Bug 1646606

Summary: Getting CORS error while creating quotas via javascript
Product: Red Hat CloudForms Management Engine Reporter: Satoe Imaishi <simaishi>
Component: APIAssignee: Joe Vlcek <jvlcek>
Status: CLOSED ERRATA QA Contact: Parthvi Vala <pvala>
Severity: high Docs Contact:
Priority: high    
Version: 5.9.0CC: cpelland, dmetzger, gtanzill, hkataria, jprause, jvlcek, lavenel, lgalis, mfeifer, mpovolny, ngupta, obarenbo, pvala, simaishi
Target Milestone: GAKeywords: ZStream
Target Release: 5.9.6   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 5.9.6.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1599259 Environment:
Last Closed: 2018-12-13 15:15:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:
Bug Depends On: 1599259    
Bug Blocks: 1622587    

Comment 2 CFME Bot 2018-11-05 18:44:15 UTC 
New commit detected on ManageIQ/manageiq-api/gaprindashvili:

https://github.com/ManageIQ/manageiq-api/commit/9cc1ee9d5a8e6ad34c6e8846228f78cdd181a57c
commit 9cc1ee9d5a8e6ad34c6e8846228f78cdd181a57c
Author:     Alberto Bellotti <abellotti.github.com>
AuthorDate: Thu Oct 18 16:14:04 2018 -0400
Commit:     Alberto Bellotti <abellotti.github.com>
CommitDate: Thu Oct 18 16:14:04 2018 -0400

    Merge pull request #495 from jvlcek/bz_1599259_CORS

    Add subcollection options support for CORS prefilghted requests

    (cherry picked from commit 3502e51181ce92c28866a4626fdfadf0d31bd591)

    https://bugzilla.redhat.com/show_bug.cgi?id=1646606

 app/controllers/api/base_controller.rb | 6 +-
 config/routes.rb | 3 +
 spec/requests/tenant_quotas_spec.rb | 6 +
 3 files changed, 14 insertions(+), 1 deletion(-)
Comment 3 Parthvi Vala 2018-11-22 06:23:32 UTC 
FIXED. Verified on 5.9.6.2.20181119175512_3a18916.

Steps taken to verify the BZ:
1) Create `tenant` using API.
Request: POST /api/tenants
Query: {
  "name" : "Test Tenant",
  "description" : "Test Tenant Description",
  "parent" : { "href" : "http://<ip_address>/api/tenants/:id" }
}

2) Create quota for the tenant.
Request: POST /api/tenants/:id/quotas
Query: {
  "name" : "cpu_allocated",
  "value" : 1
}

3) Send `OPTIONS` to /api/tenants/:id/quotas and check HEADER.
HEADERS:
Date: Thu, 22 Nov 2018 06:20:06 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
X-Request-Id: dd4ff3b4-d2a4-4eae-978d-c8f598280192
X-Runtime: 0.006549
Content-Length: 0

These are headers from the request sent to a 5.9.2 appliance.
HEADERS:
Date: Thu, 22 Nov 2018 06:22:45 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Content-Type: text/html; charset=utf-8
X-Request-Id: cde690b3-f0d4-4032-9a5d-534d8c698d18
X-Runtime: 0.015369
Content-Length: 728

I checked via CURL and verified that `Access-Control-Allow-Origin` is present in the HEADER, it was not verified via AJAX Request.
Comment 5 errata-xmlrpc 2018-12-13 15:15:44 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3816