Roundup Tracker - Issues

Issue 2551205

Title: Add support for specifying valid origins for api: xmlrpc/rest
Type: security
Severity: normal
Components: API
Versions:
Status: open
Resolution:
Assigned To: rouilj
Nosy List: marcus.priesch, rouilj
Priority: high
Keywords:

Created on 2022-05-17 15:33 by rouilj, last changed 2023-03-14 03:46 by rouilj.

Messages
msg7534 Author: [hidden] (rouilj) Date: 2022-05-17 15:33
When using roundup's rest or xmlrpc api interfaces from an application
not at the same origin as the roundup tracker, CORS and CORS preflight
are used (see issue2551203).

This scenario looks like it requires disabling
csrf_enforce_header_origin in config.ini for html and api requests. To
stop this, add a config.ini option:

  allowed_origins_for_api =

that can take a comma separated list of url prefixes (ending with /)
or the character '*'.

The origin header when evaluating xmlrpc or rest requests must begin
with:

  tracker.web (base element, so scheme://host/)
  any value in allowed_origins_for_api

If allowed_origins_for_api is * the origin is allowed.

For preflight requests, the returned value for
Access-Control-Allow-Origin should be the client supplied origin
value.

This test should be extracted to a method on the client class
(check_origin_header(self, api=False)) and called in handle_csrf(self,
xmlrpc=False) replacing the existing origin check code. If handle_csrf
is called with xmlrpc=True, call check_origin_header with
api=True. (Consider replacing the name xmlrpc with api.)

It should also be used in client.py::handle_rest() (with api=True) to
verify the origin header for preflight requests. If the Origin header
check fails for preflight return 401 with no CORS preflight headers.
msg7535 Author: [hidden] (rouilj) Date: 2022-05-17 21:21
First pass at implementation.

Changes from spec:

config.ini param is allowed_api_origins (shorter name).
Origin values are space (not comma) separated and must exactly equal the origin header value.
So https://foo.edu is not the same as https://Foo.edu.

It seems to me that these should be a case insensitive match, but the original CORS spec says 
case sensitive and the newer spec has nothing to say on it.

check_origin_header(self, api=False) renamed to is_origin_header_ok(self, api=False)

Swapped out xmlrpc param for api param. Updated comments.

The code to handle preflight requests isn't done yet, so those items are still open.

Also until CORS preflight support is implemented for xmlrpc, I am not adding origin
filter there.

Docs updated.

changeset:   6681:ab2ed11c021e
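The origin check described in msg7534 and msg7535, written out as a stand-alone added example (not the tracker's code from changeset 6681 and not Roundup's own client.py). It assumes constructed config values TRACKER_WEB and ALLOWED_API_ORIGINS, treats a missing Origin header as a failure (the issue does not say what to do in that case), and adds a Vary: Origin header to the preflight response, which the issue does not mention. The preflight rule is the one from msg7534: a failed check returns 401 with no CORS headers, a passed check echoes the client's origin.

```python
from urllib.parse import urlsplit

# Constructed sample settings standing in for config.ini values
# (not the tracker's own configuration).
TRACKER_WEB = "https://tracker.example.org/roundup/"
ALLOWED_API_ORIGINS = "https://app.example.org https://dashboard.example.net"


def tracker_origin(tracker_web):
    """Reduce the tracker.web base URL to its origin, scheme://host[:port]."""
    parts = urlsplit(tracker_web)
    return "%s://%s" % (parts.scheme, parts.netloc)


def is_origin_header_ok(origin_header, tracker_web=TRACKER_WEB,
                        allowed_api_origins=ALLOWED_API_ORIGINS, api=False):
    """Decide whether a request's Origin header is acceptable.

    Rules as described in the issue: the tracker's own origin is always
    allowed; api requests (rest/xmlrpc) may additionally come from any
    entry in the space separated allowed_api_origins list, or from
    anywhere if that list is '*'. Entries must equal the header exactly
    (case sensitive, no prefix matching), per msg7535.
    """
    # Assumption: a request with no Origin header fails this check.
    # The issue does not spell out that case.
    if not origin_header:
        return False
    if origin_header == tracker_origin(tracker_web):
        return True
    if not api:
        # html form submissions: only the tracker's own origin is allowed
        return False
    allowed = allowed_api_origins.split()
    if "*" in allowed:
        return True
    return origin_header in allowed


def preflight_response(request_headers, tracker_web=TRACKER_WEB,
                       allowed_api_origins=ALLOWED_API_ORIGINS):
    """Return (status, headers) for a CORS preflight (OPTIONS) on the api.

    A failed origin check yields 401 with no CORS headers at all, so the
    browser learns nothing about cross origin use of the endpoint.
    """
    origin = request_headers.get("Origin")
    if not is_origin_header_ok(origin, tracker_web, allowed_api_origins, api=True):
        return 401, {}
    # Echo the client's own origin back, as the issue specifies. Vary tells
    # caches the answer depends on Origin (an addition not in the issue).
    # Other preflight headers (allowed methods/headers) are out of scope here.
    return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    # Constructed requests: same origin, html vs api, case mismatch, suffix trick
    for origin, api in [("https://tracker.example.org", False),
                        ("https://app.example.org", False),
                        ("https://app.example.org", True),
                        ("https://App.example.org", True),
                        ("https://app.example.org.other.test", True)]:
        print(origin, "api" if api else "html",
              is_origin_header_ok(origin, api=api))
```

Exact matching is what keeps the suffix case out: "https://app.example.org.other.test" does not equal any list entry, whereas a prefix test ("begins with") would have to be written carefully to reject it.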
History
Date                 User    Action  Args
2023-03-14 03:46:48  rouilj  set     type: security; components: + API
2022-05-17 21:22:05  rouilj  set     status: new -> open; priority: high
2022-05-17 21:21:22  rouilj  set     messages: + msg7535
2022-05-17 15:33:20  rouilj  create