Support Cors handling for HTTP endpoint

Signed-off-by: Hiroshi Hatake <[email protected]>

Author: cosmo0920

config.go

@@ -33,6 +33,22 @@ func loadTLSConfig(cfg TLSSettings) (*tls.Config, error) {
 	return tlsConfig, nil
 }
 
+func parseCorsConfig(cfg *Config, conf plugin.ConfigLoader) (*Config, error) {
+	if cfg == nil {
+		return nil, errors.New("cfg must not nil")
+	}
+	if corsStr := conf.String("server.cors.allowed_origins"); corsStr != "" {
+		for _, origin := range strings.Split(corsStr, ",") {
+			trimmedOrigin := strings.TrimSpace(origin)
+			if trimmedOrigin != "" { // Only append non-empty origins
+				cfg.ServerCors.AllowedOrigins = append(cfg.ServerCors.AllowedOrigins, trimmedOrigin)
+			}
+		}
+	}
+
+	return cfg, nil
+}
+
 func loadConfig(fbit *plugin.Fluentbit) (*Config, error) {
 	log := fbit.Logger
 	cfg := &Config{
@@ -45,6 +61,12 @@ func loadConfig(fbit *plugin.Fluentbit) (*Config, error) {
 		ServerGrpcListenAddr: fbit.Conf.String("server.grpc.listen_addr"),
 		ServerHeaders:        parseHeaders(fbit.Conf.String("server.headers")),
 	}
+
+	cfg, err := parseCorsConfig(cfg, fbit.Conf)
+	if err != nil {
+		return nil, err
+	}
+
 	if cfg.Mode == "" {
 		cfg.Mode = "all"
 	}

config_test.go

@@ -129,6 +129,69 @@ func Test_loadConfig_ModeServer(t *testing.T) {
 	})
 }
 
+func Test_loadConfig_CORS(t *testing.T) {
+	testCases := []struct {
+		name            string
+		inputConf       map[string]string
+		expectedOrigins []string
+	}{
+		{
+			name: "multiple origins with spaces",
+			inputConf: map[string]string{
+				"server.cors.allowed_origins": "http://localhost:3000, https://my-app.com",
+			},
+			expectedOrigins: []string{"http://localhost:3000", "https://my-app.com"},
+		},
+		{
+			name: "single origin",
+			inputConf: map[string]string{
+				"server.cors.allowed_origins": "https://my-app.com",
+			},
+			expectedOrigins: []string{"https://my-app.com"},
+		},
+		{
+			name: "wildcard origin",
+			inputConf: map[string]string{
+				"server.cors.allowed_origins": "*",
+			},
+			expectedOrigins: []string{"*"},
+		},
+		{
+			name:            "config key not present",
+			inputConf:       map[string]string{}, // The key is missing entirely
+			expectedOrigins: nil,                 // Expect a nil slice, not an empty one
+		},
+		{
+			name: "config key is an empty string",
+			inputConf: map[string]string{
+				"server.cors.allowed_origins": "",
+			},
+			expectedOrigins: nil,
+		},
+		{
+			name: "malformed string with extra spaces and commas",
+			inputConf: map[string]string{
+				"server.cors.allowed_origins": "  http://a.com, ,https://b.com  ,",
+			},
+			expectedOrigins: []string{"http://a.com", "https://b.com"},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			// Arrange: Create a fresh config and mock loader for each test.
+			cfg := &Config{}
+			conf := mapConfigLoader(tc.inputConf)
+
+			// Act: Call the function we are testing.
+			parseCorsConfig(cfg, conf)
+
+			// Assert: Check if the result matches the expectation.
+			assert.Equal(t, tc.expectedOrigins, cfg.ServerCors.AllowedOrigins)
+		})
+	}
+}
+
 func Test_loadConfig_Server_Defaults(t *testing.T) {
 	t.Run("server mode applies defaults for retry and keepalive", func(t *testing.T) {
 		fbit := &plugin.Fluentbit{

custom_jaeger_remote.go

@@ -50,6 +50,10 @@ type clientComponent struct {
 	tracerProvider *sdktrace.TracerProvider
 }
 
+type CorsSettings struct {
+	AllowedOrigins []string
+}
+
 type Config struct {
 	Mode    string // "client", "server", or "all"
 	Headers map[string]string
@@ -61,6 +65,7 @@ type Config struct {
 	ServerStrategyFile   string
 	ServerHttpListenAddr string
 	ServerGrpcListenAddr string
+	ServerCors           CorsSettings
 	ServerServiceNames   []string
 	ServerTLS            TLSSettings
 	ServerHeaders        map[string]string

jaeger_services.go

@@ -212,11 +212,50 @@ func (plug *jaegerRemotePlugin) loadStrategiesFromFile() error {
 	return nil
 }
 
+func (plug *jaegerRemotePlugin) corsMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if len(plug.config.ServerCors.AllowedOrigins) == 0 {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		origin := r.Header.Get("Origin")
+		isAllowed := false
+		for _, allowed := range plug.config.ServerCors.AllowedOrigins {
+			if allowed == "*" || allowed == origin {
+				isAllowed = true
+				break
+			}
+		}
+
+		if isAllowed {
+			w.Header().Set("Access-Control-Allow-Origin", origin)
+			w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+		}
+
+		// Handle pre-flight OPTIONS request
+		if r.Method == "OPTIONS" {
+			if isAllowed {
+				w.WriteHeader(http.StatusNoContent)
+				return
+			}
+			// If not an allowed origin, forbid the request.
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
+
+		// Serve the actual request for GET, etc.
+		next.ServeHTTP(w, r)
+	})
+}
+
 func (plug *jaegerRemotePlugin) startHttpServer() *http.Server {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/sampling", plug.handleSampling)
 	mux.HandleFunc("/strategies", plug.handleGetStrategies)
-	server := &http.Server{Addr: plug.config.ServerHttpListenAddr, Handler: mux}
+
+	server := &http.Server{Addr: plug.config.ServerHttpListenAddr, Handler: plug.corsMiddleware(mux)} //
 	go func() {
 		if err := server.ListenAndServe(); err != http.ErrServerClosed {
 			plug.log.Error("HTTP server error: %v", err)

jaeger_services_test.go

@@ -280,6 +280,104 @@ func Test_InitServer_Failure(t *testing.T) {
 	})
 }
 
+func Test_corsMiddleware(t *testing.T) {
+	dummyHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("OK"))
+	})
+
+	plug := &jaegerRemotePlugin{
+		log: newTestLogger(t),
+		config: &Config{
+			ServerCors: CorsSettings{
+				AllowedOrigins: []string{"http://localhost:3000"},
+			},
+		},
+	}
+	testHandler := plug.corsMiddleware(dummyHandler) //
+
+	t.Run("GET request from allowed origin", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/sampling", nil)
+		req.Header.Set("Origin", "http://localhost:3000")
+		rr := httptest.NewRecorder()
+
+		testHandler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, "http://localhost:3000", rr.Header().Get("Access-Control-Allow-Origin"))
+	})
+
+	t.Run("pre-flight OPTIONS request from allowed origin", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodOptions, "/sampling", nil)
+		req.Header.Set("Origin", "http://localhost:3000")
+		rr := httptest.NewRecorder()
+
+		testHandler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusNoContent, rr.Code)
+		assert.Equal(t, "http://localhost:3000", rr.Header().Get("Access-Control-Allow-Origin"))
+	})
+
+	t.Run("GET request from disallowed origin", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/sampling", nil)
+		req.Header.Set("Origin", "https://evil-site.com")
+		rr := httptest.NewRecorder()
+
+		testHandler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, "", rr.Header().Get("Access-Control-Allow-Origin"))
+	})
+
+	t.Run("pre-flight OPTIONS request from disallowed origin", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodOptions, "/sampling", nil)
+		req.Header.Set("Origin", "https://evil-site.com")
+		rr := httptest.NewRecorder()
+
+		testHandler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusForbidden, rr.Code)
+	})
+
+	t.Run("request without CORS config should pass through", func(t *testing.T) {
+		plugWithoutCors := &jaegerRemotePlugin{
+			log:    newTestLogger(t),
+			config: &Config{},
+		}
+		handlerWithoutCors := plugWithoutCors.corsMiddleware(dummyHandler)
+
+		req := httptest.NewRequest(http.MethodGet, "/sampling", nil)
+		req.Header.Set("Origin", "http://localhost:3000")
+		rr := httptest.NewRecorder()
+
+		handlerWithoutCors.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, "", rr.Header().Get("Access-Control-Allow-Origin"))
+	})
+
+	t.Run("wildcard origin allows any origin", func(t *testing.T) {
+		plugWithWildcard := &jaegerRemotePlugin{
+			log: newTestLogger(t),
+			config: &Config{
+				ServerCors: CorsSettings{
+					AllowedOrigins: []string{"*"},
+				},
+			},
+		}
+		handlerWithWildcard := plugWithWildcard.corsMiddleware(dummyHandler)
+
+		req := httptest.NewRequest(http.MethodGet, "/sampling", nil)
+		req.Header.Set("Origin", "https://any-site.com")
+		rr := httptest.NewRecorder()
+
+		handlerWithWildcard.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, "https://any-site.com", rr.Header().Get("Access-Control-Allow-Origin"))
+	})
+}
+
 func Test_ServerHandlers(t *testing.T) {
 	mockJaeger := &samplingServer{
 		err: status.Error(codes.NotFound, "strategy not found for service"),