authorization: Add wildcards to cors_domians option

Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2020-11-15 17:13:21 -05:00 · 2020-11-15 17:13:21 -05:00 · ac1d798a36
parent 2d2f8bfbcd
commit ac1d798a36
2 changed files with 17 additions and 15 deletions
--- a/moonraker/authorization.py
+++ b/moonraker/authorization.py
@ -8,6 +8,7 @@ import uuid
 import os
 import time
 import ipaddress
+import re
 import logging
 import tornado
 from tornado.ioloop import IOLoop, PeriodicCallback
@ -28,8 +29,8 @@ class Authorization:

        # Get allowed cors domains
        cors_cfg = config.get('cors_domains', "").strip()
-        self.cors_domains = [d.strip() for d in cors_cfg.split('\n')
-                             if d.strip()]
+        self.cors_domains = [d.strip().replace(".", "\\.").replace("*", ".*")
+                             for d in cors_cfg.split('\n')if d.strip()]

        # Get Trusted Clients
        self.trusted_ips = []
@ -182,14 +183,18 @@ class Authorization:
        return False

    def check_cors(self, origin, request=None):
-        if origin in self.cors_domains:
-            logging.debug(f"CORS Domain Allowed: {origin}")
-            self._set_cors_headers(origin, request)
-        elif "*" in self.cors_domains:
-            self._set_cors_headers("*", request)
-        else:
+        if origin is None:
            return False
-        return True
+        for regex in self.cors_domains:
+            match = re.match(regex, origin)
+            if match is not None and match.group() == origin:
+                logging.debug(f"CORS Pattern Matched, origin: {origin} "
+                              f" | pattern: {regex}")
+                self._set_cors_headers(origin, request)
+                return True
+        else:
+            logging.debug(f"No CORS match for origin: {origin}")
+        return False

    def _set_cors_headers(self, origin, request):
        if request is None:
--- a/moonraker/websockets.py
+++ b/moonraker/websockets.py
@ -315,12 +315,9 @@ class WebSocket(WebSocketHandler):
        io_loop.spawn_callback(self.wsm.remove_websocket, self)

    def check_origin(self, origin):
-        if self.auth.check_cors(origin):
-            # allow CORS
-            return True
-        else:
-            return super(WebSocket, self).check_origin(origin)
-
+        if not super(WebSocket, self).check_origin(origin):
+            return self.auth.check_cors(origin)
+        return True
    # Check Authorized User
    def prepare(self):
        if not self.auth.check_authorized(self.request):