Update CORS middleware to use endpoint metadata

Author: JamesNK

src/Middleware/CORS/samples/SampleDestination/Program.cs

@@ -1,6 +1,7 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using System.IO;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.Extensions.Logging;
@@ -11,12 +12,30 @@ public class Program
     {
         public static void Main(string[] args)
         {
+            Type startupType = null;
+
+            var startup = Environment.GetEnvironmentVariable("CORS_STARTUP");
+            switch (startup)
+            {
+                case "Startup":
+                    startupType = typeof(Startup);
+                    break;
+                case "StartupWithoutEndpointRouting":
+                    startupType = typeof(StartupWithoutEndpointRouting);
+                    break;
+            }
+
+            if (startupType == null)
+            {
+                throw new InvalidOperationException("Could not resolve the startup type. Unexpected CORS_STARTUP environment variable.");
+            }
+
             var host = new WebHostBuilder()
                 .UseKestrel()
                 .UseUrls("http://+:9000")
                 .UseContentRoot(Directory.GetCurrentDirectory())
                 .ConfigureLogging(factory => factory.AddConsole())
-                .UseStartup<Startup>()
+                .UseStartup(startupType)
                 .Build();
 
             host.Run();

src/Middleware/CORS/samples/SampleDestination/Startup.cs

@@ -1,7 +1,6 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
-using System;
 using System.Net;
 using System.Text;
 using System.Threading.Tasks;
@@ -26,66 +25,70 @@ public Startup(ILoggerFactory loggerFactory)
 
         public void ConfigureServices(IServiceCollection services)
         {
-            services.AddCors();
-        }
-
-        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
-        {
-            app.Map("/allow-origin", innerBuilder =>
+            services.AddCors(options =>
             {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("AllowOrigin", policy => policy
                     .WithOrigins(DefaultAllowedOrigin)
                     .AllowAnyMethod()
                     .AllowAnyHeader());
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
-            });
-
-            app.Map("/allow-header-method", innerBuilder =>
-            {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("AllowHeaderMethod", policy => policy
                     .WithOrigins(DefaultAllowedOrigin)
                     .WithHeaders("X-Test", "Content-Type")
                     .WithMethods("PUT"));
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
-            });
-
-            app.Map("/allow-credentials", innerBuilder =>
-            {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("AllowCredentials", policy => policy
                     .WithOrigins(DefaultAllowedOrigin)
                     .AllowAnyHeader()
                     .WithMethods("GET", "PUT")
                     .AllowCredentials());
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
-            });
-
-            app.Map("/exposed-header", innerBuilder =>
-            {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("ExposedHeader", policy => policy
                     .WithOrigins(DefaultAllowedOrigin)
                     .WithExposedHeaders("X-AllowedHeader", "Content-Length"));
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
-            });
-
-            app.Map("/allow-all", innerBuilder =>
-            {
-                innerBuilder.UseCors(policy => policy
+                options.AddPolicy("AllowAll", policy => policy
                     .AllowAnyOrigin()
                     .AllowAnyMethod()
                     .AllowAnyHeader()
                     .AllowCredentials());
+            });
+            services.AddRouting();
+        }
 
-                innerBuilder.UseMiddleware<SampleMiddleware>();
+        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+        {
+            app.UseRouting(routing =>
+            {
+                routing.Map("/allow-origin", HandleRequest).WithCorsPolicy("AllowOrigin");
+                routing.Map("/allow-header-method", HandleRequest).WithCorsPolicy("AllowHeaderMethod");
+                routing.Map("/allow-credentials", HandleRequest).WithCorsPolicy("AllowCredentials");
+                routing.Map("/exposed-header", HandleRequest).WithCorsPolicy("ExposedHeader");
+                routing.Map("/allow-all", HandleRequest).WithCorsPolicy("AllowAll");
             });
 
+            app.UseCors();
+
+            app.UseEndpoint();
+
             app.Run(async (context) =>
             {
                 await context.Response.WriteAsync("Hello World!");
             });
         }
+
+        private Task HandleRequest(HttpContext context)
+        {
+            var content = Encoding.UTF8.GetBytes("Hello world");
+
+            context.Response.Headers["X-AllowedHeader"] = "Test-Value";
+            context.Response.Headers["X-DisallowedHeader"] = "Test-Value";
+
+            context.Response.ContentType = "text/plain; charset=utf-8";
+            context.Response.ContentLength = content.Length;
+            context.Response.Body.Write(content, 0, content.Length);
+
+            return Task.CompletedTask;
+        }
     }
 }

src/Middleware/CORS/samples/SampleDestination/StartupWithoutEndpointRouting.cs

@@ -0,0 +1,88 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Net;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace SampleDestination
+{
+    public class StartupWithoutEndpointRouting
+    {
+        private static readonly string DefaultAllowedOrigin = $"http://{Dns.GetHostName()}:9001";
+        private readonly ILogger<StartupWithoutEndpointRouting> _logger;
+
+        public StartupWithoutEndpointRouting(ILoggerFactory loggerFactory)
+        {
+            _logger = loggerFactory.CreateLogger<StartupWithoutEndpointRouting>();
+            _logger.LogInformation($"Setting up CORS middleware to allow clients on {DefaultAllowedOrigin}");
+        }
+
+        public void ConfigureServices(IServiceCollection services)
+        {
+            services.AddCors();
+        }
+
+        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
+        {
+            app.Map("/allow-origin", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .WithOrigins(DefaultAllowedOrigin)
+                    .AllowAnyMethod()
+                    .AllowAnyHeader());
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Map("/allow-header-method", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .WithOrigins(DefaultAllowedOrigin)
+                    .WithHeaders("X-Test", "Content-Type")
+                    .WithMethods("PUT"));
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Map("/allow-credentials", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .WithOrigins(DefaultAllowedOrigin)
+                    .AllowAnyHeader()
+                    .WithMethods("GET", "PUT")
+                    .AllowCredentials());
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Map("/exposed-header", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .WithOrigins(DefaultAllowedOrigin)
+                    .WithExposedHeaders("X-AllowedHeader", "Content-Length"));
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Map("/allow-all", innerBuilder =>
+            {
+                innerBuilder.UseCors(policy => policy
+                    .AllowAnyOrigin()
+                    .AllowAnyMethod()
+                    .AllowAnyHeader()
+                    .AllowCredentials());
+
+                innerBuilder.UseMiddleware<SampleMiddleware>();
+            });
+
+            app.Run(async (context) =>
+            {
+                await context.Response.WriteAsync("Hello World!");
+            });
+        }
+    }
+}

src/Middleware/CORS/samples/SampleOrigin/Program.cs

@@ -1,4 +1,4 @@
-// Copyright (c) .NET Foundation. All rights reserved.
+// Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.IO;

src/Middleware/CORS/src/Infrastructure/CorsEndpointConventionBuilderExtensions.cs

@@ -0,0 +1,26 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using Microsoft.AspNetCore.Cors;
+using Microsoft.AspNetCore.Routing;
+
+namespace Microsoft.AspNetCore.Builder
+{
+    public static class CorsEndpointConventionBuilderExtensions
+    {
+        public static IEndpointConventionBuilder WithCorsPolicy(this IEndpointConventionBuilder builder, string policyName)
+        {
+            if (builder == null)
+            {
+                throw new ArgumentNullException(nameof(builder));
+            }
+
+            builder.Apply(endpointBuilder =>
+            {
+                endpointBuilder.Metadata.Add(new EnableCorsAttribute(policyName));
+            });
+            return builder;
+        }
+    }
+}

src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs

@@ -5,6 +5,7 @@
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Cors.Internal;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Endpoints;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
 
@@ -124,7 +125,40 @@ public Task Invoke(HttpContext context, ICorsPolicyProvider corsPolicyProvider)
 
         private async Task InvokeCore(HttpContext context, ICorsPolicyProvider corsPolicyProvider)
         {
-            var corsPolicy = _policy ?? await corsPolicyProvider.GetPolicyAsync(context, _corsPolicyName);
+            // CORS policy resolution rules:
+            //
+            // 1. If there is an endpoint with IDisableCorsAttribute then CORS is not run
+            // 2. If there is an endpoint with IEnableCorsAttribute that has a policy name then
+            //    fetch policy by name, prioritizing it above policy on middleware
+            // 3. If there is no policy on middleware then use name on middleware
+
+            var endpoint = context.GetEndpoint();
+
+            // Get the most significant CORS metadata for the endpoint
+            // For backwards compatibility reasons this is then downcast to Enable/Disable metadata
+            var corsMetadata = endpoint?.Metadata.GetMetadata<ICorsAttribute>();
+            if (corsMetadata is IDisableCorsAttribute)
+            {
+                await _next(context);
+                return;
+            }
+
+            var corsPolicy = _policy;
+            var policyName = _corsPolicyName;
+            if (corsMetadata is IEnableCorsAttribute enableCorsAttribute &&
+                enableCorsAttribute.PolicyName != null)
+            {
+                // If a policy name has been provided on the endpoint metadata then prioritizing it above the static middleware policy
+                policyName = enableCorsAttribute.PolicyName;
+                corsPolicy = null;
+            }
+
+            if (corsPolicy == null)
+            {
+                // Resolve policy by name if the local policy is not being used
+                corsPolicy = await corsPolicyProvider.GetPolicyAsync(context, policyName);
+            }
+
             if (corsPolicy == null)
             {
                 Logger?.NoCorsPolicyFound();

src/Middleware/CORS/src/Infrastructure/ICorsAttribute.cs

@@ -0,0 +1,12 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNetCore.Cors.Infrastructure
+{
+    /// <summary>
+    /// A marker interface which can be used to identify CORS metdata.
+    /// </summary>
+    public interface ICorsAttribute
+    {
+    }
+}

src/Middleware/CORS/src/Infrastructure/IDisableCorsAttribute.cs

@@ -6,7 +6,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
     /// <summary>
     /// An interface which can be used to identify a type which provides metdata to disable cors for a resource.
     /// </summary>
-    public interface IDisableCorsAttribute
+    public interface IDisableCorsAttribute : ICorsAttribute
     {
     }
-}
+}

src/Middleware/CORS/src/Infrastructure/IEnableCorsAttribute.cs

@@ -6,11 +6,11 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
     /// <summary>
     /// An interface which can be used to identify a type which provides metadata needed for enabling CORS support.
     /// </summary>
-    public interface IEnableCorsAttribute
+    public interface IEnableCorsAttribute : ICorsAttribute
     {
         /// <summary>
         /// The name of the policy which needs to be applied.
         /// </summary>
         string PolicyName { get; set; }
     }
-}
+}