From 93e7e4a0e517fb99a24362c7a189b2168ce0e73b Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Mon, 6 Jul 2020 20:55:19 -0700
Subject: [PATCH] fix: cors handling after gorilla mux update (#9980)

fixes #9979
---
 cmd/api-router.go | 52 +++++++++++++++++++++++++++++++++++++++++
 cmd/generic-handlers.go | 45 -----------------------------------
 cmd/routers.go | 7 +-----
 3 files changed, 53 insertions(+), 51 deletions(-)

diff --git a/cmd/api-router.go b/cmd/api-router.go
index cfd26e7f7..397d6fe75 100644
--- a/cmd/api-router.go
+++ b/cmd/api-router.go
@@ -21,6 +21,8 @@ import (
 "github.com/gorilla/mux"
 xhttp "github.com/minio/minio/cmd/http"
+ "github.com/minio/minio/pkg/wildcard"
+ "github.com/rs/cors"
 )
 func newHTTPServerFn() *xhttp.Server {
@@ -290,8 +292,58 @@ func registerAPIRouter(router *mux.Router, encryptionEnabled, allowSSEKMS bool)
 apiRouter.Methods(http.MethodGet).Path(SlashSeparator + SlashSeparator).HandlerFunc(
 maxClients(collectAPIStats("listbuckets", httpTraceAll(api.ListBucketsHandler))))
+ // Supports cors only for S3 handlers
+ apiRouter.Methods(http.MethodOptions).Path(SlashSeparator).HandlerFunc(
+ maxClients(collectAPIStats("cors", httpTraceAll(corsHandlerFunc()))))
+
+ apiRouter.Methods(http.MethodOptions).Path(SlashSeparator + SlashSeparator).HandlerFunc(
+ maxClients(collectAPIStats("cors", httpTraceAll(corsHandlerFunc()))))
+
 // If none of the routes match add default error handler routes
 apiRouter.NotFoundHandler = http.HandlerFunc(collectAPIStats("notfound", httpTraceAll(errorResponseHandler)))
 apiRouter.MethodNotAllowedHandler = http.HandlerFunc(collectAPIStats("methodnotallowed", httpTraceAll(errorResponseHandler)))
 }
+
+// setCorsHandler handler for CORS (Cross Origin Resource Sharing)
+func corsHandlerFunc() http.HandlerFunc {
+ commonS3Headers := []string{
+ xhttp.Date,
+ xhttp.ETag,
+ xhttp.ServerInfo,
+ xhttp.Connection,
+ xhttp.AcceptRanges,
+ xhttp.ContentRange,
+ xhttp.ContentEncoding,
+ xhttp.ContentLength,
+ xhttp.ContentType,
+ "X-Amz*",
+ "x-amz*",
+ "*",
+ }
+
+ c := cors.New(cors.Options{
+ AllowOriginFunc: func(origin string) bool {
+ for _, allowedOrigin := range globalAPIConfig.getCorsAllowOrigins() {
+ if wildcard.MatchSimple(allowedOrigin, origin) {
+ return true
+ }
+ }
+ return false
+ },
+ AllowedMethods: []string{
+ http.MethodGet,
+ http.MethodPut,
+ http.MethodHead,
+ http.MethodPost,
+ http.MethodDelete,
+ http.MethodOptions,
+ http.MethodPatch,
+ },
+ AllowedHeaders: commonS3Headers,
+ ExposedHeaders: commonS3Headers,
+ AllowCredentials: true,
+ })
+
+ return c.HandlerFunc
+}
diff --git a/cmd/generic-handlers.go b/cmd/generic-handlers.go
index 7bce4fd5d..e8e642696 100644
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
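Review bot: In `corsHandlerFunc` (cmd/api-router.go), `AllowCredentials: true` is paired with an `AllowOriginFunc` that accepts any origin matching a configured pattern through `wildcard.MatchSimple`, so a permissive entry such as `*` from `getCorsAllowOrigins()` (its default is not visible in this hunk) would let every requesting origin pass with credentials allowed. This is carried over unchanged from the removed `setCorsHandler`, but it deserves at least a comment above the option, e.g. `// credentials are allowed for every origin matching the configured patterns; avoid a bare "*" there`, or a check that refuses credentials when the list holds a bare `*`. Separately, the handler is now mounted only on `OPTIONS /` and `OPTIONS //` while `setCorsHandler` leaves the global middleware list, so unless routes outside this hunk also wrap it, preflights for bucket and object paths and all non-OPTIONS responses would go out without CORS headers. The doc comment still opens with the old name and should read `// corsHandlerFunc returns the handler for CORS (Cross Origin Resource Sharing)`.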
@@ -30,8 +30,6 @@ import (
 "github.com/minio/minio/cmd/http/stats"
 "github.com/minio/minio/cmd/logger"
 "github.com/minio/minio/pkg/handlers"
- "github.com/minio/minio/pkg/wildcard"
- "github.com/rs/cors"
 )
 // MiddlewareFunc - useful to chain different http.Handler middlewares
@@ -394,49 +392,6 @@ type resourceHandler struct {
 handler http.Handler
 }
-// setCorsHandler handler for CORS (Cross Origin Resource Sharing)
-func setCorsHandler(h http.Handler) http.Handler {
- commonS3Headers := []string{
- xhttp.Date,
- xhttp.ETag,
- xhttp.ServerInfo,
- xhttp.Connection,
- xhttp.AcceptRanges,
- xhttp.ContentRange,
- xhttp.ContentEncoding,
- xhttp.ContentLength,
- xhttp.ContentType,
- "X-Amz*",
- "x-amz*",
- "*",
- }
-
- c := cors.New(cors.Options{
- AllowOriginFunc: func(origin string) bool {
- for _, allowedOrigin := range globalAPIConfig.getCorsAllowOrigins() {
- if wildcard.MatchSimple(allowedOrigin, origin) {
- return true
- }
- }
- return false
- },
- AllowedMethods: []string{
- http.MethodGet,
- http.MethodPut,
- http.MethodHead,
- http.MethodPost,
- http.MethodDelete,
- http.MethodOptions,
- http.MethodPatch,
- },
- AllowedHeaders: commonS3Headers,
- ExposedHeaders: commonS3Headers,
- AllowCredentials: true,
- })
-
- return c.Handler(h)
-}
-
 // setIgnoreResourcesHandler -
 // Ignore resources handler is wrapper handler used for API request resource validation
 // Since we do not support all the S3 queries, it is necessary for us to throw back a
diff --git a/cmd/routers.go b/cmd/routers.go
index 85a137cdc..64e2977f0 100644
--- a/cmd/routers.go
+++ b/cmd/routers.go
@@ -63,8 +63,6 @@ var globalHandlers = []MiddlewareFunc{
 setBrowserCacheControlHandler,
 // Validates all incoming requests to have a valid date header.
 setTimeValidityHandler,
- // CORS setting for all browser API requests.
- setCorsHandler,
 // Validates all incoming URL resources, for invalid/unsupported
 // resources client receives a HTTP error.
 setIgnoreResourcesHandler,
@@ -114,10 +112,7 @@ func configureServerHandler(endpointZones EndpointZones) (http.Handler, error) { // but don't allow SSE-KMS. registerAPIRouter(router, true, false) - // If none of the routes match add default error handler routes - router.NotFoundHandler = http.HandlerFunc(httpTraceAll(errorResponseHandler)) - router.MethodNotAllowedHandler = http.HandlerFunc(httpTraceAll(errorResponseHandler)) - router.Use(registerMiddlewares) + return router, nil }