PR feedback

Author: JamesNK

src/CORS/samples/SampleDestination/Startup.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
 using System.Net;
+using System.Text;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
@@ -57,15 +58,13 @@ public void ConfigureServices(IServiceCollection services)
 
         public void Configure(IApplicationBuilder app, IHostingEnvironment env)
         {
-            var sampleMiddleware = new SampleMiddleware(context => Task.CompletedTask);
-
             app.UseEndpointRouting(routing =>
             {
-                routing.Map("/allow-origin", sampleMiddleware.Invoke).RequireCors("AllowOrigin");
-                routing.Map("/allow-header-method", sampleMiddleware.Invoke).RequireCors("AllowHeaderMethod");
-                routing.Map("/allow-credentials", sampleMiddleware.Invoke).RequireCors("AllowCredentials");
-                routing.Map("/exposed-header", sampleMiddleware.Invoke).RequireCors("ExposedHeader");
-                routing.Map("/allow-all", sampleMiddleware.Invoke).RequireCors("AllowAll");
+                routing.Map("/allow-origin", HandleRequest).WithCorsPolicy("AllowOrigin");
+                routing.Map("/allow-header-method", HandleRequest).WithCorsPolicy("AllowHeaderMethod");
+                routing.Map("/allow-credentials", HandleRequest).WithCorsPolicy("AllowCredentials");
+                routing.Map("/exposed-header", HandleRequest).WithCorsPolicy("ExposedHeader");
+                routing.Map("/allow-all", HandleRequest).WithCorsPolicy("AllowAll");
             });
 
             app.UseCors();
@@ -77,5 +76,19 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env)
                 await context.Response.WriteAsync("Hello World!");
             });
         }
+
+        private Task HandleRequest(HttpContext context)
+        {
+            var content = Encoding.UTF8.GetBytes("Hello world");
+
+            context.Response.Headers["X-AllowedHeader"] = "Test-Value";
+            context.Response.Headers["X-DisallowedHeader"] = "Test-Value";
+
+            context.Response.ContentType = "text/plain; charset=utf-8";
+            context.Response.ContentLength = content.Length;
+            context.Response.Body.Write(content, 0, content.Length);
+
+            return Task.CompletedTask;
+        }
     }
 }

src/CORS/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsEndpointConventionBuilderExtensions.cs

@@ -1,16 +1,15 @@
 // Copyright (c) .NET Foundation. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
 
+using System;
 using Microsoft.AspNetCore.Cors;
 using Microsoft.AspNetCore.Routing;
-using System;
-using System.Linq;
 
 namespace Microsoft.AspNetCore.Builder
 {
     public static class CorsEndpointConventionBuilderExtensions
     {
-        public static IEndpointConventionBuilder RequireCors(this IEndpointConventionBuilder builder, string policyName)
+        public static IEndpointConventionBuilder WithCorsPolicy(this IEndpointConventionBuilder builder, string policyName)
         {
             if (builder == null)
             {

src/CORS/src/Microsoft.AspNetCore.Cors/Infrastructure/CorsMiddleware.cs

@@ -125,7 +125,24 @@ public Task Invoke(HttpContext context, ICorsPolicyProvider corsPolicyProvider)
 
         private async Task InvokeCore(HttpContext context, ICorsPolicyProvider corsPolicyProvider)
         {
-            var corsPolicy = _policy ?? await corsPolicyProvider.GetPolicyAsync(context, ResolveCorsPolicyName(context));
+            var endpoint = context.GetEndpoint();
+
+            // Get the most significant CORS metadata for the endpoint
+            // For backwards compatibility reasons this is then downcast to Enable/Disable metadata
+            var corsMetadata = endpoint?.Metadata.GetMetadata<ICorsAttribute>();
+            if (corsMetadata is IDisableCorsAttribute)
+            {
+                await _next(context);
+                return;
+            }
+
+            string policyName = _corsPolicyName;
+            if (corsMetadata is IEnableCorsAttribute enableCorsAttribute)
+            {
+                policyName = enableCorsAttribute.PolicyName;
+            }
+
+            var corsPolicy = _policy ?? await corsPolicyProvider.GetPolicyAsync(context, policyName);
             if (corsPolicy == null)
             {
                 Logger?.NoCorsPolicyFound();
@@ -150,12 +167,6 @@ private async Task InvokeCore(HttpContext context, ICorsPolicyProvider corsPolic
             }
         }
 
-        internal string ResolveCorsPolicyName(HttpContext context)
-        {
-            var endpoint = context.GetEndpoint();
-            return endpoint?.Metadata.GetMetadata<IEnableCorsAttribute>()?.PolicyName ?? _corsPolicyName;
-        }
-
         private static Task OnResponseStarting(object state)
         {
             var (middleware, context, result) = (Tuple<CorsMiddleware, HttpContext, CorsResult>)state;

src/CORS/src/Microsoft.AspNetCore.Cors/Infrastructure/ICorsAttribute.cs

@@ -0,0 +1,12 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+namespace Microsoft.AspNetCore.Cors.Infrastructure
+{
+    /// <summary>
+    /// A marker interface which can be used to identify CORS metdata.
+    /// </summary>
+    public interface ICorsAttribute
+    {
+    }
+}

src/CORS/src/Microsoft.AspNetCore.Cors/Infrastructure/IDisableCorsAttribute.cs

@@ -6,7 +6,7 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
     /// <summary>
     /// An interface which can be used to identify a type which provides metdata to disable cors for a resource.
     /// </summary>
-    public interface IDisableCorsAttribute
+    public interface IDisableCorsAttribute : ICorsAttribute
     {
     }
-}
+}

src/CORS/src/Microsoft.AspNetCore.Cors/Infrastructure/IEnableCorsAttribute.cs

@@ -6,11 +6,11 @@ namespace Microsoft.AspNetCore.Cors.Infrastructure
     /// <summary>
     /// An interface which can be used to identify a type which provides metadata needed for enabling CORS support.
     /// </summary>
-    public interface IEnableCorsAttribute
+    public interface IEnableCorsAttribute : ICorsAttribute
     {
         /// <summary>
         /// The name of the policy which needs to be applied.
         /// </summary>
         string PolicyName { get; set; }
     }
-}
+}

src/CORS/test/Microsoft.AspNetCore.Cors.Test/CorsEndpointConventionBuilderExtensionsTests.cs

@@ -0,0 +1,54 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Xunit;
+
+namespace Microsoft.AspNetCore.Cors.Infrastructure
+{
+    public class CorsEndpointConventionBuilderExtensionsTests
+    {
+        [Fact]
+        public void WithCorsPolicy_MetadataAdded()
+        {
+            // Arrange
+            var testConventionBuilder = new TestEndpointConventionBuilder();
+
+            // Act
+            testConventionBuilder.WithCorsPolicy("TestPolicyName");
+
+            // Assert
+            var addCorsPolicy = Assert.Single(testConventionBuilder.Conventions);
+
+            var endpointModel = new TestEndpointModel();
+            addCorsPolicy(endpointModel);
+            var endpoint = endpointModel.Build();
+
+            var metadata = endpoint.Metadata.GetMetadata<IEnableCorsAttribute>();
+            Assert.NotNull(metadata);
+            Assert.Equal("TestPolicyName", metadata.PolicyName);
+        }
+
+        private class TestEndpointModel : EndpointModel
+        {
+            public override Endpoint Build()
+            {
+                return new Endpoint(RequestDelegate, new EndpointMetadataCollection(Metadata), DisplayName);
+            }
+        }
+
+        private class TestEndpointConventionBuilder : IEndpointConventionBuilder
+        {
+            public IList<Action<EndpointModel>> Conventions { get; } = new List<Action<EndpointModel>>();
+
+            public void Apply(Action<EndpointModel> convention)
+            {
+                Conventions.Add(convention);
+            }
+        }
+    }
+}

src/CORS/test/Microsoft.AspNetCore.Cors.Test/CorsMiddlewareTests.cs

@@ -567,47 +567,123 @@ public async Task CorsRequest_SetsResponseHeader_IfExceptionHandlerClearsRespons
         }
 
         [Fact]
-        public void ResolveCorsPolicyName_NoEndpoint_UseDefaultPolicyName()
+        public async Task Invoke_HasEndpointWithNoMetadata_RunsCors()
         {
             // Arrange
-            var middleware = new CorsMiddleware(c => Task.CompletedTask, Mock.Of<ICorsService>(), Mock.Of<ILoggerFactory>(), "DefaultPolicyName");
-            var context = new DefaultHttpContext();
+            var corsService = Mock.Of<ICorsService>();
+            var mockProvider = new Mock<ICorsPolicyProvider>();
+            var loggerFactory = NullLoggerFactory.Instance;
+            mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()))
+                .Returns(Task.FromResult<CorsPolicy>(null))
+                .Verifiable();
+
+            var middleware = new CorsMiddleware(
+                Mock.Of<RequestDelegate>(),
+                corsService,
+                loggerFactory,
+                "DefaultPolicyName");
+
+            var httpContext = new DefaultHttpContext();
+            httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, EndpointMetadataCollection.Empty, "Test endpoint"));
+            httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
 
             // Act
-            var resolvedPolicyName = middleware.ResolveCorsPolicyName(context);
+            await middleware.Invoke(httpContext, mockProvider.Object);
 
             // Assert
-            Assert.Equal("DefaultPolicyName", resolvedPolicyName);
+            mockProvider.Verify(
+                o => o.GetPolicyAsync(It.IsAny<HttpContext>(), "DefaultPolicyName"),
+                Times.Once);
         }
 
         [Fact]
-        public void ResolveCorsPolicyName_EndpointWithoutMetadata_UseDefaultPolicyName()
+        public async Task Invoke_HasEndpointWithEnableMetadata_RunsCorsWithPolicyName()
         {
             // Arrange
-            var middleware = new CorsMiddleware(c => Task.CompletedTask, Mock.Of<ICorsService>(), Mock.Of<ILoggerFactory>(), "DefaultPolicyName");
-            var context = new DefaultHttpContext();
-            context.SetEndpoint(new Endpoint(c => Task.CompletedTask, EndpointMetadataCollection.Empty, "Test endpoint"));
+            var corsService = Mock.Of<ICorsService>();
+            var mockProvider = new Mock<ICorsPolicyProvider>();
+            var loggerFactory = NullLoggerFactory.Instance;
+            mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()))
+                .Returns(Task.FromResult<CorsPolicy>(null))
+                .Verifiable();
+
+            var middleware = new CorsMiddleware(
+                Mock.Of<RequestDelegate>(),
+                corsService,
+                loggerFactory,
+                "DefaultPolicyName");
+
+            var httpContext = new DefaultHttpContext();
+            httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute("MetadataPolicyName")), "Test endpoint"));
+            httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
 
             // Act
-            var resolvedPolicyName = middleware.ResolveCorsPolicyName(context);
+            await middleware.Invoke(httpContext, mockProvider.Object);
 
             // Assert
-            Assert.Equal("DefaultPolicyName", resolvedPolicyName);
+            mockProvider.Verify(
+                o => o.GetPolicyAsync(It.IsAny<HttpContext>(), "MetadataPolicyName"),
+                Times.Once);
         }
 
         [Fact]
-        public void ResolveCorsPolicyName_EndpointWithMetadata_UseDefaultPolicyName()
+        public async Task Invoke_HasEndpointWithDisableMetadata_SkipCors()
         {
             // Arrange
-            var middleware = new CorsMiddleware(c => Task.CompletedTask, Mock.Of<ICorsService>(), Mock.Of<ILoggerFactory>(), "DefaultPolicyName");
-            var context = new DefaultHttpContext();
-            context.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute("MetadataPolicyName")), "Test endpoint"));
+            var corsService = Mock.Of<ICorsService>();
+            var mockProvider = new Mock<ICorsPolicyProvider>();
+            var loggerFactory = NullLoggerFactory.Instance;
+            mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()))
+                .Returns(Task.FromResult<CorsPolicy>(null))
+                .Verifiable();
+
+            var middleware = new CorsMiddleware(
+                Mock.Of<RequestDelegate>(),
+                corsService,
+                loggerFactory,
+                "DefaultPolicyName");
+
+            var httpContext = new DefaultHttpContext();
+            httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new DisableCorsAttribute()), "Test endpoint"));
+            httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
+
+            // Act
+            await middleware.Invoke(httpContext, mockProvider.Object);
+
+            // Assert
+            mockProvider.Verify(
+                o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()),
+                Times.Never);
+        }
+
+        [Fact]
+        public async Task Invoke_HasEndpointWithMutlipleMetadata_SkipCorsBecauseOfMetadataOrder()
+        {
+            // Arrange
+            var corsService = Mock.Of<ICorsService>();
+            var mockProvider = new Mock<ICorsPolicyProvider>();
+            var loggerFactory = NullLoggerFactory.Instance;
+            mockProvider.Setup(o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()))
+                .Returns(Task.FromResult<CorsPolicy>(null))
+                .Verifiable();
+
+            var middleware = new CorsMiddleware(
+                Mock.Of<RequestDelegate>(),
+                corsService,
+                loggerFactory,
+                "DefaultPolicyName");
+
+            var httpContext = new DefaultHttpContext();
+            httpContext.SetEndpoint(new Endpoint(c => Task.CompletedTask, new EndpointMetadataCollection(new EnableCorsAttribute("MetadataPolicyName"), new DisableCorsAttribute()), "Test endpoint"));
+            httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { "http://example.com" });
 
             // Act
-            var resolvedPolicyName = middleware.ResolveCorsPolicyName(context);
+            await middleware.Invoke(httpContext, mockProvider.Object);
 
             // Assert
-            Assert.Equal("MetadataPolicyName", resolvedPolicyName);
+            mockProvider.Verify(
+                o => o.GetPolicyAsync(It.IsAny<HttpContext>(), It.IsAny<string>()),
+                Times.Never);
         }
     }
 }