Improve OpenApi CORS message

[sberyozkin]

Fixes #28377.

Improving the message as proposed by Yoann but without a specific doc link.

[yrodiere]

LGTM if we do need this log.

Still wondering if this shouldn't be moved to the vertx extension, though, since this is really not specific to openapi. But that's probably a separate issue.

Let's wait for @gsmet 's opinion though, as I'm sure he has one :)

[sberyozkin]

@yrodiere

LGTM if we do need this log.

The log is needed as it is doc-ed as a response to the Snyk SAST failure (in a separate analysis doc). While removing the default properties completely is a breaking change so it won't work as well.

Still wondering if this shouldn't be moved to the vertx extension, though, since this is really not specific to openapi.

This is specific to smallrye-open-api since it is only smallrye-open-api which enables wildcard CORS properties by default

[yrodiere]

This is specific to smallrye-open-api since it is only smallrye-open-api which enables wildcard CORS properties by default

Ok, I thought those wildcard CORS properties were equivalent to simply no CORS properties, but apparently that's not true. So I assume those wildcard CORS properties are useful somehow.

I assume those wildcard properties are also useful in development mode, probably because development setups would fail without those.

In production though... I'm sorry if I'm being thickheaded, but I keep thinking there's something strange here... To sum up, we have a default that is insecure in some cases (which we cannot detect), and presumably useful in others (which we cannot detect either). And, whatever the case, we would rather have users pick their configuration explicitly.

If we have an insecure default that we don't want people to rely on anyway, maybe we should reconsider that default, at least in the next minor or major, to be secure by default?

The only "secure" option I'm seeing is simply not setting any CORS headers at all when they are not enabled explicitly (in production). From what I understand that will cause errors in the browser, but at least those errors mention the need to enable CORS in the REST API, and from there users can go configure their application correctly.

Maybe that's already planned? I couldn't find a GitHub issue about that, though.

[sberyozkin]

Hey @yrodiere

Np, thanks for trying to make sure all is clear. So this log message will only be shown in the production mode. Wildcard CORS properties are really never useful in the production mode - but we just all tend do it to get past the annoying CORS errors which might show up, it is just convenient, but Quarkus can't offer this convenience by default without saying anything as eventually someone will report CVE.
IMHO the best thing should've been to remove these wildcard properties set by default, but I can imagine then we will annoy many users again. So this log message is some kind of compromise, we don't break the backward compatibility, but also make an effort to warn gently via the INFO that it is not a good idea, and to address a specific Snyk report problem along the way.
I don't mind though removing the default OpenApi properties altogether - if it is not in the product then I guess we can do it now

[sberyozkin]

I don't mind though removing the default OpenApi properties altogether - if it is not in the product then I guess we can do it now

It is in the product as this is why I've found about it via a product Snyk scan so we can't really remove these default properties easily. But deprecating them in a message would be even more annoying to the users who just would like to try it locally. So not sure what else we can do but make this message more informative as you have proposed

[yrodiere]

Wildcard CORS properties are really never useful in the production mode - but we just all tend do it to get past the annoying CORS errors which might show up, it is just convenient

Thanks for clarifying, I was suspecting as much but wasn't sure, given that's not really my area of expertise :)

but Quarkus can't offer this convenience by default without saying anything

Sure, it's still a good idea to keep and improve the message in the meantime.

we can't really remove these default properties easily

Right, if it's really too disruptive, regardless of products, maybe that's not something we want to do in a minor. Perhaps we could plan this change for the next major of Quarkus? No idea when/if that will happen of course, but in a major version it's more reasonable to introduce disruptive changes, especially if they make Quarkus more secure by default.

I created #28397, let's continue the discussion there :)

@gsmet Summary of the discussion so you don't have to read it all:

• There's an INFO log on startup when using smallrye-openapi and that's annoying.
• We cannot remove that log because of security scanners (we've used this log to justify an exception).
• This PR at least makes the log extra-clear.
• We opened Smallrye-OpenAPI: Don't produce any CORS headers by default in production when CORS is disabled #28397 to suggest another solution, but that'll have to wait until we can break backwards compatibility.

[sberyozkin]

@yrodiere Sure, but re #28397, we have this extension in the product, that is the problem...

[quarkus-bot]

Failing Jobs - Building c78f626

Status	Name	Step	Failures	Logs	Raw logs
✔️	JVM Tests - JDK 11
✔️	JVM Tests - JDK 17
✖	JVM Tests - JDK 17 MacOS M1	Set up runner	⚠️ Check →	Logs	Raw logs
✔️	JVM Tests - JDK 18

[sberyozkin]

@gsmet I'm going to merge shortly as @yrodiere has approved, to get it to 2.13.x if possible, and for 2.14.0.CR I'll try resolve #28397

[yrodiere]

@sberyozkin Fine by me, thanks!