Cors fix default header

Allowed x-auth-token headers by default Change-Id: I8182bd57c2d13606677d2d127dbfd290620de524
2018-09-05 18:22:00 +02:00 · 2018-09-05 18:22:00 +02:00 · cbc3e8d3a1
parent f596a06fae
commit cbc3e8d3a1
2 changed files with 33 additions and 21 deletions
--- a/etc/iotronic/iotronic.conf
+++ b/etc/iotronic/iotronic.conf
@ -53,28 +53,28 @@ project_domain_id= default
 auth_url = http://<keystone_host>:35357

 [cors]
+# Indicate whether this resource may be shared with the domain
+# received in the requests "origin" header. Format:
+# "<protocol>://<host>[:<port>]", no trailing slash. Example:
+# https://horizon.example.com (list value)
+#allowed_origin = <None>

-# Indicate whether this resource may be shared with the domain received in the
-# requests "origin" header. Format: "<protocol>://<host>[:<port>]", no trailing
-# slash. Example: https://horizon.example.com (list value)
-#allowed_origin = <none>
-
-# Indicate that the actual request can include user credentials (boolean value)
+# Indicate that the actual request can include user
+# credentials (boolean value)
 #allow_credentials = true

-# Indicate which headers are safe to expose to the API. Defaults to HTTP Simple
-# Headers. (list value)
-#expose_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token
+# Indicate which headers are safe to expose to the API.
+# Defaults to HTTP Simple Headers. (list value)
+#expose_headers =

-# Maximum cache age of CORS preflight requests. (integer value)
+# Maximum cache age of CORS preflight requests. (integer
+# value)
 #max_age = 3600

-# Indicate which methods can be used during the actual request. (list value)
-#allow_methods = GET,PUT,POST,DELETE,PATCH
-
-# Indicate which header field names may be used during the actual request.
-# (list value)
-#allow_headers = X-Auth-Token,X-Openstack-Request-Id,X-Subject-Token,X-Project-Id,X-Project-Name,X-Project-Domain-Id,X-Project-Domain-Name,X-Domain-Id,X-Domain-Name
-
-
+# Indicate which methods can be used during the actual
+# request. (list value)
+#allow_methods = OPTIONS,GET,HEAD,POST,PUT,DELETE,TRACE,PATCH

+# Indicate which header field names may be used during the
+# actual request. (list value)
+#allow_headers =
--- a/iotronic/api/app.py
+++ b/iotronic/api/app.py
@ -95,6 +95,20 @@ def get_pecan_config():
    return pecan.configuration.conf_from_file(filename)


+class IotronicCORS(cors_middleware.CORS):
+    """Iotronic-specific CORS class
+    We're adding the Iotronic-specific version headers to the list of simple
+    headers in order that a request bearing those headers might be accepted by
+    the Iotronic REST API.
+    """
+    simple_headers = cors_middleware.CORS.simple_headers + [
+        'X-Auth-Token',
+        base.Version.max_string,
+        base.Version.min_string,
+        base.Version.string
+    ]
+
+
 def setup_app(config=None):

    app_hooks = [hooks.ConfigHook(),
@ -121,10 +135,8 @@ def setup_app(config=None):

    # Create a CORS wrapper, and attach iotronic-specific defaults that must be
    # included in all CORS responses.
-    app = cors_middleware.CORS(app, CONF)
+    app = IotronicCORS(app, CONF)
    cors_middleware.set_defaults(
-        allow_headers=[base.Version.max_string, base.Version.min_string,
-                       base.Version.string],
        allow_methods=['GET', 'PUT', 'POST', 'DELETE', 'PATCH'],
        expose_headers=[base.Version.max_string, base.Version.min_string,
                        base.Version.string]