From 9b47de3095e5afacf70106c1e3a3f265d64c7822 Mon Sep 17 00:00:00 2001 From: Romain LE DISEZ Date: Thu, 23 Feb 2017 11:45:28 +0100 Subject: [PATCH] Enable cluster-wide CORS Expose-Headers setting An operator proposing a web UX to its customers might want to allow web browser to access some headers by default (eg: X-Storage-Policy, X-Container-Read, ...). This commit adds a new setting to the proxy-server to allow some headers to be added cluster-wide to the CORS header Access-Control-Expose-Headers. Change-Id: I5ca90a052f27c98a514a96ee2299bfa1b6d46334 --- doc/manpages/proxy-server.conf.5 | 2 + doc/source/deployment_guide.rst | 5 +++ etc/proxy-server.conf-sample | 3 ++ swift/proxy/controllers/base.py | 2 + swift/proxy/server.py | 4 ++ test/unit/proxy/test_server.py | 70 ++++++++++++++++++++++++++++++++ 6 files changed, 86 insertions(+) diff --git a/doc/manpages/proxy-server.conf.5 b/doc/manpages/proxy-server.conf.5 index c8fdfd5735..b7075b4dca 100644 --- a/doc/manpages/proxy-server.conf.5 +++ b/doc/manpages/proxy-server.conf.5 @@ -143,6 +143,8 @@ This is very useful when one is managing more than one swift cluster. Use a comma separated list of full URL (http://foo.bar:1234,https://foo.bar) .IP \fBstrict_cors_mode\fR The default is true. +.IP \fBcors_expose_headers\fR +Comma separated list of headers to expose through Access-Control-Expose-Headers .IP \fBnice_priority\fR Modify scheduling priority of server processes. Niceness values range from -20 (most favorable to the process) to 19 (least favorable to the process). diff --git a/doc/source/deployment_guide.rst b/doc/source/deployment_guide.rst index c8e24dbeea..e0f890a108 100644 --- a/doc/source/deployment_guide.rst +++ b/doc/source/deployment_guide.rst @@ -1573,6 +1573,11 @@ cors_allow_origin This is a list o header in addition to what the container has set. strict_cors_mode True +cors_expose_headers This is a list of headers that + are included in the header + Access-Control-Expose-Headers + in addition to what the container + has set. client_timeout 60 trans_id_suffix This optional suffix (default is empty) that would be appended to the swift diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index 1cccc9bee9..1b6b133003 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -73,6 +73,9 @@ bind_port = 8080 # cors_allow_origin = # strict_cors_mode = True # +# Comma separated list of headers to expose through Access-Control-Expose-Headers +# cors_expose_headers = +# # client_timeout = 60 # eventlet_debug = false # diff --git a/swift/proxy/controllers/base.py b/swift/proxy/controllers/base.py index 108bf610f6..feedce445f 100644 --- a/swift/proxy/controllers/base.py +++ b/swift/proxy/controllers/base.py @@ -232,6 +232,7 @@ def cors_validation(func): # - simple response headers, # http://www.w3.org/TR/cors/#simple-response-header # - swift specific: etag, x-timestamp, x-trans-id + # - headers provided by the operator in cors_expose_headers # - user metadata headers # - headers provided by the user in # x-container-meta-access-control-expose-headers @@ -240,6 +241,7 @@ def cors_validation(func): 'cache-control', 'content-language', 'content-type', 'expires', 'last-modified', 'pragma', 'etag', 'x-timestamp', 'x-trans-id', 'x-openstack-request-id']) + expose_headers.update(controller.app.cors_expose_headers) for header in resp.headers: if header.startswith('X-Container-Meta') or \ header.startswith('X-Object-Meta'): diff --git a/swift/proxy/server.py b/swift/proxy/server.py index 142f67801e..53eeb973a8 100644 --- a/swift/proxy/server.py +++ b/swift/proxy/server.py @@ -147,6 +147,10 @@ class Application(object): a.strip() for a in conf.get('cors_allow_origin', '').split(',') if a.strip()] + self.cors_expose_headers = [ + a.strip() + for a in conf.get('cors_expose_headers', '').split(',') + if a.strip()] self.strict_cors_mode = config_true_value( conf.get('strict_cors_mode', 't')) self.node_timings = {} diff --git a/test/unit/proxy/test_server.py b/test/unit/proxy/test_server.py index daac999c5a..a75a76599b 100644 --- a/test/unit/proxy/test_server.py +++ b/test/unit/proxy/test_server.py @@ -5319,6 +5319,76 @@ class TestObjectController(unittest.TestCase): self.assertEqual('x-trans-id', resp.headers['access-control-expose-headers']) + def test_CORS_expose_headers(self): + default_expected_exposed = set([ + 'cache-control', 'content-language', 'content-type', 'expires', + 'last-modified', 'pragma', 'etag', 'x-timestamp', 'x-trans-id', + 'x-openstack-request-id']) + + def objectGET(controller, req): + return Response(headers={ + 'X-Custom-Operator': 'hush', + 'X-Custom-User': 'hush', + }) + + # test default expose_headers + self.app.cors_expose_headers = [] + container_cors = {'allow_origin': 'http://foo.bar'} + resp = self._get_CORS_response(container_cors=container_cors, + strict_mode=False, object_get=objectGET) + + self.assertEqual(200, resp.status_int) + self.assertIn('access-control-expose-headers', resp.headers) + exposed = set( + h.strip() for h in + resp.headers['access-control-expose-headers'].split(',')) + self.assertEqual(default_expected_exposed, exposed) + + # test operator expose_headers + self.app.cors_expose_headers = ['x-custom-operator', ] + container_cors = {'allow_origin': 'http://foo.bar'} + resp = self._get_CORS_response(container_cors=container_cors, + strict_mode=False, object_get=objectGET) + + self.assertEqual(200, resp.status_int) + self.assertIn('access-control-expose-headers', resp.headers) + exposed = set( + h.strip() for h in + resp.headers['access-control-expose-headers'].split(',')) + self.assertEqual(default_expected_exposed | set(['x-custom-operator']), + exposed) + + # test user expose_headers + self.app.cors_expose_headers = [] + container_cors = {'allow_origin': 'http://foo.bar', + 'expose_headers': 'x-custom-user'} + resp = self._get_CORS_response(container_cors=container_cors, + strict_mode=False, object_get=objectGET) + + self.assertEqual(200, resp.status_int) + self.assertIn('access-control-expose-headers', resp.headers) + exposed = set( + h.strip() for h in + resp.headers['access-control-expose-headers'].split(',')) + self.assertEqual(default_expected_exposed | set(['x-custom-user']), + exposed) + + # test user and operator expose_headers + self.app.cors_expose_headers = ['x-custom-operator', ] + container_cors = {'allow_origin': 'http://foo.bar', + 'expose_headers': 'x-custom-user'} + resp = self._get_CORS_response(container_cors=container_cors, + strict_mode=False, object_get=objectGET) + + self.assertEqual(200, resp.status_int) + self.assertIn('access-control-expose-headers', resp.headers) + exposed = set( + h.strip() for h in + resp.headers['access-control-expose-headers'].split(',')) + self.assertEqual(default_expected_exposed | set(['x-custom-user', + 'x-custom-operator']), + exposed) + def _gather_x_container_headers(self, controller_call, req, *connect_args, **kwargs): header_list = kwargs.pop('header_list', ['X-Container-Device',