PR feedback

Author: JamesNK

src/CORS/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsMiddleware.cs

@@ -125,6 +125,13 @@ public Task Invoke(HttpContext context, ICorsPolicyProvider corsPolicyProvider)
 
         private async Task InvokeCore(HttpContext context, ICorsPolicyProvider corsPolicyProvider)
         {
+            // CORS policy resolution rules:
+            //
+            // 1. If there is an endpoint with IDisableCorsAttribute then CORS is not run
+            // 2. If there is an endpoint with IEnableCorsAttribute that has a policy name then
+            //    fetch policy by name, prioritizing it above policy on middleware
+            // 3. If there is no policy on middleware then use name on middleware
+
             var endpoint = context.GetEndpoint();
 
             // Get the most significant CORS metadata for the endpoint
@@ -136,13 +143,22 @@ private async Task InvokeCore(HttpContext context, ICorsPolicyProvider corsPolic
                 return;
             }
 
-            string policyName = _corsPolicyName;
-            if (corsMetadata is IEnableCorsAttribute enableCorsAttribute)
+            var corsPolicy = _policy;
+            var policyName = _corsPolicyName;
+            if (corsMetadata is IEnableCorsAttribute enableCorsAttribute &&
+                enableCorsAttribute.PolicyName != null)
             {
+                // If a policy name has been provided on the endpoint metadata then prioritizing it above the static middleware policy
                 policyName = enableCorsAttribute.PolicyName;
+                corsPolicy = null;
+            }
+
+            if (corsPolicy == null)
+            {
+                // Resolve policy by name if the local policy is not being used
+                corsPolicy = await corsPolicyProvider.GetPolicyAsync(context, policyName);
             }
 
-            var corsPolicy = _policy ?? await corsPolicyProvider.GetPolicyAsync(context, policyName);
             if (corsPolicy == null)
             {
                 Logger?.NoCorsPolicyFound();

src/CORS/test/Microsoft.AspNetCore.Cors.Test/CorsMiddlewareTests.cs

@@ -597,7 +597,7 @@ public async Task Invoke_HasEndpointWithNoMetadata_RunsCors()
         }
 
         [Fact]
-        public async Task Invoke_HasEndpointWithEnableMetadata_RunsCorsWithPolicyName()
+        public async Task Invoke_HasEndpointWithEnableMetadata_MiddlewareHasPolicyName_RunsCorsWithPolicyName()
         {
             // Arrange
             var corsService = Mock.Of<ICorsService>();
@@ -626,6 +626,74 @@ public async Task Invoke_HasEndpointWithEnableMetadata_RunsCorsWithPolicyName()
                 Times.Once);
         }
 
+        [Fact]
+        public async Task Invoke_HasEndpointWithEnableMetadata_MiddlewareHasPolicy_RunsCorsWithPolicyName()
+        {
+            // Arrange
+            var policy = new CorsPolicyBuilder().Build();
+            var corsService = Mock.Of<ICorsService>();
+            var mockProvider = new Mock<ICorsPolicyProvider>();
+            var loggerFactory = NullLoggerFactory.Instance;
+            mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()))
+                .Returns(Task.FromResult<CorsPolicy>(null))
+                .Verifiable();
+
+            var middleware = new CorsMiddleware(
+                Mock.Of<RequestDelegate>(),
+                corsService,
+                policy,
+                loggerFactory);
+
+            var httpContext = new DefaultHttpContext();
+            httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute("MetadataPolicyName")), "Test endpoint"));
+            httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
+
+            // Act
+            await middleware.Invoke(httpContext, mockProvider.Object);
+
+            // Assert
+            mockProvider.Verify(
+                o => o.GetPolicyAsync(It.IsAny<HttpContext>(), "MetadataPolicyName"),
+                Times.Once);
+        }
+
+        [Fact]
+        public async Task Invoke_HasEndpointWithEnableMetadataWithNoName_RunsCorsWithStaticPolicy()
+        {
+            // Arrange
+            var policy = new CorsPolicyBuilder().Build();
+            var mockCorsService = new Mock<ICorsService>();
+            var mockProvider = new Mock<ICorsPolicyProvider>();
+            var loggerFactory = NullLoggerFactory.Instance;
+            mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()))
+                .Returns(Task.FromResult<CorsPolicy>(null))
+                .Verifiable();
+            mockCorsService.Setup(o => o.EvaluatePolicy(It.IsAny<HttpContext>(), It.IsAny<CorsPolicy>()))
+                .Returns(new CorsResult())
+                .Verifiable();
+
+            var middleware = new CorsMiddleware(
+                Mock.Of<RequestDelegate>(),
+                mockCorsService.Object,
+                policy,
+                loggerFactory);
+
+            var httpContext = new DefaultHttpContext();
+            httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute()), "Test endpoint"));
+            httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
+
+            // Act
+            await middleware.Invoke(httpContext, mockProvider.Object);
+
+            // Assert
+            mockProvider.Verify(
+                o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()),
+                Times.Never);
+            mockCorsService.Verify(
+                o => o.EvaluatePolicy(It.IsAny<HttpContext>(), policy),
+                Times.Once);
+        }
+
         [Fact]
         public async Task Invoke_HasEndpointWithDisableMetadata_SkipCors()
         {