feat(http): add cors flags (#372)

* feat(http): add cors flags

* docs(http): readme and changelog

* docs(readme): remove duplicate `cors configuration` section

* test(http): add venom test for cors headers

* test(http): pull with cors header

---------

Co-authored-by: Adrien Aury <[email protected]>

Author: youen

CHANGELOG.md

@@ -14,6 +14,10 @@ Types of changes
 - `Fixed` for any bug fixes.
 - `Security` in case of vulnerabilities.
 
+## [3.3.0]
+
+ - `Added` configurable CORS support to http command
+
 ## [3.2.1]
 
  - `Fixed`Filter Parameter Not Working in "lino http" Command [#369](https://github.com/CGI-FR/LINO/issues/369)

README.md

@@ -568,6 +568,49 @@ $ lino pull source --limit 3 | jq '{ "manager": .customer_store_id_fkey.store_ma
 }
 ```
 
+## HTTP Sub-Command
+
+The `http` sub-command in LINO is used to start an HTTP server that facilitates the interaction with LINO's data management functionalities via HTTP requests. This allows users to pull and push data using common HTTP methods like `GET`, `POST`, and `PATCH`.
+
+To start the server, you can use the command:
+
+```bash
+lino http --port 8080
+```
+
+Where `--port` specifies the port on which the server will listen. The default port is `8000` if not specified.
+
+### Example of using the HTTP server:
+
+Start the Server:
+
+```bash
+lino http --port 8080
+```
+
+Make an HTTP GET Request to Pull Data:
+
+You can use curl or any other HTTP client to interact with the server. For instance, to pull data from the source, you would use:
+
+```bash
+curl http://localhost:8080/api/v1/data/source
+```
+
+This command retrieves data from the specified source via the LINO HTTP interface.
+
+Others HTTP methods are available in the tests [here](tests/suites/http/pull.yml)
+
+### CORS Configuration
+
+The HTTP server also supports Cross-Origin Resource Sharing (CORS), which is essential for managing resource access from different origins. You can enable and configure CORS to fit your needs:
+- `--cors-headers strings`: Allowed CORS headers (default `[Content-Type,Authorization]`)
+- `--cors-methods strings`: Allowed CORS methods (default `[GET,POST,OPTIONS,DELETE]`)
+- `--cors-origins strings`: Allowed CORS origins (e.g. `http://localhost:3000`) (default `[*]`)
+- `--enable-cors`: Enable CORS support
+
+These flags allow you to specify which headers, methods, and origins are allowed, providing flexible control over your server's security and accessibility.
+
+
 ## Installation
 
 Download the last binary release in your path.

docker-compose.yml

@@ -89,7 +89,13 @@ services:
     environment:
       - PASSWORD=sakila
       - CGO_ENABLED=0
-    command: http
+    command:
+      - http
+      - --enable-cors
+      - --cors-origins
+      - http://localhost:3000
+      - --cors-methods
+      - GET
     expose:
       - 8000
     volumes:

go.mod

@@ -19,6 +19,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20
 	github.com/microsoft/go-mssqldb v1.8.0
 	github.com/mitchellh/go-homedir v1.1.0
+	github.com/rs/cors v1.11.1
 	github.com/rs/zerolog v1.33.0
 	github.com/schollz/progressbar/v3 v3.18.0
 	github.com/sijms/go-ora/v2 v2.8.24

go.sum

@@ -338,6 +338,8 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
 github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
+github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=

internal/app/http/cli.go

@@ -22,18 +22,23 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/gorilla/mux"
-	"github.com/spf13/cobra"
-
 	"github.com/cgi-fr/lino/internal/app/pull"
 	"github.com/cgi-fr/lino/internal/app/push"
+
+	"github.com/gorilla/mux"
+	"github.com/rs/cors"
+	"github.com/spf13/cobra"
 )
 
 // NewCommand implements the cli http command
 func NewCommand(fullName string, err *os.File, out *os.File, in *os.File) *cobra.Command {
 	var (
 		port              uint
 		ingressDescriptor string
+		enableCORS        bool
+		corsOrigins       []string
+		corsMethods       []string
+		corsHeaders       []string
 	)
 
 	cmd := &cobra.Command{
@@ -43,9 +48,9 @@ func NewCommand(fullName string, err *os.File, out *os.File, in *os.File) *cobra
 		Example: fmt.Sprintf("  %[1]s http --port 8080", fullName),
 		Args:    cobra.ExactArgs(0),
 		Run: func(cmd *cobra.Command, args []string) {
-			r := mux.NewRouter()
+			router := mux.NewRouter()
 
-			api := r.PathPrefix("/api/v1").Subrouter()
+			api := router.PathPrefix("/api/v1").Subrouter()
 
 			api.Path("/data/{dataSource}").
 				Methods(http.MethodGet).
@@ -67,8 +72,23 @@ func NewCommand(fullName string, err *os.File, out *os.File, in *os.File) *cobra
 				Methods(http.MethodPost).
 				HandlerFunc(push.TruncatHandlerFactory(ingressDescriptor))
 
-			http.Handle("/", r)
+			var handler http.Handler = router
+
+			if enableCORS {
+				fmt.Printf("enable cors :%s\n", corsOrigins)
+
+				corsHandler := cors.New(cors.Options{
+					AllowedOrigins: corsOrigins,
+					AllowedMethods: corsMethods,
+					AllowedHeaders: corsHeaders,
+				})
+				handler = corsHandler.Handler(router)
+			}
+
+			http.Handle("/", handler)
 			bind := fmt.Sprintf(":%d", port)
+			fmt.Printf("listen on :%d\n", port)
+
 			e1 := http.ListenAndServe(bind, nil) //nolint:gosec
 
 			if err != nil {
@@ -79,6 +99,13 @@ func NewCommand(fullName string, err *os.File, out *os.File, in *os.File) *cobra
 	}
 	cmd.Flags().UintVarP(&port, "port", "p", 8000, "HTTP Port to bind")
 	cmd.Flags().StringVarP(&ingressDescriptor, "ingress-descriptor", "i", "ingress-descriptor.yaml", "Ingress descriptor filename")
+
+	// CORS flags
+	cmd.Flags().BoolVar(&enableCORS, "enable-cors", false, "Enable CORS support")
+	cmd.Flags().StringSliceVar(&corsOrigins, "cors-origins", []string{"*"}, "Allowed CORS origins (e.g. http://localhost:3000)")
+	cmd.Flags().StringSliceVar(&corsMethods, "cors-methods", []string{"GET", "POST", "OPTIONS", "DELETE"}, "Allowed CORS methods")
+	cmd.Flags().StringSliceVar(&corsHeaders, "cors-headers", []string{"Content-Type", "Authorization"}, "Allowed CORS headers")
+
 	cmd.SetOut(out)
 	cmd.SetErr(err)
 	cmd.SetIn(in)

tests/suites/http/pull.yml

@@ -118,3 +118,39 @@ testcases:
         assertions:
           - result.statuscode ShouldEqual 200
           - result.bodyjson.address_id ShouldEqual 15
+
+  - name: pull whith good Origin header
+    steps:
+      - type: http
+        method: GET
+        url: http://lino:8000/api/v1/data/source?limit=1
+        headers:
+          Origin: http://localhost:3000
+
+        assertions:
+          - result.statuscode ShouldEqual 200
+          - result.headers.Access-Control-Allow-Origin ShouldEqual http://localhost:3000
+
+  - name: pull with bad Origin header
+    steps:
+      - type: http
+        method: GET
+        url: http://lino:8000/api/v1/data/source?limit=1
+        headers:
+          Origin: http://foo.com
+
+        assertions:
+          - result.statuscode ShouldEqual 200
+          - result.headers.Access-Control-Allow-Origin ShouldBeNil
+
+  - name: pull with bad method
+    steps:
+      - type: http
+        method: POST
+        url: http://lino:8000/api/v1/
+        headers:
+          Origin: http://localhost:3000
+
+        assertions:
+          - result.statuscode ShouldEqual 404
+          - result.headers.Access-Control-Allow-Origin ShouldBeNil