Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions app/artifact-cas/configs/config.devel.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ server:
# private_key: "../../devel/devkeys/selfsigned/cas.key"
http_metrics:
addr: 0.0.0.0:5001
# cors:
# allow_origins:
# - "http://localhost:3000"

credentials_service:
# we will check that we can read there
Expand Down
114 changes: 86 additions & 28 deletions app/artifact-cas/internal/conf/conf.pb.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 6 additions & 1 deletion app/artifact-cas/internal/conf/conf.proto
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
//
// Copyright 2024 The Chainloop Authors.
// Copyright 2024-2026 The Chainloop Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -43,6 +43,9 @@ message Server {
string addr = 2;
google.protobuf.Duration timeout = 3;
}
message CORS {
repeated string allow_origins = 1;
}
message TLS {
// path to certificate and private key
string certificate = 1;
Expand All @@ -60,6 +63,8 @@ message Server {
GRPC grpc = 2;
// hHTTP server where the prometheus metrics will get exposed
HTTP http_metrics = 3;
// CORS configuration for the HTTP download endpoint
CORS cors = 4;

@cubic-dev-ai cubic-dev-ai Bot Mar 14, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2: Moving cors from server.http to server breaks existing config paths. Keep backward compatibility or add an explicit migration so upgrades do not silently disable download CORS.

(Based on your team's feedback about ensuring cross-component and version compatibility.)

View Feedback

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At app/artifact-cas/internal/conf/conf.proto, line 67:

<comment>Moving `cors` from `server.http` to `server` breaks existing config paths. Keep backward compatibility or add an explicit migration so upgrades do not silently disable download CORS.

(Based on your team's feedback about ensuring cross-component and version compatibility.) </comment>

<file context>
@@ -64,6 +63,8 @@ message Server {
   // hHTTP server where the prometheus metrics will get exposed
   HTTP http_metrics = 3;
+  // CORS configuration for the HTTP download endpoint
+  CORS cors = 4;
 }
 
</file context>
Fix with Cubic

}

message Auth {
Expand Down
78 changes: 78 additions & 0 deletions app/artifact-cas/internal/server/cors.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,78 @@
//
// Copyright 2026 The Chainloop Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package server

import "net/http"

// CORSMiddleware returns an http.Handler that applies CORS headers based on allowedOrigins.
// If allowedOrigins is empty, the middleware is a passthrough (CORS disabled).
// If "*" is in the list, any origin is allowed.
// Otherwise, only origins in the list are echoed back.
// OPTIONS preflight requests are short-circuited with 204 No Content before reaching the next handler.
func CORSMiddleware(allowedOrigins []string, next http.Handler) http.Handler {
if len(allowedOrigins) == 0 {
return next
}

wildcard := false
allowed := make(map[string]struct{}, len(allowedOrigins))
for _, o := range allowedOrigins {
if o == "*" {
wildcard = true
}
allowed[o] = struct{}{}
}

return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
origin := r.Header.Get("Origin")
if origin == "" {
next.ServeHTTP(w, r)
return
}

var matchedOrigin string
switch {
case wildcard:
matchedOrigin = "*"
default:
if _, ok := allowed[origin]; ok {
matchedOrigin = origin
}
}

// Always set Vary: Origin when the response depends on the Origin header,
// so HTTP caches don't serve a cached response for the wrong origin.
// Use Add to avoid clobbering any existing Vary values.
w.Header().Add("Vary", "Origin")

if matchedOrigin == "" {
next.ServeHTTP(w, r)
return
}

w.Header().Set("Access-Control-Allow-Origin", matchedOrigin)

if r.Method == http.MethodOptions {
w.Header().Set("Access-Control-Allow-Methods", "GET, HEAD, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
w.Header().Set("Access-Control-Max-Age", "86400")
w.WriteHeader(http.StatusNoContent)
return
}

next.ServeHTTP(w, r)
})
}
Loading
Loading