.OrdinalIgnoreCase);
            if (askedSimple.Any())
            {
                // chrome asks for things like "Origin" and "Accept", so placate them
                response.AllowedRequestHeaders = askedSimple.Union(response.AllowedRequestHeaders ?? Enumerable.Empty<string>()).Distinct();
            }
        }
 /// <summary>
 /// Evaluates a request against the CORS configuration.
 /// </summary>
 /// <param name="accessRequest">The incoming request.</param>
 /// <returns>
 /// Null for a non-CORS request; otherwise the response calculated from the configuration
 /// entry selected for the request.
 /// </returns>
 public CorsAccessResponse CheckAccess(CorsAccessRequest accessRequest)
 {
     // Null signals "not a CORS request"; a CORS request always gets a response object.
     return accessRequest.IsCors
         ? CalculateResponse(accessRequest, configuration.GetConfigurationEntryForRequest(accessRequest))
         : null;
 }
 /// <summary>
 /// Returns what the dynamic configuration callback allows for this request.
 /// </summary>
 /// <param name="accessRequest">The CORS request passed to the callback.</param>
 /// <returns>The callback's result, or null when no callback is registered.</returns>
 private CorsConfigurationAllowProperties GetEntryFromDynamicConfiguration(CorsAccessRequest accessRequest)
 {
     // Without a registered callback there is no dynamic answer.
     return DynamicConfigurationCallback != null
         ? DynamicConfigurationCallback(accessRequest)
         : null;
 }
        /// <summary>
        /// Finds the static configuration entry for a request and applies the optional
        /// access filter to it.
        /// </summary>
        /// <param name="accessRequest">The CORS request whose resource and origin are looked up.</param>
        /// <returns>
        /// The entry to apply, or null when no entry matches or the filter returns null.
        /// </returns>
        private CorsConfigurationEntry GetEntryFromStaticConfiguration(CorsAccessRequest accessRequest)
        {
            // Most specific match first, widening one step at a time.
            var match = FindByResourceAndOrigin(accessRequest.Resource, accessRequest.Origin);
            if (match == null)
            {
                match = FindByResourceAnyOrigin(accessRequest.Resource);
            }
            if (match == null)
            {
                match = FindAnyResourceByOrigin(accessRequest.Origin);
            }
            if (match == null)
            {
                match = FindAnyResourceForAnyOrigin();
            }

            bool filterApplies = match != null && StaticConfigurationAccessFilter != null;
            if (!filterApplies)
            {
                return match;
            }

            // The filter works on a clone of the matched entry.
            var copy = match.Clone();
            var filtered = StaticConfigurationAccessFilter(accessRequest, copy);

            // if they pass back null, they're indicating that the origin is not allowed
            return filtered == null ? null : filtered.EntryFromAllowProperties(accessRequest);
        }
 /// <summary>
 /// Picks the configuration entry for a request, preferring static configuration and
 /// falling back to the dynamic callback.
 /// </summary>
 /// <param name="accessRequest">The CORS request to find an entry for.</param>
 /// <returns>The entry to apply, or null when neither source provides one.</returns>
 internal CorsConfigurationEntry GetConfigurationEntryForRequest(CorsAccessRequest accessRequest)
 {
     var entry = GetEntryFromStaticConfiguration(accessRequest);

     // The dynamic source is consulted only when the static lookup produced nothing.
     // NOTE(review): that includes a static access filter returning null for this
     // request - confirm the dynamic callback is meant to be able to override that.
     var dynamicProperties = entry == null ? GetEntryFromDynamicConfiguration(accessRequest) : null;

     if (dynamicProperties != null)
     {
         entry = dynamicProperties.EntryFromAllowProperties(accessRequest);
     }

     return entry;
 }
 /// <summary>
 /// Chooses the origin value reported in the response: the wildcard constant or the
 /// origin sent by the client.
 /// </summary>
 /// <param name="accessRequest">The request whose Origin may be echoed back.</param>
 /// <param name="configEntry">The entry supplying AllowAnyOrigin and AllowCookies.</param>
 /// <param name="response">The response whose OriginAllowed is set.</param>
 private static void AddOrigin(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry, CorsAccessResponse response)
 {
     // Echo the client's origin for origin-specific entries and for "any origin" entries
     // with cookies enabled; only cookie-less "any origin" entries get the wildcard.
     bool echoRequestOrigin = !configEntry.AllowAnyOrigin || configEntry.AllowCookies == true;

     if (echoRequestOrigin)
     {
         // Security note: AllowAnyOrigin together with AllowCookies makes this branch accept
         // any origin with credentials. Such entries should be rare and deliberate.
         response.OriginAllowed = accessRequest.Origin;
     }
     else
     {
         response.OriginAllowed = CorsConstants.ResponseHeader_AllowOrign_Wildcard;
     }
 }
Esempio n. 21
 /// <summary>
 /// Decides whether the request's origin is accepted by the configuration entry.
 /// </summary>
 /// <param name="accessRequest">The request carrying the Origin value.</param>
 /// <param name="configEntry">The entry supplying AllowAnyOrigin and Origin.</param>
 /// <returns>True when any origin is allowed or the two origins are equal.</returns>
 private static bool CheckOrigin(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry)
 {
     if (configEntry.AllowAnyOrigin)
     {
         return true;
     }

     // Whole-string, case-insensitive ordinal comparison: no prefix, suffix or pattern matching.
     // NOTE(review): throws if accessRequest.Origin is null - presumably IsCors guarantees
     // an Origin before this is reached; confirm against the caller.
     return accessRequest.Origin.Equals(configEntry.Origin, StringComparison.OrdinalIgnoreCase);
 }
 /// <summary>
 /// Tests the origin of a request against a configuration entry.
 /// </summary>
 /// <param name="accessRequest">The request carrying the Origin value.</param>
 /// <param name="configEntry">The entry supplying AllowAnyOrigin and Origin.</param>
 /// <returns>True when the entry allows any origin or names exactly this origin.</returns>
 private static bool CheckOrigin(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry)
 {
     bool originAccepted;

     if (configEntry.AllowAnyOrigin)
     {
         originAccepted = true;
     }
     else
     {
         // The full origin strings are compared, ignoring case only; nothing partial matches.
         originAccepted = accessRequest.Origin.Equals(configEntry.Origin, StringComparison.OrdinalIgnoreCase);
     }

     return originAccepted;
 }
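 /// <summary>
 /// Sets the allowed-methods list of a preflight response for a non-simple requested method.
 /// </summary>
 /// <param name="accessRequest">The preflight request carrying the requested method.</param>
 /// <param name="configEntry">The configuration entry holding the allowed methods.</param>
 /// <param name="response">The response whose AllowedMethods is set.</param>
 private static void AddAllowedMethods(CorsAccessRequest accessRequest, CorsConfigurationEntry configEntry, CorsAccessResponse response)
 {
     if (!accessRequest.RequestedMethod.IsSimpleMethod())
     {
         if (configEntry.AllowAllMethods)
         {
             response.AllowedMethods = CorsConstants.NotSimpleMethods;
         }
         else
         {
             // ToUpperInvariant rather than ToUpper: the culture-sensitive call changes
             // names containing 'i' under Turkish cultures, so the advertised methods
             // would depend on the server's locale.
             response.AllowedMethods = configEntry.Methods.Select(x => x.ToUpperInvariant()).ToArray();
         }
     }
 }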
Esempio n. 24
        /// <summary>
        /// Builds a configuration entry from allow properties, bound to the request's
        /// resource and origin.
        /// </summary>
        /// <param name="other">The allow properties to copy from.</param>
        /// <param name="accessRequest">The request supplying the entry's Resource and Origin.</param>
        /// <returns>A new entry whose list properties are independent array copies.</returns>
        internal static CorsConfigurationEntry EntryFromAllowProperties(this CorsConfigurationAllowProperties other, CorsAccessRequest accessRequest)
        {
            var converted = new CorsConfigurationEntry
            {
                // Bound to this one request: never a catch-all resource entry, and the
                // origin recorded is the one the request itself presented.
                AllResources = false,
                Resource = accessRequest.Resource,
                Origin = accessRequest.Origin,

                // Allow flags and lists are carried over unchanged.
                AllowAllMethods = other.AllowAllMethods,
                AllowAllRequestedHeaders = other.AllowAllRequestedHeaders,
                AllowAnyOrigin = other.AllowAnyOrigin,
                AllowCookies = other.AllowCookies,
                Methods = other.Methods.ToArray(),
                RequestHeaders = other.RequestHeaders.ToArray(),
                ResponseHeaders = other.ResponseHeaders.ToArray(),
                CacheDuration = other.CacheDuration
            };

            return converted;
        }