CORS domain config api and config page

[TheAndrewJackson]

Closes fidesplus#1065

Description Of Changes

Add CORS configuration to the admin ui and config proxy api.

Screen.Recording.2023-09-14.at.09.38.37.mov

Code Changes

• Add CORS configuration page
• Update config proxy to have the cors_origin security field
• Update config api to update cors_origins within the CORS middleware at runtime

Steps to Confirm

• run nox -s dev
• update this line to const plus = true; so the admin ui thinks plus is running
• run the admin ui
• go to /management/cors-configuration
• add a new domain(s) to the form and save
• restart the server and ensure the values were saved properly
• remove the new domain(s) and save

Pre-Merge Checklist

• All CI Pipelines Succeeded
• Documentation:
  • documentation complete, PR opened in fidesdocs
  • documentation issue created in fidesdocs
• Issue Requirements are Met
• Relevant Follow-Up Issues Created
• Update CHANGELOG.md
• For API changes, the Postman collection has been updated

[cypress]

Passing run #4279 ↗︎

0	4	0	0	0
⚠️ You've recorded test results over your free plan limit. Upgrade your plan to view test results.

Details:

Merge ab261c4 into ce33cf6...
Project: fides	Commit: 3f77db6504 ℹ️
Status: Passed	Duration: 01:08 💡
Started: Sep 22, 2023 6:35 PM	Ended: Sep 22, 2023 6:36 PM

_{This comment has been generated by cypress-bot as a result of this project's GitHub integration settings.}

[codecov]

Codecov Report

Patch coverage: 89.83% and project coverage change: -0.01% ⚠️

Comparison is base (37c32f8) 87.51% compared to head (ab261c4) 87.50%.
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4073      +/-   ##
==========================================
- Coverage   87.51%   87.50%   -0.01%     
==========================================
  Files         326      326              
  Lines       20283    20324      +41     
  Branches     2634     2640       +6     
==========================================
+ Hits        17750    17785      +35     
- Misses       2076     2080       +4     
- Partials      457      459       +2     

Files Changed	Coverage Δ
src/fides/api/app_setup.py	68.91% <63.63%> (-0.87%)	⬇️
src/fides/api/models/application_config.py	97.46% <80.00%> (-2.54%)	⬇️
src/fides/api/api/v1/endpoints/config_endpoints.py	100.00% <100.00%> (ø)
src/fides/api/main.py	76.97% <100.00%> (ø)
src/fides/api/schemas/application_config.py	100.00% <100.00%> (ø)
src/fides/config/config_proxy.py	100.00% <100.00%> (ø)
src/fides/config/security_settings.py	98.93% <100.00%> (ø)

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[allisonking]

nice job, this seems to work great! I left a few minor comments. I'll leave the backend review to Adam :)

[TheAndrewJackson]

@adamsachs this should be good to go for another pass 👍

[adamsachs]

@TheAndrewJackson the code re-org looks great! i think having that sort of side-effect function on the ConfigProxy could be a nice pattern generally.

i just have one concern now on the particular update logic for the cors origins property - i should have realized this before i'd suggested this logic on my previous review 🤦

let me know if it's clear from my comments, i realize things are a bit tricky here and i would be more than happy to talk thru it, since it may be more efficient and i don't wanna hold you up on getting this across the line!

[adamsachs]

i know i sorta pointed you toward this implementation on your previous iteration, but i hadn't thought of a consequence of this additive logic that now seems like it could be problematic, unless i'm thinking about this wrong.

with the way this is written, won't we never be able to remove a domain that's been added at some point via config setting? initially a domain will be added to the allow_origins list/set, and then wouldn't it essentially stay there forever, since it'd continue to be retrieved as a current_middleware_domains on all subsequent updates (until the service is restarted).

would there be a significant downside to switching the logic here to replace the existing allow_origins list, so that it's exactly what's been specified in the ConfigProxy? i'm not sure if there's an initial set of allow_origins that we need to keep in place from the get-go...if so, i think this problem could be a bit tricky to solve. if not, then i feel like we'd be better off just replacing the cors_origins with whatever's been specified in the ConfigProxy.

i guess ultimately i'm wondering on the motivation for making this additive rather than just a replace. it seems to me like the additive logic is a bit at-odds with the way we set our config properties generally, which assumes a replace sort of functionality. i get worried that trying to reconcile those two can be a bit tricky.

sorry i hadn't thought of this on the previous iteration! but just wanna make sure we get this right 👍

Suggested change

	if mw.cls is CORSMiddleware:
	current_middleware_domains = (
	mw.options["allow_origins"]
	if mw.options["allow_origins"] is not None
	else []
	)
	current_config_proxy_domains = (
	self.security.cors_origins
	if self.security.cors_origins is not None
	else []
	)
	patch_domains = set(
	[*current_middleware_domains, *current_config_proxy_domains]
	)
	mw.options["allow_origins"] = [str(domain) for domain in patch_domains]
	if mw.cls is CORSMiddleware:
	current_config_proxy_domains = (
	self.security.cors_origins
	if self.security.cors_origins is not None
	else []
	)
	mw.options["allow_origins"] = [str(domain) for domain in current_config_proxy_domains]

^ may not be exactly how you'd wanna code it, but just to illustrate what i think would lead to a bit more consistent and transparent behavior, if we can get away with it.

[adamsachs]

right so this is the behavior that i think would be desirable, but per my above comment i'm worried that this isn't actually exactly what's happening. happy to talk through this more because it gets a bit tricky (and perhaps counterintuitive) with the config proxy, but i actually think that if we're going for this behavior, we can accomplish it with what i suggested above 👍

[TheAndrewJackson]

Nice catch!

[adamsachs]

BE is looking nice after all the iterations 😄

i have a sneaking suspicion we'll be coming back to the /config API again sometime soon since i feel like edge cases abound (not the concern of this PR), but i feel comfortable this is serving our current purposes well 👍

thanks for all the back and forth on this, i think we landed in a nice spot and are pushing some more generic functionality ⏩