openstack/oslo.middleware
Code Issues Proposed changes
e744501c47
oslo.middleware/oslo_middleware/cors.py

326 lines
13 KiB
Python
Raw Normal View History

Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Copyright (c) 2015 Hewlett-Packard Development Company, L.P.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing permissions and
# limitations under the License.
# Default allowed headers
import copy
import logging
Use correct oslo_middleware.base methods in CORS middleware. This patch modifies the CORS middleware to use the __call__ logic from its parent class, rather than overriding it. Logic has been moved into process_request and process_response accordingly. Change-Id: Ia5907ec37c1103a9b9a24d549a81822b1b3ad332
2015-06-11 11:49:51 -07:00
Drop use of 'oslo' namespace package The Oslo libraries have moved all of their code out of the 'oslo' namespace package into per-library packages. The namespace package was retained during kilo for backwards compatibility, but will be removed by the liberty-2 milestone. This change removes the use of the namespace package, replacing it with the new package names. Blueprint: remove-namespace-packages https://blueprints.launchpad.net/oslo-incubator/+spec/remove-namespace-packages Change-Id: I783117608e1e6ea402e1c83309f80d994108baff
2015-05-11 21:10:50 +00:00
from oslo_config import cfg
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
from oslo_middleware import base
import webob.dec
import webob.exc
import webob.response
LOG = logging.getLogger(__name__)
CORS_OPTS = [
cfg.StrOpt('allowed_origin',
default=None,
help='Indicate whether this resource may be shared with the '
'domain received in the requests "origin" header.'),
cfg.BoolOpt('allow_credentials',
default=True,
help='Indicate that the actual request can include user '
'credentials'),
cfg.ListOpt('expose_headers',
default=['Content-Type', 'Cache-Control', 'Content-Language',
'Expires', 'Last-Modified', 'Pragma'],
help='Indicate which headers are safe to expose to the API. '
'Defaults to HTTP Simple Headers.'),
cfg.IntOpt('max_age',
default=3600,
help='Maximum cache age of CORS preflight requests.'),
cfg.ListOpt('allow_methods',
default=['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
help='Indicate which methods can be used during the actual '
'request.'),
cfg.ListOpt('allow_headers',
default=['Content-Type', 'Cache-Control', 'Content-Language',
'Expires', 'Last-Modified', 'Pragma'],
help='Indicate which header field names may be used during '
'the actual request.')
]
class CORS(base.Middleware):
"""CORS Middleware.
This middleware allows a WSGI app to serve CORS headers for multiple
configured domains.
For more information, see http://www.w3.org/TR/cors/
"""
simple_headers = [
'Content-Type',
'Cache-Control',
'Content-Language',
'Expires',
'Last-Modified',
'Pragma'
]
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
def __init__(self, application, conf=None):
Remove usage of oslo.config global Currently application that doesn't use the global configuration object have to rely on hack to setup the global oslo config object for each middleware it want to use. For example, gnocchi have its own middleware loader and add crap to load keystonemiddleware: https://github.com/openstack/gnocchi/blob/master/gnocchi/rest/app.py#L140 And it can't use oslo.middleware that relies on the global conf object. Also aodh (use 'paste' for middleware) have to hack the global configuration object for each middlewares it want to use by code... https://review.openstack.org/#/c/208632/1/aodh/service.py But middleware are optional deployer stuffs, we should not write any code for them... This change allows application to use paste-deploy (or any middleware loader) without enforcing the application to use the global oslo.config object. If the middleware want to use oslo.config it should load the configuration file himself (and fallback to the global one if any) The proposed paste configuration to allow this is: [filter:cors] paste.filter_factory = oslo.middleware:cors oslo_config_project = aodh So the cors middleware can find and load the aodh config and what is it interested in. Also, some of them use oslo.config local, some other the global object. Some can be loaded by an middleware loader like paste, some other not. This change make consistent the way we bootstrap all middlewares. Closes-bug: #1482086 Change-Id: Iad197d1f3a386683d818b59718df34e14e15ca5c
2015-08-06 09:15:57 +02:00
super(CORS, self).__init__(application, conf)
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
# Begin constructing our configuration hash.
self.allowed_origins = {}
Remove usage of oslo.config global Currently application that doesn't use the global configuration object have to rely on hack to setup the global oslo config object for each middleware it want to use. For example, gnocchi have its own middleware loader and add crap to load keystonemiddleware: https://github.com/openstack/gnocchi/blob/master/gnocchi/rest/app.py#L140 And it can't use oslo.middleware that relies on the global conf object. Also aodh (use 'paste' for middleware) have to hack the global configuration object for each middlewares it want to use by code... https://review.openstack.org/#/c/208632/1/aodh/service.py But middleware are optional deployer stuffs, we should not write any code for them... This change allows application to use paste-deploy (or any middleware loader) without enforcing the application to use the global oslo.config object. If the middleware want to use oslo.config it should load the configuration file himself (and fallback to the global one if any) The proposed paste configuration to allow this is: [filter:cors] paste.filter_factory = oslo.middleware:cors oslo_config_project = aodh So the cors middleware can find and load the aodh config and what is it interested in. Also, some of them use oslo.config local, some other the global object. Some can be loaded by an middleware loader like paste, some other not. This change make consistent the way we bootstrap all middlewares. Closes-bug: #1482086 Change-Id: Iad197d1f3a386683d818b59718df34e14e15ca5c
2015-08-06 09:15:57 +02:00
self._init_from_oslo(self.oslo_conf)
self._init_from_conf()
@classmethod
def factory(cls, global_conf, allowed_origin, **local_conf):
# Ensures allowed_origin config exists
return super(CORS, cls).factory(global_conf,
allowed_origin=allowed_origin,
**local_conf)
def _init_from_conf(self):
"""Load configuration from paste.deploy
allowed_origin: Protocol, host, and port for the allowed origin.
allow_credentials: Whether to permit credentials.
expose_headers: A list of headers to expose.
max_age: Maximum cache duration.
allow_methods: List of HTTP methods to permit.
allow_headers: List of HTTP headers to permit from the client.
"""
if 'allowed_origin' in self.conf:
self.add_origin(
allowed_origin=self.conf['allowed_origin'],
allow_credentials=self.conf.get('allow_credentials', True),
expose_headers=self.conf.get('expose_headers'),
max_age=self.conf.get('max_age'),
allow_methods=self.conf.get('allow_methods'),
allow_headers=self.conf.get('allow_headers'))
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
def _init_from_oslo(self, conf):
'''Initialize this middleware from an oslo.config instance.'''
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# First, check the configuration and register global options.
conf.register_opts(CORS_OPTS, 'cors')
# Clone our original CORS_OPTS, and set the defaults to whatever is
# set in the global conf instance. This is done explicitly (instead
# of **kwargs), since we don't accidentally want to catch
# allowed_origin.
subgroup_opts = copy.deepcopy(CORS_OPTS)
cfg.set_defaults(subgroup_opts,
allow_credentials=conf.cors.allow_credentials,
expose_headers=conf.cors.expose_headers,
max_age=conf.cors.max_age,
allow_methods=conf.cors.allow_methods,
allow_headers=conf.cors.allow_headers)
# If the default configuration contains an allowed_origin, don't
# forget to register that.
if conf.cors.allowed_origin:
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
self.add_origin(**conf.cors)
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Iterate through all the loaded config sections, looking for ones
# prefixed with 'cors.'
for section in conf.list_all_sections():
if section.startswith('cors.'):
# Register with the preconstructed defaults
conf.register_opts(subgroup_opts, section)
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
self.add_origin(**conf[section])
def add_origin(self, allowed_origin, allow_credentials=True,
expose_headers=None, max_age=None, allow_methods=None,
allow_headers=None):
'''Add another origin to this filter.
:param allowed_origin: Protocol, host, and port for the allowed origin.
:param allow_credentials: Whether to permit credentials.
:param expose_headers: A list of headers to expose.
:param max_age: Maximum cache duration.
:param allow_methods: List of HTTP methods to permit.
:param allow_headers: List of HTTP headers to permit from the client.
:return:
'''
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
if allowed_origin in self.allowed_origins:
LOG.warn('Allowed origin [%s] already exists, skipping' % (
allowed_origin,))
return
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
self.allowed_origins[allowed_origin] = {
'allow_credentials': allow_credentials,
'expose_headers': expose_headers,
'max_age': max_age,
'allow_methods': allow_methods,
'allow_headers': allow_headers
}
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
Use correct oslo_middleware.base methods in CORS middleware. This patch modifies the CORS middleware to use the __call__ logic from its parent class, rather than overriding it. Logic has been moved into process_request and process_response accordingly. Change-Id: Ia5907ec37c1103a9b9a24d549a81822b1b3ad332
2015-06-11 11:49:51 -07:00
def process_response(self, response, request=None):
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
'''Check for CORS headers, and decorate if necessary.
Perform two checks. First, if an OPTIONS request was issued, let the
application handle it, and (if necessary) decorate the response with
preflight headers. In this case, if a 404 is thrown by the underlying
application (i.e. if the underlying application does not handle
OPTIONS requests, the response code is overridden.
In the case of all other requests, regular request headers are applied.
'''
# Sanity precheck: If we detect CORS headers provided by something in
# in the middleware chain, assume that it knows better.
if 'Access-Control-Allow-Origin' in response.headers:
return response
# Doublecheck for an OPTIONS request.
if request.method == 'OPTIONS':
return self._apply_cors_preflight_headers(request=request,
response=response)
# Apply regular CORS headers.
Use correct oslo_middleware.base methods in CORS middleware. This patch modifies the CORS middleware to use the __call__ logic from its parent class, rather than overriding it. Logic has been moved into process_request and process_response accordingly. Change-Id: Ia5907ec37c1103a9b9a24d549a81822b1b3ad332
2015-06-11 11:49:51 -07:00
self._apply_cors_request_headers(request=request, response=response)
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Finally, return the response.
Use correct oslo_middleware.base methods in CORS middleware. This patch modifies the CORS middleware to use the __call__ logic from its parent class, rather than overriding it. Logic has been moved into process_request and process_response accordingly. Change-Id: Ia5907ec37c1103a9b9a24d549a81822b1b3ad332
2015-06-11 11:49:51 -07:00
return response
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
def _split_header_values(self, request, header_name):
"""Convert a comma-separated header value into a list of values."""
values = []
if header_name in request.headers:
for value in request.headers[header_name].rsplit(','):
value = value.strip()
if value:
values.append(value)
return values
def _apply_cors_preflight_headers(self, request, response):
"""Handle CORS Preflight (Section 6.2)
Given a request and a response, apply the CORS preflight headers
appropriate for the request.
"""
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
# If the response contains a 2XX code, we have to assume that the
# underlying middleware's response content needs to be persisted.
# Otherwise, create a new response.
if 200 > response.status_code or response.status_code >= 300:
response = webob.response.Response(status=webob.exc.HTTPOk.code)
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Does the request have an origin header? (Section 6.2.1)
if 'Origin' not in request.headers:
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
return response
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Is this origin registered? (Section 6.2.2)
origin = request.headers['Origin']
if origin not in self.allowed_origins:
Added CORS wildcard handling The CORS specification permits the declaration of '*' as a response wildcard domain, which explicitly allows _all_ domains to break the single-origin policy. While we DO NOT recommend this method, the ability to set a global policy should be included for the sake of completeness. Change-Id: Ifcc65ca74fa976dbd322a7ffd4ffba5443d1df5b
2015-05-22 10:03:14 -07:00
if '*' in self.allowed_origins:
origin = '*'
else:
LOG.debug('CORS request from origin \'%s\' not permitted.'
% (origin,))
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
return response
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
cors_config = self.allowed_origins[origin]
# If there's no request method, exit. (Section 6.2.3)
if 'Access-Control-Request-Method' not in request.headers:
Added verbose debug logging to CORS This patch adds a few additional log statements, which should make debugging this middleware easier for operators. Change-Id: I50636a7960e5130950fe22ac69b4bfe18aa186da
2015-07-10 13:42:00 -07:00
LOG.debug('CORS request does not contain '
'Access-Control-Request-Method header.')
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
return response
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
request_method = request.headers['Access-Control-Request-Method']
# Extract Request headers. If parsing fails, exit. (Section 6.2.4)
try:
request_headers = \
self._split_header_values(request,
'Access-Control-Request-Headers')
except Exception:
LOG.debug('Cannot parse request headers.')
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
return response
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Compare request method to permitted methods (Section 6.2.5)
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
if request_method not in cors_config['allow_methods']:
Added verbose debug logging to CORS This patch adds a few additional log statements, which should make debugging this middleware easier for operators. Change-Id: I50636a7960e5130950fe22ac69b4bfe18aa186da
2015-07-10 13:42:00 -07:00
LOG.debug('Request method \'%s\' not in permitted list: %s'
% (request_method, cors_config['allow_methods']))
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
return response
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Compare request headers to permitted headers, case-insensitively.
# (Section 6.2.6)
for requested_header in request_headers:
upper_header = requested_header.upper()
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
permitted_headers = (cors_config['allow_headers'] +
self.simple_headers)
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
if upper_header not in (header.upper() for header in
permitted_headers):
Added verbose debug logging to CORS This patch adds a few additional log statements, which should make debugging this middleware easier for operators. Change-Id: I50636a7960e5130950fe22ac69b4bfe18aa186da
2015-07-10 13:42:00 -07:00
LOG.debug('Request header \'%s\' not in permitted list: %s'
% (requested_header, permitted_headers))
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
return response
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Set the default origin permission headers. (Sections 6.2.7, 6.4)
response.headers['Vary'] = 'Origin'
response.headers['Access-Control-Allow-Origin'] = origin
# Does this CORS configuration permit credentials? (Section 6.2.7)
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
if cors_config['allow_credentials']:
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
response.headers['Access-Control-Allow-Credentials'] = 'true'
# Attach Access-Control-Max-Age if appropriate. (Section 6.2.8)
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
if 'max_age' in cors_config and cors_config['max_age']:
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
response.headers['Access-Control-Max-Age'] = \
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
str(cors_config['max_age'])
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
# Attach Access-Control-Allow-Methods. (Section 6.2.9)
response.headers['Access-Control-Allow-Methods'] = request_method
# Attach Access-Control-Allow-Headers. (Section 6.2.10)
if request_headers:
response.headers['Access-Control-Allow-Headers'] = \
','.join(request_headers)
CORS Middleware defers to server response. If this middleware detects a server response with existing CORS headers, it deactivates itself in favor of what is already provided. This is to support API's (such as Swift) that permit configurable CORS rules for exposed endpoints. Change-Id: Ia416bcf6b4cc28025b8204e2eb936a491e8538a6
2015-06-11 13:27:13 -07:00
return response
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
def _apply_cors_request_headers(self, request, response):
"""Handle Basic CORS Request (Section 6.1)
Given a request and a response, apply the CORS headers appropriate
for the request to the response.
"""
# Does the request have an origin header? (Section 6.1.1)
if 'Origin' not in request.headers:
return
# Is this origin registered? (Section 6.1.2)
origin = request.headers['Origin']
if origin not in self.allowed_origins:
LOG.debug('CORS request from origin \'%s\' not permitted.'
% (origin,))
return
cors_config = self.allowed_origins[origin]
# Set the default origin permission headers. (Sections 6.1.3 & 6.4)
response.headers['Vary'] = 'Origin'
response.headers['Access-Control-Allow-Origin'] = origin
# Does this CORS configuration permit credentials? (Section 6.1.3)
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
if cors_config['allow_credentials']:
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
response.headers['Access-Control-Allow-Credentials'] = 'true'
# Attach the exposed headers and exit. (Section 6.1.4)
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
if cors_config['expose_headers']:
Add CORS Middleware for Oslo. This aims to provide a comprehensive middleware solution for the CORS (Cross-Origin-Resource-Sharing) specification - http://www.w3.org/TR/cors/. Tests and documentation have been provided. Change-Id: I3c0ff620f10bec2cbf7b748d48fff025aab44351
2015-04-01 21:41:33 -07:00
response.headers['Access-Control-Expose-Headers'] = \
Support PasteDeploy This patch removes the oslo_config specific code out of the middleware's class, and instead provides a factory method by which this middleware may be constructed. It then also provides a similar factory method that supports pastedeploy's filter_factory protocol. Change-Id: I68d9c5439707a624aa24f3dbe7bbfd616b382a6d
2015-06-12 14:31:14 -07:00
','.join(cors_config['expose_headers'])
Remove usage of oslo.config global Currently application that doesn't use the global configuration object have to rely on hack to setup the global oslo config object for each middleware it want to use. For example, gnocchi have its own middleware loader and add crap to load keystonemiddleware: https://github.com/openstack/gnocchi/blob/master/gnocchi/rest/app.py#L140 And it can't use oslo.middleware that relies on the global conf object. Also aodh (use 'paste' for middleware) have to hack the global configuration object for each middlewares it want to use by code... https://review.openstack.org/#/c/208632/1/aodh/service.py But middleware are optional deployer stuffs, we should not write any code for them... This change allows application to use paste-deploy (or any middleware loader) without enforcing the application to use the global oslo.config object. If the middleware want to use oslo.config it should load the configuration file himself (and fallback to the global one if any) The proposed paste configuration to allow this is: [filter:cors] paste.filter_factory = oslo.middleware:cors oslo_config_project = aodh So the cors middleware can find and load the aodh config and what is it interested in. Also, some of them use oslo.config local, some other the global object. Some can be loaded by an middleware loader like paste, some other not. This change make consistent the way we bootstrap all middlewares. Closes-bug: #1482086 Change-Id: Iad197d1f3a386683d818b59718df34e14e15ca5c
2015-08-06 09:15:57 +02:00
# NOTE(sileht): Shortcut for backwards compatibility
filter_factory = CORS.factory
Copy Permalink