The CORS Configuration problem

[Jean-Baptiste-Lasselle]

Description of issue

Gravitee APIM version : 1.30.11

• I was working on CORS with Gravitee : So I tested an API that I configured CORS for, but apparetly CORS allow all origin *, though I could check the configuration is active
• And then I think about Traefik : How are CORS configured at the Traefik level ? This is question I need to check, before I can confirm that The CORS configuration at the Gravitee level is actually applied, for the API

Checking what allow-access-origin-* are allowed for a given API in Gravitee

• my first test checks if rules are there configured :

curl -iv https://${GRAVITEE_APIM_GATEWAY}:443/apiverte -H "Access-Control-Request-Method: GET" -H "Origin: https://sub.domain2.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b" |& tee  masortie.out | tail -n 1 | jq .
cat masortie.out | grep 'access-control-allow-'

• my output was (so all orgins are allowed currently on the API I configured):

jbl@poste-devops-jbl-16gbram:~/atelier-helm$ # curl -iv https://${GRAVITEE_APIM_GATEWAY}:443/apiverte -H "Access-Control-Request-Method: GET" -H "Origin: https://sub.domain2.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b" |& tee  masortie.out | tail -n 1 | jq .
jbl@poste-devops-jbl-16gbram:~/atelier-helm$ cat masortie.out | grep 'access-control-allow-'
< access-control-allow-origin: *
access-control-allow-origin: *

• So checking its configuration :

jbl@poste-devops-jbl-16gbram:~/atelier-helm$ export URL_APPEL_GRAVITEE_APIM_API="${GRAVITEE_APIM_API_PROTOCOL}://${GRAVITEE_APIM_API_HOST}:${GRAVITEE_APIM_API_PORT}/management/apis/${MY_API_GRAVITEE_UID}"jbl@poste-devops-jbl-16gbram:~/atelier-helm$ echo "curl -k -X GET ${URL_APPEL_GRAVITEE_APIM_API} -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer ${GRAVITEE_APIM_API_TOKEN}" | jq ."
curl -k -X GET http://127.0.0.1:8484/management/apis/c8e32a32-9e94-41be-a32a-329e9401be26 -H 'Accept: application/json' -H 'Content-Type: application/json' -H Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiobfuscatedZlZjNiYzkiLCJmaXJobfuscatedpc3Npbobfuscated3JpdHkiobfuscatedRNSU4ifV0sImlzcyI6ImdyYXZpdGVobfuscatednQtYXobfuscated2NzobfuscatedPPksQfyH3JawS8g | jq .
jbl@poste-devops-jbl-16gbram:~/atelier-helm$ echo "URL_APPEL_GRAVITEE_APIM_API=[${URL_APPEL_GRAVITEE_APIM_API}]"URL_APPEL_GRAVITEE_APIM_API=[http://127.0.0.1:8484/management/apis/c8e32a32-9e94-41be-a32a-329e9401be26]
jbl@poste-devops-jbl-16gbram:~/atelier-helm$ curl -k -X GET ${URL_APPEL_GRAVITEE_APIM_API} -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer ${GRAVITEE_APIM_API_TOKEN}" | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2204  100  2204    0     0  28684      0 --:--:-- --:--:-- --:--:-- 29000
{
  "id": "c8e32a32-9e94-41be-a32a-329e9401be26",
  "name": "apiVerte",
  "version": "4.1.85",
  "description": "une nouvelle description",
  "visibility": "private",
  "state": "started",
  "tags": [],
  "entrypoints": [
    {
      "target": "https://api.company.com/apiverte"
    }
  ],
  "proxy": {
    "virtual_hosts": [
      {
        "path": "/apiverte"
      }
    ],
    "strip_context_path": false,
    "preserve_host": false,
    "groups": [
      {
        "name": "default-group",
        "endpoints": [
          {
            "name": "default",
            "target": "https://randomuser.me/api",
            "weight": 1,
            "backup": false,
            "type": "HTTP",
            "http": {
              "connectTimeout": 5000,
              "idleTimeout": 60000,
              "keepAlive": true,
              "readTimeout": 10000,
              "pipelining": false,
              "maxConcurrentConnections": 100,
              "useCompression": true,
              "followRedirects": false,
              "encodeURI": false
            }
          }
        ],
        "load_balancing": {
          "type": "ROUND_ROBIN"
        },
        "http": {
          "connectTimeout": 5000,
          "idleTimeout": 60000,
          "keepAlive": true,
          "readTimeout": 10000,
          "pipelining": false,
          "maxConcurrentConnections": 100,
          "useCompression": true,
          "followRedirects": false,
          "encodeURI": false
        }
      }
    ],
    "cors": {
      "enabled": true,
      "allowCredentials": true,
      "allowOrigin": [
        "https://sub.domain1.com",
        "https://sub.domain2.com"
      ],
      "allowHeaders": [],
      "allowMethods": [
        "TRACE",
        "HEAD",
        "DELETE",
        "POST",
        "GET",
        "OPTIONS",
        "PATCH",
        "PUT"
      ],
      "exposeHeaders": [],
      "maxAge": -1
    }
  },
  "paths": {
    "/": []
  },
  "deployed_at": 1594384046615,
  "created_at": 1594373500593,
  "updated_at": 1594390129549,
  "owner": {
    "id": "4f39d236-bb46-4f3b-b9d2-36bb46ef3bc9",
    "email": "",
    "displayName": ""
  },
  "services": {},
  "picture_url": "http://127.0.0.1:8484/management/apis/c8e32a32-9e94-41be-a32a-329e9401be26/picture",
  "resources": [],
  "path_mappings": [],
  "response_templates": {},
  "lifecycle_state": "created"
}

Solution found : but stil...

• I just solved part of the issue : now CORS config is applied by Gravitee, and Traefik does not mess with it, fr sure.

• the fix was to "re-deploy" API :

  • after configuring CORS, the API we configured, in my example /apiverte goes into an out-of-sync state, and that, I remembered from the Web UI notifications.
  • So I ran again the DEPLOY operation, but that was not enough ,
  • Therefore I ran the whole cycle to DEPLOY/ASK FOR REVIEW/ACCEPT REVIEW/START, but adding first a STOP ( n + 1 = 0, if it's a cycle... So adding one more step brings back to zero state, the initial state, whatever it is) : et voilà (it perfectly worked).
  • Note : I think everytime we invoke Gravitee APIM API with the HTTP PUT method, we get to the OUT OF SYNC state, and must the exact same way "redeploy" the API

• see the output of the test you can run yourself to check CORS config is applied :

  • the test :

# allow-cross-origin HTTP metadata here will appear
curl -iv https://${GRAVITEE_APIM_GATEWAY}:443/apiverte -H "Access-Control-Request-Method: GET" -H "Origin: https://sub.domain2.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b" |& tee  masortie.out | tail -n 1 | jq .
cat masortie.out | grep 'access-control-allow-'

curl -X OPTIONS -iv https://${GRAVITEE_APIM_GATEWAY}:443/apiverte -H "Access-Control-Request-Method: OPTIONS" -H "Origin: https://sub.domain2.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b" |& tee  masortie.options.out | tail -n 1 | jq .
cat masortie.options.out | grep 'access-control-allow-'

• the output :

  
  jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ curl -iv https://${GRAVITEE_APIM_GATEWAY}:443/apiverte -H "Access-Control-Request-Method: GET" -H "Origin: https://sub.domain2.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b" |& tee  masortie.out | tail -n 1 | jq .
  {
  "results": [
  {
    "gender": "female",
    "name": {
      "title": "Miss",
      "first": "Viviane",
      "last": "Bosboom"
    },
    "location": {
      "street": {
        "number": 4771,
        "name": "Derde Wittenburgerdwarsstraat"
      },
      "city": "Dalen",
      "state": "Zeeland",
      "country": "Netherlands",
      "postcode": 12013,
      "coordinates": {
        "latitude": "44.1831",
        "longitude": "43.2962"
      },
      "timezone": {
        "offset": "+3:00",
        "description": "Baghdad, Riyadh, Moscow, St. Petersburg"
      }
    },
    "email": "viviane.bosboom@example.com",
    "login": {
      "uuid": "f129762e-0ec8-4b89-920b-da0257a5ebd9",
      "username": "sadswan712",
      "password": "1955",
      "salt": "7UIRGKfj",
      "md5": "6726e187bd89d15dfefbc8d7f3bc50a2",
      "sha1": "254924014de669f014bb887a4eaf395b39ae2923",
      "sha256": "01e393762d1ea27fc8926927730a0610dd16ee4a8853df79830948f6dc5cf6ae"
    },
    "dob": {
      "date": "1945-04-01T19:00:06.033Z",
      "age": 75
    },
    "registered": {
      "date": "2005-06-06T02:51:02.537Z",
      "age": 15
    },
    "phone": "(463)-968-5447",
    "cell": "(325)-557-7453",
    "id": {
      "name": "BSN",
      "value": "80290263"
    },
    "picture": {
      "large": "https://randomuser.me/api/portraits/women/35.jpg",
      "medium": "https://randomuser.me/api/portraits/med/women/35.jpg",
      "thumbnail": "https://randomuser.me/api/portraits/thumb/women/35.jpg"
    },
    "nat": "NL"
  }
  ],
  "info": {
  "seed": "95df8556f0ad0d10",
  "results": 1,
  "page": 1,
  "version": "1.3"
  }
  jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ cat masortie.out | grep 'access-control-allow-'
  < access-control-allow-credentials: true
  < access-control-allow-origin: https://sub.domain2.com
  access-control-allow-credentials: true
  access-control-allow-origin: https://sub.domain2.com
  jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ curl -X OPTIONS -iv https://${GRAVITEE_APIM_GATEWAY_HOST}:443/apiverte -H "Access-Control-Request-Method: OPTIONS" -H "Origin: https://sub.domain1.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b" |& tee  masortie.options.out | tail -n 1 | jq .
  jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ 
  jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ 
  jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ cat masortie.options.out | grep 'access-control-allow-'< access-control-allow-credentials: true
  < access-control-allow-headers: 
  < access-control-allow-methods: TRACE, HEAD, DELETE, POST, GET, OPTIONS, PATCH, PUT
  < access-control-allow-origin: https://sub.domain1.com
  access-control-allow-credentials: true
  access-control-allow-headers: 
  access-control-allow-methods: TRACE, HEAD, DELETE, POST, GET, OPTIONS, PATCH, PUT
  access-control-allow-origin: https://sub.domain1.com

* So indeed, now My Configuration on Gravitee Applies for sure, we no longer have : 

```bashjbl@poste-devops-jbl-16gbram:~/atelier-helm$ cat masortie.out | grep 'access-control-allow-'
< access-control-allow-origin: *
access-control-allow-origin: *

• Now, What I do not understand, is how to test the configured CORS actually block any access... :
  • executing :

curl -ivk https://${GRAVITEE_APIM_GATEWAY_HOST}:443/apiverte -H "Access-Control-Request-Method: GET" -H "Origin: https://unalloawed.domain3.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b"

• output is :

  
  jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ curl -ivk https://${GRAVITEE_APIM_GATEWAY_HOST}:443/apiverte -H "Access-Control-Request-Method: GET" -H "Origin: https://unalloawed.domain3.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b"
  *   Trying 52.209.80.97...
  * TCP_NODELAY set
  * Connected to ${GRAVITEE_APIM_GATEWAY_HOST} (52.209.80.97) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  * successfully set certificate verify locations:
  *   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
  * TLSv1.2 (OUT), TLS header, Certificate Status (22):
  * TLSv1.2 (OUT), TLS handshake, Client hello (1):
  * TLSv1.2 (IN), TLS handshake, Server hello (2):
  * TLSv1.2 (IN), TLS handshake, Certificate (11):
  * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
  * TLSv1.2 (IN), TLS handshake, Server finished (14):
  * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
  * TLSv1.2 (OUT), TLS handshake, Finished (20):
  * TLSv1.2 (IN), TLS change cipher, Client hello (1):
  * TLSv1.2 (IN), TLS handshake, Finished (20):
  * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
  * ALPN, server accepted to use h2
  * Server certificate:
  *  subject: CN=${GRAVITEE_APIM_GATEWAY_HOST}
  *  start date: Jul  6 12:33:50 2020 GMT
  *  expire date: Oct  4 12:33:50 2020 GMT
  *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
  *  SSL certificate verify ok.
  * Using HTTP2, server supports multi-use
  * Connection state changed (HTTP/2 confirmed)
  * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  * Using Stream ID: 1 (easy handle 0x55ffcd8f5ea0)
  > GET /apiverte HTTP/1.1
  > Host: ${GRAVITEE_APIM_GATEWAY_HOST}
  > User-Agent: curl/7.52.1
  > Accept: */*
  > Access-Control-Request-Method: GET
  > Origin: https://unalloawed.domain3.com
  > X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b
  > 
  * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
  < HTTP/2 200 
  HTTP/2 200 
  < cache-control: no-cache
  cache-control: no-cache
  < cf-cache-status: DYNAMIC
  cf-cache-status: DYNAMIC
  < cf-ray: 5b13130f0b1ddc1f-LHR
  cf-ray: 5b13130f0b1ddc1f-LHR
  < cf-request-id: 03dfca3d680000dc1f0d998200000001
  cf-request-id: 03dfca3d680000dc1f0d998200000001
  < content-type: application/json; charset=utf-8
  content-type: application/json; charset=utf-8
  < date: Sat, 11 Jul 2020 14:04:35 GMT
  date: Sat, 11 Jul 2020 14:04:35 GMT
  < etag: W/"45d-Emriv3CZE3cx8gtZiL6GZA6Xc2g"
  etag: W/"45d-Emriv3CZE3cx8gtZiL6GZA6Xc2g"
  < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  < server: cloudflare
  server: cloudflare
  < set-cookie: __cfduid=d8082fdf533ce2728290f623f525d7e501594476275; expires=Mon, 10-Aug-20 14:04:35 GMT; path=/; domain=.randomuser.me; HttpOnly; SameSite=Lax
  set-cookie: __cfduid=d8082fdf533ce2728290f623f525d7e501594476275; expires=Mon, 10-Aug-20 14:04:35 GMT; path=/; domain=.randomuser.me; HttpOnly; SameSite=Lax
  < vary: Accept-Encoding
  vary: Accept-Encoding
  < vary: Accept-Encoding
  vary: Accept-Encoding
  < x-gravitee-transaction-id: 44a2013d-f3d5-40b5-a201-3df3d550b576
  x-gravitee-transaction-id: 44a2013d-f3d5-40b5-a201-3df3d550b576
  < x-powered-by: Express
  x-powered-by: Express
  < content-length: 1117
  content-length: 1117

< {"results":[{"gender":"male","name":{"title":"Mr","first":"Per","last":"Grøstad"},"location":{"street":{"number":5071,"name":"Eiriks gate"},"city":"Fannrem","state":"Akershus","country":"Norway","postcode":"0240","coordinates":{"latitude":"56.9742","longitude":"-102.9261"},"timezone":{"offset":"-9:00","description":"Alaska"}},"email":"per.grostad@example.com","login":{"uuid":"c4182206-4729-4c8c-8bc3-f1b033f90adc","username":"silverduck992","password":"rebels","salt":"tBlKUGWW","md5":"5d65c6e03be544bc643c5f0ad75809b7","sha1":"2397e927eb28eb8f48144b2ac806b7c6520ed477","sha256":"f85a40e6f5fa2d9c0b07622ef83a4c0c423b1341ad9cb4f8e9d761c023ad29b3"},"dob":{"date":"1949-05-04T17:48:47.690Z","age":71},"registered":{"date":"2014-11-13T18:59:50.434Z","age":6},"phone":"31950687","cell":"45957016","id":{"name":"FN","value":"04054909581"},"picture":{"large":"https://randomuser.me/api/portraits/men/4.jpg","medium":"https://randomuser.me/api/portraits/med/men/4.jpg","thumbnail":"https://randomuser.me/api/portraits/thumb/men/* Curl_http_done: called premature == 0

• Connection #0 to host ${GRAVITEE_APIM_GATEWAY_HOST} left intact 4.jpg"},"nat":"NO"}],"info":{"seed":"54d4804140fbf3c2","results":1,"page":1,"version":"1.3"}}jibl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$

Re-deploy an Out-Of-Sync API in Gravitee

Here below is the shell script that I tested (works) :

• about this script, you will notice that many env variables are valued from local files, : the ae just json responses persisted ro files while creating/configuring the '/apiverte' for the first time. So here just use the values you have tfor your own api, and your Gravtiee APIM an AM APIs token
• so here is the script that worked (some operations are redundant, i just want to keep the exact sequence that I ran, to get to success, though simplification may be done afterwards) :

# -------------------------------------------------------------------------
# ENV 'Gravitee APIM API'
# Gravitee APIM version : `1.30.11`
# -------------------------------------------------------------------------
#
export GRAVITEE_APIM_USER_NAME=admin
export GRAVITEE_APIM_USER_PWD=admin
export GRAVITEE_APIM_API_HOST=apim.gravitee.io
export GRAVITEE_APIM_API_HOST=127.0.0.1
export GRAVITEE_APIM_API_PORT=8484
export GRAVITEE_APIM_API_PROTOCOL=https
export GRAVITEE_APIM_API_PROTOCOL=http

# --
export GRAVITEE_APIM_API_TOKEN=$(cat ./my.gravitee-apim.api.token.json | jq -r '.token')
echo "GRAVITEE_APIM_API_TOKEN=[${GRAVITEE_APIM_API_TOKEN}]"

# re-deploy out of sync api like DEMO WEB UI : is it just running the deploy operation again ?

export URL_APPEL_GRAVITEE_APIM_API="${GRAVITEE_APIM_API_PROTOCOL}://${GRAVITEE_APIM_API_HOST}:${GRAVITEE_APIM_API_PORT}/management/apis/${MY_API_GRAVITEE_UID}/deploy"
curl -k -X POST ${URL_APPEL_GRAVITEE_APIM_API} -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer ${GRAVITEE_APIM_API_TOKEN}" | jq .

# re-deploy out of sync api like DEMO WEB UI : is it just running the deploy operation again ? No, did not work fro me.

# --- STOP the API
# So (n+1=0) to return to initial state : first : stop the started API
export MY_API_GRAVITEE_UID=$(cat my.gravitee-apim.apiVerte.json | jq .id | awk -F '"' '{print $2}')
echo "MY_API_GRAVITEE_UID=[${MY_API_GRAVITEE_UID}]"
# could be either START or STOP
export GRAVITEE_API_LICYCLE_ACTION=STOP
export URL_APPEL_GRAVITEE_APIM_API="${GRAVITEE_APIM_API_PROTOCOL}://${GRAVITEE_APIM_API_HOST}:${GRAVITEE_APIM_API_PORT}/management/apis/${MY_API_GRAVITEE_UID}?api=${MY_API_GRAVITEE_UID}&action=${GRAVITEE_API_LICYCLE_ACTION}"

curl -k -X POST ${URL_APPEL_GRAVITEE_APIM_API} -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer ${GRAVITEE_APIM_API_TOKEN}"

# --- DEPLOY API
export MY_API_GRAVITEE_UID=$(cat my.gravitee-apim.apiVerte.json | jq .id | awk -F '"' '{print $2}')
echo "MY_API_GRAVITEE_UID=[${MY_API_GRAVITEE_UID}]"
export URL_APPEL_GRAVITEE_APIM_API="${GRAVITEE_APIM_API_PROTOCOL}://${GRAVITEE_APIM_API_HOST}:${GRAVITEE_APIM_API_PORT}/management/apis/${MY_API_GRAVITEE_UID}/deploy?api=${MY_API_GRAVITEE_UID}"

curl -k -X POST ${URL_APPEL_GRAVITEE_APIM_API} -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer ${GRAVITEE_APIM_API_TOKEN}" | jq .

# ---
# --- REVIEW API before STARTING IT
# --- https://docs.gravitee.io/apim/1.x/management-api/1.30/#operation/doReviewAction
#
export MY_API_GRAVITEE_UID=$(cat my.gravitee-apim.apiVerte.json | jq .id | awk -F '"' '{print $2}')
echo "MY_API_GRAVITEE_UID=[${MY_API_GRAVITEE_UID}]"
# could be  either "ASK" or "ACCEPT"
export GRAVITEE_API_REVIEWS_ACTION=ASK
export GRAVITEE_API_REVIEWS_MSG="I am $(whoami) -bot and silently reviewed the Gravitee API of UID [${MY_API_GRAVITEE_UID}]"
export GRAVITEE_API_REVIEWS_MSG="simpleotherreviewmessageforurlencoding"

export URL_APPEL_GRAVITEE_APIM_API="${GRAVITEE_APIM_API_PROTOCOL}://${GRAVITEE_APIM_API_HOST}:${GRAVITEE_APIM_API_PORT}/management/apis/${MY_API_GRAVITEE_UID}/reviews?api=${MY_API_GRAVITEE_UID}&action=${GRAVITEE_API_REVIEWS_ACTION}"

# That'"s going to be the reviewer's (me) comment"
export PAYLOAD="{
  \"message\": \"${GRAVITEE_API_REVIEWS_MSG}\"
}"

curl -ivk -X POST ${URL_APPEL_GRAVITEE_APIM_API} --data "${PAYLOAD}" -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer ${GRAVITEE_APIM_API_TOKEN}"

# The HTTP 204 No Content success status response code indicates that the request has succeeded, but that the client doesn't need to go away from its current page. A 204 response is cacheable by default. An ETag header is included in such a response.
# The common use case is to return 204 as a result of a PUT request, updating a resource, without changing the current content of the page displayed to the user. If the resource is created, 201 Created is returned instead. If the page should be changed to the newly updated page, the 200 should be used instead.

# --- ALSO NEED TO ACCEPT REVIEW 
# --- (Note VALIDATION COULD BE SET TO AUTO ACCEPT DEPLOYMENTS)

export GRAVITEE_API_REVIEWS_ACTION=ACCEPT
export GRAVITEE_API_REVIEWS_MSG="I am $(whoami) -bot and silently reviewed the Gravitee API of UID [${MY_API_GRAVITEE_UID}]"
export GRAVITEE_API_REVIEWS_MSG="acceptingapiotherreviewfrombot"

export URL_APPEL_GRAVITEE_APIM_API="${GRAVITEE_APIM_API_PROTOCOL}://${GRAVITEE_APIM_API_HOST}:${GRAVITEE_APIM_API_PORT}/management/apis/${MY_API_GRAVITEE_UID}/reviews?api=${MY_API_GRAVITEE_UID}&action=${GRAVITEE_API_REVIEWS_ACTION}"

# That'"s going to be the reviewer's (me) comment"
export PAYLOAD="{
  \"message\": \"${GRAVITEE_API_REVIEWS_MSG}\"
}"

curl -k -X POST ${URL_APPEL_GRAVITEE_APIM_API} --data "${PAYLOAD}" -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer ${GRAVITEE_APIM_API_TOKEN}"

# expected : HTTP 204

# --- (RE-)START the API
export MY_API_GRAVITEE_UID=$(cat my.gravitee-apim.apiVerte.json | jq .id | awk -F '"' '{print $2}')
echo "MY_API_GRAVITEE_UID=[${MY_API_GRAVITEE_UID}]"
# could be either START or STOP
export GRAVITEE_API_LICYCLE_ACTION=START
export URL_APPEL_GRAVITEE_APIM_API="${GRAVITEE_APIM_API_PROTOCOL}://${GRAVITEE_APIM_API_HOST}:${GRAVITEE_APIM_API_PORT}/management/apis/${MY_API_GRAVITEE_UID}?api=${MY_API_GRAVITEE_UID}&action=${GRAVITEE_API_LICYCLE_ACTION}"

curl -k -X POST ${URL_APPEL_GRAVITEE_APIM_API} -H 'Accept: application/json' -H 'Content-Type: application/json' -H "Authorization: Bearer ${GRAVITEE_APIM_API_TOKEN}"

Comparing to swagger.io 's Petstore CORS Configuration

• Yeah, I am no way near a working configuration on my Gravitee API, even though I did the configuration :

jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ curl -I https://${GRAVITEE_APIM_GATEWAY_HOST}:443/apiverte -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b"
HTTP/2 200 
cache-control: no-cache
cf-cache-status: DYNAMIC
cf-ray: 5b1442b07bf6e678-LHR
cf-request-id: 03e088024c0000e67826a0c200000001
content-type: application/json; charset=utf-8
date: Sat, 11 Jul 2020 17:31:51 GMT
etag: W/"484-VyZcJbM8iMj8PygzruibXfPhXY8"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
set-cookie: __cfduid=d32339f88cd6871adee789c0e446b07b71594488711; expires=Mon, 10-Aug-20 17:31:51 GMT; path=/; domain=.randomuser.me; HttpOnly; SameSite=Lax
vary: Accept-Encoding
vary: Accept-Encoding
x-gravitee-transaction-id: 6214f98a-ebc2-4af3-94f9-8aebc2caf3e7
x-powered-by: Express

jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ curl -I "https://petstore.swagger.io/v2/swagger.json"HTTP/1.1 200 OK
Access-Control-Allow-Headers: Content-Type, api_key, Authorization
Access-Control-Allow-Methods: GET, POST, DELETE, PUT
Access-Control-Allow-Origin: *
Content-Length: 0
Content-Type: application/json
Date: Sat, 11 Jul 2020 17:32:22 GMT
Server: Jetty(9.2.9.v20150224)
Connection: keep-alive

jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ 

• So I do not know what has changed, though something has changed for sure, since I do not have anymore the :

jbl@poste-devops-jbl-16gbram:~/atelier-helm$ # curl -iv https://${GRAVITEE_APIM_GATEWAY_HOST}:443/apiverte -H "Access-Control-Request-Method: GET" -H "Origin: https://sub.domain2.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b" |& tee  masortie.out | tail -n 1 | jq .
jbl@poste-devops-jbl-16gbram:~/atelier-helm$ cat masortie.out | grep 'access-control-allow-'
< access-control-allow-origin: *
access-control-allow-origin: *

• but instead I have :
  • When I run :

    curl -iv https://${GRAVITEE_APIM_GATEWAY_HOST}:443/apiverte -H "Access-Control-Request-Method: GET" -H "Origin: https://sub.domain2.com" -H "X-Gravitee-Api-Key: 6f90f6ec-4c4e-4029-aa0c-b79826dec06b" |& tee  masortie.out | tail -n 1 | jq .
    cat masortie.out | grep 'access-control-allow-'

  • I have :

    jbl@poste-devops-jbl-16gbram:~/atelier-helm/config-api-verte/configs/jullet/semaine2/integration$ cat masortie.out | grep 'access-control-allow-'
    < access-control-allow-credentials: true
    < access-control-allow-origin: https://sub.domain2.com
    access-control-allow-credentials: true
    access-control-allow-origin: https://sub.domain2.com

[Jean-Baptiste-Lasselle]

Ok, so to properly test CORS, I am implementing this :

• https://github.com/pegasus-io/the-cors-tester
• to test the CORS, I can use mocha chai