chore: update cors config

deploy/demo/env.yaml

@@ -76,3 +76,5 @@ spec:
               secretKeyRef:
                 name: commonurl-demo
                 key: DATASET_CATALOG_BASE_URI
+          - name: CORS_ORIGIN_PATTERNS
+            value: https://*.demo.fellesdatakatalog.digdir.no

deploy/prod/env.yaml

@@ -76,3 +76,5 @@ spec:
               secretKeyRef:
                 name: commonurl-prod
                 key: DATASET_CATALOG_BASE_URI
+          - name: CORS_ORIGIN_PATTERNS
+            value: https://*.fellesdatakatalog.digdir.no

deploy/staging/env.yaml

@@ -76,3 +76,5 @@ spec:
               secretKeyRef:
                 name: commonurl-staging
                 key: DATASET_CATALOG_BASE_URI
+          - name: CORS_ORIGIN_PATTERNS
+            value: https://*.staging.fellesdatakatalog.digdir.no,http://localhost:*

src/main/kotlin/no/fdk/dataset_catalog/configuration/SecurityProperties.kt

@@ -4,5 +4,6 @@ import org.springframework.boot.context.properties.ConfigurationProperties
 
 @ConfigurationProperties("security")
 data class SecurityProperties(
-    val fdkIssuer: String
-)
+    val fdkIssuer: String,
+    val corsOriginPatterns: List<String>
+)

src/main/kotlin/no/fdk/dataset_catalog/controller/ApplicationStatusController.kt

@@ -3,12 +3,10 @@ package no.fdk.dataset_catalog.controller
 import no.fdk.dataset_catalog.service.DatasetService
 import org.springframework.http.HttpStatus
 import org.springframework.http.ResponseEntity
-import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RestController
 
 @RestController
-@CrossOrigin
 class ApplicationStatusController(private val datasetService: DatasetService) {
 
     @GetMapping("/ping")

src/main/kotlin/no/fdk/dataset_catalog/controller/CatalogController.kt

@@ -15,7 +15,6 @@ import org.springframework.web.bind.annotation.*
 private val logger = LoggerFactory.getLogger(CatalogController::class.java)
 
 @RestController
-@CrossOrigin
 @RequestMapping(value = ["/catalogs"])
 class CatalogController(
     private val catalogService: CatalogService,

src/main/kotlin/no/fdk/dataset_catalog/controller/DatasetController.kt

@@ -17,7 +17,6 @@ import org.springframework.web.bind.annotation.*
 private val logger = LoggerFactory.getLogger(DatasetController::class.java)
 
 @RestController
-@CrossOrigin
 @RequestMapping(value = ["/catalogs/{catalogId}/datasets"])
 class DatasetController(
     private val datasetService: DatasetService,

src/main/kotlin/no/fdk/dataset_catalog/controller/RDFController.kt

@@ -8,7 +8,6 @@ import org.springframework.http.ResponseEntity
 import org.springframework.web.bind.annotation.*
 
 @RestController
-@CrossOrigin
 @RequestMapping(
     value = ["/catalogs"],
     produces = ["text/turtle", "text/n3", "application/rdf+json", "application/ld+json", "application/rdf+xml",

src/main/kotlin/no/fdk/dataset_catalog/controller/SearchController.kt

@@ -14,7 +14,6 @@ import org.springframework.web.bind.annotation.*
 private val logger = LoggerFactory.getLogger(SearchController::class.java)
 
 @RestController
-@CrossOrigin
 @RequestMapping(value = ["/search"])
 class SearchController (
     private val searchService: SearchService) {
@@ -36,4 +35,3 @@ class SearchController (
                 ResponseEntity(HttpStatus.BAD_REQUEST)
         }
 }
-

src/main/kotlin/no/fdk/dataset_catalog/security/SecurityConfig.kt

@@ -12,6 +12,7 @@ import org.springframework.security.oauth2.jwt.*
 import org.springframework.security.web.SecurityFilterChain
 import org.springframework.security.web.util.matcher.RequestMatcher
 import jakarta.servlet.http.HttpServletRequest
+import org.springframework.web.cors.CorsConfiguration
 
 @Configuration
 open class SecurityConfig(
@@ -20,15 +21,27 @@ open class SecurityConfig(
 
     @Bean
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
-        http.csrf().disable()
-            .cors().and()
+        http
+            .cors { cors ->
+                cors.configurationSource { _ ->
+                    val config = CorsConfiguration()
+                    config.allowCredentials = false
+                    config.allowedHeaders = listOf("*")
+                    config.maxAge = 3600L
+                    config.allowedOriginPatterns = securityProperties.corsOriginPatterns
+                    config.allowedMethods = listOf("GET", "POST", "OPTIONS", "DELETE", "PUT", "PATCH")
+
+                    config
+                }
+            }
+            .csrf { it.disable() }
             .authorizeHttpRequests{ authorize ->
                 authorize.requestMatchers(RDFMatcher()).permitAll()
                     .requestMatchers(HttpMethod.OPTIONS).permitAll()
                     .requestMatchers(HttpMethod.GET,"/ping").permitAll()
                     .requestMatchers(HttpMethod.GET,"/ready").permitAll()
                     .anyRequest().authenticated() }
-            .oauth2ResourceServer { resourceServer -> resourceServer.jwt() }
+            .oauth2ResourceServer { resourceServer -> resourceServer.jwt { } }
         return http.build()
     }
 

src/main/resources/application.yml

@@ -35,6 +35,7 @@ application:
   exchangeName: harvests
 security:
   fdkIssuer: ${OIDC_ISSUER:https://sso.staging.fellesdatakatalog.digdir.no/auth/realms/fdk}
+  corsOriginPatterns: "${CORS_ORIGIN_PATTERNS}"
 
 ---
 spring:
@@ -53,6 +54,7 @@ application:
   catalogHarvestRoute: dataset.publisher.HarvestTrigger
   newDataSourceRoute: dataset.publisher.NewDataSource
   exchangeName: harvests
+security.corsOriginPatterns: "*"
 
 ---
 spring:
@@ -67,3 +69,4 @@ application:
   catalogHarvestRoute: dataset.publisher.HarvestTrigger
   newDataSourceRoute: dataset.publisher.NewDataSource
   exchangeName: harvests
+security.corsOriginPatterns: "*"