From b48b1a0856d0bd043ef21a4ba82ecb92294df443 Mon Sep 17 00:00:00 2001
From: Maurizio
Date: Sat, 2 Nov 2019 13:46:24 +0100
Subject: [PATCH] core: Fix CORS origin match for OAuth2 Clients (#1624)

Previously, `http://*` would not work as it would not be properly splitted by the glob library. This patch resolves that and closes #1615

Signed-off-by: Aterocana
---
 driver/cors.go | 6 ++++++
 driver/cors_test.go | 11 +++++++++++
 2 files changed, 17 insertions(+)

diff --git a/driver/cors.go b/driver/cors.go
index c3e0c1668db..deaac02ed50 100644
--- a/driver/cors.go
+++ b/driver/cors.go
@@ -22,6 +22,7 @@ package driver
 import (
 "context"
+ "fmt"
 "net/http"
 "strings"
@@ -44,6 +45,11 @@ func OAuth2AwareCORSMiddleware(iface string, reg Registry, conf configuration.Pr
 corsOptions := conf.CORSOptions(iface)
 var patterns []glob.Glob
 for _, o := range corsOptions.AllowedOrigins {
+ // if the protocol (http or https) is specified, but the url is wildcard, use special ** glob, which ignore the '.' separator.
+ // This way g := glob.Compile("http://**") g.Match("http://google.com") returns true.
+ if splittedO := strings.Split(o, "://"); len(splittedO) != 1 && splittedO[1] == "*" {
+ o = fmt.Sprintf("%s://**", splittedO[0])
+ }
 g, err := glob.Compile(strings.ToLower(o), '.')
 if err != nil {
 reg.Logger().WithError(err).Fatalf("Unable to parse cors origin: %s", o)
diff --git a/driver/cors_test.go b/driver/cors_test.go
index 9ac772d51c7..78e26e5a6b6 100644
--- a/driver/cors_test.go
+++ b/driver/cors_test.go
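Review bot: The rewrite in the new `if` keys only on the second `://` segment, so an allowed-origin entry containing more than one `://` whose second segment is `*` is silently collapsed to `scheme://**`, discarding everything after it. A suffix check expresses the intent exactly, `if strings.HasSuffix(o, "://*") { o += "*" }`, and it would also make the `fmt` import added by this patch unnecessary unless something else in the file uses it. The comment should spell out that `**` matches every host of that scheme: `http://*` now admits any plain-http origin, and this middleware appears to answer with `Access-Control-Allow-Credentials: true` (per the test expectations in this patch), so an operator should treat the value as equivalent to a credentialed `*`. The comment should also read `which ignores the '.' separator`. OAuth2AwareCORSMiddleware's body continues beyond the hunk.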
@@ -157,6 +157,17 @@ func TestOAuth2AwareCORSMiddleware(t *testing.T) {
 header: http.Header{"Origin": {"http://foobar.com"}, "Authorization": {"Bearer " + token}},
 expectHeader: http.Header{"Access-Control-Allow-Credentials": []string{"true"}, "Access-Control-Allow-Origin": []string{"http://foobar.com"}, "Access-Control-Expose-Headers": []string{"Content-Type"}, "Vary": []string{"Origin"}},
 },
+ {
+ d: "should accept any allowed specified origin protocol",
+ prep: func() {
+ r.ClientManager().CreateClient(context.Background(), &client.Client{ClientID: "foo-11", Secret: "bar", AllowedCORSOrigins: []string{"*"}})
+ viper.Set("serve.public.cors.enabled", true)
+ viper.Set("serve.public.cors.allowed_origins", []string{"http://*", "https://*"})
+ },
+ code: http.StatusNotImplemented,
+ header: http.Header{"Origin": {"http://foo.foobar.com"}, "Authorization": {"Basic Zm9vLTQ6YmFy"}},
+ expectHeader: http.Header{"Access-Control-Allow-Credentials": []string{"true"}, "Access-Control-Allow-Origin": []string{"http://foo.foobar.com"}, "Access-Control-Expose-Headers": []string{"Content-Type"}, "Vary": []string{"Origin"}},
+ },
 } {
 t.Run(fmt.Sprintf("case=%d/description=%s", k, tc.d), func(t *testing.T) {
 if tc.prep != nil {
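Review bot: The new case creates client `foo-11` but authenticates with `Basic Zm9vLTQ6YmFy`, which decodes to `foo-4:bar`, so the assertion exercises whatever allowed CORS origins `foo-4` was given by an earlier case outside this hunk rather than the `*` client it sets up. Use `"Authorization": {"Basic Zm9vLTExOmJhcg=="}` (`foo-11:bar`) so the expectation is tied to this case's own client. The config also enables `https://*`, but only an `http://` origin is sent, so a second request with `Origin: https://foo.foobar.com` would cover the other rewritten pattern. The enclosing table in TestOAuth2AwareCORSMiddleware starts before this hunk.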