Merge branch 'rabbitmq-management-157' into stable

Author: michaelklishin

src/rabbit_mgmt_cors.erl

@@ -0,0 +1,88 @@
+%%   The contents of this file are subject to the Mozilla Public License
+%%   Version 1.1 (the "License"); you may not use this file except in
+%%   compliance with the License. You may obtain a copy of the License at
+%%   http://www.mozilla.org/MPL/
+%%
+%%   Software distributed under the License is distributed on an "AS IS"
+%%   basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
+%%   License for the specific language governing rights and limitations
+%%   under the License.
+%%
+%%   The Original Code is RabbitMQ Management Plugin.
+%%
+%%   The Initial Developer of the Original Code is GoPivotal, Inc.
+%%   Copyright (c) 2007-2016 Pivotal Software, Inc.  All rights reserved.
+%%
+
+%% Useful documentation about CORS:
+%% * https://tools.ietf.org/html/rfc6454
+%% * https://www.w3.org/TR/cors/
+%% * https://staticapps.org/articles/cross-domain-requests-with-cors/
+-module(rabbit_mgmt_cors).
+
+-export([set_headers/2]).
+
+%% We don't set access-control-max-age because we currently have
+%% no way to know which headers apply to the whole resource. We
+%% only know for the next request.
+set_headers(ReqData, Module) ->
+    ReqData1 = case wrq:get_resp_header("vary", ReqData) of
+        undefined -> wrq:set_resp_header("vary", "origin", ReqData);
+        VaryValue -> wrq:set_resp_header("vary", VaryValue ++ ", origin", ReqData)
+    end,
+    case match_origin(ReqData1) of
+        false ->
+            ReqData1;
+        Origin ->
+            ReqData2 = case wrq:method(ReqData1) of
+                'OPTIONS' -> handle_options(ReqData1, Module);
+                _         -> ReqData1
+            end,
+            wrq:set_resp_headers([
+                {"access-control-allow-origin",      Origin},
+                {"access-control-allow-credentials", "true"}
+            ], ReqData2)
+    end.
+
+%% Set max-age from configuration (default: 30 minutes).
+%% Set allow-methods from what is defined in Module:allowed_methods/2.
+%% Set allow-headers to the same as the request (accept all headers).
+handle_options(ReqData, Module) ->
+    MaxAge = application:get_env(rabbitmq_management, cors_max_age, 1800),
+    {Methods, _, _} = Module:allowed_methods(undefined, undefined),
+    AllowMethods = string:join([atom_to_list(M) || M <- Methods], ", "),
+    ReqHeaders = wrq:get_req_header("access-control-request-headers", ReqData),
+    MaxAgeHd = case MaxAge of
+        undefined -> [];
+        _ -> {"access-control-max-age", integer_to_list(MaxAge)}
+    end,
+    MaybeAllowHeaders = case ReqHeaders of
+        undefined -> [];
+        _ -> [{"access-control-allow-headers", ReqHeaders}]
+    end,
+    wrq:set_resp_headers([MaxAgeHd,
+        {"access-control-allow-methods", AllowMethods}
+        |MaybeAllowHeaders], ReqData).
+
+%% If the origin header is missing or "null", we disable CORS.
+%% Otherwise, we only enable it if the origin is found in the
+%% cors_allow_origins configuration variable, or if "*" is (it
+%% allows all origins).
+match_origin(ReqData) ->
+    case wrq:get_req_header("origin", ReqData) of
+        undefined -> false;
+        "null" -> false;
+        Origin ->
+            AllowedOrigins = application:get_env(rabbitmq_management,
+                cors_allow_origins, []),
+            case lists:member(Origin, AllowedOrigins) of
+                true ->
+                    Origin;
+                false ->
+                    %% Maybe the configuration explicitly allows "*".
+                    case lists:member("*", AllowedOrigins) of
+                        true  -> Origin;
+                        false -> false
+                    end
+            end
+    end.

src/rabbit_mgmt_wm_aliveness_test.erl

@@ -17,6 +17,7 @@
 -module(rabbit_mgmt_wm_aliveness_test).
 
 -export([init/1, to_json/2, content_types_provided/2, is_authorized/2]).
+-export([finish_request/2, allowed_methods/2]).
 -export([encodings_provided/2]).
 -export([resource_exists/2]).
 
@@ -30,6 +31,12 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
+allowed_methods(ReqData, Context) ->
+    {['HEAD', 'GET', 'OPTIONS'], ReqData, Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 

src/rabbit_mgmt_wm_binding.erl

@@ -20,6 +20,7 @@
          content_types_provided/2, content_types_accepted/2,
          is_authorized/2, allowed_methods/2, delete_resource/2,
          args_hash/1]).
+-export([finish_request/2]).
 -export([encodings_provided/2]).
 
 -include("rabbit_mgmt.hrl").
@@ -29,6 +30,9 @@
 %%--------------------------------------------------------------------
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 
@@ -40,7 +44,7 @@ content_types_accepted(ReqData, Context) ->
    {[{"application/json", accept_content}], ReqData, Context}.
 
 allowed_methods(ReqData, Context) ->
-    {['HEAD', 'GET', 'DELETE'], ReqData, Context}.
+    {['HEAD', 'GET', 'DELETE', 'OPTIONS'], ReqData, Context}.
 
 resource_exists(ReqData, Context) ->
     Binding = binding(ReqData),

src/rabbit_mgmt_wm_bindings.erl

@@ -20,6 +20,7 @@
 -export([allowed_methods/2, post_is_create/2, create_path/2]).
 -export([content_types_accepted/2, accept_content/2, resource_exists/2]).
 -export([basic/1, augmented/2]).
+-export([finish_request/2]).
 -export([encodings_provided/2]).
 
 -include("rabbit_mgmt.hrl").
@@ -31,6 +32,9 @@
 init([Mode]) ->
     {ok, {Mode, #context{}}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 
@@ -49,8 +53,8 @@ content_types_accepted(ReqData, Context) ->
 
 allowed_methods(ReqData, {Mode, Context}) ->
     {case Mode of
-         source_destination -> ['HEAD', 'GET', 'POST'];
-         _                  -> ['HEAD', 'GET']
+         source_destination -> ['HEAD', 'GET', 'POST', 'OPTIONS'];
+         _                  -> ['HEAD', 'GET', 'OPTIONS']
      end, ReqData, {Mode, Context}}.
 
 post_is_create(ReqData, Context) ->

src/rabbit_mgmt_wm_channel.erl

@@ -17,6 +17,7 @@
 -module(rabbit_mgmt_wm_channel).
 
 -export([init/1, to_json/2, content_types_provided/2, is_authorized/2]).
+-export([finish_request/2, allowed_methods/2]).
 -export([encodings_provided/2]).
 -export([resource_exists/2]).
 
@@ -28,6 +29,12 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
+allowed_methods(ReqData, Context) ->
+    {['HEAD', 'GET', 'OPTIONS'], ReqData, Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 

src/rabbit_mgmt_wm_channels.erl

@@ -18,6 +18,7 @@
 
 -export([init/1, to_json/2, content_types_provided/2, is_authorized/2,
          augmented/2]).
+-export([finish_request/2, allowed_methods/2]).
 -export([encodings_provided/2]).
 
 -import(rabbit_misc, [pget/2]).
@@ -30,6 +31,12 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
+allowed_methods(ReqData, Context) ->
+    {['HEAD', 'GET', 'OPTIONS'], ReqData, Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 

src/rabbit_mgmt_wm_channels_vhost.erl

@@ -20,6 +20,7 @@
 
 -export([init/1, to_json/2, content_types_provided/2, is_authorized/2,
          augmented/2, resource_exists/2]).
+-export([finish_request/2, allowed_methods/2]).
 -export([encodings_provided/2]).
 
 -import(rabbit_misc, [pget/2]).
@@ -32,6 +33,12 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
+allowed_methods(ReqData, Context) ->
+    {['HEAD', 'GET', 'OPTIONS'], ReqData, Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 

src/rabbit_mgmt_wm_cluster_name.erl

@@ -19,6 +19,7 @@
 -export([init/1, resource_exists/2, to_json/2,
          content_types_provided/2, content_types_accepted/2,
          is_authorized/2, allowed_methods/2, accept_content/2]).
+-export([finish_request/2]).
 -export([encodings_provided/2]).
 
 -include("rabbit_mgmt.hrl").
@@ -28,6 +29,9 @@
 %%--------------------------------------------------------------------
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 
@@ -39,7 +43,7 @@ content_types_accepted(ReqData, Context) ->
    {[{"application/json", accept_content}], ReqData, Context}.
 
 allowed_methods(ReqData, Context) ->
-    {['HEAD', 'GET', 'PUT'], ReqData, Context}.
+    {['HEAD', 'GET', 'PUT', 'OPTIONS'], ReqData, Context}.
 
 resource_exists(ReqData, Context) ->
     {true, ReqData, Context}.

src/rabbit_mgmt_wm_connection.erl

@@ -18,6 +18,7 @@
 
 -export([init/1, resource_exists/2, to_json/2, content_types_provided/2,
          is_authorized/2, allowed_methods/2, delete_resource/2, conn/1]).
+-export([finish_request/2]).
 -export([encodings_provided/2]).
 
 -include("rabbit_mgmt.hrl").
@@ -28,6 +29,9 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 
@@ -36,7 +40,7 @@ encodings_provided(ReqData, Context) ->
      {"gzip", fun(X) -> zlib:gzip(X) end}], ReqData, Context}.
 
 allowed_methods(ReqData, Context) ->
-    {['HEAD', 'GET', 'DELETE'], ReqData, Context}.
+    {['HEAD', 'GET', 'DELETE', 'OPTIONS'], ReqData, Context}.
 
 resource_exists(ReqData, Context) ->
     case conn(ReqData) of

src/rabbit_mgmt_wm_connection_channels.erl

@@ -17,6 +17,7 @@
 -module(rabbit_mgmt_wm_connection_channels).
 
 -export([init/1, to_json/2, content_types_provided/2, is_authorized/2]).
+-export([finish_request/2, allowed_methods/2]).
 -export([encodings_provided/2]).
 -export([resource_exists/2]).
 
@@ -28,6 +29,12 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
+allowed_methods(ReqData, Context) ->
+    {['HEAD', 'GET', 'OPTIONS'], ReqData, Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 

src/rabbit_mgmt_wm_connections.erl

@@ -18,6 +18,7 @@
 
 -export([init/1, to_json/2, content_types_provided/2, is_authorized/2,
          augmented/2]).
+-export([finish_request/2, allowed_methods/2]).
 -export([encodings_provided/2]).
 
 -import(rabbit_misc, [pget/2]).
@@ -30,6 +31,12 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
+allowed_methods(ReqData, Context) ->
+    {['HEAD', 'GET', 'OPTIONS'], ReqData, Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 

src/rabbit_mgmt_wm_connections_vhost.erl

@@ -20,6 +20,7 @@
 
 -export([init/1, to_json/2, content_types_provided/2, is_authorized/2,
          augmented/2, resource_exists/2]).
+-export([finish_request/2, allowed_methods/2]).
 -export([encodings_provided/2]).
 
 -import(rabbit_misc, [pget/2]).
@@ -32,6 +33,12 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, ?MODULE), Context}.
+
+allowed_methods(ReqData, Context) ->
+    {['HEAD', 'GET', 'OPTIONS'], ReqData, Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 

src/rabbit_mgmt_wm_consumers.erl

@@ -17,6 +17,7 @@
 
 -export([init/1, to_json/2, content_types_provided/2, resource_exists/2,
          is_authorized/2]).
+-export([finish_request/2, allowed_methods/2]).
 -export([encodings_provided/2]).
 
 -import(rabbit_misc, [pget/2]).
@@ -29,6 +30,12 @@
 
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, Context), Context}.
+
+allowed_methods(ReqData, Context) ->
+    {['HEAD', 'GET', 'OPTIONS'], ReqData, Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 

src/rabbit_mgmt_wm_definitions.erl

@@ -19,6 +19,7 @@
 -export([init/1, to_json/2, content_types_provided/2, is_authorized/2]).
 -export([content_types_accepted/2, allowed_methods/2, accept_json/2]).
 -export([post_is_create/2, create_path/2, accept_multipart/2]).
+-export([finish_request/2]).
 -export([encodings_provided/2]).
 
 -export([apply_defs/3]).
@@ -32,6 +33,9 @@
 %%--------------------------------------------------------------------
 init(_Config) -> {ok, #context{}}.
 
+finish_request(ReqData, Context) ->
+    {ok, rabbit_mgmt_cors:set_headers(ReqData, Context), Context}.
+
 content_types_provided(ReqData, Context) ->
    {[{"application/json", to_json}], ReqData, Context}.
 
@@ -44,7 +48,7 @@ content_types_accepted(ReqData, Context) ->
      {"multipart/form-data", accept_multipart}], ReqData, Context}.
 
 allowed_methods(ReqData, Context) ->
-    {['HEAD', 'GET', 'POST'], ReqData, Context}.
+    {['HEAD', 'GET', 'POST', 'OPTIONS'], ReqData, Context}.
 
 post_is_create(ReqData, Context) ->
     {true, ReqData, Context}.