Skip to content
This repository has been archived by the owner on Nov 8, 2022. It is now read-only.

SDI-1659: support for CORS header #1509

Merged
merged 1 commit into from
Feb 10, 2017
Merged

Conversation

candysmurf
Copy link
Contributor

@candysmurf candysmurf commented Feb 7, 2017

Fixes #998

Summary of changes:

  • Added CORS support.
  • Cors origins have to be specified in the global config. Otherwise it's the same origin.

Testing done:

  • swagger-ur which is in a different origin of Snap.

@intelsdi-x/snap-maintainers


// Deals with CORS
c := cors.New(cors.Options{
AllowedOrigins: []string{"*"},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that it's safe to allow unrestricted access from any domain. Is there a possibility to constrain allowed origins - via snapteld configuration maybe?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@andrzej-k, agreed your concerns. Should we allow localhost for now until we know whoch domains are allowed?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Configurable with 'localhost' as the default?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jcooklin, sounds good. I'll add it as a global option.

// Deals with CORS
c := cors.New(cors.Options{
AllowedOrigins: []string{"*"},
AllowedMethods: []string{"GET, POST, DELETE, PUT, PATCH, OPTIONS"},
Copy link
Contributor

@marcintao marcintao Feb 7, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not all of the HTTP methods were allowed previously. I believe it would be the safest to keep the list of allowed methods to a necessary minimum.
PATCH - I didn't find it declared for any of REST controllers. Are you sure we need to allow it?
OPTIONS - the same as for PATCH. It's not needed for pre-flight requests. Negroni allows it implicitly only for the purpose of CORS. On the other hand, if it's needed for Snap API, it should be enabled with a flag OptionsPassthrough.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OPTIONS is needed for preflight. I can remove PATCH for now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you're right - OPTIONS are needed for preflight. But isn't it handled before the actual request? I'm thinking about this: https://github.com/rs/cors/blob/master/cors.go#L189. I guess the actual request handling and method checking takes place later.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@marcintao, thanks for looking into it. However, Snap has two places to be patched. One place cannot use the lib. I added maxAge to ease your concerns. Please let me know any other suggestions you have.

@candysmurf
Copy link
Contributor Author

candysmurf commented Feb 8, 2017

@andrzej-k, @marcintao, @jcooklin, CORS PR is updated. Please review when you have a chance.

@@ -192,6 +192,9 @@ restapi:

# port sets the port to start the REST API server on. Default is 8181
port: 8181

# corsd sets the allowed origins in a comma separated list. It defaults to the same origin if the value is empty.
corsd: http://127.0.0.1:8080, http://snap.example.io, http://example.com
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. "corsd" sounds cryptic - how about changing to, for example: "allowed_origins"?
  2. Will it work with https origins? If so, maybe add to the list https example also

@@ -60,7 +60,11 @@ var (
Name: "pprof",
Usage: "Enables profiling tools",
}
flCorsd = cli.StringFlag{
Name: "corsd",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider changing to, for example "allowed_origins"

@@ -60,6 +70,7 @@ type Server struct {
// the following instance variables are used to cleanly shutdown the server
serverListener net.Listener
closingChan chan bool
allowedOrigins map[string]bool
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't seem that "allowedOrigins" is used to "cleanly shutdown the server" - consider moving new variable before this comment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure your comment here. It's used in authMiddleware method.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm just saying that "allowedOrigins" variable is added in a section which is described with a comment (3 lines above):
// the following instance variables are used to cleanly shutdown the server

This may be misleading, so I just proposed to move "allowedOrigins" before that comment, i.e. 4 lines up.

Convey("Origins match results", func() {
So(s.allowedOrigins, ShouldResemble, map[string]bool{"http://127.0.0.1:80": true, "http://example.com": true})
So(len(o), ShouldEqual, 2)
})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding more rainy day scenarios, ie. incorrect origin format, incorrect separator, etc.

for _, o := range os {
s.allowedOrigins[strings.TrimSpace(o)] = true
}
return os
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding more validation, for example if origin format is correct, something like:

  • httpa://domain.com
  • 127.0.0.0.1
  • http://?domain.com
  • ...

should not pass, and user should be warned early that configuration is not valid.

@candysmurf
Copy link
Contributor Author

@andrzej-k, thanks for your awesome review. I changed the name, added URL validation and more negative tests as you suggested. Please let me know if anything else.

Copy link
Contributor

@andrzej-k andrzej-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after addressing all comments.

@@ -195,6 +195,9 @@ restapi:

# port sets the port to start the REST API server on. Default is 8181
port: 8181

# corsd sets the allowed origins in a comma separated list. It defaults to the same origin if the value is empty.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"corsd" -> "allowed_origins"

@@ -60,6 +70,7 @@ type Server struct {
// the following instance variables are used to cleanly shutdown the server
serverListener net.Listener
closingChan chan bool
allowedOrigins map[string]bool
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm just saying that "allowedOrigins" variable is added in a section which is described with a comment (3 lines above):
// the following instance variables are used to cleanly shutdown the server

This may be misleading, so I just proposed to move "allowedOrigins" before that comment, i.e. 4 lines up.

@candysmurf
Copy link
Contributor Author

good catch! Changed. Thanks @andrzej-k!

@jcooklin
Copy link
Collaborator

LGTM

added global config, tests, docs for cors

added url validation, more nagtive tests

changed typo and variable localtion
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants