Refactor CORS support out of MVC Core

Author: javiercn

src/Microsoft.AspNetCore.Mvc.Core/Internal/HttpMethodActionConstraint.cs

@@ -15,10 +15,6 @@ public class HttpMethodActionConstraint : IActionConstraint
 
         private readonly IReadOnlyList<string> _httpMethods;
 
-        private readonly string OriginHeader = "Origin";
-        private readonly string AccessControlRequestMethod = "Access-Control-Request-Method";
-        private readonly string PreflightHttpMethod = "OPTIONS";
-
         // Empty collection means any method will be accepted.
         public HttpMethodActionConstraint(IEnumerable<string> httpMethods)
         {
@@ -70,18 +66,6 @@ public bool Accept(ActionConstraintContext context)
             var request = context.RouteContext.HttpContext.Request;
             var method = request.Method;
 
-            // Perf: Check http method before accessing the Headers collection.
-            if (string.Equals(method, PreflightHttpMethod, StringComparison.OrdinalIgnoreCase) &&
-                request.Headers.ContainsKey(OriginHeader))
-            {
-                // Update the http method if it is preflight request.
-                var accessControlRequestMethod = request.Headers[AccessControlRequestMethod];
-                if (!StringValues.IsNullOrEmpty(accessControlRequestMethod))
-                {
-                    method = accessControlRequestMethod;
-                }
-            }
-
             for (var i = 0; i < _httpMethods.Count; i++)
             {
                 var supportedMethod = _httpMethods[i];

src/Microsoft.AspNetCore.Mvc.Cors/Internal/CorsApplicationModelProvider.cs

@@ -5,6 +5,8 @@
 using System.Linq;
 using Microsoft.AspNetCore.Cors.Infrastructure;
 using Microsoft.AspNetCore.Mvc.ApplicationModels;
+using Microsoft.AspNetCore.Mvc.Internal;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Mvc.Cors.Internal
 {
@@ -28,23 +30,25 @@ public void OnProvidersExecuting(ApplicationModelProviderContext context)
                 throw new ArgumentNullException(nameof(context));
             }
 
-            IEnableCorsAttribute enableCors;
-            IDisableCorsAttribute disableCors;
+            var isCorsEnabledGlobally = context.Result.Filters.OfType<ICorsAuthorizationFilter>().Any() ||
+                context.Result.Filters.OfType<CorsAuthorizationFilterFactory>().Any();
 
             foreach (var controllerModel in context.Result.Controllers)
             {
-                enableCors = controllerModel.Attributes.OfType<IEnableCorsAttribute>().FirstOrDefault();
+                var enableCors = controllerModel.Attributes.OfType<IEnableCorsAttribute>().FirstOrDefault();
                 if (enableCors != null)
                 {
                     controllerModel.Filters.Add(new CorsAuthorizationFilterFactory(enableCors.PolicyName));
                 }
 
-                disableCors = controllerModel.Attributes.OfType<IDisableCorsAttribute>().FirstOrDefault();
+                var disableCors = controllerModel.Attributes.OfType<IDisableCorsAttribute>().FirstOrDefault();
                 if (disableCors != null)
                 {
                     controllerModel.Filters.Add(new DisableCorsAuthorizationFilter());
                 }
 
+                var corsOnController = enableCors != null || disableCors != null || controllerModel.Filters.OfType<ICorsAuthorizationFilter>().Any();
+
                 foreach (var actionModel in controllerModel.Actions)
                 {
                     enableCors = actionModel.Attributes.OfType<IEnableCorsAttribute>().FirstOrDefault();
@@ -58,6 +62,29 @@ public void OnProvidersExecuting(ApplicationModelProviderContext context)
                     {
                         actionModel.Filters.Add(new DisableCorsAuthorizationFilter());
                     }
+
+                    var corsOnAction = enableCors != null || disableCors != null || actionModel.Filters.OfType<ICorsAuthorizationFilter>().Any();
+
+                    if (isCorsEnabledGlobally || corsOnController || corsOnAction)
+                    {
+                        UpdateHttpMethodActionConstraint(actionModel);
+                    }
+                }
+            }
+        }
+
+        private static void UpdateHttpMethodActionConstraint(ActionModel actionModel)
+        {
+            for (var i = 0; i < actionModel.Selectors.Count; i++)
+            {
+                var selectorModel = actionModel.Selectors[i];
+                for (var j = 0; j < selectorModel.ActionConstraints.Count; j++)
+                {
+                    var httpConstraint = selectorModel.ActionConstraints[j] as HttpMethodActionConstraint;
+                    if (httpConstraint != null)
+                    {
+                        selectorModel.ActionConstraints[j] = new CorsHttpMethodActionConstraint(httpConstraint);
+                    }
                 }
             }
         }

src/Microsoft.AspNetCore.Mvc.Cors/Internal/CorsHttpMethodActionConstraint.cs

@@ -0,0 +1,65 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Collections.ObjectModel;
+using Microsoft.AspNetCore.Mvc.ActionConstraints;
+using Microsoft.Extensions.Primitives;
+using Microsoft.AspNetCore.Mvc.Internal;
+
+namespace Microsoft.AspNetCore.Mvc.Cors.Internal
+{
+    public class CorsHttpMethodActionConstraint : HttpMethodActionConstraint, IActionConstraint
+    {
+        private readonly string OriginHeader = "Origin";
+        private readonly string AccessControlRequestMethod = "Access-Control-Request-Method";
+        private readonly string PreflightHttpMethod = "OPTIONS";
+
+        public CorsHttpMethodActionConstraint(HttpMethodActionConstraint constraint)
+            : base(constraint.HttpMethods)
+        {
+        }
+
+        bool IActionConstraint.Accept(ActionConstraintContext context)
+        {
+            if (context == null)
+            {
+                throw new ArgumentNullException(nameof(context));
+            }
+
+            var methods = (ReadOnlyCollection<string>)HttpMethods;
+            if (methods.Count == 0)
+            {
+                return true;
+            }
+
+            var request = context.RouteContext.HttpContext.Request;
+            var method = request.Method;
+            if (string.Equals(
+                        request.Method,
+                        PreflightHttpMethod,
+                        StringComparison.OrdinalIgnoreCase) &&
+                request.Headers.ContainsKey(OriginHeader))
+            {
+                // Update the http method if it is preflight request.
+                var accessControlRequestMethod = request.Headers[AccessControlRequestMethod];
+                if (!StringValues.IsNullOrEmpty(accessControlRequestMethod))
+                {
+                    for (var i = 0; i < methods.Count; i++)
+                    {
+                        var supportedMethod = methods[i];
+                        if (string.Equals(supportedMethod, accessControlRequestMethod, StringComparison.OrdinalIgnoreCase))
+                        {
+                            return true;
+                        }
+                    }
+
+                    return false;
+                }
+            }
+
+            return base.Accept(context);
+        }
+    }
+}

test/Microsoft.AspNetCore.Mvc.Core.Test/Internal/HttpMethodActionConstraintTest.cs

@@ -26,7 +26,7 @@ public class HttpMethodActionConstraintTest
 
         [Theory]
         [MemberData(nameof(AcceptCaseInsensitiveData))]
-        public void HttpMethodActionConstraint_Accept_Preflight_CaseInsensitive(IEnumerable<string> httpMethods, string accessControlMethod)
+        public void HttpMethodActionConstraint_IgnoresPreflightRequests(IEnumerable<string> httpMethods, string accessControlMethod)
         {
             // Arrange
             var constraint = new HttpMethodActionConstraint(httpMethods);
@@ -37,7 +37,7 @@ public void HttpMethodActionConstraint_Accept_Preflight_CaseInsensitive(IEnumera
             var result = constraint.Accept(context);
 
             // Assert
-            Assert.True(result, "Request should have been accepted.");
+            Assert.False(result, "Request should have been rejected.");
         }
 
         [Theory]