Add CORS allowed origins config override to app host (#6250)

Author: JamesNK

playground/BrowserTelemetry/BrowserTelemetry.AppHost/Program.cs

@@ -4,7 +4,8 @@
 var builder = DistributedApplication.CreateBuilder(args);
 
 builder.AddProject<Projects.BrowserTelemetry_Web>("web")
-    .WithExternalHttpEndpoints();
+    .WithExternalHttpEndpoints()
+    .WithReplicas(2);
 
 #if !SKIP_DASHBOARD_REFERENCE
 // This project is only added in playground projects to support development/debugging

playground/BrowserTelemetry/BrowserTelemetry.AppHost/Properties/launchSettings.json

@@ -11,7 +11,8 @@
         "DOTNET_ENVIRONMENT": "Development",
         "DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL": "https://localhost:16175",
         "DOTNET_RESOURCE_SERVICE_ENDPOINT_URL": "https://localhost:17037",
-        "DOTNET_ASPIRE_SHOW_DASHBOARD_RESOURCES": "true"
+        "DOTNET_ASPIRE_SHOW_DASHBOARD_RESOURCES": "true",
+        "DOTNET_DASHBOARD_CORS_ALLOWED_ORIGINS": "*"
       }
     },
     "http": {
@@ -25,7 +26,8 @@
         "DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL": "http://localhost:16175",
         "DOTNET_RESOURCE_SERVICE_ENDPOINT_URL": "http://localhost:17037",
         "DOTNET_ASPIRE_SHOW_DASHBOARD_RESOURCES": "true",
-        "ASPIRE_ALLOW_UNSECURED_TRANSPORT": "true"
+        "ASPIRE_ALLOW_UNSECURED_TRANSPORT": "true",
+        "DOTNET_DASHBOARD_CORS_ALLOWED_ORIGINS": "*"
       }
     },
     "generate-manifest": {

src/Aspire.Hosting/Dashboard/DashboardLifecycleHook.cs

@@ -178,38 +178,19 @@ private void ConfigureAspireDashboardResource(IResource dashboardResource)
             {
                 context.EnvironmentVariables[DashboardConfigNames.DashboardOtlpHttpUrlName.EnvVarName] = otlpHttpEndpointUrl;
 
-                var model = context.ExecutionContext.ServiceProvider.GetRequiredService<DistributedApplicationModel>();
-                var allResourceEndpoints = model.Resources
-                    .Where(r => !string.Equals(r.Name, KnownResourceNames.AspireDashboard, StringComparisons.ResourceName))
-                    .SelectMany(r => r.Annotations)
-                    .OfType<EndpointAnnotation>()
-                    .ToList();
-
-                var corsOrigins = new HashSet<string>(StringComparers.UrlHost);
-                foreach (var endpoint in allResourceEndpoints)
-                {
-                    if (endpoint.UriScheme is "http" or "https")
-                    {
-                        // Prefer allocated endpoint over EndpointAnnotation.Port.
-                        var origin = endpoint.AllocatedEndpoint?.UriString;
-                        var targetOrigin = (endpoint.TargetPort != null)
-                            ? $"{endpoint.UriScheme}://localhost:{endpoint.TargetPort}"
-                            : null;
+                // Use explicitly defined allowed origins if configured.
+                var allowedOrigins = configuration[KnownConfigNames.DashboardCorsAllowedOrigins];
 
-                        if (origin != null)
-                        {
-                            corsOrigins.Add(origin);
-                        }
-                        if (targetOrigin != null)
-                        {
-                            corsOrigins.Add(targetOrigin);
-                        }
-                    }
+                // If allowed origins are not configured then calculate allowed origins from endpoints.
+                if (string.IsNullOrEmpty(allowedOrigins))
+                {
+                    var model = context.ExecutionContext.ServiceProvider.GetRequiredService<DistributedApplicationModel>();
+                    allowedOrigins = GetAllowedOriginsFromResourceEndpoints(model);
                 }
 
-                if (corsOrigins.Count > 0)
+                if (!string.IsNullOrEmpty(allowedOrigins))
                 {
-                    context.EnvironmentVariables[DashboardConfigNames.DashboardOtlpCorsAllowedOriginsKeyName.EnvVarName] = string.Join(',', corsOrigins);
+                    context.EnvironmentVariables[DashboardConfigNames.DashboardOtlpCorsAllowedOriginsKeyName.EnvVarName] = allowedOrigins;
                     context.EnvironmentVariables[DashboardConfigNames.DashboardOtlpCorsAllowedHeadersKeyName.EnvVarName] = "*";
                 }
             }
@@ -266,6 +247,44 @@ private void ConfigureAspireDashboardResource(IResource dashboardResource)
         }));
     }
 
+    private static string? GetAllowedOriginsFromResourceEndpoints(DistributedApplicationModel model)
+    {
+        var allResourceEndpoints = model.Resources
+            .Where(r => !string.Equals(r.Name, KnownResourceNames.AspireDashboard, StringComparisons.ResourceName))
+            .SelectMany(r => r.Annotations)
+            .OfType<EndpointAnnotation>()
+            .ToList();
+
+        var corsOrigins = new HashSet<string>(StringComparers.UrlHost);
+        foreach (var endpoint in allResourceEndpoints)
+        {
+            if (endpoint.UriScheme is "http" or "https")
+            {
+                // Prefer allocated endpoint over EndpointAnnotation.Port.
+                var origin = endpoint.AllocatedEndpoint?.UriString;
+                var targetOrigin = (endpoint.TargetPort != null)
+                    ? $"{endpoint.UriScheme}://localhost:{endpoint.TargetPort}"
+                    : null;
+
+                if (origin != null)
+                {
+                    corsOrigins.Add(origin);
+                }
+                if (targetOrigin != null)
+                {
+                    corsOrigins.Add(targetOrigin);
+                }
+            }
+        }
+
+        if (corsOrigins.Count > 0)
+        {
+            return string.Join(',', corsOrigins);
+        }
+
+        return null;
+    }
+
     private async Task WatchDashboardLogsAsync(CancellationToken cancellationToken)
     {
         var loggerCache = new ConcurrentDictionary<string, ILogger>(StringComparer.Ordinal);

src/Shared/KnownConfigNames.cs

@@ -12,5 +12,6 @@ internal static class KnownConfigNames
     public const string DashboardFrontendBrowserToken = "DOTNET_DASHBOARD_FRONTEND_BROWSERTOKEN";
     public const string DashboardResourceServiceClientApiKey = "DOTNET_DASHBOARD_RESOURCESERVICE_APIKEY";
     public const string DashboardUnsecuredAllowAnonymous = "DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS";
+    public const string DashboardCorsAllowedOrigins = "DOTNET_DASHBOARD_CORS_ALLOWED_ORIGINS";
     public const string ResourceServiceEndpointUrl = "DOTNET_RESOURCE_SERVICE_ENDPOINT_URL";
 }

tests/Aspire.Hosting.Tests/Dashboard/DashboardResourceTests.cs

@@ -280,8 +280,10 @@ public async Task DashboardResourceServiceUriIsSet()
         Assert.Equal("http://localhost:5000", config.Single(e => e.Key == DashboardConfigNames.ResourceServiceUrlName.EnvVarName).Value);
     }
 
-    [Fact]
-    public async Task DashboardResource_OtlpHttpEndpoint_CorsEnvVarSet()
+    [Theory]
+    [InlineData("*")]
+    [InlineData(null)]
+    public async Task DashboardResource_OtlpHttpEndpoint_CorsEnvVarSet(string? explicitCorsAllowedOrigins)
     {
         // Arrange
         using var builder = TestDistributedApplicationBuilder.Create(
@@ -297,7 +299,8 @@ public async Task DashboardResource_OtlpHttpEndpoint_CorsEnvVarSet()
         builder.Configuration.AddInMemoryCollection(new Dictionary<string, string?>
         {
             ["ASPNETCORE_URLS"] = "http://localhost",
-            ["DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL"] = "http://localhost"
+            ["DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL"] = "http://localhost",
+            ["DOTNET_DASHBOARD_CORS_ALLOWED_ORIGINS"] = explicitCorsAllowedOrigins
         });
 
         using var app = builder.Build();
@@ -315,12 +318,15 @@ public async Task DashboardResource_OtlpHttpEndpoint_CorsEnvVarSet()
 
         var config = await EnvironmentVariableEvaluator.GetEnvironmentVariablesAsync(dashboard, DistributedApplicationOperation.Run, app.Services).DefaultTimeout();
 
-        Assert.Equal("http://localhost:8081,http://localhost:58080", config.Single(e => e.Key == DashboardConfigNames.DashboardOtlpCorsAllowedOriginsKeyName.EnvVarName).Value);
+        var expectedAllowedOrigins = !string.IsNullOrEmpty(explicitCorsAllowedOrigins) ? explicitCorsAllowedOrigins : "http://localhost:8081,http://localhost:58080";
+        Assert.Equal(expectedAllowedOrigins, config.Single(e => e.Key == DashboardConfigNames.DashboardOtlpCorsAllowedOriginsKeyName.EnvVarName).Value);
         Assert.Equal("*", config.Single(e => e.Key == DashboardConfigNames.DashboardOtlpCorsAllowedHeadersKeyName.EnvVarName).Value);
     }
 
-    [Fact]
-    public async Task DashboardResource_OtlpGrpcEndpoint_CorsEnvVarNotSet()
+    [Theory]
+    [InlineData("*")]
+    [InlineData(null)]
+    public async Task DashboardResource_OtlpGrpcEndpoint_CorsEnvVarNotSet(string? explicitCorsAllowedOrigins)
     {
         // Arrange
         using var builder = TestDistributedApplicationBuilder.Create(
@@ -336,7 +342,8 @@ public async Task DashboardResource_OtlpGrpcEndpoint_CorsEnvVarNotSet()
         builder.Configuration.AddInMemoryCollection(new Dictionary<string, string?>
         {
             ["ASPNETCORE_URLS"] = "http://localhost",
-            ["DOTNET_DASHBOARD_OTLP_ENDPOINT_URL"] = "http://localhost"
+            ["DOTNET_DASHBOARD_OTLP_ENDPOINT_URL"] = "http://localhost",
+            ["DOTNET_DASHBOARD_CORS_ALLOWED_ORIGINS"] = explicitCorsAllowedOrigins
         });
 
         using var app = builder.Build();