diff --git a/services/identity/src/config.rs b/services/identity/src/config.rs --- a/services/identity/src/config.rs +++ b/services/identity/src/config.rs @@ -5,10 +5,10 @@ use tracing::{error, info}; use crate::constants::{ - DEFAULT_OPENSEARCH_ENDPOINT, DEFAULT_TUNNELBROKER_ENDPOINT, - KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, OPAQUE_SERVER_SETUP, - OPENSEARCH_ENDPOINT, SECRETS_DIRECTORY, SECRETS_SETUP_FILE, - TUNNELBROKER_GRPC_ENDPOINT, + cors::ALLOW_ORIGIN_LIST, DEFAULT_OPENSEARCH_ENDPOINT, + DEFAULT_TUNNELBROKER_ENDPOINT, KEYSERVER_PUBLIC_KEY, LOCALSTACK_ENDPOINT, + OPAQUE_SERVER_SETUP, OPENSEARCH_ENDPOINT, SECRETS_DIRECTORY, + SECRETS_SETUP_FILE, TUNNELBROKER_GRPC_ENDPOINT, }; /// Raw CLI arguments, should be only used internally to create ServerConfig @@ -49,6 +49,11 @@ #[arg(env = OPENSEARCH_ENDPOINT)] #[arg(default_value = DEFAULT_OPENSEARCH_ENDPOINT)] opensearch_endpoint: String, + + /// Allowed origins + #[arg(long, global = true)] + #[arg(env = ALLOW_ORIGIN_LIST)] + allow_origin_list: Option, } #[derive(Subcommand)] @@ -73,6 +78,7 @@ pub keyserver_public_key: Option, pub tunnelbroker_endpoint: String, pub opensearch_endpoint: String, + pub allow_origin_list: Option, } impl ServerConfig { @@ -85,7 +91,6 @@ if let Some(endpoint) = &cli.localstack_endpoint { info!("Using Localstack endpoint: {}", endpoint); } - info!("Using OpenSearch endpoint: {}", cli.opensearch_endpoint); let mut path_buf = path::PathBuf::new(); @@ -101,20 +106,20 @@ opensearch_endpoint: cli.opensearch_endpoint.clone(), server_setup, keyserver_public_key, + allow_origin_list: cli.allow_origin_list.clone(), }) } - - pub fn is_dev(&self) -> bool { - self.localstack_endpoint.is_some() - } } impl fmt::Debug for ServerConfig { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.debug_struct("ServerConfig") - .field("server_keypair", &"** redacted **") - .field("keyserver_auth_token", &"** redacted **") .field("localstack_endpoint", &self.localstack_endpoint) + .field("server_setup", &"** redacted **") + .field("keyserver_public_key", &self.keyserver_public_key) + .field("tunnelbroker_endpoint", &self.tunnelbroker_endpoint) + .field("opensearch_endpoint", &self.opensearch_endpoint) + .field("allow_origin_list", &"** redacted **") .finish() } } @@ -131,6 +136,8 @@ Json(serde_json::Error), #[display(...)] Decode(DecodeError), + #[display(...)] + InvalidRemoteEnvironment, } fn get_server_setup( diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs --- a/services/identity/src/constants.rs +++ b/services/identity/src/constants.rs @@ -216,6 +216,5 @@ super::request_metadata::DEVICE_ID, super::request_metadata::ACCESS_TOKEN, ]; - pub const DEFAULT_ALLOW_ORIGIN: [&str; 2] = - ["https://web.comm.app", "http://localhost:3000"]; + pub const ALLOW_ORIGIN_LIST: &str = "ALLOW_ORIGIN_LIST"; } diff --git a/services/identity/src/cors.rs b/services/identity/src/cors.rs --- a/services/identity/src/cors.rs +++ b/services/identity/src/cors.rs @@ -4,15 +4,9 @@ use crate::{config::CONFIG, constants::cors}; pub fn cors_layer() -> CorsLayer { - let allow_origin = if CONFIG.is_dev() { - AllowOrigin::mirror_request() - } else { - AllowOrigin::list( - cors::DEFAULT_ALLOW_ORIGIN - .iter() - .cloned() - .map(HeaderValue::from_static), - ) + let allow_origin = match &CONFIG.allow_origin_list { + None => AllowOrigin::mirror_request(), + Some(allow_origin_list) => slice_to_allow_origin(allow_origin_list), }; CorsLayer::new() .allow_origin(allow_origin) @@ -33,3 +27,10 @@ .collect::>(), ) } + +fn slice_to_allow_origin(origins: &str) -> AllowOrigin { + let allow_origin_list = origins.split(',').map(|s| { + HeaderValue::from_str(s.trim()).expect("failed to parse allow origin list") + }); + AllowOrigin::list(allow_origin_list) +}