From juan.hernandez at redhat.com Thu Jan 29 08:38:41 2015
From: juan.hernandez at redhat.com
To: engine-commits at ovirt.org
Subject: Change in ovirt-engine[master]: restapi: Add CORS filter
Date: Thu, 29 Jan 2015 08:38:39 -0500
Message-ID: <201501291338.t0TDcdmZ030288@gerrit.ovirt.org>
In-Reply-To: gerrit.1419361159406.I40f9a13105fe99bb6b4035e61b8945efd8315f57@gerrit.ovirt.org

Juan Hernandez has submitted this change and it was merged.

Change subject: restapi: Add CORS filter
......................................................................

restapi: Add CORS filter

This patch adds CORS (Cross Origin Resource Sharing) support to the
RESTAPI. This is based on the existing CORS filter developed by eBay
and available here:

  https://github.com/ebay/cors-filter

On top of that filter this patch adds the possibility to configure it
with two configuration parameters stored in the engine database and
supported by the "engine-config" tool:

CORSSupport:

  This is a boolean parameter that indicates if the CORS support should
  be enabled. If its value is "false" then the support will be disabled
  and the RESTAPI will behave exactly as before introducing this patch.
  If the value is "true" then the CORS support will be enabled, but by
  default no origin will be allowed, so the second parameter has also to
  be configured correctly. The default value is "false".

CORSAllowedOrigin:

  This is a comma separated list of the allowed origins. If it is empty
  CORS support will be effectively disabled, even if the value of the
  "CORSSupport" parameter is "true". It can also have the special value
  "*", and in that case all origins will be allowed.

In practice, to use the filter, both parameters need to be set. For
example, in order to allow requests from scripts downloaded from
"my.app" the following configuration changes are required:

  # engine-config -s CORSSupport=true
  # engine-config -s CORSAllowedOrigins=http://my.app
  # systemctl restart ovirt-engine

To test the filter you can use a simple JavaScript application like the
following deployed in the root of the web server of "my.app":

When running this application the browser should send an initial
OPTIONS request to the server, asking for permission to send the actual
request:

  OPTIONS /ovirt-engine/api HTTP/1.1
  Host: my.engine
  Origin: http://my.app
  Access-Control-Request-Method: GET
  Access-Control-Request-Headers: accept,authorization,content-type
  ...

The server should then respond with something like this:

  HTTP/1.1 200 OK
  Access-Control-Allow-Headers: accept,content-type,authorization
  Access-Control-Allow-Methods: GET
  Access-Control-Allow-Origin: http://my.app
  Access-Control-Max-Age: 1800
  Access-Control-Allow-Credentials: true
  ...

Then the browser will send the actual GET request, as the server
approved it.

For more details about the CORS protocol see here:

  W3C: http://www.w3.org/TR/cors
  Mozilla: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

Change-Id: I40f9a13105fe99bb6b4035e61b8945efd8315f57
Bug-Url: https://bugzilla.redhat.com/1181530
Signed-off-by: Juan Hernandez
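The following is an added example, not code from ovirt-engine or the eBay filter: a small Python model of the server-side decision the commit message describes, so the interaction of CORSSupport, CORSAllowedOrigins (empty, "*", or an explicit list) and the Origin header of a preflight request can be checked without a running engine. The function and header names are the example's own; the response header set and the Max-Age value 1800 are taken from the exchange shown above.

```python
"""Model of the CORS decision described for the two engine-config parameters
(added example, not ovirt-engine's own code)."""
from typing import Dict, List, Optional


def parse_allowed_origins(value: str) -> List[str]:
    """CORSAllowedOrigins is a comma-separated list; surrounding whitespace is
    tolerated here (an assumption of this example) and an empty value yields
    an empty list, which disables CORS even when CORSSupport is true."""
    return [o.strip() for o in value.split(",") if o.strip()]


def origin_allowed(cors_support: bool, allowed_origins: str, origin: Optional[str]) -> bool:
    """CORSSupport=false disables everything; an empty list disables it too;
    "*" allows any origin; otherwise the Origin value must match exactly
    (so "http://my.app" does not cover "http://my.app.example")."""
    if not cors_support or origin is None:
        return False
    allowed = parse_allowed_origins(allowed_origins)
    if not allowed:
        return False
    return "*" in allowed or origin in allowed


def preflight_response(cors_support: bool, allowed_origins: str,
                       request: Dict[str, str]) -> Dict[str, str]:
    """Headers a preflight (OPTIONS) gets back. A disallowed origin receives a
    plain 200 with no Access-Control-* headers, so the browser blocks the
    cross-origin request; an allowed one gets the origin echoed back."""
    origin = request.get("Origin")
    if not origin_allowed(cors_support, allowed_origins, origin):
        return {"Status": "200 OK"}
    # Note: with "*" configured the request origin is still echoed back while
    # credentials are allowed, so every site a user visits is trusted; an
    # explicit origin list is the safer configuration.
    return {
        "Status": "200 OK",
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": request.get("Access-Control-Request-Method", ""),
        "Access-Control-Allow-Headers": request.get("Access-Control-Request-Headers", ""),
        "Access-Control-Max-Age": "1800",
        "Access-Control-Allow-Credentials": "true",
    }


# Constructed preflight request, mirroring the OPTIONS example above.
SAMPLE_PREFLIGHT = {
    "Origin": "http://my.app",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "accept,authorization,content-type",
}
```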