attestation-service: enable CORS support in restful-as for browser scenarios

attestation-service/Cargo.toml

@@ -24,7 +24,7 @@ rvps-grpc = [ "prost", "tonic" ]
 grpc-bin = [ "clap", "env_logger", "prost", "tonic" ]
 
 # For restful CoCo-AS binary
-restful-bin = [ "actix-web/openssl", "clap", "env_logger" ]
+restful-bin = [ "actix-cors", "actix-web/openssl", "clap", "env_logger" ]
 
 [[bin]]
 name = "grpc-as"
@@ -39,6 +39,10 @@ name = "attestation-challenge-client"
 path = "src/bin/attestation-challenge-client/main.rs"
 
 [dependencies]
+# Pinned to 0.7.0: actix-cors 0.7.1 pulls in derive_more 2.x which requires
+# rustc >= 1.81, while this fork's toolchain is 1.76. 0.7.0 uses derive_more
+# 0.99 and builds fine. Bump once the MSRV is raised.
+actix-cors = { version = "=0.7.0", optional = true }
 actix-web = { workspace = true, optional = true }
 aes-gcm = "0.10"
 aes-kw = "0.2"

attestation-service/src/bin/restful-as.rs

@@ -1,6 +1,7 @@
 use std::{net::SocketAddr, path::Path, sync::Arc};
 
-use actix_web::{web, App, HttpServer};
+use actix_cors::Cors;
+use actix_web::{http::header, web, App, HttpServer};
 use anyhow::Result;
 use attestation_service::{config::Config, config::ConfigError, AttestationService, ServiceError};
 use clap::{arg, command, Parser};
@@ -41,6 +42,12 @@ pub struct Cli {
     /// private key are provided then HTTPS will be enabled.
     #[arg(short = 'k', long)]
     pub https_prikey: Option<String>,
+
+    /// Allowed origin for CORS access (e.g., "http://localhost:3000").
+    /// Can be specified multiple times or comma-separated. When empty
+    /// (the default), no CORS origins are allowed.
+    #[arg(short = 'r', long = "allowed_origin", value_delimiter = ',', num_args = 1..)]
+    pub allowed_origin: Vec<String>,
 }
 
 #[derive(EnumString, AsRefStr)]
@@ -87,6 +94,36 @@ pub enum RestfulError {
     Certificate(#[from] anyhow::Error),
 }
 
+fn configure_cors(allowed_origin: &[String]) -> Cors {
+    let mut cors = Cors::default()
+        .allowed_methods(vec!["POST", "GET", "OPTIONS"])
+        .allowed_headers(vec![header::CONTENT_TYPE, header::AUTHORIZATION])
+        .max_age(86400);
+
+    // Parse origin
+    if !allowed_origin.is_empty() {
+        let origins: Vec<String> = allowed_origin
+            .iter()
+            .flat_map(|s| s.split(','))
+            .map(|s| s.trim().to_string())
+            .filter(|s| !s.is_empty())
+            .collect();
+
+        for ori in &origins {
+            if ori.starts_with("http://") || ori.starts_with("https://") {
+                log::info!("Allowed CORS origin: {ori:?}");
+                cors = cors.allowed_origin(ori.as_str());
+            } else {
+                log::error!(
+                    "Invalid CORS origin format: '{ori}'. Must start with http:// or https://"
+                );
+            }
+        }
+    };
+
+    cors
+}
+
 #[actix_web::main]
 async fn main() -> Result<(), RestfulError> {
     env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
@@ -106,9 +143,12 @@ async fn main() -> Result<(), RestfulError> {
 
     let attestation_service = AttestationService::new(config).await?;
 
+    let allowed_origin = cli.allowed_origin.clone();
+
     let attestation_service = web::Data::new(Arc::new(RwLock::new(attestation_service)));
     let server = HttpServer::new(move || {
         App::new()
+            .wrap(configure_cors(&allowed_origin))
             .service(web::resource(WebApi::Attestation.as_ref()).route(web::post().to(attestation)))
             .service(
                 web::resource(WebApi::Policy.as_ref())