Added CORS middleware to Trove

This adds the CORS support middleware to Trove, allowing a deployer
to optionally configure rules under which a javascript client may
break the single-origin policy and access the API directly.

For trove, the paste.ini method of deploying the middleware was
chosen, because it needs to be able to annotate responses created
by keystonemiddleware. If the middleware were explicitly included
as in the previous patch, keystone would reject the request before
the cross-domain headers could be annotated, resulting in an
error response that was unreadable by the user agent.

OpenStack Spec:
   http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
Oslo_Middleware Docs:
   http://docs.openstack.org/developer/oslo.middleware/cors.html
Cloud Admin Guide Documentation:
   http://docs.openstack.org/admin-guide-cloud/cross_project_cors.html

Change-Id: Ic55305607e44069d893baf2a261d5fe7da777303

etc/trove/api-paste.ini

@@ -7,7 +7,7 @@ use = call:trove.common.wsgi:versioned_urlmap
 paste.app_factory = trove.versions:app_factory
 
 [pipeline:troveapi]
-pipeline = faultwrapper osprofiler authtoken authorization contextwrapper ratelimit extensions troveapp
+pipeline = cors faultwrapper osprofiler authtoken authorization contextwrapper ratelimit extensions troveapp
 #pipeline = debug extensions troveapp
 
 [filter:extensions]
@@ -19,6 +19,10 @@ paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 [filter:authorization]
 paste.filter_factory = trove.common.auth:AuthorizationMiddleware.factory
 
+[filter:cors]
+paste.filter_factory = oslo_middleware.cors:filter_factory
+oslo_config_project = trove
+
 [filter:contextwrapper]
 paste.filter_factory = trove.common.wsgi:ContextMiddleware.factory
 

etc/trove/trove.conf.sample

@@ -251,3 +251,42 @@ device_path = /dev/vdb
 cluster_support = True
 cluster_member_count = 3
 api_strategy = trove.common.strategies.cluster.experimental.vertica.api.VerticaAPIStrategy
+
+
+# ============ CORS configuration =============================
+
+[cors]
+
+#
+# Options defined in oslo_middleware.cors.CORS.
+# This entire section is optional.
+#
+
+# The default protocol, domain, and port from which HTTP requests are
+# permitted.
+# allowed_origin=https://localhost:443
+
+# Whether to permit credential headers on CORS requests.
+# allow_credentials = True
+
+# CORS preflight responses may be cached. This setting allows you to tell the
+# client how many seconds that cache should persist.
+# max_age=3600
+
+# The list of HTTP methods which clients may access. These may be overridden by
+# the software itself.
+# allow_methods=GET,POST,PUT,DELETE,PATCH
+
+# The default list of headers each CORS client may access.
+# allow_headers=X-Custom-Header
+
+# The default list of headers exposed on each CORS request. To allow proper
+# microversion detection, please ensure that the 'X-OpenStack-Ironic-API-Version
+# header is included in this list.
+# expose_headers=X-Custom-Header
+
+[cors.optional]
+
+# An additional domain from which CORS requests are permitted, which defaults
+# to settings set above.
+# allowed_origin=https://otherhost:443

requirements.txt

@@ -31,6 +31,7 @@ pexpect!=3.3,>=3.1 # ISC License
 oslo.config>=2.6.0 # Apache-2.0
 oslo.context>=0.2.0 # Apache-2.0
 oslo.i18n>=1.5.0 # Apache-2.0
+oslo.middleware>=2.8.0 # Apache-2.0
 oslo.serialization>=1.10.0 # Apache-2.0
 oslo.service>=0.10.0 # Apache-2.0
 oslo.utils!=2.6.0,>=2.4.0 # Apache-2.0