improve REST interface security When using REST, we reflect the client's origin. If the wildcard '*' is used in allowed_api_origins all origins are allowed. When this is done, it also added an 'Access-Control-Allow-Credentials: true' header. This Credentials header should not be added if the site is matched only by '*'. This header should be provided only for explicit origins (e.g. https://example.org) not for the wildcard. This is now fixed for CORS preflight OPTIONS request as well as normal GET, PUT, DELETE, POST, PATCH and OPTIONS requests. A missing Access-Control-Allow-Credentials will prevent the tracker from being accessed using credentials. This prevents an unauthorized third party web site from using a user's credentials to access information in the tracker that is not publicly available. Added test for this specific case. In addition, allowed_api_origins can include explicit origins in addition to '*'. '*' must be first in the list. Also adapted numerous tests to work with these changes. Doc updates.

'''Set of functions of adding/checking timestamp to be used to limit
   form submission for cgi actions.
'''

import time, struct, binascii, base64
from roundup.cgi.exceptions import FormError
from roundup.i18n import _
from roundup.anypy.strings import b2s, s2b


def pack_timestamp():
    return b2s(base64.b64encode(struct.pack("i", int(time.time()))).strip())


def unpack_timestamp(s):
    try:
        timestamp = struct.unpack("i", base64.b64decode(s2b(s)))[0]
    except (struct.error, binascii.Error, TypeError):
        raise FormError(_("Form is corrupted."))
    return timestamp


class Timestamped:
    def timecheck(self, field, delay):
        try:
            created = unpack_timestamp(self.form[field].value)
        except KeyError:
            raise FormError(_("Form is corrupted, missing: %s." % field))
        if time.time() - created < delay:
            raise FormError(_("Responding to form too quickly."))
        return True