Merge pull request #2337 from hirokikana/in-http-cors-subdomain

in_http: Add support for subdomain in CORS domain

lib/fluent/plugin/in_http.rb

@@ -394,7 +394,7 @@ def handle_options_request
         if @cors_allow_origins.include?('*')
           header["Access-Control-Allow-Origin"] = "*"
           send_response_and_close("200 OK", header, "")
-        elsif @cors_allow_origins.include?(@origin)
+        elsif include_cors_allow_origin
           header["Access-Control-Allow-Origin"] = @origin
           send_response_and_close("200 OK", header, "")
         else
@@ -414,7 +414,7 @@ def on_message_complete
         # For every incoming request, we check if we have some CORS
         # restrictions and white listed origins through @cors_allow_origins.
         unless @cors_allow_origins.nil?
-          unless @cors_allow_origins.include?('*') or @cors_allow_origins.include?(@origin)
+          unless @cors_allow_origins.include?('*') or include_cors_allow_origin
             send_response_and_close("403 Forbidden", {'Connection' => 'close'}, "")
             return
           end
@@ -464,7 +464,7 @@ def on_message_complete
         unless @cors_allow_origins.nil?
           if @cors_allow_origins.include?('*')
             header['Access-Control-Allow-Origin'] = '*'
-          elsif @cors_allow_origins.include?(@origin)
+          elsif include_cors_allow_origin
             header['Access-Control-Allow-Origin'] = @origin
           end
         end
@@ -512,6 +512,17 @@ def send_response_nobody(code, header)
         data << "\r\n"
         write data
       end
+
+      def include_cors_allow_origin
+        if @cors_allow_origins.include?(@origin)
+          return true
+        end
+        filtered_cors_allow_origins = @cors_allow_origins.select {|origin| origin != ""}
+        return filtered_cors_allow_origins.find do |origin|
+          (start_str,end_str) = origin.split("*",2)
+          @origin.start_with?(start_str) and @origin.end_with?(end_str)
+        end != nil
+      end
     end
   end
 end

test/plugin/test_in_http.rb

@@ -641,6 +641,63 @@ def test_cors_preflight
     end
   end
 
+  def test_cors_allowed_wildcard_for_subdomain
+    d = create_driver(CONFIG + 'cors_allow_origins ["http://*.foo.com"]')
+
+    time = event_time("2011-01-02 13:14:15 UTC")
+    events = [
+      ["tag1", time, {"a"=>1}],
+    ]
+
+    d.run do
+      events.each do |tag, time, record|
+        headers = {"Origin" => "http://subdomain.foo.com"}
+
+        res = post("/#{tag}", {"json" => record.to_json, "time" => time.to_i}, headers)
+
+        assert_equal "200", res.code
+        assert_equal "http://subdomain.foo.com", res["Access-Control-Allow-Origin"]
+      end
+    end
+  end
+
+  def test_cors_allowed_exclude_empty_string
+    d = create_driver(CONFIG + 'cors_allow_origins ["", "http://*.foo.com"]')
+
+    time = event_time("2011-01-02 13:14:15 UTC")
+    events = [
+      ["tag1", time, {"a"=>1}],
+    ]
+
+    d.run do
+      events.each do |tag, time, record|
+        headers = {"Origin" => "http://subdomain.foo.com"}
+
+        res = post("/#{tag}", {"json" => record.to_json, "time" => time.to_i}, headers)
+
+        assert_equal "200", res.code
+        assert_equal "http://subdomain.foo.com", res["Access-Control-Allow-Origin"]
+      end
+    end
+  end
+
+  def test_cors_allowed_wildcard_preflight_for_subdomain
+    d = create_driver(CONFIG + 'cors_allow_origins ["http://*.foo.com"]')
+
+    d.run do
+      header = {
+        "Origin" => "http://subdomain.foo.com",
+        "Access-Control-Request-Method" => "POST",
+        "Access-Control-Request-Headers" => "Content-Type",
+      }
+      res = options("/cors.test", {}, header)
+
+      assert_equal "200", res.code
+      assert_equal "http://subdomain.foo.com", res["Access-Control-Allow-Origin"]
+      assert_equal "POST", res["Access-Control-Allow-Methods"]
+    end
+  end
+
   def test_content_encoding_gzip
     d = create_driver