
Bug 1599259

Summary: Getting CORS error while creating quotas via javascript
Product: Red Hat CloudForms Management Engine Reporter: Nikhil Gupta <ngupta>
Component: API Assignee: Joe Vlcek <jvlcek>
Status: CLOSED CURRENTRELEASE QA Contact: Parthvi Vala <pvala>
Severity: high Docs Contact:
Priority: high    
Version: 5.9.0 CC: cpelland, dmetzger, gtanzill, hkataria, jprause, jvlcek, lavenel, lgalis, mfeifer, mpovolny, ngupta, obarenbo, pvala, simaishi
Target Milestone: GA Keywords: TestOnly, ZStream
Target Release: 5.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 5.10.0.23 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1646606 (view as bug list) Environment:
Last Closed: 2019-02-11 14:03:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1595269, 1646606    

Description Nikhil Gupta 2018-07-09 10:31:31 UTC
Description of problem:
Developing a Webapp using js and trying to create a tenant and then create quotas for that tenant. 

I was able to create the tenant, then from the response I got the id and called the API to create a quota for that tenant. However, I don't get the CORS from /api/tenants/:id/quotas and get a 404 error.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost/api/tenants/1000000000140/quotas. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost/api/tenants/1000000000140/quotas. (Reason: CORS request did not succeed).

Version-Release number of selected component (if applicable):
cfme-5.9.2

How reproducible:
Always

Steps to Reproduce:
1. Create tenant using js
2. Get tenant id 
3. Using tenant id, create quotas for it.

Actual results:
CORS request did not succeed

Expected results:
CORS request should succeed

Additional info:
/api/tenants/:id/quotas doesn't return correct headers.

Comment 4 Gregg Tanzillo 2018-07-09 13:40:46 UTC
Can you please try to recreate this issue outside of the js code you've included? It's not clear if this is an issue with the API or the js that is calling it. Thanks!

Comment 5 Nikhil Gupta 2018-07-09 23:47:51 UTC
Hi Gregg,

Thank you for your reply.

I am able to create the tenant and quota via api on my test system and status is 200 OK. 
I have created them as follows:
~~~
### Tenant create ###
{
  "action" : "create",
  "resource" : {
    "name": "tenantapi",
    "description": "Tenant for api",
    "parent": {"id": "99000000000001"}
  }
}

### Quota create ###
{
  "action" : "create",
  "resources" : [
    {
      "name" : "cpu_allocated",
      "value" : 1
    },
    {
      "name" : "mem_allocated",
      "value" : 2147483648000
    }
  ]
}
~~~
However, the customer is facing this issue with js. He is able to create the tenant and groups via js but is facing a CORS error while creating quotas. The /api/tenants/:id/quotas is not returning correct headers.
All we have to do is opt in to CORS requests on the cfme API server by returning the proper headers based on the request.

Regards,
Niks

Comment 20 CFME Bot 2018-10-18 20:17:36 UTC
New commit detected on ManageIQ/manageiq-api/master:

https://github.com/ManageIQ/manageiq-api/commit/5edf913e6ae26c3a6f5f6bb9836c1d2776fbb52d
commit 5edf913e6ae26c3a6f5f6bb9836c1d2776fbb52d
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Tue Oct 16 14:41:38 2018 -0400
Commit:     Joe VLcek <jvlcek@redhat.com>
CommitDate: Tue Oct 16 14:41:38 2018 -0400

    Add subcollection options support for CORS preflighted requests

    https://bugzilla.redhat.com/show_bug.cgi?id=1599259

 app/controllers/api/base_controller.rb | 6 +-
 config/routes.rb | 3 +
 spec/requests/tenant_quotas_spec.rb | 6 +
 3 files changed, 14 insertions(+), 1 deletion(-)

Comment 21 CFME Bot 2018-10-18 21:57:54 UTC
New commit detected on ManageIQ/manageiq-api/hammer:

https://github.com/ManageIQ/manageiq-api/commit/9b4e42018e90d95bc0d46cfe970859ee82386146
commit 9b4e42018e90d95bc0d46cfe970859ee82386146
Author:     Alberto Bellotti <abellotti@users.noreply.github.com>
AuthorDate: Thu Oct 18 16:14:04 2018 -0400
Commit:     Alberto Bellotti <abellotti@users.noreply.github.com>
CommitDate: Thu Oct 18 16:14:04 2018 -0400

    Merge pull request #495 from jvlcek/bz_1599259_CORS

    Add subcollection options support for CORS preflighted requests

    (cherry picked from commit 3502e51181ce92c28866a4626fdfadf0d31bd591)

    https://bugzilla.redhat.com/show_bug.cgi?id=1599259

 app/controllers/api/base_controller.rb | 6 +-
 config/routes.rb | 3 +
 spec/requests/tenant_quotas_spec.rb | 6 +
 3 files changed, 14 insertions(+), 1 deletion(-)

Comment 26 Parthvi Vala 2018-11-22 06:31:37 UTC
FIXED. Verified on 5.10.0.24.20181113213923_03b81fd.

Steps taken to verify the BZ:
1) Create `tenant` using API.
Request: POST /api/tenants
Query: {
  "name" : "Test Tenant",
  "description" : "Test Tenant Description",
  "parent" : { "href" : "http://<ip_address>/api/tenants/:id" }
}

2) Create quota for the tenant.
Request: POST /api/tenants/:id/quotas
Query: {
  "name" : "cpu_allocated",
  "value" : 1
}

3) Send `OPTIONS` to /api/tenants/:id/quotas and check HEADER.

HEADERS:
Date: Wed, 21 Nov 2018 07:08:21 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_auth_kerb/5.4
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8
Content-Security-Policy: default-src 'self'; connect-src 'self'; frame-src 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; report-uri /dashboard/csp_report
Strict-Transport-Security: max-age=631152000
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache
X-Request-Id: d0a3cbba-1c51-4781-a695-903088ec8bc6
X-Runtime: 0.013794
Content-Length: 0


These are headers from the request sent to a 5.9.2 appliance.
Date: Wed, 21 Nov 2018 07:08:54 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Content-Type: text/html; charset=utf-8
X-Request-Id: 4fdae38a-5977-4244-918f-e4a0b966be6f
X-Runtime: 0.003523
Content-Length: 728

This was not verified via AJAX Request. I checked via CURL and verified that `Access-Control-Allow-Origin` was present in the HEADER of OPTIONS request sent to a 5.10.0.24 appliance, which was earlier not present in the HEADER of OPTIONS request sent to a 5.9.2 appliance.
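
Added example (not part of the bug report or of the ManageIQ code): a simplified version of the check a browser applies to a preflight response, run against the two header sets quoted in Comment 26, to show why the 5.9.2 response blocks the quota POST and the 5.10 response does not. The origin `https://webapp.example` and the request shape are assumptions, and the HTTP status check browsers also perform is omitted because the comment does not show status lines.

```javascript
// Response headers quoted in Comment 26 (subset relevant to CORS).
const FIXED_5_10 = `Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: origin, content-type, authorization, x-auth-token
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Content-Type: application/json; charset=utf-8`;
const OLD_5_9_2 = `Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4
Content-Type: text/html; charset=utf-8
Content-Length: 728`;

// Assumed request: a JSON POST carrying a token header from a constructed origin.
const QUOTA_POST = { origin: 'https://webapp.example', method: 'POST',
  headers: ['Content-Type', 'Authorization'], credentials: false };

// Parse a raw "Name: value" dump into a map keyed by lower-cased header name.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split('\n')) {
    const idx = line.indexOf(':');
    if (idx > 0) headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

const tokens = (v) => (v || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);

// Simplified preflight evaluation (subset of the Fetch rules); returns { allowed, reason }.
function checkPreflight(rawResponseHeaders, req) {
  const h = parseHeaders(rawResponseHeaders);
  const acao = h.get('access-control-allow-origin');
  if (!acao) return { allowed: false, reason: "CORS header 'Access-Control-Allow-Origin' missing" };
  // A wildcard origin is never accepted for requests sent with credentials (cookies etc.).
  if (acao === '*' && req.credentials) return { allowed: false, reason: 'wildcard origin with credentials' };
  if (acao !== '*' && acao !== req.origin) return { allowed: false, reason: 'origin mismatch' };
  const methods = tokens(h.get('access-control-allow-methods'));
  if (!methods.includes(req.method.toLowerCase()) && !methods.includes('*'))
    return { allowed: false, reason: `method ${req.method} not allowed` };
  const allowed = tokens(h.get('access-control-allow-headers'));
  // "*" does not cover Authorization; that header must be listed by name.
  const missing = req.headers.map((n) => n.toLowerCase())
    .filter((n) => !allowed.includes(n) && !(allowed.includes('*') && n !== 'authorization'));
  if (missing.length) return { allowed: false, reason: `headers not allowed: ${missing.join(', ')}` };
  return { allowed: true, reason: 'preflight passed' };
}

console.log('5.9.2 :', checkPreflight(OLD_5_9_2, QUOTA_POST));
console.log('5.10  :', checkPreflight(FIXED_5_10, QUOTA_POST));
```

The third case worth noting is `credentials: true`: the 5.10 response still fails it, because `Access-Control-Allow-Origin: *` cannot be combined with credentialed requests.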