Added CORS support on supervisor endpoints (#542)

* Fix: Implemented CORS support on supervisor endpoints.

* Fix: Apply code review suggestions.

* Fix: Apply same new decorator to operator endpoints.

packaging/Makefile

@@ -15,7 +15,7 @@ debian-package-code:
  cp ../examples/instance_message_from_aleph.json ./aleph-vm/opt/aleph-vm/examples/instance_message_from_aleph.json
  cp -r ../examples/data ./aleph-vm/opt/aleph-vm/examples/data
  mkdir -p ./aleph-vm/opt/aleph-vm/examples/volumes
- pip3 install --target ./aleph-vm/opt/aleph-vm/ 'aleph-message==0.4.2' 'jwskate==0.8.0' 'eth-account==0.9.0' 'sentry-sdk==1.31.0' 'qmp==1.1.0' 'superfluid==0.2.1' 'sqlalchemy[asyncio]' 'aiosqlite==0.19.0' 'alembic==1.13.1'
+ pip3 install --target ./aleph-vm/opt/aleph-vm/ 'aleph-message==0.4.2' 'jwskate==0.8.0' 'eth-account==0.9.0' 'sentry-sdk==1.31.0' 'qmp==1.1.0' 'superfluid==0.2.1' 'sqlalchemy[asyncio]' 'aiosqlite==0.19.0' 'alembic==1.13.1' 'aiohttp_cors==0.7.0'
  python3 -m compileall ./aleph-vm/opt/aleph-vm/
 
 debian-package-resources: firecracker-bins vmlinux download-ipfs-kubo

pyproject.toml

@@ -48,7 +48,8 @@ dependencies = [
  "superfluid~=0.2.1",
  "sqlalchemy[asyncio]",
  "aiosqlite==0.19.0",
- "alembic==1.13.1"
+ "alembic==1.13.1",
+ "aiohttp_cors~=0.7.0",
 ]
 
 [project.urls]

src/aleph/vm/orchestrator/supervisor.py

@@ -13,6 +13,7 @@
 from secrets import token_urlsafe
 from typing import Callable
 
+import aiohttp_cors
 from aiohttp import web
 
 from aleph.vm.conf import settings
@@ -68,9 +69,6 @@ async def server_version_middleware(
  return resp
 
 
-app = web.Application(middlewares=[server_version_middleware])
-
-
 async def allow_cors_on_endpoint(request: web.Request):
  """Allow CORS on endpoints that VM owners use to control their machine."""
  return web.Response(
@@ -84,6 +82,9 @@ async def allow_cors_on_endpoint(request: web.Request):
  )
 
 
+app = web.Application(middlewares=[server_version_middleware])
+cors = aiohttp_cors.setup(app)
+
 app.add_routes(
  [
  # /about APIs return information about the VM Orchestrator
@@ -108,15 +109,6 @@ async def allow_cors_on_endpoint(request: web.Request):
  web.get("/status/check/version", status_check_version),
  web.get("/status/check/ipv6", status_check_ipv6),
  web.get("/status/config", status_public_config),
- # Allow CORS on endpoints expected to be called from a web browser
- web.options("/about/executions/list", allow_cors_on_endpoint),
- web.options("/about/usage/system", allow_cors_on_endpoint),
- web.options("/control/allocation/notify", allow_cors_on_endpoint),
- web.options(
- "/control/machine/{ref}/{view:.*}",
- allow_cors_on_endpoint,
- ),
- web.options("/status/check/ipv6", allow_cors_on_endpoint),
  # Raise an HTTP Error 404 if attempting to access an unknown URL within these paths.
  web.get("/about/{suffix:.*}", lambda _: web.HTTPNotFound()),
  web.get("/control/{suffix:.*}", lambda _: web.HTTPNotFound()),

src/aleph/vm/orchestrator/views/__init__.py

@@ -5,6 +5,7 @@
 from hashlib import sha256
 from json import JSONDecodeError
 from pathlib import Path
+from secrets import compare_digest
 from string import Template
 from typing import Optional
 
@@ -46,6 +47,7 @@
 from aleph.vm.utils import (
  HostNotFoundError,
  b32_to_b16,
+ cors_allow_all,
  dumps_for_json,
  get_ref_from_dns,
 )
@@ -110,16 +112,18 @@ def authenticate_request(request: web.Request) -> None:
  raise web.HTTPUnauthorized(reason="Invalid token", text="401 Invalid token")
 
 
+@cors_allow_all
 async def about_login(request: web.Request) -> web.Response:
  token = request.query.get("token")
- if token == request.app["secret_token"]:
+ if compare_digest(token, request.app["secret_token"]):
  response = web.HTTPFound("/about/config")
  response.cookies["token"] = token
  return response
  else:
  return web.json_response({"success": False}, status=401)
 
 
+@cors_allow_all
 async def about_executions(request: web.Request) -> web.Response:
  authenticate_request(request)
  pool: VmPool = request.app["vm_pool"]
@@ -129,6 +133,7 @@ async def about_executions(request: web.Request) -> web.Response:
  )
 
 
+@cors_allow_all
 async def list_executions(request: web.Request) -> web.Response:
  pool: VmPool = request.app["vm_pool"]
  return web.json_response(
@@ -143,10 +148,10 @@ async def list_executions(request: web.Request) -> web.Response:
  if execution.is_running
  },
  dumps=dumps_for_json,
- headers={"Access-Control-Allow-Origin": "*"},
  )
 
 
+@cors_allow_all
 async def about_config(request: web.Request) -> web.Response:
  authenticate_request(request)
  return web.json_response(
@@ -155,9 +160,10 @@ async def about_config(request: web.Request) -> web.Response:
  )
 
 
+@cors_allow_all
 async def about_execution_records(_: web.Request):
  records = await get_execution_records()
- return web.json_response(records, dumps=dumps_for_json, headers={"Access-Control-Allow-Origin": "*"})
+ return web.json_response(records, dumps=dumps_for_json)
 
 
 async def index(request: web.Request):
@@ -174,6 +180,7 @@ async def index(request: web.Request):
  return web.Response(content_type="text/html", body=body)
 
 
+@cors_allow_all
 async def status_check_fastapi(request: web.Request, vm_id: Optional[ItemHash] = None):
  """Check that the FastAPI diagnostic VM runs correctly"""
 
@@ -215,11 +222,13 @@ async def status_check_fastapi(request: web.Request, vm_id: Optional[ItemHash] =
  )
 
 
+@cors_allow_all
 async def status_check_fastapi_legacy(request: web.Request):
  """Check that the legacy FastAPI VM runs correctly"""
  return await status_check_fastapi(request, vm_id=ItemHash(settings.LEGACY_CHECK_FASTAPI_VM_ID))
 
 
+@cors_allow_all
 async def status_check_host(request: web.Request):
  """Check that the platform is supported and configured correctly"""
 
@@ -239,6 +248,7 @@ async def status_check_host(request: web.Request):
  return web.json_response(result, status=result_status, headers={"Access-Control-Allow-Origin": "*"})
 
 
+@cors_allow_all
 async def status_check_ipv6(request: web.Request):
  """Check that the platform has IPv6 egress connectivity"""
  timeout = aiohttp.ClientTimeout(total=2)
@@ -252,6 +262,7 @@ async def status_check_ipv6(request: web.Request):
  return web.json_response(result, headers={"Access-Control-Allow-Origin": "*"})
 
 
+@cors_allow_all
 async def status_check_version(request: web.Request):
  """Check if the software is running a version equal or newer than the given one"""
  reference_str: Optional[str] = request.query.get("reference")
@@ -277,6 +288,7 @@ async def status_check_version(request: web.Request):
  return web.HTTPForbidden(text=f"Outdated: version {current} < {reference}")
 
 
+@cors_allow_all
 async def status_public_config(request: web.Request):
  """Expose the public fields from the configuration"""
  return web.json_response(
@@ -414,6 +426,7 @@ async def update_allocations(request: web.Request):
  )
 
 
+@cors_allow_all
 async def notify_allocation(request: web.Request):
  """Notify instance allocation, only used for Pay as you Go feature"""
  try:
@@ -501,5 +514,4 @@ async def notify_allocation(request: web.Request):
  "errors": {vm_hash: repr(error) for vm_hash, error in scheduling_errors.items()},
  },
  status=status_code,
- headers={"Access-Control-Allow-Origin": "*"},
  )

src/aleph/vm/orchestrator/views/operator.py

@@ -5,6 +5,7 @@
 import aiohttp.web_exceptions
 from aiohttp import web
 from aiohttp.web_urldispatcher import UrlMappingMatchInfo
+from aiohttp_cors import ResourceOptions, custom_cors
 from aleph_message.exceptions import UnknownHashError
 from aleph_message.models import ItemHash
 from aleph_message.models.execution import BaseExecutableContent
@@ -17,6 +18,7 @@
  require_jwk_authentication,
 )
 from aleph.vm.pool import VmPool
+from aleph.vm.utils import cors_allow_all
 
 logger = logging.getLogger(__name__)
 
@@ -50,6 +52,7 @@ def is_sender_authorized(authenticated_sender: str, message: BaseExecutableConte
  return False
 
 
+@cors_allow_all
 async def stream_logs(request: web.Request) -> web.StreamResponse:
  """Stream the logs of a VM.
 
@@ -105,6 +108,7 @@ async def authenticate_for_vm_or_403(execution, request, vm_hash, ws):
  raise web.HTTPForbidden(body="Unauthorized sender")
 
 
+@cors_allow_all
 @require_jwk_authentication
 async def operate_expire(request: web.Request, authenticated_sender: str) -> web.Response:
  """Stop the virtual machine, smoothly if possible.
@@ -131,6 +135,7 @@ async def operate_expire(request: web.Request, authenticated_sender: str) -> web
  return web.Response(status=200, body=f"Expiring VM with ref {vm_hash} in {timeout} seconds")
 
 
+@cors_allow_all
 @require_jwk_authentication
 async def operate_stop(request: web.Request, authenticated_sender: str) -> web.Response:
  """Stop the virtual machine, smoothly if possible."""
@@ -155,6 +160,7 @@ async def operate_stop(request: web.Request, authenticated_sender: str) -> web.R
  return web.Response(status=200, body="Already stopped, nothing to do")
 
 
+@cors_allow_all
 @require_jwk_authentication
 async def operate_reboot(request: web.Request, authenticated_sender: str) -> web.Response:
  """
@@ -181,6 +187,7 @@ async def operate_reboot(request: web.Request, authenticated_sender: str) -> web
  return web.Response(status=200, body="Starting VM (was not running) with ref {vm_hash}")
 
 
+@cors_allow_all
 @require_jwk_authentication
 async def operate_erase(request: web.Request, authenticated_sender: str) -> web.Response:
  """Delete all data stored by a virtual machine.

src/aleph/vm/utils.py

@@ -14,6 +14,7 @@
 
 import aiodns
 import msgpack
+from aiohttp_cors import ResourceOptions, custom_cors
 from aleph_message.models import ExecutableContent, InstanceContent, ProgramContent
 from aleph_message.models.execution.base import MachineType
 from eth_typing import HexAddress, HexStr
@@ -31,6 +32,17 @@ def get_message_executable_content(message_dict: Dict) -> ExecutableContent:
  raise ValueError(f"Unknown message type {message_dict['type']}")
 
 
+def cors_allow_all(function):
+ default_config = {
+ "*": ResourceOptions(
+ allow_credentials=True,
+ allow_headers="*",
+ expose_headers="*",
+ )
+ }
+ return custom_cors(config=default_config)(function)
+
+
 class MsgpackSerializable:
  def __post_init__(self, *args, **kwargs):
  if not is_dataclass(self):