feat: add CORS support for HTTP API and metrics endpoints

anchor/client/Cargo.toml

@@ -21,7 +21,6 @@ fdlimit = "0.3"
 global_config = { workspace = true }
 http_api = { workspace = true }
 http_metrics = { workspace = true }
-hyper = { workspace = true }
 keygen = { workspace = true }
 logging = { workspace = true }
 message_receiver = { workspace = true }
@@ -49,6 +48,7 @@ strum = { workspace = true }
 subnet_service = { workspace = true }
 task_executor = { workspace = true }
 tokio = { workspace = true }
+tower-http = { workspace = true }
 tracing = { workspace = true }
 types = { workspace = true }
 validator_metrics = { workspace = true }

anchor/client/src/cli.rs

@@ -323,8 +323,19 @@ pub struct Node {
         help_heading = FLAG_HEADER
     )]
     pub enable_high_validator_count_metrics: bool,
-    // TODO: Metrics CORS Origin
-    // https://github.com/sigp/anchor/issues/249
+
+    #[clap(
+        long,
+        value_name = "ORIGIN",
+        help = "Set the value of the Access-Control-Allow-Origin response HTTP header \
+                for the metrics server. Use * to allow any origin (not recommended in production). \
+                If no value is supplied, the CORS allowed origin is set to the listen \
+                address of this server (e.g., http://localhost:5164).",
+        display_order = 0,
+        requires = "metrics"
+    )]
+    pub metrics_allow_origin: Option<String>,
+
     #[clap(
         long,
         global = true,

anchor/client/src/config.rs

@@ -12,6 +12,7 @@ use network_utils::unused_port::{
 };
 use sensitive_url::SensitiveUrl;
 use ssv_types::OperatorId;
+use tower_http::cors::AllowOrigin;
 use tracing::{error, warn};
 
 use crate::cli::Node;
@@ -249,12 +250,10 @@ pub fn from_cli(cli_args: &Node, global_config: GlobalConfig) -> Result<Config,
     }
 
     if let Some(allow_origin) = &cli_args.http_allow_origin {
-        // Pre-validate the config value to give feedback to the user on node startup, instead of
-        // as late as when the first API response is produced.
-        hyper::header::HeaderValue::from_str(allow_origin)
+        let header_value = allow_origin
+            .parse()
             .map_err(|_| "Invalid allow-origin value")?;
-
-        config.http_api.allow_origin = Some(allow_origin.to_string());
+        config.http_api.allow_origin = AllowOrigin::exact(header_value);
     }
 
     // Prometheus metrics HTTP server
@@ -271,6 +270,13 @@ pub fn from_cli(cli_args: &Node, global_config: GlobalConfig) -> Result<Config,
         config.http_metrics.listen_port = port;
     }
 
+    if let Some(allow_origin) = &cli_args.metrics_allow_origin {
+        let header_value = allow_origin
+            .parse()
+            .map_err(|_| "Invalid metrics-allow-origin value")?;
+        config.http_metrics.allow_origin = AllowOrigin::exact(header_value);
+    }
+
     config.enable_high_validator_count_metrics = cli_args.enable_high_validator_count_metrics;
 
     config.impostor = cli_args.impostor.map(OperatorId);

anchor/client/src/lib.rs

@@ -155,7 +155,12 @@ impl Client {
                 .await
                 .map_err(|e| format!("Unable to bind to metrics server port: {e}"))?;
 
-            let metrics_future = http_metrics::serve(listener, shared_state.clone(), exit);
+            let metrics_future = http_metrics::serve(
+                listener,
+                shared_state.clone(),
+                config.http_metrics.allow_origin.clone(),
+                exit,
+            );
 
             executor.spawn_without_exit(metrics_future, "metrics-http");
 

anchor/http_api/Cargo.toml

@@ -22,6 +22,7 @@ slot_clock = { workspace = true }
 ssv_types = { workspace = true }
 task_executor = { workspace = true }
 tokio = { workspace = true }
+tower-http = { workspace = true }
 tracing = { workspace = true }
 types = { workspace = true }
 version = { workspace = true }

anchor/http_api/src/config.rs

@@ -2,15 +2,15 @@
 
 use std::net::{IpAddr, Ipv4Addr};
 
-use serde::{Deserialize, Serialize};
+use tower_http::cors::AllowOrigin;
 
 /// Configuration for the HTTP server.
-#[derive(PartialEq, Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone)]
 pub struct Config {
     pub enabled: bool,
     pub listen_addr: IpAddr,
     pub listen_port: u16,
-    pub allow_origin: Option<String>,
+    pub allow_origin: AllowOrigin,
 }
 
 impl Default for Config {
@@ -19,7 +19,7 @@ impl Default for Config {
             enabled: false,
             listen_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)),
             listen_port: 5062,
-            allow_origin: None,
+            allow_origin: AllowOrigin::any(),
         }
     }
 }

anchor/http_api/src/lib.rs

@@ -3,12 +3,14 @@ mod router;
 
 use std::{net::SocketAddr, path::PathBuf, sync::Arc};
 
+use axum::http::Method;
 pub use config::Config;
 use database::NetworkState;
 use parking_lot::RwLock;
 use slot_clock::SlotClock;
 use task_executor::TaskExecutor;
 use tokio::{net::TcpListener, sync::watch};
+use tower_http::cors::CorsLayer;
 use tracing::info;
 /// A wrapper around all the items required to spawn the HTTP server.
 ///
@@ -38,11 +40,14 @@ pub async fn run(config: Config, shared_state: Arc<RwLock<Shared>>) -> Result<()
         return Ok(());
     }
 
+    let cors = CorsLayer::new()
+        .allow_methods([Method::GET, Method::POST])
+        .allow_origin(config.allow_origin);
+
     // Generate the axum routes
-    let router = router::new(shared_state);
+    let router = router::new(shared_state).layer(cors);
 
     // Set up a listening address
-
     let socket = SocketAddr::new(config.listen_addr, config.listen_port);
     let listener = TcpListener::bind(socket).await.map_err(|e| e.to_string())?;
 

anchor/http_metrics/src/lib.rs

@@ -22,10 +22,9 @@ use axum::{
 use libp2p::metrics::Registry;
 use parking_lot::RwLock;
 use prometheus_client::encoding::text::encode;
-use serde::{Deserialize, Serialize};
 use slot_clock::{SlotClock, SystemTimeSlotClock};
 use tokio::net::TcpListener;
-use tower_http::cors::{Any, CorsLayer};
+use tower_http::cors::{AllowOrigin, CorsLayer};
 use tracing::error;
 use types::EthSpec;
 use validator_services::duties_service::DutiesService;
@@ -41,12 +40,12 @@ pub struct Shared<E: EthSpec> {
 }
 
 /// Configuration for the HTTP server.
-#[derive(PartialEq, Debug, Clone, Serialize, Deserialize)]
+#[derive(Debug, Clone)]
 pub struct Config {
     pub enabled: bool,
     pub listen_addr: IpAddr,
     pub listen_port: u16,
-    pub allow_origin: Option<String>,
+    pub allow_origin: AllowOrigin,
 }
 
 impl Default for Config {
@@ -55,17 +54,18 @@ impl Default for Config {
             enabled: false,
             listen_addr: IpAddr::V4(Ipv4Addr::LOCALHOST),
             listen_port: 5164,
-            allow_origin: None,
+            allow_origin: AllowOrigin::any(),
         }
     }
 }
 
-fn create_router<E: EthSpec>(shared_state: Arc<RwLock<Shared<E>>>) -> Router {
+fn create_router<E: EthSpec>(
+    shared_state: Arc<RwLock<Shared<E>>>,
+    allow_origin: AllowOrigin,
+) -> Router {
     let cors = CorsLayer::new()
-        // allow `GET` and `POST` when accessing the resource
         .allow_methods([Method::GET, Method::POST])
-        // allow requests from any origin
-        .allow_origin(Any);
+        .allow_origin(allow_origin);
 
     Router::new()
         .route("/metrics", get(metrics_handler))
@@ -148,10 +148,11 @@ async fn metrics_handler<E: EthSpec>(
 pub async fn serve<E: EthSpec>(
     listener: TcpListener,
     shared_state: Arc<RwLock<Shared<E>>>,
+    allow_origin: AllowOrigin,
     shutdown: impl Future<Output = ()> + Send + Sync + 'static,
 ) {
     // Generate the axum routes
-    let router = create_router(shared_state);
+    let router = create_router(shared_state, allow_origin);
 
     // Start the http api server
     if let Err(e) = axum::serve(listener, router)