Add CORSRegexWildcardTest

extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSRegexWildcardTestCase.java

@@ -0,0 +1,27 @@
+package io.quarkus.vertx.http.cors;
+
+import static io.restassured.RestAssured.given;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.RegisterExtension;
+
+import io.quarkus.test.QuarkusUnitTest;
+
+public class CORSRegexWildcardTestCase {
+
+    @RegisterExtension
+    static QuarkusUnitTest runner = new QuarkusUnitTest()
+            .withApplicationRoot((jar) -> jar
+                    .addClasses(BeanRegisteringRoute.class)
+                    .addAsResource("conf/cors-regex-wildcard.properties", "application.properties"));
+
+    @Test
+    public void corsRegexValidOriginTest() {
+        given().header("Origin", "https://asdf.domain.com")
+                .when()
+                .get("/test").then()
+                .statusCode(200)
+                .header("Access-Control-Allow-Origin", "https://asdf.domain.com")
+                .header("Access-Control-Allow-Credentials", "false");
+    }
+}

extensions/vertx-http/deployment/src/test/java/io/quarkus/vertx/http/cors/CORSWildcardSecurityTestCase.java

@@ -57,7 +57,8 @@ public void corsPreflightTest() {
                 .statusCode(200)
                 .header("Access-Control-Allow-Origin", origin)
                 .header("Access-Control-Allow-Methods", methods)
-                .header("Access-Control-Allow-Headers", headers);
+                .header("Access-Control-Allow-Headers", headers)
+                .header("Access-Control-Allow-Credentials", "false");
 
         given().header("Origin", origin)
                 .header("Access-Control-Request-Method", methods)
@@ -68,7 +69,8 @@ public void corsPreflightTest() {
                 .statusCode(200)
                 .header("Access-Control-Allow-Origin", origin)
                 .header("Access-Control-Allow-Methods", methods)
-                .header("Access-Control-Allow-Headers", headers);
+                .header("Access-Control-Allow-Headers", headers)
+                .header("Access-Control-Allow-Credentials", "false");
 
         given().header("Origin", origin)
                 .header("Access-Control-Request-Method", methods)
@@ -79,7 +81,8 @@ public void corsPreflightTest() {
                 .statusCode(200)
                 .header("Access-Control-Allow-Origin", origin)
                 .header("Access-Control-Allow-Methods", methods)
-                .header("Access-Control-Allow-Headers", headers);
+                .header("Access-Control-Allow-Headers", headers)
+                .header("Access-Control-Allow-Credentials", "false");
 
         given().header("Origin", origin)
                 .header("Access-Control-Request-Method", methods)
@@ -90,41 +93,44 @@ public void corsPreflightTest() {
                 .statusCode(200)
                 .header("Access-Control-Allow-Origin", origin)
                 .header("Access-Control-Allow-Methods", methods)
-                .header("Access-Control-Allow-Headers", headers);
+                .header("Access-Control-Allow-Headers", headers)
+                .header("Access-Control-Allow-Credentials", "false");
     }
 
     @Test
     @DisplayName("Handles a direct CORS request correctly")
     public void corsNoPreflightTest() {
         String origin = "http://custom.origin.quarkus";
-        String methods = "GET, POST";
-        String headers = "X-Custom";
         given().header("Origin", origin)
                 .when()
                 .get("/test").then()
                 .statusCode(401)
-                .header("Access-Control-Allow-Origin", origin);
+                .header("Access-Control-Allow-Origin", origin)
+                .header("Access-Control-Allow-Credentials", "false");
 
         given().header("Origin", origin)
                 .when()
                 .auth().basic("test", "test")
                 .get("/test").then()
                 .statusCode(200)
                 .header("Access-Control-Allow-Origin", origin)
-                .body(Matchers.equalTo("test:/test"));
+                .body(Matchers.equalTo("test:/test"))
+                .header("Access-Control-Allow-Credentials", "false");
 
         given().header("Origin", origin)
                 .when()
                 .auth().basic("test", "wrongpassword")
                 .get("/test").then()
                 .statusCode(401)
-                .header("Access-Control-Allow-Origin", origin);
+                .header("Access-Control-Allow-Origin", origin)
+                .header("Access-Control-Allow-Credentials", "false");
 
         given().header("Origin", origin)
                 .when()
                 .auth().basic("user", "user")
                 .get("/test").then()
                 .statusCode(403)
-                .header("Access-Control-Allow-Origin", origin);
+                .header("Access-Control-Allow-Origin", origin)
+                .header("Access-Control-Allow-Credentials", "false");
     }
 }

extensions/vertx-http/deployment/src/test/resources/conf/cors-regex-wildcard.properties

@@ -0,0 +1,2 @@
+quarkus.http.cors=true
+quarkus.http.cors.origins=/.*/

extensions/vertx-http/runtime/src/main/java/io/quarkus/vertx/http/runtime/cors/CORSFilter.java

@@ -146,7 +146,7 @@ public void handle(RoutingContext event) {
 
             //for both normal and preflight requests we need to check the origin
             boolean allowsOrigin = wildcardOrigin;
-            boolean originMatches = corsConfig.origins.isPresent() &&
+            boolean originMatches = !wildcardOrigin && corsConfig.origins.isPresent() &&
                     (corsConfig.origins.get().contains(origin) || isOriginAllowedByRegex(allowedOriginsRegex, origin));
             if (!allowsOrigin) {
                 if (corsConfig.origins.isPresent()) {