-
Notifications
You must be signed in to change notification settings - Fork 297
Conversation
mgmt/rest/server.go
Outdated
|
||
// Deals with CORS | ||
c := cors.New(cors.Options{ | ||
AllowedOrigins: []string{"*"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think that it's safe to allow unrestricted access from any domain. Is there a possibility to constrain allowed origins - via snapteld configuration maybe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@andrzej-k, agreed your concerns. Should we allow localhost for now until we know whoch domains are allowed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configurable with 'localhost' as the default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jcooklin, sounds good. I'll add it as a global option.
mgmt/rest/server.go
Outdated
// Deals with CORS | ||
c := cors.New(cors.Options{ | ||
AllowedOrigins: []string{"*"}, | ||
AllowedMethods: []string{"GET, POST, DELETE, PUT, PATCH, OPTIONS"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not all of the HTTP methods were allowed previously. I believe it would be the safest to keep the list of allowed methods to a necessary minimum.
PATCH
- I didn't find it declared for any of REST controllers. Are you sure we need to allow it?
OPTIONS
- the same as for PATCH
. It's not needed for pre-flight requests. Negroni allows it implicitly only for the purpose of CORS. On the other hand, if it's needed for Snap API, it should be enabled with a flag OptionsPassthrough
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OPTIONS is needed for preflight. I can remove PATCH for now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, you're right - OPTIONS are needed for preflight. But isn't it handled before the actual request? I'm thinking about this: https://github.com/rs/cors/blob/master/cors.go#L189. I guess the actual request handling and method checking takes place later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@marcintao, thanks for looking into it. However, Snap has two places to be patched. One place cannot use the lib. I added maxAge to ease your concerns. Please let me know any other suggestions you have.
4abab8f
to
e431cc7
Compare
@andrzej-k, @marcintao, @jcooklin, CORS PR is updated. Please review when you have a chance. |
docs/SNAPTELD_CONFIGURATION.md
Outdated
@@ -192,6 +192,9 @@ restapi: | |||
|
|||
# port sets the port to start the REST API server on. Default is 8181 | |||
port: 8181 | |||
|
|||
# corsd sets the allowed origins in a comma separated list. It defaults to the same origin if the value is empty. | |||
corsd: http://127.0.0.1:8080, http://snap.example.io, http://example.com |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- "corsd" sounds cryptic - how about changing to, for example: "allowed_origins"?
- Will it work with https origins? If so, maybe add to the list https example also
mgmt/rest/flags.go
Outdated
@@ -60,7 +60,11 @@ var ( | |||
Name: "pprof", | |||
Usage: "Enables profiling tools", | |||
} | |||
flCorsd = cli.StringFlag{ | |||
Name: "corsd", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider changing to, for example "allowed_origins"
mgmt/rest/server.go
Outdated
@@ -60,6 +70,7 @@ type Server struct { | |||
// the following instance variables are used to cleanly shutdown the server | |||
serverListener net.Listener | |||
closingChan chan bool | |||
allowedOrigins map[string]bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't seem that "allowedOrigins" is used to "cleanly shutdown the server" - consider moving new variable before this comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure your comment here. It's used in authMiddleware method.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm just saying that "allowedOrigins" variable is added in a section which is described with a comment (3 lines above):
// the following instance variables are used to cleanly shutdown the server
This may be misleading, so I just proposed to move "allowedOrigins" before that comment, i.e. 4 lines up.
mgmt/rest/server_test.go
Outdated
Convey("Origins match results", func() { | ||
So(s.allowedOrigins, ShouldResemble, map[string]bool{"http://127.0.0.1:80": true, "http://example.com": true}) | ||
So(len(o), ShouldEqual, 2) | ||
}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider adding more rainy day scenarios, ie. incorrect origin format, incorrect separator, etc.
mgmt/rest/server.go
Outdated
for _, o := range os { | ||
s.allowedOrigins[strings.TrimSpace(o)] = true | ||
} | ||
return os |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider adding more validation, for example if origin format is correct, something like:
- httpa://domain.com
- 127.0.0.0.1
- http://?domain.com
- ...
should not pass, and user should be warned early that configuration is not valid.
@andrzej-k, thanks for your awesome review. I changed the name, added URL validation and more negative tests as you suggested. Please let me know if anything else. |
3c8774a
to
7ed7e38
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM after addressing all comments.
docs/SNAPTELD_CONFIGURATION.md
Outdated
@@ -195,6 +195,9 @@ restapi: | |||
|
|||
# port sets the port to start the REST API server on. Default is 8181 | |||
port: 8181 | |||
|
|||
# corsd sets the allowed origins in a comma separated list. It defaults to the same origin if the value is empty. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"corsd" -> "allowed_origins"
mgmt/rest/server.go
Outdated
@@ -60,6 +70,7 @@ type Server struct { | |||
// the following instance variables are used to cleanly shutdown the server | |||
serverListener net.Listener | |||
closingChan chan bool | |||
allowedOrigins map[string]bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm just saying that "allowedOrigins" variable is added in a section which is described with a comment (3 lines above):
// the following instance variables are used to cleanly shutdown the server
This may be misleading, so I just proposed to move "allowedOrigins" before that comment, i.e. 4 lines up.
good catch! Changed. Thanks @andrzej-k! |
LGTM |
added global config, tests, docs for cors added url validation, more nagtive tests changed typo and variable localtion
Fixes #998
Summary of changes:
Testing done:
@intelsdi-x/snap-maintainers