topic Re: Enabling CORS in API / CLI Discussion

Enabling CORS

kartik_galhotra — Fri, 20 Dec 2019 13:05:40 GMT

Hi Checkmates,

Project:- Developing a Customized web portal using Checkpoint API for different users via C# .

Problem:- i made a add-host API call to checkpoint FW and getting the error in Browser >>Console.

Error:-

OPTIONS https://<FW_management_ip>/web_api/add-host 401(Unauthorized)

Access to XMLHttpRequest at 'https://<FW_management_ip>/web_api/add-host' from origin 'http://localhost:53352' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

conclusion:- Some CORS policy has to be enabled or 'Access-Control-Allow-Origin' has to be included

How to do this ?🤔

Re: Enabling CORS

PhoneBoy — Fri, 20 Dec 2019 18:47:15 GMT

I suspect it’s an issue with what’s making the API call.
What does $FWDIR/log/api.elg say when you make the API call?
Also, what version of management is this?

Re: Enabling CORS

kartik_galhotra — Tue, 11 Feb 2020 17:42:57 GMT

Hi PhoneBoy,

Was away due to work.

Regarding the Issue in hand

a) From Expert mode in CLI was able to read api.log File using Vi editor.

But was not able to export it using IKEVIEW.

Needed your guidance to read the api.logs file.

Thank You

Re: Enabling CORS

PhoneBoy — Tue, 11 Feb 2020 18:04:33 GMT

IKEView is only for VPN-related debugs, not for API ones.
So you have to manually review the related files.

But now that I'm coming back to this, are you making the request with an HTTP GET?
Because if you're using HTTP OPTIONS, that definitely won't work.

Re: Enabling CORS

kartik_galhotra — Tue, 11 Feb 2020 18:11:50 GMT

As Mentioned in the API Reference guide, I am making the request with an HTTP Post.

Re: Enabling CORS

PhoneBoy — Tue, 11 Feb 2020 18:21:34 GMT

If you want help parsing the api logs, they need to be provided somehow.
If you don't want to do so here, I recommend a TAC case.

Re: Enabling CORS

Daniel_Schlifka — Tue, 11 Feb 2020 18:42:13 GMT

CORS issues are usually related to the webbrowsers security policies, this means your requests come from the Browser via ECMAscript/Typescript(aka javascript).
C# does not suffer from such(and neither do node.js)
If you build a webapp with c# backend, whats the reason that the api calls come from the webclient and not from the c# service?
In a clean ddd your webclient would speak with the c# service, and the service speaks with the API.
If this is a resource issue for your backend consider usage of async await and if even that is not enough establish CQRS with event-queuing.

Also never ever use CORS with a wildcard, instead propagate the resource which shall really be requested(at least provide the host ip). Setting a wildcard like * exposes your application for CSRF attacks.
It is the opposite of defensive programming and security bad practice.

CORS has its purpose and shall provide a secure workaround for SOP inside webbrowsers, for APIs it's a constant pain. AJAX might be simply not the right tool here.

Checkpoint has no influence on customer network designs, therefore they would have really difficulties to define clean CORS Headers(for example every NAT would mess it up).
You can of cause raise a feature request to checkpoint, but i have some doubts they will implement it for the given reasons.

Re: Enabling CORS

kartik_galhotra — Wed, 12 Feb 2020 17:47:48 GMT

Hi PhoneBoy,

Was able to get the api.elg logs.

After executing my C# code, was able to login and get the session-ID.

But when adding a new host, that is, Running "add-host" API.

It does not adds new host.

The following are the logs from api.elg.

ID: 13
Address: http://127.0.0.1:50276/web_api/login
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[undefined], accept-encoding=[gzip, deflate, br], Accept-Language=[en-GB,en-US;q=0.9,en;q=0.8], connection=[keep-alive], Content-Length=[38], content-type=[application/json], Host=[127.0.0.1:50276], Origin=[http://localhost:53352], Referer=[http://localhost:53352/Login.html], Sec-Fetch-Mode=[cors], Sec-Fetch-Site=[cross-site], User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36], X-Forwarded-For=[192.168.70.10], X-Forwarded-Host=[192.168.70.12], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[192.168.70.12]}
--------------------------------------
2020-02-12 21:36:34,846 INFO com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:25 [qtp273713186-29] - Cache created and initialized
2020-02-12 21:36:34,847 INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:132 [qtp273713186-29] - Executing [login] of version 1.1
2020-02-12 21:36:35,576 INFO com.checkpoint.management.web_api_is.utils.CsvFileWriterUtils.writeCsvLine:1 [qtp273713186-29] - 2020-02-12,21:36:35 +0530,login,PASSED,730
2020-02-12 21:36:35,587 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp273713186-29] - Outbound Message
---------------------------
ID: 13
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Wed, 12 Feb 2020 16:06:35 GMT]}
Payload: {
"uid" : "fe8a9e54-9e6d-4e29-9bf5-ebedf6895d41",
"sid" : "WMBQBmF8Ybu6SQLHQk0Lf51Zz2gIig8lbAcoe7CQX5U",
"url" : "https://192.168.70.12:443/web_api",
"session-timeout" : 600,
"last-login-was-at" : {
"posix" : 1581523449487,
"iso-8601" : "2020-02-12T21:34+0530"
},
"api-server-version" : "1.1"
}
--------------------------------------
2020-02-12 21:37:00,583 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp273713186-26] - Inbound Message
----------------------------
ID: 14
Address: http://127.0.0.1:50276/web_api/add-host
Http-Method: OPTIONS
Content-Type:
Headers: {Accept=[*/*], accept-encoding=[gzip, deflate, br], Accept-Language=[en-GB,en-US;q=0.9,en;q=0.8], Access-Control-Request-Headers=[content-type,x-chkp-sid], Access-Control-Request-Method=[POST], connection=[keep-alive], Content-Type=[null], Host=[127.0.0.1:50276], Origin=[http://localhost:53352], Referer=[http://localhost:53352/AddHost.html], Sec-Fetch-Mode=[cors], Sec-Fetch-Site=[cross-site], User-Agent=[Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36], X-Forwarded-For=[192.168.70.100], X-Forwarded-Host=[192.168.70.12], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[192.168.70.12]}
--------------------------------------
2020-02-12 21:37:00,583 ERROR com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorSessionValidator.handleMessage:11 [qtp273713186-26] - Session validation has failed
2020-02-12 21:37:00,584 ERROR com.checkpoint.management.web_api_is.utils.helpers.ThreadLocalStore$1.initialValue:4 [qtp273713186-26] - ThreadLocalStore.requestedVersion was requested before initialization! Initializing it with the latest API version: 1.1
2020-02-12 21:37:00,603 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp273713186-26] - Outbound Message
---------------------------
ID: 14
Response-Code: 401
Content-Type: text/plain
Headers: {Content-Type=[text/plain], Date=[Wed, 12 Feb 2020 16:07:00 GMT]}
Payload: code: "generic_err_missing_session_id"
message: "Can't retrieve session id from HTTP request method: [OPTIONS]"

--------------------------------------

In Visual Basic and Browser >> Inspect >> Console it displays the error:-

Failed to load resource: the server responded with a status of 404 (Not Found) [http://localhost:53352/favicon.ico]
Access to XMLHttpRequest at 'https://192.168.70.12/web_api/add-host' from origin 'http://localhost:53352' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. [http://localhost:53352/AddHost.html]

Also, specify the changes that are to be done.!

Re: Enabling CORS

PhoneBoy — Wed, 12 Feb 2020 19:05:19 GMT

The ultimate reason the API call is failing is because the SID isn't getting passed.
The CORS policy is definitely what's preventing these headers from coming across.
Like @Daniel_Schlifka points out, this is configured the way it is for security reasons.
My understanding is this needs to be fixed on the client side.
For example, something like: https://stackoverflow.com/questions/20035101/why-does-my-javascript-code-get-a-no-access-control-allow-origin-header-is-pr

We do not provide a mechanism to change the CORS policy on the server side.
This would have to be treated as an RFE.

Re: Enabling CORS

Daniel_Schlifka — Wed, 12 Feb 2020 23:52:26 GMT

I would not recommend to disable it from clientside.
Sadwise modern day browsers(at least Firefox, Edge and Chrome) only can disable SOP in general and there is no option to just disable it for a certain site. So disabling it is a all or nothing thing and it will expose all web applications which run inside that browser for csrf. Depending on environment it might also collide with security compliance rules or you have some 3rd parties where you can't influence the browser setup at all.
If you don't have the time to rewrite the whole thing(which i assume) the easiest way would be put a proxy in between the clients and the checkpoint and rewrite the http-headers between the firewall und your client to add an according Allow-Origin header to this resource. At least squid, apache and nginx offer such features. As these are only some API calls a really slim vm setup somewhere in your management network would do the trick.
Personally i would recommend nginx, in comparison with Apache and Squid the config is easy going and less complex for this purpose.

A basic nginx config would look like that(you can of cause spice it up - refer nginx docs for this):

server { listen 443; ssl on; ssl_certificate /etc/nginx/cert.crt; ssl_certificate_key /etc/nginx/cert.key; ssl_protocols TLSv1.2; location / { proxy_pass https://<checkpoint-ip>; add_header 'Access-Control-Allow-Origin' '<checkpoint-ip>/web_api/*'; } }

HtH

Re: Enabling CORS

kartik_galhotra — Thu, 13 Feb 2020 11:12:53 GMT

@PhoneBoy

Read the StackOverFlow Link Your specified and tried to implement,

None Worked.!

@Daniel_Schlifka

As per Your suggestion tried Proxy, but Some... Chrome Extensions,

Not Useful.!

So here I am Posting My Code:-

Login.html

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title></title>
</head>
<body>
<table border="1">
<tr>
<td>
<strong>
User Name:
</strong>
</td>
<td>
<input type="text" id="txt_username" />
</td>
</tr>
<tr>
<td>
<strong>
Password:
</strong>
</td>
<td>
<input type="password" id="txt_password" />
</td>
</tr>
<tr>
<td>
<input id="btn_login" type="button" value="Login" onclick="Login()" />
</td>
</tr>
</table>

<script src="Scripts/jquery-3.4.1.js"></script>
<script type="text/javascript">
var url = 'https://192.168.70.12/web_api/';

function Login() {
var username = $('#txt_username').val();
var password = $('#txt_password').val();

var obj = { "user": username, "password": password };

obj = JSON.stringify(obj);

$.ajax({
url: url + 'login',
type: 'POST',
contentType: 'application/json',
accepts: 'application/json',
data: obj,
success: function (response) {
alert('Login successfully');
sessionStorage.setItem('sessionid', response.sid);
sessionStorage.setItem('userid', response.uid);
window.location.href = 'AddHost.html'
},
error: function (a, b, c) {
alert('There is error');
console.log(a);
console.log(b);
console.log(c);
}
})
}
</script>
</body>
</html>

AddHost.html

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title></title>
</head>
<body>
<table border="1">
<tr>
<td>
<strong>
Host Name:
</strong>
</td>
<td>
<input type="text" id="txt_hostname" />
</td>
</tr>
<tr>
<td>
<strong>
Ip address:
</strong>
</td>
<td>
<input type="text" id="txt_ipaddress" />
</td>
</tr>
<tr>
<td>
<input type="button" value="Add Host" onclick="AddHost()" />
</td>
</tr>
</table>

var url = 'https://192.168.70.12/web_api/';

function AddHost() {
var hostname = $('#txt_hostname').val();
var ipAddress = $('#txt_ipaddress').val();
var sessionId = sessionStorage.getItem('sessionid');
var obj = { "name": hostname, "ip-address": ipAddress };

obj = JSON.stringify(obj);

$.ajax({
type: 'POST',
url: url + 'add-host',
contentType: 'application/json',
crossDomain: true,

headers: {
'X-chkp-sid': sessionId,
'Access-Control-Allow-Origin': "*",
//"Authorization": "basic " + sessionId
},
accepts: 'application/json',
data: obj,
//dataType: 'jsonp',

success: function (response) {
alert('created successfully');
console.log(response);
},
error: function (a, b, c) {
alert('There is error');
console.log(a);
console.log(b);
console.log(c);
}
})
}
</script>
</body>
</html>

Till Now Login is successfull but cannot add new host using webApi.

The Code Contains some modifications(on AddHost.html) which i did after reading the stackoverflow articles.

Thank you.

Re: Enabling CORS

Daniel_Schlifka — Thu, 13 Feb 2020 16:07:30 GMT

What do you mean with "some chrome plugin" , thats like "the computer is broken".
Please describe how you tried to achieve it, then we can go through it and see what went wrong.

Your javascript syntax is somewhat unfamiliar, but many ways lead to rome. I will test it locally and will give you some feedback tomorrow regarding this.

Re: Enabling CORS

kartik_galhotra — Thu, 13 Feb 2020 17:45:42 GMT

While reading some articles i encountered alternative to CORS that's where i got to know about, The Chrome Extensions.

Find It Here.

Also, In some articles and @PhoneBoy reply i learned that, this CORS can be done from server-side too.

As , the Checkpoint it in my test environment (VMware) and i have wrote my code in Visual Studio 2017.

So, Just to Give it a shot🤞, I got into the Checkpoint_FW >>web >>config >> httpd2.conf and commented the very last line

which is SAMEORIGIN. But, Unfortunately, it was all in vain.

@Daniel_Schlifka i am dropping the UI associated with code.

For Login.html

For AddHost.html

Hope we resolve the issue.!

Re: Enabling CORS

Daniel_Schlifka — Mon, 17 Feb 2020 17:58:41 GMT

Hi,

sorry for the delay.
It seems cors is once again your opponent here.
I tested it with enforcing cors completely off and it works.(older webbrowser), You will have to publish afterwards that it becomes visible.
Not sure how you want come around this limitation, the only way i see here is proxying or altering the checkpoint config,.

Re: Enabling CORS

kartik_galhotra — Tue, 18 Feb 2020 07:24:24 GMT

When using Older Browser, did you added proxy or just using the older browser resolves the issue ?

and what version of browser did u select ?

Also Please, Specify (if any) changes you have done to the code.

Thank You

Re: Enabling CORS

Daniel_Schlifka — Tue, 18 Feb 2020 18:11:49 GMT

hi,

i used ff36.0.4 it has no cors enabled, so no proxy here. It's completely outdated, i keep it for backward compability reasons only and wouldn't recommend it for daily usage.
I did some slight adjustments for my login. I will upload it to github and send you a link.

Re: Enabling CORS

PhoneBoy — Tue, 18 Feb 2020 18:34:35 GMT

Personally, I think you're better off developing this in a way that doesn't invoke CORS.
A simple nginx proxy as previously suggested should be sufficient.
Why is this option not feasible?

Re: Enabling CORS

kartik_galhotra — Wed, 19 Feb 2020 08:55:13 GMT

Hi,
as u mentioned, It Works for u, but i too was able to login from Login.html from beginning but was not able to add-host using AddHost.html.

Hope you were able to do the add-host using your code.!
will be waiting for your code.

Re: Enabling CORS

Daniel_Schlifka — Thu, 20 Feb 2020 19:58:41 GMT

hi,

i added you a plain example.
I used xmlhttprequest in this example, thats basically what jquery wraps around. I didn't take care for exception handling, but its identical to jquery in this point; you can easily recycle your code here. Using xmlhttprequest adds some boilerplate code but makes the whole communication more comprehensible. I also added a python example for the same thing. Its pretty similar in every language, no voodoo here. The api is astonishing easy to use(if cors is not in the way).
Consider using let instead of var. My test-ff was just to old to support ES6, so i had to use var.
ES6 'let' is the smarter way as it avoids some ugly scoping hells from earlier javascript versions. Check ES6 docs for more detail.
https://github.com/remingu/checkmates/tree/master/r80webapi