[v16] Add CORS policy to app spec (#46389)

gravitational · Sep 18, 2024 · 34874e7 · 34874e7
1 parent 626c618
commit 34874e7
Show file tree

Hide file tree

Showing 13 changed files with 3,553 additions and 2,327 deletions.
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
@@ -944,6 +944,22 @@ message AppV3 {
   ];
 }
 
+// CORSPolicy defines the CORS policy for AppSpecV3
+message CORSPolicy {
+  // allowed_origins specifies which origins are allowed to access the app.
+  repeated string allowed_origins = 1 [(gogoproto.jsontag) = "allowed_origins,omitempty"];
+  // allowed_methods specifies which methods are allowed when accessing the app.
+  repeated string allowed_methods = 2 [(gogoproto.jsontag) = "allowed_methods,omitempty"];
+  // allowed_headers specifies which headers can be used when accessing the app.
+  repeated string allowed_headers = 3 [(gogoproto.jsontag) = "allowed_headers,omitempty"];
+  // allow_credentials indicates whether credentials are allowed.
+  bool allow_credentials = 4 [(gogoproto.jsontag) = "allow_credentials,omitempty"];
+  // max_age indicates how long (in seconds) the results of a preflight request can be cached.
+  uint32 max_age = 5 [(gogoproto.jsontag) = "max_age,omitempty"];
+  // exposed_headers indicates which headers are made available to scripts via the browser.
+  repeated string exposed_headers = 6 [(gogoproto.jsontag) = "exposed_headers,omitempty"];
+}
+
 // AppSpecV3 is the AppV3 resource spec.
 message AppSpecV3 {
   // URI is the web app endpoint.
@@ -972,6 +988,8 @@ message AppSpecV3 {
   // RequiredAppNames is a list of app names that are required for this app to function. Any app listed here will
   // be part of the authentication redirect flow and authenticate along side this app.
   repeated string RequiredAppNames = 10 [(gogoproto.jsontag) = "required_app_names,omitempty"];
+  // CORSPolicy defines the Cross-Origin Resource Sharing settings for the app.
+  CORSPolicy CORS = 11 [(gogoproto.jsontag) = "cors,omitempty"];
 }
 
 // AppServerOrSAMLIdPServiceProviderV1 holds either an AppServerV3 or a SAMLIdPServiceProviderV1 resource (never both).

diff --git a/api/types/app.go b/api/types/app.go
@@ -84,6 +84,8 @@ type Application interface {
 	GetIntegration() string
 	// GetRequiredAppNames will return a list of required apps names that should be authenticated during this apps authentication process.
 	GetRequiredAppNames() []string
+	// GetCORS returns the CORS configuration for the app.
+	GetCORS() *CORSPolicy
 }
 
 // NewAppV3 creates a new app resource.
@@ -325,6 +327,10 @@ func (a *AppV3) GetRequiredAppNames() []string {
 	return a.Spec.RequiredAppNames
 }
 
+func (a *AppV3) GetCORS() *CORSPolicy {
+	return a.Spec.CORS
+}
+
 // MatchSearch goes through select field values and tries to
 // match against the list of search values.
 func (a *AppV3) MatchSearch(values []string) bool {

diff --git a/api/types/app_test.go b/api/types/app_test.go
@@ -388,6 +388,71 @@ func TestNewAppV3(t *testing.T) {
 			},
 			wantErr: require.NoError,
 		},
+		{
+			name: "app with required apps list",
+			meta: Metadata{Name: "clientapp"},
+			spec: AppSpecV3{RequiredAppNames: []string{"api22"}, URI: "example.com"},
+			want: &AppV3{
+				Kind:     "app",
+				Version:  "v3",
+				Metadata: Metadata{Name: "clientapp", Namespace: "default"},
+				Spec:     AppSpecV3{RequiredAppNames: []string{"api22"}, URI: "example.com"},
+			},
+			wantErr: require.NoError,
+		},
+		{
+			name: "app with basic CORS policy",
+			meta: Metadata{Name: "api22"},
+			spec: AppSpecV3{
+				URI: "example.com",
+				CORS: &CORSPolicy{
+					AllowedOrigins:   []string{"https://client.example.com"},
+					AllowedMethods:   []string{"GET", "POST"},
+					AllowedHeaders:   []string{"Content-Type", "Authorization"},
+					AllowCredentials: true,
+					MaxAge:           86400,
+				},
+			},
+			want: &AppV3{
+				Kind:    "app",
+				Version: "v3",
+				Metadata: Metadata{
+					Name:      "api22",
+					Namespace: "default",
+				},
+				Spec: AppSpecV3{
+					URI: "example.com",
+					CORS: &CORSPolicy{
+						AllowedOrigins:   []string{"https://client.example.com"},
+						AllowedMethods:   []string{"GET", "POST"},
+						AllowedHeaders:   []string{"Content-Type", "Authorization"},
+						AllowCredentials: true,
+						MaxAge:           86400,
+					},
+				},
+			},
+			wantErr: require.NoError,
+		},
+		{
+			name: "app with no CORS policy",
+			meta: Metadata{Name: "api22"},
+			spec: AppSpecV3{
+				URI: "example.com",
+			},
+			want: &AppV3{
+				Kind:    "app",
+				Version: "v3",
+				Metadata: Metadata{
+					Name:      "api22",
+					Namespace: "default",
+				},
+				Spec: AppSpecV3{
+					URI: "example.com",
+					// CORS is nil, indicating no CORS policy
+				},
+			},
+			wantErr: require.NoError,
+		},
 		{
 			name:    "invalid cloud identifier",
 			meta:    Metadata{Name: "dummy"},

diff --git a/api/types/derived.gen.go b/api/types/derived.gen.go