debuginfod: in --cors mode, add CORS response headers and OPTIONS method

CORS is the Cross-Origin-Resource-Sharing mechanism explained at https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS 1. by default JavaScript code from Website A cannot request arbitrary resources from website B, these are called cross-origin-requests 2. The browser performs what is called a preflight check, this the OPTIONS method 3. the response allows website B fine-grained control over what the web browser should allow 4. Setting "Access-Control-Allow-Origin: *" tells the web browser to allow all access, e.g. the same behavior you get with curl or debuginfod-find The website mentions that the corresponding spec has been changed, such that preflight requests are no longer necessary, but in the browsers I use today (Firefox 132 and Chromium 131) they are still necessary. I have confirmed that I can use debuginfod with this patch from my web application at https://core-explorer.github.io/cdx-type/ FChE simplified the code and added a few quick "curl -i | grep" tests to confirm the new headers are there. * debuginfod/debuginfod.cxx (handle_options): New function. (handler_cb): Call it for OPTIONS. Add ACAO header for all successful requests. (parse_opt): Parse --cors. * tests/run-debuginfod-federation-metrics.sh, tests/run-debuginfod-find-metadata.sh: Lightly test. * doc/debuginfod.8: Document --cors option, default off. Signed-off-by: Henning Meyer <[email protected]> Signed-off-by: Frank Ch. Eigler <[email protected]>
author: Henning Meyer <[email protected]> 2024-12-07 15:01:54 -0500
committer: Frank Ch. Eigler <[email protected]> 2024-12-08 16:01:05 -0500
commit: 87e7f211aa30888f80448be97bc4177c676fef82 (patch)
tree: cc7c656c94636845d2e4e5ca5a4ab10fb6907fb4 /tests
parent: 04ba163e813f6b88da850c658a03ac7b5f19f7ad (diff)
2 files changed, 9 insertions, 3 deletions
diff --git a/tests/run-debuginfod-federation-metrics.sh b/tests/run-debuginfod-federation-metrics.sh
index 60fe69ca..715a575c 100755
--- a/tests/run-debuginfod-federation-metrics.sh
+++ b/tests/run-debuginfod-federation-metrics.sh
@@ -37,7 +37,7 @@ base=9000
 get_ports
 
 # Launch server which will be unable to follow symlinks
-env LD_LIBRARY_PATH=$ldpath ${abs_builddir}/../debuginfod/debuginfod $VERBOSE -d ${DB} -F -U -t0 -g0 -p $PORT1 L D F > vlog$PORT1 2>&1 &
+env LD_LIBRARY_PATH=$ldpath ${abs_builddir}/../debuginfod/debuginfod $VERBOSE -d ${DB} -F -U -t0 -g0 -p $PORT1 --cors L D F > vlog$PORT1 2>&1 &
 PID1=$!
 tempfiles vlog$PORT1
 errfiles vlog$PORT1
@@ -75,7 +75,7 @@ wait_ready $PORT1 'thread_busy{role="http-metrics"}' 1
 export DEBUGINFOD_CACHE_PATH=${PWD}/.client_cache2
 mkdir -p $DEBUGINFOD_CACHE_PATH
 # NB: run in -L symlink-following mode for the L subdir
-env LD_LIBRARY_PATH=$ldpath DEBUGINFOD_URLS=http://127.0.0.1:$PORT1 ${abs_builddir}/../debuginfod/debuginfod $VERBOSE -d ${DB}_2 -F -U -p $PORT2 -L L D > vlog$PORT2 2>&1 &
+env LD_LIBRARY_PATH=$ldpath DEBUGINFOD_URLS=http://127.0.0.1:$PORT1 ${abs_builddir}/../debuginfod/debuginfod $VERBOSE -d ${DB}_2 -F -U -p $PORT2 --cors -L L D > vlog$PORT2 2>&1 &
 PID2=$!
 tempfiles vlog$PORT2
 errfiles vlog$PORT2
@@ -153,6 +153,8 @@ testrun ${abs_builddir}/debuginfod_build_id_find -e F/prog 1
 curl -s http://127.0.0.1:$PORT1/badapi
 curl -s http://127.0.0.1:$PORT1/metrics
 curl -s http://127.0.0.1:$PORT2/metrics
+curl -i -s http://127.0.0.1:$PORT1/metrics | grep -i access.control.allow.origin:
+curl -X OPTIONS -i -s http://127.0.0.1:$PORT1/ | grep -i access.control.allow.origin:
 curl -s http://127.0.0.1:$PORT1/metrics | grep -q 'http_responses_total.*result.*error'
 curl -s http://127.0.0.1:$PORT2/metrics | grep -q 'http_responses_total.*result.*upstream'
 curl -s http://127.0.0.1:$PORT1/metrics | grep 'http_responses_duration_milliseconds_count'
@@ -181,6 +183,7 @@ rm -f .client_cache*/$BUILDID/debuginfo
 testrun ${abs_top_builddir}/debuginfod/debuginfod-find debuginfo $BUILDID
 testrun ${abs_top_builddir}/debuginfod/debuginfod-find debuginfo $BUILDID
 testrun ${abs_top_builddir}/debuginfod/debuginfod-find debuginfo $BUILDID
+curl -i -s http://127.0.0.1:$PORT2/buildid/$BUILDID/debuginfo | grep -i access.control.allow.origin:
 rm -f .client_cache*/$BUILDID/debuginfo
 testrun ${abs_top_builddir}/debuginfod/debuginfod-find debuginfo $BUILDID
 
diff --git a/tests/run-debuginfod-find-metadata.sh b/tests/run-debuginfod-find-metadata.sh
index 78a34f09..99759cff 100755
--- a/tests/run-debuginfod-find-metadata.sh
+++ b/tests/run-debuginfod-find-metadata.sh
@@ -52,7 +52,7 @@ wait_ready $PORT1 'thread_work_pending{role="scan"}' 0
 wait_ready $PORT1 'thread_busy{role="scan"}' 0
 
 env LD_LIBRARY_PATH=$ldpath DEBUGINFOD_URLS="http://127.0.0.1:$PORT1 https://bad/url.web" ${VALGRIND_CMD} ${abs_builddir}/../debuginfod/debuginfod $VERBOSE -U \
-    -d ${DB}_2 -p $PORT2 -t0 -g0 D > vlog$PORT2 2>&1 &
+    -d ${DB}_2 -p $PORT2 -t0 -g0 --cors D > vlog$PORT2 2>&1 &
 PID2=$!
 tempfiles vlog$PORT2
 errfiles vlog$PORT2
@@ -79,6 +79,9 @@ test $N_FOUND -eq 2
 
 # Query via the webapi as well
 curl http://127.0.0.1:$PORT2'/metadata?key=glob&value=/usr/bin/*hi*'
+# no --cors on $PORT1's debuginfod
+test "`curl -s -i http://127.0.0.1:$PORT1'/metadata?key=glob&value=/usr/bin/*hi*' | grep -i access.control.allow.origin: || true`" == ""
+curl -s -i http://127.0.0.1:$PORT2'/metadata?key=glob&value=/usr/bin/*hi*' | grep -i access.control.allow.origin:
 test `curl -s http://127.0.0.1:$PORT2'/metadata?key=glob&value=/usr/bin/*hi*' | jq '.results[0].buildid == "f17a29b5a25bd4960531d82aa6b07c8abe84fa66"'` = 'true'
 test `curl -s http://127.0.0.1:$PORT2'/metadata?key=glob&value=/usr/bin/*hi*' | jq '.results[0].file == "/usr/bin/hithere"'` = 'true'
 test `curl -s http://127.0.0.1:$PORT2'/metadata?key=glob&value=/usr/bin/*hi*' | jq '.results[0].archive | test(".*hithere.*deb")'` = 'true'
author	Henning Meyer <[email protected]>	2024-12-07 15:01:54 -0500
committer	Frank Ch. Eigler <[email protected]>	2024-12-08 16:01:05 -0500
commit	87e7f211aa30888f80448be97bc4177c676fef82 (patch)
tree	cc7c656c94636845d2e4e5ca5a4ab10fb6907fb4 /tests
parent	04ba163e813f6b88da850c658a03ac7b5f19f7ad (diff)