From 6e99d1737aa6f9606a3881e4d93dbffbb89f2286 Mon Sep 17 00:00:00 2001
From: Michael Krotscheck
Date: Wed, 9 Dec 2015 08:33:41 -0800
Subject: [PATCH] Added CORS support to Barbican

This adds the CORS support middleware to Barbican, allowing a deployer to optionally configure rules under which a javascript client may break the single-origin policy and access the API directly. Included are Barbican's custom headers, so that anyone activating this middleware does not have to explicitly enable them. The paste.ini method of deploying the middleware was chosen, because it needs to be able to annotate responses created by other middleware.

OpenStack CrossProject Spec: http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs: http://docs.openstack.org/developer/oslo.middleware/cors.html
OpenStack Cloud Admin Guide: http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html

Change-Id: If144ec774c01e8fc9e10903076fad11a0b946b6d
---
 etc/barbican/barbican-api-paste.ini | 15 ++++++--
 etc/barbican/barbican.conf | 59 +++++++++++++++++++++++++++++
 requirements.txt | 1 +
 3 files changed, 71 insertions(+), 4 deletions(-)

diff --git a/etc/barbican/barbican-api-paste.ini b/etc/barbican/barbican-api-paste.ini
index 8ebaff82b..464d080e4 100644
--- a/etc/barbican/barbican-api-paste.ini
+++ b/etc/barbican/barbican-api-paste.ini
@@ -5,21 +5,21 @@ use = egg:Paste#urlmap
 
 # Use this pipeline for Barbican API - versions no authentication
 [pipeline:barbican_version]
-pipeline = versionapp
+pipeline = cors versionapp
 
 # Use this pipeline for Barbican API - DEFAULT no authentication
 [pipeline:barbican_api]
-pipeline = unauthenticated-context apiapp
+pipeline = cors unauthenticated-context apiapp
 #pipeline = keystone_authtoken context apiapp
 
 #Use this pipeline to activate a repoze.profile middleware and HTTP port,
 # to provide profiling information for the REST API processing.
 [pipeline:barbican-profile]
-pipeline = unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
+pipeline = cors unauthenticated-context egg:Paste#cgitb egg:Paste#httpexceptions profile apiapp
 
 #Use this pipeline for keystone auth
 [pipeline:barbican-api-keystone]
-pipeline = keystone_authtoken context apiapp
+pipeline = cors keystone_authtoken context apiapp
 
 [app:apiapp]
 paste.app_factory = barbican.api.app:create_main_app
@@ -60,3 +60,10 @@ discard_first_request = true
 path = /__profile__
 flush_at_shutdown = true
 unwind = false
+
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = barbican
+latent_allow_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+latent_expose_headers = X-Auth-Token, X-Openstack-Request-Id, X-Project-Id, X-Identity-Status, X-User-Id, X-Storage-Token, X-Domain-Id, X-User-Domain-Id, X-Project-Domain-Id, X-Roles
+latent_allow_methods = GET, PUT, POST, DELETE, PATCH
diff --git a/etc/barbican/barbican.conf b/etc/barbican/barbican.conf
index 1a1fc22bc..3f0096e27 100644
--- a/etc/barbican/barbican.conf
+++ b/etc/barbican/barbican.conf
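Review bot: The commented-out alternative `#pipeline = keystone_authtoken context apiapp` under `[pipeline:barbican_api]` is left without the new `cors` filter while every active pipeline in this hunk receives it, so a deployer who uncomments that line to turn on keystone auth would silently lose CORS handling. Suggest keeping the two alternatives in step with `#pipeline = cors keystone_authtoken context apiapp`. Placing `cors` ahead of `keystone_authtoken` in `[pipeline:barbican-api-keystone]` looks deliberate, presumably so a browser preflight (which carries no token) is answered before authentication runs; that ordering is load-bearing and deserves a one-line comment above the section, e.g. `# cors must precede keystone_authtoken so preflight requests are answered before auth`.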
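Review bot: The new `[filter:cors]` block carries no comment on what the `latent_*` keys do or when the filter actually emits CORS headers, which a deployer editing this file needs to know. As I read the oslo.middleware docs linked in the commit message, these lists are merged with the deployer's `[cors]` options from barbican.conf and the filter adds nothing until an `allowed_origin` is configured there — please confirm and record it, e.g. `# latent_* values are merged with the [cors] options in barbican.conf; with no allowed_origin configured there this filter adds no CORS headers.` Separately, `latent_expose_headers` is a verbatim copy of `latent_allow_headers`, but exposed headers are response headers a page script is permitted to read, so entries such as `X-Auth-Token` and `X-Storage-Token` only have an effect if Barbican ever returns them; trimming the expose list to headers the API actually sends (`X-Openstack-Request-Id` at least) would make the intent clearer than mirroring the request list.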
@@ -313,3 +313,62 @@ ca_cert_key_path = /etc/barbican/snakeoil-ca.key
 ca_cert_chain_path = /etc/barbican/snakeoil-ca.chain
 ca_cert_pkcs7_path = /etc/barbican/snakeoil-ca.p7b
 subca_cert_key_directory=/etc/barbican/snakeoil-cas
+
+[cors]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (list value)
+#allowed_origin =
+
+# Indicate that the actual request can include user credentials
+# (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to
+# HTTP Simple Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list
+# value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual
+# request. (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+
+[cors.subdomain]
+
+#
+# From oslo.middleware.cors
+#
+
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. (list value)
+#allowed_origin =
+
+# Indicate that the actual request can include user credentials
+# (boolean value)
+#allow_credentials = true
+
+# Indicate which headers are safe to expose to the API. Defaults to
+# HTTP Simple Headers. (list value)
+#expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
+
+# Maximum cache age of CORS preflight requests. (integer value)
+#max_age = 3600
+
+# Indicate which methods can be used during the actual request. (list
+# value)
+#allow_methods = GET,POST,PUT,DELETE,OPTIONS
+
+# Indicate which header field names may be used during the actual
+# request. (list value)
+#allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma
diff --git a/requirements.txt b/requirements.txt
index b738fdca2..c535f62f2 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -12,6 +12,7 @@ oslo.config>=3.4.0 # Apache-2.0
 oslo.context>=0.2.0 # Apache-2.0
 oslo.i18n>=2.1.0 # Apache-2.0
 oslo.messaging>=4.0.0 # Apache-2.0
+oslo.middleware>=3.0.0 # Apache-2.0
 oslo.log>=1.14.0 # Apache-2.0
 oslo.policy>=0.5.0 # Apache-2.0
 oslo.serialization>=1.10.0 # Apache-2.0
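Review bot: The sample `[cors]` section is pasted straight from the option generator and gives a deployer no guidance on the one value that matters for security, `allowed_origin`: with `allow_credentials` defaulting to `true` (visible in this hunk), every origin listed there can make credentialed requests to the API, so the list should name exact `scheme://host[:port]` origins of known web front-ends and nothing broader. Suggest a comment directly above `#allowed_origin =` such as `# List only the exact origins of trusted web UIs; with allow_credentials = true they may call this API with the user's credentials.` The `[cors.subdomain]` section looks like a template for a per-origin override (the name is presumably a placeholder to be renamed), but nothing in the file says so, and a one-line comment above it would stop it being read as a required second section. The three context lines at the top of the hunk belong to a section whose header lies outside the hunk.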