public void CorsPolicy()
{
IClientStore store = Fixture.GetService <IClientStore>();
Client client = CreateClient();
client.AllowedCorsOrigins = new List <string>()
{
"aaa", "bbb"
};
Client result = store.FindClientByIdAsync(client.ClientId).Result;
Assert.Null(result);
Provider.AddClientAsync(client).Wait();
result = store.FindClientByIdAsync(client.ClientId).Result;
Assert.NotNull(result);
ICorsPolicyService cors = Fixture.GetService <ICorsPolicyService>();
Assert.False(cors.IsOriginAllowedAsync("ccc").Result);
Assert.True(cors.IsOriginAllowedAsync("aaa").Result);
}
public async Task IsOriginAllowedAsync()
{
(await _corsPolicyService.IsOriginAllowedAsync("https://client1-origin.com")).ShouldBeTrue();
(await _corsPolicyService.IsOriginAllowedAsync("https://client2-origin.com")).ShouldBeFalse();
(await _corsPolicyService.IsOriginAllowedAsync("https://abp.io")).ShouldBeTrue();
(await _corsPolicyService.IsOriginAllowedAsync("https://t1.abp.io")).ShouldBeTrue();
(await _corsPolicyService.IsOriginAllowedAsync("https://t1.ng.abp.io")).ShouldBeTrue();
}
async Task <CorsPolicy> ProcessAsync(HttpContext context)
{
var origin = context.Request.GetCorsOrigin();
if (origin != null)
{
var path = context.Request.Path;
if (IsPathAllowed(path))
{
_logger.LogDebug("CORS request made for path: {path} from origin: {origin}", path, origin);
if (await _corsPolicyService.IsOriginAllowedAsync(origin))
{
_logger.LogDebug("CorsPolicyService allowed origin: {origin}", origin);
return(Allow(origin));
}
else
{
_logger.LogWarning("CorsPolicyService did not allow origin: {origin}", origin);
}
}
else
{
_logger.LogDebug("CORS request made for path: {path} from origin: {origin} but rejected because invalid CORS path", path, origin);
}
}
return(null);
}
public async Task <CorsPolicy> GetPolicyAsync(HttpContext context, string policyName)
{
var path = context.Request.Path.ToString();
var origin = context.Request.Headers["Origin"].First();
var thisOrigin = context.Request.Scheme + "://" + context.Request.Host;
// see if the Origin is different than this server's origin. if so
// that indicates a proper CORS request. some browsers send Origin
// on POST requests.
// todo: do we still need this check?
if (origin != null && origin != thisOrigin)
{
if (IsPathAllowed(path))
{
_logger.LogInformation("CORS request made for path: {0} from origin: {1}", path, origin);
if (await _corsPolicyService.IsOriginAllowedAsync(origin))
{
_logger.LogInformation("CorsPolicyService allowed origin");
return(Allow(origin));
}
else
{
_logger.LogInformation("CorsPolicyService did not allow origin");
}
}
else
{
_logger.LogWarning("CORS request made for path: {0} from origin: {1} but rejected because invalid CORS path", path, origin);
}
}
return(null);
}
/// <summary>
/// Determines whether origin is allowed.
/// </summary>
/// <param name="origin">The origin.</param>
/// <returns></returns>
public virtual async Task <bool> IsOriginAllowedAsync(string origin)
{
var entry = await CorsCache.GetAsync(origin,
Options.Caching.CorsExpiration,
async() => new CorsCacheEntry(await Inner.IsOriginAllowedAsync(origin)),
Logger);
return(entry.Allowed);
}
public async Task <CorsPolicy> GetPolicyAsync(HttpContext context, string policyName)
{
if (policyName != FabricIdentityConstants.FabricCorsPolicyName)
{
_logger.Information("PolicyName: {policyName} not applicable to FabricCorsPolicyProvider: {PolicyName}", policyName, FabricIdentityConstants.FabricCorsPolicyName);
return(null);
}
var path = context.Request.Path;
if (!path.StartsWithSegments(_allowedBasePath))
{
_logger.Information("Path: {@path} not allowed - not generating CORS policy.", path);
return(null);
}
var origin = context.Request.GetCorsOrigin();
if (origin == null)
{
_logger.Information("No origin specified - not generating a CORS policy.");
return(null);
}
if (!await _corsPolicyService.IsOriginAllowedAsync(origin))
{
_logger.Information("Origin: {origin} not allowed, not specifying a CORS policy.", origin);
return(null);
}
var policyBuilder = new CorsPolicyBuilder()
.WithOrigins(origin)
.AllowAnyHeader()
.AllowAnyMethod();
var corsPolicy = policyBuilder.Build();
_logger.Information("Origin: {origin} is a valid origin, generated {@corsPolicy}", origin, corsPolicy);
return(corsPolicy);
}
public async Task IsOriginAllowedAsync()
{
(await _corsPolicyService.IsOriginAllowedAsync("https://client1-origin.com")).ShouldBeTrue();
(await _corsPolicyService.IsOriginAllowedAsync("https://unknown-origin.com")).ShouldBeFalse();
}
/// <summary>
/// Determines whether origin is allowed.
/// </summary>
/// <param name="origin">The origin.</param>
/// <returns></returns>
public virtual async Task <bool> IsOriginAllowedAsync(string origin)
{
using var activity = Tracing.StoreActivitySource.StartActivity("CachingCorsPolicyService.IsOriginAllowed");
activity?.SetTag(Tracing.Properties.Origin, origin);
var entry = await CorsCache.GetOrAddAsync(origin,
Options.Caching.CorsExpiration,
async() => new CorsCacheEntry(await Inner.IsOriginAllowedAsync(origin)));
return(entry.Allowed);
}
/// <summary>
/// Determines whether origin is allowed.
/// </summary>
/// <param name="origin">The origin.</param>
/// <returns></returns>
public async Task <bool> IsOriginAllowedAsync(string origin)
{
var entry = await _corsCache.GetAsync(origin,
_options.Caching.CorsExpiration,
async() => new CorsCacheEntry(await _inner.IsOriginAllowedAsync(origin)),
_logger);
return(entry.Allowed);
}
