# community

Roman Levytskyi

08/18/2023, 8:53 AM
Hi guys, for the `cors` block can we use `*` in it?

```yaml
cors:
  allowedOrigins:
  - '*.domain.com'
```

and if so, would the `my.sub.domain.com` be allowed?

oguzhan

08/18/2023, 9:34 AM
Hi, it is possible to use `*` per allowed origin and it matches and allows the `sub.domain.com`. I am not sure about `my.sub.domain.com`. `cerbos/cerbos` uses the `rs/cors` package and I've checked the source code for it and come up with a little test by copying over some logic:
```go
package cors_test

import (
	"strings"
	"testing"

	"github.com/stretchr/testify/require"
)

func TestCors(t *testing.T) {
	rule := "*.domain.com" // the rule given in cerbos configuration
	// if block from https://github.com/rs/cors/blob/066574eebbd0f5f1b6cd1154a160cc292ac1835e/cors.go#L153C21-L153C21
	var wc wildcard
	if i := strings.IndexByte(rule, '*'); i >= 0 {
		wc = wildcard{rule[0:i], rule[i+1:]}
	}

	testCases := []struct {
		domain string
	}{
		{"sub.sub.domain.com"},
		{"sub.domain.com"},
		{"domain.com"}, // bare domain: does not end in ".domain.com", so this case fails
	}

	for _, testCase := range testCases {
		t.Run(testCase.domain, func(t *testing.T) {
			require.True(t, wc.match(testCase.domain))
		})
	}
}

// wildcard struct from https://github.com/rs/cors/blob/066574eebbd0f5f1b6cd1154a160cc292ac1835e/utils.go#L9
type wildcard struct {
	prefix string
	suffix string
}

// wildcard match method from https://github.com/rs/cors/blob/066574eebbd0f5f1b6cd1154a160cc292ac1835e/utils.go#L14
func (w wildcard) match(s string) bool {
	return len(s) >= len(w.prefix)+len(w.suffix) && strings.HasPrefix(s, w.prefix) && strings.HasSuffix(s, w.suffix)
}
```
All of the subdomain cases seem to pass🤞🏻
```
--- FAIL: TestCors (0.00s)
    --- PASS: TestCors/sub.sub.domain.com (0.00s)
    --- PASS: TestCors/sub.domain.com (0.00s)
    --- FAIL: TestCors/domain.com (0.00s)
```

Roman Levytskyi

08/21/2023, 8:26 AM
thank you!