fix: cors handling after gorilla mux update (#9980)

fixes #9979
4 years ago · 93e7e4a0e5
parent c2f7cd1104
commit 93e7e4a0e5
3 changed files with 53 additions and 51 deletions
--- a/cmd/api-router.go
+++ b/cmd/api-router.go
@ -21,6 +21,8 @@ import (

 	"github.com/gorilla/mux"
 	xhttp "github.com/minio/minio/cmd/http"
+	"github.com/minio/minio/pkg/wildcard"
+	"github.com/rs/cors"
 )

 func newHTTPServerFn() *xhttp.Server {
@ -290,8 +292,58 @@ func registerAPIRouter(router *mux.Router, encryptionEnabled, allowSSEKMS bool)
 	apiRouter.Methods(http.MethodGet).Path(SlashSeparator + SlashSeparator).HandlerFunc(
 		maxClients(collectAPIStats("listbuckets", httpTraceAll(api.ListBucketsHandler))))

+	// Supports cors only for S3 handlers
+	apiRouter.Methods(http.MethodOptions).Path(SlashSeparator).HandlerFunc(
+		maxClients(collectAPIStats("cors", httpTraceAll(corsHandlerFunc()))))
+
+	apiRouter.Methods(http.MethodOptions).Path(SlashSeparator + SlashSeparator).HandlerFunc(
+		maxClients(collectAPIStats("cors", httpTraceAll(corsHandlerFunc()))))
+
 	// If none of the routes match add default error handler routes
 	apiRouter.NotFoundHandler = http.HandlerFunc(collectAPIStats("notfound", httpTraceAll(errorResponseHandler)))
 	apiRouter.MethodNotAllowedHandler = http.HandlerFunc(collectAPIStats("methodnotallowed", httpTraceAll(errorResponseHandler)))

 }
+
+// setCorsHandler handler for CORS (Cross Origin Resource Sharing)
+func corsHandlerFunc() http.HandlerFunc {
+	commonS3Headers := []string{
+		xhttp.Date,
+		xhttp.ETag,
+		xhttp.ServerInfo,
+		xhttp.Connection,
+		xhttp.AcceptRanges,
+		xhttp.ContentRange,
+		xhttp.ContentEncoding,
+		xhttp.ContentLength,
+		xhttp.ContentType,
+		"X-Amz*",
+		"x-amz*",
+		"*",
+	}
+
+	c := cors.New(cors.Options{
+		AllowOriginFunc: func(origin string) bool {
+			for _, allowedOrigin := range globalAPIConfig.getCorsAllowOrigins() {
+				if wildcard.MatchSimple(allowedOrigin, origin) {
+					return true
+				}
+			}
+			return false
+		},
+		AllowedMethods: []string{
+			http.MethodGet,
+			http.MethodPut,
+			http.MethodHead,
+			http.MethodPost,
+			http.MethodDelete,
+			http.MethodOptions,
+			http.MethodPatch,
+		},
+		AllowedHeaders:   commonS3Headers,
+		ExposedHeaders:   commonS3Headers,
+		AllowCredentials: true,
+	})
+
+	return c.HandlerFunc
+}
--- a/cmd/generic-handlers.go
+++ b/cmd/generic-handlers.go
@ -30,8 +30,6 @@ import (
 	"github.com/minio/minio/cmd/http/stats"
 	"github.com/minio/minio/cmd/logger"
 	"github.com/minio/minio/pkg/handlers"
-	"github.com/minio/minio/pkg/wildcard"
-	"github.com/rs/cors"
 )

 // MiddlewareFunc - useful to chain different http.Handler middlewares
@ -394,49 +392,6 @@ type resourceHandler struct {
 	handler http.Handler
 }

-// setCorsHandler handler for CORS (Cross Origin Resource Sharing)
-func setCorsHandler(h http.Handler) http.Handler {
-	commonS3Headers := []string{
-		xhttp.Date,
-		xhttp.ETag,
-		xhttp.ServerInfo,
-		xhttp.Connection,
-		xhttp.AcceptRanges,
-		xhttp.ContentRange,
-		xhttp.ContentEncoding,
-		xhttp.ContentLength,
-		xhttp.ContentType,
-		"X-Amz*",
-		"x-amz*",
-		"*",
-	}
-
-	c := cors.New(cors.Options{
-		AllowOriginFunc: func(origin string) bool {
-			for _, allowedOrigin := range globalAPIConfig.getCorsAllowOrigins() {
-				if wildcard.MatchSimple(allowedOrigin, origin) {
-					return true
-				}
-			}
-			return false
-		},
-		AllowedMethods: []string{
-			http.MethodGet,
-			http.MethodPut,
-			http.MethodHead,
-			http.MethodPost,
-			http.MethodDelete,
-			http.MethodOptions,
-			http.MethodPatch,
-		},
-		AllowedHeaders:   commonS3Headers,
-		ExposedHeaders:   commonS3Headers,
-		AllowCredentials: true,
-	})
-
-	return c.Handler(h)
-}
-
 // setIgnoreResourcesHandler -
 // Ignore resources handler is wrapper handler used for API request resource validation
 // Since we do not support all the S3 queries, it is necessary for us to throw back a
--- a/cmd/routers.go
+++ b/cmd/routers.go
@ -63,8 +63,6 @@ var globalHandlers = []MiddlewareFunc{
 	setBrowserCacheControlHandler,
 	// Validates all incoming requests to have a valid date header.
 	setTimeValidityHandler,
-	// CORS setting for all browser API requests.
-	setCorsHandler,
 	// Validates all incoming URL resources, for invalid/unsupported
 	// resources client receives a HTTP error.
 	setIgnoreResourcesHandler,
@ -114,10 +112,7 @@ func configureServerHandler(endpointZones EndpointZones) (http.Handler, error) {
 	// but don't allow SSE-KMS.
 	registerAPIRouter(router, true, false)

-	// If none of the routes match add default error handler routes
-	router.NotFoundHandler = http.HandlerFunc(httpTraceAll(errorResponseHandler))
-	router.MethodNotAllowedHandler = http.HandlerFunc(httpTraceAll(errorResponseHandler))
-
 	router.Use(registerMiddlewares)
+
 	return router, nil
 }