FIX: Ensure CORS rules exist for S3 using rake task (#14802)

This commit introduces a new s3:ensure_cors_rules rake task
that is run as a prerequisite to s3:upload_assets. This rake
task calls out to the S3CorsRulesets class to ensure that
the 3 relevant sets of CORS rules are applied, depending on
site settings:

* assets
* direct S3 backups
* direct S3 uploads

This works for both Global S3 settings and Database S3 settings
(the latter set directly via SiteSetting).

As it is, only one rule can be applied, which is generally
the assets rule as it is called first. This commit changes
the ensure_cors! method to be able to apply new rules as
well as the existing ones.

This commit also slightly changes the existing rules to cover
direct S3 uploads via uppy, especially multipart, which requires
some more headers.

lib/s3_helper.rb

@@ -40,6 +40,21 @@ class S3Helper
       end
   end
 
+  def self.build_from_config(use_db_s3_config: false, for_backup: false, s3_client: nil)
+    setting_klass = use_db_s3_config ? SiteSetting : GlobalSetting
+    options = S3Helper.s3_options(setting_klass)
+    options[:client] = s3_client if s3_client.present?
+
+    bucket =
+      if for_backup
+        setting_klass.s3_backup_bucket
+      else
+        use_db_s3_config ? SiteSetting.s3_upload_bucket : GlobalSetting.s3_bucket
+      end
+
+    S3Helper.new(bucket.downcase, '', options)
+  end
+
   def self.get_bucket_and_folder_path(s3_bucket_name)
     s3_bucket_name.downcase.split("/", 2)
   end
@@ -124,31 +139,36 @@ class S3Helper
     [destination, response.copy_object_result.etag.gsub('"', '')]
   end
 
-  # make sure we have a cors config for assets
-  # otherwise we will have no fonts
+  # Several places in the application need certain CORS rules to exist
+  # inside an S3 bucket so requests to the bucket can be made
+  # directly from the browser. The s3:ensure_cors_rules rake task
+  # is used to ensure these rules exist for assets, S3 backups, and
+  # direct S3 uploads, depending on configuration.
   def ensure_cors!(rules = nil)
     return unless SiteSetting.s3_install_cors_rule
+    rules = [rules] if !rules.is_a?(Array)
+    existing_rules = fetch_bucket_cors_rules
 
-    rule = nil
+    new_rules = rules - existing_rules
+    return false if new_rules.empty?
+
+    final_rules = existing_rules + new_rules
 
     begin
-      rule = s3_resource.client.get_bucket_cors(
-        bucket: @s3_bucket_name
-      ).cors_rules&.first
-    rescue Aws::S3::Errors::NoSuchCORSConfiguration
-      # no rule
-    end
-
-    unless rule
-      rules = [S3CorsRulesets::ASSETS] if rules.nil?
-
       s3_resource.client.put_bucket_cors(
         bucket: @s3_bucket_name,
         cors_configuration: {
-          cors_rules: rules
+          cors_rules: final_rules
         }
       )
+    rescue Aws::S3::Errors::AccessDenied => err
+      # TODO (martin) Remove this warning log level once we are sure this new
+      # ensure_cors! rule is functioning correctly.
+      Discourse.warn_exception(err, message: "Could not PutBucketCors rules for #{@s3_bucket_name}, rules: #{final_rules}")
+      return false
     end
+
+    true
   end
 
   def update_lifecycle(id, days, prefix: nil, tag: nil)
@@ -264,6 +284,17 @@ class S3Helper
 
   private
 
+  def fetch_bucket_cors_rules
+    begin
+      s3_resource.client.get_bucket_cors(
+        bucket: @s3_bucket_name
+      ).cors_rules&.map(&:to_h) || []
+    rescue Aws::S3::Errors::NoSuchCORSConfiguration
+      # no rule
+      []
+    end
+  end
+
   def default_s3_options
     if SiteSetting.enable_s3_uploads?
       options = self.class.s3_options(SiteSetting)