Added CORS support middleware to Ironic

This adds the CORS support middleware to Ironic, allowing a deployer to optionally configure rules under which a javascript client may break the single-origin policy and access the API directly. OpenStack Spec: https://review.openstack.org/#/c/179866/ Oslo_Middleware Docs: http://docs.openstack.org/developer/oslo.middleware/cors.html OpenStack Cloud Admin Guide Documentation: http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html Co-Authored-By: Devananda van der Veen <devananda.vdv@gmail.com> Depends-on: I2deed897f8f9ef87e4a74227c4fcea9afdb151e8 Change-Id: Ic55305607e44069d893baf2a261d5fe7da777303
2015-05-06 12:05:24 -07:00 · 2015-05-06 12:05:24 -07:00 · 05f4a64aed
parent ec461e7e38
commit 05f4a64aed
5 changed files with 87 additions and 2 deletions
--- a/etc/ironic/ironic.conf.sample
+++ b/etc/ironic/ironic.conf.sample
@ -598,6 +598,68 @@
 #subprocess_timeout=10


+[cors]
+
+#
+# Options defined in oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (string value)
+#allowed_origin=<None>
+
+# Indicate that the actual request can include user
+# credentials (boolean value)
+#allow_credentials=true
+
+# Indicate which headers are safe to expose to the API.
+# Defaults to HTTP Simple Headers. (list value)
+#expose_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer
+# value)
+#max_age=3600
+
+# Indicate which methods can be used during the actual
+# request. (list value)
+#allow_methods=GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the
+# actual request. (list value)
+#allow_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
+[cors.subdomain]
+
+#
+# Options defined in oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (string value)
+#allowed_origin=<None>
+
+# Indicate that the actual request can include user
+# credentials (boolean value)
+#allow_credentials=true
+
+# Indicate which headers are safe to expose to the API.
+# Defaults to HTTP Simple Headers. (list value)
+#expose_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer
+# value)
+#max_age=3600
+
+# Indicate which methods can be used during the actual
+# request. (list value)
+#allow_methods=GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the
+# actual request. (list value)
+#allow_headers=Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
 [database]

 #
--- a/ironic/api/app.py
+++ b/ironic/api/app.py
@ -16,10 +16,12 @@
 #    under the License.

 from oslo_config import cfg
+import oslo_middleware.cors as cors_middleware
 import pecan

 from ironic.api import acl
 from ironic.api import config
+from ironic.api.controllers.base import Version
 from ironic.api import hooks
 from ironic.api import middleware
 from ironic.common.i18n import _
@ -73,6 +75,15 @@ def setup_app(pecan_config=None, extra_hooks=None):
        wrap_app=middleware.ParsableErrorMiddleware,
    )

+    # Create a CORS wrapper, and attach ironic-specific defaults that must be
+    # included in all CORS responses.
+    app = cors_middleware.CORS(app, CONF)
+    app.set_latent(
+        allow_headers=[Version.max_string, Version.min_string, Version.string],
+        allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
+        expose_headers=[Version.max_string, Version.min_string, Version.string]
+    )
+
    if pecan_config.app.enable_acl:
        return acl.install(app, cfg.CONF, pecan_config.app.acl_public_routes)

--- a/requirements.txt
+++ b/requirements.txt
@ -27,6 +27,7 @@ oslo.db>=2.4.1 # Apache-2.0
 oslo.rootwrap>=2.0.0 # Apache-2.0
 oslo.i18n>=1.5.0 # Apache-2.0
 oslo.log>=1.8.0 # Apache-2.0
+oslo.middleware>=2.8.0  # Apache-2.0
 oslo.policy>=0.5.0 # Apache-2.0
 oslo.serialization>=1.4.0 # Apache-2.0
 oslo.service>=0.7.0 # Apache-2.0
--- a/tools/config/oslo.config.generator.rc
+++ b/tools/config/oslo.config.generator.rc
@ -1,2 +1,2 @@
-export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging keystonemiddleware.auth_token oslo.concurrency oslo.policy oslo.log oslo.service.service oslo.service.periodic_task'
+export IRONIC_CONFIG_GENERATOR_EXTRA_LIBRARIES='oslo.db oslo.messaging oslo.middleware.cors keystonemiddleware.auth_token oslo.concurrency oslo.policy oslo.log oslo.service.service oslo.service.periodic_task'
 export IRONIC_CONFIG_GENERATOR_EXTRA_MODULES=
--- a/vagrant.yaml
+++ b/vagrant.yaml
@ -124,6 +124,14 @@
            section: 'DEFAULT',
            option: 'pecan_debug', value: 'true'
          }
+        - {
+            section: 'DEFAULT',
+            option: 'verbose', value: 'true'
+          }
+        - {
+            section: 'DEFAULT',
+            option: 'debug', value: 'true'
+          }
        - {
            section: 'oslo_messaging_rabbit',
            option: 'rabbit_host', value: "{{ip}}"
@ -136,7 +144,10 @@
            section: 'oslo_messaging_rabbit',
            option: 'rabbit_password', value: "ironic"
          }
-
+        - { # CORS Domain For Ironic-Webclient's dev server.
+            section: 'cors',
+            option: 'allowed_origin', value: "http://localhost:8000"
+          }

  #############################################################################
  # Handlers