
Comments (16)

tingyuz commented on August 28, 2024

For future reference, the current implementation of API gateway is based on KONG. From the document it seems KONG has limited support to enable CORS/cross-origin resource sharing.

https://docs.konghq.com/hub/kong-inc/cors/

from go-mod-bootstrap.

tingyuz commented on August 28, 2024

A quick verification/band-aid-style fix is to run a curl command against KONG. Here is the command that may work:

    curl -X POST http://localhost:8001/plugins \
    --data "name=cors" \
    --data "config.origins=*" \
    --data "config.methods=GET" \
    --data "config.methods=POST" \
    --data "config.headers=Accept" \
    --data "config.headers=Accept-Version" \
    --data "config.headers=Content-Length" \
    --data "config.headers=Content-MD5" \
    --data "config.headers=Content-Type" \
    --data "config.headers=Date" \
    --data "config.headers=X-Auth-Token" \
    --data "config.exposed_headers=X-Auth-Token" \
    --data "config.credentials=true" \
    --data "config.max_age=3600"

aj-n commented on August 28, 2024

If anyone else is looking for a solution to this, simply using * for origins did not work for me. Only when restricted to specific origins (with proper http or https AND port) did it work (i.e. config.origins=https://localhost:3000)

Additionally, you will need to configure the OPTIONS and other methods to be allowed on all the routes. I accomplished this with a simple loop in a script:

    #!/usr/bin/env bash
    # Kong route names to update (bash array)
    ROUTES=(
        "coredata"
        "metadata"
        "command"
        "notifications"
        "scheduler"
        "rulesengine"
    )

    # Allow OPTIONS and the other methods on each route via the Kong admin API
    for route in "${ROUTES[@]}"; do
        curl -X PATCH "http://localhost:8001/routes/${route}/" \
            --data "methods=OPTIONS" \
            --data "methods=GET" \
            --data "methods=POST" \
            --data "methods=PUT" \
            --data "methods=DELETE"
    done

lenny-intel commented on August 28, 2024

Example utility for CORS from Intel reference implementation
https://github.com/intel-iot-devkit/automated-checkout-utilities/blob/0dd0e1e344399f3042b1f64b82ccbc2d2e0333aa/utilities.go#L69

We might be able to handle this in the middleware for REST

jpwhitemn commented on August 28, 2024

Discussed in Core WG meeting 5/13/21. To be done for Jakarta release. Looking at whether there is common code (such as in bootstrapping) or if this needs to be added to edgex-go, SDKs (and associated services) separately as part of the request handling process. For Kong, we'll need to add the Kong plugin (https://docs.konghq.com/hub/kong-inc/cors/) - again for Jakarta

bnevis-i commented on August 28, 2024

It was decided in Security WG on 9/15/2021 that the project wants CORS support to be enabled even in the non-security use case. Pursuant to this direction, we want to back out the changes for edgexfoundry/edgex-go#1913 and re-implement them in the EdgeX middleware instead of in Kong.

As such, we will back out commit edgexfoundry/edgex-go@25b03d0 of PR edgexfoundry/edgex-go#3678

The following configuration options should be added to the service to control the CORS headers:

EnableCORS = false
CORSAllowCredentials = false
CORSAllowedOrigins = "https://localhost"
CORSAllowedMethods = "GET, POST, PUT, DELETE"
CORSAllowedHeaders = "Content-Type"
CORSExposedHeaders = ""
CORSPreflightMaxAge = 3600

Actual real-life example from a Kong user:

    curl -X POST http://localhost:8001/plugins/ \
    --data "name=cors"  \
    --data "config.origins=http://yyy.yyy.yyy.yyy:4200" \
    --data "config.methods=GET" \
    --data "config.methods=POST" \
    --data "config.methods=OPTIONS" \
    --data "config.headers=Accept" \
    --data "config.headers=Accept-Version" \
    --data "config.headers=Content-Length" \
    --data "config.headers=Content-MD5" \
    --data "config.headers=Content-Type" \
    --data "config.headers=Date" \
    --data "config.headers=X-Auth-Token" \
    --data "config.headers=Authorization" \
    --data "config.exposed_headers=X-Auth-Token" \
    --data "config.credentials=true" \
    --data "config.max_age=3600" 

bnevis-i commented on August 28, 2024

Middleware implementation should be done in https://github.com/edgexfoundry/go-mod-bootstrap and in C SDK

lenny-intel commented on August 28, 2024

More details on the proposed implementation.

  1. Add new CORS configuration settings above to ServiceInfo. Suggest sub-struct CorsInfo.
  2. Implement adding the CORS info (when enabled) to response header in the bootstrap handler here:
    https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/handlers/httpserver.go#L97

JamesKButcher commented on August 28, 2024

@cloudxxx8 please take a look at the amount of work here

cloudxxx8 commented on August 28, 2024

It's not hard to add this implementation, but we need more time to test it manually.
According to the current test infrastructure, we can't add automation tests for this because it needs multiple machines.

JamesKButcher commented on August 28, 2024

On Core WG call we agreed to add PATCH to the CORSAllowedMethods

i.e.

CORSAllowedMethods = "GET, POST, PUT, PATCH, DELETE"

@cloudxxx8 and team, please aim to complete in the next week if possible

cloudxxx8 commented on August 28, 2024

fixed by #286 and #288

bnevis-i commented on August 28, 2024

Reopening the issue because I realized that we're not done. There is actually logic we need to implement on the server side.

https://www.html5rocks.com/en/tutorials/cors//#toc-cors-server-flowchart

Also need to set "Vary: Origin" when supporting CORS.

Note that the consul API does not currently expose CORS headers. There was a PR to add the feature, though it is pretty low-level: https://github.com/hashicorp/consul/pull/558/files
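
The server-side handling discussed in this thread (exact origin match, "Vary: Origin", credentials, preflight answer), sketched as Go middleware. This is an added example, not code from go-mod-bootstrap or from any commenter: the `CORSConfig` type and `WithCORS` function are hypothetical, the setting names are the ones proposed earlier in the thread (`CORSExposedHeaders` is left out), and reading `CORSAllowedOrigins` as a comma-separated list is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// CORSConfig uses the setting names from the thread; the type itself is hypothetical.
type CORSConfig struct {
	EnableCORS, CORSAllowCredentials                           bool
	CORSAllowedOrigins, CORSAllowedMethods, CORSAllowedHeaders string
	CORSPreflightMaxAge                                        int // seconds
}

// WithCORS applies the server-side CORS decisions before calling next.
func WithCORS(c CORSConfig, next http.Handler) http.Handler {
	if !c.EnableCORS {
		return next
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin, h := r.Header.Get("Origin"), w.Header()
		h.Add("Vary", "Origin") // the response differs per Origin, so caches must key on it
		ok := c.CORSAllowedOrigins == "*" && !c.CORSAllowCredentials // no wildcard with credentials
		for _, o := range strings.Split(c.CORSAllowedOrigins, ",") {
			ok = ok || strings.TrimSpace(o) == origin // exact scheme, host and port
		}
		if origin == "" || !ok {
			next.ServeHTTP(w, r) // no CORS headers: the browser refuses the cross-origin read
			return
		}
		h.Set("Access-Control-Allow-Origin", origin)
		if c.CORSAllowCredentials {
			h.Set("Access-Control-Allow-Credentials", "true")
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			h.Set("Access-Control-Allow-Methods", c.CORSAllowedMethods)
			h.Set("Access-Control-Allow-Headers", c.CORSAllowedHeaders)
			h.Set("Access-Control-Max-Age", fmt.Sprint(c.CORSPreflightMaxAge))
			w.WriteHeader(http.StatusNoContent) // the preflight is answered here, not by next
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	cfg := CORSConfig{EnableCORS: true, CORSAllowedOrigins: "https://localhost:3000", CORSAllowedMethods: "GET, POST, PUT, PATCH, DELETE", CORSAllowedHeaders: "Content-Type", CORSPreflightMaxAge: 3600}
	fmt.Println(http.ListenAndServe("localhost:8080", WithCORS(cfg, http.NotFoundHandler())))
}
```

An origin that is not on the list still reaches the wrapped handler; it only receives no CORS headers, so this is not a substitute for authentication or CSRF protection.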

cloudxxx8 commented on August 28, 2024

@jpwhitemn @lenny-intel we might need to postpone the code freeze date for this issue

bnevis-i commented on August 28, 2024

Waiting for edgexfoundry/edgex-docs#608

jpwhitemn commented on August 28, 2024

Issue has been resolved, but believe just Docs work to be done. Per TSC 11/10/21 - close this
