From 82965f4bcbe6c19d80255d414372249c76dd599f Mon Sep 17 00:00:00 2001
From: Michael Krotscheck <krotscheck@gmail.com>
Date: Wed, 10 Feb 2016 11:04:02 -0800
Subject: [PATCH] Added CORS support to Solum

This adds the CORS support middleware to Solum, allowing a deployer
to optionally configure rules under which a javascript client may
break the single-origin policy and access the API directly.

For solum, the middleware was added directly to the application
factory, including various default headers usually required by
keystone. Note that the CORS middleware must be the first one in
the middleware chain, so that it can annotate all responses -
even error responses - generated by other middleware.

Smoke tests have also been provided, and the middleware has
been added to genconfig.

OpenStack CrossProject Spec:
   http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs:
   http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide:
   http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html

Change-Id: Ie6bf73ea69ae956e9afe25ceca417c3a32edc312
---
 etc/solum/config-generator.conf    |   1 +
 requirements.txt                   |   1 +
 solum/api/app.py                   |  17 ++++-
 solum/tests/api/test_middleware.py | 100 +++++++++++++++++++++++++++++
 4 files changed, 118 insertions(+), 1 deletion(-)
 create mode 100644 solum/tests/api/test_middleware.py

diff --git a/etc/solum/config-generator.conf b/etc/solum/config-generator.conf
index 92e8b213d..9b930af97 100644
--- a/etc/solum/config-generator.conf
+++ b/etc/solum/config-generator.conf
@@ -23,3 +23,4 @@ namespace = solum.deployer.handlers.heat
 namespace = keystonemiddleware.auth_token
 namespace = solum.worker.config
 namespace = oslo.messaging
+namespace = oslo.middleware.cors
diff --git a/requirements.txt b/requirements.txt
index 308850fc6..781ea12f0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -9,6 +9,7 @@ netaddr>=0.7.6
 oslo.config>=3.2.0 # Apache-2.0
 oslo.db>=0.2.0  # Apache-2.0
 oslo.messaging>=1.3.0
+oslo.middleware>=3.0.0 # Apache-2.0
 oslo.serialization>=1.10.0  # Apache-2.0
 pbr>=0.11,<2.0
 pecan>=0.5.0
diff --git a/solum/api/app.py b/solum/api/app.py
index 6949cd368..878a2b711 100644
--- a/solum/api/app.py
+++ b/solum/api/app.py
@@ -15,6 +15,7 @@
 # under the License.
 
 from oslo_config import cfg
+import oslo_middleware.cors as cors_middleware
 import pecan
 
 from solum.api import auth
@@ -71,4 +72,18 @@ def setup_app(config=None):
         logging=getattr(config, 'logging', {}),
         **app_conf
     )
-    return auth.install(app, CONF)
+
+    app = auth.install(app, CONF)
+
+    # Create a CORS wrapper, and attach solum-specific defaults that must be
+    # supported on all CORS responses.
+    app = cors_middleware.CORS(app, CONF)
+    app.set_latent(
+        allow_headers=['X-Auth-Token', 'X-Openstack-Request-Id',
+                       'X-Subject-Token'],
+        allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
+        expose_headers=['X-Auth-Token', 'X-Openstack-Request-Id',
+                        'X-Subject-Token']
+    )
+
+    return app
diff --git a/solum/tests/api/test_middleware.py b/solum/tests/api/test_middleware.py
new file mode 100644
index 000000000..586deaad6
--- /dev/null
+++ b/solum/tests/api/test_middleware.py
@@ -0,0 +1,100 @@
+# -*- encoding: utf-8 -*-
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+"""
+Tests to assert that various incorporated middleware works as expected.
+"""
+
+from oslo_config import cfg
+import oslo_middleware.cors as cors_middleware
+import webob
+
+from solum.api import app as api_app
+from solum.openstack.common.fixture import config
+from solum.tests import base
+
+
+class TestCORSMiddleware(base.BaseTestCase):
+    '''Provide a basic smoke test to ensure CORS middleware is active.
+
+    The tests below provide minimal confirmation that the CORS middleware
+    is active, and may be configured. For comprehensive tests, please consult
+    the test suite in oslo_middleware.
+    '''
+
+    def setUp(self):
+        super(TestCORSMiddleware, self).setUp()
+
+        # Config fixture
+        self.CONF = self.useFixture(config.Config())
+        # Disable keystone
+        self.CONF.config(enable_authentication=False)
+        # Make sure the options are registered before overriding them.
+        self.CONF.register_opts(cors_middleware.CORS_OPTS, 'cors')
+        # Set our test data overrides.
+        self.CONF.config(allowed_origin="http://valid.example.com",
+                         group='cors')
+
+        # Initialize the conf object. Make sure we pass empty args=[], else the
+        # testr CLI arguments will be picked up.
+        cfg.CONF(project='solum', args=[])
+
+        # Create the application.
+        self.app = api_app.setup_app()
+
+    def test_valid_cors_options_request(self):
+        request = webob.Request.blank('/')
+        request.method = 'OPTIONS'
+        request.headers['Origin'] = 'http://valid.example.com'
+        request.headers['Access-Control-Request-Method'] = 'GET'
+        response = request.get_response(self.app)
+
+        # Assert response status.
+        self.assertEqual(200, response.status_code)
+        self.assertIn('Access-Control-Allow-Origin', response.headers)
+        self.assertEqual('http://valid.example.com',
+                         response.headers['Access-Control-Allow-Origin'])
+
+    def test_invalid_cors_options_request(self):
+        request = webob.Request.blank('/')
+        request.method = 'OPTIONS'
+        request.headers['Origin'] = 'http://invalid.example.com'
+        request.headers['Access-Control-Request-Method'] = 'GET'
+        response = request.get_response(self.app)
+
+        # Assert response status.
+        self.assertEqual(200, response.status_code)
+        self.assertNotIn('Access-Control-Allow-Origin', response.headers)
+
+    def test_valid_cors_get_request(self):
+        request = webob.Request.blank('/')
+        request.method = 'GET'
+        request.headers['Origin'] = 'http://valid.example.com'
+        response = request.get_response(self.app)
+
+        # Assert response status.
+        self.assertEqual(200, response.status_code)
+        self.assertIn('Access-Control-Allow-Origin', response.headers)
+        self.assertEqual('http://valid.example.com',
+                         response.headers['Access-Control-Allow-Origin'])
+
+    def test_invalid_cors_get_request(self):
+        request = webob.Request.blank('/')
+        request.method = 'GET'
+        request.headers['Origin'] = 'http://invalid.example.com'
+        response = request.get_response(self.app)
+
+        # Assert response status.
+        self.assertEqual(200, response.status_code)
+        self.assertNotIn('Access-Control-Allow-Origin', response.headers)