stop connecting directly to proctor in client js

Updated the client js to connect to the ProctorModule via
system.ajax_url and updated the ProctorModule to proxy the requests to
the proctor server. This avoids disclosing both the proctor server url
and basic auth username/password in the LMS html source. This also
removes the need for CORS.

common/lib/xmodule/xmodule/proctor_module.py

 import sys
 import json
 import logging
+import urlparse
 import requests
 
 from lxml import etree
@@ -43,21 +44,29 @@ class ProctorPanel(object):
         self.proc_user = proc_user
         self.proc_pass = proc_pass
         self.procset_name = procset_name
-        self.ses = requests.session()
         self.user = user
+        self.ses = requests.session()
 
-    def is_released(self):
-        url = '{1}/cmd/status/{0}'.format(self.user.id, self.proc_url)
-        log.info('ProctorPanel url={0}'.format(url))
-        ret = self.ses.get(url, verify=False,
+    def request(self, url, data=None, json=True):
+        ret = self.ses.get(urlparse.urljoin(self.proc_url, url),
+                           verify=False, data=data,
                            auth=(self.proc_user, self.proc_pass),
                            params={'problem': self.procset_name})
-        try:
-            retdat = ret.json()
-        except Exception:
-            log.error('bad return from proctor panel: '
-                      'ret.content={0}'.format(ret.content))
-            retdat = {}
+        if json:
+            try:
+                data = ret.json()
+            except Exception:
+                log.error('bad return from proctor panel: '
+                          'ret.content={0}'.format(ret.content))
+                data = {}
+        else:
+            data = ret.content
+        return data
+
+    def is_released(self):
+        url = 'cmd/status/{0}'.format(self.user.id)
+        log.info('ProctorPanel url={0}'.format(url))
+        retdat = self.request(url)
         log.info('ProctorPanel retdat={0}'.format(retdat))
         enabled = retdat.get('enabled', False)
         return enabled
@@ -197,6 +206,10 @@ class ProctorModule(ProctorFields, XModule):
             # if dispatch == 'grades':
             #     return self.grades()
 
+        # Proctor Panel requests (ALL USERS)
+        if dispatch.startswith('cmd/'):
+            return self.pp.request(dispatch, data, json=False)
+
         if not self.is_released():  # check each time we do get_html()
             html = self.not_released_html()
             return json.dumps({'html': [html], 'message': True})

lms/templates/proctor.html

@@ -27,7 +27,7 @@
   </div>
 </section>
 
-<!--We should be using this but currently it's broken-->
+<!--We should be using this but it's currently broken-->
 <!--<script type="text/javascript" src="${static.url('js/vendor/jquery.leanModal.min.js')}"></script>-->
 <script type="text/javascript" src="/static/js/vendor/jquery.leanModal.min.js"></script>
 <script type="text/javascript">
@@ -81,7 +81,7 @@ procrel = (function(){
 
     var mkurl = function(cmd) {
         ps = encodeURIComponent("${pp.procset_name}");
-        return "${pp.proc_url}/cmd/" + cmd + "/${pp.user.id}/" + ps;
+        return "${ajax_url}/cmd/" + cmd + "/${pp.user.id}/" + ps;
     }
 
     var statel = $('#proctor_stat_${element_id}');
@@ -96,11 +96,6 @@ procrel = (function(){
 		 data: { "uname": "${pp.user.username}",
 		         "name": "${pp.user.profile.name}"
 		       },
-                 xhrFields: {
-                      withCredentials: true
-                 },
-                 username: "${pp.proc_user}",
-                 password: "${pp.proc_pass}",
                  success: gfun,
 		 dataType: "json",
                  error: function(xhr, status, error) {