Bug 1599259 - Getting CORS error while creating quotas via javascript
Summary: Getting CORS error while creating quotas via javascript
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.10.0
Assignee: Joe Vlcek
QA Contact: Parthvi Vala
URL:
Whiteboard:
Depends On:
Blocks: 1595269 1646606
Reported: 2018-07-09 10:31 UTC by Nikhil Gupta
Modified: 2019-02-11 14:03 UTC

Fixed In Version: 5.10.0.23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1646606 (view as bug list)
Environment:
Last Closed: 2019-02-11 14:03:08 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:



Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3649141 None None None 2018-10-12 00:40:26 UTC

Description Nikhil Gupta 2018-07-09 10:31:31 UTC
Description of problem:
Developing a Webapp using js and trying to create a tenant and then create quotas for that tenant. 

I was able to create the tenant, then from the response I got the id and called the API to create a quota for that tenant. However, I don't get the CORS from /api/tenants/:id/quotas and get a 404 error.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost/api/tenants/1000000000140/quotas. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost/api/tenants/1000000000140/quotas. (Reason: CORS request did not succeed).

Version-Release number of selected component (if applicable):
cfme-5.9.2

How reproducible:
Always

Steps to Reproduce:
1. Create tenant using js
2. Get tenant id 
3. Using tenant id, create quotas for it.

Actual results:
CORS request did not succeed

Expected results:
CORS request should succeed

Additional info:
/api/tenants/:id/quotas doesn't return correct headers.

Comment 4 Gregg Tanzillo 2018-07-09 13:40:46 UTC
Can you please try to recreate this issue outside of the js code you've included? It's not clear if this is an issue with the API or the js that is calling it. Thanks!

Comment 5 Nikhil Gupta 2018-07-09 23:47:51 UTC
Hi Greg,

Thank you for your reply.

I am able to create the tenant and quota via api on my test system and status is 200 OK. 
I have created them as follows:
~~~
### Tenant create ###
{
  "action" : "create",
  "resource" : {
    "name": "tenantapi",
    "description": "Tenant for api",
    "parent": {"id": "99000000000001"}
  }
}

### Quota create ###
{
  "action" : "create",
  "resources" : [
    {
      "name" : "cpu_allocated",
      "value" : 1
    },
    {
      "name": "mem_allocated",
      "value": 2147483648000
    }
  ]
}
~~~
However, the customer is facing this issue with js. He is able to create the tenant and groups via js but is facing a CORS error while creating quotas. The /api/tenants/:id/quotas is not returning correct headers.
All we have to do is opt in to CORS requests on the cfme API server by returning the proper headers based on the request.

Regards,
Niks

Comment 20 CFME Bot 2018-10-18 20:17:36 UTC
New commit detected on ManageIQ/manageiq-api/master:

https://github.com/ManageIQ/manageiq-api/commit/5edf913e6ae26c3a6f5f6bb9836c1d2776fbb52d
commit 5edf913e6ae26c3a6f5f6bb9836c1d2776fbb52d
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Tue Oct 16 14:41:38 2018 -0400
Commit:     Joe VLcek <jvlcek@redhat.com>
CommitDate: Tue Oct 16 14:41:38 2018 -0400

    Add subcollection options support for CORS preflighted requests

    https://bugzilla.redhat.com/show_bug.cgi?id=1599259

 app/controllers/api/base_controller.rb | 6 +-
 config/routes.rb | 3 +
 spec/requests/tenant_quotas_spec.rb | 6 +
 3 files changed, 14 insertions(+), 1 deletion(-)

Comment 21 CFME Bot 2018-10-18 21:57:54 UTC
New commit detected on ManageIQ/manageiq-api/hammer:

https://github.com/ManageIQ/manageiq-api/commit/9b4e42018e90d95bc0d46cfe970859ee82386146
commit 9b4e42018e90d95bc0d46cfe970859ee82386146
Author:     Alberto Bellotti <abellotti@users.noreply.github.com>
AuthorDate: Thu Oct 18 16:14:04 2018 -0400
Commit:     Alberto Bellotti <abellotti@users.noreply.github.com>
CommitDate: Thu Oct 18 16:14:04 2018 -0400

    Merge pull request #495 from jvlcek/bz_1599259_CORS

    Add subcollection options support for CORS preflighted requests

    (cherry picked from commit 3502e51181ce92c28866a4626fdfadf0d31bd591)

    https://bugzilla.redhat.com/show_bug.cgi?id=1599259

 app/controllers/api/base_controller.rb | 6 +-
 config/routes.rb | 3 +
 spec/requests/tenant_quotas_spec.rb | 6 +
 3 files changed, 14 insertions(+), 1 deletion(-)

Comment 26 Parthvi Vala 2018-11-22 06:31:37 UTC
FIXED. Verified on 5.10.0.24.20181113213923_03b81fd.

Steps taken to verify the BZ:
1) Create `tenant` using API.
Request: POST /api/tenants
Query: {
  "name" : "Test Tenant",
  "description" : "Test Tenant Description",
  "parent" : { "href" : "http://<ip_address>/api/tenants/:id" }
}

2) Create quota for the tenant.
Request: POST /api/tenants/:id/quotas
Query: {
  "name" : "cpu_allocated",
  "value" : 1
}

3) Send `OPTIONS` to /api/tenants/:id/quotas and check HEADER.

HEADERS:
Date: Wed, 21 Nov 2018 07:08:21 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
X-Request-Id: d0a3cbba-1c51-4781-a695-903088ec8bc6
X-Runtime: 0.013794
Content-Length: 0


These are headers from the request sent to a 5.9.2 appliance.
Date: Wed, 21 Nov 2018 07:08:54 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Content-Type: text/html; charset=utf-8
X-Request-Id: 4fdae38a-5977-4244-918f-e4a0b966be6f
X-Runtime: 0.003523
Content-Length: 728

This was not verified via AJAX Request. I checked via CURL and verified that `Access-Control-Allow-Origin` was present in the HEADER of OPTIONS request sent to a 5.10.0.24 appliance, which was earlier not present in the HEADER of OPTIONS request sent to a 5.9.2 appliance.
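
Added example (not part of the bug report and not ManageIQ code): a simplified version of the browser's CORS preflight check, run against the two OPTIONS responses captured in Comment 26, to show why the quota POST was blocked on 5.9.2 and passes on 5.10.0.24. The status codes, the origin and the `unsafeHeaders`/`credentials` request fields are assumptions made for the example.

```javascript
// Added example, not ManageIQ code. Header values are copied from Comment 26;
// the status codes are assumptions (200 after the fix, 404 as in the bug description).
const fixed510 = { status: 200, headers: {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Headers": "origin, content-type, authorization, x-auth-token",
  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, PATCH, OPTIONS",
} };
const broken592 = { status: 404, headers: { "Content-Type": "text/html; charset=utf-8" } };
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Simplified CORS-preflight check modelled on the Fetch standard. Returns the reasons
// a browser would block the real request; an empty array means it may be sent.
function preflightFailures(resp, req) {
  const h = {};
  for (const [k, v] of Object.entries(resp.headers)) h[k.toLowerCase()] = v;
  const reasons = [];
  if (resp.status < 200 || resp.status > 299) reasons.push(`status ${resp.status} is not 2xx`);

  const acao = h["access-control-allow-origin"];
  if (acao === undefined) reasons.push("Access-Control-Allow-Origin missing");
  else if (acao === "*" ? req.credentials : acao !== req.origin)
    reasons.push(`origin not allowed by "${acao}"`);
  else if (req.credentials && h["access-control-allow-credentials"] !== "true")
    reasons.push("Access-Control-Allow-Credentials is not true");

  const wildcardOk = !req.credentials; // "*" is literal when credentials are included
  const methods = list(h["access-control-allow-methods"]);
  const m = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(m) && !methods.includes(m) &&
      !(wildcardOk && methods.includes("*")))
    reasons.push(`method ${req.method} not allowed`);

  const allowed = list(h["access-control-allow-headers"]);
  for (const name of req.unsafeHeaders.map((n) => n.toLowerCase())) {
    // "*" never covers Authorization; that header must be listed by name.
    const viaWildcard = wildcardOk && allowed.includes("*") && name !== "authorization";
    if (!allowed.includes(name) && !viaWildcard) reasons.push(`header ${name} not allowed`);
  }
  return reasons;
}

// The quota POST from the report: JSON body plus an Authorization header.
// The origin is a placeholder; credentials:true means cookies are sent cross-site.
const quotaPost = { origin: "https://webapp.example", method: "POST",
                    unsafeHeaders: ["content-type", "authorization"], credentials: false };

console.log("5.10.0.24:", preflightFailures(fixed510, quotaPost));
console.log("5.9.2:    ", preflightFailures(broken592, quotaPost));
console.log("with cookies:", preflightFailures(fixed510, { ...quotaPost, credentials: true }));
```

The last call shows that `Access-Control-Allow-Origin: *` only satisfies requests that carry the token in a header; a request sent with cookies is still rejected by the browser.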

