Enable CORS access to EdgeX microservices

[magallardo]

Hello,

🚀 Feature Request

Relevant Package

This feature request is for the API Gateway

Description

The Edgex components are exposed through REST APIs and those services are usually called from a UI running on a browser. Most browser prevent calls to services at a different origin (CORS) thus making it difficult the interactions with services like Edgex.
There are basically 2 ways to solve the CORS issue. The first one is on the client side (UI application) by using a proxy server. Unfortunately this solution is static and need to know before hand the back end servers.
The second option is to enable the backend server to allow CORS.

Describe the solution you'd like

Currently I have been bypassing this issue by using a proxy server at the client site. However, this solution is not working due to the nature of IoT projects and solutions. The IoT solutions tend to be very dynamic and in my specific example, the number of instances where the Edgex framework is deployed is dynamic and can change. That makes the proxy option irrelevant as that solution is static.

So, the preferred solution will be to allow the user to enable/disable CORS as desired on the API Gateway. That will allow calling the API from UI clients without requiring to use a proxy.

Describe alternatives you've considered

As described above, I am already using a proxy solution but it only works for a static number of Edgex installations.

Thanks in advance,
Marcelo

[tingyuz]

For future reference, the current implementation of API gateway is based on KONG. From the document it seems KONG has limited support to enable CORS/cross-origin resource sharing.

https://docs.konghq.com/hub/kong-inc/cors/

[tingyuz]

A quick verification/band aid style fix is to run Curl command against KONG. Here is the command that may work:

curl -X POST http://localhost:8001/plugins --data "name=cors" --data "config.origins=*"  --data "config.methods=GET"  --data "config.methods=POST" --data "config.headers=Accept" --data "config.headers=Accept-Version" --data "config.headers=Content-Length" --data "config.headers=Content-MD5" --data "config.headers=Content-Type" --data "config.headers=Date" --data "config.headers=X-Auth-Token" --data "config.exposed_headers=X-Auth-Token" --data "config.credentials=true" --data "config.max_age=3600"

[aj-n]

If anyone else is looking for a solution to this, simply using * for origins did not work for me. Only when restricted to specific origins (with proper http or https AND port) did it work (i.e. config.origins=https://localhost:3000)

Additionally, you will need to configure the OPTIONS and other methods to be allowed on all the routes. I accomplished this with a simple loop in a script

ROUTES=(
    "coredata"
    "metadata"
    "command"
    "notifications"
    "scheduler"
    "rulesengine"
)

# Loop download each
for route in "${ROUTES[@]}"; do
    curl -X PATCH "http://localhost:8001/routes/${route}/" \
        --data "methods=OPTIONS" \
        --data "methods=GET" \
        --data "methods=POST" \
        --data "methods=PUT" \
        --data "methods=DELETE"
done

[lenny-goodell]

Example utility for CORS from Intel reference implementation
https://github.com/intel-iot-devkit/automated-checkout-utilities/blob/0dd0e1e344399f3042b1f64b82ccbc2d2e0333aa/utilities.go#L69

We might be able to handle this in the middleware for REST

[jpwhitemn]

Discussed in Core WG meeting 5/13/21. To be done for Jakarta release. Looking at whether there is common code (such as in bootstrapping) or if this needs to be added to edgex-go, SDKs (and associated services) separately as part of the request handling process. For Kong, we'll need to add the Kong plugin (https://docs.konghq.com/hub/kong-inc/cors/) - again for Jakarta

[bnevis-i]

It was decided in Security WG on 9/15/2021 that the project wants CORS support to be enabled even in the non-security use case. Persuant to this direction, we want to back out the changes for edgexfoundry/edgex-go#1913 and re-implement them in the EdgeX middleware instead of in Kong.

As such, we will back out commit edgexfoundry/edgex-go@25b03d0 of PR edgexfoundry/edgex-go#3678

The following configuration options should be added to the service to control the CORS headers:

EnableCORS = false
CORSAllowCredentials = false
CORSAllowedOrigins = "https://localhost"
CORSAllowedMethods = "GET, POST, PUT, DELETE"
CORSAllowedHeaders = "Content-Type"
CORSExposedHeaders = ""
CORSPreflightMaxAge = 3600

Actual real-life example from a Kong user:

    curl -X POST http://localhost:8001/plugins/ \
    --data "name=cors"  \
    --data "config.origins=http://yyy.yyy.yyy.yyy:4200" \
    --data "config.methods=GET" \
    --data "config.methods=POST" \
    --data "config.methods=OPTIONS" \
    --data "config.headers=Accept" \
    --data "config.headers=Accept-Version" \
    --data "config.headers=Content-Length" \
    --data "config.headers=Content-MD5" \
    --data "config.headers=Content-Type" \
    --data "config.headers=Date" \
    --data "config.headers=X-Auth-Token" \
    --data "config.headers=Authorization" \
    --data "config.exposed_headers=X-Auth-Token" \
    --data "config.credentials=true" \
    --data "config.max_age=3600" 

[bnevis-i]

Middleware implementation should be done in https://github.com/edgexfoundry/go-mod-bootstrap and in C SDK

[lenny-goodell]

More details on the proposed implementation.

1. Add new CORS configuration settings above to ServiceInfo. Suggest sub-struct CorsInfo.
2. Implement adding the CORS info (when enabled) to response header in the bootstrap handler here:
   https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/handlers/httpserver.go#L97

[JamesKButcher]

@cloudxxx8 please take a look at the amount of work here

[cloudxxx8]

it's not hard to add this implementation, but we need more time to test it manually
according to the current test infrastructure, we can't add automation tests for this because it needs multiple machines

[JamesKButcher]

On Core WG call we agreed to add PATCH to the CORSAllowedMethods

i.e.

CORSAllowedMethods = "GET, POST, PUT, PATCH, DELETE"

@cloudxxx8 and team, please aim to complete in the next week if possible

[cloudxxx8]

fixed by #286 and #288

[bnevis-i]

Reopening the issue because I realized that we're not done. There is actually logic we need to implement on the server side.

https://www.html5rocks.com/en/tutorials/cors//#toc-cors-server-flowchart

Also need to set "Vary: Origin" when supporting CORS.

Note that the consul API does not currently expose CORS headers. There was a PR to add the feature, though it is pretty low-level: https://github.com/hashicorp/consul/pull/558/files

[cloudxxx8]

@jpwhitemn @lenny-intel we might need to postpone the code freeze date for this issue

[bnevis-i]

Waiting for edgexfoundry/edgex-docs#608

[jpwhitemn]

Issue has been resolved, but believe just Docs work to be done. Per TSC 11/10/21 - close this