comparison roundup/configuration.py @ 6681:ab2ed11c021e

issue2551205: Add support for specifying valid origins for api: xmlrpc/rest We now have an allow list to filter the origins allowed to make API requests. An element of this allow list must match the http ORIGIN header exactly or the rest/xmlrpc CORS request will result in an error. The tracker's own origin is always allowed to make a request.
author John Rouillard <rouilj@ieee.org>
date Tue, 17 May 2022 17:18:51 -0400
parents 408fd477761f
children 0b8d34b64930
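--- a/roundup/configuration.py
+++ b/roundup/configuration.py
@@ -538,10 +538,42 @@
 _val = Option.get(self)
 if _val and not os.path.isabs(_val):
 _val = os.path.join(self.config["HOME"], _val)
 return _val
 
+class SpaceSeparatedListOption(Option):
+
+"""List of space seperated elements.
+"""
+
+class_description = "A list of space separated elements."
+
+def get(self):
+pathlist = []
+_val = Option.get(self)
+for elem in _val.split():
+pathlist.append(elem)
+if pathlist:
+return pathlist
+else:
+return None
+
+class OriginHeadersListOption(Option):
+
+"""List of space seperated origin header values.
+"""
+
+class_description = "A list of space separated case sensitive origin headers 'scheme://host'."
+
+
+def set(self, _val):
+pathlist = self._value = []
+for elem in _val.split():
+pathlist.append(elem)
+if '*' in pathlist and len(pathlist) != 1:
+raise OptionValueError(self, _val,
+"If using '*' it must be the only element.")
 
 class MultiFilePathOption(Option):
 
 """List of space seperated File or directory path name
 
@@ -1168,10 +1200,25 @@
 the field is missing.
 Set this to 'logfailure' to log a notice to the roundup
 log if the header is invalid or missing, but accept
 the post.
 Set this to 'no' to ignore the header and accept the post."""),
+(OriginHeadersListOption, 'allowed_api_origins', "",
+"""A comma separated list of additonal valid Origin header
+values used when enforcing the header origin. They are used
+only for the api URL's (/rest and /xmlrpc). They are not
+used for the usual html URL's. These strings must match the
+value of the Origin header exactly. So 'https://bar.edu' and
+'https://Bar.edu' are two different Origin values. Note that
+the origin value is scheme://host. There is no path
+component. So 'https://bar.edu/' would never be valid.
+
+You need to set these if you have a web application on a
+different origin accessing your roundup instance.
+
+(The origin from the tracker.web setting in config.ini is
+always valid and does not need to be specified.)"""),
 (CsrfSettingOption, 'csrf_enforce_header_x-forwarded-host', "yes",
 """Verify that the X-Forwarded-Host http header matches
 the host part of the tracker.web setting in config.ini.
 Set this to 'required' to block the post and notify
 the user if the header is missing or invalid.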
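Review bot: The help text for `allowed_api_origins` (new line 1206) tells administrators this is "A comma separated list", but `OriginHeadersListOption.set` (new lines 568-574) splits on whitespace and its `class_description` at 565 says space separated, so a value written as `https://a.edu,https://b.edu` becomes a single element that can never equal an Origin header and the cross-origin API call is silently rejected; change the help to `"""A space separated list of additional valid Origin header` (which also fixes the `additonal` typo). The same setter accepts `*` as the sole element, yet neither the help text nor the commit message says what `*` does; presumably it admits any origin on /rest and /xmlrpc, which needs an explicit sentence and a warning in the help, roughly `Use '*' to accept API requests from any origin. This disables origin checking for the api.` — the code that consumes `*` is not in this diff, so confirm that meaning before documenting it. Because entries are compared exactly against the Origin header, `set` could also reject at config-load time the forms the help itself says never match (a trailing `/`, a path, a missing `://`, or a stray comma) instead of letting a misconfigured origin fail silently per request, as sketched below; the help should also note that a non-default port is part of the origin (`https://bar.edu:8443`).
```python
def set(self, _val):
    pathlist = self._value = []
    for elem in _val.split():
        # Entries are compared byte-for-byte with the Origin header, so a path,
        # trailing slash, missing scheme or embedded comma can never match;
        # fail at config load rather than silently rejecting every request.
        if elem != '*' and ('://' not in elem or ',' in elem
                            or '/' in elem.split('://', 1)[1]):
            raise OptionValueError(self, _val,
                "Origin %r must be of the form scheme://host with no path."
                % elem)
        pathlist.append(elem)
    # … unchanged: '*' must be the only element check …
```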
