From f524e7cb24dbbfe7c68c537b493164dac868cd2f Mon Sep 17 00:00:00 2001 From: "Andres D. Molins" Date: Wed, 24 Apr 2024 21:27:46 +0200 Subject: [PATCH 1/2] Fix: Solve last CORS errors raised cause by duplication of headers returned. --- src/aleph/vm/orchestrator/resources.py | 4 +++- src/aleph/vm/orchestrator/supervisor.py | 13 ------------- src/aleph/vm/orchestrator/views/__init__.py | 12 +++++------- src/aleph/vm/orchestrator/views/authentication.py | 2 -- 4 files changed, 8 insertions(+), 23 deletions(-) diff --git a/src/aleph/vm/orchestrator/resources.py b/src/aleph/vm/orchestrator/resources.py index 6c042f056..a40c6ff13 100644 --- a/src/aleph/vm/orchestrator/resources.py +++ b/src/aleph/vm/orchestrator/resources.py @@ -11,6 +11,7 @@ from pydantic import BaseModel, Field from aleph.vm.conf import settings +from aleph.vm.utils import cors_allow_all class Period(BaseModel): @@ -92,6 +93,7 @@ def get_machine_properties() -> MachineProperties: ) +@cors_allow_all async def about_system_usage(_: web.Request): """Public endpoint to expose information about the system usage.""" period_start = datetime.now(timezone.utc).replace(second=0, microsecond=0) @@ -116,7 +118,7 @@ async def about_system_usage(_: web.Request): ), properties=get_machine_properties(), ) - return web.json_response(text=usage.json(exclude_none=True), headers={"Access-Control-Allow-Origin:": "*"}) + return web.json_response(text=usage.json(exclude_none=True)) class Allocation(BaseModel): diff --git a/src/aleph/vm/orchestrator/supervisor.py b/src/aleph/vm/orchestrator/supervisor.py index 9b2c3c1c1..4846104ae 100644 --- a/src/aleph/vm/orchestrator/supervisor.py +++ b/src/aleph/vm/orchestrator/supervisor.py 
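Review bot: The `@cors_allow_all` added above `about_system_usage` (hunk `@@ -92,6 +93,7 @@` of resources.py) hides the wildcard origin policy from anyone reading the handler, because the decorator lives in `aleph.vm.utils` and its body is not part of this patch. The handler returns system usage and `get_machine_properties()`, so the docstring should record that cross-origin reads are intended, for example `"""Public endpoint to expose information about the system usage; readable from any origin, so it must only return non-sensitive host metrics."""`. The function body continues outside the hunk.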
@@ -69,19 +69,6 @@ async def server_version_middleware( return resp -async def allow_cors_on_endpoint(request: web.Request): - """Allow CORS on endpoints that VM owners use to control their machine.""" - return web.Response( - status=200, - headers={ - "Access-Control-Allow-Headers": "*", - "Access-Control-Allow-Methods": "*", - "Access-Control-Allow-Origin": "*", - "Allow": "POST", - }, - ) - - async def http_not_found(request: web.Request): """Return a 404 error for unknown URLs.""" return web.HTTPNotFound() diff --git a/src/aleph/vm/orchestrator/views/__init__.py b/src/aleph/vm/orchestrator/views/__init__.py index 7c1fd370e..4dbbb303b 100644 --- a/src/aleph/vm/orchestrator/views/__init__.py +++ b/src/aleph/vm/orchestrator/views/__init__.py @@ -215,11 +215,11 @@ async def status_check_fastapi(request: web.Request, vm_id: Optional[ItemHash] = } return web.json_response( - result, status=200 if all(result.values()) else 503, headers={"Access-Control-Allow-Origin": "*"} + result, status=200 if all(result.values()) else 503 ) except aiohttp.ServerDisconnectedError as error: return web.json_response( - {"error": f"Server disconnected: {error}"}, status=503, headers={"Access-Control-Allow-Origin": "*"} + {"error": f"Server disconnected: {error}"}, status=503 ) @@ -246,7 +246,7 @@ async def status_check_host(request: web.Request): }, } result_status = 200 if all(result["ipv4"].values()) and all(result["ipv6"].values()) else 503 - return web.json_response(result, status=result_status, headers={"Access-Control-Allow-Origin": "*"}) + return web.json_response(result, status=result_status) @cors_allow_all @@ -260,7 +260,7 @@ async def status_check_ipv6(request: web.Request): vm_ipv6 = False result = {"host": await check_host_egress_ipv6(), "vm": vm_ipv6} - return web.json_response(result, headers={"Access-Control-Allow-Origin": "*"}) + return web.json_response(result) @cors_allow_all 
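Review bot: The two `web.json_response` returns in `status_check_fastapi` (hunk `@@ -215,11 +215,11 @@`) now depend entirely on a `@cors_allow_all` decorator that this hunk does not show. The decorator lines visible as trailing context here and in the `status_check_host` and `status_check_ipv6` hunks sit above the handlers that follow them, not above the handlers being edited. If the decorator is missing on any edited handler, browser clients lose the header altogether instead of receiving it twice. A regression test on each status route, such as `assert len(resp.headers.getall("Access-Control-Allow-Origin")) == 1`, would catch both the duplication this commit fixes and an accidental omission. The handler bodies start outside the hunks.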
@@ -283,7 +283,6 @@ async def status_check_version(request: web.Request): return web.Response( status=200, text=f"Up-to-date: version {current} >= {reference}", - headers={"Access-Control-Allow-Origin": "*"}, ) else: return web.HTTPForbidden(text=f"Outdated: version {current} < {reference}") @@ -327,7 +326,6 @@ async def status_public_config(request: web.Request): }, }, dumps=dumps_for_json, - headers={"Access-Control-Allow-Origin": "*"}, ) @@ -437,7 +435,7 @@ async def notify_allocation(request: web.Request): return web.HTTPBadRequest(reason="Body is not valid JSON") except ValidationError as error: return web.json_response( - data=error.json(), status=web.HTTPBadRequest.status_code, headers={"Access-Control-Allow-Origin": "*"} + data=error.json(), status=web.HTTPBadRequest.status_code ) pubsub: PubSub = request.app["pubsub"] diff --git a/src/aleph/vm/orchestrator/views/authentication.py b/src/aleph/vm/orchestrator/views/authentication.py index 84dd96982..d38587015 100644 --- a/src/aleph/vm/orchestrator/views/authentication.py +++ b/src/aleph/vm/orchestrator/views/authentication.py @@ -227,8 +227,6 @@ async def wrapper(request): return web.json_response(data={"error": e.reason}, status=e.status) response = await handler(request, authenticated_sender) - # Allow browser clients to access the body of the response - response.headers.update({"Access-Control-Allow-Origin": request.headers.get("Origin", "")}) return response return wrapper From ed12122597a5f27d242b9d128240c914e2294fe6 Mon Sep 17 00:00:00 2001 From: "Andres D. Molins" Date: Wed, 24 Apr 2024 21:44:47 +0200 Subject: [PATCH 2/2] Fix: Solve code quality issues. --- src/aleph/vm/orchestrator/views/__init__.py | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/src/aleph/vm/orchestrator/views/__init__.py b/src/aleph/vm/orchestrator/views/__init__.py index 4dbbb303b..994476cba 100644 --- a/src/aleph/vm/orchestrator/views/__init__.py +++ b/src/aleph/vm/orchestrator/views/__init__.py 
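Review bot: In `notify_allocation` (hunk `@@ -437,7 +435,7 @@`), `web.json_response(data=error.json(), ...)` passes an already serialised value as `data`. If `ValidationError` is pydantic's, whose `.json()` returns a `str`, the body is encoded a second time and the client receives a quoted JSON string instead of the error list. `about_system_usage` in resources.py already uses the `text=` form for the same kind of value; the equivalent here is `return web.json_response(text=error.json(), status=web.HTTPBadRequest.status_code)`. The same call is only reflowed, not changed, in the `@@ -434,9 +430,7 @@` hunk of PATCH 2/2. The function body starts and ends outside the hunk.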
@@ -214,13 +214,9 @@ async def status_check_fastapi(request: web.Request, vm_id: Optional[ItemHash] = # "ipv6": await status.check_ipv6(session), } - return web.json_response( - result, status=200 if all(result.values()) else 503 - ) + return web.json_response(result, status=200 if all(result.values()) else 503) except aiohttp.ServerDisconnectedError as error: - return web.json_response( - {"error": f"Server disconnected: {error}"}, status=503 - ) + return web.json_response({"error": f"Server disconnected: {error}"}, status=503) @cors_allow_all @@ -434,9 +430,7 @@ async def notify_allocation(request: web.Request): except JSONDecodeError: return web.HTTPBadRequest(reason="Body is not valid JSON") except ValidationError as error: - return web.json_response( - data=error.json(), status=web.HTTPBadRequest.status_code - ) + return web.json_response(data=error.json(), status=web.HTTPBadRequest.status_code) pubsub: PubSub = request.app["pubsub"] pool: VmPool = request.app["vm_pool"]