From dfce8528b68cc99792572d89776a46b655c1eb78 Mon Sep 17 00:00:00 2001
From: Sergey Beryozkin
Date: Wed, 5 Apr 2023 17:10:41 +0100
Subject: [PATCH] Add one more CORS same origin unit test

---
 .../vertx/http/runtime/cors/CORSFilter.java | 14 ++++++++++++++
 .../vertx/http/runtime/cors/CORSFilterTest.java | 11 +++++++++++
 2 files changed, 25 insertions(+)

diff --git a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
index 9722e703417e2..25a4244fb8425 100644
--- a/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
+++ b/extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java
@@ -10,6 +10,8 @@
 import java.util.Optional;
 import java.util.regex.Pattern;
 
+import org.jboss.logging.Logger;
+
 import io.vertx.core.Handler;
 import io.vertx.core.http.HttpHeaders;
 import io.vertx.core.http.HttpMethod;
@@ -19,6 +21,7 @@ public class CORSFilter implements Handler {
+ private static final Logger LOG = Logger.getLogger(CORSFilter.class);
 private static final Pattern COMMA_SEPARATED_SPLIT_REGEX = Pattern.compile("\\s*,\\s*");
 // This is set in the recorder at runtime.
@@ -214,10 +217,12 @@ public void handle(RoutingContext event) {
 }
 if (!allowsOrigin) {
+ LOG.debug("Origin is not allowed");
 response.setStatusCode(403);
 response.setStatusMessage("CORS Rejected - Invalid origin");
 response.end();
 } else if (request.method().equals(HttpMethod.OPTIONS) && (requestedHeaders != null || requestedMethods != null)) {
+ LOG.debug("Preflight request has completed");
 if (corsConfig.accessControlMaxAge.isPresent()) {
 response.putHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, String.valueOf(corsConfig.accessControlMaxAge.get().getSeconds()));
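Review bot: `LOG.debug("Preflight request has completed")` is emitted at the top of the OPTIONS branch, before the Access-Control-Max-Age header on the lines below it (and whatever follows outside the hunk) is written, so the message describes a state the code has not reached yet; `LOG.debug("Handling preflight request");` would be accurate. The other new line, `LOG.debug("Origin is not allowed")`, gives no hint which Origin value was rejected, unlike the debugf messages added to isSameOrigin, so an operator cannot correlate the 403 with the client that caused it; including the rejected origin (the variable holding it is not visible in this hunk) would make the line useful for that purpose. handle() starts and ends outside the hunk.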
@@ -233,6 +238,9 @@ static boolean isSameOrigin(HttpServerRequest request, String origin) {
 //fast path check, when everything is the same
 if (origin.startsWith(request.scheme())) {
 if (!substringMatch(origin, request.scheme().length(), "://", false)) {
+ LOG.debugf(
+ "Same origin check has failed, the origin is not a substring of the request URI. Request URI: %s, origin: %s",
+ request.absoluteURI(), origin);
 return false;
 }
 if (substringMatch(origin, request.scheme().length() + 3, request.host(), true)) {
@@ -253,9 +261,14 @@ static boolean isSameOriginSlowPath(HttpServerRequest request, String origin) {
 if (!originUri.getPath().isEmpty()) {
 //origin should not contain a path component
 //just reject it in this case
+ LOG.debugf("Same origin check has failed as the origin contains a path component. Request URI: %s, origin: %s",
+ request.absoluteURI(), origin);
 return false;
 }
 if (!baseUri.getHost().equals(originUri.getHost())) {
+ LOG.debugf("Same origin check has failed, the host values do not match. Request URI: %s, origin: %s",
+ request.absoluteURI(),
+ origin);
 return false;
 }
 if (baseUri.getPort() == originUri.getPort()) {
@@ -280,6 +293,7 @@ static boolean isSameOriginSlowPath(HttpServerRequest request, String origin) {
 }
 }
 }
+ LOG.debugf("Same origin check has failed. Request URI: %s, origin: %s", request.absoluteURI(), origin);
 return false;
 }
 
diff --git a/extensions/vertx-http/runtime/src/test/java/io/quarkus/vertx/http/runtime/cors/CORSFilterTest.java b/extensions/vertx-http/runtime/src/test/java/io/quarkus/vertx/http/runtime/cors/CORSFilterTest.java
index e2348e9efcf7b..241bbee477d35 100644
--- a/extensions/vertx-http/runtime/src/test/java/io/quarkus/vertx/http/runtime/cors/CORSFilterTest.java
+++ b/extensions/vertx-http/runtime/src/test/java/io/quarkus/vertx/http/runtime/cors/CORSFilterTest.java
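Review bot: Every new `LOG.debugf(...)` call in this hunk and in the two isSameOriginSlowPath hunks below passes `request.absoluteURI()` as an argument, so the URI string is built on every failed same-origin check regardless of log level; since isSameOrigin runs per CORS request, wrapping each statement in `if (LOG.isDebugEnabled()) { ... }` keeps that cost off the common path. The message in this hunk is also misleading: the check that fails here is `!substringMatch(origin, request.scheme().length(), "://", false)`, i.e. the Origin value does not continue with `://` after the request scheme, not that the origin is "not a substring of the request URI"; `"Same origin check has failed, the origin does not have the form scheme://host. Request URI: %s, origin: %s"` describes it. Both logged values come from the client (the Origin header and the request URI), so keeping them as format parameters rather than concatenating them into the format string, as the hunk does, is the right shape and should survive any rewording. isSameOrigin's body continues past the end of the hunk.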
@@ -75,6 +75,17 @@ public void sameOriginTest() {
 }
 
+ @Test
+ public void sameOriginPublicWebAddressTest() {
+ var request = Mockito.mock(HttpServerRequest.class);
+ Mockito.when(request.scheme()).thenReturn("https");
+ Mockito.when(request.host()).thenReturn("stage.code.quarkus.io");
+ Mockito.when(request.absoluteURI()).thenReturn("https://stage.code.quarkus.io/api/project");
+ Assertions.assertFalse(isSameOrigin(request, "http://localhost"));
+ Assertions.assertFalse(isSameOrigin(request, "https://code.quarkus.io"));
+ Assertions.assertTrue(isSameOrigin(request, "https://stage.code.quarkus.io"));
+ }
+ @Test
+ public void testSubstringMatches() {
 Assertions.assertTrue(substringMatch("localhost", 0, "local", false));