Add custom headers to allowed CORS headers for CF actuators

Update CORS configuration to support Authorization and X-Cf-App-Instance.

See gh-7108

Author: mbhave

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryActuatorAutoConfiguration.java

@@ -90,6 +90,8 @@ private CorsConfiguration getCorsConfiguration() {
 		corsConfiguration.addAllowedOrigin(CorsConfiguration.ALL);
 		corsConfiguration.setAllowedMethods(
 				Arrays.asList(HttpMethod.GET.name(), HttpMethod.POST.name()));
+		corsConfiguration
+				.setAllowedHeaders(Arrays.asList("Authorization", "X-Cf-App-Instance"));
 		return corsConfiguration;
 	}
 

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundrySecurityInterceptor.java

@@ -25,6 +25,7 @@
 import org.springframework.boot.actuate.cloudfoundry.CloudFoundryAuthorizationException.Reason;
 import org.springframework.boot.actuate.endpoint.mvc.MvcEndpoint;
 import org.springframework.util.StringUtils;
+import org.springframework.web.cors.CorsUtils;
 import org.springframework.web.method.HandlerMethod;
 import org.springframework.web.servlet.HandlerInterceptor;
 import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
@@ -55,6 +56,9 @@ class CloudFoundrySecurityInterceptor extends HandlerInterceptorAdapter {
 	@Override
 	public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
 			Object o) throws Exception {
+		if (CorsUtils.isPreFlightRequest(request)) {
+			return true;
+		}
 		try {
 			if (!StringUtils.hasText(this.applicationId)) {
 				throw new CloudFoundryAuthorizationException(Reason.SERVICE_UNAVAILABLE,

spring-boot-actuator/src/test/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundryActuatorAutoConfigurationTests.java

@@ -16,6 +16,8 @@
 
 package org.springframework.boot.actuate.cloudfoundry;
 
+import java.util.Arrays;
+
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -75,18 +77,20 @@ public void close() {
 
 	@Test
 	public void cloudFoundryPlatformActive() throws Exception {
-		CloudFoundryEndpointHandlerMapping handlerMapping = x();
+		CloudFoundryEndpointHandlerMapping handlerMapping = getHandlerMapping();
 		assertThat(handlerMapping.getPrefix()).isEqualTo("/cloudfoundryapplication");
 		CorsConfiguration corsConfiguration = (CorsConfiguration) ReflectionTestUtils
 				.getField(handlerMapping, "corsConfiguration");
 		assertThat(corsConfiguration.getAllowedOrigins()).contains("*");
 		assertThat(corsConfiguration.getAllowedMethods()).contains(HttpMethod.GET.name(),
 				HttpMethod.POST.name());
+		assertThat(corsConfiguration.getAllowedHeaders()
+				.containsAll(Arrays.asList("Authorization", "X-Cf-App-Instance")));
 	}
 
 	@Test
 	public void cloudFoundryPlatformActiveSetsApplicationId() throws Exception {
-		CloudFoundryEndpointHandlerMapping handlerMapping = x();
+		CloudFoundryEndpointHandlerMapping handlerMapping = getHandlerMapping();
 		Object interceptor = ReflectionTestUtils.getField(handlerMapping,
 				"securityInterceptor");
 		String applicationId = (String) ReflectionTestUtils.getField(interceptor,
@@ -96,7 +100,7 @@ public void cloudFoundryPlatformActiveSetsApplicationId() throws Exception {
 
 	@Test
 	public void cloudFoundryPlatformActiveSetsCloudControllerUrl() throws Exception {
-		CloudFoundryEndpointHandlerMapping handlerMapping = x();
+		CloudFoundryEndpointHandlerMapping handlerMapping = getHandlerMapping();
 		Object interceptor = ReflectionTestUtils.getField(handlerMapping,
 				"securityInterceptor");
 		Object interceptorSecurityService = ReflectionTestUtils.getField(interceptor,
@@ -123,7 +127,7 @@ public void cloudFoundryPlatformActiveAndCloudControllerUrlNotPresent()
 		assertThat(interceptorSecurityService).isNull();
 	}
 
-	private CloudFoundryEndpointHandlerMapping x() {
+	private CloudFoundryEndpointHandlerMapping getHandlerMapping() {
 		EnvironmentTestUtils.addEnvironment(this.context, "VCAP_APPLICATION:---",
 				"vcap.application.application_id:my-app-id",
 				"vcap.application.cf_api:http://my-cloud-controller.com");

spring-boot-actuator/src/test/java/org/springframework/boot/actuate/cloudfoundry/CloudFoundrySecurityInterceptorTests.java

@@ -26,6 +26,7 @@
 import org.springframework.boot.actuate.cloudfoundry.CloudFoundryAuthorizationException.Reason;
 import org.springframework.boot.actuate.endpoint.AbstractEndpoint;
 import org.springframework.boot.actuate.endpoint.mvc.EndpointMvcAdapter;
+import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -69,6 +70,16 @@ public void setup() throws Exception {
 		this.response = new MockHttpServletResponse();
 	}
 
+	@Test
+	public void preHandleWhenRequestIsPreFlightShouldReturnTrue() throws Exception {
+		this.request.setMethod("OPTIONS");
+		this.request.addHeader(HttpHeaders.ORIGIN, "http://example.com");
+		this.request.addHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD, "GET");
+		boolean preHandle = this.interceptor.preHandle(this.request, this.response,
+				this.handlerMethod);
+		assertThat(preHandle).isTrue();
+	}
+
 	@Test
 	public void preHandleWhenTokenIsMissingShouldReturnFalse() throws Exception {
 		boolean preHandle = this.interceptor.preHandle(this.request, this.response,