authorize: allow CORS preflight requests (#672)

* proxy: implement preserve host header option

* authorize: allow CORS preflight requests

authorize/evaluator/opa/policy/authz.rego

@@ -11,6 +11,16 @@ allow {
 	route_policies[route].AllowPublicUnauthenticatedAccess == true
 }
 
+# allow cors preflight
+allow {
+	route := first_allowed_route(input.url)
+	route_policies[route].CORSAllowPreflight == true
+	input.method == "OPTIONS"
+	count(object.get(input.headers, "Access-Control-Request-Method", [])) > 0
+	count(object.get(input.headers, "Origin", [])) > 0
+}
+
+
 # allow by email
 allow {
 	route := first_allowed_route(input.url)
@@ -62,7 +72,6 @@ allow {
 	token.valid
 	count(deny)==0
 }
-
 # allow pomerium urls
 allow {
 	contains(input.url, "/.pomerium/")

authorize/evaluator/opa/policy/authz_test.rego

@@ -110,6 +110,36 @@ test_pomerium_denied {
 	}
 }
 
+test_cors_preflight_allowed {
+	allow with data.route_policies as [{
+		"source": "example.com",
+		"allowed_users": ["bob@example.com"],
+		"CORSAllowPreflight": true
+	}] with input as {
+		"url": "http://example.com/",
+		"host": "example.com",
+		"method": "OPTIONS",
+		"headers": {
+			"Origin": ["someorigin"],
+			"Access-Control-Request-Method": ["GET"]
+		}
+	}
+}
+test_cors_preflight_denied {
+	not allow with data.route_policies as [{
+		"source": "example.com",
+		"allowed_users": ["bob@example.com"]
+	}] with input as {
+		"url": "http://example.com/",
+		"host": "example.com",
+		"method": "OPTIONS",
+		"headers": {
+			"Origin": ["someorigin"],
+			"Access-Control-Request-Method": ["GET"]
+		}
+	}
+}
+
 test_parse_url {
 	url := parse_url("http://example.com/some/path?qs")
 	url.scheme == "http"