18 files changed, 265 insertions, 18 deletions
diff --git a/README.rst b/README.rst
index 2689a33..fcf528a 100644
--- a/README.rst
+++ b/README.rst
@@ -16,6 +16,6 @@ enhanced with functionality like add/delete/modification of http headers
 and support for limiting size/connection etc.
 
 * Free software: Apache license
-* Documentation: https://docs.openstack.org/developer/oslo.middleware
+* Documentation: https://docs.openstack.org/oslo.middleware/latest
 * Source: https://git.openstack.org/cgit/openstack/oslo.middleware
 * Bugs: https://bugs.launchpad.net/oslo.middleware
diff --git a/doc/source/admin/cross-project-cors.rst b/doc/source/admin/cross-project-cors.rst
new file mode 100644
index 0000000..26a8c55
--- /dev/null
+++ b/doc/source/admin/cross-project-cors.rst
@@ -0,0 +1,195 @@
+.. _cross-project:
+
+=============================
+Cross-origin resource sharing
+=============================
+
+.. note::
+
+   This is a new feature in OpenStack Liberty.
+
+OpenStack supports :term:`Cross-Origin Resource Sharing (CORS)`, a W3C
+specification defining a contract by which the single-origin policy of a user
+agent (usually a browser) may be relaxed. It permits the javascript engine
+to access an API that does not reside on the same domain, protocol, or port.
+
+This feature is most useful to organizations which maintain one or more
+custom user interfaces for OpenStack, as it permits those interfaces to access
+the services directly, rather than requiring an intermediate proxy server. It
+can, however, also be misused by malicious actors; please review the
+security advisory below for more information.
+
+Enabling CORS with configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In most cases, CORS support is built directly into the service itself. To
+enable it, simply follow the configuration options exposed in the default
+configuration file, or add it yourself according to the pattern below.
+
+.. code-block:: ini
+
+   [cors]
+   allowed_origin = https://first_ui.example.com
+   max_age = 3600
+   allow_methods = GET,POST,PUT,DELETE
+   allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
+   expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
+
+Additional origins can be explicitly added. To express this in
+your configuration file, first begin with a ``[cors]`` group as above,
+into which you place your default configuration values. Then, add as many
+additional configuration groups as necessary, naming them
+``[cors.{something}]`` (each name must be unique). The purpose of the
+suffix to ``cors.`` is legibility, we recommend using a reasonable
+human-readable string:
+
+.. code-block:: ini
+
+   [cors.ironic_webclient]
+   # CORS Configuration for a hypothetical ironic webclient, which overrides
+   # authentication
+   allowed_origin = https://ironic.example.com:443
+   allow_credentials = True
+
+   [cors.horizon]
+   # CORS Configuration for horizon, which uses global options.
+   allowed_origin = https://horizon.example.com:443
+
+   [cors.wildcard]
+   # CORS Configuration for the CORS specified domain wildcard, which only
+   # permits HTTP GET requests.
+   allowed_origin = *
+   allow_methods = GET
+
+For more information about CORS configuration,
+see `cross-origin resource sharing
+<https://docs.openstack.org/ocata/config-reference/common-configurations/cors.html>`_
+in OpenStack Configuration Reference.
+
+Enabling CORS with PasteDeploy
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+CORS can also be configured using PasteDeploy. First of all, ensure that
+OpenStack's ``oslo_middleware`` package (version 2.4.0 or later) is
+available in the Python environment that is running the service. Then,
+add the following configuration block to your ``paste.ini`` file.
+
+.. code-block:: ini
+
+   [filter:cors]
+   paste.filter_factory = oslo_middleware.cors:filter_factory
+   allowed_origin = https://website.example.com:443
+   max_age = 3600
+   allow_methods = GET,POST,PUT,DELETE
+   allow_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
+   expose_headers = Content-Type,Cache-Control,Content-Language,Expires,Last-Modified,Pragma,X-Custom-Header
+
+.. note::
+   To add an additional domain in oslo_middleware v2.4.0, add
+   another filter. In v3.0.0 and after, you may add multiple domains
+   in the above ``allowed_origin`` field, separated by commas.
+
+Security concerns
+~~~~~~~~~~~~~~~~~
+
+CORS specifies a wildcard character ``*``, which permits access to all user
+agents, regardless of domain, protocol, or host. While there are valid use
+cases for this approach, it also permits a malicious actor to create a
+convincing facsimile of a user interface, and trick users into revealing
+authentication credentials. Please carefully evaluate your use case and the
+relevant documentation for any risk to your organization.
+
+.. note::
+
+   The CORS specification does not support using this wildcard as
+   a part of a URI. Setting ``allowed_origin`` to ``*`` would work, while
+   ``*.openstack.org`` would not.
+
+Troubleshooting
+~~~~~~~~~~~~~~~
+
+CORS is very easy to get wrong, as even one incorrect property will violate
+the prescribed contract. Here are some steps you can take to troubleshoot
+your configuration.
+
+Check the service log
+---------------------
+
+The CORS middleware used by OpenStack provides verbose debug logging that
+should reveal most configuration problems. Here are some example log
+messages, and how to resolve them.
+
+Problem
+-------
+
+``CORS request from origin 'http://example.com' not permitted.``
+
+Solution
+--------
+
+A request was received from the origin ``http://example.com``, however this
+origin was not found in the permitted list. The cause may be a superfluous
+port notation (ports 80 and 443 do not need to be specified). To correct,
+ensure that the configuration property for this host is identical to the
+host indicated in the log message.
+
+Problem
+-------
+
+``Request method 'DELETE' not in permitted list: GET,PUT,POST``
+
+Solution
+--------
+
+A user agent has requested permission to perform a DELETE request, however
+the CORS configuration for the domain does not permit this. To correct, add
+this method to the ``allow_methods`` configuration property.
+
+Problem
+-------
+
+``Request header 'X-Custom-Header' not in permitted list: X-Other-Header``
+
+Solution
+--------
+
+A request was received with the header ``X-Custom-Header``, which is not
+permitted. Add this header to the ``allow_headers`` configuration
+property.
+
+Open your browser's console log
+-------------------------------
+
+Most browsers provide helpful debug output when a CORS request is rejected.
+Usually this happens when a request was successful, but the return headers on
+the response do not permit access to a property which the browser is trying
+to access.
+
+Manually construct a CORS request
+---------------------------------
+
+By using ``curl`` or a similar tool, you can trigger a CORS response with a
+properly constructed HTTP request. An example request and response might look
+like this.
+
+Request example:
+
+.. code-block:: console
+
+   $ curl -I -X OPTIONS https://api.example.com/api -H "Origin: https://ui.example.com"
+
+Response example:
+
+.. code-block:: console
+
+   HTTP/1.1 204 No Content
+   Content-Length: 0
+   Access-Control-Allow-Origin: https://ui.example.com
+   Access-Control-Allow-Methods: GET,POST,PUT,DELETE
+   Access-Control-Expose-Headers: origin,authorization,accept,x-total,x-limit,x-marker,x-client,content-type
+   Access-Control-Allow-Headers: origin,authorization,accept,x-total,x-limit,x-marker,x-client,content-type
+   Access-Control-Max-Age: 3600
+
+If the service does not return any access control headers, check the service
+log, such as ``/var/log/upstart/ironic-api.log`` for an indication on what
+went wrong.
diff --git a/doc/source/admin/index.rst b/doc/source/admin/index.rst
new file mode 100644
index 0000000..c90230c
--- /dev/null
+++ b/doc/source/admin/index.rst
@@ -0,0 +1,13 @@
+======================
+Cross-project features
+======================
+
+Many features are common to all the OpenStack services and are consistent in
+their configuration and deployment patterns. Unless explicitly noted, you can
+safely assume that the features in this chapter are supported and configured
+in a consistent manner.
+
+.. toctree::
+   :maxdepth: 2
+
+   cross-project-cors.rst
diff --git a/doc/source/conf.py b/doc/source/conf.py
index a5301af..fd0ddce 100755
--- a/doc/source/conf.py
+++ b/doc/source/conf.py
@@ -23,11 +23,19 @@ sys.path.insert(0, os.path.abspath('../..'))
 extensions = [
     'sphinx.ext.autodoc',
     #'sphinx.ext.intersphinx',
-    'oslosphinx',
     'oslo_config.sphinxext',
+    'openstackdocstheme',
     'stevedore.sphinxext',
 ]
 
+# openstackdocstheme options
+repository_name = 'openstack/oslo.middleware'
+bug_project = 'oslo.middleware'
+bug_tag = ''
+
+# Must set this variable to include year, month, day, hours, and minutes.
+html_last_updated_fmt = '%Y-%m-%d %H:%M'
+
 # autodoc generation is a bit aggressive and a nuisance when doing heavy
 # text edit cycles.
 # execute "export SPHINX_DEBUG=1" in your terminal to disable
diff --git a/doc/source/oslo_config.rst b/doc/source/configuration/index.rst
index e6134a5..6ca076e 100644
--- a/doc/source/oslo_config.rst
+++ b/doc/source/configuration/index.rst
@@ -53,5 +53,5 @@ This will override any configuration done via oslo.config
 
 .. note::
 
-    healtcheck middleware does not yet use oslo.config, see :doc:`healthcheck_plugins`
+    healtcheck middleware does not yet use oslo.config, see :doc:`../reference/healthcheck_plugins`
 
diff --git a/doc/source/contributing.rst b/doc/source/contributor/index.rst
index 2ca75d1..ed5290b 100644
--- a/doc/source/contributing.rst
+++ b/doc/source/contributor/index.rst
@@ -2,4 +2,4 @@
  Contributing
 ==============
 
-.. include:: ../../CONTRIBUTING.rst
+.. include:: ../../../CONTRIBUTING.rst
diff --git a/doc/source/glossary.rst b/doc/source/glossary.rst
new file mode 100644
index 0000000..72e1759
--- /dev/null
+++ b/doc/source/glossary.rst
@@ -0,0 +1,19 @@
+========
+Glossary
+========
+
+This glossary offers a list of terms and definitions to define a
+vocabulary for OpenStack-related concepts.
+
+C
+~
+
+.. glossary::
+
+   Cross-Origin Resource Sharing (CORS)
+
+      A mechanism that allows many resources (for example,
+      fonts, JavaScript) on a web page to be requested from
+      another domain outside the domain from which the resource
+      originated. In particular, JavaScript's AJAX calls can use
+      the XMLHttpRequest mechanism.
diff --git a/doc/source/history.rst b/doc/source/history.rst
deleted file mode 100644
index 69ed4fe..0000000
--- a/doc/source/history.rst
+++ /dev/null
@@ -1 +0,0 @@
-.. include:: ../../ChangeLog
diff --git a/doc/source/index.rst b/doc/source/index.rst
index f53e5bd..5bf8ff0 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -6,12 +6,12 @@ Contents
 .. toctree::
    :maxdepth: 2
 
-   installation
-   api
-   healthcheck_plugins
-   cors
-   oslo_config
-   contributing
+   install/index
+   contributor/index
+   configuration/index
+   admin/index
+   reference/index
+   glossary
 
 Release Notes
 =============
@@ -19,4 +19,4 @@ Release Notes
 .. toctree::
    :maxdepth: 1
 
-   history
+   user/history
diff --git a/doc/source/installation.rst b/doc/source/install/index.rst
index 4fd1d47..4fd1d47 100644
--- a/doc/source/installation.rst
+++ b/doc/source/install/index.rst
diff --git a/doc/source/api.rst b/doc/source/reference/api.rst
index 50ad06d..50ad06d 100644
--- a/doc/source/api.rst
+++ b/doc/source/reference/api.rst
diff --git a/doc/source/cors.rst b/doc/source/reference/cors.rst
index 77bb6ed..77bb6ed 100644
--- a/doc/source/cors.rst
+++ b/doc/source/reference/cors.rst
diff --git a/doc/source/healthcheck_plugins.rst b/doc/source/reference/healthcheck_plugins.rst
index 3ea93c5..3ea93c5 100644
--- a/doc/source/healthcheck_plugins.rst
+++ b/doc/source/reference/healthcheck_plugins.rst
diff --git a/doc/source/reference/index.rst b/doc/source/reference/index.rst
new file mode 100644
index 0000000..5a2d80a
--- /dev/null
+++ b/doc/source/reference/index.rst
@@ -0,0 +1,8 @@
+==============================
+ oslo.middleware Reference
+==============================
+
+.. toctree::
+   :glob:
+
+   *
diff --git a/doc/source/user/history.rst b/doc/source/user/history.rst
new file mode 100644
index 0000000..f69be70
--- /dev/null
+++ b/doc/source/user/history.rst
@@ -0,0 +1 @@
+.. include:: ../../../ChangeLog
diff --git a/oslo_middleware/opts.py b/oslo_middleware/opts.py
index 1584f9b..6cf6f4d 100644
--- a/oslo_middleware/opts.py
+++ b/oslo_middleware/opts.py
@@ -132,7 +132,6 @@ def list_opts_cors():
     """
     return [
         ('cors', copy.deepcopy(cors.CORS_OPTS)),
-        ('cors.subdomain', copy.deepcopy(cors.CORS_OPTS))
     ]
 
 
diff --git a/releasenotes/source/conf.py b/releasenotes/source/conf.py
index a53fc2c..c450f3a 100644
--- a/releasenotes/source/conf.py
+++ b/releasenotes/source/conf.py
@@ -34,10 +34,15 @@
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
-    'oslosphinx',
     'reno.sphinxext',
+    'openstackdocstheme'
 ]
 
+# openstackdocstheme options
+repository_name = 'openstack/oslo.middleware'
+bug_project = 'oslo.middleware'
+bug_tag = ''
+
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
 
@@ -109,7 +114,7 @@ pygments_style = 'sphinx'
 
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
-html_theme = 'default'
+html_theme = 'openstackdocs'
 
 # Theme options are theme-specific and customize the look and feel of a theme
 # further.  For a list of options available for each theme, see the
@@ -147,7 +152,7 @@ html_static_path = ['_static']
 
 # If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
 # using the given strftime format.
-# html_last_updated_fmt = '%b %d, %Y'
+html_last_updated_fmt = '%Y-%m-%d %H:%M'
 
 # If true, SmartyPants will be used to convert quotes and dashes to
 # typographically correct entities.
diff --git a/test-requirements.txt b/test-requirements.txt
index d51ef3c..fb4395f 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -5,9 +5,9 @@
 fixtures>=3.0.0 # Apache-2.0/BSD
 hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 mock>=2.0 # BSD
-oslosphinx>=4.7.0 # Apache-2.0
+openstackdocstheme>=1.11.0 # Apache-2.0
 oslotest>=1.10.0 # Apache-2.0
-sphinx!=1.6.1,>=1.5.1 # BSD
+sphinx>=1.6.2 # BSD
 testtools>=1.4.0 # MIT
 coverage!=4.4,>=4.0 # Apache-2.0
 reno!=2.3.1,>=1.8.0 # Apache-2.0