Add a little logic to CORS config processing and significantly update the CORS doc

cors/src/main/java/io/helidon/cors/Aggregator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2023 Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -118,10 +118,23 @@ public Aggregator build() {
 
         Builder config(Config config) {
             if (config.exists()) {
-                ConfigValue<CrossOriginConfig.Builder> configValue = config.map(CrossOriginConfig::builder);
-                if (configValue.isPresent()) {
-                    CrossOriginConfig crossOriginConfig = configValue.get().build();
-                    addPathlessCrossOrigin(crossOriginConfig);
+                // The config node might be a simple config block for a single cross-origin config (containing allow-origins,
+                // allow-methods, etc.). Or it might be a mapped cross-origin config introduced by "paths" and
+                // containing a list, each element of which has a path-pattern plus the "plain" cross-origin config settings
+                // (allow-origins, etc.)
+                Config pathsNode = config.get(CrossOriginConfig.CORS_PATHS_CONFIG_KEY);
+                if (pathsNode.exists()) {
+                    ConfigValue<MappedCrossOriginConfig.Builder> configValue = config.map(MappedCrossOriginConfig::builder);
+                    if (configValue.isPresent()) {
+                        MappedCrossOriginConfig mappedCrossOriginConfig = configValue.get().build();
+                        mappedCrossOriginConfig.forEach(this::addCrossOrigin);
+                    }
+                } else {
+                    ConfigValue<CrossOriginConfig.Builder> configValue = config.map(CrossOriginConfig::builder);
+                    if (configValue.isPresent()) {
+                        CrossOriginConfig crossOriginConfig = configValue.get().build();
+                        addPathlessCrossOrigin(crossOriginConfig);
+                    }
                 }
             }
             return this;

cors/src/main/java/io/helidon/cors/CorsSupportHelper.java

@@ -472,7 +472,7 @@ Optional<R> processCorsRequest(
 
         CrossOriginConfig crossOriginConfig = crossOriginOpt.get();
 
-        // If enabled but not whitelisted, deny request
+        // If enabled but not allow-listed, deny request
         List<String> allowedOrigins = Arrays.asList(crossOriginConfig.allowOrigins());
         Optional<String> originOpt = requestAdapter.firstHeader(HeaderNames.ORIGIN);
         if (!allowedOrigins.contains("*") && !contains(originOpt, allowedOrigins, CorsSupportHelper::compareOrigins)) {
@@ -555,7 +555,7 @@ R processCorsPreFlightRequest(CorsRequestAdapter<Q> requestAdapter, CorsResponse
         }
         CrossOriginConfig crossOrigin = crossOriginOpt.get();
 
-        // If enabled but not whitelisted, deny request
+        // If enabled but not allow-listed, deny request
         List<String> allowedOrigins = Arrays.asList(crossOrigin.allowOrigins());
         if (!allowedOrigins.contains("*") && !contains(originOpt, allowedOrigins, CorsSupportHelper::compareOrigins)) {
             return forbid(requestAdapter,

cors/src/main/java/io/helidon/cors/LogHelper.java

@@ -96,20 +96,23 @@ static <T> void logIsRequestTypeNormal(boolean result, boolean silent, CorsReque
         }
 
         if (host.isEmpty()) {
-            reasonsWhyNormal.add("header " + HeaderNames.HOST + " is absent");
+            reasonsWhyNormal.add("header " + HeaderNames.HOST + "/requested URI is absent");
         } else {
-            factorsWhyCrossHost.add(String.format("header %s is present (%s)", HeaderNames.HOST, host));
+            factorsWhyCrossHost.add(String.format("header %s/requested URI is present (%s)", HeaderNames.HOST, host));
         }
 
         if (originOpt.isPresent()) {
             String partOfOriginMatchingHost = "://" + host;
             if (originOpt.get()
                     .contains(partOfOriginMatchingHost)) {
-                reasonsWhyNormal.add(String.format("header %s '%s' matches header %s '%s'", HeaderNames.ORIGIN,
+                reasonsWhyNormal.add(String.format("header %s '%s' matches header/requested URI %s '%s'", HeaderNames.ORIGIN,
                                                    effectiveOrigin, HeaderNames.HOST, host));
             } else {
-                factorsWhyCrossHost.add(String.format("header %s '%s' does not match header %s '%s'", HeaderNames.ORIGIN,
-                                                      effectiveOrigin, HeaderNames.HOST, host));
+                factorsWhyCrossHost.add(String.format("header %s '%s' does not match header/requested URI %s '%s'",
+                                                      HeaderNames.ORIGIN,
+                                                      effectiveOrigin,
+                                                      HeaderNames.HOST,
+                                                      host));
             }
         }
 

cors/src/test/java/io/helidon/cors/CrossOriginConfigTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2022 Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2024 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,9 +19,14 @@
 import java.util.List;
 import java.util.Optional;
 
+import io.helidon.common.testing.junit5.OptionalMatcher;
+import io.helidon.common.uri.UriInfo;
 import io.helidon.config.Config;
 import io.helidon.config.ConfigSources;
 import io.helidon.config.MissingValueException;
+import io.helidon.http.HeaderNames;
+import io.helidon.http.Status;
+import io.helidon.http.WritableHeaders;
 
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeAll;
@@ -175,4 +180,58 @@ void testOrdering() {
                    crossOriginConfigOpt.get().pathPattern(),
                    is(crossOriginConfigs.get(1).pathPattern()));
     }
+
+    @Test
+    void testBuiltInServiceConfig() {
+        Config node = testConfig.get("built-in-service");
+        assertThat(node, is(notNullValue()));
+        assertThat(node.exists(), is(true));
+        CorsSupportHelper<TestCorsServerRequestAdapter, TestCorsServerResponseAdapter> helper =
+                CorsSupportHelper.<TestCorsServerRequestAdapter, TestCorsServerResponseAdapter>builder()
+                .config(node)
+                .build();
+
+        // In the first test, use an unacceptable origin and make sure we get a 403 response.
+        WritableHeaders<?> headers = WritableHeaders.create();
+        headers.add(HeaderNames.ORIGIN, "http://bad.com")
+                .add(HeaderNames.HOST, "someProxy.com")
+                .add(HeaderNames.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+        UriInfo uriInfo = UriInfo.builder()
+                .scheme("http")
+                .host("localhost")
+                .path("/")
+                .port(80)
+                .build();
+        CorsRequestAdapter<TestCorsServerRequestAdapter> req = new TestCorsServerRequestAdapter("/observe/health",
+                                                                                                uriInfo,
+                                                                                                "GET",
+                                                                                                headers);
+        CorsResponseAdapter<TestCorsServerResponseAdapter> resp = new TestCorsServerResponseAdapter();
+        Optional<TestCorsServerResponseAdapter> resultOpt = helper.processRequest(req, resp);
+
+        assertThat("Response from GET to built-in service path",
+                   resultOpt,
+                   OptionalMatcher.optionalPresent());
+        assertThat("Response status from secure PUT to unsecured path",
+                   resultOpt.get().status(),
+                   is(Status.FORBIDDEN_403.code()));
+
+        // In the next test, use an acceptable origin in the request. There should be no response because that's how
+        // the CORS support helper lets the caller know that it's an acceptable CORS request.
+        headers = WritableHeaders.create();
+        headers.add(HeaderNames.ORIGIN, "http://roothere.com")
+                .add(HeaderNames.HOST, "someProxy.com")
+                .add(HeaderNames.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+        req = new TestCorsServerRequestAdapter("/observe/health",
+                                               uriInfo,
+                                               "GET",
+                                               headers);
+        resp = new TestCorsServerResponseAdapter();
+
+        resultOpt = helper.processRequest(req, resp);
+
+        assertThat("Response from GET to built-in service path",
+                   resultOpt,
+                   OptionalMatcher.optionalEmpty());
+    }
 }

cors/src/test/resources/configMapperTest.yaml

@@ -73,3 +73,10 @@ same-host-diff-ports:
       allow-origins: [ "http://here.com:8080"]
     - path-pattern: "/greet"
       allow-origins: [ "http://here.com"]
+
+
+built-in-service:
+  paths:
+    - path-pattern: "/observe/health"
+      allow-origins: ["http://roothere.com"]
+      allow-methods: ["GET", "HEAD"]

docs/src/main/asciidoc/includes/attributes.adoc

@@ -197,6 +197,7 @@ endif::[]
 :config-git-javadoc-base-url: {javadoc-base-url}/io.helidon.config.git
 :config-mapping-javadoc-base-url: {javadoc-base-url}/io.helidon.config.objectmapping
 :configurable-javadoc-base-url: {javadoc-base-url}/io.helidon.common.configurable
+:cors-javadoc-base-url: {javadoc-base-url}/io.helidon.cors
 :faulttolerance-javadoc-base-url: {javadoc-base-url}/io.helidon.faulttolerance
 :grpc-server-javadoc-base-url: {javadoc-base-url}/io.helidon.webserver.grpc
 :health-javadoc-base-url: {javadoc-base-url}/io.helidon.health.checks