Mercurial > p > roundup > code

comparison roundup/rest.py @ 6693:9a1f5e496e6c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
issue2551203 - Add support for CORS preflight request Add support for unauthenticated CORS preflight and fix headers for CORS. client.py: pass through unauthenticated CORS preflight to rest backend. Normal rest OPTION handlers (including tracker defined extensions) can see and handle the request. make some error cases return error json with crrect mime type rather than plain text tracebacks. create new functions to verify origin and referer that filter using allowed origins setting. remove tracker base url from error message is referer is not at an allowed origin. rest.py: fix up OPTION methods handlers to include Access-Control-Allow-Methods that are the same as the Allow header. set cache to one week for all Access-Control headers for CORS preflight only. remove self.client.setHeader("Access-Control-Allow-Origin", "*") and set Access-Control-Allow-Origin to the client supplied origin if it passes allowed origin checks. Required for CORS otherwise data isn't available to caller. Set for all responses. set Vary header now includes Origin as responses can differ based on Origin for all responses. set Access-Control-Allow-Credentials to true on all responses. test_liveserver.py: run server with setting to enforce origin csrf header check run server with setting to enforce x-requested-with csrf header check run server with setting for allowed_api_origins requests now set required csrf headers test preflight request on collections check new headers and Origin is no longer '*' rewrite all compression checks to use a single method with argument to use different compression methods. Reduce a lot of code duplication and makes updating for new headers easier. test_cgi: test new error messages in client.py account for new headers test preflight and new code paths
author John Rouillard <rouilj@ieee.org>
date Tue, 07 Jun 2022 09:39:35 -0400
parents 01a5dd90286e
children 3f60a71b0812
comparison
equal deleted inserted replaced
6692:1fbfb4a277d7 6693:9a1f5e496e6c
1749 ) 1749 )
1750 self.client.setHeader( 1750 self.client.setHeader(
1751 "Allow", 1751 "Allow",
1752 "OPTIONS, GET, PUT, DELETE, PATCH" 1752 "OPTIONS, GET, PUT, DELETE, PATCH"
1753 ) 1753 )
1754 self.client.setHeader(
1755 "Access-Control-Allow-Methods",
1756 "OPTIONS, GET, PUT, DELETE, PATCH"
1757 )
1754 return 204, "" 1758 return 204, ""
1755 1759
1756 @Routing.route("/data/<:class_name>/<:item_id>/<:attr_name>", 'OPTIONS') 1760 @Routing.route("/data/<:class_name>/<:item_id>/<:attr_name>", 'OPTIONS')
1757 @_data_decorator 1761 @_data_decorator
1758 def option_attribute(self, class_name, item_id, attr_name, input): 1762 def option_attribute(self, class_name, item_id, attr_name, input):
1772 ) 1776 )
1773 self.client.setHeader( 1777 self.client.setHeader(
1774 "Allow", 1778 "Allow",
1775 "OPTIONS, GET, PUT, DELETE, PATCH" 1779 "OPTIONS, GET, PUT, DELETE, PATCH"
1776 ) 1780 )
1781 self.client.setHeader(
1782 "Access-Control-Allow-Methods",
1783 "OPTIONS, GET, PUT, DELETE, PATCH"
1784 )
1777 elif attr_name in class_obj.getprops(protected=True): 1785 elif attr_name in class_obj.getprops(protected=True):
1778 # It must match a protected prop. These can't be written. 1786 # It must match a protected prop. These can't be written.
1779 self.client.setHeader( 1787 self.client.setHeader(
1780 "Allow", 1788 "Allow",
1789 "OPTIONS, GET"
1790 )
1791 self.client.setHeader(
1792 "Access-Control-Allow-Methods",
1781 "OPTIONS, GET" 1793 "OPTIONS, GET"
1782 ) 1794 )
1783 else: 1795 else:
1784 raise NotFound('Attribute %s not valid for Class %s' % ( 1796 raise NotFound('Attribute %s not valid for Class %s' % (
1785 attr_name, class_name)) 1797 attr_name, class_name))
1908 """ 1920 """
1909 self.client.setHeader( 1921 self.client.setHeader(
1910 "Allow", 1922 "Allow",
1911 "OPTIONS, GET" 1923 "OPTIONS, GET"
1912 ) 1924 )
1925 self.client.setHeader(
1926 "Access-Control-Allow-Methods",
1927 "OPTIONS, GET"
1928 )
1913 return 204, "" 1929 return 204, ""
1914 1930
1915 @Routing.route("/data") 1931 @Routing.route("/data")
1916 @_data_decorator 1932 @_data_decorator
1917 def data(self, input): 1933 def data(self, input):
1935 int: http status code 204 (No content) 1951 int: http status code 204 (No content)
1936 body (string): an empty string 1952 body (string): an empty string
1937 """ 1953 """
1938 self.client.setHeader( 1954 self.client.setHeader(
1939 "Allow", 1955 "Allow",
1956 "OPTIONS, GET"
1957 )
1958 self.client.setHeader(
1959 "Access-Control-Allow-Methods",
1940 "OPTIONS, GET" 1960 "OPTIONS, GET"
1941 ) 1961 )
1942 return 204, "" 1962 return 204, ""
1943 1963
1944 @Routing.route("/summary") 1964 @Routing.route("/summary")
2159 # accept_type will be set to json if there is no Accept header 2179 # accept_type will be set to json if there is no Accept header
2160 # accept_type wil be empty only if there is an Accept header 2180 # accept_type wil be empty only if there is an Accept header
2161 # with invalid values. 2181 # with invalid values.
2162 data_type = ext_type or accept_type or headers.get('Accept') or "invalid" 2182 data_type = ext_type or accept_type or headers.get('Accept') or "invalid"
2163 2183
2164 # add access-control-allow-* to support CORS 2184 if method.upper() == 'OPTIONS':
2165 self.client.setHeader("Access-Control-Allow-Origin", "*") 2185 # add access-control-allow-* access-control-max-age to support
2186 # CORS preflight
2187 self.client.setHeader(
2188 "Access-Control-Allow-Headers",
2189 "Content-Type, Authorization, X-Requested-With, X-HTTP-Method-Override"
2190 )
2191 # can be overridden by options handlers to provide supported
2192 # methods for endpoint
2193 self.client.setHeader(
2194 "Access-Control-Allow-Methods",
2195 "HEAD, OPTIONS, GET, POST, PUT, DELETE, PATCH"
2196 )
2197 # cache the Access headings for a week. Allows one CORS pre-flight
2198 # request to be reused again and again.
2199 self.client.setHeader("Access-Control-Max-Age", "86400")
2200
2201 # response may change based on Origin value.
2202 self.client.setVary("Origin")
2203
2204 # Allow-Origin must match origin supplied by client. '*' doesn't
2205 # work for authenticated requests.
2166 self.client.setHeader( 2206 self.client.setHeader(
2167 "Access-Control-Allow-Headers", 2207 "Access-Control-Allow-Origin",
2168 "Content-Type, Authorization, X-Requested-With, X-HTTP-Method-Override" 2208 self.client.request.headers.get("Origin")
2169 ) 2209 )
2210
2211 # allow credentials
2212 self.client.setHeader(
2213 "Access-Control-Allow-Credentials",
2214 "true"
2215 )
2216 # set allow header in case of error. 405 handlers below should
2217 # replace it with a custom version as will OPTIONS handler
2218 # doing CORS.
2170 self.client.setHeader( 2219 self.client.setHeader(
2171 "Allow", 2220 "Allow",
2172 "OPTIONS, GET, POST, PUT, DELETE, PATCH" 2221 "OPTIONS, GET, POST, PUT, DELETE, PATCH"
2173 ) 2222 )
2174 self.client.setHeader( 2223
2175 "Access-Control-Allow-Methods",
2176 "HEAD, OPTIONS, GET, POST, PUT, DELETE, PATCH"
2177 )
2178 # Is there an input.value with format json data? 2224 # Is there an input.value with format json data?
2179 # If so turn it into an object that emulates enough 2225 # If so turn it into an object that emulates enough
2180 # of the FieldStorge methods/props to allow a response. 2226 # of the FieldStorge methods/props to allow a response.
2181 content_type_header = headers.get('Content-Type', None) 2227 content_type_header = headers.get('Content-Type', None)
2182 # python2 is str type, python3 is bytes 2228 # python2 is str type, python3 is bytes
Roundup Issue Tracker: http://roundup-tracker.org/