authorization: automatically pass "trusted" IPs when cors_domains is configured.

If a trusted IP address is passed as the origin then it is safe to assume that CORS access to this origin should be granted, but only if CORS is enabled by specifying at least one cors domain.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Arksine 2021-03-10 18:17:32 -05:00
parent 0a3a83de37
commit 93e7eaa5b5
1 changed files with 16 additions and 1 deletions

View File

@ -193,7 +193,7 @@ class Authorization:
return False return False
def check_cors(self, origin, request=None): def check_cors(self, origin, request=None):
if origin is None: if origin is None or not self.cors_domains:
return False return False
for regex in self.cors_domains: for regex in self.cors_domains:
match = re.match(regex, origin) match = re.match(regex, origin)
@ -206,6 +206,21 @@ class Authorization:
else: else:
logging.debug(f"Partial Cors Match: {match.group()}") logging.debug(f"Partial Cors Match: {match.group()}")
else: else:
# Check to see if the origin contains an IP that matches a
# current trusted connection
match = re.search(r"^https?://([^/]+)$", origin)
if match is not None:
ip = match.group(1)
try:
ipaddr = ipaddress.ip_address(ip)
except ValueError:
pass
else:
if self._check_authorized_ip(ipaddr):
logging.debug(
f"Cors request matched trusted IP: {ip}")
self._set_cors_headers(origin, request)
return True
logging.debug(f"No CORS match for origin: {origin}\n" logging.debug(f"No CORS match for origin: {origin}\n"
f"Patterns: {self.cors_domains}") f"Patterns: {self.cors_domains}")
return False return False