Added CORS support to Mistral
This adds the CORS support middleware to Mistral, allowing a deployer to optionally configure rules under which a javascript client may break the single-origin policy and access the API directly. For Mistral, the CORS middleware was added directly to the wsgi factory. Config generation and tests have also been provided. OpenStack CrossProject Spec: http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html Oslo_Middleware Docs: http://docs.openstack.org/developer/oslo.middleware/cors.html OpenStack Cloud Admin Guide: http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html DocImpact: Add link to CORS configuration in admin cloud guide. Change-Id: Ic8f2e257acb256d9ea99b66d2ed1dcfc8652ae89
This commit is contained in:
parent
2994bb4b46
commit
b57e1b0286
@ -15,6 +15,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
from oslo_config import cfg
|
||||
import oslo_middleware.cors as cors_middleware
|
||||
import pecan
|
||||
|
||||
from mistral.api import access_control
|
||||
@ -62,4 +63,17 @@ def setup_app(config=None):
|
||||
# Set up access control.
|
||||
app = access_control.setup(app)
|
||||
|
||||
# Create a CORS wrapper, and attach mistral-specific defaults that must be
|
||||
# included in all CORS responses.
|
||||
app = cors_middleware.CORS(app, cfg.CONF)
|
||||
app.set_latent(
|
||||
allow_headers=['X-Auth-Token', 'X-Identity-Status', 'X-Roles',
|
||||
'X-Service-Catalog', 'X-User-Id', 'X-Tenant-Id'
|
||||
'X-Project-Id', 'X-User-Name', 'X-Project-Name'],
|
||||
allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
|
||||
expose_headers=['X-Auth-Token', 'X-Subject-Token',
|
||||
'X-Service-Token', 'X-Project-Id', 'X-User-Name',
|
||||
'X-Project-Name']
|
||||
)
|
||||
|
||||
return app
|
||||
|
96
mistral/tests/unit/api/test_cors_middleware.py
Normal file
96
mistral/tests/unit/api/test_cors_middleware.py
Normal file
@ -0,0 +1,96 @@
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
"""Tests cors middleware."""
|
||||
|
||||
from mistral.tests.unit.api import base
|
||||
from oslo_config import cfg as cfg
|
||||
from oslo_middleware import cors as cors_middleware
|
||||
|
||||
|
||||
class TestCORSMiddleware(base.FunctionalTest):
|
||||
'''Provide a basic smoke test to ensure CORS middleware is active.
|
||||
|
||||
The tests below provide minimal confirmation that the CORS middleware
|
||||
is active, and may be configured. For comprehensive tests, please consult
|
||||
the test suite in oslo_middleware.
|
||||
'''
|
||||
|
||||
def setUp(self):
|
||||
# Make sure the CORS options are registered
|
||||
cfg.CONF.register_opts(cors_middleware.CORS_OPTS, 'cors')
|
||||
|
||||
# Load up our valid domain values before the application is created.
|
||||
cfg.CONF.set_override(
|
||||
"allowed_origin",
|
||||
"http://valid.example.com",
|
||||
group='cors'
|
||||
)
|
||||
|
||||
# Create the application.
|
||||
super(TestCORSMiddleware, self).setUp()
|
||||
|
||||
def test_valid_cors_options_request(self):
|
||||
response = self.app.options(
|
||||
'/',
|
||||
headers={
|
||||
'Origin': 'http://valid.example.com',
|
||||
'Access-Control-Request-Method': 'GET'
|
||||
}
|
||||
)
|
||||
|
||||
self.assertEqual(200, response.status_code)
|
||||
self.assertIn('access-control-allow-origin', response.headers)
|
||||
self.assertEqual(
|
||||
'http://valid.example.com',
|
||||
response.headers['access-control-allow-origin']
|
||||
)
|
||||
|
||||
def test_invalid_cors_options_request(self):
|
||||
response = self.app.options(
|
||||
'/',
|
||||
headers={
|
||||
'Origin': 'http://invalid.example.com',
|
||||
'Access-Control-Request-Method': 'GET'
|
||||
}
|
||||
)
|
||||
|
||||
self.assertEqual(200, response.status_code)
|
||||
self.assertNotIn('access-control-allow-origin', response.headers)
|
||||
|
||||
def test_valid_cors_get_request(self):
|
||||
response = self.app.get(
|
||||
'/',
|
||||
headers={
|
||||
'Origin': 'http://valid.example.com'
|
||||
}
|
||||
)
|
||||
|
||||
self.assertEqual(200, response.status_code)
|
||||
self.assertIn('access-control-allow-origin', response.headers)
|
||||
self.assertEqual(
|
||||
'http://valid.example.com',
|
||||
response.headers['access-control-allow-origin']
|
||||
)
|
||||
|
||||
def test_invalid_cors_get_request(self):
|
||||
response = self.app.get(
|
||||
'/',
|
||||
headers={
|
||||
'Origin': 'http://invalid.example.com'
|
||||
}
|
||||
)
|
||||
|
||||
self.assertEqual(200, response.status_code)
|
||||
self.assertNotIn('access-control-allow-origin', response.headers)
|
@ -14,6 +14,7 @@ oslo.concurrency>=2.3.0 # Apache-2.0
|
||||
oslo.config>=3.2.0 # Apache-2.0
|
||||
oslo.db>=4.1.0 # Apache-2.0
|
||||
oslo.messaging>=4.0.0 # Apache-2.0
|
||||
oslo.middleware>=3.0.0 # Apache-2.0
|
||||
oslo.utils>=3.4.0 # Apache-2.0
|
||||
oslo.log>=1.14.0 # Apache-2.0
|
||||
oslo.serialization>=1.10.0 # Apache-2.0
|
||||
|
@ -2,6 +2,7 @@
|
||||
namespace = mistral.config
|
||||
namespace = oslo.db
|
||||
namespace = oslo.messaging
|
||||
namespace = oslo.middleware.cors
|
||||
namespace = keystonemiddleware.auth_token
|
||||
namespace = periodic.config
|
||||
namespace = oslo.log
|
Loading…
Reference in New Issue
Block a user