Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove CORS logic #851

Merged
merged 49 commits into from
Aug 16, 2022
Merged
Show file tree
Hide file tree
Changes from 31 commits
Commits
Show all changes
49 commits
Select commit Hold shift + click to select a range
8b2189a
http: Add inner server data structure
lexnv Jul 25, 2022
669a43b
http: Handle RPC messages
lexnv Jul 25, 2022
aa0936a
http: Implement equivalent of `service_fn`
lexnv Jul 25, 2022
50725dc
http: Implement equivalent of `make_service_fn`
lexnv Jul 25, 2022
aab7f31
http: Expose `tower` compatible service
lexnv Jul 25, 2022
569f2b6
http: Prebuild http server with optional listener
lexnv Jul 25, 2022
7c74b0f
examples: WIP tower service
lexnv Jul 25, 2022
e2da10c
http: Fix warnings
lexnv Jul 27, 2022
26871de
tower_http: Fix warnings
lexnv Jul 27, 2022
1e7dcdf
http: Ensure service works with tower
lexnv Jul 27, 2022
50b9a0c
http: Remove `RPSeeServerMakeSvc` to allow further flexibility
lexnv Jul 27, 2022
25e3317
tower_http: Fix warnings
lexnv Jul 27, 2022
5af1282
tower_http: Resubmit the same request for testing
lexnv Jul 27, 2022
e8fa8b5
http: Transform builder into service directly
lexnv Jul 27, 2022
52ef967
http: Rename `RPSeeServerSvc` into user friendly `TowerService`
lexnv Jul 27, 2022
172b6f7
http: Rely on internal TowerService to handle requests
lexnv Jul 27, 2022
45a8105
Fix middleware typo
lexnv Jul 27, 2022
bd0e687
http-server: Improve API builder for tower service
lexnv Aug 8, 2022
75d5fc2
Merge remote-tracking branch 'origin/master' into poc_middleware_laye…
lexnv Aug 8, 2022
0f43236
Rename the inner service data and check comments
lexnv Aug 8, 2022
c328f86
examples: Add comments
lexnv Aug 8, 2022
602d481
http-server: Receive tower service builder as param
lexnv Aug 9, 2022
d64d1af
examples: Adjust tower_http example
lexnv Aug 9, 2022
69441f3
http-server: Add tower middleware on the HttpBuilder
lexnv Aug 9, 2022
47c1b4d
http-server: Do not expose the internal `TowerService` for now
lexnv Aug 9, 2022
7369bcb
Update http-server/src/server.rs
lexnv Aug 9, 2022
c026b0a
http-server: Use `std::error::Error`
lexnv Aug 10, 2022
de1276d
Fix fmt
lexnv Aug 10, 2022
5519222
http-server: Remove header and CORS validation
lexnv Aug 10, 2022
fa373b3
core: Remove CORS logic
lexnv Aug 10, 2022
1578163
examples: Add custom CORS layer to the RPC
lexnv Aug 11, 2022
4427f2a
Merge remote-tracking branch 'origin/master' into poc_middleware_laye…
niklasad1 Aug 12, 2022
e2f1ed5
address some grumbles
niklasad1 Aug 12, 2022
3801eb3
fix more grumbles: no more Infallible
niklasad1 Aug 12, 2022
6aa8b4f
make clippy happy
niklasad1 Aug 12, 2022
5685da9
Rename tower http example
lexnv Aug 12, 2022
76a9475
http-server: Remove handling of OPTIONS request
lexnv Aug 12, 2022
21a247a
tests: Test CORS with external layers
lexnv Aug 12, 2022
fa2a091
examples: Document access control and external CORS layer
lexnv Aug 12, 2022
e14e25b
Merge remote-tracking branch 'origin/poc_middleware_layer_v4' into re…
lexnv Aug 12, 2022
98488bc
Merge remote-tracking branch 'origin/master' into remove_cors_v2
lexnv Aug 12, 2022
750fb2f
Remove unused deps
lexnv Aug 12, 2022
3b7ca5d
remove unused CORS code
niklasad1 Aug 15, 2022
0e8a74c
Remove extra lifetime param
lexnv Aug 15, 2022
f26b401
Rename `invalid_allow_origin` to `origin_rejected`
lexnv Aug 15, 2022
f8783cc
Fix clippy
lexnv Aug 15, 2022
d8a32d8
Update core/src/server/access_control/origin.rs
lexnv Aug 15, 2022
a6cf3f8
Rename `AnyNonNull` to `Wildcard`
lexnv Aug 15, 2022
9857e7f
Rename `OriginType` to `Origin`
lexnv Aug 15, 2022
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
596 changes: 0 additions & 596 deletions core/src/server/access_control/cors.rs

This file was deleted.

12 changes: 6 additions & 6 deletions core/src/server/access_control/host.rs
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ impl Host {
}

impl Pattern for Host {
fn matches<T: AsRef<str>>(&self, other: T) -> bool {
fn matches<'a, T: AsRef<str> + PartialEq<&'a str>>(&self, other: T) -> bool {
lexnv marked this conversation as resolved.
Show resolved Hide resolved
self.matcher.matches(other)
}
}
Expand Down Expand Up @@ -186,22 +186,22 @@ mod tests {

#[test]
fn should_reject_if_header_not_on_the_list() {
assert!((AllowHosts::Only(vec![].into())).verify("parity.io").is_err());
assert!((AllowHosts::Only(vec![])).verify("parity.io").is_err());
}

#[test]
fn should_accept_if_on_the_list() {
assert!((AllowHosts::Only(vec!["parity.io".into()].into())).verify("parity.io").is_ok());
assert!((AllowHosts::Only(vec!["parity.io".into()])).verify("parity.io").is_ok());
}

#[test]
fn should_accept_if_on_the_list_with_port() {
assert!((AllowHosts::Only(vec!["parity.io:443".into()].into())).verify("parity.io:443").is_ok());
assert!((AllowHosts::Only(vec!["parity.io".into()].into())).verify("parity.io:443").is_err());
assert!((AllowHosts::Only(vec!["parity.io:443".into()])).verify("parity.io:443").is_ok());
assert!((AllowHosts::Only(vec!["parity.io".into()])).verify("parity.io:443").is_err());
}

#[test]
fn should_support_wildcards() {
assert!((AllowHosts::Only(vec!["*.web3.site:*".into()].into())).verify("parity.web3.site:8180").is_ok());
assert!((AllowHosts::Only(vec!["*.web3.site:*".into()])).verify("parity.web3.site:8180").is_ok());
}
}
4 changes: 2 additions & 2 deletions core/src/server/access_control/matcher.rs
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ use tracing::warn;
/// Pattern that can be matched to string.
pub(crate) trait Pattern {
/// Returns true if given string matches the pattern.
fn matches<T: AsRef<str>>(&self, other: T) -> bool;
fn matches<'a, T: AsRef<str> + PartialEq<&'a str>>(&self, other: T) -> bool;
lexnv marked this conversation as resolved.
Show resolved Hide resolved
}

#[derive(Clone)]
Expand All @@ -53,7 +53,7 @@ impl Matcher {
}

impl Pattern for Matcher {
fn matches<T: AsRef<str>>(&self, other: T) -> bool {
fn matches<'a, T: AsRef<str> + PartialEq<&'a str>>(&self, other: T) -> bool {
let s = other.as_ref();
match self.0 {
Some(ref matcher) => matcher.is_match(s),
Expand Down
82 changes: 11 additions & 71 deletions core/src/server/access_control/mod.rs
Original file line number Diff line number Diff line change
@@ -1,22 +1,19 @@
//! Access control based on HTTP headers

pub mod cors;
pub mod origin;
pub mod host;
mod matcher;

pub use cors::{AllowHeaders, AllowOrigin, Origin};
pub use host::{AllowHosts, Host};
pub use origin::{AllowOrigins, OriginType};
pub use host::{Host, AllowHosts};

use crate::Error;

use self::cors::get_cors_allow_origin;

/// Define access on control on HTTP layer.
#[derive(Clone, Debug)]
pub struct AccessControl {
allowed_hosts: AllowHosts,
allowed_origins: Option<Vec<AllowOrigin>>,
allowed_headers: AllowHeaders,
allowed_origins: AllowOrigins,
}

impl AccessControl {
Expand All @@ -32,60 +29,26 @@ impl AccessControl {
/// `host` is the return value from the `host header`
/// `origin` is the value from the `origin header`.
pub fn verify_origin(&self, origin: Option<&str>, host: &str) -> Result<(), Error> {
if let cors::AllowCors::Invalid = get_cors_allow_origin(origin, &self.allowed_origins, Some(host)) {
Err(Error::HttpHeaderRejected("origin", origin.unwrap_or("<missing>").into()))
} else {
Ok(())
}
}

/// Validate incoming request by CORS(`access-control-request-headers`).
///
/// header_name: all keys of the header in the request
/// cors_request_headers: values of `access-control-request-headers` headers.
///
pub fn verify_headers<T, I, II>(&self, header_names: I, cors_request_headers: II) -> Result<(), Error>
where
T: AsRef<str>,
I: Iterator<Item = T>,
II: Iterator<Item = T>,
{
let header =
cors::get_cors_allow_headers(header_names, cors_request_headers, &self.allowed_headers, |name| name);

if let cors::AllowCors::Invalid = header {
Err(Error::HttpHeaderRejected(
"access-control-request-headers",
"<too inefficient to displayed; use wireshark or something similar to find the header values>".into(),
))
} else {
Ok(())
}
}

/// Return the allowed headers we've set
pub fn allowed_headers(&self) -> &AllowHeaders {
&self.allowed_headers
self.allowed_origins.verify(origin, host)
}
}

impl Default for AccessControl {
fn default() -> Self {
Self { allowed_hosts: AllowHosts::Any, allowed_origins: None, allowed_headers: AllowHeaders::Any }
Self { allowed_hosts: AllowHosts::Any, allowed_origins: AllowOrigins::Any }
}
}

/// Convenience builder pattern
#[derive(Debug)]
pub struct AccessControlBuilder {
allowed_hosts: AllowHosts,
allowed_origins: Option<Vec<AllowOrigin>>,
allowed_headers: AllowHeaders,
allowed_origins: AllowOrigins,
}

impl Default for AccessControlBuilder {
fn default() -> Self {
Self { allowed_hosts: AllowHosts::Any, allowed_origins: None, allowed_headers: AllowHeaders::Any }
Self { allowed_hosts: AllowHosts::Any, allowed_origins: AllowOrigins::Any }
}
}

Expand All @@ -103,13 +66,7 @@ impl AccessControlBuilder {

/// Allow all origins.
pub fn allow_all_origins(mut self) -> Self {
self.allowed_origins = None;
self
}

/// Allow all headers.
pub fn allow_all_headers(mut self) -> Self {
self.allowed_headers = AllowHeaders::Any;
self.allowed_origins = AllowOrigins::Any;
self
}

Expand Down Expand Up @@ -137,27 +94,11 @@ impl AccessControlBuilder {
List: IntoIterator<Item = Origin>,
Origin: Into<String>,
{
let allowed_origins: Vec<AllowOrigin> = list.into_iter().map(Into::into).map(Into::into).collect();
let allowed_origins: Vec<OriginType> = list.into_iter().map(Into::into).map(Into::into).collect();
if allowed_origins.is_empty() {
return Err(Error::EmptyAllowList("Origin"));
}
self.allowed_origins = Some(allowed_origins);
Ok(self)
}

/// Configure allowed CORS headers.
///
/// Default - allow all.
pub fn set_allowed_headers<Header, List>(mut self, list: List) -> Result<Self, Error>
where
List: IntoIterator<Item = Header>,
Header: Into<String>,
{
let allowed_headers: Vec<String> = list.into_iter().map(Into::into).collect();
if allowed_headers.is_empty() {
return Err(Error::EmptyAllowList("Header"));
}
self.allowed_headers = AllowHeaders::Only(allowed_headers);
self.allowed_origins = AllowOrigins::Only(allowed_origins);
Ok(self)
}

Expand All @@ -166,7 +107,6 @@ impl AccessControlBuilder {
AccessControl {
allowed_hosts: self.allowed_hosts,
allowed_origins: self.allowed_origins,
allowed_headers: self.allowed_headers,
}
}
}
Loading