API, batch: add allowed_list to narrow use

- only allows processing batch calls to the urls that match the regexs in allowed_list controlling/decreasing the scope of the middleware
galaxyproject · Jul 14, 2016 · 6825f4c · 6825f4c
1 parent 7bfd641
commit 6825f4c
Show file tree

Hide file tree

Showing 8 changed files with 55,507 additions and 46 deletions.
diff --git a/lib/galaxy/web/framework/middleware/batch.py b/lib/galaxy/web/framework/middleware/batch.py
@@ -3,7 +3,10 @@
 import io
 from urlparse import urlparse
 import json
+import re
+
 from paste import httpexceptions
+import routes
 
 import logging
 log = logging.getLogger( __name__ )
@@ -13,15 +16,21 @@ class BatchMiddleware( object ):
     """
     """
     DEFAULT_CONFIG = {
-        'route' : '/api/batch'
+        'route' : '/api/batch',
+        'allowed_routes' : [
+            '^api\/users.*',
+            '^api\/histories.*',
+        ]
     }
 
     def __init__( self, galaxy, application, config=None ):
         #: the original galaxy webapp
         self.galaxy = galaxy
         #: the wrapped webapp
         self.application = application
-        self.config = config or self.DEFAULT_CONFIG
+        self.config = self.DEFAULT_CONFIG.copy()
+        self.config.update( config )
+        self.base_url = routes.url_for( '/' )
         self.handle_request = self.galaxy.handle_request
 
     def __call__( self, environ, start_response ):
@@ -35,7 +44,10 @@ def process_batch_requests( self, batch_environ, start_response ):
 
         responses = []
         for request in requests:
-            if not self._valid( request ):
+            print '------------------------'
+            print request
+            if not self._is_allowed_route( request[ 'url' ] ):
+                responses.append( self._disallowed_route_response( request[ 'url' ] ) )
                 continue
 
             request_environ = self._build_request_environ( batch_environ, request )
@@ -57,9 +69,28 @@ def _read_post_payload( self, environ ):
         payload = json.loads( request_body )
         return payload
 
-    def _valid( self, request ):
+    def _is_allowed_route( self, route ):
+        if self.config.get( 'allowed_routes', None ):
+            print self.base_url
+            shortened_route = route.replace( self.base_url, '', 1 )
+            matches = [ re.match( allowed, shortened_route ) for allowed in self.config[ 'allowed_routes' ] ]
+            print matches
+            return any( matches )
         return True
 
+    def _disallowed_route_response( self, route ):
+        return dict( status=403, headers=self._default_headers(), body={
+            'err_msg'   : 'Disallowed route used for batch operation',
+            'route'     : route,
+            'allowed'   : self.config[ 'allowed_routes' ]
+        })
+
+    def _create_invalid_batch_response( self ):
+        return dict( status=403, headers=self._default_headers(), body={
+            "err_msg"   : "Disallowed route used for batch operation",
+            "allowed"   : self.allowed_routes,
+        })
+
     def _build_request_environ( self, original_environ, request ):
         """
         Given a request and the original environ used to call the batch, return

diff --git a/static/scripts/bundled/analysis.bundled.js b/static/scripts/bundled/analysis.bundled.js
diff --git a/static/scripts/bundled/analysis.bundled.js.map b/static/scripts/bundled/analysis.bundled.js.map